Linux Vulnerabilities: June

eddie5659 (Moderator & Malware Removal Specialist with 25,165 posts)
Join Date: Mar 2001
Location: Bradford, England
08-Jun-2002, 04:57 PM #1
Hiya

"UW imapd is an IMAP daemon from the University of Washington. Version
2000c and previous versions have a bug that allows a malicious user to
construct a malformed request which overflows an internal buffer, enabling
that user to execute commands on the server with the user's UID/GID.

To exploit this problem the user has to have successfully authenticated to
the imapd service. Therefore, this vulnerability mainly affects free email
providers or mail servers where the user has no shell access to the system.
On other systems, in which the user already has shell access, users can
already run commands under their own UIDs/GIDs.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0379 to this issue.

Users of imapd are advised to upgrade to these errata packages containing
version 2001a of imapd. They are not vulnerable to this issue."
(from Red Hat Advisory)

http://www.linuxsecurity.com/advisor...sory-2121.html

"The [nss_ldap] module provides authentication for user access to a system by
consulting a directory using LDAP. Versions of [nss_ldap] prior to version
144 include a format string bug in the logging function. The packages
included in this erratum update [nss_ldap] to version 144, fixing this bug.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0374 to this issue.

Due to differences in the default behavior of the [nss_ldap] module when
performing account management, the version of authconfig included in
[Yellow Dog Linux 2.2] will generate incorrect /etc/pam.d/system-auth files for this
version of [nss_ldap]. This update includes an updated version of
authconfig for [Yellow Dog Linux 2.2] which addresses this problem.

Our thanks go to the pam_ldap team at padl.com for bringing this to our
attention."
(from Red Hat Advisory)

http://www.linuxsecurity.com/advisor...sory-2122.html

"tcpdump is a command-line tool for monitoring network traffic. Versions of
tcpdump up to and including 3.6.2 have a buffer overflow that can be
triggered when tracing the network by a bad NFS packet.

We are not yet aware if this issue is fully exploitable; however, users of
tcpdump are advised to upgrade to these errata packages which contain a
patch for this issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0380 to this issue. This issue was found by
David Woodhouse of Red Hat."
(from Red Hat Advisory)

http://www.linuxsecurity.com/advisor...sory-2123.html

"Ghostscript is a program for displaying PostScript files or printing
them to non-PostScript printers.

An untrusted PostScript file can cause ghostscript to execute arbitrary
commands due to insufficient checking. Since ghostscript is often used
during the course of printing a document (and is run as user 'lp'), all
users should install these fixed packages.

The problem is fixed in the 6.53 source release of GNU Ghostscript, and the
fix has been backported and applied to the packages referenced by this
advisory.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0363 to this issue."
(from Red Hat Advisory)

http://www.linuxsecurity.com/advisor...sory-2124.html

"XChat is a popular cross-platform IRC client.

Versions of XChat prior to 1.8.9 do not filter the response from an IRC
server when a /dns query is executed. Because XChat resolves hostnames by
passing the configured resolver and hostname to a shell, an IRC server may
return a maliciously formatted response that executes arbitrary commands
with the privileges of the user running XChat.

All users of XChat are advised to update to these errata packages
containing XChat version 1.8.9 which is not vulnerable to this issue."
(from Red Hat Advisory)

http://www.linuxsecurity.com/advisor...sory-2125.html

"Ethereal is a package designed for monitoring network traffic on your
system. Several security issues have been found in Ethereal:

Due to improper string and error handling in Ethereal's ASN.1 parser, it is
possible for a malformed SNMP or LDAP packet to cause a memory allocation
or buffer overrun error in Ethereal versions before 0.9.2 (CAN-2002-0013
CAN-2002-0012)

The ASN.1 parser in Ethereal 0.9.2 and earlier allows remote attackers to
cause a denial of service (crash) via a certain malformed packet, which
causes Ethereal to allocate memory incorrectly, possibly due to zero-length
fields. (CAN-2002-0353)

The SMB dissector in Ethereal prior to version 0.9.2 allows remote
attackers to cause a denial of service (crash) or execute arbitrary code
via malformed packets that cause Ethereal to dereference a NULL pointer.
(CAN-2002-0401)

A buffer overflow in X11 dissector in Ethereal before 0.9.3 allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code while Ethereal is parsing keysyms. (CAN-2002-0402)

The DNS dissector in Ethereal before 0.9.3 allows remote attackers to
cause a denial of service (CPU consumption) via a malformed packet
that causes Ethereal to enter an infinite loop. (CAN-2002-0403)

A vulnerability in GIOP dissector in Ethereal before 0.9.3 allows remote
attackers to cause a denial of service (memory consumption). (CAN-2002-0404)

Users of Ethereal should update to the errata packages containing Ethereal
version 0.9.4 which is not vulnerable to these issues."
(from Red Hat Advisory)

http://www.linuxsecurity.com/advisor...sory-2127.html

"BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. Versions of BIND 9 prior to 9.2.1 have a bug
that causes certain requests to the BIND name server (named) to fail an
internal consistency check, causing the name server to stop responding to
requests. This can be used by a remote attacker to cause a denial of
service (DOS) attack against name servers.

[Yellow Dog Linux 2.x] shipped with versions of BIND vulnerable to
this issue. All users of BIND are advised to upgrade to the errata
packages containing BIND 9.2.1 which is not vulnerable to this issue."
(from Red Hat Advisory)

http://www.linuxsecurity.com/advisor...sory-2126.html

Regards

eddie
__________________
Just go with the flow, like a twig on the shoulders of a mighty stream

Proud Member of ASAP, Alliance of Security Analysis Professionals
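The XChat /dns issue above is a classic instance of handing untrusted input to a shell. The following is an added example (not XChat's code) contrasting the unsafe command-building pattern with a resolver that validates the server-supplied name and never touches a shell; the hostnames used are constructed.

```python
"""Hostname lookup without a shell.

Illustrates the XChat /dns problem described in the post: a hostname supplied
by the IRC server was interpolated into a shell command line. This is example
code written for this thread, not XChat's source; the inputs are constructed."""
import re
import socket
from typing import List

# RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Allow-list check: anything a shell could reinterpret fails here."""
    if not name or len(name) > 253:
        return False
    name = name.rstrip(".")
    return all(_LABEL.match(label) for label in name.split("."))


def vulnerable_command(resolver: str, host: str) -> str:
    """The unsafe pattern: the returned string is what a shell would later run,
    so metacharacters in 'host' become part of the command itself."""
    return f"{resolver} {host}"


def resolve_hostname(host: str) -> List[str]:
    """Hardened /dns: validate first, then resolve in-process via getaddrinfo
    (no shell, no external resolver binary). Returns the unique addresses."""
    if not is_valid_hostname(host):
        raise ValueError(f"refusing to resolve suspicious hostname: {host!r}")
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed malicious response: a hostname with a command separator in it.
    bad = "irc.example.org; echo injected"
    print("would run:", vulnerable_command("host", bad))
    print("valid?", is_valid_hostname(bad))          # False
    print("numeric lookup:", resolve_hostname("127.0.0.1"))
```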

eddie5659
14-Jun-2002, 06:42 PM #2
When loading pages with a specially prepared (or erroneous) stylesheet,
mozilla and X windows (not restricted to XFree) exhibit one of two
undesirable behaviours. This seems to depend on the local system
configuration, especially on the presence of xfs, but bug reports so far
are inconclusive.
In one scenario, X simply crashes, taking everything with it. This will result
in the loss of unsaved work.
In scenario two, memory usage of the X server explodes until the machine
reaches the thrashing point, at which point only a hard kill (-9) of the
X server can save it, provided there are enough system resources left to
issue the kill.

Some systems see no crash, but random misbehaviour of X components that often
requires a shutdown of the X server to fix. See the follow-ups in bugzilla
for a full description of these various behaviours.

The bug is triggered by a huge font setting done through CSS. Depending on
the end user's system configuration, this will either trigger an abort in
the XFree86 code ("Beziers this large not supported") or cause an
explosive use of memory. It is unknown how much memory could get consumed,
but follow-ups to the mozilla bug verify that machines with 1 GB of
memory still reach the thrashing point.

http://www.linuxsecurity.com/advisor...sory-2128.html

Two cross-site scripting vulnerabilities have been discovered in versions
of Mailman prior to version 2.0.11.

http://www.linuxsecurity.com/advisor...sory-2129.html

Two cross-site scripting vulnerabilities have been discovered in versions
of Mailman prior to version 2.0.11.

http://www.linuxsecurity.com/advisor...sory-2130.html

With its default configuration, LPRng will accept job submissions from
any host, which is not appropriate in a workstation environment. We
are grateful to Matthew Caron for pointing out this configuration
problem.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0378 to this issue.

The updated packages from this advisory change the job submission
policy (in /etc/lpd.perms) so that jobs from remote hosts are refused
by default.

Those running print servers may want to adjust this policy as
appropriate, for example to give access to certain hosts or subnets.
For details on how to do this see the lpd.perms(5) man page.

Since Red Hat Linux 7.1, default installations include ipchains rules
blocking remote access to the print spooler IP port; as a result those
installations already reject remote job submissions. However, Red Hat
Linux 7 machines and any machine upgraded to a later release (as
opposed to having been freshly installed) will not have ipchains rules
in place by default.

http://www.linuxsecurity.com/advisor...sory-2131.html

An untrusted PostScript file that uses .locksafe or .setsafe to
reset the current page device can force the ghostscript program
to execute arbitrary commands.

http://www.linuxsecurity.com/advisor...sory-2133.html

The IGMP report suppression mechanism can be exploited for launching
an insider denial of service attack against a host connected to a
Multicast group.

Instead of sending an IGMP membership report to the Multicast group
ethernet address as is the norm, an attacker sends the report addressed to
the victim's ethernet address. The victim host, on seeing the IGMP report,
suppresses its own IGMP report as per the IGMP standard. The querier
router then never gets an IGMP report, effectively cutting off traffic
from that group.

http://www.linuxsecurity.com/advisor...sory-2134.html

Regards

eddie
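The IGMP report-suppression issue in the post above turns on a report being framed to one host's Ethernet address rather than the group's. As an added detection example (not from the advisory), the code below maps an IPv4 group to its RFC 1112 multicast MAC and flags membership reports whose frame destination does not match; the sample frames are constructed.

```python
"""Spotting IGMP membership reports framed to a unicast Ethernet address.

Added example for this thread, not from the advisory. A membership report
for group G normally travels in a frame addressed to G's mapped multicast
MAC (RFC 1112: 01:00:5e + low 23 bits of G), so a report addressed to a
single host's MAC is the anomaly described above. Frames are constructed."""
import ipaddress
from typing import Dict, List


def multicast_mac(group: str) -> str:
    """RFC 1112 mapping of an IPv4 multicast group to its Ethernet MAC."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def flag_unicast_reports(frames: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return membership reports whose frame was not sent to the group's own MAC.

    Such a report still suppresses the victim's own report (hosts do not check
    the frame destination), but the querier never sees it."""
    flagged = []
    for frame in frames:
        if frame["igmp_type"] != "membership_report":
            continue
        if frame["dst_mac"].lower() != multicast_mac(frame["group"]):
            flagged.append(frame)
    return flagged


# Constructed sample capture: two normal reports and one aimed at a host.
SAMPLE_FRAMES = [
    {"src_mac": "00:11:22:33:44:55", "dst_mac": "01:00:5e:7f:ff:fa",
     "igmp_type": "membership_report", "group": "239.255.255.250"},
    {"src_mac": "00:11:22:33:44:66", "dst_mac": "01:00:5e:01:02:03",
     "igmp_type": "membership_report", "group": "224.1.2.3"},
    # Report for 239.255.255.250 sent to a single station's MAC (the victim).
    {"src_mac": "00:11:22:33:44:77", "dst_mac": "00:aa:bb:cc:dd:ee",
     "igmp_type": "membership_report", "group": "239.255.255.250"},
]

if __name__ == "__main__":
    for f in flag_unicast_reports(SAMPLE_FRAMES):
        print("suspicious report from", f["src_mac"], "to", f["dst_mac"],
              "for group", f["group"])
```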

eddie5659
21-Jun-2002, 06:36 PM #3
The Apache Web server contains a security vulnerability which can be used
to launch a denial of service attack, or in some cases, allow remote code
execution.

http://www.linuxsecurity.com/advisor...sory-2146.html

From the original Apache advisory:

Versions of the Apache web server up to and including 1.3.24 and 2.0
up to and including 2.0.36 contain a bug in the routines which deal
with invalid requests which are encoded using chunked encoding. This
bug can be triggered remotely by sending a carefully crafted invalid
request.

On TSL, this can be used in a denial of service attack but is not believed
to be exploitable in any other manner.

http://www.linuxsecurity.com/advisor...sory-2147.html

From the Apache site:

"While testing for Oracle vulnerabilities, Mark Litchfield discovered a
denial of service attack for Apache on Windows. Investigation by the
Apache Software Foundation showed that this issue has a wider scope, which
on some platforms results in a denial of service vulnerability, while on
some other platforms presents a potential remote exploit vulnerability."

The complete text of the Apache announcement may be found here:
http://httpd.apache.org/info/securit...n_20020617.txt

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0392 to this issue:
http://cve.mitre.org/cgi-bin/cvename...=CAN-2002-0392

http://www.linuxsecurity.com/advisor...sory-2148.html

Mark Litchfield found a denial of service attack in the Apache
web-server. While investigating the problem the Apache Software
Foundation discovered that the code for handling invalid requests which
use chunked encoding also might allow arbitrary code execution.

This has been fixed in version 1.3.9-14.1-1.21.20000309-1 of the Debian
apache-perl package and we recommend that you upgrade your apache-perl
package immediately.

An update for the soon to be released Debian GNU/Linux 3.0/woody
distribution will be available soon.

http://www.linuxsecurity.com/advisor...sory-2150.html

A Denial of Service attack was discovered by Mark Litchfield in the
Apache webserver. As well, while investigating this problem, the
Apache Software Foundation discovered that the code for handling
invalid requests that use chunked encoding may also allow arbitrary
code to be executed on 64-bit architectures.

All versions of Apache prior to 1.3.26 and 2.0.37 are vulnerable to
this problem. A patched version of Apache is currently available for
Single Network Firewall 7.2, with patched versions of Apache soon to
be available for the other supported Mandrake Linux versions.

http://www.linuxsecurity.com/advisor...sory-2151.html

A Denial of Service attack was discovered by Mark Litchfield in the
Apache webserver. As well, while investigating this problem, the
Apache Software Foundation discovered that the code for handling
invalid requests that use chunked encoding may also allow arbitrary
code to be executed on 64-bit architectures.

All versions of Apache prior to 1.3.26 and 2.0.37 are vulnerable to
this problem. This update provides patched versions of Apache for the
remaining supported Mandrake Linux versions.

http://www.linuxsecurity.com/advisor...sory-2152.html

Regards

eddie

eddie5659
28-Jun-2002, 06:53 PM #4
Updated mailman packages are now available for Red Hat Secure Web Server 3.2 (U.S.). These updates resolve a cross-site scripting vulnerability present in versions of Mailman prior to 2.0.11.

http://www.linuxsecurity.com/advisor...sory-2170.html

Several vulnerabilities have been reported in OpenSSH if the
S/KEY or BSD Auth features have been enabled, or if
PAMAuthenticationViaKbdInt has been enabled.

http://www.linuxsecurity.com/advisor...sory-2171.html

This advisory is an update to DSA-134-3: this advisory contains
updated information that is relevant to all Debian installations of
OpenSSH (the ssh package). DSA-134-4 supersedes previous versions of DSA-134.

http://www.linuxsecurity.com/advisor...sory-2172.html

Under some conditions Squid may forward the proxy authentication credentials. This can happen if you normally require your users to log in to use the proxy, but allow some sites to be reached without needing to log in.

http://www.linuxsecurity.com/advisor...sory-2173.html

A couple of bugs have been discovered in several versions of OpenSSH, including version 3.1p1 which is shipped with TSL. As later versions of OpenSSH introduce rather large changes in functionality and our public testing revealed a few issues not yet solved, we chose to apply the patches supplied by the OpenSSH project rather than upgrade to the latest version.

http://www.linuxsecurity.com/advisor...sory-2174.html

The mod_ssl team have upgraded their code due to an off-by-one buffer overflow bug in the compatibility functionality (mapping of old directives to new ones).

We don't have any indication that this issue is in any way exploitable, but since the upstream vendor has released a new version, we want to upgrade the package.

http://www.linuxsecurity.com/advisor...sory-2175.html

OpenSSH[1] is a very popular and versatile tool that uses encrypted connections between hosts and is commonly used for remote administration.

ISS[5] published[4] an advisory concerning a remote vulnerability in OpenSSH that could be used by remote attackers to obtain root
privileges on the server where OpenSSH is running.

The vulnerability is present in two authentication mechanisms:
ChallengeResponse and PAMAuthenticationViaKbdInt. If these mechanisms are not necessary in your installation, they can be disabled by the following entries in /etc/ssh/sshd_config:

ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no

Please note that any changes made to the sshd_config file require a
service restart to be effective.

http://www.linuxsecurity.com/advisor...sory-2176.html

Regards

eddie
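The OpenSSH workaround in the post above is two sshd_config lines. As an added example (not from the advisory or the OpenSSH project), the checker below reads an sshd_config the way sshd does (case-insensitive keywords, comment lines skipped, first occurrence of a keyword wins) and reports whether both options are explicitly set to no; it assumes an unset option should be reported rather than treated as safe, and both configs are constructed.

```python
"""Audit sshd_config for the two options named in the OpenSSH advisory.

Added example for this thread, not OpenSSH project code. An unset keyword
falls back to the build's compiled default, so it is reported as 'unset'
rather than assumed disabled. Both sample configs are constructed."""
from typing import Dict

CHECKED_OPTIONS = ("ChallengeResponseAuthentication", "PAMAuthenticationViaKbdInt")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective top-level keyword values, following sshd's parsing rules:
    keywords are case-insensitive, lines starting with '#' are comments,
    'Key value' and 'Key=value' are both accepted, and for each keyword the
    first occurrence wins. Keywords under a Match block are conditional and
    are skipped here."""
    values: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            values.setdefault(key, value)
    return values


def audit_kbd_interactive(text: str) -> Dict[str, str]:
    """Report 'yes', 'no' or 'unset' for each option from the advisory."""
    values = parse_sshd_config(text)
    return {opt: values.get(opt.lower(), "unset").lower() for opt in CHECKED_OPTIONS}


def is_mitigated(text: str) -> bool:
    """True only when both options are explicitly disabled."""
    return all(v == "no" for v in audit_kbd_interactive(text).values())


# Constructed: the PAM line is commented out, so that option stays unset.
WEAK_CONFIG = """\
Port 22
ChallengeResponseAuthentication yes
#PAMAuthenticationViaKbdInt no
"""

# Constructed: the later duplicate 'yes' is ignored because the first value wins.
HARDENED_CONFIG = """\
challengeresponseauthentication no
PAMAuthenticationViaKbdInt=no
ChallengeResponseAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_kbd_interactive(cfg), "mitigated:", is_mitigated(cfg))
```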
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.