Author: JT Smith
Category:
Author: JT Smith
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: webalizer
Announcement-ID: SuSE-SA:2001:040
Date: Tuesday, Nov 06th, 2001 12.00 MET
Affected SuSE versions: 7.1, 7.2, 7.3
Vulnerability Type: remote privilege escalation
(cross-site scripting)
Severity (1-10): 5
SuSE default package: no
Other affected systems: all linux-like systems using this version
of webalizer
Content of this advisory:
1) security vulnerability resolved: webalizer
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The webalizer is a widely used tool for analyzing web server logs and
produce statistics in HTML format.
An exploitable bug was found in webalizer which allows a remote attacker
to execute commands on other client machines or revealing sensitive
information by placing HTML tags in the right place. This is possible
due to missing sanity checks on untrusted data - hostnames and search
keywords in this case - that are received by webalizer. This kind of attack
is also known as "Cross-Site Scripting Vulnerability".
Additionally the untrusted data will be written to files on the server
running webalizer; this may lead to further problems when using this
data as input for third-party software/scripts.
There is no known temporary fix, so please update your system with
the new RPMs from our FTP server.
Download the update package from locations described below and install
the package with the command:
rpm -Uhv file.rpm
The md5sum for each file is in the line below. You can verify the
integrity of the rpm files using the command:
rpm --checksig --nogpg file.rpm
independently from the md5 signatures below.
i386 Intel Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/webalizer-2.01.06-140.i386.rpm
3525fd6ab9c27be34edad9bef05ff061
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/webalizer-2.01.06-140.src.rpm
898d975f34991a02f02da603b6bcd529
SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/webalizer-2.01.06-139.i386.rpm
593a7f033158f57bac47cf2fa9cb83bc
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/webalizer-2.01.06-139.src.rpm
70ceb86a0373070a06f6d39ec0bc4377
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/webalizer-2.01.06-139.i386.rpm
74288622703dec120b18c0fbb5003917
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/webalizer-2.01.06-139.src.rpm
213f7a394052dc193be05a882768054a
Sparc Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/webalizer-2.01.06-54.sparc.rpm
5aa3b7511d704415498fbec3bfc2ccd5
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/webalizer-2.01.06-54.src.rpm
792efab485712286fc848234b1aa249d
AXP Alpha Platform:
SuSE-7.1
ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/webalizer-2.01.06-49.alpha.rpm
aa93070e8358b1cfd91b7fabffbfa985
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/webalizer-2.01.06-49.src.rpm
2065dd78c3f8147a94f97994fb37e6ce
PPC Power PC Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/webalizer-2.01.06-72.ppc.rpm
cc28460b1d6fac8f87cc4658fae45d3e
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/webalizer-2.01.06-72.src.rpm
7d7cec18f488f97187338723b0151426
SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/webalizer-2.01.06-70.ppc.rpm
3630f538b0445ee462b73475b488b146
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/webalizer-2.01.06-70.src.rpm
4c998066d5eb545bb1551e246f2724c1
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- openssh
After stabilizing the openssh package, updates for the distributions
6.4-7.2 are currently being prepared. The update packages fix a security
problem related to the recently discovered problems with source ip
based access restrictions in a user's ~/.ssh/authorized_keys2 file.
The packages will appear shortly on our ftp servers. Please note that
packages for the distributions 6.3 and up including 7.0 containing
cryptographic software are located on the German ftp server ftp.suse.de,
all other packages can be found on ftp.suse.com at the usual location.
We will issue a dedicated Security announcement for the openssh package.
- nvi
Takeshi Uno found a format tag vulnerability in all versions of nvi.
The bug will be fixed in future version of SuSE Linux.
- Please watch out for more announcements that are currently in our queue.
______________________________________________________________________________
3) standard appendix:
SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe@suse.com>.
suse-security-announce@suse.com
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe@suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.
===============================================
SuSE's security contact is <security@suse.com>.
===============================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQEVAwUBO+e7oney5gA9JdPZAQEOhgf/YYGOy0R1hVScGRcrMR1jNNNzKSe/xtqS
SC5SO8qFKnSIT5aFhDbc1BMdmPIGiJp8c0CS9M9mPyRop6LT55uPPdtRoLMgZkp0
TQVWVldz1F8Ou6fIjDXcv5blHR94ZRLi2is6Tzn+x1GC5srMJA6FDNMmwVWWdtjp
nJGulyqBrTdNMb6GkFKdCstc55WCa4/GExKbb0bMaJz3JR8EFD6PlBltYbf8Zk3g
PUeBMEkP7BeuzNci9I5SfD76/zbC3tta7i6h6SsjPFS8TE0GOojWWrBcc2yHOCZQ
i7PiWXqvSD/GnfCRIn/BuUlqEw4sTf412l4Ls7V+ubWniK6tZRrjcA==
=n24I
-----END PGP SIGNATURE-----
Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/contact/thomas.asc | pgp -fka"
Key fingerprint = 51 AD B9 C7 34 FC F2 54 01 4A 1C D4 66 64 09 83
--
Trete durch die Form ein, und trete aus der Form heraus.
--
To unsubscribe, e-mail: suse-security-announce-unsubscribe@suse.com
For additional commands, e-mail: suse-security-announce-help@suse.com
Category:
Author: JT Smith
This is twice the transfer rate of regular 11Mbps 802.11b products.
The range is the first to ship based on Texas Instruments’ (TI) ACX100 chipset.”
Author: JT Smith
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 +------------------------------------------------------------------------+ | EnGarde Secure Linux Security Advisory November 06, 2001 | | http://www.engardelinux.org/ ESA-20011106-01 | | | | Package: kernel | | Summary: Syncookie vulnerability | +------------------------------------------------------------------------+ EnGarde Secure Linux is a secure distribution of Linux that features improved access control, host and network intrusion detection, Web based secure remote management, complete e-commerce using AllCommerce, and integrated open source security tools. OVERVIEW - -------- There are is a vulnerability in the kernel's syncookie code which can allow a remote attacker to potentially guess the cookie and bypass firewall rules. DETAIL - ------ Some firewall systems implement rules based on the TCP flags set. They may drop or reject incoming packets that have the SYN bit set, which normally indicates the start of a new connection. It is possible for an attacker to flood the server with SYN packets, causing a DoS attack. To protect against this DoS the kernel implements something called "syncookies". In the syncookie model, the server sends a cryptographically secure "cookie" back to the client with the "SYN ACK" packet. To finish the handshake, the client sends a final ACK, with the cookie, back to the server. This cookie is comprised of various bits including the source/destination address and port. The problem lies in the fact that: a) Many firewalls implement rules based upon the SYN flag. b) With syncookies enabled, the client need only send an ACK with a valid cookie. c) All the cookies come from the same source. While the cookies themselves are secure, they can be brute forced in a few hours on a fast connection. To fix this problem the syncookies are now tied into a particular port. Syncookies are enabled by default on EnGarde. SOLUTION - -------- All users should upgrade to the most recent version, as outlined in this advisory. Please note that kernel upgrades are not available through Guardian Digital Secure Update. Please follow the steps outlined below to upgrade your system manually. Updates can be obtained from: ftp://ftp.engardelinux.org/pub/engarde/stable/updates/http://ftp.engardelinux.org/pub/engarde/stable/updates/ Please read and understand this entire section before you attempt to upgrade the kernel. Initial Steps ------------- 1) Verify the machine is either: a) booted into a "standard" kernel; or b) LIDS is disabled (/sbin/lidsadm -S -- -LIDS_GLOBAL) 2) Determine which kernels you currently have installed: # rpm -qa --qf "%{NAME}n" | grep kernel 3) Download the new kernels that match what you have installed (based on step 2) from the "UPDATED PACKAGES" section of this advisory. Installation Steps ------------------ 4) Install the new packages. The packages will automagically update /etc/lilo.conf by commenting out any old EnGarde images and replacing them with the new ones: # rpm --replacefiles -i <kernel 1> <kernel 2> ... 5) Re-run LILO. If you see any errors then open /etc/lilo.conf in your favorite text editor and make the appropriate changes: # /sbin/lilo Final Steps ----------- 6) If you did not see any LILO errors then your new kernel is now installed and your machine is ready to be rebooted: # reboot UPDATED PACKAGES - ---------------- These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra). Source Packages: SRPMS/kernel-2.2.19-1.0.21.src.rpm MD5 Sum: 08257690f8af73feab70e8720611100c Binary Packages: i386/kernel-2.2.19-1.0.21.i386.rpm MD5 Sum: 39618bc729d2b92a354f426ae794dbbd i386/kernel-lids-mods-2.2.19-1.0.21.i386.rpm MD5 Sum: 9135e610cd5ebd9e16e823a4b8d76995 i386/kernel-smp-lids-mods-2.2.19-1.0.21.i386.rpm MD5 Sum: 02a90cd041e405fa008fbb5f29e59ffb i386/kernel-smp-mods-2.2.19-1.0.21.i386.rpm MD5 Sum: de5734faa2fa08b6b30954524ba5197b i686/kernel-2.2.19-1.0.21.i686.rpm MD5 Sum: a52ba054ae0ee1c298963c2f511fce97 i686/kernel-lids-mods-2.2.19-1.0.21.i686.rpm MD5 Sum: 01d004993e324cabf4305816f9a85d0e i686/kernel-smp-lids-mods-2.2.19-1.0.21.i686.rpm MD5 Sum: f2d980723f90988b0c4fe0cfa2189dfe i686/kernel-smp-mods-2.2.19-1.0.21.i686.rpm MD5 Sum: 9b21a28a31b4f7cba4f30db9d68e53d8 REFERENCES - ---------- Guardian Digital's public key: http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY Credit for the discovery/fixing of this bug goes to: Manfred Spraul Andi Kleen <ak@suse.de> Official Web Site of the Linux Kernel: http://www.kernel.org/ Security Contact: security@guardiandigital.com EnGarde Advisories: http://www.engardelinux.org/advisories.html - -------------------------------------------------------------------------- $Id: ESA-20011106-01-kernel,v 1.1 2001/11/06 05:58:24 rwm Exp $ - -------------------------------------------------------------------------- Author: Ryan W. Maple, <ryan@guardiandigital.com> Copyright 2001, Guardian Digital, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7531+HD5cqd57fu0RAkQoAJ9CilSgHhx8mm/+Tz3rv2ZXpxTCygCePVF/ tTcRXcfrB+u/FmNIxctui54= =l5kN -----END PGP SIGNATURE----- ------------------------------------------------------------------------ To unsubscribe email engarde-security-request@engardelinux.org with "unsubscribe" in the subject of the message. Copyright(c) 2001 Guardian Digital, Inc. EnGardeLinux.org ------------------------------------------------------------------------
Category:
Author: JT Smith
The election atmosphere is casual and self-deprecating. “I would like to publicly denounce … I mean announce…my candidacy to the GNOME Foundation Board,” wrote Glynn Foster, who also boasts of having an @goatsex.org email address.
Rhett Creighton, who could boast about his @mit.edu address but doesn’t, registered his candidacy with these comments: “I haven’t done doodly squat for GNOME. There is absolutely no reason to
vote for me. I ran last year and got the least number of votes (3,
including my own).
“I believe that free software is overrated. If elected, I will try to
adopt a for-profit software model to the GNOME foundation. Actually,
GNOME will stop making software altogether. Instead, it will make bowling
balls.”
Wrote the venerable George Lebl: “The GNOME world has been subjected to my crack since sometime
in ’97. At one point I have even been paid for my madness by
Eazel. By the time they realized their mistake of hiring me
it was too late.” He said if elected, he’ll press for world peace and a cure for cancer.
Maciej Stachowiak is not running for re-election, but was kind enough to proffer a voting list for others. “I would like to mention a few
of the current board members that I feel most deserve to be
re-elected, and a few non-members that I think deserve a seat. I don’t
know if the people I mention will choose to run, but I hope they do.”
Current board member Havoc Pennington was the only person who sounded really serious about getting elected. He was almost somber in comparison to others when announcing his candidacy. Pennington pointed out that things are going smoothly now and are expected to continue doing so. “The thing I
like best is the huge range of people working on things pretty
autonomously — we have the translation team, docs team, usability
team, release team, all of these building up their own communities and
getting stuff done.
“I think I only missed one or two board meetings this year, and
generally try to do a good job.”
All 11 spots on the GNOME foundation board are up for re-election. The election will be held by email from November 13 to 20. Only GNOME foundation members are eligible to vote. If you’d like to become a member, you must turn in an application by November 8. According to the Membership Policy, any contributor to GNOME is eligible for membership. Contributions may be code, documentation, translations, maintenance, or other “non-trivial activities.”
Category:
Author: JT Smith
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux - syncookies firewall breaking problem
Advisory number: CSSA-2001-038.0
Issue date: 2001, November 05
Cross reference:
______________________________________________________________________________
1. Problem Description
The Linux kernel implements a method called 'syn cookies' to avoid
denial of service attacks by using a stateless connection setup.
There is also a common form of firewalls, which are based on SYN
filtering to block only incoming TCP connections, but let outgoing
connections pass.
Unfortunately the syncookies design allows a remote attacker to
bypass SYN filtering firewalls in case there is one open port which
the attacker can flood.
The Linux 2.2 and 2.4 kernels had the syncookies state as a systemwide
global, so it was enabled for all sockets at once in case of flood to
an open port, allowing a remote attacker to gain access to firewalled
ports, effectively bypassing the firewall.
Even though the attack requires a very large number of IP packets,
it is not unthinkable for a determined attacker to exploit this problem.
2. Vulnerable Versions
System Package
-----------------------------------------------------------
OpenLinux 2.3 All packages previous to
linux-2.2.10-14
OpenLinux eServer 2.3.1 All packages previous to
and OpenLinux eBuilder linux-2.2.14-13S
OpenLinux eDesktop 2.4 All packages previous to
linux-2.2.14-9
OpenLinux Server 3.1 All packages previous to
linux-2.4.2-14S
OpenLinux Workstation 3.1 All packages previous to
linux-2.4.2-14D
3. Solution
Workaround
Disable syncookies by doing:
echo -n 0 > /proc/sys/net/ipv4/tcp_syncookies
The proper solution is to upgrade to the latest packages.
4. OpenLinux 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS
4.2 Verification
f112b7346070972c44770b562df912db linux-kernel-binary-2.2.10-14.i386.rpm
7a8d2803e68227576998b9c12fb90976 linux-kernel-doc-2.2.10-14.i386.rpm
8c9a3a28c69d03efb6e325e1f83eca9a linux-kernel-include-2.2.10-14.i386.rpm
29020f946a358838cde15d54ee6a294c linux-source-alpha-2.2.10-14.i386.rpm
0a841ec165ee97425afb8d86f74a2eb4 linux-source-arm-2.2.10-14.i386.rpm
dead286ad1491ceccabde12fd24eab88 linux-source-common-2.2.10-14.i386.rpm
b8e37b6be024ceb02dbcff7e9191e067 linux-source-i386-2.2.10-14.i386.rpm
9789e6ea513b88f8dbdf4fd58405c69f linux-source-m68k-2.2.10-14.i386.rpm
14ae8aa4e6e075b1ce891048b4eb25ed linux-source-mips-2.2.10-14.i386.rpm
d85b4cc17890c262a776bef9c100aa07 linux-source-ppc-2.2.10-14.i386.rpm
9a4398514eea89a9cae7bd28038b7d6b linux-source-sparc-2.2.10-14.i386.rpm
5f0c0e296f83cc1a0ed8e8f2b03087ba linux-source-sparc64-2.2.10-14.i386.rpm
25901d75de5b22e8eda388895a261564 pcmcia-cs-3.0.14-5.i386.rpm
dfe1a96017b6a43949d740a5a2f17369 linux-2.2.10-14.src.rpm
f07c67c7eeb6778d2b7320591bbecd14 pcmcia-cs-3.0.14-5.src.rpm
4.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
/sbin/modprobe loop
rpm -Fvh --force linux-kernel-binary-2.2.10-14.i386.rpm
linux-kernel-doc-2.2.10-14.i386.rpm
linux-kernel-include-2.2.10-14.i386.rpm
linux-source-alpha-2.2.10-14.i386.rpm
linux-source-arm-2.2.10-14.i386.rpm
linux-source-common-2.2.10-14.i386.rpm
linux-source-i386-2.2.10-14.i386.rpm
linux-source-m68k-2.2.10-14.i386.rpm
linux-source-mips-2.2.10-14.i386.rpm
linux-source-ppc-2.2.10-14.i386.rpm
linux-source-sparc-2.2.10-14.i386.rpm
linux-source-sparc64-2.2.10-14.i386.rpm
pcmcia-cs-3.0.14-5.i386.rpm
5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
e2f0150caeb4d7318716d05d5d4cb32e linux-kernel-binary-2.2.14-13S.i386.rpm
9c0940b9a84ff72c8a40e8a10add3d4b linux-kernel-doc-2.2.14-13S.i386.rpm
8cdfa9651a5e75d04a095696d4681663 linux-kernel-include-2.2.14-13S.i386.rpm
db564909d2065c238271ae63c9ffd49a linux-source-alpha-2.2.14-13S.i386.rpm
4f80288d523347ec39e9cc38e7230f50 linux-source-arm-2.2.14-13S.i386.rpm
9c915c6026e86680299522da3e053e72 linux-source-common-2.2.14-13S.i386.rpm
c7f9415335c293a9878b18abb5ed1864 linux-source-i386-2.2.14-13S.i386.rpm
3218946ecbd2b98c6661770757fa4e8d linux-source-m68k-2.2.14-13S.i386.rpm
6ab8925bdf73efe2b014ebcd3c2188bc linux-source-mips-2.2.14-13S.i386.rpm
035a4e5970bf0dc709c301daf751bc67 linux-source-ppc-2.2.14-13S.i386.rpm
d611132b945774cb4b3a0e57ef323f1b linux-source-sparc-2.2.14-13S.i386.rpm
3b4048225724cab325a247d66bac2afe linux-source-sparc64-2.2.14-13S.i386.rpm
d653ecbe3fa48e87f6c6ebbce81d8345 pcmcia-cs-3.1.4-5.i386.rpm
222e40903ce9f4fa823485984764369e linux-2.2.14-13S.src.rpm
d78e703763fe9828627006706d65292e pcmcia-cs-3.1.4-5.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
/sbin/modprobe loop
rpm -Fvh linux-kernel-binary-2.2.14-13S.i386.rpm
linux-kernel-doc-2.2.14-13S.i386.rpm
linux-kernel-include-2.2.14-13S.i386.rpm
linux-source-alpha-2.2.14-13S.i386.rpm
linux-source-arm-2.2.14-13S.i386.rpm
linux-source-common-2.2.14-13S.i386.rpm
linux-source-i386-2.2.14-13S.i386.rpm
linux-source-m68k-2.2.14-13S.i386.rpm
linux-source-mips-2.2.14-13S.i386.rpm
linux-source-ppc-2.2.14-13S.i386.rpm
linux-source-sparc-2.2.14-13S.i386.rpm
linux-source-sparc64-2.2.14-13S.i386.rpm
pcmcia-cs-3.1.4-5.i386.rpm
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification
3274fe3fbb7b302d6d0bee7186820fef hwprobe-20000214-6.i386.rpm
064ebec44665beb14eaa85ad4ecfc838 iBCS-2.1-12.i386.rpm
d87d3c6f0cb937a0e51e68c6984b2c62 iBCS-extras-2.1-12.i386.rpm
7fd4443b17bc58f072572548b3c54886 iBCS-module-2.1_2.2.14-12.i386.rpm
4366e46e2ff02f9dadde291a483f1cf2 linux-kernel-binary-2.2.14-9.i386.rpm
d54b1d4e4ad58022d5298e8c5359dad9 linux-kernel-doc-2.2.14-9.i386.rpm
320d182140b90c771993b031c66f2d4a linux-kernel-include-2.2.14-9.i386.rpm
ad69ebbc9d8ee30de552e81f5c3b3cdf linux-source-alpha-2.2.14-9.i386.rpm
3f5434fc2fe4486e258a5981cd65dc36 linux-source-arm-2.2.14-9.i386.rpm
a8fc5f92bf99b27674772966f390ce1d linux-source-common-2.2.14-9.i386.rpm
6fd8bde1cd3caf58195f6be09983a9cf linux-source-i386-2.2.14-9.i386.rpm
997e6d546da8149c8a9b4e78932a3ab5 linux-source-m68k-2.2.14-9.i386.rpm
27dcf591ef399c3b1a02011900cf92e3 linux-source-mips-2.2.14-9.i386.rpm
ce4998917dcded5161b954672b9e7728 linux-source-ppc-2.2.14-9.i386.rpm
7b258bc6c66ac6d9305bc71e41ecd24c linux-source-sparc-2.2.14-9.i386.rpm
fb5d48c243c3b10067f59f58f6f922f4 linux-source-sparc64-2.2.14-9.i386.rpm
d4fbca082ccb49d9a9ed26b2e4868767 pcmcia-cs-3.1.8-5.i386.rpm
b5465215f5dbe5c430e684a9899af9f7 hwprobe-20000214-6.src.rpm
ccbfc2eab5d5111866abcba90e551116 iBCS-2.1-12.src.rpm
ada8415ed350c5013bf29fc84931741b linux-2.2.14-9.src.rpm
14b4fb11304a0083ee44edd27dba4543 pcmcia-cs-3.1.8-5.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
/sbin/modprobe loop
rpm -Fvh hwprobe-20000214-6.i386.rpm iBCS-2.1-12.i386.rpm
iBCS-extras-2.1-12.i386.rpm
iBCS-module-2.1_2.2.14-12.i386.rpm
linux-kernel-binary-2.2.14-9.i386.rpm
linux-kernel-doc-2.2.14-9.i386.rpm
linux-kernel-include-2.2.14-9.i386.rpm
linux-source-alpha-2.2.14-9.i386.rpm
linux-source-arm-2.2.14-9.i386.rpm
linux-source-common-2.2.14-9.i386.rpm
linux-source-i386-2.2.14-9.i386.rpm
linux-source-m68k-2.2.14-9.i386.rpm
linux-source-mips-2.2.14-9.i386.rpm
linux-source-ppc-2.2.14-9.i386.rpm
linux-source-sparc-2.2.14-9.i386.rpm
linux-source-sparc64-2.2.14-9.i386.rpm
pcmcia-cs-3.1.8-5.i386.rpm
7. OpenLinux 3.1 Server
7.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS
7.2 Verification
87b5f36b72bb16e6e834c59233106b37 linux-kernel-binary-2.4.2-14S.i386.rpm
5188757fbd1cbcc307d53c0bbbba6aed linux-kernel-include-2.4.2-14S.i386.rpm
4723ba116d77e1afaaab9108d4f67392 linux-source-alpha-2.4.2-14S.i386.rpm
8d5b667a2238e549d01523a9028d0def linux-source-arm-2.4.2-14S.i386.rpm
7b1040fce5eb2c13069f12e0f98f459f linux-source-common-2.4.2-14S.i386.rpm
d4d72adbd977c3cd736d6d292fa96f66 linux-source-i386-2.4.2-14S.i386.rpm
e13ee045818e08ea58ebac07e3a7683b linux-source-ia64-2.4.2-14S.i386.rpm
63f8af9364b41a5ed8529922b2b86085 linux-source-m68k-2.4.2-14S.i386.rpm
1efcb66cef3cfb73267bc383192977e5 linux-source-mips-2.4.2-14S.i386.rpm
eb531f7e844276dadcfb64a61e14d91b linux-source-ppc-2.4.2-14S.i386.rpm
bdbb2c789f16563881f1bb24384a1e13 linux-source-s390-2.4.2-14S.i386.rpm
afab346de67d5298b680d9f3f585df85 linux-source-sparc-2.4.2-14S.i386.rpm
4365699de967a365b09f92f683447b90 linux-source-superH-2.4.2-14S.i386.rpm
38226719588775988ffdd5db0adacb10 linux-2.4.2-14S.src.rpm
7.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
/sbin/modprobe loop
rpm -Fvh linux-kernel-binary-2.4.2-14S.i386.rpm
linux-kernel-include-2.4.2-14S.i386.rpm
linux-source-alpha-2.4.2-14S.i386.rpm
linux-source-arm-2.4.2-14S.i386.rpm
linux-source-common-2.4.2-14S.i386.rpm
linux-source-i386-2.4.2-14S.i386.rpm
linux-source-ia64-2.4.2-14S.i386.rpm
linux-source-m68k-2.4.2-14S.i386.rpm
linux-source-mips-2.4.2-14S.i386.rpm
linux-source-ppc-2.4.2-14S.i386.rpm
linux-source-s390-2.4.2-14S.i386.rpm
linux-source-sparc-2.4.2-14S.i386.rpm
linux-source-superH-2.4.2-14S.i386.rpm
/sbin/depmod -a
8. OpenLinux 3.1 Workstation
8.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS
8.2 Verification
b170636148d3d057237913b3870d916f linux-kernel-binary-2.4.2-14D.i386.rpm
a1f3dd1fe8ac717999a8fc963227c40e linux-kernel-include-2.4.2-14D.i386.rpm
b033e7f2b3bea97b65b636cc5ab67de9 linux-source-alpha-2.4.2-14D.i386.rpm
c8fd9e36df0d6008fad4c3beb31e3bdb linux-source-arm-2.4.2-14D.i386.rpm
452b0df69c68d10f3bdac57c08e9cf17 linux-source-common-2.4.2-14D.i386.rpm
d7e8c4157df7a7b9bb0116f673c67b1d linux-source-i386-2.4.2-14D.i386.rpm
25911c50aa631b48712da3b877eb4c72 linux-source-ia64-2.4.2-14D.i386.rpm
3ea9d607e08b15ff646d45100754c05f linux-source-m68k-2.4.2-14D.i386.rpm
339be8f2e0fd2eafefb41c256acf0412 linux-source-mips-2.4.2-14D.i386.rpm
47ce33f13fde399aa62b0d20b677150b linux-source-ppc-2.4.2-14D.i386.rpm
9a3f948f6e104bb7bbc8c2105b218bcf linux-source-s390-2.4.2-14D.i386.rpm
fa3416e60a2af27c529a72cf446885ed linux-source-sparc-2.4.2-14D.i386.rpm
07f6fc32a1002845413fc77bdd7c61f0 linux-source-superH-2.4.2-14D.i386.rpm
1d13bd90b32d5fa065b0afa2484df0f2 linux-2.4.2-14D.src.rpm
8.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
/sbin/modprobe loop
rpm -Fvh linux-kernel-binary-2.4.2-14D.i386.rpm
linux-kernel-include-2.4.2-14D.i386.rpm
linux-source-alpha-2.4.2-14D.i386.rpm
linux-source-arm-2.4.2-14D.i386.rpm
linux-source-common-2.4.2-14D.i386.rpm
linux-source-i386-2.4.2-14D.i386.rpm
linux-source-ia64-2.4.2-14D.i386.rpm
linux-source-m68k-2.4.2-14D.i386.rpm
linux-source-mips-2.4.2-14D.i386.rpm
linux-source-ppc-2.4.2-14D.i386.rpm
linux-source-s390-2.4.2-14D.i386.rpm
linux-source-sparc-2.4.2-14D.i386.rpm
linux-source-superH-2.4.2-14D.i386.rpm
/sbin/depmod -a
9. References
This and other Caldera security resources are located at:
http://www.caldera.com/support/security/index.html
This security fix closes Caldera's internal Problem Report 10835.
10. Disclaimer
Caldera International, Inc. is not responsible for the misuse of
any of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera OpenLinux.
11. Acknowledgements
Caldera International Inc. wants to thank Andi Kleen of SuSE for
spotting and sending a patch and David Miller for refining it.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE75qM/18sy83A/qfwRAmQWAJ9+1yMqGz7TmiV5qO1bvgYpQjASuQCgtP6q
+bK2B7diVD8AM78+qv5yYkI=
=8D+y
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@lists.caldera.com
For additional commands, e-mail: announce-help@lists.caldera.com
Category:
Author: JT Smith
Category:
Author: JT Smith
Author: JT Smith
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2001-30 Multiple Vulnerabilities in lpd
Original release date: November 05, 2001
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* BSDi BSD/OS Version 4.1 and earlier
* Debian GNU/Linux 2.1 and 2.1r4
* FreeBSD All released versions FreeBSD 4.x, 3.x, FreeBSD
4.3-STABLE, 3.5.1-STABLE prior to the correction date
* Hewlett-Packard HP9000 Series 700/800 running HP-UX releases
10.01, 10.10, 10.20, 11.00, and 11.11
* IBM AIX Versions 4.3 and AIX 5.1
* Mandrake Linux Versions 6.0, 6.1, 7.0, 7.1
* NetBSD 1.5.2 and earlier
* OpenBSD Version 2.9 and earlier
* Red Hat Linux 6.0 all architectures
* SCO OpenServer Version 5.0.6a and earlier
* SGI IRIX 6.5-6.5.13
* Sun Solaris 8 and earlier
* SuSE Linux Versions 6.1, 6.2, 6.3, 6.4, 7.0, 7.1, 7.2
Overview
There are multiple vulnerabilities in several implementations of the
line printer daemon (lpd). The line printer daemon enables various
clients to share printers over a network. Review your configuration to
be sure you have applied all relevant patches. We also encourage you
to restrict access to the lpd service to only authorized users.
I. Description
There are multiple vulnerabilities in several implementations of the
line printer daemon (lpd), affecting several systems. Some of these
problems have been publicly disclosed previously. However, we believe
many system and network administrators may have overlooked one or more
of these vulnerabilities. We are issuing this document primarily to
encourage system and network administators to check their systems for
exposure to each of these vulnerabilities, even if they have addressed
some lpd vulnerabilities recently.
Most of these vulnerabilities are buffer overflows allowing a remote
intruder to gain root access to the lpd server. For the latest and
most detailed information about the known vulnerabilities, please see
the vulnerability notes linked to below.
VU#274043 - BSD line printer daemon buffer overflow in displayq()
There is a buffer overflow in several implementations of in.lpd, a BSD
line printer daemon. An intruder can send a specially crafted print
job to the target and then request a display of the print queue to
trigger the buffer overflow. The intruder may be able use this
overflow to execute arbitrary commands on the system with superuser
privileges.
The line printer daemon must be enabled and configured properly in
order for an intruder to exploit this vulnerability. This is, however,
trivial as the line printer daemon is commonly enabled to provide
printing functionality. In order to exploit the buffer overflow, the
intruder must launch his attack from a system that is listed in the
"/etc/hosts.equiv" or "/etc/hosts.lpd" file of the target system.
VU#388183 - IBM AIX line printer daemon buffer overflow in
kill_print()
A buffer overflow exists in the kill_print() function of the line
printer daemon (lpd) on AIX systems. An intruder could exploit this
vulnerability to obtain root privileges or cause a denial of service
(DoS). The intruder would need to be listed in the victim's
/etc/hosts.lpd or /etc/hosts.equiv file, however, to exploit this
vulnerability.
VU#722143 - IBM AIX line printer daemon buffer overflow in
send_status()
A buffer overflow exists in the send_status() function of the line
printer daemon (lpd) on AIX systems. An intruder could exploit this
vulnerability to obtain root privileges or cause a denial of service
(DoS). The intruder would need to be listed in the victim's
/etc/hosts.lpd or /etc/hosts.equiv file, however, to exploit this
vulnerability.
VU#466239 - IBM AIX line printer daemon buffer overflow in chk_fhost()
A buffer overflow exists in the chk_fhost() function of the line
printer daemon (lpd) on AIX systems. An intruder could exploit this
vulnerability to obtain root privileges or cause a denial of service
(DoS). The intruder would need control of the DNS server to exploit
this vulnerability.
VU#39001 - line printer daemon allows options to be passed to sendmail
There exists a vulnerability in the line printer daemon that permits
an intruder to send options to sendmail. These options could be used
to specify another configuration file allowing an intruder to gain
root access.
VU#30308 - line printer daemon hostname authentication bypassed with
spoofed DNS
A vulnerability exists in the line printer daemon (lpd) shipped with
the printer package for several systems. The authentication method was
not thorough enough. If a remote user was able to control their own
DNS so that their IP address resolved to the hostname of the print
server, access would be granted when it should not be.
VU#966075 - Hewlett-Packard HP-UX line printer daemon buffer overflow
A buffer overflow exists in HP-UX's line printer daemon (rlpdaemon)
that may allow an intruder to execute arbitrary code with superuser
privilege on the target system. The rlpdaemon is installed by default
and is active even if it is not being used. An intruder does not need
any prior knowledge, or privileges on the target system, in order to
exploit this vulnerability.
II. Impact
All of these vulnerabilities can be exploited remotely. In most cases,
they allow an intruder to execute arbitrary code with the privileges
of the lpd server. In some cases, an intruder must have access to a
machine listed in /etc/hosts.equiv or /etc/hosts.lpd, and in some
cases, an intruder must be able to control a nameserver.
One vulnerability (VU#39001) allows you to specify options to sendmail
that can be used to execute arbitrary commands. Ordinarily, this
vulnerability is only exploitable from machines that are authorized to
use the lpd server. However, in conjunction with another vulnerability
(VU#30308), permitting intruders to gain access to the lpd service,
this vulnerability can be used by intruders not normally authorized to
use the lpd service.
For specific information about the impacts of each of these
vulnerabilities, please consult the CERT Vulnerability Notes Database
(http://www.kb.cert.org/vuls).
III. Solution
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory.
As vendors report new information to the CERT/CC, we will update this
section and note the changes in our revision history. If a particular
vendor is not listed below, we have not received their comments.
Please contact your vendor directly.
This table represents the status of each vendor with regard to each
vulnerability. Please be aware that vendors produce multiple products;
if they are listed in this table, not all products may be affected. If
a vendor is not listed in the table below, then their status should be
considered unknown. For specific information about the status of each
of these vulnerabilities, please consult the CERT Vulnerability Notes
Database (http://www.kb.cert.org/vuls).
+ = Affected
- - = Not Affected
? = Unknown
VU# -> |274043 |388183 |722143 |466239 |39001 |30308 |966075
Vendors ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Apple | - | ? | ? | ? | ? | ? | -
BSDI | + | ? | ? | ? | ? | ? | ?
Caldera | - | - | - | - | - | - | -
Cray | ? | - | - | - | - | ? | -
Debian | ? | ? | ? | ? | + | + | ?
Engarde | - | - | - | - | - | - | -
FreeBSD | + | - | - | - | - | - | -
Fujitsu | - | - | - | - | - | - | -
HP | ? | ? | ? | ? | ? | ? | +
IBM | - | + | + | + | - | + | -
Mandrake| ? | ? | ? | ? | + | ? | ?
NetBSD | + | ? | ? | ? | ? | ? | ?
OpenBSD | + | ? | ? | ? | ? | ? | ?
Red Hat | ? | ? | ? | ? | + | + | ?
SCO | + | ? | ? | ? | ? | ? | ?
SGI | + | ? | ? | ? | ? | ? | ?
SuSE | + | ? | ? | ? | ? | ? | ?
Sun | - | - | - | - | + | - | -
Restrict access to the lpd service
As a general practice, we recommend disabling all services that are
not explicitly required. You may wish to disable the line printer
daemon if there is not a patch available from your vendor.
If you cannot disable the service, you can limit your exposure to
these vulnerabilities by using a router or firewall to restrict access
to port 515/TCP (printer). Note that this does not protect you against
attackers from within your network.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.
Apple Computer, Inc.
Mac OS X does not have the line printer daemon vulnerability issues
described in these advisories.
Berkeley Software Design, Inc. (BSDI)
Some (older) versions are affected. The current (BSD/OS 4.2) release
is not vulnerable. Systems are only vulnerable to attack from hosts
which are allowed via the /etc/hosts.lpd file (which is empty as
shipped).
BSD/OS 4.1 is the only vulnerable version which is still officially
supported by Wind River Systems. A patch (M410-044) is available in
the normal locations, ftp://ftp.bsdi.com/bsdi/patches or via our web
site at http://www.bsdi.com/support
Compaq
Compaq has not been able to reproduce the problems identified in this
advisory for TRU64 UNIX. We will continue testing and address the LPD
issues if a problem is discovered and provide patches as necessary.
Cray
Cray, Inc. has been unable to prove an lpd vulnerability. However, it
was deemed that a buffer overflow may be possible and so did tighten
up the code. See Cray SPR 721101 for more details.
Debian
http://www.debian.org/security/2000/20000109
FreeBSD, Inc.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01%3A58.lpd.asc
Hewlett-Packard Company
Hewlett-Packard has released
HPSBUX0108-163 Sec. Vulnerability in rlpdaemon
Bulletin and patches available from http://itrc.hp.com
Details to access http://itrc.hp.com are include at the last half of
any HP Bulletin.
IBM Corporation
http://www-1.ibm.com/services/continuity/recover1.nsf/4699c03b46f2d4f68525678c006d45ae/85256a3400529a8685256ac7005cf00a/$FILE/oar391.txt
Mandrake Software
http://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-054.php3
NetBSD
If lpd has been enabled, this issue affects NetBSD versions 1.5.2 and
prior releases, and NetBSD-current prior to August 30, 2001. lpd is
disabled by default in NetBSD installations.
Detailed information will be released subsequent to the publication of
this CERT advisory.
An up-to-date PGP signed copy of the release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-018.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG and http://www.NetBSD.ORG/Security/.
OpenBSD
http://www.openbsd.org/errata29.html#lpd
RedHat Inc.
http://www.redhat.com/support/errata/RHSA2000002-01.6.0.html
Santa Cruz Operation, Inc. (SCO)
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.20/
SGI
ftp://patches.sgi.com/support/free/security/advisories/20011003-01-P
SuSE
http://lists2.suse.com/archive/suse-security-announce/2001-Oct/0000.html
_________________________________________________________________
The CERT Coordination Center thanks Internet Security Systems and IBM
for the information provided in their advisories.
_________________________________________________________________
Feedback on this document can be directed to the author,
Jason A. Rafail
_________________________________________________________________
References
* http://www.kb.cert.org/vuls/id/274043
* http://www.kb.cert.org/vuls/id/388183
* http://www.kb.cert.org/vuls/id/722143
* http://www.kb.cert.org/vuls/id/466239
* http://www.kb.cert.org/vuls/id/39001
* http://www.kb.cert.org/vuls/id/30308
* http://www.kb.cert.org/vuls/id/966075
* http://www.kb.cert.org/vuls
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2001-30.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
Revision History
November 05, 2001: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBO+boKKCVPMXQI2HJAQFLWgP/R8K+kw9GrKp0rF5hdrsiowPOBaO716OM
M4dRX+5Ek+svlY9/P948FfU4CyKG1c4M9FzSMgoKTUmvsnB+NVFgln/d0+jMfAy0
IyzHxyp5bSbF6pbfEyyr7gy8S3xaaVyDbAmhuLAW0Kiwy1xMmOFjZLu0W+A99rf7
XMm+KQhJe6o=
=pB53
-----END PGP SIGNATURE-----
Category:
Author: JT Smith
However, almost every week since it announced its Strategic Technology Protection Program, a new security flaw has cropped up.” From ZDNet News.
Category: