Linux Advisory Watch – November 22nd 2002

By: Benjamin D. Thomas
– Linux Advisory Watch is a comprehensive newsletter that outlines the security
vulnerabilities that have been announced throughout the week. It includes pointers
to updated packages and descriptions of each vulnerability.

This week, advisories were released for squid, wwwoffled, lynx, tcpdump, fetchmail, courier, KDE SSL, nullmailer, mhonarc, smrsh, bind, ypserv, getbyname, ftpd, Red Hat kernel, samba, windowmaker, dhcp, php, and gtetrinet. The distributors include Caldera, Debian, FreeBSD, Gentoo, Mandrake, NetBSD, OpenPKG, Red Hat, SuSE, and Trustix.

LinuxSecurity Feature Extras:

Security: MySQL and PHP (3 of 3) – This is the third installment of a 3 part article on LAMP (Linux Apache MySQL PHP). In order to safeguard a MySQL server to the basic level, one has to abide by the following guidelines.

FEATURE: Security: Physical and Service (1 of 3) – The first installment of a 3 part article covering everything from physical security and service security to LAMP security (Linux Apache MySQL PHP).


Package: squid
Date: 11-14-2002
Description: Several bugfixes and cleanup of the Gopher client, both to correct some security issues and to make Squid properly render certain Gopher menus. Security fixes in how Squid parses FTP directory listings into HTML. FTP data channels are now sanity checked to match the address of the requested FTP server. This is to prevent theft or injection of data. See the new ftp_sanitycheck directive if this sanity check is not desired. The MSNT auth helper has been updated to v2.0.3+fixes for buffer overflow security issues found in this helper. A security issue in how Squid forwards proxy authentication credentials has been fixed.
Vendor Alerts: Caldera:

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-046.0/RPMS
squid-2.5-20020429.i386.rpm
fdda342fe954cf6ea304046781a555c8

Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2574.html

Package: KDE SSL
Date: 11-15-2002
Description: Konqueror's cross site scripting (XSS) protection fails to initialize the domains on sub-(i)frames correctly. As a result, JavaScript can access any foreign subframe which is defined in the HTML source. KDE's SSL implementation fails to check the basic constraints on certificates and as a result may accept certificates as valid that were signed by an issuer who was not authorized to do so.
Vendor Alerts: Caldera:

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2579.html

Package: wwwoffled
Date: 11-18-2002
Description: wwwoffled allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative Content-Length value.
Vendor Alerts: Caldera:

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-048.0/RPMS
wwwoffle-2.6b-3MR.i386.rpm
d54de95d9db4d19501e6b50ef63f2e31

Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2586.html

Package: lynx
Date: 11-18-2002
Description: If lynx is given a URL with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.
Vendor Alerts: Caldera:

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-049.0/RPMS
lynx-2.8.4-1.i386.rpm
86aa0c385c7b4789aa33fe57dc209490

Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2587.html

Package: tcpdump
Date: 11-19-2002
Description: There is a miscalculation in the use of the sizeof operator in tcpdump, allowing, at the least, a denial-of-service attack.
Vendor Alerts: Caldera:

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-050.0/RPMS
tcpdump-3.6.2-4.i386.rpm
88099679d803eb7f1583f99ccaa68fed

Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2594.html

Package: fetchmail
Date: 11-21-2002
Description: Several buffer overflows have been found in fetchmail. These bugs may be remotely exploited if fetchmail is running in multidrop mode.
Vendor Alerts: Caldera:

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-051.0/RPMS
fetchmail-6.1.0-3.i386.rpm
434fea1951a0d2f3b84aacef99c64406

fetchmailconf-6.1.0-3.i386.rpm
f4a95f399c696a47d30cb42076a16537

Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2599.html

Package: courier
Date: 11-15-2002
Description: A problem in the Courier sqwebmail package, a CGI program to grant authenticated access to local mailboxes, has been discovered. The program did not drop permissions fast enough upon startup under certain circumstances, so a local shell user can execute the sqwebmail binary and manage to read an arbitrary file on the local filesystem.
Vendor Alerts: Debian:

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2577.html

Gentoo:

Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2588.html

Package: nullmailer
Date: 11-15-2002
Description: A problem has been discovered in nullmailer, a simple relay-only mail transport agent for hosts that relay mail to a fixed set of smart relays. When a mail is to be delivered locally to a user that doesn't exist, nullmailer tries to deliver it, discovers a user unknown error and stops delivering. Unfortunately, it stops delivering entirely, not only this mail. Hence, it's very easy to craft a denial of service.
Vendor Alerts: Debian:

http://security.debian.org/pool/updates/main/n/nullmailer/nullmailer_1.00RC5-16.1woody2_ia64.deb
Size/MD5 checksum: 144246 c508c104d7b775e84641aabdc2adf209

Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2584.html

Package: mhonarc
Date: 11-19-2002
Description: Steven Christey discovered a cross site scripting vulnerability in mhonarc, a mail to HTML converter. Carefully crafted message headers can introduce cross site scripting when mhonarc is configured to display all header lines on the web. However, it is often useful to restrict the displayed header lines to To, From and Subject, in which case the vulnerability cannot be exploited.
Vendor Alerts: Debian:

http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.4.4-1.2_all.deb
Size/MD5 checksum: 453352 8e7f1a40ff78e0bef2d1c9593545baee

Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2589.html

Package: smrsh
Date: 11-15-2002
Description: Users with a local account and the ability to create or modify their `.forward' files can circumvent the smrsh restrictions. This is mostly of consequence to systems which have local users that are not normally allowed access to a login shell, as such users may abuse this bug in order to execute arbitrary commands with normal privileges.
Vendor Alerts: FreeBSD:

PLEASE SEE VENDOR ADVISORY FOR UPDATE

FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2575.html

Package: bind
Date: 11-15-2002
Description: BIND SIG Cached RR Overflow Vulnerability: A remote attacker may be able to cause a name server with recursion enabled to execute arbitrary code with the privileges of the name server process. BIND OPT DoS and BIND SIG Expiry Time DoS: A remote attacker may be able to cause the name server process to crash.
Vendor Alerts: FreeBSD:

PLEASE SEE VENDOR ADVISORY FOR UPDATE

FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2576.html

NetBSD:

NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2591.html

OpenPKG:

OpenPKG Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2580.html

Trustix:

Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2581.html

Package: ypserv
Date: 11-18-2002
Description: A memory leak that could be triggered remotely was discovered in ypserv 2.5 and earlier. This could lead to a Denial of Service, as repeated requests for a non-existent map will result in ypserv consuming more and more memory, and also running more slowly. If the system runs out of available memory, ypserv would also be killed.
Vendor Alerts: Mandrake:

http://www.mandrakesecure.net/en/ftp.php
9.0/RPMS/ypserv-2.5-1.1mdk.i586.rpm
d422a834b1869149b38bf1c8a1e8a4d6

Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2590.html

Package: getbyname
Date: 11-15-2002
Description: getnetbyname(3) and getnetbyaddr(3) lacked important boundary checks, and are vulnerable to malicious DNS responses, which could cause a buffer overrun on the stack. The vulnerability could cause a remote root compromise, if a privileged process uses these library functions.
Vendor Alerts: NetBSD:

PLEASE SEE VENDOR ADVISORY FOR UPDATE

NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2592.html

Package: ftpd
Date: 11-15-2002
Description: NetBSD's ftpd responds to the STAT command in a way that is not standards conformant, when a filename that contains "n[0-9]" is specified. This could be used by a malicious party to corrupt state tables in firewall devices between an FTP client and a NetBSD FTP server.
Vendor Alerts: NetBSD:

PLEASE SEE VENDOR ADVISORY FOR UPDATE

NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2593.html

Package: Red Hat kernel
Date: 11-16-2002
Description: The kernel in Red Hat Linux 7.1, 7.1K, 7.2, 7.3, and 8.0 is vulnerable to a local denial of service attack. Updated packages are available which address this vulnerability, as well as bugs in several drivers.
Vendor Alerts: Red Hat:

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2578.html

Trustix:

Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2582.html

Package: samba
Date: 11-18-2002
Description: The error consists of a buffer overflow in a commonly used routine that accepts user input and may write up to 127 bytes past the end of the buffer allocated with static length, leaving enough room for an exploit. The resulting vulnerability can be exploited locally in applications using the pam_smbpass Pluggable Authentication Module (PAM). It may be possible to exploit this vulnerability remotely, causing the running smbd to crash or even to execute arbitrary code.
Vendor Alerts: SuSE:

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.5-124.i586.rpm
f0a94ef6cc49165d4dace59caaf359d7

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-client-2.2.5-124.i586.rpm
f694fb4aaabffa98b6a76941cb2c0eaf

SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2598.html

Gentoo:

Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2597.html

Package: windowmaker
Date: 11-18-2002
Description: A possible scenario for this vulnerability could be that of an attacker making a specially crafted image available and convincing an unsuspecting user to set it as a background image.
Vendor Alerts: Conectiva:

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2583.html

Package: dhcp
Date: 11-18-2002
Description: Simon Kelley pointed out a vulnerability in the way quotes inside these assignments are treated. By exploiting this, a malicious DHCP server (or attackers able to spoof DHCP responses) can execute arbitrary shell commands on the DHCP client (which is run by root).
Vendor Alerts: Conectiva:

ftp://atualizacoes.conectiva.com.br/8/RPMS/dhcpcd-1.3.22pl3-1U80_1cl.i386.rpm

Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2585.html

Package: php
Date: 11-20-2002
Description: Two vulnerabilities exist in the PHP mail() function. The first one allows execution of any program/script, bypassing the safe_mode restriction; the second one may turn a script into an open relay if the mail() function is not carefully used in PHP scripts.
Vendor Alerts: Gentoo:

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2595.html

Package: gtetrinet
Date: 11-20-2002
Description: Several buffer overflows were found in gtetrinet versions below 0.4.3. According to the authors these could be remotely exploited.
Vendor Alerts: Gentoo:

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2595.html