Linux Advisory Watch – November 14th 2003

33

Author: Benjamin D. Thomas

This week, advisories were released
for thhtpd, cups, ethereal, mpg123, xinetd, hylafax, postgresql, conquest, epic4,
glibc, and and zebra. The distributors include Conectiva, Debian, Mandrake,
Red Hat, and SuSE. The recent news has been
flooded with reports about a looming security FUD campaign against Linux. Although
I have strong opinions on this matter, I’ve decided to keep quiet about it this
week simply because additional hype will not help the situation. Readers of
this newsletter are already aware of the merits of Linux and its potential for
achieving an acceptable state of security. Rather than re-hash the same old
rhetoric, I’ve decided to write about something a little bit more practical
this week, tunneling through SSH.

As you probably saw last week, the fifth vulnerability listed
on the SANS Top 10 for Unix list is ‘clear text services.’ Sadly, these will
remain a problem for years to come simply because many older applications are
dependent on these. For example, a Web development team may use an HTML editor
that has a built in FTP client. The moment that you suggest they stop using
this editor, and start using SFTP or SCP, they’ll laugh in your face. Unfortunately,
there is always a balance between security and convenience, and convenience
usually wins. In most cases, a compromise can be established by tunneling insecure
plaintext services through SSH.

Probably the biggest misconception is that tunneling is difficult.
In fact, it is quite the opposite. A tunnel can be setup in less than a minute
and put a stop to years of paranoia. A tunnel can be established as a simple
command at the commandline.

For example, to establish a tunnel:
prompt$ ssh -L 2121:remotehost:21 bdthomas@remotehost -i keyfile.key

To establish FTP connection: (at new terminal)
prompt$ ftp -p localhost 2121

At both terminals, you will authenticate as normal. Looking
at the example above, you’ll see that the user is trying to make a secure FTP
connection to ‘remotehost.’ To establish the tunnel, the SSH option ‘-L 2121:remotehost:21’
was given. This simply means, listen on local port 2121 and forward to remote
port 21. The options can be changed to fit any port requirement of any plaintext
service.

If you’ve never giving SSH tunneling a try, hopefully I’ve
given you enough information to be interested. Sometimes it can be a lifesaver
because of its simplicity. There is a large amount of information available
on Google. Also, Brian Hatch has written several good pieces that are available
on LinuxSecurity.com

http://www.linuxsecurity.com/articles/documentation_article-6822.html

 

Until next time, cheers!
Benjamin D. Thomas

LinuxSecurity Feature
Extras:

OpenVPN:
An Introduction and Interview with Founder, James Yonan

– In this article, Duane Dunston gives a brief introduction to OpenVPN and interviews
its founder James Yonan.

R00ting
The Hacker

– Dan Verton, the author of The Hacker Diaries: Confessions of
Teenage Hackers is a former intelligence officer in the U.S. Marine Corps
who currently writes for Computerworld and CNN.com, covering national cyber-security
issues and critical infrastructure
protection.

[ Linux
Advisory Watch
] – [ Linux
Security Week
] – [ PacketStorm
Archive
] – [ Linux Security
Documentation
]

 

Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

[ Subscribe
]

 

asj@linux.org.sa

 
Distribution: Conectiva
  11/7/2003 thhtpd
    Multiple
vulnerabilities

Multiple vulnerabilities including sensitive file disclosure, cross-site
scription, and directory traversal vulnerabilities have been fixed.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3765.html

 
  11/7/2003 net-snmp
    Multiple
vulnerabilities

“net-snmp” version 5.0.9 was released to address a security vulnerability
in previous 5.0.x versions where an existing user/community could get access
to data in MIB objects that were explicitly excluded from their view.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3766.html

 
  11/7/2003 cups
    DoS Vulnerability

It has been reported that the IPP daemon from the Cups package can under
some circumstances enter a loop and consume excessive CPU resources, causing
the service to become slow and unresponsive.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3767.html

 
  11/7/2003 ethereal
    Multiple
vulnerabilities

This update announcement addresses several vulnerabilities[2] in ethereal
versions prior to 0.9.16. These vulnerabilities can be exploited by an attacker
who can insert crafted packets in the wire being monitored by ethereal or
make an user open a trace file with such packets inside.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3770.html

 
  11/12/2003 mpg123
    Buffer
overflow vulnerability

When used to play mp3 audio streams over the network, audio servers can
exploit this vulnerability by sending a carefully crafted response to the
client which will overflow a buffer on the heap and execute arbitrary code.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3778.html

 
  11/12/2003 xinetd
    Multiple
vulnerabilities

A memory leak and several other problems have been fixed in the latest version
of xinetd.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3779.html

 
  11/12/2003 hylafax
    Format
string vulnerability

This vulnerability can be exploited by a remote attacker to execute arbitrary
code with the privileges of the root user in the host where hfaxd is running.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3780.html

 
  11/13/2003 postgresql
    Multiple
buffer overflow vulnerabilities

Multiple buffer overflow vulnerabilities in the to_ascii() function have
been fixed.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3781.html

 
 
Distribution: Debian
  11/7/2003 postgresql
    Remote
buffer overflow vulnerability

Tom Lane discovered a buffer overflow in the to_ascii function in PostgreSQL.
This allows remote attackers to execute arbitrary code on the host running
the database.

http://www.linuxsecurity.com/advisories/debian_advisory-3771.html

 
  11/10/2003 conquest
    Buffer
overflow vulnerability

Steve Kemp discovered a buffer overflow in the environment variable handling
of conquest, a curses based, real-time, multi-player space warfare game,
which could lead a local attacker to gain unauthorised access to the group
conquest.

http://www.linuxsecurity.com/advisories/debian_advisory-3772.html

 
  11/10/2003 epic4
    Buffer
overflow vulnerability

A malicious server could craft a reply which triggers the client to allocate
a negative amount of memory. This could lead to a denial of service if the
client only crashes, but may also lead to executing of arbitrary code under
the user id of the chatting user.

http://www.linuxsecurity.com/advisories/debian_advisory-3773.html

 
  11/11/2003 omega-rpg
buffer overflow vulnerability
    Buffer
overflow vulnerability

Steve Kemp discovered a buffer overflow in the commandline and environment
variable handling of omega-rpg.

http://www.linuxsecurity.com/advisories/debian_advisory-3776.html

 
 
Distribution: Mandrake
  11/11/2003 hylafax
    buffer
overflow vulnerability

The SuSE Security Team discovered a format bug condition that allows remote
attackers to execute arbitrary code as the root user.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3777.html

 
  11/12/2003 fileutils/coreutils
Denial of service vulnerability
    buffer
overflow vulnerability

A memory starvation denial of service vulnerability in the ls program was
discovered.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3783.html

 
 
Distribution: Red
Hat
  11/10/2003 ethereal
    Buffer
overflow vulnerability

Updated Ethereal packages that fix a number of exploitable security issues
are now available.

http://www.linuxsecurity.com/advisories/redhat_advisory-3775.html

 
  11/12/2003 glibc
    Multiple
vulnerabilities

Updated glibc packages that resolve vulnerabilities and address several
bugs are now available.

http://www.linuxsecurity.com/advisories/redhat_advisory-3784.html

 
  11/12/2003 PostgreSQL
    Buffer
overflow vulnerability

Updated PostgreSQL packages that correct a buffer overflow in the to_ascii
routines are now available.

http://www.linuxsecurity.com/advisories/redhat_advisory-3785.html

 
  11/12/2003 zebra
    Multiple
vulnerabilities

Updated zebra packages that close a locally-exploitable and a remotely-exploitable
denial of service vulnerability are now available.

http://www.linuxsecurity.com/advisories/redhat_advisory-3786.html

 
 
Distribution: SuSE
  11/10/2003 hylafax
    Remote
code execution vulnerability

The SuSE Security Team found a format bug condition during a code review
of the hfaxd server. It allows remote attackers to execute arbitrary code
as root. However, the bug can not be triggered in hylafax’ default configuration.

http://www.linuxsecurity.com/advisories/suse_advisory-3774.html

 

Category:

  • Linux