Information Security News mailing list archives
Linux Advisory Watch, Dec 1st 2000
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 1 Dec 2000 00:23:19 -0500
+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| December 1st, 2000 Volume 1, Number 31a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave () linuxsecurity com ben () linuxsecurity com
If you're using Red Hat, be prepared to spend some time patching your
system. 16 Red Hat Advisories were recently released! Advisories
were released for bash, fsh, ed, mc, pine, netscape, joe, ethereal,
ghostscript, bind, ncurses, modutils, gnorpm, usermode, apache,
cyrus-sasl, nss_ldap, and openssh. The vendors include Caldera,
Debian, Immunix, Mandrake, Red Hat, and SuSE. It is critical
that you update all vulnerable packages to reduce the risk of
being compromised.
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
### OpenDoc Publishing ###
Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and
securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL,
ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat
6.2 PowerTools edition.
http://www.linuxsecurity.com/sponsors/opendocs.html
HTML Version:
http://www.linuxsecurity.com/vuln-newsletter.html
+---------------------------------+
| Installing a new package: | ------------------------------//
+---------------------------------+
# rpm -Uvh <package.rpm>
# dpkg -i <package.deb>
Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories
issued by vendors are packaged in either rpm or dpkg format.
Additional installation instructions can be found in the body
of the Advisories.
+---------------------------------+
| Checking Package Integrity: | -----------------------------//
+---------------------------------+
The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.
# md5sum <package.rpm>
ebf0d4a0d236453f63a797ea20f0758b
The string of numbers can then be compared against the MD5 checksum
published by the packager. While it cannot rule out the possibility
that whoever modified a package also modified the published checksum,
it provides a great deal of assurance in the integrity of a package
before installing it.
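The check above, automated over the layout this newsletter uses (a package URL, sometimes wrapped onto a second line, followed by its "MD5 Checksum:" line). This is an added example, not LinuxSecurity.com code; the advisory excerpt, URLs and files are constructed for the demo.

```python
"""Verify downloaded update packages against the checksums printed in an
advisory. Added example; SAMPLE_ADVISORY and the package names are made up."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed excerpt in the newsletter's layout: a package URL (here the
# first one is wrapped onto a second line) followed by its checksum line.
SAMPLE_ADVISORY = """\
i386:
ftp://updates.example/7.0/i386/
example-pkg-1.0-1.i386.rpm
MD5 Checksum: b1946ac92492d2347c6235b4d2611184
alpha:
ftp://updates.example/7.0/alpha/example-pkg-1.0-1.alpha.rpm
MD5 Checksum: d41d8cd98f00b204e9800998ecf8427e
"""

MD5_RE = re.compile(r"^MD5 checksums?:?\s*([0-9a-f]{32})\s*$", re.IGNORECASE)


def parse_advisory(text: str) -> Dict[str, str]:
    """Map package file name -> expected MD5 (lowercase hex)."""
    expected: Dict[str, str] = {}
    pending = None  # URL seen most recently, possibly still being wrapped
    for raw in text.splitlines():
        line = raw.strip()
        m = MD5_RE.match(line)
        if m:
            if pending is not None:
                expected[os.path.basename(pending)] = m.group(1).lower()
                pending = None
            continue
        if line.startswith(("ftp://", "http://")):
            pending = line
        elif pending is not None and pending.endswith("/") and line \
                and " " not in line and not line.endswith(":"):
            pending += line  # continuation of a wrapped URL
    return expected


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(advisory_text: str, download_dir: str) -> List[Tuple[str, str]]:
    """Return (file name, status) pairs; status is 'ok', 'MISMATCH' or 'missing'.
    Note: this only proves the file matches the advisory. If the advisory itself
    came over the same channel as the package, fetch it a second way as well."""
    results = []
    for name, want in sorted(parse_advisory(advisory_text).items()):
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            results.append((name, "missing"))
        else:
            results.append((name, "ok" if md5_of_file(path) == want else "MISMATCH"))
    return results


def demo() -> List[Tuple[str, str]]:
    """Build a throwaway download directory and check it against SAMPLE_ADVISORY."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "example-pkg-1.0-1.i386.rpm"), "wb") as f:
        f.write(b"hello\n")      # md5 b1946ac9... matches the published sum
    with open(os.path.join(d, "example-pkg-1.0-1.alpha.rpm"), "wb") as f:
        f.write(b"tampered\n")   # published sum is that of an empty file
    return verify_downloads(SAMPLE_ADVISORY, d)


if __name__ == "__main__":
    for name, status in demo():
        print(f"{status:9s} {name}")
```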
+---------------------------------+
| Caldera Advisories | ----------------------------//
+---------------------------------+
* Caldera: 'bash' vulnerability
November 27th, 2000
Bash creates temp files for here scripts insecurely. This can be
exploited via a symlink attack to create or write over arbitrary
files on the system if the shell is run by root.
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
310d7b5b15517054697264fa449b732e RPMS/bash-1.14.7-14.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-925.html
+---------------------------------+
| Debian Advisories | ----------------------------//
+---------------------------------+
* Debian: 'mc' local DoS
November 25th, 2000
Maurycy Prodeus found a problem in cons.saver, a screensaver for the
console that is included in the mc package. cons.saver does not check
if it is started with a valid stdout, which combined with a bug in
its check to see if its argument is a tty (it forgot to close the
file-descriptor after opening the supposed tty) causes it to write a
NUL character to the file given as its parameter.
http://security.debian.org/dists/stable/updates/main/source/
mc_4.5.42-11.potato.5.diff.gz
MD5 checksum: 98428eb4284349e15b21b2cd36fbf55d
http://security.debian.org/dists/stable/updates/main/source/
mc_4.5.42-11.potato.5.dsc
MD5 checksum: f6bfd1c1c458247e49ec1f73a8da5a47
Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-922.html
* Debian: 'fsh' symlink attack
November 29th, 2000
Colin Phipps found an interesting symlink attack problem in fsh (a
tool to quickly run remote commands over rsh/ssh/lsh). When fshd
starts it creates a directory in /tmp to hold its sockets. It tries
to do that securely by checking if it can chown that directory, if it
already exists, to verify that it is owned by the user invoking it.
However an attacker can circumvent this check by inserting a symlink
to a file that is owned by the user who runs fshd and replacing that
with a directory just before fshd creates the socket.
http://security.debian.org/dists/stable/updates/main/binary-i386/
fsh_1.0.post.1-3potato_i386.deb
MD5 checksum: 6d6dd446e87bff6ed57c7176813609c8
Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-945.html
* Debian: 'ed' vulnerability
November 28th, 2000
Alan Cox discovered that GNU ed (a classic line editor tool) created
temporary files unsafely. This has been fixed in version 0.2-18.1.
http://security.debian.org/dists/stable/updates/main/
binary-i386/ed_0.2-18.1_i386.deb
MD5 checksum: bb6dbb9648a71c56d2cf1eb353407acf
Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-944.html
+---------------------------------+
| Mandrake Advisories | ----------------------------//
+---------------------------------+
* Mandrake: 'pine' vulnerability
November 27th, 2000
By adding specific headers to messages, the pine mail reader could be
made to exit with an error message when users attempted to manipulate
mail folders containing those messages.
http://www.linuxsecurity.com/advisories/mandrake_advisory-935.html
* Mandrake: 'bash1' vulnerability
November 28th, 2000
The bash1 shell program has the same << vulnerability that tcsh has
and incorrectly creates temporary files without the O_EXCL flag. This
vulnerability does not exist in bash2 which uses the O_EXCL flag when
creating temporary files.
http://www.linuxsecurity.com/advisories/mandrake_advisory-943.html
+---------------------------------+
| Immunix Advisories | ----------------------------//
+---------------------------------+
* Immunix: 'joe' vulnerability
November 28th, 2000
A local root exploit is possible if the root user is running the joe
editor.
http://www.immunix.org:8080/ImmunixOS/7.0-beta/updates/RPMS/
joe-2.8-43_StackGuard.i386.rpm
MD5 Checksum: 56831a982a06cdf37e5c358b2f41aa34
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-936.html
* Immunix: 'netscape' buffer overflow
November 28th, 2000
New netscape packages are available that fix a buffer overflow when
parsing HTML.
http://www.immunix.org:8080/ImmunixOS/7.0-beta/updates/RPMS/
netscape-common-4.76-1.i386.rpm
MD5 Checksum: dfa6bdfa255b83d3f68c83fa83765aca
http://www.immunix.org:8080/ImmunixOS/7.0-beta/updates/RPMS/
netscape-communicator-4.76-1.i386.rpm
MD5 Checksum: f8d77e2fee0f5315fed6aeb8fd083d2f
http://www.immunix.org:8080/ImmunixOS/7.0-beta/updates/RPMS/
netscape-navigator-4.76-1.i386.rpm
MD5 Checksum: aaf7a0497d972380432d98ca09616660
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-937.html
+---------------------------------+
| Red Hat Advisories | ----------------------------//
+---------------------------------+
* RedHat: 'ethereal' buffer overflow
November 29th, 2000
Versions of Ethereal prior to 0.8.14 are vulnerable to buffer
overflows. The ethereal-0.8.14 packages correct this problem.
Red Hat Powertools 7.0:
alpha:
ftp://updates.redhat.com/powertools/7.0/alpha/ethereal-0.8.14-3.alpha.rpm
MD5 Checksum: f66c8f700e762f1fcd03659f0e27626a
i386:
ftp://updates.redhat.com/powertools/7.0/i386/ethereal-0.8.14-3.i386.rpm
MD5 Checksum: fd164d3509dde25d21fd7cb926ba0e65
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-946.html
* Redhat: 'netscape' buffer overflow
November 28th, 2000
A buffer overflow exists in Netscape's HTML parsing code. By using
specially designed code, a remote website could cause arbitrary code
to be run on the local machine.
Red Hat Linux 7.0
alpha:
ftp://updates.redhat.com/7.0/alpha/netscape-common-4.76-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/netscape-communicator-4.76-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/netscape-navigator-4.76-1.alpha.rpm
i386:
ftp://updates.redhat.com/7.0/i386/netscape-common-4.76-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/netscape-communicator-4.76-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/netscape-navigator-4.76-1.i386.rpm
MD5 Checksum in vendor advisory.
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-938.html
* Redhat: 'bind' update
November 28th, 2000
A bug in bind 8.2.2_P5 allows for a denial of service attack. If
named is open to zone transfers and recursive resolving, it will
crash after a ZXFR for the authoritative zone and a query of a remote
hostname.
Red Hat Linux 7.0:
alpha
ftp://updates.redhat.com/7.0/alpha/bind-8.2.2_P7-2.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/bind-devel-8.2.2_P7-2.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/bind-utils-8.2.2_P7-2.alpha.rpm
i386:
ftp://updates.redhat.com/7.0/i386/bind-8.2.2_P7-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/bind-devel-8.2.2_P7-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/bind-utils-8.2.2_P7-1.i386.rpm
MD5 Checksums available in vendor advisory.
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-941.html
* Redhat: 'ghostscript' vulnerabilities
November 28th, 2000
ghostscript makes use of mktemp to create temp files, which is an
insecure and predictable approach; it is now patched to use mkstemp,
which avoids the race condition on the name. It also uses improper
LD_RUN_PATH values, causing ghostscript to search for libraries to
load in the current directory.
Red Hat Linux 7.0:
alpha:
ftp://updates.redhat.com/7.0/alpha/ghostscript-5.50-8.alpha.rpm
MD5 Checksum: bd8b80bada77d59ee28aa72f6e5674e4
i386:
ftp://updates.redhat.com/7.0/i386/ghostscript-5.50-8.i386.rpm
MD5 Checksum: 0d5f4448d5245721b1e2762f360791f2
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-942.html
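The mktemp-versus-mkstemp point raised in the ghostscript advisory above and the missing O_EXCL flag in the Mandrake bash1 advisory are the same defect. The following is an added example (not code from either package) that reproduces the outcome inside a private directory and shows the two fixes the vendors applied; the file names and MARKER bytes are constructed for the demo.

```python
"""Predictable temp file opened without O_EXCL, beside the mkstemp/O_EXCL
fix. Added example; directory and file names below are made up."""
import os
import tempfile

MARKER = b"here-document body\n"  # what a shell would spool into the temp file


def unsafe_write(tmp_dir: str, name: str) -> str:
    """The pattern the advisories describe: fixed, guessable name and
    O_CREAT without O_EXCL. If the path already exists (for instance as a
    symlink someone planted), open() follows it and the data lands there."""
    path = os.path.join(tmp_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
    os.write(fd, MARKER)
    os.close(fd)
    return os.path.realpath(path)  # the file the bytes actually went to


def exclusive_open(path: str) -> int:
    """The bash2/ghostscript fix spelled out in flags: O_EXCL makes creation
    atomic and fails on any pre-existing path (including a symlink), and
    O_NOFOLLOW (where available) additionally refuses symlinks outright."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def safe_write(tmp_dir: str) -> str:
    """mkstemp() combines an unpredictable name with O_CREAT|O_EXCL, so
    there is no name to guess and no existing path is ever followed."""
    fd, path = tempfile.mkstemp(dir=tmp_dir, prefix="sh-")
    with os.fdopen(fd, "wb") as f:
        f.write(MARKER)
    return path


def demo() -> dict:
    """A symlink already sits at the predictable name, pointing at a file
    the victim owns; compare what each open strategy does with it."""
    d = tempfile.mkdtemp()
    victim = os.path.join(d, "victim.conf")
    open(victim, "wb").close()
    link = os.path.join(d, "sh-heredoc.tmp")
    os.symlink(victim, link)

    target = unsafe_write(d, "sh-heredoc.tmp")
    with open(victim, "rb") as f:
        clobbered = f.read() == MARKER
    try:
        exclusive_open(link)
        excl_refused = False
    except OSError:  # EEXIST or ELOOP: creation refused, victim untouched
        excl_refused = True
    safe_path = safe_write(d)
    return {
        "unsafe_resolved_to_victim": os.path.samefile(target, victim),
        "victim_clobbered": clobbered,
        "o_excl_refused_symlink": excl_refused,
        "mkstemp_created_new_file": os.path.isfile(safe_path)
        and not os.path.islink(safe_path),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```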
* Redhat: 'ncurses' vulnerability
November 28th, 2000
Attackers can force a privileged application to use their own termcap
file containing a special terminal entry which will trigger the
ncurses vulnerability, allowing them to execute arbitrary code with
the privileges of the exploited binary.
Red Hat Linux 7.0: i386:
ftp://updates.redhat.com/7.0/i386/ncurses-devel-5.2-2.i386.rpm
MD5 Checksum: 9affe6c75ae33d616ea695766c10e44e
ftp://updates.redhat.com/7.0/i386/ncurses-devel-5.2-2.i386.rpm
MD5 Checksum: a555ec460de5650c4a2c42abc5de838c
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-923.html
* RedHat: 'nss_ldap' vulnerabilities
November 27th, 2000
A race condition has been found in the nss_ldap package. On a system
running nscd, a malicious user can cause the system to hang.
Red Hat Linux 7.0:
alpha:
ftp://updates.redhat.com/7.0/alpha/nss_ldap-122-1.7.alpha.rpm
MD5 Checksum: 8c47242abcd4aa16174cb41da27cdd12
i386:
ftp://updates.redhat.com/7.0/i386/nss_ldap-122-1.7.i386.rpm
MD5 Checksum: 95337178e79472118cf33b0584462679
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-927.html
* RedHat7: 'cyrus-sasl' vulnerabilities
November 27th, 2000
An error existed in the authorization checks in the version of
cyrus-sasl shipped with Red Hat Linux 7. Due to this bug, users who
had been successfully authenticated could be allowed access to
resources even if the system had been configured to deny these users
access. Versions of cyrus-sasl included in previous releases of Red
Hat Power Tools did not implement this function and are not affected
by this bug.
Red Hat Linux 7.0:
alpha:
ftp://updates.redhat.com/7.0/alpha/cyrus-sasl-1.5.24-11.alpha.rpm
MD5 Checksum: 0e6f0edb4df1489e1a12e5ea16f9f828
i386:
ftp://updates.redhat.com/7.0/i386/cyrus-sasl-1.5.24-11.i386.rpm
MD5 Checksum: 59aaec92c60ddaed257bd581d976055b
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-928.html
* RedHat: Apache and other updates
November 27th, 2000
A vulnerability in the mod_rewrite module and vulnerabilities in the
virtual hosting facility in versions of Apache prior to 1.3.14 may
allow attackers to view files on the server which are meant to be
inaccessible. Format string vulnerabilities have been found in PHP
versions 3 and 4.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-929.html
* RedHat: 'usermode' vulnerability
November 27th, 2000
The usermode package contains a binary (/usr/bin/userhelper), which
is used to control access to programs which are to be executed as
root. Because programs invoked by userhelper are not actually running
setuid-root, security measures built into recent versions of glibc
are not active.
Red Hat Linux 7.0:
alpha:
ftp://updates.redhat.com/7.0/alpha/usermode-1.37-2.alpha.rpm
MD5 Checksum: 6cd3999fa6015fcf301b502d4a416373
i386:
ftp://updates.redhat.com/7.0/i386/usermode-1.37-2.i386.rpm
MD5 Checksum: c32888b6f362b04f8a3805d4465c042a
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-930.html
* RedHat: UPDATE: 'gnorpm' vulnerability
November 27th, 2000
While fixing other problems with the gnorpm package, a
locally-exploitable security hole was found where a normal user could
trick root running GnoRPM into writing to arbitrary files due to a
bug in the gnorpm tmp filehandling.
Red Hat Linux 7.0:
alpha:
ftp://updates.redhat.com/7.0/alpha/gnorpm-0.95.1-5.alpha.rpm
MD5 Checksum: 48f5f0dc6a0b17cd204a9bc6ab6c2a86
i386:
ftp://updates.redhat.com/7.0/i386/gnorpm-0.95.1-5.i386.rpm
MD5 Checksum: 1df97ee9659fc0f10c2f06ef69954228
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-931.html
* RedHat: 'joe' symlink vulnerability
November 27th, 2000
When exiting joe in a nonstandard way (such as a system crash,
closing an xterm, or a network connection going down), joe will
unconditionally append its open buffers to the file "DEADJOE". This
could be exploited by the creation of DEADJOE symlinks in directories
where root would normally use joe. In this way, joe could be used to
append garbage to potentially-sensitive files, resulting in a denial
of service.
Red Hat Linux 7.0: i386:
ftp://updates.redhat.com/7.0/i386/joe-2.8-43.i386.rpm
MD5 Checksum: 1578b0e184b76b23d2a30b101f1665d4
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-932.html
* RedHat: 'modutils' vulnerability
November 27th, 2000
The previous packages of modutils released to address a local root
compromise contained an error in new safe guards that caused them to
not properly be enabled when run as root from the kmod process. These
new safe guards check the arguments passed to modules. The new 2.3.21
modutils package fixes this error and correctly checks the arguments
when running from kmod, limiting kernel module arguments to those
specified in /etc/conf.modules (on Red Hat Linux 6.2) or
/etc/modules.conf (on Red Hat Linux 7). This release supersedes the
previous modutils errata packages.
Red Hat Linux 7.0:
alpha:
ftp://updates.redhat.com/7.0/alpha/modutils-2.3.21-1.alpha.rpm
MD5 Checksum: 6f68c415e4ec7f18bc68e987e488056b
i386:
ftp://updates.redhat.com/7.0/i386/modutils-2.3.21-1.i386.rpm
MD5 Checksum: 46b7f3331bccd927d9d7fefbec74f721
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-933.html
* RedHat: 'pine' denial of service vulnerability
November 27th, 2000
By adding specific headers to messages, the pine mail reader and the
imap server could be made to exit with an error message when users
attempted to manipulate mail folders containing those messages. This
release also introduces SSL support to Red Hat Linux 6.x, Kerberos
support for Red Hat Linux 6.0 and 6.1, and LDAP support for Red Hat
Linux 6.0. This means that the packages from the enhancement
advisories for these packages will also need to be installed.
Red Hat Linux 7.0:
alpha:
ftp://updates.redhat.com/7.0/alpha/pine-4.30-2.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/imap-2000-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/imap-devel-2000-3.alpha.rpm
i386:
ftp://updates.redhat.com/7.0/i386/pine-4.30-2.i386.rpm
ftp://updates.redhat.com/7.0/i386/imap-2000-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/imap-devel-2000-3.i386.rpm
MD5 Checksums available in vendor advisory
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-934.html
* Redhat: 'bash 1.x' vulnerability
November 27th, 2000
The << operator in bash 1.x used predictable filenames, leading to a
potential denial of service attack. A local user account is required
to exploit the security leak.
Red Hat Linux 6.2:
alpha:
ftp://updates.redhat.com/6.2/alpha/bash-1.14.7-23.6x.alpha.rpm
MD5 Checksum: 19ed96c0935ef630215736d242911c98
sparc:
ftp://updates.redhat.com/6.2/sparc/bash-1.14.7-23.6x.sparc.rpm
MD5 Checksum: 1a92e61a4d5c7989b26d687dfe881a5c
i386:
ftp://updates.redhat.com/6.2/i386/bash-1.14.7-23.6x.i386.rpm
MD5 Checksum: 9fe492b13c08e7993a918d0395fda486
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-924.html
* RedHat7: 'openssh' vulnerability
November 27th, 2000
An OpenSSH client will do agent or X11 forwarding at the request of a
server, even if the user has not requested that it be done. A
malicious server can exploit this vulnerability to gain access to the
user's display.
i386:
ftp://updates.redhat.com/7.0/i386/openssh-2.3.0p1-4.i386.rpm
ftp://updates.redhat.com/7.0/i386/openssh-clients-2.3.0p1-4.i386.rpm
ftp://updates.redhat.com/7.0/i386/openssh-server-2.3.0p1-4.i386.rpm
ftp://updates.redhat.com/7.0/i386/openssh-askpass-2.3.0p1-4.i386.rpm
ftp://updates.redhat.com/7.0/i386/
openssh-askpass-gnome-2.3.0p1-4.i386.rpm
MD5 Checksums available in advisory.
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-926.html
* Redhat: 'ncurses' vulnerability
November 26th, 2000
Attackers can force a privileged application to use their own termcap
file containing a special terminal entry which will trigger the
ncurses vulnerability, allowing them to execute arbitrary code with
the privileges of the exploited binary.
Red Hat Linux 7.0: i386:
ftp://updates.redhat.com/7.0/i386/ncurses-devel-5.2-2.i386.rpm
MD5 Checksum: 9affe6c75ae33d616ea695766c10e44e
ftp://updates.redhat.com/7.0/i386/ncurses-devel-5.2-2.i386.rpm
MD5 Checksum: a555ec460de5650c4a2c42abc5de838c
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-923.html
+---------------------------------+
| SuSE Advisories | ----------------------------//
+---------------------------------+
* SuSE: 'netscape' buffer overflow
November 30th, 2000
It may be possible for an attacker to supply a webpage that executes
arbitrary code as the user running netscape. As of today, no exploit
code is known to exist in the wild.
Intel i386 Platform SuSE-7.0 SuSE-6.4 SuSE-6.3 SuSE-6.2
ftp://ftp.suse.com/pub/suse/i386/update/7.0/xap1/
netscape-4.76.glibc21.i386.rpm
MD5 Checksum: 7ccebaca7df0937a3c08fc30a27af858
SuSE-6.1 SuSE-6.0
ftp://ftp.suse.com/pub/suse/i386/update/5.3/xap1/
netscape-4.76.libc5.i386.rpm
MD5 Checksum: 3c4f06c5fea4755083524eb135627380
* SuSE: 'openssh/ssh' vulnerability
November 24th, 2000
Many vulnerabilities have been found in the openssh package, along
with a compilation problem in the openssh and ssh packages in the
SuSE-7.0 distribution: An openssh client (the ssh program) can accept
X11- or ssh-agent forwarding requests even though these forwarding
capabilities have not been requested by the client side after
successful authentication. Using these weaknesses, an attacker could
gain access to the authentication agent which may hold multiple
user-owned authentication identities, or to the X-server on the
client side as if requested by the user.
i386 Intel Platform: SuSE-7.0
ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/
openssh-2.3.0p1-0.i386.rpm
MD5 Checksum: 3c7b9044ffb64f9f74c904eb2b278eb2
Sparc Platform: SuSE-7.0
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/
openssh-2.3.0p1-0.sparc.rpm
MD5 Checksum: 898aaaacee88777429496f1a5658076f
AXP Alpha Platform: SuSE-7.0
ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/
openssh-2.3.0p1-0.alpha.rpm
MD5 Checksum: dd12c60b2744455780c976b115b26f27
PPC Power PC Platform: SuSE-7.0
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/
openssh-2.3.0p1-0.ppc.rpm
MD5 Checksum: 72f7c339991e54a476585012423dda62
Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-916.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request () linuxsecurity com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".