Date:         Fri, 26 Jan 2001 18:39:23 -0500
From: vuln-newsletter-admins@LINUXSECURITY.COM
Subject:      [ISN] Linux Advisory Watch - January 26th 2001
To: ISN@SECURITYFOCUS.COM

+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux  Advisory Watch  |
|  January 26th, 2001                      Volume 2, Number 4a   |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave@linuxsecurity.com       ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for icecast, MySQL, kdesu, glibc,
splitvt, micq, sash, wu-ftpd, jazip, tinyproxy, squid, php, apache,
exmh, ipfw, ip6fw, XFree86, crontab, and bind. The vendors include
Conectiva, Caldera, Debian, FreeBSD, Mandrake, Red Hat, SuSE, and
Trustix.

It has been a very active week in Linux security.  Most of the focus
has surrounded the Ramen worm, but other problems have surfaced.
Among them, a few vulnerabilities found may result in remote root
compromises.  With this, it is extremely important to verify which
packages you have installed and update accordingly.

===================================================================

Are you vulnerable to Ramen?

A self-propagating worm known as Ramen is exploiting multiple
Red Hat 6.2-7.0 systems.   Servers running wu-ftpd, rpc.statd, or
LPRng could be vulnerable to exploit.
After attacking a system, Ramen defaces index.html if it is a
webserver, and then continues to scan for other vulnerable systems.

Here we have provided you with specific links to close the
vulnerabilities that the Ramen worm exploits:

Red Hat 6.2 - wu-ftpd

 6/23/2000 23:14 : RedHat: wu-ftpd update
 http://www.linuxsecurity.com/advisories/redhat_advisory-500.html

Red Hat 6.2 - nfs-utils

 7/17/2000 23:19 : RedHat: Updated package for nfs-utils available
 http://www.linuxsecurity.com/advisories/redhat_advisory-562.html

 7/21/2000 13:32 : RedHat: UPDATE: nfs-utils vulnerability
 http://www.linuxsecurity.com/advisories/redhat_advisory-572.html

Red Hat 7.0 - LPRng

 09/26/2000 13:28 : Redhat: 'LPRng' vulnerability
 http://www.linuxsecurity.com/advisories/redhat_advisory-753.html


===================================================================

HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
| Installing a new package:       | ------------------------------//
+---------------------------------+

# rpm -Uvh <package-file>
# dpkg -i <package-file>

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.

+---------------------------------+
| Checking Package Integrity:     | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.

# md5sum <package-file>
ebf0d4a0d236453f63a797ea20f0758b

The resulting string can then be compared against the MD5 checksum
published by the packager. This does not account for the possibility
that whoever modified a package may also have modified the published
checksum, but it is still especially useful for establishing a great
deal of assurance in the integrity of a package before installing.
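
The comparison described above, as an added example that is not part
of the original newsletter: it converts advisory text in the two
layouts used below (a package line followed by a bare MD5 line or by
an "MD5 checksum:" line) into a manifest and checks files with
md5sum -c. The function names, the example.com/example.org hosts and
the demo-* files are constructed for illustration; GNU md5sum, awk
and mktemp are assumed.

```shell
#!/bin/sh
# Added example: build an "md5sum -c" manifest from advisory text and
# verify downloaded packages against it. All names are hypothetical.

# advisory_to_manifest: read advisory text on stdin and print
# "<md5>  <file>" lines. A package line is a path or URL ending in
# .rpm or .deb; its hash is the next line holding 32 hex digits,
# optionally prefixed with "MD5 checksum:".
advisory_to_manifest() {
    awk '
        {
            line = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)
        }
        line ~ /\.(rpm|deb)$/ {
            n = split(line, parts, "/")
            pkg = parts[n]          # keep only the file name
            next
        }
        {
            sub(/^MD5 checksum:[ \t]*/, "", line)
        }
        pkg != "" && length(line) == 32 && line ~ /^[0-9a-fA-F]+$/ {
            print tolower(line) "  " pkg
            pkg = ""
        }
    '
}

# verify_packages DIR MANIFEST: check every file named in MANIFEST
# inside DIR. Returns 0 only if all files exist and match.
verify_packages() {
    dir=$1
    manifest=$2
    [ -s "$manifest" ] || { echo "empty manifest" >&2; return 2; }
    ( cd "$dir" && md5sum -c ) < "$manifest"
}

# run_demo: constructed files and a constructed advisory excerpt;
# verifies them, then modifies one file and verifies again.
run_demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed package A\n' > "$tmp/demo-a-1.0-1.i386.rpm"
    printf 'constructed package B\n' > "$tmp/demo-b_1.0-1_i386.deb"
    sum_a=$(md5sum < "$tmp/demo-a-1.0-1.i386.rpm" | cut -d' ' -f1)
    sum_b=$(md5sum < "$tmp/demo-b_1.0-1_i386.deb" | cut -d' ' -f1)
    cat > "$tmp/advisory.txt" <<EOF
 ftp://updates.example.com/7.0/i386/demo-a-1.0-1.i386.rpm
 $sum_a

 http://security.example.org/dists/stable/updates/main/
 binary-i386/demo-b_1.0-1_i386.deb

 MD5 checksum: $sum_b
EOF
    advisory_to_manifest < "$tmp/advisory.txt" > "$tmp/manifest"
    clean=0
    verify_packages "$tmp" "$tmp/manifest" >/dev/null 2>&1 || clean=$?
    printf 'tampered\n' >> "$tmp/demo-b_1.0-1_i386.deb"
    tampered=0
    verify_packages "$tmp" "$tmp/manifest" >/dev/null 2>&1 || tampered=$?
    rm -rf "$tmp"
    echo "clean=$clean tampered=$tampered"
}

run_demo
```

A match only shows that the file agrees with the sum in the text that
was fed in, so the advisory text should come from a channel separate
from the package download.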



+---------------------------------+
|  Conectiva                      | ----------------------------//
+---------------------------------+


* Conectiva:  'MySQL' buffer overflow
January 26th, 2001

MySQL is a very popular database. Versions older than 3.23.31 have a
buffer overflow vulnerability that could be exploited remotely
depending on how the database access is configured (via web, for
example).

 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
 MySQL-3.23.32-2cl.i386.rpm

 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
 MySQL-client-3.23.32-2cl.i386.rpm

 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
 MySQL-devel-3.23.32-2cl.i386.rpm

 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
 MySQL-devel-static-3.23.32-2cl.i386.rpm

 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
 MySQL-bench-3.23.32-2cl.i386.rpm

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1093.html



* Conectiva:  'icecast' format string vulnerability
January 25th, 2001

"icecast" is a server used to distribute audio streams to compatible
clients such as winamp, mpg123, xmms and many others. The "Packet
Knights" group has found a format string vulnerability on this
program that could be used to remotely execute arbitrary code on the
server with the privileges of the user running it, normally root.
This can lead to remote root compromise.

 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
 icecast-1.3.7-3cl.i386.rpm

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1086.html




+---------------------------------+
|  Caldera                        | ----------------------------//
+---------------------------------+


* Caldera:  'glibc' vulnerability
January 25th, 2001

The ELF shared library loader that is part of glibc supports the
LD_PRELOAD environment variable that lets a user request that
additional shared libraries should be loaded when starting a program.
Normally, this feature should be disabled for setuid applications
because of its security implications.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-1085.html


* Caldera:  'kdesu' password sniffing
January 23rd, 2001

KDE2 comes with a program called kdesu that is used to run certain
administration commands under the account of the super user (for
instance, every time the KDE control center asks you for the root
password, you actually talk to kdesu).

 PLEASE SEE VENDOR ADVISORY FOR UPDATE
 ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-1081.html




+---------------------------------+
|  Debian                         | ----------------------------//
+---------------------------------+

* Debian:  'exmh' temp file vulnerability
January 26th, 2001

Former versions of the exmh program used /tmp for storing temporary
files. No checks were made to ensure that nobody placed a symlink
with the same name in /tmp in the meantime, so the program was
vulnerable to a symlink attack. This could lead to a malicious local
user being able to overwrite any file writable by the user executing
exmh. Upstream developers have reported and fixed this. The exmh
program now uses /tmp/login unless TMPDIR or EXMHTMPDIR is set.

 PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES
 http://security.debian.org/dists/stable/updates/main/
 binary-all/exmh_2.1.1-1.1_all.deb

 MD5 checksum: 326c6374703977be603579435d328cf8

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1094.html



* Debian:  'apache' vulnerabilities
January 26th, 2001

WireX have found some occurrences of insecure opening of temporary
files in htdigest and htpasswd. Neither program is installed setuid
or setgid and thus the impact should be minimal. The Apache group has
released another security bugfix which fixes a vulnerability in
mod_rewrite which may allow a remote attacker to access arbitrary
files on the web server.

 PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES
  http://security.debian.org/dists/stable/updates/main/
 binary-i386/apache_1.3.9-13.2_i386.deb

 MD5 checksum: 252886b62b347fe41d492b22a23ef1f8

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/apache-common_1.3.9-13.2_i386.deb

 MD5 checksum: 0b3df81c96378160a86d8c47f2e06424

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/apache-dev_1.3.9-13.2_i386.deb

 MD5 checksum: 719bb4743340715230f0ca6d9167dc21

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1091.html



* Debian:  'php' vulnerability
January 25th, 2001

It is possible to specify PHP directives on a per-directory basis
which leads to a remote attacker crafting an HTTP request that would
cause the next page to be served with the wrong values for these
directives. Also even if PHP is installed, it can be activated and
deactivated on a per-directory or per-virtual host basis using the
"engine=on" or "engine=off" directive.

 PLEASE SEE VENDOR ADVISORY FOR COMPLETE UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1089.html



* Debian:  'squid' update
January 25th, 2001

WireX discovered a potential temporary file race condition in the way
that squid sends out email messages notifying the administrator about
updating the program. This could lead to arbitrary files being
overwritten. However the code would only be executed if running a
very bleeding edge release of squid, running a server whose time is
set some number of months in the past and squid is crashing. Read it
as hard to exploit. This version also contains more upstream bugfixes
wrt. dots in hostnames and improper HTML quoting.

 PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/squid-cgi_2.2.5-3.1_i386.deb

 MD5 checksum: bd1fcb943bb2c2ea86f95a1e0a5fa482

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/squid_2.2.5-3.1_i386.deb
 MD5 checksum: 04ccb01c216b5beb3949c751121c8fcb

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/squidclient_2.2.5-3.1_i386.deb
 MD5 checksum: 39bfe66b003157e90937d28ab6a0193a

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1088.html



* Debian:  'wu-ftpd' vulnerabilities
January 23rd, 2001

Security people at WireX have noticed a temp file creation bug and
the WU-FTPD development team has found a possible format string bug
in wu-ftpd. Both could be remotely exploited, though no such exploit
exists currently.

 PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/wu-ftpd_2.6.0-5.2_i386.deb

 MD5 checksum: 5cdd2172e1b2459f1115cf034c91fe40

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1073.html



* Debian:  'jazip' vulnerability
January 23rd, 2001

With older versions of jazip, members of the floppy group could gain
root access to the local machine. The interface doesn't run as root
anymore, so this very exploit is prevented. The program now also
truncates DISPLAY to 256 characters if it is bigger, which closes the
buffer overflow (within xforms).

 PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/jazip_0.33-1_i386.deb

 MD5 checksum: f74f5c4038a4ca62695ba42efac2d60b

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1074.html



* Debian:  'tinyproxy' vulnerability
January 23rd, 2001

PkC have found a heap overflow in tinyproxy that could be remotely
exploited. An attacker could gain a shell (user nobody) remotely. We
recommend you upgrade your tinyproxy package immediately.

 PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/tinyproxy_1.3.1-2_i386.deb
 MD5 checksum: e542b2d9f936912d2b5d39eb2adbf39d

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1078.html




* Debian:  Updated 'wu-ftpd' ia32 packages
January 23rd, 2001

This additional advisory only announces a recompile of the package
for the Intel ia32 architecture. The upload from yesterday was
lacking PAM support. This only required a recompile and contains no
other fixes.

http://www.linuxsecurity.com/advisories/debian_advisory-1080.html


* Debian: 'splitvt' multiple vulnerabilities
January 22nd, 2001

It was reported recently that splitvt is vulnerable to numerous
buffer overflow attacks and a format string attack. An attacker was
able to gain access to the tty group.

 PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES
  http://security.debian.org/dists/stable/updates/main/
 binary-i386/splitvt_1.6.5-0potato1_i386.deb

 MD5 checksum: ccb41228b11505bb25dc2f09830b3964

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1071.html




* Debian: 'sash' incorrect permissions
January 22nd, 2001

Versions of sash prior to 3.4-4 did not clone /etc/shadow properly,
which led to files readable by anybody. This was fixed by the
Debian maintainer.

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/sash_3.4-6_i386.deb

 MD5 checksum: 4273648c65527f88855887f97bb6eeab

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1070.html



* Debian: 'mysql' remote buffer overflow
January 22nd, 2001

Nicolas Gregoire has reported a buffer overflow in the mysql server
that leads to a remote exploit. An attacker could gain mysqld
privileges (and thus gaining access to all the databases).

 PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/mysql-client_3.22.32-4_i386.deb

 MD5 checksum: 031e0992c9af127c7de18283b010f9c6

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/mysql-server_3.22.32-4_i386.deb

 MD5 checksum: 6c5d13c169629390112c6db75e5a0d29

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1072.html



* Debian: 'micq' remote buffer overflow
January 22nd, 2001

PkC has reported that there is a buffer overflow in sprintf() in micq
versions 0.4.6 that allows a remote attacker able to sniff packets
to the ICQ server to execute arbitrary code on the victim system.

 PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/micq_0.4.3-4_i386.deb
 MD5 checksum: b5a2d7327ffc35ab49a1e4f64c6f2567

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1062.html




+---------------------------------+
|  FreeBSD                        | ----------------------------//
+---------------------------------+

* FreeBSD: UPDATE: 'crontab' vulnerability
January 25th, 2001

Malicious local users can read arbitrary local files that conform to
a valid crontab file syntax.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1090.html



* FreeBSD:  'bind' remote DoS
January 24th, 2001

Malicious remote users can cause the named daemon to crash, if it is
configured to allow zone transfers and recursive queries.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1082.html



* FreeBSD:  Several 'XFree86' ports vulnerabilities
January 23rd, 2001

Local or remote users may cause a denial of service attack against an
X server or certain X applications. Local users may obtain elevated
privileges with certain X applications. If you have not chosen to
install the XFree86 3.3.6 port/package or the XFree86-aoutlibs
port/package, or you are running XFree86 4.0.1 or later, then your
system is not vulnerable to this problem.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1079.html



* FreeBSD:  'ipfw/ip6fw' vulnerability
January 23rd, 2001

Remote attackers who construct TCP packets with the ECE flag set may
bypass certain ipfw rules, allowing them to potentially circumvent
the firewall.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1076.html



* FreeBSD:  'crontab' vulnerability
January 23rd, 2001

Malicious local users can read arbitrary local files that conform to
a valid crontab file syntax.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1077.html




+---------------------------------+
|  Mandrake                       | ----------------------------//
+---------------------------------+


* Mandrake:  'MySQL' vulnerability
January 26th, 2001

A security problem exists in all versions of MySQL after 3.23.2 and
prior to 3.23.31. The problem is that the SHOW GRANTS command could
be executed by any user making it possible for anyone with a MySQL
account to get the crypted password from the mysql.user table. The
new 3.23.31 version fixes this.

 PLEASE SEE VENDOR ADVISORY FOR COMPLETE UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1096.html



* Mandrake:  'exmh' temp file vulnerability
January 26th, 2001

All versions of exmh prior to 2.3.1 use the /tmp directory for
storing temporary files. This was done in an insecure manner as exmh
did not check to ensure that nobody placed a symlink with the same
name in /tmp in the meantime and thus was vulnerable to a symlink
attack. This could lead to a malicious local user being able to
overwrite any file writable by the user executing exmh. These updated
versions of exmh now use /tmp/username unless TMPDIR or EXMHTMPDIR is
set.

 7.2/RPMS/exmh-2.2-4.1mdk.noarch.rpm
 http://www.linux-mandrake.com/en/ftp.php3
 efdd5d3fecc72805d1099693a6dfc7cb

 7.2/SRPMS/exmh-2.2-4.1mdk.src.rpm
 http://www.linux-mandrake.com/en/ftp.php3
 1ac6b56522683d758aeda0e2c14fb7b6

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1095.html



* Mandrake: 'MySQL' & 'php' vulnerabilities
January 22nd, 2001

A security problem exists in all versions of MySQL after 3.23.2 and
prior to 3.23.31. The problem is that the SHOW GRANTS command could
be executed by any user making it possible for anyone with a MySQL
account to get the crypted password from the mysql.user table. The
new 3.23.31 version fixes this.

 PLEASE SEE VENDOR ADVISORY FOR COMPLETE UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1063.html




+---------------------------------+
|  Red Hat                        | ----------------------------//
+---------------------------------+

* Red Hat:  'micq' buffer overflow
January 25th, 2001

New micq packages are available which fix a buffer overflow
vulnerability. A buffer overflow exists in the micq package, which
allows arbitrary commands to be executed. This update fixes the
problem.

 ftp://updates.redhat.com/powertools/7.0/i386/micq-0.4.6-2.i386.rpm
 f3225579995fae731b7db74d7f8c3763

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-1087.html




* Red Hat:  'php' updates
January 24th, 2001

Clients uploading "multipart/form-data" information with form
requests could cause PHP 3.0.17 to crash. The GD module was not
compiled into the previously-issued PHP 4.0.3pl1 errata packages. The
php-mysql package is linked against an older version of the
libmysqlclient shared library, which was obsoleted by a previous
MySQL errata. Security holes in versions 4.0.0 through 4.0.4 of the
PHP Apache module have been found.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-1084.html



* Red Hat:  'icecast' format string vulnerability
January 24th, 2001

A string format vulnerability that allows the execution of arbitrary
commands exists in all versions of icecast. A patch was posted to
Bugtraq to solve the problem and has been incorporated into this
update. All users of icecast should apply this update.

 PLEASE SEE VENDOR ADVISORY FOR OTHER ARCHITECTURES
 ftp://updates.redhat.com/powertools/7.0/i386/
 icecast-1.3.8.beta2-3.i386.rpm

 9fc78917546ab1bc41fb9951d47bf749

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-1083.html



* Red Hat:  'mysql' vulnerabilities
January 23rd, 2001

The MySQL database that shipped with Red Hat Linux 7 and the updates
for it have been reported by the MySQL authors to have security
problems. These problems (buffer overflow and information protection
issues) have been fixed in version 3.23.32, which also contains the
earlier fixes.

 ftp://updates.redhat.com/7.0/i386/mysql-3.23.32-1.7.i386.rpm
 d8097aa8c188b386803267446286a01a

 ftp://updates.redhat.com/7.0/i386/mysql-devel-3.23.32-1.7.i386.rpm
 528a72c7b017458f6cad65978b93305e

 ftp://updates.redhat.com/7.0/i386/mysql-server-3.23.32-1.7.i386.rpm
 8ec7d8b903e1608de50f49196837e40c

 ftp://updates.redhat.com/7.0/i386/mysqlclient9-3.23.22-3.i386.rpm
 38a96abb2b68fa9354f715da47767386

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-1075.html






+---------------------------------+
|  SuSE                           | ----------------------------//
+---------------------------------+


* SuSE:  'glibc' vulnerability
January 26th, 2001

Its flexibility allows for some environment variables to influence
the linking process such as preloading shared libraries as well as
defining the path in which the linker will search for the shared
libraries. Special care must be exercised when runtime-linking
setuid- or setgid-binaries.

SuSE-6.2

ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/
shlibs-2.1.1-30.i386.rpm

b6b4cfe73e46c5b3bd5b626d68dfa584

Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1092.html




+---------------------------------+
|  Trustix                        | ----------------------------//
+---------------------------------+


* Trustix: 'glibc' vulnerability
January 21st, 2001

Trustix is, like many other linux distributions, based on Glibc 2.1.3
and is therefore open to the "preload hole" discussed in various
postings to bugtraq and other lists. This is a local security hole,
and all users of TSL should upgrade their boxes.

 glibc-2.1.3-14tr.i586.rpm
 d69cb9bf4b4e2054eca741b66bea7efe

 glibc-devel-2.1.3-14tr.i586.rpm
 89dc092c40a710f50461565ad77cd73b

 glibc-profile-2.1.3-14tr.i586.rpm
 f28b091857fa5819f89a5196d2cd9677

 nscd-2.1.3-14tr.i586.rpm
 8bbd1a727271cda776377960fd5a5207

 ftp://ftp.trustix.net/pub/Trustix/updates/

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1069.html


















------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com