[ISN] Linux Advisory Watch - June 11th 2004

InfoSec News isn at c4i.org
Mon Jun 14 04:11:34 EDT 2004


+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  June 11th, 2004                          Volume 5, Number 24a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave at linuxsecurity.com     ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes point

This week, advisories were released for gatos, jftpgw, ethereal, gallery,
rsync, log2mail, kernel, lha, postgresql, cvs, cups, squirrelmail, squid,
tla, Ethereal, tripwire, sitecopy, mailman, apache, mdkonline, xpcd,
mod_ssl, ksymoops, and kerberos5. The distributors include Debian, Fedora,
FreeBSD, Gentoo, Mandrake, NetBSD, OpenBSD, Red Hat, Slackware, SuSE,
Trustix, and Turbo Linux.

-----

>> Internet Productivity Suite:  Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you
the best security and productivity applications available.  Collaborating
with thousands of developers, Guardian Digital security engineers
implement the most technologically advanced ideas and methods into their
design.


http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

-----

Unnecessary Software

Each week system administrators are inundated by hundreds of vendor
advisories for every type of software imaginable.  From time to time the
patches are critical from a security perspective, but on other occasions
they are merely a fix to a known bug.  It is advisable to update all
software on a consistent basis so that a bug in software does not result
in a system vulnerability.

Unfortunately, because of the great number of advisories each week,
applying them could be a full-time job.  Applying 10 patches to 30 servers
could take days if an automated process isn't used.  Everyone would agree
that this is a poor use of resources.

There are several solutions to the problem.  First, it is often a good
idea to choose a specialized distribution, or spend time configuring a
broad one.  For example, those building a Web server should choose a
distribution such as EnGarde Linux that has already been optimized and
secured to perform these services.  If an administrator wishes to use a
distribution such as Debian, it is important that the necessary time is
taken to remove everything not in use.  For example, there is no need for
a Web server to have a compiler, X-windows, or games.  This option
requires system expertise, but is feasible.

No matter what system is installed, it will almost always be the case that
at least some unnecessary software is installed on it. On an RPM based
system, it can be removed with the following command:

  /bin/rpm -e <packagename>

Removing unnecessary software can potentially reduce administration work
load.  There will no longer be a need to keep that software up-to-date,
and it no longer has the potential to turn into a vulnerability.

It should be a priority to remove unnecessary setuid/setgid binaries.
Vulnerabilities in these can often lead to root compromise, so they should
only be used when necessary.  To find setuid/setgid binaries on a system,
simply use the following command:

  find / -type f -perm +6000

Remove each that is not in use and it can greatly reduce the risk of
compromise.
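A small audit script, added here as an example (it is not from the newsletter), that carries out the two checks above in one pass: it lists setuid/setgid files below a directory, looks up the owning package with rpm or dpkg where one is installed, and flags anything not on an allowlist file the administrator maintains, printing the package name so the decision about "rpm -e" stays with the admin. It assumes a POSIX find (the portable "-perm -4000 -o -perm -2000" test is used instead of the older "+6000" spelling, which current GNU findutils has deprecated) and treats the package-manager lookup as optional.

```shell
#!/bin/sh
# Added example, not part of the newsletter: audit setuid/setgid files
# below a directory, report the owning package for each, and flag any
# that are not on an administrator-maintained allowlist. Nothing here
# removes anything; it prints package names for the admin to act on.

# Print regular files below $1 with the setuid or setgid bit set, sorted.
# "-perm -4000 -o -perm -2000" is the portable form; GNU find also
# accepts "-perm /6000", and the old "-perm +6000" form is deprecated.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print the package that owns file $1, or "unpackaged" when no package
# manager claims it (assumes rpm or dpkg; an unpackaged setuid binary is
# itself worth a closer look).
owner_of() {
    pkg=""
    if command -v rpm >/dev/null 2>&1; then
        # rpm -qf exits non-zero for unowned files; discard its message.
        pkg=$(rpm -qf "$1" 2>/dev/null) || pkg=""
    elif command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "pkg: /path"; keep the package part only.
        pkg=$(dpkg -S "$1" 2>/dev/null | cut -d: -f1)
    fi
    [ -n "$pkg" ] && printf '%s\n' "$pkg" || echo unpackaged
}

# Report setuid/setgid files below $1 that are absent from the allowlist
# file $2 (one absolute path per line). Output lines: "<owner-pkg> <path>".
audit_suid() {
    find_suid "$1" | while IFS= read -r f; do
        if ! grep -qxF "$f" "$2"; then
            printf '%s %s\n' "$(owner_of "$f")" "$f"
        fi
    done
}

# Stand-alone use: audit the whole system against /etc/suid.allow
# (a hypothetical allowlist path; create it first).
if [ "${1:-}" = "--run" ]; then
    audit_suid / /etc/suid.allow
fi
```

Run it as "sh audit.sh --run" on a real system; files reported as "unpackaged" cannot be removed with rpm -e and need a manual decision.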

Until next time, cheers!
Benjamin D. Thomas
ben at linuxsecurity.com

----

Interview with Brian Wotring, Lead Developer for the Osiris Project

Brian Wotring is currently the lead developer for the Osiris project and
president of Host Integrity, Inc. He is also the founder of knowngoods.org,
an online database of known good file signatures. Brian is the co-author
of Mac OS X Security and a long-standing member of the Shmoo Group, an
organization of security and cryptography professionals.

http://www.linuxsecurity.com/feature_stories/feature_story-164.html

--------------------------------------------------------------------

Guardian Digital Launches Next Generation Secure Mail Suite

Guardian Digital, the premier open source security company, announced the
availability of the next generation Secure Mail Suite, the industry's most
secure open source corporate email system. This latest edition has been
optimized to support the changing needs of enterprise and small business
customers while continually providing protection from the latest in email
security threats.

http://www.linuxsecurity.com/feature_stories/feature_story-166.html

--------------------------------------------------------------------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 6/8/2004 - gatos
   Privilege escalation vulnerability

   If initialization fails due to a missing configuration file, root
   privileges are not dropped, and xatitv executes the system(3)
   function without sanitizing user-supplied environment variables.
   http://www.linuxsecurity.com/advisories/debian_advisory-4434.html

 6/8/2004 - jftpgw
   Format string vulnerability

   A remote user could potentially cause arbitrary code to be
   executed with the privileges of the jftpgw server process.
   http://www.linuxsecurity.com/advisories/debian_advisory-4435.html

 6/8/2004 - ethereal
   Buffer overflow vulnerabilities

   Several buffer overflow vulnerabilities were discovered in
   ethereal.
   http://www.linuxsecurity.com/advisories/debian_advisory-4436.html

 6/8/2004 - gallery
   Unauthenticated access

   A remote attacker could gain access to the gallery "admin" user
   without proper authentication.
   http://www.linuxsecurity.com/advisories/debian_advisory-4437.html

 6/8/2004 - rsync
   Directory traversal vulnerability

   A remote user could cause an rsync daemon to write files outside
   of the intended directory tree, if the daemon is not configured
   with the 'chroot' option.
   http://www.linuxsecurity.com/advisories/debian_advisory-4438.html

 6/8/2004 - log2mail
   Format string vulnerability

   Exploit could cause arbitrary code to be executed with the
   privileges of the log2mail process.
   http://www.linuxsecurity.com/advisories/debian_advisory-4439.html

 6/8/2004 - kernel
   2.2.20 Privilege escalation vulnerability

   Due to flushing the TLB too early it is possible for an attacker
   to trigger a local root exploit.  This fix is to the sparc-built
   kernel and the kernel source.
   http://www.linuxsecurity.com/advisories/debian_advisory-4440.html

 6/8/2004 - lha
   Multiple vulnerabilities

   Fixes multiple buffer overflows and multiple directory traversal
   vulnerabilities.
   http://www.linuxsecurity.com/advisories/debian_advisory-4441.html

 6/8/2004 - postgresql
   Denial of service vulnerability

   It is possible to exploit this problem and crash the surrounding
   application.
   http://www.linuxsecurity.com/advisories/debian_advisory-4442.html

 6/10/2004 - cvs
   Buffer overflow vulnerability

   Derek Robert Price discovered a potential buffer overflow
   vulnerability in the CVS server.
   http://www.linuxsecurity.com/advisories/debian_advisory-4462.html


+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 6/8/2004 - cups
   Non-encryption vulnerability

   Among other bugs, this fixes a failure to use encryption when
   required.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4429.html

 6/8/2004 - ethereal
   Multiple vulnerabilities

   This patch fixes three DoS vulns and a buffer overflow.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4430.html

 6/8/2004 - net-tools
   Excessive privilege vulnerability; multiple vulnerabilities

   netlink_listen & netlink_receive_dump should both check the source
   of the packets by looking at nl_pid and ensuring that it is 0
   before performing any reconfiguration of network interfaces.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4431.html

 6/8/2004 - krb5
   Multiple buffer overflows

   Exploitation could lead to denial of service or arbitrary code
   execution.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4433.html

 6/10/2004 - squirrelmail
   Multiple vulnerabilities

   Patch fixes a SQL injection and cross-site scripting flaw.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4460.html

 6/10/2004 - squid
   Buffer overflow vulnerability

   A remotely-exploitable buffer overflow allows the execution of
   arbitrary code.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4461.html


+---------------------------------+
|  Distribution: FreeBSD          | ----------------------------//
+---------------------------------+

 6/8/2004 - kernel
   Excessive privilege vulnerability

   Jailed processes can manipulate host routing tables.
   http://www.linuxsecurity.com/advisories/freebsd_advisory-4428.html


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 6/8/2004 - tla
   Heap overflow vulnerability

   This vulnerability could allow execution of arbitrary code with
   the rights of the user running tla. Note: Important errata
   included at bottom.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4423.html

 6/8/2004 - MPlayer, xine-lib
   Multiple vulnerabilities; heap overflow vulnerability

   A remote attacker, posing as a RTSP stream server, can execute
   arbitrary code with the rights of the user of the software playing
   the stream.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4424.html

 6/8/2004 - Ethereal
   Multiple vulnerabilities

   Exploitation may allow an attacker to run arbitrary code or crash
   the program.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4425.html

 6/8/2004 - tripwire
   Format string vulnerability

   Attacker could cause execution of arbitrary code with permissions
   of the user running tripwire, which could be the root user.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4426.html

 6/8/2004 - sitecopy
   Multiple vulnerabilities

   When connected to a malicious WebDAV server, these vulnerabilities
   could allow execution of arbitrary code with the rights of the
   user running sitecopy.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4427.html

 6/10/2004 - Mailman
   Password leak

   Mailman contains a bug allowing 3rd parties to retrieve member
   passwords.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4457.html

 6/10/2004 - apache
   Buffer overflow vulnerability

   A bug in mod_ssl may allow a remote attacker to execute remote
   code when Apache is configured a certain way.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4458.html

 6/10/2004 - cvs
   Multiple vulnerabilities

   Several serious new vulnerabilities have been found in CVS, which
   may allow an attacker to remotely compromise a CVS server.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4459.html


+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 6/8/2004 - mdkonline
   Squid incompatibility

   Though not a security problem per se, this is important to any who
   use Mandrake Online to patch their systems.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4417.html

 6/8/2004 - xpcd
   Buffer overflow vulnerability

   Problem could be exploited by a local attacker to obtain root
   privileges.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4418.html

 6/8/2004 - mod_ssl
   Buffer overflow vulnerability

   A remote attacker may be able to execute arbitrary code via a
   client certificate with a long subject DN.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4419.html

 6/8/2004 - apache2
   Buffer overflow vulnerability

   When mod_ssl is configured to trust the issuing CA, a remote
   attacker may be able to execute arbitrary code via a client
   certificate with a long subject DN.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4420.html

 6/8/2004 - krb5
   Buffer overflow vulnerabilities

   This could lead to root privileges, though it requires successful
   authentication plus a non-default configuration to exploit.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4421.html

 6/8/2004 - tripwire
   Format string vulnerability

   Exploit could allow a local user to execute arbitrary code with
   the rights of the user running tripwire (typically root).
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4422.html

 6/10/2004 - krb5
   Patch fix

   The original patch provided contained a bug where rule-based
   entries on systems without HAVE_REGCOMP would not work.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4452.html

 6/10/2004 - mdkonline
   Patch fix

   The previous update did not parse noarch packages, and new archs
   have been added (ia64, amd64, x86_64, ppc64) as well.  As well,
   the mdkapplet now forces a restart when changes to itself have
   occurred.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4453.html

 6/10/2004 - cvs
   Multiple vulnerabilities

   This patch addresses four separate security issues with cvs.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4454.html

 6/10/2004 - squid
   Buffer overflow vulnerability

   This buffer overflow can be exploited by a remote attacker by
   sending an overly long password, and grants the ability to execute
   arbitrary code.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4455.html

 6/10/2004 - ksymoops
   Insecure temporary file vulnerability

   The script fails to do proper checking when copying a file to the
   /tmp directory.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4456.html


+---------------------------------+
|  Distribution: NetBSD           | ----------------------------//
+---------------------------------+

 6/8/2004 - cvs
   Heap overflow vulnerabilities

   CVS had heap overflow vulnerabilities which can be triggered
   remotely by malicious people on the net.
   http://www.linuxsecurity.com/advisories/netbsd_advisory-4416.html


+---------------------------------+
|  Distribution: OpenBSD          | ----------------------------//
+---------------------------------+

 6/10/2004 - cvs
   Multiple vulnerabilities

   While no exploits are known to exist for these bugs under OpenBSD
   at this time, some of the bugs have proven exploitable on other
   operating systems.
   http://www.linuxsecurity.com/advisories/openbsd_advisory-4451.html


+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 6/8/2004 - cvs
   Denial of service vulnerabilities

   Updated cvs packages that fix remote denial of service
   vulnerabilities are now available. (This is a legacy Red Hat fix,
   released by the Fedora Project).
   http://www.linuxsecurity.com/advisories/redhat_advisory-4432.html

 6/9/2004 - Ethereal
   Multiple vulnerabilities

   Patch fixes a buffer overflow plus several denial of service
   vulnerabilities.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4443.html

 6/9/2004 - krb5
   Buffer overflow vulnerabilities

   Updated Kerberos 5 (krb5) packages which correct buffer overflows
   in the krb5_aname_to_localname function are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4444.html

 6/9/2004 - squid
   Buffer overflow vulnerability

   If Squid is configured to use the NTLM authentication helper, a
   remote attacker could potentially execute arbitrary code by
   sending a lengthy password.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4445.html

 6/9/2004 - cvs
   Multiple vulnerabilities

   This patch resolves many outstanding vulnerabilities of cvs.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4446.html


+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 6/8/2004 - mod_ssl
   Buffer overflow vulnerability

   May allow remote attackers to execute arbitrary code via a client
   certificate with a long subject DN, if mod_ssl is configured to
   trust the issuing CA.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4414.html

 6/8/2004 - php
   Insecure path vulnerability

   Exploitation of this issue requires a static library at an
   insecure path, and could allow denial of service or arbitrary code
   execution.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4415.html

 6/10/2004 - cvs
   Multiple vulnerabilities

   Resolves many vulnerabilities, including a buffer overflow.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4450.html


+---------------------------------+
|  Distribution: Suse             | ----------------------------//
+---------------------------------+

 6/10/2004 - cvs
   Multiple vulnerabilities

   These bugs allow remote attackers to execute arbitrary code as the
   user the CVS server runs as.
   http://www.linuxsecurity.com/advisories/suse_advisory-4448.html

 6/10/2004 - squid
   Buffer overflow vulnerability

   Squid is vulnerable to a buffer overflow that can be exploited
   remotely by using a long password to execute arbitrary code.
   http://www.linuxsecurity.com/advisories/suse_advisory-4449.html


+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 6/8/2004 - apache
   Buffer overflow vulnerability

   Stack-based buffer overflow may allow remote attackers to execute
   arbitrary code via a client certificate with a long subject DN.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4412.html

 6/8/2004 - kerberos5
   Buffer overflow vulnerabilities

   Exploitation of these flaws requires an unusual combination of
   factors, including successful authentication to a vulnerable
   service and a non-default configuration on the target service.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4413.html

 6/10/2004 - squid
   Buffer overflow vulnerability

   Remote exploitation of a buffer overflow vulnerability in Squid
   Web Proxy Cache could allow a remote attacker to execute arbitrary
   code.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4447.html


+---------------------------------+
|  Distribution: Turbolinux       | ----------------------------//
+---------------------------------+

 6/8/2004 - Multiple pkgs
   Multiple vulnerabilities

   cvs (2 issues), tcpdump (2 issues), apache (multiple issues) have
   been resolved.
   http://www.linuxsecurity.com/advisories/turbolinux_advisory-4411.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------