June 11, 2004

Linux Advisory Watch - June 11, 2004

Author: Benjamin D. Thomas

This week, advisories were released for gatos, jftpgw, ethereal, gallery, rsync,
log2mail, kernel, lha, postgresql, cvs, cups, squirrelmail, squid, tla, Ethereal,
tripwire, sitecopy, mailman, apache, mdkonline, xpcd, mod_ssl, ksymoops, and
kerberos5. The distributors include Debain, Fedora, FreeBSD, Gentoo, Mandrake,
NetBSD, OpenBSD, Red Hat, Slackware, SuSE, Trustix, and Turbo Linux.

Unnecessary Software

Each week system administrators
are inundated by hundreds of vendor advisories for every type of software imaginable.
From time to time the patches are critical from a security perspective, but
on other occasions they are merely a fix to a known bug. It is advisable to
update all software on a consistent basis so that a bug in software does not
result in a system vulnerability.

Unfortunately because of the great
number of advisories each week, it could be a full time job applying them. Applying
10 patches to 30 servers could possibly take days if an automated process isn't
used. Everyone would agree, this is poor utilization of resources.

There are several solutions to the
problem. First, it is often a good idea to choose a specialized distribution,
or spend time configuring a broad one. For example, those building a Web server
should choose a distribution such as EnGarde Linux that has already been optimized
and secured to perform these services. If an administrator wishes to use a distribution
such as Debian, it is important that the necessary time is take to remove everything
not in use. For example, there is no need for a Web server to have a compiler,
X-windows, or games. This option requires system expertise, but is feasible.

No matter what system is installed,
it will almost always be the case that at least some unnecessary software is
installed on it. On an RPM based system, it can be removed with the following
command: /bin/rpm -e <packagename> Removing unnecessary software
can potentially reduce administration work load. There will no longer be a need
to keep that software up-to-date, and it no longer has the potential to turn
into a vulnerability.

It should be a priority to remove
unnecessary setuid/setgid binaries. Vulnerabilities in these can often lead
to root compromise, so they should only be used when necessary. To find setuid/setgid
binaries on a system, simply use the following command: find / -type f -perm
Remove each that is not in use and it can greatly reduce the risk
of compromise.

Until next time, cheers!
Benjamin D. Thomas
Editor LinuxSecurity.com


Feature Extras:

with Brian Wotring, Lead Developer for the Osiris Project

- Brian Wotring is currently the lead developer for the Osiris project and
president of Host Integrity, Inc. He is also the founder of knowngoods.org,
an online database of known good file signatures. Brian is the co-author of
Mac OS X Security and a long-standing member of the Shmoo Group, an organization
of security and cryptography professionals.

Digital Launches Next Generation Secure Mail Suite
- Guardian
Digital, the premier open source security company, announced the availability
of the next generation Secure Mail Suite, the industry's most secure open
source corporate email system. This latest edition has been optimized to support
the changing needs of enterprise and small business customers while continually
providing protection from the latest in email security threats.

and National Security
- As the open source industry
grows and becomes more widely accepted, the use of Linux as a secure operating
system is becoming a prominent choice among corporations, educational institutions
and government sectors. With national security concerns at an all time high,
the question remains: Is Linux secure enough to successfully operate the government
and military's most critical IT applications?

[ Linux
Advisory Watch
] - [ Linux
Security Week
] - [ PacketStorm
] - [ Linux Security


Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
[ Subscribe

Distribution: Debian
  6/8/2004 gatos
escalation vulnerability

If initialization fails due to a missing configuration file, root privileges
are not dropped, and xatitv executes the system(3) function without sanitizing
user-supplied environment variables.

Debian advisory 4434

  6/8/2004 jftpgw
string vulnerability

A remote user could potentially cause arbitrary code to be executed with
the privileges of the jftpgw server process.

Debian advisory 4435

  6/8/2004 ethereal
overflow vulnerabilities

Several buffer overflow vulnerabilities were discovered in ethereal.

Debian advisory 4436

  6/8/2004 gallery

A remote attacker could gain access to the gallery "admin" user without
proper authentication.

Debian advisory 4437

  6/8/2004 rsync
traversal vulnerability

A remote user could cause an rsync daemon to write files outside of the
intended directory tree, if the daemon is not configured with the 'chroot'

Debian advisory 4438

  6/8/2004 log2mail
string vulnerability

Exploit could cause arbitrary code to be executed with the privileges of
the log2mail process.

Debian advisory 4439

  6/8/2004 kernel
Privilege escalation vulnerability

Due to flushing the TLB too early it is possible for an attacker to trigger
a local root exploit. This fix is to the sparc-built kernel and the kernel

Debian advisory 4440

  6/8/2004 lha

Fixes multiple buffer overflows and multiple directory traversal vulnerabilities.

Debian advisory 4441

  6/8/2004 postgresql
of service vulnerability

It possible to exploit this problem and crash the surrounding application.

Debian advisory 4442

  6/10/2004 cvs
overflow vulnerability

Derek Robert Price discovered a potential buffer overflow vulnerability
in the CVS server.

Debian advisory 4462

Distribution: Fedora
  6/8/2004 cups

Among other bugs, this fixes a failure to use encryption when required.

Fedora advisory 4429

  6/8/2004 ethereal

This patch fixes three DoS vulns and a buffer overflow.

Fedora advisory 4430

  6/8/2004 net-tools
Excessive privilege vulnerability

netlink_listen & netlink_receive_dump should both check the source of the
packets by looking at nl_pid and ensuring that it is 0 before performing
any reconfiguration of network interfaces.

Fedora advisory 4431

  6/8/2004 krb5
buffer overflows

Exploitation could lead to denial of service or arbitrary code execution.

Fedora advisory 4433

  6/10/2004 squirrelmail

Patch fixes a SQL injection and cross-site scripting flaw.

Fedora advisory 4460

  6/10/2004 squid
overflow vulnerability

A remotely-exploitable buffer overflow allows the execution of arbitrary

Fedora advisory 4461

Distribution: FreeBSD
  6/8/2004 kernel
privilege vulnerability

Jailed processes can manipulate host routing tables.

FreeBSD advisory 4428

Distribution: Gentoo
  6/8/2004 tla
    Heap overflow

This vulnerability could allow execution of arbitrary code with the rights
of the user running tla. Note: Important errata included at bottom.

Gentoo advisory 4423

  6/8/2004 MPlayer,
xine-lib Multiple vulnerabilities
    Heap overflow

A remote attacker, posing as a RTSP stream server, can execute arbitrary
code with the rights of the user of the software playing the stream.

Gentoo advisory 4424

  6/8/2004 Ethereal

Exploitation may allow an attacker to run arbitrary code or crash the program.

Gentoo advisory 4425

  6/8/2004 tripwire
string vulnerability

Attacker could cause execution of arbitrary code with permissions of the
user running tripwire, which could be the root user.

Gentoo advisory 4426

  6/8/2004 sitecopy

When connected to a malicious WebDAV server, these vulnerabilities could
allow execution of arbitrary code with the rights of the user running sitecopy.

Gentoo advisory 4427

  6/10/2004 Mailman

Mailman contains a bug allowing 3rd parties to retrieve member passwords.

Gentoo advisory 4457

  6/10/2004 apache
overflow vulnerability

A bug in mod_ssl may allow a remote attacker to execute remote code when
Apache is configured a certain way.

Gentoo advisory 4458

  6/10/2004 cvs

Several serious new vulnerabilities have been found in CVS, which may allow
an attacker to remotely compromise a CVS server.

Gentoo advisory 4459

Distribution: Mandrake
  6/8/2004 mdkonline

Though not a security problem per se, this is important to any who use Mandrake
Online to patch their systems.

Mandrake advisory 4417

  6/8/2004 xpcd
overflow vulnerability

Problem could be exploited by a local attacker to obtain root privileges.

Mandrake advisory 4418

  6/8/2004 mod_ssl
overflow vulnerability

A remote attacker may be able to execute arbitrary code via a client certificate
with a long subject DN.

Mandrake advisory 4419

  6/8/2004 apache2
overflow vulnerability

When mod_ssl is configured to trust the issuing CA, a remote attacker may
be able to execute arbitrary code via a client certificate with a long subject

Mandrake advisory 4420

  6/8/2004 krb5
overflow vulnerabilities

This could lead to root privileges, though it requires successfull authentication
plus a non-default configuration to exploit.

Mandrake advisory 4421

  6/8/2004 tripwire
string vulnerability

Exploit could allow a local user to execute arbitrary code with the rights
of the user running tripwire (typically root).

Mandrake advisory 4422

  6/10/2004 krb5

The original patch provided contained a bug where rule-based entries on
systems without HAVE_REGCOMP would not work.

Mandrake advisory 4452

  6/10/2004 mdkonline

The previous update did not parse noarch packages, and new archs have been
added (ia64, amd64, x86_64, ppc64) as well. As well, the mdkapplet now forces
a restart when changes to itself have occurred.

Mandrake advisory 4453

  6/10/2004 cvs

This patch addresses four seperate security issues with cvs.

Mandrake advisory 4454

  6/10/2004 squid
overflow vulnerability

This buffer overflow can be exploited by a remote attacker by sending an
overly long password, and grants the ability to execute arbitrary code.

Mandrake advisory 4455

  6/10/2004 ksymoops
temporary file vulnerability

The script fails to do proper checking when copying a file to the /tmp directory.

Mandrake advisory 4456

Distribution: NetBSD
  6/8/2004 cvs
    Heap overflow

CVS had heap overflow vulnerabilities which can be trigged remotely by malicious
people on the net.

NetBSD advisory 4416

Distribution: OpenBSD
  6/10/2004 cvs

While no exploits are known to exist for these bugs under OpenBSD at this
time, some of the bugs have proven exploitable on other operating systems.

OpenBSD advisory 4451

Distribution: Red
  6/8/2004 cvs
of service vulnerabilities

Updated cvs packages that fix remote denial of service vulnerabilities are
now available. (This is a legacy Red Hat fix, released by the Fedora Project).

Red Hat advisory 4432

  6/9/2004 Ethereal

Patch fixes a buffer overflow plus several denail of service vulnerabilities

Red Hat advisory 4443

  6/9/2004 krb5
overflow vulnerabilities

Updated Kerberos 5 (krb5) packages which correct buffer overflows in the
krb5_aname_to_localname function are now available.

Red Hat advisory 4444

  6/9/2004 squid
overflow vulnerability

If Squid is configured to use the NTLM authentication helper, a remote attacker
could potentially execute arbitrary code by sending a lengthy password.

Red Hat advisory 4445

  6/9/2004 cvs

This patch resolves many outstanding vulnerabilities of cvs.

Red Hat advisory 4446

Distribution: Slackware
  6/8/2004 mod_ssl
overflow vulnerability

May allow remote attackers to execute arbitrary code via a client certificate
with a long subject DN, if mod_ssl is configured to trust the issuing CA.

Slackware advisory 4414

  6/8/2004 php
path vulnerability

Exploitation of this issue requires a static library at an insecure path,
and could allow denial of service or arbitrary code execution.

Slackware advisory 4415

  6/10/2004 cvs

Resolves many vulnerabilities, including a buffer overflow.

Slackware advisory 4450

Distribution: Suse
  6/10/2004 cvs

These bugs allow remote attackers to execute arbitrary code as the user
the CVS server runs as.

SUSE advisory 4448

  6/10/2004 squid
overflow vulnerability

Squid is vulnerable to a buffer overflow that can be exploited remotely
by using a long password to execute arbitrary code.

SUSE advisory 4449

Distribution: Trustix
  6/8/2004 apache
overflow vulnerability

Stack-based buffer overflow may allow remote attackers to execute arbitrary
code via a client certificate with a long subject DN.

Trustix advisory 4412

  6/8/2004 kerberos5
overflow vulnerabilities

Exploitation of these flaws requires an unusual combination of factors,
including successful authentication to a vulnerable service and a non-default
configuration on the target service.

Trustix advisory 4413

  6/10/2004 squid
overflow vulnerability

Remote exploitation of a buffer overflow vulnerability in Squid Web Proxy
Cache could allow a remote attacker to execute arbitrary code.

Trustix advisory 4447

Distribution: Turbolinux
  6/8/2004 Multiple
Click Here!