Linux Vulnerabilities : Dec 11 onwards

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

eddie5659

Thread Starter
Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Hiya

Wietse Venema reported he found a denial of service vulnerability in
postfix. The SMTP session log that postfix keeps for debugging purposes
could grow to an unreasonable size.

postfix

http://www.linuxsecurity.com/advisories/debian_advisory-1745.html

OpenSSH is a freely available, open source implementation of the
Secure Shell protocol. It provides secure encrypted communication
between two untrusted hosts over an insecure network.

The OpenSSH developers released[1] a new version of OpenSSH which
fixes a local vulnerability[2] related to the "UseLogin" option. If
this option is enabled, local users may be able to pass arbitrary
environment variables to the "login" process. By setting LD_PRELOAD
and using a malicious shared library, an attacker might execute
arbitrary code as root.

Please note that Conectiva Linux does not have the "UseLogin" option
enabled by default. Therefore, it's not vulnerable to attacks unless
the system administrator has turned it on.

openssh

http://www.linuxsecurity.com/advisories/other_advisory-1746.html

The OpenSSH team has reported a vulnerability in the OpenSSH server
that allows remote attackers to obtain root privilege if the server
has the UseLogin option enabled. This option is off by default on
OpenLinux, so a default installation is not vulnerable.

We nevertheless recommend to our customers to upgrade to the fixed
package.

Exploits of this vulnerability have apparently been circulated for
some time.

Linux - Remote vulnerability in OpenSSH

http://www.linuxsecurity.com/advisories/caldera_advisory-1747.html

The default pam files for the passwd program did not include support
for md5 passwords, thus any password changes or post-install added
users would not have md5 passwords.

passwd

http://www.linuxsecurity.com/advisories/mandrake_advisory-1748.html

The new OpenSSH 3.0.2 fixes a vulnerability in the UseLogin option.
By default, Mandrake Linux does not enable UseLogin, but if the
administrator enables it, local users are able to pass environment
variables to the login process. This update also fixes a security
hole in the KerberosV support that is present in versions 2.9.9 and
3.0.0.

openssh

http://www.linuxsecurity.com/advisories/mandrake_advisory-1749.html

Updated glibc packages are available to fix an overflowable buffer
and for 7.x to fix a couple of non-security related bugs.

Red Hat Linux 6.2 - alpha, i386, i686, sparc, sparcv9

Red Hat Linux 7.0 - alpha, alphaev6, i386, i686

Red Hat Linux 7.1 - alpha, alphaev6, i386, i686, ia64

Red Hat Linux 7.2 - i386, i686

http://www.linuxsecurity.com/advisories/redhat_advisory-1750.html

Regards

eddie
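The UseLogin issue above, as an added example that is not part of any of the quoted advisories or of OpenSSH's own code. The security point is that the dynamic loader only applies its secure-execution filtering (the AT_SECURE case: setuid, setgid, file capabilities) when the executable itself is privileged. A root sshd that exec()s /bin/login as root is not setuid, so LD_PRELOAD is honoured and a client-supplied value loads an attacker library into a root process. The defence therefore has to live in the program doing the exec: build the helper's environment from an allow-list instead of forwarding what the client sent. The deny-list regex is modelled on the names glibc itself refuses for setuid programs (its unsecvars.h list); the allow-list, the helper argv and the hostile request are assumptions of this example.

```python
import re
import subprocess

# Names glibc's loader refuses for setuid programs (modelled on unsecvars.h).
# Kept as a deny-list of last resort; the allow-list below does the real work.
LOADER_CONTROLLED = re.compile(
    r"^(LD_.*|GCONV_PATH|GETCONF_DIR|GLIBC_TUNABLES|HOSTALIASES|LOCALDOMAIN|LOCPATH|"
    r"MALLOC_.*|NIS_PATH|NLSPATH|RESOLV_HOST_CONF|RES_OPTIONS|TMPDIR|TZDIR)$"
)

# Names a login-style helper legitimately needs from the client side (assumption).
DEFAULT_ALLOW = frozenset({"TERM", "LANG", "LC_ALL", "LC_CTYPE"})

def sanitize_env(requested, allow=DEFAULT_ALLOW):
    """Build the environment for a privileged helper from client-supplied
    variables (think ~/.ssh/environment or an SSH "env" channel request).

    Anything not allow-listed is dropped; loader-controlled names are dropped
    even if someone later allow-lists them by mistake; values containing NUL
    or newline are dropped because they break the execve() environment block
    or whatever parses it downstream.
    """
    clean = {}
    for name, value in requested.items():
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
            continue
        if LOADER_CONTROLLED.match(name) or name not in allow:
            continue
        if "\0" in value or "\n" in value:
            continue
        clean[name] = value
    # The helper gets a fixed PATH from us, never from the client.
    clean["PATH"] = "/usr/bin:/bin"
    return clean

def run_helper(argv, requested_env):
    """Exec `argv` (e.g. ["/bin/login", "-p", "-h", host, user]) with a
    sanitized environment, the way a hardened sshd would hand off to login."""
    return subprocess.run(argv, env=sanitize_env(requested_env),
                          capture_output=True, text=True, check=False)

if __name__ == "__main__":
    # Constructed attacker request, not a real capture.
    hostile = {"LD_PRELOAD": "/tmp/evil.so", "TERM": "xterm", "IFS": " \t\n"}
    print(sanitize_env(hostile))   # {'TERM': 'xterm', 'PATH': '/usr/bin:/bin'}
```

Note that a newline smuggled into an allow-listed value is rejected too: a helper that writes the environment into a file and re-reads it line by line would otherwise see a second `LD_PRELOAD=` assignment. Nothing here removes the need to apply the OpenSSH update; it shows why "UseLogin no" alone was the effective mitigation on distributions that shipped it disabled.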
 

eddie5659
Hiya

Might as well add this on here:

There is a problem in the glob(3) function of the Glibc library which
allows for exploitation of programs that pass user supplied input
directly to it.

http://www.linuxsecurity.com/advisories/other_advisory-1760.html

A malicious local user can pass environment variables to the login
process if the administrator enables the UseLogin option. This can
be abused to bypass authentication and gain root access.
Note that this option is not enabled by default on TSL.

http://www.linuxsecurity.com/advisories/other_advisory-1761.html

The 2.2.20 release of the Linux kernel fixes a number of bugs. In
addition there are some driver updates and SMP fixes in this package.

http://www.linuxsecurity.com/advisories/other_advisory-1762.html

A remote format string vulnerability was found in the libgtop daemon by
Laboratory intexxia. By sending a specially crafted format string to
the server, a remote attacker could potentially execute arbitrary code
on the remote system with the daemon's permissions. By default libgtop
runs as the user nobody, but the flaw could be used to compromise local
system security by allowing the attacker to exploit other local
vulnerabilities. A buffer overflow was also found by Flavio Veloso
which could allow the client to execute code on the server. Both
vulnerabilities are patched in this update and will be fixed upstream
in version 1.0.14. libgtop_daemon is not invoked by default anywhere
in Mandrake Linux.

http://www.linuxsecurity.com/advisories/mandrake_advisory-1763.html

Updated Mailman packages are now available for Red Hat PowerTools 7 and
7.1. These updates fix cross-site scripting bugs which might allow another
server to be used to gain a user's private information from a server
running Mailman.

http://www.linuxsecurity.com/advisories/redhat_advisory-1764.html

Updated Mailman packages are now available for Red Hat Linux 7.2. These
updates fix cross-site scripting bugs which might allow another server to
be used to gain a user's private information from a server running Mailman.

http://www.linuxsecurity.com/advisories/redhat_advisory-1765.html

Updated, part II:
There was a file conflict in the packages in the two first advisories.
Packages are now fixed, and the MD5 sum is updated.

http://www.linuxsecurity.com/advisories/other_advisory-1766.html

Regards

eddie
 

eddie5659
and a few more:

The file globbing (matching filenames against patterns such as "*.bak")
routines in the glibc exhibits an error that results in a heap corruption
and that may allow a remote attacker to execute arbitrary commands from
processes that take globbing strings from user input.
Tom Parker, Global InterSec LLC, addressed SuSE Security and illustrated
an attack scenario against the BSD-derived ftp daemon that is installed
as /usr/sbin/in.ftpd in SuSE Linux distributions. The said in.ftpd should
not be confused with the Washington University ftp daemon (wu-ftpd) that
comes installed as /usr/sbin/wu.ftpd in SuSE Linux and uses its own
globbing functions.

Since the attack against in.ftpd is based on a heap corruption in glibc,
the proper solution for the error is to exchange the responsible code in
the glibc globbing functions. It should be expected that other network
service daemons that accept user-supplied globbing strings such as rsyncd
can be exploited with this glibc globbing error. There is no satisfactory
workaround against the problem other than updating the glibc libraries
with a fixed version. We provide update packages for this purpose.

Users of the SuSE Linux 6.3 distribution should upgrade their systems
to a newer product since security update support for SuSE Linux 6.3
has been discontinued two years after the release.

http://www.linuxsecurity.com/advisories/suse_advisory-1767.html

Updated namazu packages are available for Red Hat Linux 7.0J. These
packages fix a cross-site scripting vulnerability.

http://www.linuxsecurity.com/advisories/redhat_advisory-1768.html

There is a format string vulnerability in stunnel which may allow an
attacker to exploit a victim by impersonating a mail server.

http://www.linuxsecurity.com/advisories/other_advisory-1769.html

The package 'gpm' contains the 'gpm-root' program, which can be used to
create mouse-activated menus on the console.
Among other problems, the gpm-root program contains a format string
vulnerability, which allows an attacker to gain root privileges.

http://www.linuxsecurity.com/advisories/debian_advisory-1770.html

Regards

eddie
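The glibc globbing advisory in this post and the format-string advisories here and in the previous post (libgtop_daemon, stunnel, gpm-root) describe the input that triggers each bug class: a user-supplied glob pattern reaching glob(3) from a network daemon such as in.ftpd or rsyncd, and user-supplied text reaching a printf-style call. The only real fix is the vendor update, but the following detection logic, an added example that is not part of any advisory, shows what the probes look like in a daemon's log. The log layout ("prog[pid]: user@ip CMD arg"), the sample lines and the thresholds are all constructed for this example; real ftpd or stunnel logs differ and the line regex would need adjusting.

```python
import re

# Constructed sample lines (not real captures). The layout is an assumption
# of this example, not a real in.ftpd or stunnel log format.
SAMPLE_LOG = """\
Dec 12 03:14:01 ftp in.ftpd[1234]: anonymous@192.0.2.10 NLST pub/*.tar.gz
Dec 12 03:14:07 ftp in.ftpd[1234]: anonymous@192.0.2.10 NLST {..{..{..{..{..{..{..{..{..{..}}}}}}}}}}*
Dec 12 03:15:22 ftp in.ftpd[1301]: anonymous@192.0.2.10 NLST ****************************************
Dec 12 03:16:40 mx stunnel[877]: client@198.51.100.7 HELO %n%n%n%n%x%x%x%x
Dec 12 03:17:02 ftp in.ftpd[1350]: bob@203.0.113.5 RETR README
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^\[ ]+)\[(?P<pid>\d+)\]: "
    r"(?P<who>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$"
)
# printf-style conversion, including the write directive %n that turns a
# format-string bug into a memory write.
FMT_RE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?[nxXpsdiuoc]")

MAX_META = 8    # glob metacharacters per argument before we call it abuse
MAX_DEPTH = 4   # nested {} depth; legitimate patterns rarely exceed 1-2

def glob_stats(arg):
    """Count glob metacharacters and the deepest {} nesting in `arg`."""
    meta = sum(arg.count(c) for c in "*?[{")
    depth = deepest = 0
    for ch in arg:
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}" and depth:
            depth -= 1
    return meta, deepest

def classify(arg):
    """Return the list of reasons `arg` looks hostile (empty if benign)."""
    reasons = []
    meta, depth = glob_stats(arg)
    if meta > MAX_META or depth > MAX_DEPTH:
        reasons.append(f"glob-abuse meta={meta} depth={depth}")
    directives = FMT_RE.findall(arg)
    # one stray %s in a filename is noise; %n, or a run of them, is a probe
    if "%n" in directives or len(directives) >= 3:
        reasons.append(f"format-string probe directives={len(directives)}")
    return reasons

def scan(lines):
    """Return one dict per suspicious line; unparsable lines are skipped."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("arg") or "")
        if reasons:
            hits.append({"lineno": lineno, "prog": m.group("prog"),
                         "who": m.group("who"), "cmd": m.group("cmd"),
                         "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

Treat a hit as a trigger to confirm the glibc and daemon versions on that host, not as proof of compromise: a successful heap-corruption exploit will usually be followed by a crash or a child that never logs the command at all, so absence of hits after a probe is the worrying case.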
 

eddie5659
Might as well post here. No point opening a new thread.

Updated Mailman packages are now available for Red Hat Secure Web Server
3.2 (U.S.). These updates fix cross-site scripting bugs which might allow
another server to be used to gain a user's private information from a
server running Mailman.

http://www.linuxsecurity.com/advisories/redhat_advisory-1771.html

mutt-1.2.5.1 is released as an update to the last stable version of
mutt, mutt-1.2.5. The ONLY relevant change in this version is the
fix mentioned above. No other bugs present in 1.2.5 have been
fixed. You only want to upgrade to this version of mutt if you
absolutely have to stick with the mutt-1.2 series.

mutt-1.3.25 is the latest BETA version of mutt, and very close to
what will eventually become mutt-1.4. Personally, I'd recommend
that you download and use this version.

http://www.linuxsecurity.com/advisories/other_advisory-1772.html

Joost Pol found a buffer overflow in the address handling code of
mutt (a popular mail user agent). Even though this is a one byte
overflow this is exploitable.

This has been fixed upstream in version 1.2.5.1 and 1.3.25. The
relevant patch has been added to version 1.2.5-5 of the Debian
package.

http://www.linuxsecurity.com/advisories/debian_advisory-1773.html

The GNU C Library (glibc) is the standard library used by almost any
program in a common linux system.

There is a buffer overflow[1] discovered by Flávio Veloso in the
glibc's glob() function. By triggering this vulnerability[2], an
attacker could make a program which uses that function execute
arbitrary code.

http://www.linuxsecurity.com/advisories/other_advisory-1774.html

LibGTop (from the Gnome project) is a library that fetches system
related information such as CPU Load, Memory Usage and running
processes. It includes a daemon (libgtop_daemon) which can be used to
monitor processes remotely.

There are two libgtop_daemon vulnerabilities addressed by this
advisory:

The first one[1] was found by the Laboratory intexxia and is related
to a format string vulnerability in the libgtop_daemon logging
mechanisms. The second[2] was found later[3] by Flavio Veloso when
investigating the first and is a buffer overflow in the same part of
the code.

By exploiting any of the vulnerabilities an attacker would be able to
execute arbitrary code with the privileges of the user libgtop_daemon
is running as.

Notice that libgtop_daemon is not invoked by default anywhere in
Conectiva Linux, even if you're running Gnome as your desktop.

http://www.linuxsecurity.com/advisories/other_advisory-1775.html

The Exim maintainer, Philip Hazel, writes about this issue: "The
problem exists only in the case of a run time configuration which
directs or routes an address to a pipe transport without checking the
local part of the address in any way. This does not apply, for
example, to pipes run from alias or forward files, because the local
part is checked to ensure that it is the name of an alias or of a
local user. The bug's effect is that, instead of obeying the correct
pipe command, a broken Exim runs the command encoded in the local part
of the address."

This problem has been fixed in Exim version 3.12-10.2 for the stable
distribution Debian GNU/Linux 2.2 and 3.33-1.1 for the testing and
unstable distribution. We recommend that you upgrade your exim
package.

http://www.linuxsecurity.com/advisories/debian_advisory-1776.html

The sparc binary for the mutt security fix described in DSA-096-1
is now available.

http://www.linuxsecurity.com/advisories/debian_advisory-1777.html

Regards

eddie
 

eddie5659
some more for the sheer hell of it. Again, no point making a new thread.

ProFTPD is a highly configurable FTP daemon written from scratch for
Unix and Unix-like operating systems.

This advisory addresses two security problems:

1. ProFTPD was not forward resolving reverse-resolved hostnames. A
remote attacker could explore this vulnerability[1] to bypass ProFTPD
access control lists or have false information (client hostname)
logged. It was discovered by Matthew S. Hallacy
<[email protected]>.

2. A DoS vulnerability[2] was found by Frank Denis. By sending a
malicious command to the server, a remote attacker could force the
process to consume all CPU and memory resources available to it.
Multiple attack instances could effectively bring the server down.

This update also fixes a Segmentation Fault problem, found[3] by
Mattias <[email protected]>, which was further analyzed and
considered by the developers as not exploitable.

http://www.linuxsecurity.com/advisories/other_advisory-1793.html

There are some insecure permissions on configuration files and
executables with the bind 9.x packages shipped with Mandrake Linux 8.0
and 8.1. This update provides stricter permissions by making the
/etc/rndc.conf and /etc/rndc.key files read/write by the named user and
by making /sbin/rndc-confgen and /sbin/rndc read/write/executable only
by root.

http://www.linuxsecurity.com/advisories/mandrake_advisory-1794.html

The use of LD_PRELOAD can make a program with privileges given by LIDS
execute attackers code. This means that a root intruder can get every
capability or fs access you configured LIDS to grant. Moreover, if you
granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program, an attacker could
deactivate LIDS and thus, access any file.

In some configurations, this also leads to users being able to become root.
(there must be a program granted CAP_SETUID which is not setuid)

http://www.linuxsecurity.com/advisories/other_advisory-1795.html

Updated namazu packages are available for Red Hat Linux 7.0J. These
packages fix cross-site scripting vulnerabilities. They also fix a possible
buffer overflow.

http://www.linuxsecurity.com/advisories/redhat_advisory-1796.html

The pine port, versions previous to pine-4.44, handles URLs in
messages insecurely. PINE allows users to launch a web browser to
visit a URL embedded in a message. Due to a programming error, PINE
does not properly escape meta-characters in the URL before passing it
to the command shell as an argument to the web browser.

The pine port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
over 6000 third-party applications in a ready-to-install format. The
ports collection shipped with FreeBSD 4.4 contains this problem since
it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

http://www.linuxsecurity.com/advisories/freebsd_advisory-1797.html

The webmail frontend IMP has a cross site scripting problem, allowing
a remote attacker to send you an E-mail with a malformed URL that when
clicked on will open your mail session to the attacker, allowing him
to read and delete your E-mails.


http://www.linuxsecurity.com/advisories/caldera_advisory-1798.html

Slash, the code that runs Slashdot and many other web sites, has a
vulnerability in recent versions that allows any logged-in user to
log in as any other user.

This allows users to take nearly full control of a Slash system (post
and delete stories, posting stories, edit users, post as other users,
etc., and do anything that a Slash user can do) by logging in to
an administrator's Slash account.

http://www.linuxsecurity.com/advisories/other_advisory-1799.html

Regards

eddie
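The first ProFTPD item above is the classic reverse-DNS trust problem: the owner of an IP block controls its PTR records, so a client can name itself anything it likes unless the server checks that the name resolves back to the connecting address. Here is that check, forward-confirmed reverse DNS, as an added example that is not ProFTPD's code or part of the advisory. The resolver functions are injected so the example runs offline against constructed DNS data; the ACL pattern syntax, the log line format and the zone data are assumptions of this example.

```python
import fnmatch
import ipaddress
import socket

def fcrdns(ip, reverse_lookup, forward_lookup):
    """Forward-confirmed reverse DNS.

    reverse_lookup(ip) -> PTR name or None; forward_lookup(name) -> list of
    address strings. The PTR name is returned only if one of its forward
    addresses is `ip`; otherwise None, and callers must fall back to the IP.
    """
    try:
        ip_obj = ipaddress.ip_address(ip)
    except ValueError:
        return None
    name = reverse_lookup(ip)
    if not name:
        return None
    name = name.rstrip(".").lower()
    try:
        addrs = {ipaddress.ip_address(a) for a in forward_lookup(name)}
    except (ValueError, OSError):
        return None
    return name if ip_obj in addrs else None

def allowed_by_acl(ip, acl_patterns, reverse_lookup, forward_lookup):
    """ACL decision the way a hardened ftpd should make it: hostname patterns
    match only the confirmed name; address patterns always work."""
    name = fcrdns(ip, reverse_lookup, forward_lookup)
    for pat in acl_patterns:
        if fnmatch.fnmatchcase(ip, pat):
            return True
        if name is not None and fnmatch.fnmatchcase(name, pat):
            return True
    return False

def log_name(ip, reverse_lookup, forward_lookup):
    """What to write in the transfer log: never an unconfirmed PTR name."""
    name = fcrdns(ip, reverse_lookup, forward_lookup)
    return f"{name} [{ip}]" if name else f"UNKNOWN [{ip}]"

# Constructed DNS data (not real zones). The owner of 203.0.113.9 planted a
# PTR claiming mirror.example.org, but example.org's A record disagrees.
FAKE_PTR = {"192.0.2.10": "mirror.example.org.", "203.0.113.9": "mirror.example.org."}
FAKE_A = {"mirror.example.org": ["192.0.2.10"]}

def fake_reverse(ip):
    return FAKE_PTR.get(ip)

def fake_forward(name):
    return FAKE_A.get(name, [])

# Real resolvers for production use; not exercised here so the example stays offline.
def real_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def real_forward(name):
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []

if __name__ == "__main__":
    for client in FAKE_PTR:
        print(log_name(client, fake_reverse, fake_forward),
              allowed_by_acl(client, ["*.example.org"], fake_reverse, fake_forward))
```

Two caveats a deployment has to accept: the forward lookup adds a second DNS round trip per connection (ProFTPD's original mistake was arguably an optimisation), and a name that fails confirmation must be logged as unknown rather than silently replaced by the PTR, or the log is still attacker-controlled.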
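The PINE advisory above is a command-injection bug: a URL from an untrusted message is spliced into a string that /bin/sh parses, so shell metacharacters in the URL become shell syntax. The added example below, which is not PINE's code or part of the FreeBSD advisory, shows both halves: the vulnerable string is built (but never executed) and tokenised the way a POSIX shell would tokenise it, and the safe version validates the scheme and passes the URL as a single argv element with no shell in the path. The browser name and the hostile URL are constructed for the example.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

# Constructed hostile URL: the double quote closes the browser's argument and
# the remainder is parsed as a second command.
HOSTILE_URL = 'http://example.com/"; touch /tmp/pwned; "'

def shell_command_vulnerable(url, browser="netscape"):
    """The pre-4.44 pattern: splice the URL into a string destined for /bin/sh.
    Returned, not executed, so the effect can be inspected safely."""
    return f'{browser} "{url}"'

def shell_words(cmd):
    """Tokenise `cmd` the way a POSIX shell would, keeping ; as its own token,
    so the injected command is visible without running anything."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)

def safe_argv(url, browser="netscape"):
    """Validate the URL and hand it over as ONE argv element; no shell anywhere."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https", "ftp"):
        raise ValueError(f"refusing scheme {parts.scheme!r}")
    if any(ord(c) < 32 or ord(c) == 127 for c in url):
        raise ValueError("control character in URL")
    return [browser, url]

def rejected(url):
    """True if safe_argv refuses `url`."""
    try:
        safe_argv(url)
    except ValueError:
        return False or True
    return False

def open_url(url, browser="netscape"):
    """Launch the browser via execve semantics (Popen with a list), never
    through the shell; the metacharacters arrive as plain bytes in argv[1]."""
    return subprocess.Popen(safe_argv(url, browser))

if __name__ == "__main__":
    print(shell_words(shell_command_vulnerable(HOSTILE_URL)))
    print(safe_argv(HOSTILE_URL))
```

The scheme check matters independently of quoting: even with a correct argv, handing `file:` or `mailto:` URLs, or a URL beginning with `-` that the browser would read as an option, to an external program is a different bug, and it is easier to allow-list what the mailer is willing to open than to enumerate what it must refuse.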
 

eddie5659
and again:

Turbolinux

Exploitation of the conditions discovered during the audit could lead
to a denial of service or remote root compromise.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-1852.html

EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools

There is a signed integer handling vulnerability in rsync which can
allow an attacker to potentially gain root access.

http://www.linuxsecurity.com/advisories/other_advisory-1853.html

rsync

The rsync program allows users and administrators to synchronize files and
whole directory structures on different machines. It is common practise
to allow remote users to mirror ftp servers via anonymous rsync access.
There exist several signedness bugs within the rsync program which allow
remote attackers to write 0-bytes to almost arbitrary stack-locations,
therefore being able to control the programflow and obtaining a shell
remotely. These bugs have been fixed.

http://www.linuxsecurity.com/advisories/suse_advisory-1855.html

rsync

Sebastian Krahmer from SuSe did an audit on the rsync source code and
found several vulnerabilities regarding the use of signed integers.
Some variables could receive a negative value, and this was a
condition that was not expected by the program. A remote attacker
could exploit this to execute commands on the rsync server.

http://www.linuxsecurity.com/advisories/other_advisory-1856.html

rsync

Sebastian Krahmer found several places in rsync (a popular tool to
synchronise files between machines) where signed and unsigned numbers
were mixed which resulted in insecure code. This could be abused by
remote users to write 0-bytes in rsync's memory and trick rsync into
executing arbitrary code.

http://www.linuxsecurity.com/advisories/debian_advisory-1857.html

Slackware 8.0 ChangeLog

patches/packages/rsync.tgz: Fixed a security hole by upgrading to
rsync-2.4.8pre1. This is the relevant information from the rsync NEWS file.

http://www.linuxsecurity.com/advisories/slackware_advisory-1858.html

New rsync packages available

New rsync packages are available; these fix a remotely exploitable problem
in the I/O functions.

http://www.linuxsecurity.com/advisories/redhat_advisory-1859.html

eddie
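The rsync advisories above all describe the same bug class: a length read off the wire into a signed int, checked only against an upper bound, then used as an index. A negative value passes `if (l > MAX)` and the terminating 0-byte is written before the buffer, which is the "write 0-bytes to almost arbitrary stack locations" in the SuSE text. The following is an added example modelling that class in Python; it is not rsync's code, the framing (4-byte little-endian length plus payload) and the flat toy memory with the buffer at a fixed offset are assumptions of the example, and the "fixed" version shows the general remedy (treat the length as unsigned before the bound check), not rsync's actual patch.

```python
import struct

MEM_SIZE = 256   # toy flat memory standing in for a slice of the stack
BUF = 128        # where the receive buffer starts inside it
BUF_LEN = 64     # its size; anything outside [BUF, BUF+BUF_LEN) is other stack data

def frame(length, payload=b""):
    """Build a wire message: 4-byte little-endian length, then the bytes.
    Constructed framing for this example, not rsync's real protocol."""
    return struct.pack("<i", length) + payload

def read_int_signed(wire):
    """What the buggy code did: the wire value lands in a signed int."""
    return struct.unpack("<i", wire[:4])[0]

def read_int_unsigned(wire):
    return struct.unpack("<I", wire[:4])[0]

def receive_vulnerable(mem, wire):
    """Length check `if (l > BUF_LEN-1) fail;` with a signed l.
    A negative l passes, nothing is copied, and the terminating 0-byte is
    written at buf[l], i.e. below the buffer. Returns the address written."""
    l = read_int_signed(wire)
    if l > BUF_LEN - 1:
        raise ValueError("length too large")
    payload = wire[4:4 + max(l, 0)]
    mem[BUF:BUF + len(payload)] = payload
    addr = BUF + l
    if not 0 <= addr < MEM_SIZE:
        raise IndexError("write outside modelled memory")
    mem[addr] = 0          # the attacker-chosen 0-byte write
    return addr

def receive_fixed(mem, wire):
    """Same logic with the length interpreted as unsigned before the bound
    check, so a 'negative' value shows up as a huge one and is rejected."""
    l = read_int_unsigned(wire)
    if l > BUF_LEN - 1:
        raise ValueError("length out of range")
    payload = wire[4:4 + l]
    mem[BUF:BUF + len(payload)] = payload
    mem[BUF + l] = 0
    return BUF + l

def in_buffer(addr):
    return BUF <= addr < BUF + BUF_LEN

def rejects(receive, wire):
    """True if `receive` refuses `wire` without touching memory."""
    mem = bytearray(b"\xff" * MEM_SIZE)
    try:
        receive(mem, wire)
    except ValueError:
        return mem == bytearray(b"\xff" * MEM_SIZE)
    return False

if __name__ == "__main__":
    mem = bytearray(b"\xff" * MEM_SIZE)
    hit = receive_vulnerable(mem, frame(-100))
    print("vulnerable: 0-byte landed at", hit, "in buffer?", in_buffer(hit))
    print("fixed rejects the same frame:", rejects(receive_fixed, frame(-100)))
```

The value -100 is the attacker's choice; in the real daemon the same arithmetic lets the sender pick the offset of the zero write, and zeroing one byte of a saved frame pointer or return address is enough to redirect control flow, which is why the advisories rate this as remote code execution rather than a crash.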
 