[ISN] Linux Advisory Watch - February 9th 2001 (fwd)

Dave Dittrich dittrich at cac.washington.edu
Fri Feb 9 06:43:00 PST 2001


---------- Forwarded message ----------
Date: Fri, 9 Feb 2001 00:17:31 -0500
Subject: [ISN] Linux Advisory Watch - February 9th 2001
From: vuln-newsletter-admins at linuxsecurity.com
To: ISN at SECURITYFOCUS.COM

+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| February 9th, 2000 Volume 2, Number 6a |
+----------------------------------------------------------------+

Editors: Dave Wreski (dave at linuxsecurity.com)
         Benjamin Thomas (ben at linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for glibc, proftp, bind,
ja-xklock, ja-elvis, ja-helvis, dc20ctrl, mars_nwe, XEmacs, SSH1,
slocate, and the 2.2/2.4 kernel. The vendors include Caldera,
Conectiva, FreeBSD, Immunix, Red Hat, and TurboLinux.

Caldera's kernel advisory cannot be ignored. They report that an
attacker can read large parts of the kernel's memory by passing a
negative offset to sysctl(). A race condition also exists that may
allow an attacker to modify running processes. Also this week,
FreeBSD released many advisories for issues that may lead to root
compromises. We advise that you update immediately.

Real World Linux Security: Bob Toxen's Perspective:
In this interview, Bob introduces his new book, discusses the "seven
deadly sins" of Linux security, and outlines the benefits of the open
source software model. He also points out the pitfalls that many system
administrators fall into and how to avoid them.

http://www.linuxsecurity.com/feature_stories/feature_story-76.html



# OpenDoc Publishing #

Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and
securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL,
ApacheSSL, OpenSSH and much more! Includes Red
Hat 6.2 and Red Hat 6.2 PowerTools edition.

http://www.linuxsecurity.com/sponsors/opendocs.html


HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html



+---------------------------------+
| Installing a new package: | ------------------------------//
+---------------------------------+

# rpm -Uvh
# dpkg -i

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.

+---------------------------------+
| Checking Package Integrity: | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.

# md5sum
ebf0d4a0d236453f63a797ea20f0758b

The string of hexadecimal digits can then be compared against the
MD5 checksum published by the packager. While this does not account
for the possibility that whoever modified a package also modified
the published checksum, it is especially useful for establishing a
great deal of assurance in the integrity of a package before
installing it.
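The comparison described above, scripted as an added example (not part of the original newsletter): verify_md5 computes a file's fingerprint with md5sum (or BSD md5 on FreeBSD) and compares it with the published checksum, and verify_list checks a whole "<path> <md5>" list such as the package entries below. The file names, list format and sample contents are constructed for the demo.

```shell
#!/bin/sh
# verify_md5 FILE EXPECTED_HEX
# Compute FILE's 128-bit MD5 fingerprint and compare it with the checksum
# published beside the package URL. Returns 0 on match, 1 on mismatch,
# 2 if the file is missing or no MD5 tool is installed.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex too
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | cut -d' ' -f1)     # GNU coreutils (Linux)
    elif command -v md5 >/dev/null 2>&1; then
        actual=$(md5 -q "$file")                     # BSD md5 (FreeBSD)
    else
        echo "no MD5 tool found" >&2; return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"; return 0
    fi
    echo "FAIL $file: got $actual, expected $expected" >&2
    return 1
}

# verify_list < LISTFILE
# Check every "<path> <md5>" pair read from stdin, the shape each package
# entry in the newsletter takes; prints one line per file and returns 1
# if any entry fails (a missing file counts as a failure as well).
verify_list() {
    rc=0
    while read -r path sum; do
        [ -n "$path" ] || continue
        verify_md5 "$path" "$sum" || rc=1
    done
    return $rc
}

# Constructed demo (not real packages): a good copy and a copy altered by one byte.
DEMO=$(mktemp -d)
printf 'hello' > "$DEMO/good.rpm"        # md5 5d41402abc4b2a76b9719d911017c592
printf 'hellp' > "$DEMO/tampered.rpm"
printf '%s 5d41402abc4b2a76b9719d911017c592\n%s 5d41402abc4b2a76b9719d911017c592\n' \
    "$DEMO/good.rpm" "$DEMO/tampered.rpm" > "$DEMO/MD5SUMS"

verify_list < "$DEMO/MD5SUMS" || echo "at least one package failed verification" >&2
```

Take the expected checksum from the vendor advisory page rather than from the same directory as the package, so that a modified package and a modified checksum are not obtained from one place.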




+---------------------------------+
| Conectiva | ----------------------------//
+---------------------------------+


* Conectiva: 'proftp' DoS
February 8th, 2001

1) A memory leak will happen every time a SIZE command is given,
provided that the scoreboard file is not writable. The default
installation is *not* vulnerable to this problem; 2) A similar
problem existed with the USER command. Every USER command would cause
the server to use more memory.

ftp://atualizacoes.conectiva.com.br/6.0/RPMS/proftpd-1.2.0rc3-1cl.i386.rpm

ftp://atualizacoes.conectiva.com.br/6.0/RPMS/proftpd-doc-1.2.0rc3-1cl.i386.rpm

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1143.html




* Conectiva: 'glibc' local vulnerability
February 5th, 2001

Local vulnerabilities were found in the glibc package shipped with
Conectiva Linux that would allow an attacker to overwrite any file on
the system. Many environment variables were honored when running a
SUID program, and it was shown that even "trusted" libraries could be
used to overwrite files on the system.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1130.html



+---------------------------------+
| Caldera | ----------------------------//
+---------------------------------+

* Caldera: two kernel security problems
February 8th, 2001

There are two security problems in 2.2 and 2.4 kernels. By passing a
negative offset to sysctl(), an attacker can read large parts of
Linux kernel memory. In addition, a race condition has been
discovered that allows an attacker to attach via ptrace to a setuid
process, allowing him to modify the running process.

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

RPMS/linux-source-i386-2.2.10-11.i386.rpm
0d779697b36fbad15c66fa5fb050982c

Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-1141.html



+---------------------------------+
| FreeBSD | ----------------------------//
+---------------------------------+



* FreeBSD: 'ja-elvis' and 'ko-helvis' ports vulnerability
February 7th, 2001

Unprivileged local users may gain root privileges on the local
system. If you have not chosen to install the ja-elvis or ko-helvis
ports/packages, then your system is not vulnerable to this problem.

PLEASE SEE VENDOR ADVISORY FOR UPDATED PACKAGES

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1138.html



* FreeBSD: 'dc20ctrl' ports vulnerability
February 7th, 2001

Unprivileged local users may gain increased privileges on the local
system including potentially unauthorized access to the serial port
devices. If you have not chosen to install the dc20ctrl port/package,
then your system is not vulnerable to this problem.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/graphics/dc20ctrl-0.4_1.tgz

Vendor Advisory:
http://www.linuxsecurity.com/advisories/index.html



* FreeBSD: 'mars_nwe' ports vulnerability
February 7th, 2001

Malicious remote users may cause arbitrary code to be executed on the
local system, potentially gaining root access. If you have not chosen
to install the mars_nwe port/package, then your system is not
vulnerable to this problem.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/mars_nwe-0.99.b19_1.tgz

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1140.html



* FreeBSD: 'bind' vulnerabilities [UPDATED]
February 7th, 2001

Malicious remote users can cause the named daemon to crash, if it is
configured to allow zone transfers and recursive queries.

i386:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/bind-8.2.2p7.tgz

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/bind-8.2.2p7.tgz

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/bind-8.2.2p7.tgz

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1134.html



* FreeBSD: 'ja-xklock' ports vulnerability
February 7th, 2001

Malicious remote users can cause the named daemon to crash, if it is
configured to allow zone transfers and recursive queries.

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1136.html



+---------------------------------+
| Immunix | ----------------------------//
+---------------------------------+

* Immunix: 'glibc' vulnerability [UPDATED]
February 5th, 2001

The glibc packages that WireX released for Immunix 6.2 on January 19,
2001 in advisory IMNX-2000-62-043-01, did not fix the security
problems outlined that they intended to. New glibc packages have been
released which fix the glibc security problem. As an added bonus,
these packages also allow Kylix to run properly on Immunix 6.2.

http://immunix.org/ImmunixOS/6.2/updates/RPMS/glibc-2.1.3-22_StackGuard_3.i386.rpm
ae87b4f205f8f03711fd99c19647624c

http://immunix.org/ImmunixOS/6.2/updates/RPMS/glibc-devel-2.1.3-22_StackGuard_3.i386.rpm
f8de4cf2334af98dd2999227403a493a

http://immunix.org/ImmunixOS/6.2/updates/RPMS/glibc-profile-2.1.3-22_StackGuard_3.i386.rpm
33631d683818f8ca419a18fb40c19194

http://immunix.org/ImmunixOS/6.2/updates/RPMS/scd-2.1.3-22_StackGuard_3.i386.rpm
6ab5d6610b63eaeb15218cb0698cf8f1

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1131.html



+---------------------------------+
| Red Hat | ----------------------------//
+---------------------------------+

* Red Hat 7.0: 'XEmacs' vulnerability
February 6th, 2001

The XEmacs package as shipped with Red Hat Linux 7 has a security
problem with gnuserv and gnuclient.

i386:
ftp://updates.redhat.com/7.0/i386/xemacs-21.1.14-2.7.i386.rpm
916e1d40cdf26266c7ae0b04c6e4ade6

ftp://updates.redhat.com/7.0/i386/xemacs-el-21.1.14-2.7.i386.rpm
3a62c3d7f3867917c6ce1b2d55f4ea03

ftp://updates.redhat.com/7.0/i386/xemacs-info-21.1.14-2.7.i386.rpm
1d75d7880c07e884137665362c1b62f2

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1133.html



* Red Hat 6.2: 'XEmacs' vulnerability
February 6th, 2001

The XEmacs package as shipped with Red Hat PowerTools 6.2 has a
security problem with gnuserv and gnuclient, due to a buffer overflow
and weak security.

i386:
ftp://updates.redhat.com/powertools/6.2/i386/xemacs-21.1.14-2.62.i386.rpm
661aae1be3097c403df3d38eb5f6ae80

ftp://updates.redhat.com/powertools/6.2/i386/xemacs-el-21.1.14-2.62.i386.rpm
03fab61adb2f874f95dfc895e1ede878

ftp://updates.redhat.com/powertools/6.2/i386/xemacs-info-21.1.14-2.62.i386.rpm
bae82e4622a0b4b810eaa690446442b5

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1132.html



+---------------------------------+
| TurboLinux | ----------------------------//
+---------------------------------+



* TurboLinux: 'slocate' vulnerability
February 8th, 2001

Secure Locate maintains an index of the entire filesystem, including
files only visible to root. The slocate binary is setgid "slocate" so
it can read this index. The heap-corruption vulnerability may lead to
disclosure of these files if exploited. When running slocate, users
are able to specify a database of their own as a command-line
parameter. A subtle vulnerability exists in slocate's reading of these
user-supplied databases that may allow a local user to execute
arbitrary code with effective gid slocate.

ftp://ftp.turbolinux.com/pub/updates/6.0/security/slocate-2.3-2.i386.rpm
2218c7eff5c4541202417b78238b3174

Vendor Advisory:
http://www.linuxsecurity.com/advisories/turbolinux_advisory-1142.html




* SSH1 Session Key Vulnerability
February 7th, 2001

A would-be attacker could obtain and store all the encrypted packets
belonging to a specific client-server connection, but that would
provide no real value unless she is able to either:

1) decrypt them without having the session key used for the
encryption, which is equivalent to breaking the crypto algorithm
used; or 2) exploit some design or implementation problem on either
client or server to obtain the session key, and then proceed to
decrypt the stored session using any implementation of the crypto
algorithm used.

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1135.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV at SecurityFocus.com with a message body of
"SIGNOFF ISN".