Linux Advisory Watch – April 11th, 2003

21
By Benjamin D.
Thomas

This week, advisories were released for snort, sendmail, samba, dhcp, file,
kernel ptrace, zlib, man, mutt, metrics, moxftp, glibc, heimdal, seti, kde,
apache, cvs, kerberos, mysql, httpd, and openssl.  The distributors include
Conectiva, Debian, Gentoo, Immunix, FreeBSD, Mandrake, Slackware, SuSE, and
Trustix.

LinuxSecurity Feature Extras:

Making
It Big: Large Scale Network Forensics (Part 2 of 2)
Proper methodology
for computer forensics would involve a laundry-list of actions and thought processes
that an investigator needs to consider in order to have the basics covered.

Making
It Big: Large Scale Network Forensics (Part 1 of 2)
– Computer forensics
have hit the big time. A previously superniche technology, forensics have
moved into the collective consciousness of IT sys. admins. and Corporate CSOs.

[ Linux
Advisory Watch
] – [ Linux
Security Week
] – [ PacketStorm
Archive
] – [ Linux Security
Documentation
]
 

 

The Linux Advisory Watch newsletter is developed by the community of volunteers
at LinuxSecurity.com and sponsored
by Guardian Digital, Inc., the open
source security company.    

 


 

 

Package: snort
Description: A
remote atacker able to insert specially crafted RPC traffic in the network
being monitored by snort may crash the sensor or execute arbitrary code
in the context of it, which is run by the root user.
Vendor Alerts: Conectiva:

Contectiva Vendor
Advisory:

http://www.linuxsecurity.com/advisories/connectiva_advisory-3114.html

 

Package: sendmail
Description: It
is believed to be possible for remote attackers to cause a Denial of Service
condition and to even execute arbitrary commands with the same permissions
under which the sendmail daemon runs, which is root. 
Vendor Alerts: Conectiva:

Contectiva Vendor
Advisory:

http://www.linuxsecurity.com/advisories/connectiva_advisory-3115.html
 

Debian:

Debian Vendor
Advisory:

http://www.linuxsecurity.com/advisories/debian_advisory-3119.html
 

NetBSD:

NetBSD Vendor
Advisory:

http://www.linuxsecurity.com/advisories/netbsd_advisory-3121.html
 

Slackware:

Slackware Vendor
Advisory:

http://www.linuxsecurity.com/advisories/slackware_advisory-3086.html

 

Package: samba
Description: The
SuSE Security Team performed a security audit in parts of the Samba project
code and found various problems in both the client and server implementations.
Among these problems is a buffer overflow[1] vulnerability in the packet
fragment re-assembly code. A remote attacker who is able to connect to
the samba server may gain root privileges on it by exploiting this vulnerability. 
The vulnerability also affects the client library code, thus it is possible
to exploit applications which use samba library functions by using a malicious
samba server to send traffic to them.  Additionally, a race condition[2]
was discovered which could allow a local attacker to overwrite critical
system files. 
Vendor Alerts: Conectiva:

Contectiva Vendor
Advisory:

http://www.linuxsecurity.com/advisories/connectiva_advisory-3116.html
http://www.linuxsecurity.com/advisories/connectiva_advisory-3142.html
 

Debian:

Debian Vendor
Advisory:

http://www.linuxsecurity.com/advisories/debian_advisory-3127.html
 

Gentoo:

Gentoo Vendor
Advisory:

http://www.linuxsecurity.com/advisories/gentoo_advisory-3146.html
 

Immunix:

Immunix Vendor
Advisory:

http://www.linuxsecurity.com/advisories/immunix_advisory-3129.html
 

Mandrake:

Mandrake Vendor
Advisory:

http://www.linuxsecurity.com/advisories/mandrake_advisory-3135.html
 

Red Hat:

Red Hat Vendor
Advisory:

http://www.linuxsecurity.com/advisories/redhat_advisory-3148.html
 

Slackware:

Slackware Vendor
Advisory:

http://www.linuxsecurity.com/advisories/slackware_advisory-3138.html
 

SuSE:

SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-3139.html
 

Trustix:

Trustix Vendor
Advisory:

http://www.linuxsecurity.com/advisories/trustix_advisory-3140.html

 

 

Package: dhcp
Description: Florian
Lohoff discovered[2] a vulnerability[3,4] in the way dhcrelay (part of
the dhcp package) forwards malicious BOOTP packets it receives to the dhcp
servers it contacts. An attacker could exploit this vulnerability to generate
a “storm” of BOOTP packets, causing a denial of service condition or a
misbehavior by the part of the dhcp server. 
Vendor Alerts: Conectiva:

Contectiva Vendor
Advisory:

http://www.linuxsecurity.com/advisories/connectiva_advisory-3117.html
 

Turbo Linux:

Turbo Linux Vendor
Advisory:

http://www.linuxsecurity.com/advisories/turbolinux_advisory-3113.html

 

Package: file
Description: iDefense
has found a buffer overflow vulnerability[1] in the file command. This
vulnerability can be triggered by the use of specially crafted files.
Vendor Alerts: Conectiva:

Contectiva Vendor
Advisory:

http://www.linuxsecurity.com/advisories/connectiva_advisory-3122.html

 

Package: kernel
ptrace
Description: When
a process requires a feature that a certain kernel module provides, 
the kernel will spawn a child process, give it root privileges and call
/sbin/modprobe to load that module. A local attacker can create such a
process, make it request a kernel module and wait for the child process
to be spawned. Before the privilege change, the attacker can attach to
this child process and insert code that will later be run with root privileges. 
Vendor Alerts: Conectiva:

Contectiva Vendor
Advisory:

http://www.linuxsecurity.com/advisories/connectiva_advisory-3123.html
 

Red Hat:

Red Hat Vendor
Advisory:

http://www.linuxsecurity.com/advisories/redhat_advisory-3149.html

 

Package: zlib
Description: Richard
Kettlewell discovered[1] a buffer overflow vulnerability[2] in the gzprintf()
function provided by zlib. If a program passes unsafe data to this function
(e.g. data from remote images or network traffic), it is possible for a
remote attacker to execute arbitrary code or to cause a denial of service
in such programs. 
Vendor Alerts: Conectiva:

Contectiva Vendor
Advisory:

http://www.linuxsecurity.com/advisories/connectiva_advisory-3131.html

 

Package: man
Description: Jack
Lloyd found[1] a local vulnerability in the man utility. Because of a problem
with a value returned by the my_xsprintf() function, man could try to execute
a program called “unsafe” when reading a manpage file with certain characteristics.
If an attacker can put a malicious executable file called “unsafe” in the
system PATH and let a user open a specially created manpage, it could run
arbitrary commands with the privileges of this user.
Vendor Alerts: Conectiva:

Contectiva Vendor
Advisory:

http://www.linuxsecurity.com/advisories/connectiva_advisory-3132.html

 

Package: mutt
Description: Byrial
Jensen discovered a couple of off-by-one buffer overflow in the IMAP code
of Mutt, a text-oriented mail reader supporting IMAP, MIME, GPG, PGP and
threading.  This problem could potentially allow a remote malicious
IMAP server to cause a denial of service (crash) and possibly execute arbitrary
code via a specially crafted mail folder.
Vendor Alerts: Debian:

Debian Vendor
Advisory:

http://www.linuxsecurity.com/advisories/debian_advisory-3124.html
 

Red Hat:

Red Hat Vendor
Advisory:

http://www.linuxsecurity.com/advisories/redhat_advisory-3111.html
 

Slackware:

Slackware Vendor
Advisory:

http://www.linuxsecurity.com/advisories/slackware_advisory-3087.html

 

Package: metrics
Description: Paul
Szabo and Matt Zimmerman discoverd two similar problems in metrics, a tools
for software metrics.  Two scripts in this package, “halstead” and
“gather_stats”, open temporary files without taking appropriate security
precautions.  “halstead” is installed as a user program, while “gather_stats”
is only used in an auxiliary script included in the source code. 
These vulnerabilities could allow a local attacker to overwrite files owned
by the user running the scripts, including root.
Vendor Alerts: Debian:

Debian Vendor
Advisory:

http://www.linuxsecurity.com/advisories/debian_advisory-3125.html

 

Package: moxftp
Description: Knud
Erik Højgaard discovered a vulnerability in moxftp (and xftp respectively),
an Athena X interface to FTP.  Insufficient bounds checking could
lead to execution of arbitrary code, provided by a malicious FTP server.  
Erik Tews fixed this.
Vendor Alerts: Debian:

Debian Vendor
Advisory:

http://www.linuxsecurity.com/advisories/debian_advisory-3143.html

 

Package: glibc
Description: eEye
Digital Security discovered an integer overflow in the xdrmem_getbytes()
function which is also present in GNU libc.  This function is part
of the XDR (external data representation) encoder/decoder derived from
Sun’s RPC implementation.  Depending upon the application, this vulnerability
can cause buffer overflows and could possibly be exploited to execute arbitray
code.
Vendor Alerts: Debian:

Debian Vendor
Advisory:

http://www.linuxsecurity.com/advisories/debian_advisory-3144.html

 

Package: heimdal
Description: A
cryptographic weakness in version 4 of the Kerberos protocol allows an
attacker to use a chosen-plaintext attack to impersonate any principal
in a realm.  Additional cryptographic weaknesses in the krb4 implementation
permit the use of cut-and-paste attacks to fabricate krb4 tickets for unauthorized
client principals if triple-DES keys are used to key krb4 services. 
These attacks can subvert a site’s entire Kerberos authentication infrastructure.
Vendor Alerts: Debian:

Debian Vendor
Advisory:

http://www.linuxsecurity.com/advisories/debian_advisory-3153.html

 

Package: seti
Description: “There
is a buffer overflow in the server responds handler. Sending an overly
large string followed by a newline (‘n’) character to the client will
trigger this overflow. This has been tested with various versions of the
client. All versions are presumed to have this flaw in some form.”
Vendor Alerts: Gentoo:

Gentoo Vendor
Advisory:

http://www.linuxsecurity.com/advisories/gentoo_advisory-3147.html
 

FreeBSD:

FreeBSD Vendor
Advisory:

http://www.linuxsecurity.com/advisories/freebsd_advisory-3133.html

 

Package: kde
Description: An
attacker can prepare a malicious PostScript or PDF file which will provide
the attacker with access to the victim’s account and privileges when the
victim opens this malicious file for viewing or when the victim browses
a directory containing such malicious file and has file previews enabled.
Vendor Alerts: Gentoo:

Gentoo Vendor
Advisory:

http://www.linuxsecurity.com/advisories/gentoo_advisory-3154.html

 

Package: apache
Description: “Remote
exploitation of a memory leak in the Apache HTTP Server causes the daemon
to over utilize system resources on an affected system. The problem is
HTTP Server’s handling of large chunks of consecutive linefeed characters.
The web server allocates an eighty-byte buffer for each linefeed character
without specifying an upper limit for allocation. Consequently, an attacker
can remotely exhaust system resources by generating many requests containing
these characters.”
Vendor Alerts: Gentoo:

Gentoo Vendor
Advisory:

http://www.linuxsecurity.com/advisories/gentoo_advisory-3145.html

 

Package: cvs
Description: Stefan
Esser discovered a double free() bug in CVS that can be remotely exploited
by anonymous users to gain write access to the CVS repository. This write
access can be converted into execute access using the CVS protocol commands
“Checkin-prog” and “Update-prog”.
Vendor Alerts: Immunix:

Immunix Vendor
Advisory:

http://www.linuxsecurity.com/advisories/immunix_advisory-3130.html

 

Package: kerberos
Description: Multiple
vulnerabilities have been found in the MIT Kerberos suite. This release
removes triple-DES support in Kerberos IV and cross-realm authentication
in Kerberos IV, as both are known to be insecure. This release also fixes
two denial of service attacks against the Kerberos daemons.
Vendor Alerts: Immunix:

Immunix Vendor
Advisory:

http://www.linuxsecurity.com/advisories/immunix_advisory-3134.html

 

Package: mysql
Description: Multiple
vulnerabilities including signed integer vulnerability have been resolved.
Vendor Alerts: Immunix:

Immunix Vendor
Advisory:

http://www.linuxsecurity.com/advisories/immunix_advisory-3151.html

 

Package: httpd
Description: Updated
httpd packages which fix a number of security issues are now available
for Red Hat Linux 8.0 and 9.

 
Vendor Alerts: Red Hat:

Red Hat Vendor
Advisory:

http://www.linuxsecurity.com/advisories/redhat_advisory-3152.html

 

Package: openssl
Description: Researchers
from the University of Stanford have discovered certain weaknesses in OpenSSL’s
RSA decryption algorithm. It allows remote attackers to compute the private
RSA key of a server by observing its timing behavior. This bug has been
fixed by enabling “RSA blinding”, by default.    
Vendor Alerts: Red Hat:

Red Hat Vendor
Advisory:

http://www.linuxsecurity.com/advisories/suse_advisory-3112.html

Category:

  • Security