05-Jan-2003, 03:26 PM
#1
Hiya

CUPS is a well known and widely used printing system for unix-like systems. iDEFENSE reported several security issues with CUPS that can lead to local and remote root compromise. The following list includes all vulnerabilities:
- integer overflow in HTTP interface to gain remote access with CUPS privileges
- local file race condition to gain root (bug mentioned above has to be exploited first)
- remotely add printers
- remote denial-of-service attack due to negative length in memcpy() call
- integer overflow in image handling code to gain higher privileges
- gain local root due to buffer overflow of 'options' buffer
- design problem to gain local root (needs added printer, see above)
- wrong handling of zero width images can be abused to gain higher privileges
- file descriptor leak and denial-of-service due to missing checks of return values of file/socket operations
Since SuSE 8.1 CUPS is the default printing system. As a temporary workaround CUPS can be disabled and an alternative printing system like LPRng can be installed instead. New CUPS packages are available on our FTP servers. Please install them to fix your system.
http://www.linuxsecurity.com/advisor...sory-2709.html

"The pdftops filter in the Xpdf and CUPS packages contains an integer overflow that can be exploited to gain the privileges of the target user or in some cases the increased privileges of the 'lp' user if installed setuid. There are multiple ways of exploiting this vulnerability."
http://www.linuxsecurity.com/advisor...sory-2710.html

"This vulnerability can make leafnode's nntpd server, named leafnode, go into an unterminated loop when a particular article is requested. The connection becomes irresponsive, and the server hogs the CPU. The client will have to terminate the connection and connect again, and may fall prey to the same problem; ultimately, there may be so many leafnode processes hogging the CPU that no serious work is possible any more and the super user has to kill all running leafnode processes."
http://www.linuxsecurity.com/advisor...sory-2711.html

A cross site scripting vulnerability has been discovered in squirrelmail, a feature-rich webmail package written in PHP4. Squirrelmail doesn't sanitize user provided variables in all places, leaving it vulnerable to a cross site scripting attack. For the current stable distribution (woody) this problem has been fixed in version 1.2.6-1.3. The old stable distribution (potato) is not affected since it doesn't contain a squirrelmail package. An updated package for the current unstable distribution (sid) is expected soon. We recommend that you upgrade your squirrelmail package.
http://www.linuxsecurity.com/advisor...sory-2712.html

Stefan Esser from e-matters reported various bugs in MySQL. Within the MySQL server the password checking and a signedness issue have been fixed. These could lead to a remote compromise of the system running an unpatched MySQL server. In order to exploit this bug, the remote attacker needs a valid MySQL account. Further, a buffer overflow in the mysqlclient library has been reported and fixed. Applications using this library (as commonly used from within PHP scripts) are vulnerable to this attack and could also be compromised by remote attackers. Since there is no workaround possible except shutting down the MySQL server, we strongly recommend an update. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. To be sure the update takes effect you have to restart the MySQL server by executing the following command as root:
/etc/rc.d/mysql restart
If you run applications which utilize the mysqlclient library (i.e. software that accesses a MySQL database server) make sure you restart them again to force the use of the patched libraries. We thank MySQL Product and Release Engineer Lenz Grimmer as well as e-matters' Stefan Esser, who discovered the bugs, for their commitment to security matters and the communication of them.
http://www.linuxsecurity.com/advisor...sory-2713.html

Earl Hood, author of mhonarc, a mail to HTML converter, discovered a cross site scripting vulnerability in this package. A specially crafted HTML mail message can introduce foreign scripting content in archives, bypassing MHonArc's HTML script filtering. For the current stable distribution (woody) this problem has been fixed in version 2.5.2-1.3. For the old stable distribution (potato) this problem has been fixed in version 2.4.4-1.3. For the unstable distribution (sid) this problem has been fixed in version 2.5.14-1. We recommend that you upgrade your mhonarc package.
http://www.linuxsecurity.com/advisor...sory-2714.html

A vulnerability in Pine version 4.44 and earlier releases can cause Pine to crash when sent a carefully crafted email.
2. Relevant releases/architectures:
Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
3. Problem description:
Pine, developed at the University of Washington, is a tool for reading, sending, and managing electronic messages (including mail and news). A security problem was found in versions of Pine 4.44 and earlier. In these versions, Pine does not allocate enough memory for the parsing and escaping of the "From" header, allowing a carefully crafted email to cause a buffer overflow on the heap. This will result in Pine crashing. All users of Pine on Red Hat Linux are advised to update to these errata packages containing a patch to version 4.44 of Pine that fixes this vulnerability.
http://www.linuxsecurity.com/advisor...sory-2715.html

Regards
eddie
__________________
Just go with the flow, like a twig on the shoulders of a mighty stream. Weekends I may be busy, so there may be a delay in replies.
11-Jan-2003, 04:59 PM
#2
A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases, which allows a specially crafted URL to be used to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by a security constraint, without the need for being properly authenticated. This is based on a variant of the exploit that was identified as CAN-2002-1148. For the current stable distribution (woody) this problem has been fixed in version 4.0.3-3woody2. The old stable distribution (potato) does not contain tomcat packages. For the unstable distribution (sid) this problem does not exist in the current version 4.1.16-1. We recommend that you upgrade your tomcat packages.
http://www.linuxsecurity.com/advisor...sory-2740.html

Ethereal is a package designed for monitoring network traffic on your system. Several security issues have been found in the Ethereal packages distributed with Red Hat Linux versions 7.2, 7.3, and 8.0. Multiple integer signedness errors in the BGP dissector in Ethereal 0.9.7 and earlier allow remote attackers to cause a denial of service (infinite loop) via malformed messages. This problem was discovered by Silvio Cesare. CAN-2002-1355. Ethereal 0.9.7 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed packets to the LMP, PPP, or TDS dissectors. CAN-2002-1356. Users of Ethereal should update to the erratum packages containing Ethereal version 0.9.8 which is not vulnerable to these issues.
http://www.linuxsecurity.com/advisor...sory-2741.html

Heap-based buffer overflow in fetchmail does not account for the "@" character when determining buffer lengths for local addresses, which allows remote attackers to execute arbitrary code via a header with a large number of local addresses.
http://www.linuxsecurity.com/advisor...sory-2742.html

The pdftops filter found in both the xpdf and CUPS packages suffers from an integer overflow that can be exploited to gain the privilege of the victim user.
http://www.linuxsecurity.com/advisor...sory-2743.html

iDefense reported several security problems in CUPS that can lead to local and remote root compromise. An integer overflow in the HTTP interface can be used to gain remote access with CUPS privilege. A local file race condition can be used to gain root privilege, although the previous bug must be exploited first. An attacker can remotely add printers to the vulnerable system. A remote DoS can be accomplished due to negative length in the memcpy() call. An integer overflow in image handling code can be used to gain higher privilege. An attacker can gain local root privilege due to a buffer overflow of the 'options' buffer. A design problem can be exploited to gain local root access, however this needs an added printer (which can also be done, as per a previously noted bug). Wrong handling of zero-width images can be abused to gain higher privilege. Finally, there is a file descriptor leak and DoS due to missing checks of return values of file/socket operations. MandrakeSoft recommends all users upgrade these CUPS packages immediately.
http://www.linuxsecurity.com/advisor...sory-2744.html

A vulnerability was discovered by Simon Kelley in the dhcpcd DHCP client daemon. dhcpcd has the ability to execute an external script named dhcpcd-.exe when an IP address is assigned to that network interface. The script sources the file /var/lib/dhcpcd/dhcpcd-.info which contains shell variables and DHCP assignment information. The way quotes are handled inside these assignments is flawed, and a malicious DHCP server can execute arbitrary shell commands on the vulnerable DHCP client system. This can also be exploited by an attacker able to spoof DHCP responses. Mandrake Linux packages contain a sample /etc/dhcpc/dhcpcd.exe file, and all users are encouraged to upgrade immediately. Please note that when you do upgrade, you will have to restart the network for the changes to take proper effect by issuing "service network restart" as root.
http://www.linuxsecurity.com/advisor...sory-2745.html

iDEFENSE discovered an integer overflow in the pdftops filter from the xpdf and xpdf-i packages that can be exploited to gain the privileges of the target user. This can lead to gaining privileged access to the 'lp' user if the pdftops program is part of the print filter. For the current stable distribution (woody) xpdf-i is only a dummy package and the problem was fixed in xpdf already. For the old stable distribution (potato) this problem has been fixed in version 0.90-8.1. For the unstable distribution (sid) this problem has been fixed in version 2.01-2. We recommend that you upgrade your xpdf-i package.
http://www.linuxsecurity.com/advisor...sory-2746.html

Regards
eddie
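The dhcpcd advisory above describes the root cause: a file written from DHCP-supplied data is sourced by a shell, so anything that breaks out of the quoting is executed. The defensive alternative is to parse such a file as data instead of executing it. The following is an added example, not code from the advisory or from dhcpcd; the field names, the quoting convention, and the sample file contents are constructed assumptions, and the two malformed lines stand in for the kind of input a hostile DHCP server could supply.

```python
import re

# Constructed sample in the shape of a dhcpcd-<iface>.info file as the advisory
# describes it (shell variable assignments). Field names and quoting are
# assumptions. The DOMAIN and GATEWAY lines are deliberately malformed: a shell
# sourcing this file would run the trailing text, a parser simply rejects it.
SAMPLE_INFO = """IPADDR=192.168.10.23
NETMASK=255.255.255.0
DOMAIN='example.test'; echo this-is-not-an-assignment
HOSTNAME=client-01
DNS=192.168.10.1,192.168.10.2
GATEWAY=192.168.10.1$(hostname)
"""

# Keys follow shell identifier rules. Values are either a bare token made only
# of characters that carry no meaning to a shell, or a single-quoted string
# with no embedded quote. Anything else is rejected and never interpreted.
_KEY = r"[A-Z_][A-Z0-9_]*"
_BARE = r"[A-Za-z0-9.,:/_-]*"
_QUOTED = r"'[^']*'"
_LINE_RE = re.compile(rf"^({_KEY})=({_BARE}|{_QUOTED})$")


def parse_info(text):
    """Return (accepted, rejected): a dict of validated KEY -> value pairs and
    the list of lines that were not a plain, well-formed assignment."""
    accepted = {}
    rejected = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            rejected.append(line)
            continue
        key, value = m.group(1), m.group(2)
        if value.startswith("'"):
            value = value[1:-1]  # strip the single quotes, nothing is evaluated
        accepted[key] = value
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = parse_info(SAMPLE_INFO)
    for k, v in ok.items():
        print(f"accepted {k}={v!r}")
    for line in bad:
        print(f"rejected {line!r}")
```

The hook script would then consume the accepted dictionary (for example, exported to the environment one variable at a time) rather than sourcing the file, so a value can never change the control flow of the script that reads it.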
18-Jan-2003, 02:27 PM
#3
VIM (Vi IMproved) is a version of the vi editor. VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed. Users of VIM are advised to upgrade to these errata packages which have been patched to disable the usage of dangerous functions in modelines.
http://www.linuxsecurity.com/advisor...sory-2767.html

A review was completed by the SuSE Security Team on the OpenLDAP server software, and this audit revealed several buffer overflows and other bugs that remote attackers could exploit to gain unauthorized access to the system running the vulnerable OpenLDAP servers. Additionally, various locally exploitable bugs in the OpenLDAP v2 libraries have been fixed as well.
http://www.linuxsecurity.com/advisor...sory-2768.html

Two vulnerabilities have been discovered in Bugzilla, a web-based bug tracking system, by its authors. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities:
* CAN-2003-0012 (BugTraq ID 6502): The provided data collection script intended to be run as a nightly cron job changes the permissions of the data/mining directory to be world-writable every time it runs. This would enable local users to alter or delete the collected data.
* CAN-2003-0013 (BugTraq ID 6501): The default .htaccess scripts provided by checksetup.pl do not block access to backups of the localconfig file that might be created by editors such as vi or emacs (typically these will have a .swp or ~ suffix). This allows an end user to download one of the backup copies and potentially obtain your database password. This does not affect the Debian installation because there is no .htaccess, as all data files aren't under the CGI path as they are in the standard Bugzilla package. Additionally, the configuration is in /etc/bugzilla/localconfig and hence outside of the web directory.
http://www.linuxsecurity.com/advisor...sory-2769.html

Stefano Zacchiroli found a buffer overrun in the url_filename function, which would make wget segfault on very long urls. Steven M. Christey discovered that wget did not verify the FTP server response to a NLST command: it must not contain any directory information, since that can be used to make a FTP client overwrite arbitrary files.
http://www.linuxsecurity.com/advisor...sory-2770.html

"fnord 1.6 contained a buffer overrun in the CGI code. However, since the function does not return, this does not appear to be exploitable."
http://www.linuxsecurity.com/advisor...sory-2771.html

"The Internet Software Consortium (ISC) has discovered several buffer overflow vulnerabilities in their implementation of DHCP (ISC DHCPD). These vulnerabilities may allow remote attackers to execute arbitrary code on affected systems. At this time, we are not aware of any exploits."
http://www.linuxsecurity.com/advisor...sory-2772.html

The Internet Software Consortium discovered several vulnerabilities during an audit of the ISC DHCP Daemon. The vulnerabilities exist in error handling routines within the minires library and may be exploitable as stack overflows. This could allow a remote attacker to execute arbitrary code under the user id the dhcpd runs under, usually root. Other DHCP servers than dhcp3 don't seem to be affected. For the stable distribution (woody) this problem has been fixed in version 3.0+3.0.1rc9-2.1. The old stable distribution (potato) does not contain dhcp3 packages. For the unstable distribution (sid) this problem has been fixed in version 3.0+3.0.1rc11-1. We recommend that you upgrade your dhcp3-server package.
http://www.linuxsecurity.com/advisor...sory-2773.html

Regards
eddie
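The wget item in the post above states the check an FTP client must make: the names returned by NLST must carry no directory information before they are used as local file names. This added example, which is not code from wget or from the advisory, shows such a check over a constructed NLST response, plus a second guard that confirms the final path really is inside the download directory even if the name filter were ever bypassed. The directory name and the listing are constructed sample data.

```python
import os.path

# Constructed NLST response, one entry per line as a server would send it.
# Only three entries are plain file names; the rest carry directory
# information, are empty, or contain characters no file name should have.
SAMPLE_NLST = [
    "index.html",
    "archive-2003.tar.gz",
    "../.bashrc",          # parent traversal
    "/etc/passwd",         # absolute path
    "docs/readme.txt",     # subdirectory component
    ".",
    "..",
    "",
    "notes\\..\\x",        # backslash separator, meaningful on some clients
    "ok-name.txt",
]


def is_plain_filename(name):
    """True only if `name` is a single path component the client may create
    inside its download directory: non-empty, not '.' or '..', and free of
    path separators and control characters."""
    if name in ("", ".", ".."):
        return False
    if "/" in name or "\\" in name:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False
    return True


def filter_nlst(lines):
    """Split an NLST response into (accepted, rejected) entries."""
    accepted, rejected = [], []
    for name in lines:
        (accepted if is_plain_filename(name) else rejected).append(name)
    return accepted, rejected


def safe_target(download_dir, name):
    """Join a validated name to the download directory and verify, after
    resolving symlinks, that the result's parent is exactly that directory.
    Raises ValueError instead of returning a path outside it."""
    if not is_plain_filename(name):
        raise ValueError(f"refusing NLST entry {name!r}")
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:
        raise ValueError(f"{name!r} resolves outside {base!r}")
    return target


def rejects(download_dir, name):
    """Helper for callers that want a boolean rather than an exception."""
    try:
        safe_target(download_dir, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ok, bad = filter_nlst(SAMPLE_NLST)
    print("accepted:", ok)
    print("rejected:", bad)
    print(safe_target("/var/tmp/dl", "index.html"))
```

The second guard matters because the listing filter only sees the name as text; realpath() also catches the case where an already-present symlink inside the download directory points elsewhere.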
26-Jan-2003, 10:57 AM
#4
The package "dhcp" provides a Dynamic Host Configuration Protocol[1] server developed by ISC (ISC DHCPD). During an internal source code audit, the ISC developers found several stack-based buffer overflow vulnerabilities[2,3] in the error handling routines of the minires library. This library is used by the NSUPDATE feature, which is present in dhcp versions newer than 3.0 and allows the DHCP server to dynamically update DNS server records. A remote attacker which can send messages directly to the DHCP server can exploit these vulnerabilities to execute arbitrary code in the server context with the privileges of the root user. The packages provided with this announcement fix these vulnerabilities with a patch from ISC. Please note that Conectiva Linux versions prior to 8 do not ship dhcp 3.0 and therefore are not vulnerable to this problem.
http://www.linuxsecurity.com/advisor...sory-2805.html

libpng is a library used to create and manipulate PNG (Portable Network Graphics) image files. Glenn Randers-Pehrson discovered a buffer overflow vulnerability in unpatched libpng versions prior to 1.0.15 and 1.2.5(*) (inclusive). Programs such as web browsers and various other common applications make use of libpng. An attacker could exploit this vulnerability to remotely run arbitrary code or crash such applications by using a specially crafted png image. This update provides patched versions of libpng with fixes for this vulnerability.
* The libpng-1.2.X series is available only in Conectiva Linux 8 in the libpng3 package.
http://www.linuxsecurity.com/advisor...sory-2806.html

The KDE team discovered several vulnerabilities in the K Desktop Environment. In some instances KDE fails to properly quote parameters of instructions passed to a command shell for execution. These parameters may incorporate data such as URLs, filenames and e-mail addresses, and this data may be provided remotely to a victim in an e-mail, a webpage or files on a network filesystem or other untrusted source. By carefully crafting such data an attacker might be able to execute arbitrary commands on a vulnerable system using the victim's account and privileges. The KDE Project is not aware of any existing exploits of these vulnerabilities. The patches also provide better safeguards and check data from untrusted sources more strictly in multiple places. For the current stable distribution (woody), these problems have been fixed in version 2.2.2-2.2. The old stable distribution (potato) does not contain KDE packages. For the unstable distribution (sid), these problems will most probably not be fixed but new packages for KDE 3.1 for sid are expected for this year. We recommend that you upgrade your KDE packages.
http://www.linuxsecurity.com/advisor...sory-2807.html

According to research done by Steve Christey [0], directory traversal vulnerabilities exist in many FTP clients including wget [1]. Resolution of this issue was handled primarily through Mark Cox of Red Hat whose patches were incorporated into the wget 1.8.2 HEAD development branch of the vendor. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2002-1344 [2] to the problem. Please check whether you are affected by running "/bin/rpm -q wget". If you have the "wget" package installed and its version is affected (see above), we recommend that you immediately upgrade it.
http://www.linuxsecurity.com/advisor...sory-2808.html

The KDE team discovered several vulnerabilities in the K Desktop Environment. In some instances KDE fails to properly quote parameters of instructions passed to a command shell for execution. These parameters may incorporate data such as URLs, filenames and e-mail addresses, and this data may be provided remotely to a victim in an e-mail, a webpage or files on a network filesystem or other untrusted source. By carefully crafting such data an attacker might be able to execute arbitrary commands on a vulnerable system using the victim's account and privileges. The KDE Project is not aware of any existing exploits of these vulnerabilities. The patches also provide better safeguards and check data from untrusted sources more strictly in multiple places. For the current stable distribution (woody), these problems have been fixed in version 2.2.2-9.2. The old stable distribution (potato) does not contain KDE packages. For the unstable distribution (sid), these problems will most probably not be fixed but new packages for KDE 3.1 for sid are expected for this year. We recommend that you upgrade your KDE packages.
http://www.linuxsecurity.com/advisor...sory-2809.html

The KDE team discovered several vulnerabilities in the K Desktop Environment. In some instances KDE fails to properly quote parameters of instructions passed to a command shell for execution. These parameters may incorporate data such as URLs, filenames and e-mail addresses, and this data may be provided remotely to a victim in an e-mail, a webpage or files on a network filesystem or other untrusted source. By carefully crafting such data an attacker might be able to execute arbitrary commands on a vulnerable system using the victim's account and privileges. The KDE Project is not aware of any existing exploits of these vulnerabilities. The patches also provide better safeguards and check data from untrusted sources more strictly in multiple places. For the current stable distribution (woody), these problems have been fixed in version 2.2.2-14.2. The old stable distribution (potato) does not contain KDE packages. For the unstable distribution (sid), these problems will most probably not be fixed but new packages for KDE 3.1 for sid are expected for this year. We recommend that you upgrade your KDE packages.
http://www.linuxsecurity.com/advisor...sory-2810.html

The KDE team discovered several vulnerabilities in the K Desktop Environment. In some instances KDE fails to properly quote parameters of instructions passed to a command shell for execution. These parameters may incorporate data such as URLs, filenames and e-mail addresses, and this data may be provided remotely to a victim in an e-mail, a webpage or files on a network filesystem or other untrusted source. By carefully crafting such data an attacker might be able to execute arbitrary commands on a vulnerable system using the victim's account and privileges. The KDE Project is not aware of any existing exploits of these vulnerabilities. The patches also provide better safeguards and check data from untrusted sources more strictly in multiple places. For the current stable distribution (woody), these problems have been fixed in version 2.2.2-8.2. Please note that we are unable to provide updated packages for both MIPS architectures since the compilation of kdemultimedia triggers an internal compiler error on these machines. The old stable distribution (potato) does not contain KDE packages. For the unstable distribution (sid), these problems will most probably not be fixed but new packages for KDE 3.1 for sid are expected for this year. We recommend that you upgrade your KDE packages.
http://www.linuxsecurity.com/advisor...sory-2811.html

Regards
eddie
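The four KDE advisories in the post above all turn on one mistake: a URL, filename or e-mail address from an untrusted source is placed into a command line for a shell without being quoted. This added example (not code from KDE or from the advisories) contrasts the naive concatenation with a hardened version that quotes every argument, and then shows what a POSIX shell's word-splitting does to each. The program path and the untrusted values are constructed placeholders; nothing here is executed, the command lines are only tokenised.

```python
import shlex

# Placeholder program, standing in for whatever helper a desktop application
# hands a URL or filename to. It is a constructed name, not a real KDE tool.
PROGRAM = "/usr/bin/example-viewer"

# Constructed untrusted values of the kinds the advisory lists. The first is
# harmless; the others contain shell metacharacters.
UNTRUSTED = [
    "http://example.test/page.html",
    "report 2003.txt; echo injected",
    "$(id) draft.odt",
    "a&b.txt",
]


def naive_command(program, arg):
    """The pattern the advisory describes: untrusted text glued straight onto
    a command line that a shell will interpret."""
    return program + " " + arg


def quoted_command(program, arg):
    """Hardened form: every argument passes through shlex.quote, so the shell
    sees exactly one word per argument whatever the argument contains."""
    return " ".join(shlex.quote(p) for p in (program, arg))


def argv_after_shell_splitting(command):
    """Approximate how a POSIX shell splits `command` into words. With
    punctuation_chars=True the operators ; & | ( ) < > come out as their own
    tokens, which is how an injected command separator becomes visible."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def check_quoting(program, values):
    """For each value, report (naive_ok, quoted_ok): whether the command line
    survives word-splitting as exactly [program, value]."""
    report = {}
    for v in values:
        expected = [program, v]
        naive_ok = argv_after_shell_splitting(naive_command(program, v)) == expected
        quoted_ok = argv_after_shell_splitting(quoted_command(program, v)) == expected
        report[v] = (naive_ok, quoted_ok)
    return report


if __name__ == "__main__":
    for value, (naive_ok, quoted_ok) in check_quoting(PROGRAM, UNTRUSTED).items():
        print(f"{value!r:40} naive intact: {naive_ok!s:5} quoted intact: {quoted_ok}")
        print("   naive splits to :", argv_after_shell_splitting(naive_command(PROGRAM, value)))
```

The better fix, where the program allows it, is to avoid the shell entirely and pass an argument vector (for example via subprocess with a list); quoting is the fallback when a shell string is unavoidable.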
All times are GMT -5. Copyright © 1996 - 2010 TechGuy, Inc. All rights reserved.