Date: Fri, 26 Jan 2001 18:39:23 -0500
From: vuln-newsletter-admins@LINUXSECURITY.COM
Subject: [ISN] Linux Advisory Watch - January 26th 2001
To: ISN@SECURITYFOCUS.COM

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  January 26th, 2001                        Volume 2, Number 4a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                 Benjamin Thomas
               dave@linuxsecurity.com      ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for icecast, MySQL, kdesu, glibc,
splitvt, micq, sash, wu-ftpd, jazip, tinyproxy, squid, php, apache,
exmh, ipfw, ip6fw, XFree86, crontab, and bind. The vendors include
Conectiva, Caldera, Debian, FreeBSD, Mandrake, Red Hat, SuSE, and
Trustix.

It has been a very active week in Linux security. Most of the focus
has surrounded the Ramen worm, but other problems have surfaced. Among
them, a few of the vulnerabilities found may result in remote root
compromises. With this in mind, it is extremely important to verify
which packages you have installed and update accordingly.

===================================================================

Are you vulnerable to Ramen?

A self-propagating worm known as Ramen is exploiting multiple Red Hat
6.2-7.0 systems. Servers running wu-ftpd, rpc.statd, or LPRng could be
vulnerable to exploit. After attacking a system, Ramen defaces
index.html if it is a webserver, and then continues to scan for other
vulnerable systems.
Here we have provided you with specific links to close the
vulnerabilities that the Ramen worm exploits:

Red Hat 6.2 - wu-ftpd
  6/23/2000 23:14 : RedHat: wu-ftpd update
  http://www.linuxsecurity.com/advisories/redhat_advisory-500.html

Red Hat 6.2 - nfs-utils
  7/17/2000 23:19 : RedHat: Updated package for nfs-utils available
  http://www.linuxsecurity.com/advisories/redhat_advisory-562.html
  7/21/2000 13:32 : RedHat: UPDATE: nfs-utils vulnerability
  http://www.linuxsecurity.com/advisories/redhat_advisory-572.html

Red Hat 7.0 - LPRng
  09/26/2000 13:28 : Redhat: 'LPRng' vulnerability
  http://www.linuxsecurity.com/advisories/redhat_advisory-753.html

===================================================================

# FREE VISOR with purchase of Guardian Digital's Linux Lockbox #

Guardian Digital has just announced an offer for a free Handspring
Visor with the purchase of any secure Linux Lockbox. The Lockbox is an
Open Source network server appliance engineered to be a complete secure
e-business solution. It can be used as a commerce server, webserver,
DNS, mail, and database server. Please see Guardian Digital's website
for details.

http://www.guardiandigital.com/visoroffer.html

# OpenDoc Publishing #

Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and securing
Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL,
OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools
edition.

http://www.linuxsecurity.com/sponsors/opendocs.html

HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  Installing a new package:      | ------------------------------//
+---------------------------------+

  # rpm -Uvh
  # dpkg -i

Packages can be installed easily by using rpm (Red Hat Package Manager)
or dpkg (Debian Package Manager).
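As an added example that is not part of the newsletter, the POSIX shell
script below ties the install step above to the md5sum integrity check
explained in the "Checking Package Integrity" section: it computes the
MD5 digest of a downloaded package, compares it (case-insensitively)
with the checksum printed in the vendor advisory, and only on a match
hands the file to rpm -Uvh or dpkg -i. The function names, the
temporary demo file and its digest are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the newsletter: gate package installation on
# the MD5 checksum published in the vendor advisory.

# Print the MD5 hex digest of a file. md5sum is the Linux tool the
# newsletter describes; "md5 -q" is the BSD/macOS fallback.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED
# Exit status 0 if the digest of FILE equals EXPECTED, 1 otherwise.
# Both sides are lower-cased because advisories differ in hex case.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5_of "$file" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file  $actual"
        return 0
    fi
    echo "FAIL $file  expected $expected  got $actual" >&2
    return 1
}

# verify_then_install FILE EXPECTED  (hypothetical helper)
# Installs with rpm or dpkg, chosen by file extension, only after the
# checksum matches; a mismatch aborts before anything is touched.
verify_then_install() {
    verify_md5 "$1" "$2" || return 1
    case $1 in
        *.rpm) rpm -Uvh "$1" ;;
        *.deb) dpkg -i "$1" ;;
        *) echo "unknown package type: $1" >&2; return 1 ;;
    esac
}

# Demo on a constructed file with a known digest: MD5("hello") without a
# trailing newline is 5d41402abc4b2a76b9719d911017c592.
demo() {
    tmp=$(mktemp)
    printf 'hello' > "$tmp"
    verify_md5 "$tmp" 5d41402abc4b2a76b9719d911017c592
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo
```

In practice the EXPECTED argument is pasted from the advisory text (the
Debian entries below print it as "MD5 checksum:", the Red Hat and
Mandrake entries next to each file name); a FAIL result means the
download is corrupt or was altered in transit and should be fetched
again from the vendor before any install is attempted.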
Most advisories issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body of the
Advisories.

+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated sum
to determine whether the file has changed. It is commonly used to
ensure the integrity of updated packages distributed by a vendor.

  # md5sum
  ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person who modified a package may also have
modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing it.

+---------------------------------+
|  Conectiva                      | ----------------------------//
+---------------------------------+

* Conectiva: 'MySQL' buffer overflow
  January 26th, 2001

  MySQL is a very popular database. Versions older than 3.23.31 have a
  buffer overflow vulnerability that could be exploited remotely
  depending on how the database access is configured (via web, for
  example).
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-3.23.32-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-client-3.23.32-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-3.23.32-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-static-3.23.32-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-bench-3.23.32-2cl.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1093.html

* Conectiva: 'icecast' format string vulnerability
  January 25th, 2001

  "icecast" is a server used to distribute audio streams to compatible
  clients such as winamp, mpg123, xmms and many others. The "Packet
  Knights" group has found a format string vulnerability in this
  program that could be used to remotely execute arbitrary code on the
  server with the privileges of the user running it, normally root.
  This can lead to remote root compromise.

  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/icecast-1.3.7-3cl.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1086.html

+---------------------------------+
|  Caldera                        | ----------------------------//
+---------------------------------+

* Caldera: 'glibc' vulnerability
  January 25th, 2001

  The ELF shared library loader that is part of glibc supports the
  LD_PRELOAD environment variable that lets a user request that
  additional shared libraries should be loaded when starting a program.
  Normally, this feature should be disabled for setuid applications
  because of its security implications.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1085.html

* Caldera: 'kdesu' password sniffing
  January 23rd, 2001

  KDE2 comes with a program called kdesu that is used to run certain
  administration commands under the account of the super user (for
  instance, every time the KDE control center asks you for the root
  password, you actually talk to kdesu).
  PLEASE SEE VENDOR ADVISORY FOR UPDATE
  ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1081.html

+---------------------------------+
|  Debian                         | ----------------------------//
+---------------------------------+

* Debian: 'exmh' temp file vulnerability
  January 26th, 2001

  Former versions of the exmh program used /tmp for storing temporary
  files. No checks were made to ensure that nobody placed a symlink
  with the same name in /tmp in the meantime, and thus exmh was
  vulnerable to a symlink attack. This could lead to a malicious local
  user being able to overwrite any file writable by the user executing
  exmh. Upstream developers have reported and fixed this. The exmh
  program now uses /tmp/login unless TMPDIR or EXMHTMPDIR is set.

  PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

  http://security.debian.org/dists/stable/updates/main/binary-all/exmh_2.1.1-1.1_all.deb
  MD5 checksum: 326c6374703977be603579435d328cf8

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1094.html

* Debian: 'apache' vulnerabilities
  January 26th, 2001

  WireX have found some occurrences of insecure opening of temporary
  files in htdigest and htpasswd. Both programs are not installed
  setuid or setgid and thus the impact should be minimal. The Apache
  group has released another security bugfix which fixes a
  vulnerability in mod_rewrite which may allow a remote attacker to
  access arbitrary files on the web server.
  PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

  http://security.debian.org/dists/stable/updates/main/binary-i386/apache_1.3.9-13.2_i386.deb
  MD5 checksum: 252886b62b347fe41d492b22a23ef1f8
  http://security.debian.org/dists/stable/updates/main/binary-i386/apache-common_1.3.9-13.2_i386.deb
  MD5 checksum: 0b3df81c96378160a86d8c47f2e06424
  http://security.debian.org/dists/stable/updates/main/binary-i386/apache-dev_1.3.9-13.2_i386.deb
  MD5 checksum: 719bb4743340715230f0ca6d9167dc21

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1091.html

* Debian: 'php' vulnerability
  January 25th, 2001

  It is possible to specify PHP directives on a per-directory basis,
  which could allow a remote attacker to craft an HTTP request that
  would cause the next page to be served with the wrong values for
  these directives. Also, even if PHP is installed, it can be activated
  and deactivated on a per-directory or per-virtual host basis using
  the "engine=on" or "engine=off" directive.

  PLEASE SEE VENDOR ADVISORY FOR COMPLETE UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1089.html

* Debian: 'squid' update
  January 25th, 2001

  WireX discovered a potential temporary file race condition in the way
  that squid sends out email messages notifying the administrator about
  updating the program. This could lead to arbitrary files being
  overwritten. However, the code would only be executed if running a
  very bleeding edge release of squid, running a server whose time is
  set some number of months in the past, and squid is crashing. In
  other words, it is hard to exploit. This version also contains more
  upstream bugfixes regarding dots in hostnames and improper HTML
  quoting.
  PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

  http://security.debian.org/dists/stable/updates/main/binary-i386/squid-cgi_2.2.5-3.1_i386.deb
  MD5 checksum: bd1fcb943bb2c2ea86f95a1e0a5fa482
  http://security.debian.org/dists/stable/updates/main/binary-i386/squid_2.2.5-3.1_i386.deb
  MD5 checksum: 04ccb01c216b5beb3949c751121c8fcb
  http://security.debian.org/dists/stable/updates/main/binary-i386/squidclient_2.2.5-3.1_i386.deb
  MD5 checksum: 39bfe66b003157e90937d28ab6a0193a

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1088.html

* Debian: 'wu-ftpd' vulnerabilities
  January 23rd, 2001

  Security people at WireX have noticed a temp file creation bug and
  the WU-FTPD development team has found a possible format string bug
  in wu-ftpd. Both could be remotely exploited, though no such exploit
  exists currently.

  PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

  http://security.debian.org/dists/stable/updates/main/binary-i386/wu-ftpd_2.6.0-5.2_i386.deb
  MD5 checksum: 5cdd2172e1b2459f1115cf034c91fe40

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1073.html

* Debian: 'jazip' vulnerability
  January 23rd, 2001

  With older versions of jazip, a user who is a member of the floppy
  group could gain root access to the local machine. The interface
  doesn't run as root anymore and this very exploit was prevented. The
  program now also truncates DISPLAY to 256 characters if it is bigger,
  which closes the buffer overflow (within xforms).

  PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

  http://security.debian.org/dists/stable/updates/main/binary-i386/jazip_0.33-1_i386.deb
  MD5 checksum: f74f5c4038a4ca62695ba42efac2d60b

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1074.html

* Debian: 'tinyproxy' vulnerability
  January 23rd, 2001

  PkC have found a heap overflow in tinyproxy that could be remotely
  exploited. An attacker could gain a shell (user nobody) remotely. We
  recommend you upgrade your tinyproxy package immediately.
  PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

  http://security.debian.org/dists/stable/updates/main/binary-i386/tinyproxy_1.3.1-2_i386.deb
  MD5 checksum: e542b2d9f936912d2b5d39eb2adbf39d

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1078.html

* Debian: Updated 'wu-ftpd' ia32 packages
  January 23rd, 2001

  This additional advisory only announces a recompile of the package
  for the Intel ia32 architecture. The upload from yesterday was
  lacking PAM support. This only required a recompile and contains no
  other fixes.

  http://www.linuxsecurity.com/advisories/debian_advisory-1080.html

* Debian: 'splitvt' multiple vulnerabilities
  January 22nd, 2001

  It was reported recently that splitvt is vulnerable to numerous
  buffer overflow attacks and a format string attack. An attacker was
  able to gain access to the tty group.

  PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

  http://security.debian.org/dists/stable/updates/main/binary-i386/splitvt_1.6.5-0potato1_i386.deb
  MD5 checksum: ccb41228b11505bb25dc2f09830b3964

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1071.html

* Debian: 'sash' incorrect permissions
  January 22nd, 2001

  Versions of sash prior to 3.4-4 did not clone /etc/shadow properly,
  which left the resulting file readable by anybody. This was fixed by
  the Debian maintainer.

  http://security.debian.org/dists/stable/updates/main/binary-i386/sash_3.4-6_i386.deb
  MD5 checksum: 4273648c65527f88855887f97bb6eeab

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1070.html

* Debian: 'mysql' remote buffer overflow
  January 22nd, 2001

  Nicolas Gregoire has reported a buffer overflow in the mysql server
  that leads to a remote exploit. An attacker could gain mysqld
  privileges (and thus gain access to all the databases).
  PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

  http://security.debian.org/dists/stable/updates/main/binary-i386/mysql-client_3.22.32-4_i386.deb
  MD5 checksum: 031e0992c9af127c7de18283b010f9c6
  http://security.debian.org/dists/stable/updates/main/binary-i386/mysql-server_3.22.32-4_i386.deb
  MD5 checksum: 6c5d13c169629390112c6db75e5a0d29

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1072.html

* Debian: 'micq' remote buffer overflow
  January 22nd, 2001

  PkC has reported that there is a buffer overflow in sprintf() in micq
  version 0.4.6 that allows a remote attacker able to sniff packets to
  the ICQ server to execute arbitrary code on the victim system.

  PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

  http://security.debian.org/dists/stable/updates/main/binary-i386/micq_0.4.3-4_i386.deb
  MD5 checksum: b5a2d7327ffc35ab49a1e4f64c6f2567

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1062.html

+---------------------------------+
|  FreeBSD                        | ----------------------------//
+---------------------------------+

* FreeBSD: UPDATE: 'crontab' vulnerability
  January 25th, 2001

  Malicious local users can read arbitrary local files that conform to
  a valid crontab file syntax.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1090.html

* FreeBSD: 'bind' remote DoS
  January 24th, 2001

  Malicious remote users can cause the named daemon to crash, if it is
  configured to allow zone transfers and recursive queries.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1082.html

* FreeBSD: Several 'XFree86' ports vulnerabilities
  January 23rd, 2001

  Local or remote users may cause a denial of service attack against an
  X server or certain X applications. Local users may obtain elevated
  privileges with certain X applications.
  If you have not chosen to install the XFree86 3.3.6 port/package or
  the XFree86-aoutlibs port/package, or you are running XFree86 4.0.1
  or later, then your system is not vulnerable to this problem.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1079.html

* FreeBSD: 'ipfw/ip6fw' vulnerability
  January 23rd, 2001

  Remote attackers who construct TCP packets with the ECE flag set may
  bypass certain ipfw rules, allowing them to potentially circumvent
  the firewall.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1076.html

* FreeBSD: 'crontab' vulnerability
  January 23rd, 2001

  Malicious local users can read arbitrary local files that conform to
  a valid crontab file syntax.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1077.html

+---------------------------------+
|  Mandrake                       | ----------------------------//
+---------------------------------+

* Mandrake: 'MySQL' vulnerability
  January 26th, 2001

  A security problem exists in all versions of MySQL after 3.23.2 and
  prior to 3.23.31. The problem is that the SHOW GRANTS command could
  be executed by any user, making it possible for anyone with a MySQL
  account to get the crypted password from the mysql.user table. The
  new 3.23.31 version fixes this.

  PLEASE SEE VENDOR ADVISORY FOR COMPLETE UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1096.html

* Mandrake: 'exmh' temp file vulnerability
  January 26th, 2001

  All versions of exmh prior to 2.3.1 use the /tmp directory for
  storing temporary files. This was done in an insecure manner as exmh
  did not check to ensure that nobody placed a symlink with the same
  name in /tmp in the meantime, and thus was vulnerable to a symlink
  attack. This could lead to a malicious local user being able to
  overwrite any file writable by the user executing exmh.
  These updated versions of exmh now use /tmp/username unless TMPDIR or
  EXMHTMPDIR is set.

  7.2/RPMS/exmh-2.2-4.1mdk.noarch.rpm
    http://www.linux-mandrake.com/en/ftp.php3
    efdd5d3fecc72805d1099693a6dfc7cb
  7.2/SRPMS/exmh-2.2-4.1mdk.src.rpm
    http://www.linux-mandrake.com/en/ftp.php3
    1ac6b56522683d758aeda0e2c14fb7b6

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1095.html

* Mandrake: 'MySQL' & 'php' vulnerabilities
  January 22nd, 2001

  A security problem exists in all versions of MySQL after 3.23.2 and
  prior to 3.23.31. The problem is that the SHOW GRANTS command could
  be executed by any user, making it possible for anyone with a MySQL
  account to get the crypted password from the mysql.user table. The
  new 3.23.31 version fixes this.

  PLEASE SEE VENDOR ADVISORY FOR COMPLETE UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1063.html

+---------------------------------+
|  Red Hat                        | ----------------------------//
+---------------------------------+

* Red Hat: 'micq' buffer overflow
  January 25th, 2001

  New micq packages are available which fix a buffer overflow
  vulnerability. A buffer overflow exists in the micq package, which
  allows arbitrary commands to be executed. This update fixes the
  problem.

  ftp://updates.redhat.com/powertools/7.0/i386/micq-0.4.6-2.i386.rpm
    f3225579995fae731b7db74d7f8c3763

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1087.html

* Red Hat: 'php' updates
  January 24th, 2001

  Clients uploading "multipart/form-data" information with form
  requests could cause PHP 3.0.17 to crash. The GD module was not
  compiled into the previously-issued PHP 4.0.3pl1 errata packages. The
  php-mysql package is linked against an older version of the
  libmysqlclient shared library, which was obsoleted by a previous
  MySQL errata. Security holes in versions 4.0.0 through 4.0.4 of the
  PHP Apache module have been found.
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1084.html

* Red Hat: 'icecast' format string vulnerability
  January 24th, 2001

  A string format vulnerability that allows the execution of arbitrary
  commands exists in all versions of icecast. A patch was posted to
  Bugtraq to solve the problem and has been incorporated into this
  update. All users of icecast should apply this update.

  PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

  ftp://updates.redhat.com/powertools/7.0/i386/icecast-1.3.8.beta2-3.i386.rpm
    9fc78917546ab1bc41fb9951d47bf749

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1083.html

* Red Hat: 'mysql' vulnerabilities
  January 23rd, 2001

  The MySQL database that shipped with Red Hat Linux 7 and the updates
  for it have been reported by the MySQL authors to have security
  problems. These problems (buffer overflow and information protection
  issues) have been fixed in version 3.23.32, which also contains the
  earlier fixes.

  ftp://updates.redhat.com/7.0/i386/mysql-3.23.32-1.7.i386.rpm
    d8097aa8c188b386803267446286a01a
  ftp://updates.redhat.com/7.0/i386/mysql-devel-3.23.32-1.7.i386.rpm
    528a72c7b017458f6cad65978b93305e
  ftp://updates.redhat.com/7.0/i386/mysql-server-3.23.32-1.7.i386.rpm
    8ec7d8b903e1608de50f49196837e40c
  ftp://updates.redhat.com/7.0/i386/mysqlclient9-3.23.22-3.i386.rpm
    38a96abb2b68fa9354f715da47767386

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1075.html

+---------------------------------+
|  SuSE                           | ----------------------------//
+---------------------------------+

* SuSE: 'glibc' vulnerability
  January 26th, 2001

  Its flexibility allows for some environment variables to influence
  the linking process, such as preloading shared libraries as well as
  defining the path in which the linker will search for the shared
  libraries.
  Special care must be exercised when runtime-linking setuid- or
  setgid-binaries.

  SuSE-6.2
  ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/shlibs-2.1.1-30.i386.rpm
    b6b4cfe73e46c5b3bd5b626d68dfa584

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-1092.html

+---------------------------------+
|  Trustix                        | ----------------------------//
+---------------------------------+

* Trustix: 'glibc' vulnerability
  January 21st, 2001

  Trustix is, like many other Linux distributions, based on Glibc 2.1.3
  and is therefore open to the "preload hole" discussed in various
  postings to bugtraq and other lists. This is a local security hole,
  and all users of TSL should upgrade their boxes.

  glibc-2.1.3-14tr.i586.rpm          d69cb9bf4b4e2054eca741b66bea7efe
  glibc-devel-2.1.3-14tr.i586.rpm    89dc092c40a710f50461565ad77cd73b
  glibc-profile-2.1.3-14tr.i586.rpm  f28b091857fa5819f89a5196d2cd9677
  nscd-2.1.3-14tr.i586.rpm           8bbd1a727271cda776377960fd5a5207

  ftp://ftp.trustix.net/pub/Trustix/updates/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1069.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".