Thomas
Linux Advisory Watch is a comprehensive newsletter that outlines the security
vulnerabilities that have been announced throughout the week. It includes pointers
to updated packages and descriptions of each vulnerability. Significant vulnerabilities were discovered in BIND this week.

Linux Advisory Watch – November 15th 2002
This week, advisories were released for PXE, libpng, python, html2ps, kdenetwork,
masqmail, apache-perl, bind, kadmind, smrsh, resolver, perl-MailTools, nss_ldap,
php, traceroute, kgpg, apache, kdelibs, and syslog-ng. The distributors
include Caldera, Debian, Guardian Digital’s EnGarde Secure Linux, FreeBSD, Gentoo,
Red Hat, and SuSE.
LinuxSecurity Feature Extras:

FEATURE: Security: Physical and Service (1 of 3) – The first installment
of a 3 part article covering everything from physical security and service
security to LAMP security (Linux Apache MySQL PHP).

FEATURE: Security: Apache (2 of 3) – This is the second installment of
a 3 part article on LAMP (Linux Apache MySQL PHP). Apache is the most widely
used HTTP server in the world today.
Package: PXE
Date: 11-11-2002
Description: The PXE server can be crashed by using corrupt DHCP packets. This bug could be used to cause a denial-of-service attack.
Vendor Alerts: Caldera
Package: libpng
Date: 11-12-2002
Description: There are two buffer overflow vulnerabilities in the libpng code: one of which can allow attackers to cause a denial of service, and the other of which can cause a denial of service with the possibility of executing arbitrary code.
Vendor Alerts: Caldera
Package: python
Date: 11-14-2002
Description: os._execvpe from os.py in Python creates temporary files with predictable names, which could allow local users to execute arbitrary code via a symlink attack.
Vendor Alerts: Caldera
Package: html2ps
Date: 11-08-2002
Description: The SuSE Security Team found a vulnerability in html2ps, an HTML to PostScript converter, that opened files based on unsanitized input insecurely. This problem can be exploited when html2ps is installed as a filter within LPRng and the attacker has previously gained access to the lp account.
Vendor Alerts: Debian
Package: kdenetwork
Date: 11-11-2002
Description: It is possible for a local attacker to exploit a buffer overflow condition in resLISa, a restricted version of KLISa. The vulnerability exists in the parsing of the LOGNAME environment variable: an overly long value will overwrite the instruction pointer, thereby allowing an attacker to seize control of the executable.
Vendor Alerts: Debian, SuSE
Package: masqmail
Date: 11-12-2002
Description: A set of buffer overflows have been discovered in masqmail, a mail transport agent for hosts without a permanent internet connection. In addition, privileges were dropped only after reading a user-supplied configuration file. Together, these could be exploited to gain unauthorized root access to the machine on which masqmail is installed.
Vendor Alerts: Debian
Package: apache-perl
Date: 11-13-2002
Description: These vulnerabilities could allow an attacker to enact a denial of service against a server, execute a cross-site scripting attack, or steal cookies from other web site users.
Vendor Alerts: Debian
Package: bind
Date: 11-14-2002
Description: A buffer overflow in BIND 8 versions 8.3.3 and earlier allows a remote attacker to execute arbitrary code via a certain DNS server response containing SIG resource records (RR). This buffer overflow can be exploited to obtain access to the victim host under the account the named process is running with, usually root.
Vendor Alerts: Debian, FreeBSD, Mandrake, Red Hat, SuSE, EnGarde, Conectiva
Package: kadmind
Date: 11-14-2002
Description: A remote attacker may send a specially formatted request to k5admind or kadmind, triggering the stack buffer overflow and potentially causing the administrative server to execute arbitrary code as root on the KDC. The attacker need not be authenticated in order to trigger the bug. Compromise of the KDC has an especially large impact, as theft of the Kerberos database could allow an attacker to impersonate any Kerberos principal in the realm(s) present in the database.
Vendor Alerts: FreeBSD
Package: smrsh
Date: 11-12-2002
Description: Users with a local account and the ability to create or modify their `.forward' files can circumvent the smrsh restrictions. This is mostly of consequence to systems which have local users that are not normally allowed access to a login shell, as such users may abuse this bug in order to execute arbitrary commands with normal privileges.
Vendor Alerts: FreeBSD
Package: resolver
Date: 11-12-2002
Description: A malicious attacker could spoof DNS queries with specially crafted responses that will not fit in the supplied buffer. This might cause some applications to fail (denial-of-service).
Vendor Alerts: FreeBSD
Package: perl-MailTools
Date: 11-07-2002
Description: A vulnerability was discovered in the Mail::Mailer Perl module by the SuSE security team during an audit. The vulnerability allows remote attackers to execute arbitrary commands in certain circumstances due to the usage of mailx as the default mailer, a program that allows commands to be embedded in the mail body.
Vendor Alerts: Mandrake
Package: nss_ldap
Date: 11-07-2002
Description: A buffer overflow vulnerability exists in nss_ldap versions prior to 198. When nss_ldap is configured without a value for the "host" keyword, it attempts to configure itself using SRV records stored in DNS. nss_ldap does not check that the data returned by the DNS query will fit into an internal buffer, thus exposing it to an overflow.
Vendor Alerts: Mandrake
Package: php
Date: 11-11-2002
Description: PHP versions up to and including 4.2.2 contain vulnerabilities in the mail() function allowing local script authors to bypass safe mode restrictions and possibly allowing remote attackers to insert arbitrary mail headers and content into the message.
Vendor Alerts: Red Hat, Conectiva
Package: traceroute
Date: 11-12-2002
Description: Traceroute-nanog requires root privilege to open a raw socket. It does not relinquish these privileges after doing so. This allows a malicious user to gain root access by exploiting a buffer overflow at a later point.
Vendor Alerts: SuSE
Package: kgpg
Date: 11-10-2002
Description: A bug in Kgpg's key generation affects all secret keys generated through Kgpg's wizard. (The bug does not affect keys created in console/expert mode.) All keys created through the wizard have an empty passphrase, which means that if someone has access to your computer and can read your secret key, he/she can decrypt your files without the need of a passphrase.
Vendor Alerts: Gentoo
Package: apache
Date: 11-11-2002
Description: A vulnerability exists in the SSI error pages of Apache 2.0 that involves incorrect filtering of server signature data. The vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host.
Vendor Alerts: Gentoo
Package: kdelibs
Date: 11-11-2002
Description: The vulnerability potentially enables local or remote attackers to compromise a victim's account and execute arbitrary commands on the local system with the victim's privileges, such as erasing files, accessing data or installing trojans.
Vendor Alerts: Gentoo
Package: syslog-ng
Date: 11-14-2002
Description: When dealing with this expansion, syslog-ng fails to account for characters which are not part of the macro, which leads to incorrect bounds checking and a possible buffer overflow if there are enough non-macro characters being used.
Vendor Alerts: Conectiva