Thomas – Linux Advisory Watch is a comprehensive newsletter that outlines the security
vulnerabilities that have been announced throughout the week. It includes pointers
to updated packages and descriptions of each vulnerability.
This week, advisories were released for squid, wwoffled, lynx, tcpdump, fetchmail,
courier, KDE SSL, nullmailer, mhonarc, smrsh, bind, ypserv, getbyname, ftpd,
Red Hat kernel, samba, windowmaker, dhcp, php, and gtetrinet. The
distributors include Caldera, Debian, FreeBSD, Gentoo, Mandrake, NetBSD, OpenPKG,
Red Hat, SuSE, and Trustix.
LinuxSecurity Feature Extras:
Security:
MySQL and PHP (3 of 3) – This is the third installation of a 3
part article on LAMP (Linux Apache MySQL PHP). In order to safeguard a
MySQL server to the basic level, one has to abide by the following guidelines.
FEATURE:
Security: Physical and Service (1 of 3) – The first installation
of a 3 part article covering everything from physical security and service
security to LAMP security (Linux Apache MySQL PHP).
Advisory Watch ] – [ Linux
Security Week ] – [ PacketStorm
Archive ] – [ Linux Security
Documentation ]
| Package: | squid |
| Date: | 11-14-2002 |
| Description: | Several bugfixes and cleanup of the Gopher client, both to correct some security issues and to make Squid properly render certain Gopher menus. Security fixes in how Squid parses FTP directory listings into HTML. FTP data channels are now sanity checked to match the address of the requested FTP server. This to prevent theft or injection of data. See the new ftp_sanitycheck directive if this sanity check is not desired. The MSNT auth helper has been updated to v2.0.3+fixes for buffer overflow security issues found in this helper. A security issue in how Squid forwards proxy authentication credentials has been fixed. |
| Vendor Alerts: | Caldera:
|
| Package: | KDE SSL |
| Date: | 11-15-2002 |
| Description: | Konqueror’s cross site scripting (XSS) protection fails to initialize the domains on sub-(i)frames correctly. As a result, Javascript can access any foreign subframe which is defined in the HTML source. KDE’s SSL implementation fails to check the basic constraints on certificates and as a result may accept certificates as valid that were signed by an issuer who was not authorized to do so. |
| Vendor Alerts: | Caldera:
|
| Package: | wwoffled |
| Date: | 11-18-2002 |
| Description: | wwwoffled allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative Content-Length value. |
| Vendor Alerts: | Caldera:
|
| Package: | lynx |
| Date: | 11-18-2002 |
| Description: | If lynx is given a url with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts. |
| Vendor Alerts: | Caldera:
|
| Package: | tcpdump |
| Date: | 11-19-2002 |
| Description: | There is a miscalculation in the use of the sizeof operator in tcpdump, allowing, at the least, a denial-of-service attack. |
| Vendor Alerts: | Caldera:
|
| Package: | fetchmail |
| Date: | 11-21-2002 |
| Description: | Several buffer overflows have been found in fetchmail. These bugs may be remotely exploited if fetchmail is running in multidrop mode. |
| Vendor Alerts: | Caldera:
|
| Package: | courier |
| Date: | 11-15-2002 |
| Description: | A problem in the Courier sqwebmail package, a CGI program to grant authenticated access to local mailboxes, has been discovered. The program did not drop permissions fast enough upon startup under certain circumstances so a local shell user can execute the sqwebmail binary and manage to read an arbitrary file on the local filesystem. |
| Vendor Alerts: | Debian:
Gentoo:
|
| Package: | nullmailer |
| Date: | 11-15-2002 |
| Description: | A problem has been discovered in nullmailer, a simple relay-only mail transport agent for hosts that relay mail to a fixed set of smart relays. When a mail is to be delivered locally to a user that doesn’t exist, nullmailer tries to deliver it, discovers a user unknown error and stops delivering. Unfortunately, it stops delivering entirely, not only this mail. Hence, it’s very easy to craft a denial of service. |
| Vendor Alerts: | Debian:
|
| Package: | mhonarc |
| Date: | 11-19-2002 |
| Description: | Steven Christey discovered a cross site scripting vulnerability in mhonarc, a mail to HTML converter. Carefully crafted message headers can introduce cross site scripting when mhonarc is configured to display all headers lines on the web. However, it is often useful to restrict the displayed header lines to To, From and Subject, in which case the vulnerability cannot be exploited. |
| Vendor Alerts: | Debian:
|
| Package: | smrsh |
| Date: | 11-15-2002 |
| Description: | Users with a local account and the ability to create or modify their `.forward’ files can circumvent the smrsh restrictions. This is mostly of consequence to systems which have local users that are not normally allowed access to a login shell, as such users may abuse this bug in order to execute arbitrary commands with normal privileges. |
| Vendor Alerts: | FreeBSD:
|
| Package: | bind |
| Date: | 11-15-2002 |
| Description: | BIND SIG Cached RR Overflow Vulnerability: A remote attacker may be able to cause a name server with recursion enabled to execute arbitrary code with the privileges of the name server process. BIND OPT DoS and BIND SIG Expiry Time DoS: A remote attacker may be able to cause the name server process to crash. |
| Vendor Alerts: | FreeBSD:
NetBSD:
OpenPKG:
Trustix:
|
| Package: | ypserv |
| Date: | 11-18-2002 |
| Description: | A memory leak that could be triggered remotely was discovered in ypserv 2.5 and earlier. This could lead to a Denial of Service as repeated requests for a non-existant map will result in ypserv consuming more and more memory, and also running more slowly. If the system runs out of available memory, ypserv would also be killed. |
| Vendor Alerts: | Mandrake:
|
| Package: | getbyname |
| Date: | 11-15-2002 |
| Description: | getnetbyname(3) and getnetbyaddr(3) lacked important boundary checks, and are vulnerable to malicious DNS responses, which could cause a buffer overrun on the stack. The vulnerability could cause a remote root compromise, if a privileged process uses these library functions. |
| Vendor Alerts: | NetBSD:
|
| Package: | ftpd |
| Date: | 11-15-2002 |
| Description: | NetBSD’s ftpd responds to the STAT command in a way that is not standards conformant, when a filename that contains “n[0-9]” is specified. This could be used by a malicious party to corrupt state tables in firewall devices between an FTP client and a NetBSD FTP server. |
| Vendor Alerts: | NetBSD:
|
| Package: | Red Hat kernel |
| Date: | 11-16-2002 |
| Description: | The kernel in Red Hat Linux 7.1, 7.1K, 7.2, 7.3, and 8.0 are vulnerable to a local denial of service attack. Updated packages are available which address this vulnerability, as well as bugs in several drivers. |
| Vendor Alerts: | Red Hat:
Trustix:
|
| Package: | samba |
| Date: | 11-18-2002 |
| Description: | The error consists of a buffer overflow in a commonly used routine that accepts user input and may write up to 127 bytes past the end of the buffer allocated with static length, leaving enough room for an exploit. The resulting vulnerability can be exploited locally in applications using the sm_smbpass Pluggable Authentication Module (PAM). It may be possible to exploit this vulnerability remotely, causing the running smbd to crash or even to execute arbitrary code. |
| Vendor Alerts: | SuSE:
Gentoo:
|
| Package: | windowmaker |
| Date: | 11-18-2002 |
| Description: | A possible scenario for this vulnerability could be that of an attacker making a specially crafted image available and convincing an unsuspecting user to set it as a background image. |
| Vendor Alerts: | Conectiva:
|
| Package: | dhcp |
| Date: | 11-18-2002 |
| Description: | Simon Kelley pointed out a vulnerability in the way quotes inside these assignments are treated. By exploiting this, a malicious DHCP server (or attackers able to spoof DHCP responses) can execute arbitrary shell commands on the DHCP client (which is run by root). |
| Vendor Alerts: | Conectiva:
|
| Package: | php |
| Date: | 11-20-2002 |
| Description: | Two vulnerabilities exists in mail() PHP function. The first one allows to execute any program/script bypassing safe_mode restriction, the second one may give an open-relay script if mail() function is not carefully used in PHP scripts. |
| Vendor Alerts: | Gentoo:
|
| Package: | gtetrinet |
| Date: | 11-20-2002 |
| Description: | Several buffer overflows was found in gtetrinet versions below 0.4.3. According to the authors these could be remotley explotied. |
| Vendor Alerts: | Gentoo:
|
