Information Security News mailing list archives
Linux Advisory Watch, Nov 24th 2000
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 24 Nov 2000 19:05:23 -0500
+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux Advisory Watch   |
|  November 24th, 2000                    Volume 1, Number 30a   |
+----------------------------------------------------------------+

Editors:  Dave Wreski                   Benjamin Thomas
          dave () linuxsecurity com     ben () linuxsecurity com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for modutils, ghostscript, elvis-tiny, xmcd, ncurses, joe, ethereal, tcpdump, CUPS, cron, openssh, tcsh/csh, php, thttpd, curl, mgetty, telnet, pine. The vendors include Conectiva, Debian, FreeBSD, Mandrake and Red Hat. It was a big week for both Debian and FreeBSD. It is critical that you update all vulnerable packages to reduce the risk of being compromised.

### OpenDoc Publishing ###

Our sponsor this week is OpenDoc Publishing. Their 480-page comprehensive security book, Securing and Optimizing Linux, takes a hands-on approach to installing, optimizing, configuring, and securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools edition.

http://www.linuxsecurity.com/sponsors/opendocs.html

HTML Version:
http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  Installing a new package:      | ------------------------------//
+---------------------------------+

   # rpm -Uvh
   # dpkg -i

Packages can be installed easily by using rpm (Red Hat Package Manager) or dpkg (Debian Package Manager). Most advisories issued by vendors are packaged in either an rpm or dpkg. Additional installation instructions can be found in the body of the Advisories.

+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is strongly dependent upon the contents of the file to which it is applied. It can be used to compare against a previously-generated sum to determine whether the file has changed. It is commonly used to ensure the integrity of updated packages distributed by a vendor.

   # md5sum
   ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum published by the packager. While it does not take into account the possibility that the same person that may have modified a package also may have modified the published checksum, it is especially useful for establishing a great deal of assurance in the integrity of a package before installing

+---------------------------------+
|  Conectiva Advisories           | ----------------------------//
+---------------------------------+

* Conectiva: 'modutils' vulnerability
  November 22nd, 2000

  The modutils package contains a utility called modprobe which is normally used by the kernel when loading modules on demand. In versions higher than 2.1.121, the modprobe utility could be tricked into executing commands supplied as a module name. A normal user cannot load kernel modules, but he/she can make the kernel at least try to load a module with a given name by other means. If, as a result, modprobe is called (with root privileges), the commands will be executed as root or could at least be interpreted as options for the modprobe program.

  ftp://atualizacoes.conectiva.com.br/5.1/i386/
  modutils-2.3.21-1cl.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-908.html

+---------------------------------+
|  Debian Advisories              | ----------------------------//
+---------------------------------+

* Debian: 'ghostscript' vulnerabilities
  November 23rd, 2000

  ghostscript uses temporary files to do some of its work. Unfortunately the method used to create those files wasn't secure: mktemp was used to create a name for a temporary file, but the file was not opened safely. A second problem is that during build the LD_RUN_PATH environment variable was set to the empty string, which causes the dynamic linker to look in the current directory for shared libraries.

  Alpha architecture:
  gs_5.10-10.1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: 72b77c03a2718fe983e177719242446f

  ARM architecture:
  gs_5.10-10.1_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 5b9b95200a1a0045599e2255ee717403

  Intel ia32 architecture:
  gs_5.10-10.1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: 567e56445bd8f483c8d46fc0d7dd89c3

  Motorola 680x0 architecture:
  gs_5.10-10.1_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: 7ea2f538d5aae483ef560975a27601e9

  PowerPC architecture:
  gs_5.10-10.1_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: 4fcaf6cb5ade143468562f482c2482d2

  Sun Sparc architecture:
  gs_5.10-10.1_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: 85c6eced60413022596098b57fcf2e58

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-913.html

* Debian: 'modutils' vulnerability
  November 22nd, 2000

  In an ideal world modprobe should trust the kernel to only pass valid parameters to modprobe.
  However he has found at least one local root exploit because high level kernel code passed unverified parameters direct from the user to modprobe. So modprobe no longer trusts kernel input and switches to a safemode.

  Alpha architecture:
  modutils_2.3.11-12_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 44ac46a4689bcbfe2f80ea1d4dcbbd6a

  ARM architecture:
  modutils_2.3.11-12_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 7f6608a182324509ed24e7289fe4e3cd

  Intel ia32 architecture:
  modutils_2.3.11-12_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: 5050bd60fabb74e1814afc4f91b99e7f

  Motorola 680x0 architecture:
  modutils_2.3.11-12_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: 0925f9813b4bd2627e9302b092fcefa0

  PowerPC architecture:
  modutils_2.3.11-12_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: 5b469eb86dd396de058752c0c053b93d

  Sun Sparc architecture:
  modutils_2.3.11-12_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: 988da3bc5908fd6884201b8947f91608

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-892.html

* Debian: 'joe' symlink vulnerability
  November 22nd, 2000

  When joe (Joe's Own Editor) dies due to a signal instead of a normal exit it saves a list of the files it is editing to a file called `DEADJOE' in its current directory. Unfortunately this wasn't done safely which made joe vulnerable to a symlink attack.

  Alpha architecture:
  joe_2.8-15.1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: defbc5c39a2ae8ed000b7b302ecd339f

  ARM architecture:
  joe_2.8-15.1_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: bcb70726840c2cf11cba068ce2a826be

  Intel ia32 architecture:
  joe_2.8-15.1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: 21444255b240be01132208e5cb1d3439

  Motorola 680x0 architecture:
  joe_2.8-15.1_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: a4b275c324956489bf7558d42a80f22f

  PowerPC architecture:
  joe_2.8-15.1_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: 689d54abe039ded6e82bf60115737631

  Sun Sparc architecture:
  joe_2.8-15.1_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: 8846236e9158cf3f3d7f1b8edce73d40

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-903.html

* Debian: 'ethereal' buffer overflow
  November 22nd, 2000

  hacksware reported a buffer overflow in the AFS packet parsing code in ethereal. Gerald Combs then found more overflows in the netbios and ntp decoding logic as well. An attacker can exploit those overflows by sending carefully crafted packets to a network that is being monitored by ethereal.

  Alpha architecture:
  ethereal_0.8.0-2potato_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: 82f6fd38b2e7cab8b867ac52dae895fd

  ARM architecture:
  ethereal_0.8.0-2potato_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 0a704256847208f89811650cc964644b

  Intel ia32 architecture:
  ethereal_0.8.0-2potato_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: e388da4ca483cf327dc784c1193d86f3

  PowerPC architecture:
  ethereal_0.8.0-2potato_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: 530905f2a5fa5a62ebad6207aec91588

  Sun Sparc architecture:
  ethereal_0.8.0-2potato_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: 30a1e8df61a40ede30a005ad12d43fef

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-904.html

* Debian: 'ncurses' buffer overflows
  November 22nd, 2000

  The version of the ncurses display library shipped with Debian GNU/Linux 2.2 is vulnerable to several buffer overflows in the parsing of terminfo database files. This problem was discovered by Jouko Pynnönen. The problems are only exploitable in the presence of setuid binaries linked to ncurses which use these particular functions, including xmcd versions before 2.5pl1-7.1.

  UPDATES AVAILABLE IN VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-905.html

* Debian: 'xmcd' vulnerability
  November 22nd, 2000

  The Debian GNU/Linux xmcd package has historically installed two setuid helpers for accessing cddb databases and SCSI cdrom drives. More recently, the package offered the administrator the chance to remove these setuid flags, but did so incorrectly. A buffer overflow in ncurses, linked to the "cda" binary, allowed a root exploit. Fixed ncurses packages have been released, as well as fixed xmcd packages which do not install this binary with a setuid flag.

  UPDATES AVAILABLE IN VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-906.html

* Debian: 'elvis-tiny' vulnerability
  November 22nd, 2000

  Topi Miettinen audited elvis-tiny and raised an issue covering the use and creation of temporary files. Those files are created with a predictable pattern and O_EXCL flag is not used when opening. This makes users of elvis-tiny vulnerable to race conditions and/or datalossage.

  Alpha architecture:
  elvis-tiny_1.4-10_alpha.deb
  http://security.debian.org/dists/potato/updates/main/binary-alpha/
  MD5 checksum: 2590ee56961063492e4ea9042405cff0

  ARM architecture:
  elvis-tiny_1.4-10_arm.deb
  http://security.debian.org/dists/potato/updates/main/binary-arm/
  MD5 checksum: 7e7d705d069d12f9a6f2aafd887f16d5

  Intel ia32 architecture:
  elvis-tiny_1.4-10_i386.deb
  http://security.debian.org/dists/potato/updates/main/binary-i386/
  MD5 checksum: 5c53b7b9b8f9f61e64d39f51a57a684c

  Motorola 680x0 architecture:
  elvis-tiny_1.4-10_m68k.deb
  http://security.debian.org/dists/potato/updates/main/binary-m68k/
  MD5 checksum: c4198630e2860fb4ed0acc3f2d28f3fa

  PowerPC architecture:
  elvis-tiny_1.4-10_powerpc.deb
  http://security.debian.org/dists/potato/updates/main/binary-powerpc/
  MD5 checksum: e2578f19a8d8ebac6b68e7bccb4a263d

  Sun Sparc architecture:
  elvis-tiny_1.4-10_sparc.deb
  http://security.debian.org/dists/potato/updates/main/binary-sparc/
  MD5 checksum: 15c862e3debe027092edba3ab4ae62b3

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-910.html

* Debian: 'CUPS' update
  November 19th, 2000

  The first problem is not a problem either in Debian's potato (2.2) or woody (unstable). Our cupsys packages are shipped with browsing turned off by default. The second problem has to do with CUPS's configuration. CUPS does access control in a similar way to Apache, and is configured by default in a similar way to Apache.

  UPDATES AVAILABLE IN VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-890.html

* Debian: 'cron' vulnerability
  November 18th, 2000

  The version of Vixie Cron shipped with Debian GNU/Linux 2.2 is vulnerable to a local attack, discovered by Michal Zalewski. Several problems, including insecure permissions on temporary files and race conditions in their deletion, allowed attacks from a denial of service (preventing the editing of crontabs) to an escalation of privilege (when another user edited their crontab).

  Alpha architecture:
  cron_3.0pl1-57.1_alpha.deb
  http://security.debian.org/dists/potato/updates/main/binary-alpha/
  MD5 checksum: 3b146f5227182343d3b20cf8fce8a86c

  ARM architecture:
  cron_3.0pl1-57.1_arm.deb
  http://security.debian.org/dists/potato/updates/main/binary-arm/
  MD5 checksum: 559e80e83abf371a8d09759ee900daf5

  Intel IA32 architecture:
  cron_3.0pl1-57.1_i386.deb
  http://security.debian.org/dists/potato/updates/main/binary-arm/
  MD5 checksum: 922bb72b07a05fb888771364697f52e1

  Motorola 680x0 architecture:
  cron_3.0pl1-57.1_m68k.deb
  http://security.debian.org/dists/potato/updates/main/binary-m68k/
  MD5 checksum: 2e0d8152ec03a66bb88ba84215fe4de3

  PowerPC architecture:
  cron_3.0pl1-57.1_powerpc.deb
  http://security.debian.org/dists/potato/updates/main/binary-powerpc/
  MD5 checksum: 16ad8c4a26436239e7a25260340be6d5

  Sun Sparc architecture:
  cron_3.0pl1-57.1_sparc.deb
  http://security.debian.org/dists/potato/updates/main/binary-sparc/
  MD5 checksum: 2bd401a635eedc47e9f6dd1652f71e35

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-889.html

* Debian: 'openssh' vulnerability
  November 18th, 2000

  The adv.fwd security advisory from OpenBSD reported a problem with openssh that Jacob Langseth found: when the connection is established the remote ssh server can force the ssh client to enable agent and X11 forwarding.

  Alpha architecture:
  ssh-askpass-gnome_1.2.3-9.1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: a8b51ca7b67cb0e5aeedac4fa301d18c
  ssh_1.2.3-9.1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: bb58e19e240adfe940fbebe2364f6f35

  ARM architecture:
  ssh-askpass-gnome_1.2.3-9.1_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 543e76b02e7cfdb35f9b92365dc4610b
  ssh_1.2.3-9.1_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: ed70bc90de326bfec9899f4ed0ac5b6d

  Intel ia32 architecture:
  ssh-askpass-gnome_1.2.3-9.1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: a03ebc405c792bbef06d4f3235f0a0d3
  ssh_1.2.3-9.1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: c1dfbadec6f9ef38b1ed9391bb1e8c52

  Motorola 680x0 architecture:
  sh-askpass-gnome_1.2.3-9.1_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: dcdffa2a00132500621d4eb32ecbae9a
  ssh_1.2.3-9.1_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: e0059e6bfe72a14a18803a507884d194

  PowerPC architecture:
  ssh-askpass-gnome_1.2.3-9.1_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: 4354d03dc3030da57bb1ce91fac6247a
  ssh_1.2.3-9.1_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: 5419aab89a4270933849430efdc0c3d2

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-888.html

* Debian: 'modutils' vulnerability
  November 20th, 2000

  In an ideal world modprobe should trust the kernel to only pass valid parameters to modprobe. However he has found at least one local root exploit because high level kernel code passed unverified parameters direct from the user to modprobe.
  So modprobe no longer trusts kernel input and switches to a safemode.

  Alpha architecture:
  modutils_2.3.11-13.1_alpha.deb
  http://security.debian.org/dists/potato/updates/main/binary-alpha/
  MD5 checksum: 6e4d54d87129ff14cbb667c69454bf0f

  ARM architecture:
  modutils_2.3.11-13.1_arm.deb
  http://security.debian.org/dists/potato/updates/main/binary-arm/
  MD5 checksum: 12d4bd14fbc6f5bea5e399e886fef1bd

  Intel ia32 architecture:
  modutils_2.3.11-13.1_i386.deb
  http://security.debian.org/dists/potato/updates/main/binary-i386/
  MD5 checksum: 14c86f702cfed261eb65fdcecaab9c4e

  Motorola 680x0 architecture:
  modutils_2.3.11-13.1_m68k.deb
  http://security.debian.org/dists/potato/updates/main/binary-m68k/
  MD5 checksum: 41579a25f953981cc3148aee14699145

  PowerPC architecture:
  modutils_2.3.11-13.1_powerpc.deb
  http://security.debian.org/dists/potato/updates/main/binary-powerpc/
  MD5 checksum: b551d48435268e338e673f21f08d997d

  Sun Sparc architecture:
  modutils_2.3.11-13.1_sparc.deb
  http://security.debian.org/dists/potato/updates/main/binary-sparc/
  MD5 checksum: a96dee6c2525ac409bd3c58c711133fe

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-911.html

* Debian: 'tcpdump' vulnerability
  November 20th, 2000

  During internal source code auditing by FreeBSD several buffer overflows were found which allow an attacker to make tcpdump crash by sending carefully crafted packets to a network that is being monitored with tcpdump.

  Alpha architecture:
  tcpdump_3.4a6-4.2_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: 7f89d984dbe54116c5aa34aae93e5357

  ARM architecture:
  tcpdump_3.4a6-4.2_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 69dd2892ef04adf55f74b80828c26f5e

  Intel ia32 architecture:
  tcpdump_3.4a6-4.2_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: 906068aaeebbcb5f50ea1b2dd1aec4c0

  Motorola 680x0 architecture:
  tcpdump_3.4a6-4.2_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: 17c6feed12c3875d051659526f16393f

  PowerPC architecture:
  tcpdump_3.4a6-4.2_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: c850bdecfe6aded7728ef4b6d6549d8e

  Sun Sparc architecture:
  tcpdump_3.4a6-4.2_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: b7fbc7275e859c0b0db165349ecafaf0

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-893.html

+---------------------------------+
|  FreeBSD Advisories             | ----------------------------//
+---------------------------------+

* FreeBSD: 'curl' vulnerability
  November 20th, 2000

  Malicious FTP server operators can execute arbitrary code on the local system when a file is downloaded from this server. If you have not chosen to install the curl port/package, then your system is not vulnerable to this problem.

  PATCH AVAILABLE IN VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-895.html

* FreeBSD: 'thttpd' ports vulnerability
  November 20th, 2000

  Remote users may access any file on the system accessible to the web server user (user 'nobody' in the default installation). If you have not chosen to install the thttpd port/package, then your system is not vulnerable to this problem.

  PATCH AVAILABLE IN VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-896.html

* FreeBSD: 'php' ports vulnerability
  November 20th, 2000

  Malicious remote users can execute arbitrary code on the local system as the user running the webserver (typically user 'nobody'). This vulnerability requires error logging to be enabled in php.ini or by using the syslog() php function in a script.

  PATCH AVAILABLE IN VENDOR ADVISORY

  Vendor Patch:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-897.html

* FreeBSD: 'telnet' vulnerability
  November 20th, 2000

  Remote users without a valid login account on the server can cause resources such as CPU and disk read bandwidth to be consumed, causing increased server load and possibly denying service to legitimate users.

  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/
  telnetd.patch.v1.1

  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/
  telnetd.patch.v1.1.asc

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-898.html

* FreeBSD: 'ncurses' vulnerability
  November 20th, 2000

  Certain setuid/setgid software (including FreeBSD base system utilities and third party ports/packages) may be vulnerable to a local exploit yielding privileged access. The /usr/bin/systat utility is known to be vulnerable to this problem in ncurses. At this time it is unknown whether /usr/bin/top and /usr/sbin/lpc are also affected. The problems were corrected prior to the release of FreeBSD 4.2.

  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/
  scan_ncurses.sh

  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/
  test_ncurses.sh

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-899.html

* FreeBSD: 'tcsh/csh' vulnerability
  November 20th, 2000

  Unprivileged local users can cause an arbitrary file writable by a victim to be overwritten when the victim invokes the '<<' operator in csh or tcsh (e.g. from within a shell script).
  If you have not installed the tcsh or 44bsd-csh ports on your 4.1.1-STABLE system dated after the correction date, your system is not vulnerable to this problem.

  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/tcsh.patch

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-900.html

* FreeBSD: 'mgetty' vulnerability
  November 20th, 2000

  Unprivileged local users may create or overwrite any file on the system. If you have not chosen to install the mgetty port/package, then your system is not vulnerable to this problem.

  PATCH AVAILABLE IN VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-894.html

+---------------------------------+
|  Mandrake Advisories            | ----------------------------//
+---------------------------------+

* Mandrake: 'pine' vulnerability
  November 21st, 2000

  By adding specific headers to messages, the pine mail reader could be made to exit with an error message when users attempted to manipulate mail folders containing those messages.

  Linux-Mandrake 7.1:
  MD5 Checksum: caf4defdd635fa882b35c16b0f556683
  7.1/RPMS/pine-4.30-3.2mdk.i586.rpm
  MD5 Checksum: 95a4a83fe3c602f9fc1416eff107952c
  7.1/SRPMS/pine-4.30-3.2mdk.src.rpm
  http://www.linux-mandrake.com/en/security/

  Linux-Mandrake 7.2:
  MD5 Checksum: 4213c046974d17cbce020814636de281
  7.2/RPMS/pine-4.30-3.1mdk.i586.rpm
  MD5 Checksum: eb24c5cc0c4878206b19c1f459831f39
  7.2/SRPMS/pine-4.30-3.1mdk.src.rpm
  http://www.linux-mandrake.com/en/security/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-902.html

* Mandrake: 'joe' symlink vulnerability
  November 21st, 2000

  When exiting joe in a non-standard way (such as a system crash, closing an xterm, or a network connection going down), joe will unconditionally append its open buffers to the file DEADJOE. This can be exploited by the creation of DEADJOE symlinks in directories where root would normally use joe.
  In this way, joe could be used to append garbage to potentially sensitive files, resulting in a denial of service or other problems.

  Linux-Mandrake 7.1:
  MD5 Checksum: 970975000a64dc08d8498f8d3e5d25f8
  http://www.linux-mandrake.com/en/security/
  7.1/RPMS/joe-2.8-21.2mdk.i586.rpm

  Linux-Mandrake 7.2:
  MD5 Checksum: 409c7433858b819619f481597fbb18ea
  http://www.linux-mandrake.com/en/security/
  7.2/RPMS/joe-2.8-21.1mdk.i586.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-901.html

+---------------------------------+
|  Red Hat Advisories             | ----------------------------//
+---------------------------------+

* Redhat: 'openssh' vulnerability
  November 22nd, 2000

  An OpenSSH client will do agent or X11 forwarding at the request of a server, even if the user has not requested that it be done. A malicious server can exploit this vulnerability to gain access to the user's display.

  ftp://updates.redhat.com/7.0/i386/openssh-2.3.0p1-4.i386.rpm
  MD5 Checksum: 973c033bd3cf3e3641f7fb9d172baf5a

  ftp://updates.redhat.com/7.0/i386/openssh-clients-2.3.0p1-4.i386.rpm
  MD5 Checksum: 51fe082e6830e461a900000e2884cb14

  ftp://updates.redhat.com/7.0/i386/openssh-server-2.3.0p1-4.i386.rpm
  MD5 Checksum: dd9bb3271403162202599d3cd8b9a22e

  ftp://updates.redhat.com/7.0/i386/openssh-askpass-2.3.0p1-4.i386.rpm
  MD5 Checksum: ead1cc84519f5a6fa0233ce8d3237457

  ftp://updates.redhat.com/7.0/i386/openssh-askpass-gnome-2.3.0p1-4.i386.rpm
  MD5 Checksum: d426ff6c55181f8ccbea6e2f7a307b99

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-907.html

* Redhat: 'ghostscript' vulnerability
  November 22nd, 2000

  ghostscript makes use of mktemp to create temp files, which is an insecure and predictable approach; it is now patched to use mkstemp, which avoids the race condition on the name. It also uses improper LD_RUN_PATH values, causing ghostscript to search for libraries to load in the current directory.

  ftp://updates.redhat.com/6.2/i386/ghostscript-5.50-8_6.x.i386.rpm
  MD5 Checksum: e11e7ec51f8e6051e50c5a93738f49ed

  ftp://updates.redhat.com/6.2/i386/ghostscript-5.50-8_6.x.i386.rpm
  MD5 Checksum: 0d5f4448d5245721b1e2762f360791f2

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-909.html

* RedHat: 'modutils' vulnerability
  November 22nd, 2000

  The previous packages of modutils released to address a local root compromise contained an error in new safe guards that caused them to not properly be enabled when run as root from the kmod process. These new safe guards check the arguments passed to modules. The new 2.3.21 modutils package fixes this error and correctly checks the arguments when running from kmod, limiting kernel module arguments to those specified in /etc/conf.modules (on Red Hat Linux 6.2) or /etc/modules.conf (on Red Hat Linux 7). This release supersedes the previous modutils errata packages.

  Red Hat Linux 6.2:
  alpha: ftp://updates.redhat.com/6.2/alpha/modutils-2.3.21-0.6.2.alpha.rpm
  sparc: ftp://updates.redhat.com/6.2/sparc/modutils-2.3.21-0.6.2.sparc.rpm
  i386: ftp://updates.redhat.com/6.2/i386/modutils-2.3.21-0.6.2.i386.rpm

  Red Hat Linux 7.0:
  i386: ftp://updates.redhat.com/7.0/i386/modutils-2.3.21-1.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-912.html

* Redhat: 'joe' update
  November 20th, 2000

  When exiting joe in a nonstandard way (such as a system crash, closing an xterm, or a network connection going down), joe will unconditionally append its open buffers to the file "DEADJOE". This could be exploited by the creation of DEADJOE symlinks in directories where root would normally use joe. In this way, joe could be used to append garbage to potentially-sensitive files, resulting in a denial of service.

  Red Hat Linux 7.0 i386:
  ftp://updates.redhat.com/7.0/i386/joe-2.8-43.i386.rpm
  MD5 Checksum: 1578b0e184b76b23d2a30b101f1665d4

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-891.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
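
The ghostscript (mktemp), elvis-tiny (missing O_EXCL) and joe (DEADJOE) items in the newsletter above describe one class of bug with one fix; the following is an added example, not code from the newsletter or from any vendor patch. Function names, the victim file and the /tmp scratch paths are assumptions, and the scenario is constructed inside a private directory that the code creates and removes.

```c
/* Added example, not code from the newsletter or from any vendor patch.
 * Function names and scratch paths are hypothetical. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write data to fd, close it, and return 0 or the errno of the failure. */
static int write_and_close(int fd, const char *data)
{
    int rc = write(fd, data, strlen(data)) < 0 ? errno : 0;
    close(fd);
    return rc;
}

/* Weak pattern: append to a fixed name, following any symlink that was
 * placed there beforehand. Returns 0 on success or an errno value. */
int append_following_links(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    return fd < 0 ? errno : write_and_close(fd, data);
}

/* Hardened pattern: with O_CREAT|O_EXCL, open() fails with EEXIST if
 * anything, including a symlink, already occupies the name. */
int create_exclusive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? errno : write_and_close(fd, data);
}

/* mkstemp() chooses the name and opens it exclusively in one call, so no
 * window exists between picking a name and opening it (unlike mktemp()).
 * Returns the descriptor, rewrites tmpl, and reports the file mode. */
int create_temp(char *tmpl, mode_t *mode_out)
{
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd >= 0 && fstat(fd, &st) == 0)
        *mode_out = st.st_mode & 0777;
    return fd;
}

/* Constructed scenario: a private directory holding a victim file and a
 * DEADJOE symlink that points at it. Runs one writer against DEADJOE and
 * reports how many bytes the victim file grew by. */
int run_scenario(int (*writer)(const char *, const char *), long *grew)
{
    char dir[] = "/tmp/symdemo.XXXXXX";
    char victim[64], deadjoe[64];
    struct stat before, after;
    int rc = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(deadjoe, sizeof deadjoe, "%s/DEADJOE", dir);
    if (create_exclusive(victim, "important=1\n") == 0 &&
        symlink(victim, deadjoe) == 0 && stat(victim, &before) == 0) {
        rc = writer(deadjoe, "*** editor buffers ***\n");
        if (stat(victim, &after) == 0)
            *grew = (long)(after.st_size - before.st_size);
    }
    unlink(deadjoe);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    long grew = 0;
    int rc = run_scenario(append_following_links, &grew);
    printf("append via symlink: rc=%d, victim grew %ld bytes\n", rc, grew);
    rc = run_scenario(create_exclusive, &grew);
    printf("O_EXCL create: rc=%d (%s), victim grew %ld bytes\n",
           rc, strerror(rc), grew);
    return 0;
}
```

A caller that receives EEXIST from the exclusive create should treat the name as hostile and pick a fresh one rather than unlink and retry, since removal reopens the same window.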