
Another Linux PDA

Author: JT Smith

Linux Devices reports that Invair Technologies of Stuttgart, Germany, has “unveiled a new Linux-PDA this week at CeBIT 2002 in Hanover, Germany.”

Category:

  • Linux

Secure IM software proliferates

Author: JT Smith

NetworkWorldFusion: “The market for secure, business-grade instant messaging software is picking up steam, with several start-ups now offering packages that automatically encrypt real-time chat sessions between users. However, these packages do not yet offer secure communications with users of popular consumer-oriented IM systems from AOL, Microsoft and others.” Read more here.

Category:

  • Linux

SuSE buys off trademark extortionist

Author: JT Smith

The Register: “As we reported earlier, German Linux distributor SuSE was barred from distributing its product in Germany after a trademark infringement action was brought by a company which admitted it was only looking to make a fast buck. After surrendering a quick out-of-court settlement to the extortionist, which did not include license fees, SuSE is now permitted to distribute its software unimpeded.” Read more here.

FreeBSD: UPDATE: ‘pine’ Insecure URL handling

Author: JT Smith

FreeBSD: “An attacker can supply commands enclosed in single quotes ('') in a URL embedded in a message sent to the victim. If the user then decides to view the URL, PINE will launch a command shell which will then execute the attacker’s commands with the victim’s privileges. It is possible to obfuscate the URL so that it will not necessarily seem dangerous to the victim.”


=============================================================================
FreeBSD-SA-02:05                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          pine port insecure URL handling [REVISED]

Category:       ports
Module:         pine
Announced:      2002-01-04
Revised:        2002-01-10
Credits:        zen-parse <zen-parse@gmx.net>
Affects:        Ports collection prior to the correction date
Corrected:      2002-01-10 16:47:18 UTC
FreeBSD only:   NO

0.   Revision History

v1.0  2002-01-04  Initial release.
v1.1  2002-01-10  Corrected vulnerable versions and the `Corrected details'
                  section.

I.   Background

PINE is an application for reading mail and news.

II.  Problem Description

The pine port, versions previous to pine-4.44, handles URLs in
messages insecurely.  PINE allows users to launch a web browser to
visit a URL embedded in a message.  Due to a programming error, PINE
does not properly escape meta-characters in the URL before passing it
to the command shell as an argument to the web browser.

The pine port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
over 6000 third-party applications in a ready-to-install format. The
ports collection shipped with FreeBSD 4.4 contains this problem since
it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

An attacker can supply commands enclosed in single quotes ('') in a
URL embedded in a message sent to the victim.  If the user then
decides to view the URL, PINE will launch a command shell which will
then execute the attacker's commands with the victim's privileges.  It
is possible to obfuscate the URL so that it will not necessarily seem
dangerous to the victim.

IV.  Workaround

1) Deinstall the pine port/package if you have it installed.

V.   Solution

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386] 
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/pine-4.44.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/pine-4.44.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the pine port from:
 
http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
 
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the $FreeBSD$ revision numbers of each
file that was corrected in the FreeBSD Ports Collection since
4.4-RELEASE.

Path                                                             Revision
-------------------------------------------------------------------------
ports/mail/pine4/Makefile                                            1.61
ports/mail/pine4/distinfo                                            1.20
ports/mail/pine4/files/patch-aa                                       1.4
ports/mail/pine4/files/patch-ac                                      1.11
ports/mail/pine4/files/patch-af                                      1.12
ports/mail/pine4/files/patch-ai                                      1.11
ports/mail/pine4/files/patch-aj                                       1.5
ports/mail/pine4/files/patch-ak                                       1.6
ports/mail/pine4/files/patch-al                                      1.11
ports/mail/pine4/files/patch-am                                       1.6
ports/mail/pine4/files/patch-an                                       1.5
ports/mail/pine4/files/patch-ap                                       1.3
ports/mail/pine4/files/patch-at                                       1.6
ports/mail/pine4/files/patch-au                                       1.4
ports/mail/pine4/files/patch-ax                                       1.5
ports/mail/pine4/files/patch-az                                       1.3
ports/mail/pine4/files/patch-be                                       1.1
ports/mail/pine4/files/patch-bf                                       1.1
ports/mail/pine4/files/patch-bg                                       1.1
ports/mail/pine4/files/patch-reply.c                                  1.2
-------------------------------------------------------------------------


Category:

  • Linux
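The flaw class described in FreeBSD-SA-02:05 above, shown as an added example; this is not PINE's source or the FreeBSD patch. The function names, the constructed sample URL and the use of /bin/echo as a stand-in for the web browser are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Stand-in for the web browser (assumption): /bin/echo prints its argument. */
#define VIEWER "/bin/echo"

/* Constructed sample URL: a quoted command that only prints a marker. */
static const char SAMPLE_URL[] = "http://example.invalid/';echo INJECTED;echo '";

/* Run argv[0] with argv, capture its stdout into out; returns wait status. */
static int run_capture(char *const argv[], char *out, size_t cap)
{
    int fds[2], status = -1;
    size_t n = 0;
    ssize_t r;
    pid_t pid;
    out[0] = '\0';
    if (pipe(fds) != 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                    /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv(argv[0], argv);
        _exit(127);                    /* exec failed */
    }
    close(fds[1]);
    while (n + 1 < cap && (r = read(fds[0], out + n, cap - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    waitpid(pid, &status, 0);
    return status;
}

/* BEFORE (simplified, hypothetical): the URL is pasted between single quotes
   and /bin/sh parses the result, so a quote in the URL ends the argument. */
int view_url_shell(const char *url, char *out, size_t cap)
{
    char cmd[1024];
    char *const argv[] = { (char *)"/bin/sh", (char *)"-c", cmd, NULL };
    if (snprintf(cmd, sizeof cmd, VIEWER " '%s'", url) >= (int)sizeof cmd)
        return -1;
    return run_capture(argv, out, cap);
}

/* AFTER: no shell. The URL is one argv element, so quotes and other
   meta-characters reach the viewer as plain data. */
int view_url_exec(const char *url, char *out, size_t cap)
{
    char *const argv[] = { (char *)VIEWER, (char *)url, NULL };
    return run_capture(argv, out, cap);
}
```

With the sample URL, the shell variant's captured output contains a separate `INJECTED` line, while the exec variant returns the URL unchanged.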

LIDS: Escalated privileges vulnerability

Author: JT Smith

LIDS.org: “The use of LD_PRELOAD can make a program with privileges given by LIDS
execute attacker's code. This means that a root intruder can get every
capability or fs access you configured LIDS to grant. Moreover, if you
granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program, an attacker could
deactivate LIDS and thus, access any file.”

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

LIDS Advisory 1   TEXT Version  ================
- -----------------------------[BUG #1]-------------------------
Severity : CRITICAL
Discovery : Stealth
Original advisory : http://www.team-teso.net/advisories/teso-advisory-012.txt

Description :
- -------------

The use of LD_PRELOAD can make a program with privileges given by LIDS
execute attacker's code. This means that a root intruder can get every
capability or fs access you configured LIDS to grant. Moreover, if you
granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program, an attacker could
deactivate LIDS and thus, access any file.

In some configurations, this also leads to users being able to become root.
(there must be a program granted CAP_SETUID which is not setuid)

Systems affected :
- ------------------

Every LIDS patch whose version is lower or equal to 1.1.0 for 2.4 series
Every LIDS patch whose version is lower or equal to 0.11.0pre1 for 2.2 series

You can find a little shell script here to see that you are vulnerable :
http://www.lids.org/download/test-lids.sh
http://www.lids.org/download/test-lids.sh.asc

Remember that it's only a silly test that does obvious things and that those
tests may fail if it is not run in the context I wanted it to be run.

Solution :
- ----------

For 2.4 users :
http://www.lids.org/download/lids-1.1.1pre2-2.4.16.tar.gz
http://www.lids.org/download/lids-1.1.1pre2-2.4.16.tar.gz.asc

For 2.2 users :
Use the patch against 0.10.1 :
http://www.lids.org/download/LIDS-security-patch-0.10.1-2.2.20.diff.gz
http://www.lids.org/download/LIDS-security-patch-0.10.1-2.2.20.diff.gz.asc

0.11.0pre2 version is not vulnerable but it is broken.
- -----------------------------[BUG #2]-------------------------
Severity : CRITICAL
Discovery : Phil (pbi at cartel-info dot fr)

Description:
- ------------
Programs launched before LIDS is sealed keep full CAPS after the sealing.
We could imagine a shell code that makes a daemon from pre-sealing era
deactivate LIDS using CAP_SYS_RAWIO or CAP_SYS_MODULE.

Systems affected :
- ------------------
Same as BUG #1

Solution :
- ------------------
Same as BUG #1
- -----------------------------[BUG #3]-------------------------
Severity : CRITICAL
Discovery : Stealth

Description:
- ------------
A program in a shell script which inherits LIDS capability/acls can be redirected
to another evil program using PATH, ALIAS etc. That evil program can also gain
that capability/acls from its parent -- the shell script. 


Systems affected :
- ------------------
Same as BUG #1

Solution :
- ------------------
Same as BUG #1

- ------------------------------------------------------------------------

LIDS TEAM 
Jan-9-2002

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see  http://www.gnupg.org

iD8DBQE8PJLCtTu2CrbvsCgRAo/QAJoCRJe3jrdJ/DN0ph51upEuAyzFywCcCIEK
piv8rSX+smCQe7dKttcUAZg=
=Wpmc
-----END PGP SIGNATURE-----

Category:

  • Linux

First (proof-of-concept) .NET virus

Author: JT Smith

Juergen Kreileder writes “Symantec says they’ve received W32.Donut, the first .NET virus: ‘This virus targets EXE files that were created for the Microsoft .NET framework. W32.Donut is a concept virus. It does not have any significant chance to become wide spread. However it shows that virus writers are paying close attention to the new .NET architecture and attempting to learn how to exploit it before the Framework will be available on most systems.'”

Category:

  • Linux

Simply GNUstep delivers Unix, simply — repeat

Author: JT Smith

OS News: “I’m a happy BeOS refugee this morning after having just tried Simply GNUstep. Simply GNUstep is a new Operating System that runs on the latest Linux kernel compiled with the latest GNU compiler. This new OS is way more (perhaps by being less) than just-another-Linux-distribution. It aims to be similar, extremely similar, to Apple’s OS X. However, Simply GNUstep, unlike OS X, will run on your PC. In fact, you can be running it in under 15 minutes from this very moment.” Read more here.

Red Hat: namazu buffer overflow vulnerability

Author: JT Smith

Posted on LinuxSecurity.com: Updated namazu packages are available for Red Hat Linux 7.0J. These
packages fix cross-site scripting vulnerabilities. It also fixes a possible
buffer overflow.
Namazu is a full-text search engine. Namazu 2.0.9 and earlier may
inadvertently include malicious HTML tags or scripts in a dynamically
generated page, based on unvalidated input from untrustworthy sources.
Also, a buffer overflow vulnerability exists in the buffer size of an
environment variable.

Category:

  • Linux

Wusage 8.0 for Linux released

Author: JT Smith

Lori Monroe writes:
Wusage 8.0 Web Server Log Analysis Software has been released for the Linux operating system. Other operating systems will follow quickly over the course of the next few days.

Wusage is a Web server log analysis package that runs just as well on
virtually every operating system. Wusage also can read logs generated by nearly every type of Web server, including Apache, Microsoft IIS, WebStar, and many others. Wusage has always provided superior web site statistics. Wusage 8.0 does more than any other statistical program on the market, especially considering the very reasonable shareware cost.
Wusage 8.0 has several new reports such as the % of successful downloads and the site navigation graph. Here are some of the new features Wusage 8.0 provides.

Extremely fast reverse DNS lookups! Wusage 8.0 can translate from IP address to hostname hundreds of times per second. This feature makes turning on reverse DNS lookups a very realistic option for most users.

When setting log file locations (the logfiles option), * and ? wildcards are now permitted in the last component of the path. Example: /home/www/logs/access_log*

Greatly improved progress display, for both Unix and Windows.

Multiple virtual server names are supported for each web site.

Automatic discovery of Microsoft IIS server names when Wusage is running on the server itself. Users no longer need to specify W3SVCx as the virtual server name to analyze; Wusage can look up the W3SVCx name based on the domain name.

The site navigation graph reveals how your web site is truly used. This highly informative graph provides a visual guide to the most frequently followed paths through your web site. The navigation graph is often surprising; it often contradicts the way webmasters think their site is designed. This feature provides a tremendous amount of information; we utilize the open source graphviz and ghostscript packages (both free, and easily installed separately) in order to create the best available visual representation of your users’ true behavior. The graph is presented as a PDF file (Portable Document Format) to facilitate easy printing of this large report, which is often best appreciated when taped to a whiteboard or simply laid out on the floor. We simply can’t say enough about this great new feature.

The “Documents by Directory” report no longer requires hundreds of files and subdirectories. This report is now rendered via Javascript, allowing just a few files to contain the report data for all subdirectory reports. This feature saves a great deal of disk space.
Document structure is now displayed. Easily view a list of “components,” such as images and frames, that make up each document on your web site.

Percentage of successful downloads is displayed for every object. For pages, this percentage takes into account whether or not the user succeeded in downloading all of the images that make up the page. Extremely useful when you wish to evaluate the quality of an end user’s experience! Wusage 8 analyzes eight pages simultaneously to limit the performance impact of this great new feature; it can also be turned off if performance becomes a concern.
“Stolen” objects report: see which of your images, audio files, etc. are being embedded in OTHER web sites.

Separate subreports for pages, images, audio, video, and so on. User-editable “subtypes” allow you to add more subreports and edit the definition of existing subreports.

“Subtypes” can also be used as a better basis for historical charts, such as the “page views” chart.

Historical charts are now accessible from the “home page” of each report set. This change addresses a common concern among users who had difficulty locating the “View Chart” buttons in the 7.0 series.

CGI scripts, keywords and parameters report tells you everything you need to know about your interactive pages.

Screen resolution and depth report tells you how many pixels your users can see, and with how many colors. Stop wondering what your site looks like to your customers; now you know for sure!

Improved user-identifying cookie handling code deals gracefully with servers that log a cookie on the first request and servers that log cookies only when they come back from the client. Wusage no longer counts single-access “visits” as such, because they are typically the result of identity-masking software that skews the number of visits. Instead, the program counts these “stealthy” accesses and scales them according to the average accesses per visit for more typical “non-stealthy” users.

Document titles are displayed in addition to URLs. Wusage 8 analyzes eight pages simultaneously to limit the performance impact of this great new feature; it can also be turned off if performance becomes a concern.

Additional user-definable output features ease the localization of reports.

Important aesthetic improvements.

Efficiency and memory usage improvements.

Wusage is used & loved worldwide by 1000’s of single web site owners, small companies, large companies and worldwide conglomerates, educational institutions, government entities, ISP’s and hosting companies.

Download Wusage today by visiting our download page at http://www.boutell.com/wusage and try the fully functional version for 30 days before ordering or paying for anything. Yes we will provide you with technical support, email or give us a call!

Qualys: New Linux trojan found

Author: JT Smith

Cari Jaquet writes:
Qualys, Inc., a leader in Managed Vulnerability Assessment, announces the detection and analysis of a new and potentially dangerous Remote Shell Trojan, referenced as RST.b, with backdoor and self-replicating functionality. Machines can become infected through binary email attachment or downloaded files.

RST.b then installs a backdoor that listens for network traffic coming through any UDP port, making this trojan different and significantly more dangerous than the Remote Shell Trojan identified earlier by Qualys in September 2001. RST.b detection and cleansing tools are available at https://www.qualys.com/forms/remoteshellb.html.

Once infected with RST.b, systems start listening for network traffic on any UDP port. To activate the backdoor, attackers send specially-crafted UDP packets to launch arbitrary commands, scouring the system for sensitive data, vandalizing or completely destroying the files on the infected host. RST.b also has self-replicating capabilities, making it likely to spread across binary files on the infected host, a function that has previously been used in trojans and viruses affecting other operating systems, including Microsoft Windows. Another dangerous aspect of RST.b is that it allows hackers to query the Internet and find infected systems, increasing the speed and likelihood of exposure.

“As a leading provider of security threat management solutions, SecurityFocus alerts the community about potentially dangerous network threats,” said Ryan Russell, Incident Analyst for SecurityFocus. “SecurityFocus appreciates the contribution Qualys has made to the community by providing the analysis required to combat the RST.b virus as well as their diligence in developing tools to help organizations eliminate exposed or infected systems.”

“The most significant worry with RST.b is its unique ability to receive and execute payloads through the network, making it a threat to even the most secured hosts,” explained Gerhard Eschelbeck, Vice President of Engineering at Qualys. “On a positive note, during our analysis, we discovered programming errors in the virus trojan code that limit RST.b capabilities to self-replicate as efficiently as intended,” Eschelbeck continued.

For more information about Qualys, please visit http://www.qualys.com.