03-May-2002, 09:05 PM  #1

Hiya

The radius daemon as shipped with the radiusd-cistron package is responsible for the RADIUS authentication service in networks and therefore considered a security critical application. ZARAZA reported security related bugs in various radius server and client software. The list of vulnerable servers includes the cistron radius package. Within the cistron package, a buffer overflow in the digest calculation function and miscalculations of attribute lengths have been fixed which could allow remote attackers to execute arbitrary commands on the system running the radius server. Beside the cistron radius package the following radius packages have been vulnerable to the same attacks and have been fixed: freeradius, radiusclient and livingston-radius. The only workaround for this bug is to disable the radius-server until the new packages have been installed.
http://www.linuxsecurity.com/advisor...sory-2044.html

A race condition in various utilities from the GNU fileutils package may cause a root user to delete the whole filesystem.
http://www.linuxsecurity.com/advisor...sory-2045.html

The sudo program allows local users to execute certain configured commands with root privileges. Sudo contains a heap overflow in its prompt assembling function. The input used to create the password prompt is user controlled and not properly length-checked before being copied to certain heap locations. This allows local attackers to overflow the heap of sudo, thus executing arbitrary commands as root. We would like to thank GlobalInterSec for finding and researching this vulnerability. As a temporary workaround you may remove the setuid bit from sudo by issuing the following command as root: "chmod -s /usr/bin/sudo".
http://www.linuxsecurity.com/advisor...sory-2046.html

Imlib versions prior to 1.9.13 would fall back to loading images via the NetPBM package. NetPBM has various problems itself that make it unsuitable for loading untrusted images. This may allow attackers to construct images that, when loaded by a viewer using Imlib, could cause crashes or potentially the execution of arbitrary code. In addition, this version (1.9.14) also includes some further fixes from the imlib team.
http://www.linuxsecurity.com/advisor...sory-2047.html

DocBook is a document markup language that can be transformed into other formats using a stylesheet. The default stylesheet provided with Red Hat Linux has an insecure option enabled.
http://www.linuxsecurity.com/advisor...sory-2048.html

Updated mod_python packages have been made available for Red Hat Linux 7.2. These updates close a security issue in mod_python which allows the publisher handler to use modules which have only been indirectly imported.
http://www.linuxsecurity.com/advisor...sory-2049.html

The Nautilus file manager (used by default in the GNOME desktop environment) writes metadata files containing information about files and directories that have been visited in the file manager. The metadata file code in Red Hat Linux 7.2 can be tricked into chasing a symlink and overwriting the symlink target. The errata packages repair this problem in two ways. First they create metadata files using mkstemp() and then renaming the files, instead of creating the files in-place with a fixed filename. This patch in the errata packages was backported from the latest upstream version of Nautilus on cvs.gnome.org. Second, Nautilus used to have a preference to store metadata only in the user's home directory, rather than in each directory being browsed. This errata removes the preference and hardcodes its value to always use the home directory. This disables the shared-metadata functionality, so if two users browse the same directory they may see different icons, emblems, and so forth.
http://www.linuxsecurity.com/advisor...sory-2050.html

Regards
eddie

__________________
Just go with the flow, like a twig on the shoulders of a mighty stream
Proud Member of ASAP, Alliance of Security Analysis Professionals
11-May-2002, 11:22 AM  #2

more

Updated mod_python packages have been made available for Red Hat Linux 7.2 and 7.3. These updates close a security issue in mod_python which allows the publisher handler to use modules which have only been indirectly imported.
http://www.linuxsecurity.com/advisor...sory-2056.html

Netfilter ("iptables") can leak information about how port forwarding is done in unfiltered ICMP packets. The older "ipchains" code is not affected. This bug only affects users using the Network Address Translation features of firewalls built with netfilter ("iptables"). Red Hat Linux's firewall configuration tools use "ipchains," and those configurations are not vulnerable to this bug.
http://www.linuxsecurity.com/advisor...sory-2057.html

"dhcp" is a Dynamic Host Configuration Protocol Server and Client. Versions ranging from 3 to 3.0.1rc8 (inclusive) have a format string vulnerability[1] that could be exploited remotely. Considering the usage of the DHCP service, this usually means the local area network in this case. By default, these versions of DHCP are compiled with the dns update feature enabled. This feature allows the DHCP service to update dns records. The code in DHCP that logs this update has a format string vulnerability that could be exploited, since the update message contains data provided by the attacker, such as a hostname. A successful exploitation would give an attacker the same privileges the DHCP daemon has, typically root.
http://www.linuxsecurity.com/advisor...sory-2058.html

On current OpenBSD systems, any local user (being or not in the wheel group) can fill the kernel file descriptors table, leading to a denial of service. Because of a flaw in the way the kernel checks closed file descriptors 0-2 when running a setuid program, it is possible to combine these bugs and earn root access by winning a race condition.
http://www.linuxsecurity.com/advisor...sory-2062.html

The following bug exists in the netfilter NAT implementation: when the first packet of a connection is hitting a NAT rule, and this packet causes the NAT box itself to reply with an ICMP error message, the inner IP packet inside the ICMP error message is not un-NAT'ed correctly. This leads to the ability to discover which ports of a host are NATed and where the packet will really go. This can also lead to those ICMP error packets being dropped by stateful firewalls not recognizing the related connection.
http://www.linuxsecurity.com/advisor...sory-2063.html

ISC DHCPD in its version 3 introduced new dns-update features. ISC DHCPD is vulnerable to a format string bug attack while reporting the result of a dns-update request. Since ISC DHCPD runs with root privileges, attackers can use this bug to gain unauthorized access to the system running ISC DHCPD as root user.
http://www.linuxsecurity.com/advisor...sory-2065.html

Updated perl-Digest-MD5 packages are available which work around a bug in the utf8 interaction between perl-Digest-MD5 and Perl.
http://www.linuxsecurity.com/advisor...sory-2066.html

Regards
eddie

__________________
Just go with the flow, like a twig on the shoulders of a mighty stream
Proud Member of ASAP, Alliance of Security Analysis Professionals
17-May-2002, 05:30 PM  #3

more

One component of the XML Extras package in Mozilla 0.9.9 and earlier allows remote attackers to read arbitrary files and list directories on a client system. This exploit is performed by opening a URL that redirects the browser to the file on the client and reading the results using the responseText property. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0354 to this issue. Users of Mozilla are advised to upgrade to these errata packages which have been patched and are not vulnerable to this issue.
http://www.linuxsecurity.com/advisor...sory-2078.html

The shadow package contains several useful programs to maintain the entries in the /etc/passwd and /etc/shadow files. The SuSE Security Team discovered a vulnerability that allows local attackers to destroy the contents of these files or to extend the group privileges of certain users. This is possible by setting evil filesize limits before invoking one of the programs modifying the system files. Depending on the permissions of the system binaries this allows a local attacker to gain root privileges in the worst case. This however is not possible in a default installation. The bug has been fixed by ensuring the integrity of the data written to temporary files before moving them to the appropriate location of the system. There is no workaround so we recommend an update in any case. It is necessary to update the shadow package as well as the pam-modules package in order to prevent the truncation attacks. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.
http://www.linuxsecurity.com/advisor...sory-2072.html

A buffer overflow exists in OpenSSH if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. A malicious user, possibly remote, could use this vulnerability to gain privileged access to the system.
http://www.linuxsecurity.com/advisor...sory-2074.html

Lukemftp (ftp(1), /usr/bin/ftp, /usr/bin/pftp) is a comfortable ftp client from NetBSD. A buffer overflow could be triggered by a malicious ftp server while the client parses the PASV ftp command. An attacker who controls an ftp server to which a client using lukemftp is connected can gain remote access to the client's machine with the privileges of the user running lukemftp. The lukemftp RPM package is installed by default. You need to update the package, as no temporary workaround is possible. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.
http://www.linuxsecurity.com/advisor...sory-2073.html

Wojciech Purczynski reported a race condition in some utilities in the GNU fileutils package that may cause root to delete the entire filesystem. This only affects version 4.1 stable and 4.1.6 development versions, and the authors have fixed this in the latest development version.
http://www.linuxsecurity.com/advisor...sory-2075.html

Several buffer overflows were found in the tcpdump package by FreeBSD developers during a code audit, in versions prior to 3.5. However, newer versions of tcpdump, including 3.6.2, are also vulnerable to another buffer overflow in the AFS RPC decoding functions, which was discovered by Nick Cleaton. These vulnerabilities could be used by a remote attacker to crash the tcpdump process or possibly even be exploited to execute arbitrary code as the user running tcpdump, which is usually root. The newer libpcap 0.6 has also been audited to make it more safe by implementing better buffer boundary checks in several functions.
http://www.linuxsecurity.com/advisor...sory-2076.html

Updated mpg321 packages are available for Red Hat Linux 7.2, which fix a buffer overflow in the network streaming code as well as other bugs.
http://www.linuxsecurity.com/advisor...sory-2077.html

Regards
eddie

__________________
Just go with the flow, like a twig on the shoulders of a mighty stream
Proud Member of ASAP, Alliance of Security Analysis Professionals
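The Nautilus fix in post #1 (create the metadata file with mkstemp() and rename it into place) and the shadow fix in post #3 (verify what was written to the temporary file before moving it over the real one) are two halves of the same defensive pattern. The following is an added example written for this thread, not code from Nautilus, shadow or any other package mentioned; the function names, the demo directory under $TMPDIR and the sample file contents are assumptions made for the illustration.

```c
/* Added example: "write to a fresh temp file, verify, rename into place".
 * Not Nautilus, shadow or uudecode code; names, the $TMPDIR demo directory
 * and the sample contents are assumptions made for this illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Replace `path` with `len` bytes of `data`, or change nothing at all.
 *  - mkstemp() creates a brand-new file (O_EXCL) next to the target, so a
 *    symlink planted under the output name is never followed or written through;
 *  - every write() is checked and the data is fsync()ed, so a short or failed
 *    write (for instance under a hostile RLIMIT_FSIZE) aborts before anything
 *    is installed and the real file is never left truncated;
 *  - rename() then swaps the complete file in atomically.
 * Returns 0 on success, -1 on failure with errno set and the temp file removed. */
int write_file_atomically(const char *path, const void *data, size_t len)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;

    const unsigned char *p = data;
    size_t left = len;
    while (left > 0) {
        ssize_t n = write(fd, p, left);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            goto fail;                 /* short or failed write: do not install */
        p += n;
        left -= (size_t)n;
    }
    if (fsync(fd) != 0)
        goto fail;
    if (close(fd) != 0) {
        fd = -1;
        goto fail;
    }
    fd = -1;
    if (rename(tmp, path) != 0)
        goto fail;
    return 0;

fail: {
        int saved = errno;
        if (fd >= 0)
            close(fd);
        unlink(tmp);                   /* never leave the partial file behind */
        errno = saved;
        return -1;
    }
}

/* Read back up to bufsz-1 bytes of a regular file; -1 on error or if `path`
 * is a symlink (O_NOFOLLOW), so the check below cannot be fooled either. */
ssize_t slurp(const char *path, char *buf, size_t bufsz)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    close(fd);
    if (n >= 0)
        buf[n] = '\0';
    return n;
}

/* Constructed scenario: a file that must not be clobbered, and a symlink
 * planted at the output name that points at it. Returns 1 if the victim
 * survived and the output name now holds a regular file, 0 otherwise. */
int symlink_demo(void)
{
    const char *base = getenv("TMPDIR");
    char dir[512], victim[600], link[600], buf[64];
    snprintf(dir, sizeof dir, "%s/atomic-demo.XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/output", dir);

    int ok = 0;
    struct stat st;
    if (write_file_atomically(victim, "keep me\n", strlen("keep me\n")) != 0) goto done;
    if (symlink(victim, link) != 0) goto done;
    if (write_file_atomically(link, "new data\n", strlen("new data\n")) != 0) goto done;
    /* rename() replaced the symlink entry itself; its target was never opened. */
    ok = lstat(link, &st) == 0 && S_ISREG(st.st_mode)
      && slurp(victim, buf, sizeof buf) == 8 && strcmp(buf, "keep me\n") == 0;
done:
    unlink(link);
    unlink(victim);
    if (rmdir(dir) != 0)               /* a leftover temp file would make this fail */
        ok = 0;
    return ok;
}

int main(void)
{
    printf("symlink demo: %s\n", symlink_demo() ? "victim untouched" : "FAILED");
    return 0;
}
```

The two checks that matter are the write loop, which refuses to install anything unless every byte landed (a caller-imposed file size limit surfaces here as a failed write rather than a silently truncated /etc/passwd), and the fact that mkstemp() plus rename() never opens the destination name, so a planted symlink is replaced rather than followed.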
24-May-2002, 09:35 PM  #4

more

A vulnerability exists in all versions of Webmin prior to 0.970 that allows a remote attacker to login to Webmin as any user. All users of Webmin are encouraged to upgrade immediately. Users of Mandrake Linux 8.0 and earlier will need to install some additional perl modules for this new version of webmin to work correctly.
http://www.linuxsecurity.com/advisor...sory-2081.html

The "Dynamic Host Configuration Protocol" (DHCP) server from the Internet Software Consortium allows hosts on a TCP/IP network to request and be assigned IP addresses, and also to discover information about the network to which they are attached. A remotely exploitable format string vulnerability was found in the logging routines of the dynamic DNS code of dhcpd. This vulnerability allows an attacker, usually within the LAN served by the DHCP server, to get remote root access to the host running dhcpd. The dhcp/dhcp-server package is not installed by default nor is the dynamic DNS feature enabled by default. As a temporary workaround the dynamic DNS feature could be disabled via dhcpd's config file with the following lines:

ddns-update-style none;
ddns-updates off;

After updating the package or modifying the config file you have to run "rcdhcpd restart" as root to restart all instances of running dhcpd processes.
http://www.linuxsecurity.com/advisor...sory-2082.html

Updated packages are available which close a remotely-exploitable vulnerability in unpatched versions of fetchmail prior to 5.9.10. When retrieving mail from an IMAP server, the fetchmail e-mail client will allocate an array to store the sizes of the messages which it will attempt to fetch. The size of the array is determined by the number of messages that the server claims to have. Unpatched versions of fetchmail prior to 5.9.10 did not check whether the number of e-mails the server claimed was too high, allowing a malicious server to cause the fetchmail process to write data outside of the array bounds. Users of fetchmail are advised to upgrade to this errata package which is not vulnerable to this issue.
http://www.linuxsecurity.com/advisor...sory-2083.html

Imlib versions prior to 1.9.13 would fall back to loading images via the NetPBM package, which has various problems making it unsuitable for loading untrusted images. Imlib 1.9.13 also fixes various problems in arguments passed to malloc(). These problems may allow attackers to construct images that, when loaded by a viewer using Imlib, could cause crashes or potentially the execution of arbitrary code. Users are advised to upgrade to these errata packages, which contain Imlib 1.9.13.
http://www.linuxsecurity.com/advisor...sory-2084.html

The sharutils package contains a set of tools for encoding and decoding packages of files in binary or text format. The uudecode utility would create an output file without checking to see if it was about to write to a symlink or a pipe. If a user uses uudecode to extract data into open shared directories, such as /tmp, this vulnerability could be used by a local attacker to overwrite files or lead to privilege escalation.
http://www.linuxsecurity.com/advisor...sory-2085.html

Updated webmin packages, which ship on the YDL Tasty Morsels CD-ROM, are available. The updates close a security problem which allows a remote attacker to login to webmin as any user.
http://www.linuxsecurity.com/advisor...sory-2086.html

"imap"[4] is a package that contains POP2, POP3 and IMAP servers developed at the University of Washington (UW). Marcell Fodor published[1] a remote buffer overflow vulnerability[2][3] in the IMAP server. This vulnerability can be exploited by a remote attacker after he or she has been successfully authenticated by the server. Arbitrary code could then be executed, but with the privileges of the authenticated user. This vulnerability only affects the IMAP server available in this package. The updated packages have been fixed with the patch made available by the author[5].
http://www.linuxsecurity.com/advisor...sory-2087.html

Regards
eddie

__________________
Just go with the flow, like a twig on the shoulders of a mighty stream
Proud Member of ASAP, Alliance of Security Analysis Professionals
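The fetchmail advisory in the post above describes a client sizing an array from a number the server announces and then indexing it with further server-supplied numbers. The following is an added example illustrating the two checks that close that class of bug; it is not fetchmail code, the response lines are simplified IMAP syntax constructed for the demo, and the cap on the claimed message count is an assumed value.

```c
/* Added example: bounds-checked handling of server-supplied message counts
 * and message numbers. Not fetchmail code; the line formats are simplified
 * IMAP responses and MAX_MESSAGES is an assumed sanity limit. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MESSAGES 100000UL   /* assumed cap on what a server may claim */

typedef struct {
    unsigned long *sizes;       /* one entry per message the server says it has */
    size_t count;
} mailbox_t;

/* "* <n> EXISTS": size the array from the server's claim, but refuse absurd
 * values instead of allocating whatever the server asks for. */
int handle_exists(mailbox_t *mb, const char *line)
{
    unsigned long n;
    if (sscanf(line, "* %lu EXISTS", &n) != 1)
        return -1;
    if (n > MAX_MESSAGES)
        return -1;
    unsigned long *p = calloc(n ? n : 1, sizeof *p);
    if (p == NULL)
        return -1;
    free(mb->sizes);
    mb->sizes = p;
    mb->count = (size_t)n;
    return 0;
}

/* "* <n> FETCH (RFC822.SIZE <size>)": the message number is attacker data.
 * Without the range check a server could direct the store past the array. */
int handle_fetch_size(mailbox_t *mb, const char *line)
{
    unsigned long n, size;
    if (sscanf(line, "* %lu FETCH (RFC822.SIZE %lu)", &n, &size) != 2)
        return -1;
    if (n == 0 || n > mb->count)      /* valid message numbers are 1..count */
        return -1;
    mb->sizes[n - 1] = size;
    return 0;
}

/* Feed a sequence of response lines; returns how many were rejected. */
size_t run_session(mailbox_t *mb, const char *const *lines, size_t nlines)
{
    size_t rejected = 0;
    for (size_t i = 0; i < nlines; i++) {
        int rc;
        if (strstr(lines[i], "EXISTS"))
            rc = handle_exists(mb, lines[i]);
        else if (strstr(lines[i], "FETCH"))
            rc = handle_fetch_size(mb, lines[i]);
        else
            continue;                  /* other untagged lines are not modelled */
        if (rc != 0)
            rejected++;
    }
    return rejected;
}

/* Constructed sample session: a sane count, one valid size, then two hostile
 * lines (an index past the end of the array and an absurd recount). */
static const char *const sample[] = {
    "* 3 EXISTS",
    "* 1 FETCH (RFC822.SIZE 1200)",
    "* 7 FETCH (RFC822.SIZE 10)",
    "* 4000000000 EXISTS",
};

/* Runs the sample; returns the number of rejected lines, mailbox left in *mb. */
size_t demo(mailbox_t *mb)
{
    memset(mb, 0, sizeof *mb);
    return run_session(mb, sample, sizeof sample / sizeof sample[0]);
}

/* 1 if the sample produced exactly the expected state: 2 rejections, 3 slots,
 * message 1 recorded as 1200 bytes, nothing written out of bounds. */
int demo_ok(void)
{
    mailbox_t mb;
    size_t rejected = demo(&mb);
    int ok = rejected == 2 && mb.count == 3 && mb.sizes && mb.sizes[0] == 1200;
    free(mb.sizes);
    return ok;
}

int main(void)
{
    printf("sample session handled as expected: %s\n", demo_ok() ? "yes" : "no");
    return 0;
}
```

The two guards are independent: the cap in handle_exists() keeps a hostile count from exhausting memory, and the range test in handle_fetch_size() keeps a hostile message number from turning a store into an out-of-bounds write, which is the failure the advisory describes.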
31-May-2002, 05:52 PM  #5

Several ports in the FreeBSD Ports Collection are affected by security issues. These are listed below with references and affected versions. All versions given refer to the FreeBSD port/package version numbers. The listed vulnerabilities are not specific to FreeBSD unless otherwise noted. These ports are not installed by default, nor are they "part of FreeBSD" as such. The FreeBSD Ports Collection contains thousands of third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications. See http://www.freebsd.org/ports/ for more information about the FreeBSD Ports Collection.
http://www.linuxsecurity.com/advisor...sory-2096.html

The tcpdump program may be used to capture and decode network traffic. Tcpdump decodes certain packets such as AFS requests in a wrong way, resulting in a buffer overflow. Since running tcpdump requires root privileges this may lead to a root compromise of the system running tcpdump. We strongly recommend an update for administrators using tcpdump to monitor their networks since the only safe workaround is to not use it at all. In addition to the fixed tcpdump packages we provide new libpcap packages. Libpcap, on which most network monitoring programs rely, also contained overflows which however are only exploitable by local attackers if you installed programs using libpcap setuid. This is not found in a default install.
http://www.linuxsecurity.com/advisor...sory-2097.html

Mozilla is an open-source web browser designed for standards compliance, performance and portability. GreyMagic Security found[1] a vulnerability[2] in mozilla prior to version 1.0rc1 which allows a hostile site to read and list user files. The vulnerability was related to XMLHTTP, a component that is primarily used for retrieving XML documents from a web server. This update also solves other vulnerabilities:
- IRC Buffer Overflow Vulnerability[3]
- Local File Detection Vulnerability[4]
- JavaScript Interpreter Denial Of Service Vulnerability[5]
- Null Character Cookie Stealing Vulnerability[6]*
* Conectiva Linux 8 is not vulnerable.
The packages included with this update are of Mozilla 1.0rc2, which fixes all the problems listed above. These vulnerabilities also affect the Galeon web browser, since it uses the Mozilla engine. There will be no updated Galeon packages for Conectiva Linux 6.0 and 7.0. Galeon in these versions of the distribution was in its early stages of development and will not work with the new Mozilla packages. A new version of Galeon for these distributions would need many other updated packages and will not be provided.
http://www.linuxsecurity.com/advisor...sory-2098.html

Fermin J. Serna discovered a problem in the dhcp server and client package from versions 3.0 to 3.0.1rc8, which are affected by a format string vulnerability that can be exploited remotely. By default, these versions of DHCP are compiled with the dns update feature enabled, which allows DHCP to update DNS records. The code that logs this update has an exploitable format string vulnerability; the update message can contain data provided by the attacker, such as a hostname. A successful exploitation could give the attacker elevated privileges equivalent to the user running the DHCP daemon, which is the user dhcpd in Mandrake Linux 8.x, but root in earlier versions.
http://www.linuxsecurity.com/advisor...sory-2099.html

Updated tcpdump, libpcap, and arpwatch packages are available for Red Hat Linux 6.2 and 7.x. These updates close a buffer overflow when handling NFS packets.
http://www.linuxsecurity.com/advisor...sory-2100.html

FreeBSD features an accept_filter(9) mechanism which allows an application to request that the kernel pre-process incoming connections. For example, the accf_http(9) accept filter prevents accept(2) from returning until a full HTTP request has been buffered. No accept filters are enabled by default. A system administrator must either compile the FreeBSD kernel with a particular accept filter option (such as ACCEPT_FILTER_HTTP) or load the filter using kldload(8) in order to utilize accept filters.
http://www.linuxsecurity.com/advisor...sory-2102.html

rc is the system startup script (/etc/rc). It is run when FreeBSD is booted multi-user, and performs a multitude of tasks to bring the system up. One of these tasks is to remove lock files left by X Windows, as their existence could prevent one from restarting the X Windows server.
http://www.linuxsecurity.com/advisor...sory-2103.html

Regards
eddie

__________________
Just go with the flow, like a twig on the shoulders of a mighty stream
Proud Member of ASAP, Alliance of Security Analysis Professionals
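Posts #2, #4 and #5 all describe the same dhcpd defect: the routine that logs a dynamic DNS update passes a message built from a client-chosen hostname where a printf-style format is expected. The following added example shows that logging pattern next to its fixed form; it is not ISC DHCP code, and the logger, the function names and the sample hostname are assumptions made for the illustration.

```c
/* Added example: the logging pattern behind a format-string bug of the kind
 * the dhcpd advisories describe, next to its fixed form. Not ISC DHCP code;
 * the logger, the function names and the sample hostname are assumptions. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logger shaped like syslog(3): the first argument is a printf
 * format and the remaining arguments are consumed by its directives. */
void log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* BUGGY pattern: the message, which embeds a hostname chosen by the DHCP
 * client, is handed to the logger as the format string. Any '%' directives
 * in the hostname are then interpreted by vsnprintf instead of being printed.
 * Kept only for contrast with the fixed form; never call it with untrusted data. */
void log_update_buggy(char *out, size_t outlen, const char *hostname)
{
    char msg[256];
    snprintf(msg, sizeof msg, "dns update for %s", hostname);
    log_msg(out, outlen, msg);           /* attacker text used as the format */
}

/* FIXED pattern: a constant format string, with the untrusted value passed
 * only as a %s argument, so directives in the hostname survive as plain text. */
void log_update_safe(char *out, size_t outlen, const char *hostname)
{
    log_msg(out, outlen, "dns update for %s", hostname);
}

/* Convenience wrapper returning the rendered log line (static buffer). */
const char *render_safe(const char *hostname)
{
    static char out[512];
    log_update_safe(out, sizeof out, hostname);
    return out;
}

/* Review aid: 1 if a value carries a '%' and therefore must never reach a
 * format parameter; handy as a trust-boundary assertion during code audits. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    const char *hostname = "host-%x-%x";       /* constructed hostile hostname */
    printf("%s\n", render_safe(hostname));     /* dns update for host-%x-%x */
    return 0;
}
```

Compilers flag the buggy call when asked (gcc's -Wformat-security warns on a non-literal format with no arguments), which is the cheap way to find this pattern across a code base before a client-supplied hostname ever reaches it.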

Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.
