Linux Advisory Watch – November 15, 2002

By: Benjamin D. Thomas

Linux Advisory Watch is a comprehensive newsletter that outlines the security
vulnerabilities announced throughout the week. It includes pointers to updated
packages and descriptions of each vulnerability. Significant vulnerabilities
were discovered in BIND this week.

This week, advisories were released for PXE, libpng, python, html2ps, kdenetwork,
masqmail, apache-perl, bind, kadmind, smrsh, resolver, perl-MailTools, nss_ldap,
php, traceroute, kgpg, apache, kdelibs, and syslog-ng.  The distributors
include Caldera, Conectiva, Debian, Guardian Digital’s EnGarde Secure Linux,
FreeBSD, Gentoo, Mandrake, Red Hat, and SuSE.

LinuxSecurity Feature Extras:

FEATURE: Security: Physical and Service (1 of 3)
– The first installment of a 3 part article covering everything from physical
security and service security to LAMP security (Linux Apache MySQL PHP).

FEATURE: Security: Apache (2 of 3)
– The second installment of a 3 part article on LAMP (Linux Apache MySQL PHP).
Apache is the most widely used HTTP server in the world today.


Package: PXE
Date: 11-11-2002
Description: The
PXE server can be crashed by using corrupt DHCP packets. This bug could
be used to cause a denial-of-service attack.
Vendor Alerts: Caldera:
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-044.0/RPMS
pxe-0.1-33.i386.rpm  MD5: 75380c0629500bcb6ac3185fd7f68cf9

Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2551.html

Package: libpng
Date: 11-12-2002
Description: There are two buffer overflow vulnerabilities in the libpng code:
one that can allow attackers to cause a denial of service, and one that can
cause a denial of service with the possibility of executing arbitrary code.
Vendor Alerts: Caldera:
PLEASE SEE VENDOR ADVISORY FOR UPDATE

Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2558.html

Package: python
Date: 11-14-2002
Description: os._execvpe
from os.py in Python creates temporary files with predictable names, which
could allow local users to execute arbitrary code via a symlink attack.
Vendor Alerts: Caldera:
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-045.0/RPMS
python-1.5.2-23.i386.rpm  MD5: d02a87d515a2e0295b61a70e21d85d67
python-devel-1.5.2-23.i386.rpm  MD5: f026986740ce3b24aa75a6ef6d6f813d
python-docs-1.5.2-23.i386.rpm  MD5: a4d8a3a8a6011f4d87d1a3c3e75150d1
python-tools-1.5.2-23.i386.rpm  MD5: 6283c3abfb5a339d6f3c8e1b2b0304fc

Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2573.html
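The python advisory above describes a classic temporary-file race: a name that any local user can predict, opened without O_EXCL, can be pre-planted as a symlink so the victim's write lands on a file the attacker chose. The following Python 3 script is an added illustration of that pattern and of the mkstemp/O_EXCL fix; it is not the Python 1.5.2 os._execvpe code from the advisory, and the scratch directory, file names and contents are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def predictable_tempname(directory, pid=None):
    """Vulnerable naming: the name depends only on the PID, which any local
    user can read from /proc, so an attacker can compute it in advance.
    (Constructed example of the bug class in the advisory, not os._execvpe.)"""
    if pid is None:
        pid = os.getpid()
    return os.path.join(directory, "pytmp.%d" % pid)


def write_predictable(directory, data):
    """open(..., "w") without O_EXCL follows whatever is already at the path,
    so a pre-planted symlink redirects the write to the attacker's target."""
    path = predictable_tempname(directory)
    with open(path, "w") as f:
        f.write(data)
    return path


def open_exclusive(path):
    """O_CREAT|O_EXCL refuses to open if anything (file or symlink) already
    exists at path; returns the fd, or None if the name was taken."""
    try:
        return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return None


def write_unpredictable(directory, data):
    """Fixed pattern: tempfile.mkstemp() picks a random name and opens it
    with O_CREAT|O_EXCL, so a guessed name cannot be pre-planted."""
    fd, path = tempfile.mkstemp(prefix="pytmp.", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo_symlink_attack():
    """Play both sides of the race in a scratch directory and report
    (victim file clobbered via the predictable name,
     O_EXCL open of the planted name refused,
     mkstemp result is a regular file, not a link)."""
    workdir = tempfile.mkdtemp()
    try:
        victim = os.path.join(workdir, "victim.txt")  # constructed target
        with open(victim, "w") as f:
            f.write("original\n")
        # Attacker: guess the name and point it at the victim before the
        # victim process gets to write.
        planted = predictable_tempname(workdir)
        os.symlink(victim, planted)
        # Victim process: writes through the symlink without noticing.
        write_predictable(workdir, "attacker-controlled\n")
        with open(victim) as f:
            clobbered = f.read() == "attacker-controlled\n"
        # Same planted name, but opened with O_EXCL: refused.
        fd = open_exclusive(planted)
        refused = fd is None
        if fd is not None:
            os.close(fd)
        # mkstemp: random name, exclusive create.
        secure = write_unpredictable(workdir, "payload\n")
        safe = os.path.isfile(secure) and not os.path.islink(secure)
        return clobbered, refused, safe
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo_symlink_attack())  # (True, True, True)
```

The fix is not the random name alone: without O_EXCL a lucky guess still works, and without a random name O_EXCL turns the attack into a denial of service. mkstemp gives both.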

 

 

Package: html2ps
Date: 11-08-2002
Description: The SuSE Security Team found a vulnerability in html2ps, an HTML
to PostScript converter, that opened files based on unsanitized input
insecurely. This problem can be exploited when html2ps is installed as a
filter within LPRng and the attacker has previously gained access to the lp
account.
Vendor Alerts: Debian:
http://security.debian.org/pool/updates/main/h/html2ps/html2ps_1.0b1-8.1_all.deb
Size/MD5 checksum: 134728 5932b4a4d5942c839b1a65817becf641

Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2545.html

Package: kdenetwork
Date: 11-11-2002
Description: It is possible for a local attacker to exploit a buffer overflow
condition in resLISa, a restricted version of KLISa. The vulnerability exists
in the parsing of the LOGNAME environment variable: an overly long value will
overwrite the instruction pointer, thereby allowing an attacker to seize
control of the executable.
Vendor Alerts: Debian:
http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.2_i386.deb
Size/MD5 checksum: 150248 447ca978df2eabe8971f0106d75dd5df

Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2549.html

SuSE:
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2553.html

Package: masqmail
Date: 11-12-2002
Description: A set of buffer overflows has been discovered in masqmail, a mail
transport agent for hosts without a permanent internet connection. In
addition, privileges were dropped only after reading a user-supplied
configuration file. Together, these could be exploited to gain unauthorized
root access to the machine on which masqmail is installed.
Vendor Alerts: Debian:
http://security.debian.org/pool/updates/main/m/masqmail/masqmail_0.1.16-2.1_i386.deb
Size/MD5 checksum: 88358 586f60f60d81dc17379df547f5796f8a

Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2555.html

Package: apache-perl
Date: 11-13-2002
Description: Several vulnerabilities in the Apache code included in apache-perl
could allow an attacker to mount a denial of service against a server,
execute a cross-site scripting attack, or steal cookies from other web site
users.
Vendor Alerts: Debian:
http://security.debian.org/pool/updates/main/a/apache-perl/apache-perl_1.3.9-14.1-1.21.20000309-1.1_i386.deb
Size/MD5 checksum: 956320 da48dac81fbc5f66e7f9f350c2eb90bb

Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2563.html

Package: bind
Date: 11-14-2002
Description: A buffer overflow in BIND 8 versions 8.3.3 and earlier allows a
remote attacker to execute arbitrary code via a certain DNS server response
containing SIG resource records (RRs). This buffer overflow can be exploited
to obtain access to the victim host under the account the named process is
running with, usually root.
Vendor Alerts: Debian:
http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_i386.deb
Size/MD5 checksum: 340444 31b08eaeb38c0df2ed1cb6cb6fa3f5de
http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_i386.deb
Size/MD5 checksum: 572016 540d025d851c207596f02f293d32dbca
http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_i386.deb
Size/MD5 checksum: 309622 476724d25b348bdfa3f314bf8777e05a

Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2569.html

FreeBSD:
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2566.html

Mandrake:
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2572.html

Red Hat:
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2559.html

SuSE:
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2568.html

EnGarde:
EnGarde Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2564.html

Conectiva:
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2570.html

Package: kadmind
Date: 11-14-2002
Description: A
remote attacker may send a specially formatted request to k5admind or kadmind,
triggering the stack buffer overflow and potentially causing the administrative
server to execute arbitrary code as root on the KDC.  The attacker
need not be authenticated in order to trigger the bug.  Compromise
of the KDC has an especially large impact, as theft of the Kerberos database
could allow an attacker to impersonate any Kerberos principal in the realm(s)
present in the database.
Vendor Alerts: FreeBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE

FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2560.html

Package: smrsh
Date: 11-12-2002
Description: Users with a local account and the ability to create or modify
their `.forward` files can circumvent the smrsh restrictions. This is mostly
of consequence to systems which have local users that are not normally
allowed access to a login shell, as such users may abuse this bug in order to
execute arbitrary commands with normal privileges.
Vendor Alerts: FreeBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE

FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2561.html

Package: resolver
Date: 11-12-2002
Description: A malicious attacker could spoof responses to DNS queries with
specially crafted replies that will not fit in the supplied buffer. This
might cause some applications to fail (denial of service).
Vendor Alerts: FreeBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE

FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2562.html

Package: perl-MailTools
Date: 11-07-2002
Description: A vulnerability was discovered in the Mail::Mailer Perl module by
the SuSE security team during an audit. The vulnerability allows remote
attackers to execute arbitrary commands in certain circumstances due to the
use of mailx as the default mailer, a program that allows commands to be
embedded in the mail body.
Vendor Alerts: Mandrake:
9.0/RPMS/perl-MailTools-1.47-1.1mdk.noarch.rpm  MD5: 4fbfa7cc821ce3e785fb2449eb58afb8
http://www.mandrakesecure.net/en/ftp.php

Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2546.html

Package: nss_ldap
Date: 11-07-2002
Description: A buffer overflow vulnerability exists in nss_ldap versions prior
to 198. When nss_ldap is configured without a value for the “host” keyword,
it attempts to configure itself using SRV records stored in DNS. nss_ldap
does not check that the data returned by the DNS query will fit into an
internal buffer, thus exposing it to an overflow.
Vendor Alerts: Mandrake:
9.0/RPMS/nss_ldap-202-1.1mdk.i586.rpm  MD5: da577902f504bf8f345446635fcc3cf7
9.0/RPMS/pam_ldap-156-1.1mdk.i586.rpm  MD5: b70c25f7b8a3b5f86149dd199003a4ff
http://www.mandrakesecure.net/en/ftp.php

Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2546.html

Package: php
Date: 11-11-2002
Description: PHP
versions up to and including 4.2.2 contain vulnerabilities in the mail()
function allowing local script authors to bypass safe mode restrictions
and possibly allowing remote attackers to insert arbitrary mail headers
and content into the message.
Vendor Alerts: Red Hat:
PLEASE SEE VENDOR ADVISORY FOR UPDATE

Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2550.html

Conectiva:
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2565.html
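The php mail() advisory above has two halves: the safe mode bypass through the extra parameters handed to sendmail, and header injection, where a caller-supplied value containing CR/LF starts a new header line (an extra Bcc:, for instance) or even a second body. The script below is an added Python 3 illustration of the second half, not PHP's mail() implementation or any distribution's patch; the message fields and the injected subject are constructed for the demonstration, and the hardened builder simply refuses any untrusted value that could end a header line.

```python
import re

# Constructed sample inputs (not from the advisory): what a web form might
# hand to a mail()-style wrapper.  A subject containing CR/LF smuggles in a
# Bcc: header and a blank line that ends the header block early.
GOOD_SUBJECT = "Feedback on your site"
INJECTED_SUBJECT = "Feedback\r\nBcc: spam-target@example.net\r\n\r\nunsolicited body"

# RFC 5322 field-name: printable ASCII (33-126) except the colon (58).
_HEADER_NAME = re.compile(r"^[!-9;-~]+$")


def unsafe_build_message(to, subject, body):
    """The pattern the advisory warns about: untrusted fields are concatenated
    verbatim into the header block, so CR/LF in any of them becomes a new
    header line that the mailer will honour."""
    return "To: %s\r\nSubject: %s\r\n\r\n%s" % (to, subject, body)


def safe_header_value(value):
    """Return value unchanged if it cannot terminate or fold a header line;
    otherwise raise.  Folding whitespace is deliberately not accepted from
    untrusted input, since a CRLF followed by a space is still a line break."""
    if any(ch in value for ch in "\r\n\x00"):
        raise ValueError("header injection attempt rejected: %r" % value)
    return value


def build_message(to, subject, body, extra_headers=None):
    """Assemble a raw RFC 5322 message from untrusted fields, validating every
    header name and value before it reaches the wire."""
    headers = [("To", to), ("Subject", subject)]
    for name, value in (extra_headers or {}).items():
        if not _HEADER_NAME.match(name):
            raise ValueError("bad header name: %r" % name)
        headers.append((name, value))
    lines = ["%s: %s" % (name, safe_header_value(value)) for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def count_recipient_headers(raw):
    """Count To/Cc/Bcc lines in the header block of a raw message, i.e. how
    many recipient headers the mailer would actually act on."""
    head = raw.split("\r\n\r\n", 1)[0]
    return sum(1 for line in head.split("\r\n")
               if line.lower().startswith(("to:", "cc:", "bcc:")))


if __name__ == "__main__":
    raw = unsafe_build_message("user@example.org", INJECTED_SUBJECT, "hello")
    print(count_recipient_headers(raw))  # 2: the injected Bcc: counts as a recipient
    try:
        build_message("user@example.org", INJECTED_SUBJECT, "hello")
    except ValueError as exc:
        print(exc)
```

Rejecting rather than stripping is the safer default: silently removing the CR/LF would deliver a message the author never intended, while an error surfaces the abuse attempt in the application log.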

 

 

Package: traceroute
Date: 11-12-2002
Description: Traceroute-nanog
requires root privilege to open a raw socket. It does not relinquish these
privileges after doing so. This allows a malicious user to gain root access
by exploiting a buffer overflow at a later point. 
Vendor Alerts: SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/traceroute-6.1.1-0.i386.rpm  MD5: afe01bf0b151eca2f42fa5737c99bdc7

SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2554.html

Package: kgpg
Date: 11-10-2002
Description: A bug in Kgpg’s key generation affects all secret keys generated
through Kgpg’s wizard (the bug does not affect keys created in console/expert
mode). All keys created through the wizard have an empty passphrase, which
means that if someone has access to your computer and can read your secret
key, they can decrypt your files without needing a passphrase.
Vendor Alerts: Gentoo:
PLEASE SEE VENDOR ADVISORY FOR UPDATE

Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2548.html

Package: apache
Date: 11-11-2002
Description: A
vulnerability exists in the SSI error pages of Apache 2.0 that involves
incorrect filtering of server signature data. The vulnerability could enable
an attacker to hijack web sessions, allowing a range of potential compromises
on the targeted host.
Vendor Alerts: Gentoo:
PLEASE SEE VENDOR ADVISORY FOR UPDATE

Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2552.html

Package: kdelibs
Date: 11-11-2002
Description: A vulnerability in kdelibs potentially enables local or remote
attackers to compromise a victim’s account and execute arbitrary commands on
the local system with the victim’s privileges, such as erasing files,
accessing data or installing trojans.
Vendor Alerts: Gentoo:
PLEASE SEE VENDOR ADVISORY FOR UPDATE

Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2567.html

Package: syslog-ng
Date: 11-14-2002
Description: When expanding macros in its log message templates, syslog-ng
fails to account for characters which are not part of the macro, which leads
to incorrect bounds checking and a possible buffer overflow if enough
non-macro characters are used.
Vendor Alerts: Conectiva:
PLEASE SEE VENDOR ADVISORY FOR UPDATE

Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2571.html