Information Security News mailing list archives

Linux Advisory Watch, September 22nd 2000


From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 29 Sep 2000 11:25:40 -0400

+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux  Advisory Watch  |
|  September 22nd, 2000                    Volume 1, Number 22a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com       ben () linuxsecurity com

Linux Advisory Watch is a comprehensive newsletter that outlines
the security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for esound, lprng, sysklogd, xpdf,
imp/horde, mod_rewrite, and catopen().  The vendors include Apache,
Caldera, Mandrake, FreeBSD, and Conectiva.  It is critical that you update
all vulnerable packages.  Syslogd continues to be a problem on most
systems.  Last week, eight vendors released fixes to this problem.
Please refer to last week's newsletter for additional information on
syslogd.

http://www.linuxsecurity.com/articles/forums_article-1620.html

Perhaps one of the more serious advisories released this week is the LPRng
format string vulnerability outlined by Caldera.  In the LPRng printer
daemon there is a format bug that could potentially be exploited to gain
root access.  This is particularly severe because it can be exercised
remotely.


-- OpenDoc Publishing ------------------------------------------//

Our sponsor this week is OpenDoc Publishing.  Their 480-page comprehensive
security book, Securing and Optimizing Linux, takes a hands-on approach to
installing, optimizing, configuring, and securing Red Hat Linux. Topics
include sendmail 8.10.1, OpenSSL, ApacheSSL, OpenSSH and much more!
Includes Red Hat 6.2 and Red Hat 6.2 PowerTools edition.

https://secure.linuxports.com/cart/security/

+---------------------------------+
|   Installing a new package:   | ----------------------------//
+---------------------------------+

   # rpm  -Uvh <filename>
   # dpkg -i <filename>

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager).  Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.

+---------------------------------+
|   Checking Package Integrity:   | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied.  It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.

  # md5sum <filename>
    ebf0d4a0d236453f63a797ea20f0758b

The resulting string can then be compared against the MD5 checksum
published by the packager.  While this does not account for the
possibility that whoever modified a package also modified the
published checksum, it is especially useful for establishing a
great deal of assurance in the integrity of a package before
installing it.


+---------------------------------+
|       Apache Advisory           | ----------------------------//
+---------------------------------+

* Apache: mod_rewrite vulnerability
September 27th, 2000

The Apache development list this week contains a fix for a security
issue that affects previous versions of Apache, including Apache
1.3.12. Apache is only vulnerable if you use mod_rewrite and a
specific case of the directive RewriteRule. If the result of a
RewriteRule is a filename that contains regular expression references
then an attacker may be able to access any file on the web server.

 Updated Package: (see full advisory)
 http://www.linuxsecurity.com/advisories/other_advisory-741.html


+---------------------------------+
|        Caldera Advisories       | ----------------------------//
+---------------------------------+

* Caldera:  'LPRng' format string vulnerability
September 25th, 2000

There is a format bug in the LPRng printer daemon that could possibly
be exploited to obtain root privilege. This problem is particularly
severe because it can be exercised remotely.

 Updated Package: LPRng-3.5.3-3
 ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

http://www.linuxsecurity.com/advisories/caldera_advisory-740.html


+---------------------------------+
|        Conectiva Advisory       | ----------------------------//
+---------------------------------+


* Conectiva: imp vulnerability
September 23rd, 2000

There are several vulnerabilities in the horde and imp packages
shipped with Conectiva Linux that allow a user to execute remote
commands on the server as the user "nobody".

 Updated Package: imp (see full advisory)
 ftp://atualizacoes.conectiva.com.br/

http://www.linuxsecurity.com/advisories/other_advisory-737.html


+---------------------------------+
|        FreeBSD Advisory         | ----------------------------//
+---------------------------------+

* FreeBSD:  'catopen()' vulnerability
September 27th, 2000

Certain setuid/setgid third-party software (including FreeBSD
ports/packages) may be vulnerable to a local exploit yielding
privileged access. No such software is however currently known.

 Updated Package: (see full advisory)

http://www.linuxsecurity.com/advisories/freebsd_advisory-743.html


+---------------------------------+
|       Mandrake Advisories       | ----------------------------//
+---------------------------------+


* Mandrake:  'esound' update
September 27th, 2000

A problem exists with the esound daemon, which is used in GNOME and
responsible for multiplexing access to audio devices. Versions of
esound prior to and including 0.2.19 create a world-writable
directory in /tmp called .esd which is owned by the user running
esound. This directory is used to store a unix domain socket. The
socket is also created world-writable, so a race condition exists in
the creation of this socket which allows a local attacker to cause an
arbitrary file or directory owned by the user running esound to
become world-writable. This update contains a patch from FreeBSD
which creates ~/.esd as the temporary directory to use and makes the
unix domain socket read and write only to the user.

 Updated Package: esound-0.2.17-3mdk
 ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates

http://www.linuxsecurity.com/advisories/mandrake_advisory-742.html
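
The fix described above (a per-user directory and an owner-only socket), as an added example; this is not the esound or FreeBSD patch, and the function name and the "socket" file name are illustrative. The directory is checked with lstat() so a planted symlink or a group/world-writable directory is refused, and the umask is tightened around bind() so the socket is never created world-writable.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Create (or reuse) a private directory `dir` and bind a unix domain
 * socket named "socket" inside it. Returns the bound fd, or -1.
 * `dir` stands in for something like ~/.esd (illustrative path). */
int bind_private_socket(const char *dir)
{
    struct stat st;
    struct sockaddr_un addr;

    /* mkdir() does not follow a symlink at the final component; an
     * existing entry is tolerated only if the checks below pass. */
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    /* lstat(), not stat(): a symlink planted at `dir` must be refused. */
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;

    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    if (snprintf(addr.sun_path, sizeof addr.sun_path, "%s/socket", dir)
            >= (int)sizeof addr.sun_path)
        return -1;               /* path too long for sun_path */

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    unlink(addr.sun_path);       /* stale socket from a previous run */
    mode_t old = umask(077);     /* no group/other bits on the socket */
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    umask(old);
    if (rc != 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```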



* Mandrake:  'sysklogd' update
September 25th, 2000

A problem exists with the kernel logging daemon (klogd) in the
sysklogd package. A "format bug" makes klogd vulnerable to local root
compromise, as well as the possibility for remote vulnerabilities
under certain circumstances, which are improbable. There is also a
more probable semi-remote exploit via knfsd. This update provides a
patched version of klogd that fixes these vulnerabilities.

 Updated Package: sysklogd-1.3.31-18mdk
 ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates

http://www.linuxsecurity.com/advisories/mandrake_advisory-739.html



* Mandrake:  'xpdf' update
September 25th, 2000

There is a potential race condition when using tmpnam() and fopen()
in xpdf versions prior to 0.91. This exploit can only be used as root
to overwrite arbitrary files if a symlink is created between the
calls to tmpnam() and fopen(). There is also a problem with
malicious URL-type links in PDF documents that contain quote
characters which could also potentially be used to execute arbitrary
commands. This is due to xpdf calling system() with a netscape (or
similar) command plus the URL. The 0.91 release of xpdf fixes both of
these potential problems. Although there are no known exploits, users
are encouraged to upgrade their system with these updates.

 Updated Package: xpdf-0.91-4mdk
 ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates

http://www.linuxsecurity.com/advisories/mandrake_advisory-738.html
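
The tmpnam()/fopen() race described above, next to the usual fix, as an added example (not xpdf's code or the 0.91 patch; function names are illustrative). The racy pattern picks a name and opens it in two steps, so a symlink created in between is followed; mkstemp(), or open() with O_CREAT|O_EXCL, creates the file atomically and fails if anything already exists at the path.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern from the advisory, shown for contrast only (not compiled):
 *     char *name = tmpnam(NULL);     // step 1: pick a name
 *     FILE *f = fopen(name, "w");    // step 2: open it, following any
 *                                    // symlink created since step 1
 */

/* Safe: mkstemp() picks the name and creates the file in one atomic
 * step (O_CREAT|O_EXCL, mode 0600). tmpl must end in "XXXXXX" and is
 * overwritten with the chosen name. Returns a FILE* or NULL. */
FILE *open_private_temp(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "w+");
    if (f == NULL) {
        close(fd);
        unlink(tmpl);
    }
    return f;
}

/* Safe when the name is fixed in advance: O_EXCL makes open() fail with
 * EEXIST if the path exists, including when it is a symlink (dangling or
 * not), so a planted link is never followed. Returns fd or -1. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Returns the permission bits of an open stream's file, or -1. */
int stream_mode(FILE *f)
{
    struct stat st;
    if (fstat(fileno(f), &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}
```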


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com