Linux Vulnerabilities: Febuary

Hiya

Florian Lohoff discovered a bug in the dhcrelay causing it to send a
continuing packet storm towards the configured DHCP server(s) in case
of a malicious BOOTP packet, such as sent from buggy Cisco switches.

When the dhcp-relay receives a BOOTP request it forwards the request
to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff
which causes the network interface to reflect the packet back into the
socket. To prevent loops the dhcrelay checks whether the
relay-address is its own, in which case the packet would be dropped.
In combination with a missing upper boundary for the hop counter an
attacker can force the dhcp-relay to send a continuing packet storm
towards the configured dhcp server(s).

This patch introduces a new commandline switch ``-c maxcount'' and
people are advised to start the dhcp-relay with ``dhcrelay -c 10''
or a smaller number, which will only create that many packets.

The dhcrelay program from the ``dhcp'' package does not seem to be
affected since DHCP packets are dropped if they were apparently
relayed already.

For the stable distribution (woody) this problem has been fixed in
version 3.0+3.0.1rc9-2.2.

The old stable distribution (potato) does not contain dhcp3 packages.

For the unstable distribution (sid) this problem has been fixed in
version 1.1.2-1.

We recommend that you upgrade your dhcp3 package when you are using
the dhcrelay server.


http://www.linuxsecurity.com/advisories/debian_advisory-2820.html

Multiple vulnerabilities have been found in MIT Kerberos 5 releases
prior to release 1.2.5. MIT recommends updating to 1.2.7 if possible.

http://www.linuxsecurity.com/advisories/other_advisory-2821.html

Vincent Danen of Mandrake Linux noticed that according to the change
log [0] for MySQL release 3.23.55 [1] a vulnerbility has been fixed
where a double-free pointer bug in mysql_change_user() handling
enabled a specially hacked version of MySQL client to crash mysqld.
The vendor states that one needs to successfully login to the server
by using a valid user account to be able to exploit this bug.

Please check whether you are affected by running "/bin/rpm -q
mysql". If you have the "mysql" package installed and its version is
affected (see above), we recommend that you immediately upgrade it


http://www.linuxsecurity.com/advisories/other_advisory-2822.html

The developers of tomcat discovered several problems in tomcat version
3.x. The Common Vulnerabilities and Exposures project identifies the
following problems:

. CAN-2003-0042: A maliciously crafted request could return a
directory listing even when an index.html, index.jsp, or other
welcome file is present. File contents can be returned as well.

. CAN-2003-0043: A malicious web application could read the contents
of some files outside the web application via its web.xml file in
spite of the presence of a security manager. The content of files
that can be read as part of an XML document would be accessible.

. CAN-2003-0044: A cross-site scripting vulnerability was discovered
in the included sample web application that allows remote attackers
to execute arbitrary script code.

For the stable distribution (woody) this problem has been fixed in
version 3.3a-4.1.

The old stable distribution (potato) does not contain tomcat packages.

For the unstable distribution (sid) this problem has been fixed in
version 3.3.1a-1.

We recommend that you upgrade your tomcat package.



http://www.linuxsecurity.com/advisories/debian_advisory-2823.html

The developers of courier, an integrated user side mail server,
discovered a problem in the PostgreSQL auth module. Not all
potentially malicious characters were sanitized before the username
was passed to the PostgreSQL engine. An attacker could inject
arbitrary SQL commands and queries exploiting this vulnerability. The
MySQL auth module is not affected.

For the stable distribution (woody) this problem has been fixed in
version 0.37.3-3.3.

The old stable distribution (potato) does not contain courier packages.

For the unstable distribution (sid) this problem has been fixed in
version 0.40.2-3.

We recommend that you upgrade your courier-authpostgresql package.

http://www.linuxsecurity.com/advisories/debian_advisory-2824.html

Kerberos is a network authentication system.

A problem has been found in the Kerberos ftp client. When retrieving a
file with a filename beginning with a pipe character, the ftp client will
pass the filename to the command shell in a system() call. This could
allow a malicious ftp server to write to files outside of the current
directory or execute commands as the user running the ftp client.

The Kerberos ftp client runs as the default ftp client when the Kerberos
package krb5-workstation is installed on a Red Hat Linux distribution.

All users of Kerberos are advised to upgrade to these errata packages which
contain a backported patch and are not vulnerable to this issue.


http://www.linuxsecurity.com/advisories/redhat_advisory-2825.html

Double-free vulnerabiity in CVS allows remote attackers to cause
a denial of service and possibly execute arbitrary code via a
malformed Directory request.

http://www.linuxsecurity.com/advisories/caldera_advisory-2826.html

Regards

eddie

 

Hiya

An insecure use of a temporary file has been found in Python. This erratum
provides updated Python packages.

[updated Feb 12 2003]
Updated packages for Red Hat Linux 7.3 are available that fix a binary
incompatibility change in the original erratum packages that affected
redhat-config-users, and to add back the missing python-tools package.

http://www.linuxsecurity.com/advisories/redhat_advisory-2849.html

Updated PAM packages are now available for Red Hat Linux 7.1, 7.2, 7.3, and
8.0. These packages correct a bug in pam_xauth's handling of authorization
data for the root user.


http://www.linuxsecurity.com/advisories/redhat_advisory-2850.html

New fileutils packages for Red Hat Linux 6.2, 7.0, 7.1, 7.2 and 7.3 fix a
race condition in recursive remove and move commands.


http://www.linuxsecurity.com/advisories/redhat_advisory-2851.html

Hironori Sakamoto, one of the w3m developers, found two security
vulnerabilities in w3m and associated programs. The w3m browser does
not properly escape HTML tags in frame contents and img alt
attributes. A malicious HTML frame or img alt attribute may deceive a
user to send his local cookies which are used for configuration. The
information is not leaked automatically, though.

For the stable distribution (woody) these problems have been fixed in
version 0.3.p23.3-1.5. Please note that the update also contains an
important patch to make the program work on the powerpc platform again.

The old stable distribution (potato) is not affected by these
problems.

For the unstable distribution (sid) these problems have been fixed in
version 0.3.p24.17-3 and later.

We recommend that you upgrade your w3mmee-ssl packages.

http://www.linuxsecurity.com/advisories/debian_advisory-2852.html

Mozilla is an open-source web browser designed for standards
compliance, performance and portability.

This update addresses several vulnerabilities found after the mozilla
1.0rc2 release, wich was the last version sent as an official
update[1] for Conectiva Linux distributions. A complete list of such
vulnerabilities can be obtained in [2,3], and details about the most
known ones in [5,6,7,8,9].

A remote attacker could exploit these vulnerabilities by creating
malicious web pages that, when acessed, would crash the browser,
potentially allow remote arbitrary code execution or cause some sort
of unexpected behavior.

The packages from this update are of Mozilla 1.2.1, which is the
latest stable release[10] from mozilla.org and includes fixes for the
known vulnerabilities. Besides the security fixes, it also includes
several new features and other minor corrections.

The vulnerabilities aforementioned also affect the Galeon web
browser, which uses the Mozilla engine. Galeon is being updated to
the version 1.2.7 in Conectiva Linux 8, but not in Conectiva Linux
6.0 and 7.0. The Galeon version distributed in these versions of
Conectiva Linux was in its early stages of development and would not
work with the new Mozilla packages. A new version of Galeon for these
distributions would need many other updated packages and therefore
will not be provided.

http://www.linuxsecurity.com/advisories/connectiva_advisory-2853.html

Hironori Sakamoto, one of the w3m developers, found two security
vulnerabilities in w3m and associated programs. The w3m browser does
not properly escape HTML tags in frame contents and img alt
attributes. A malicious HTML frame or img alt attribute may deceive a
user to send his local cookies which are used for configuration. The
information is not leaked automatically, though.

For the stable distribution (woody) these problems have been fixed in
version 0.3-2.4.

The old stable distribution (potato) is not affected by these
problems.

For the unstable distribution (sid) these problems have been fixed in
version 0.3.2.2-1 and later.

We recommend that you upgrade your w3m and w3m-ssl packages.

http://www.linuxsecurity.com/advisories/debian_advisory-2855.html

The util-linux package provides the mcookie utility, a tool for
generating random cookies that can be used for X authentication. The
util-linux packages that were distributed with Mandrake Linux 8.2 and
9.0 had a patch that made it use /dev/urandom instead of /dev/random,
which resulted in the mcookie being more predictable than it would
otherwise be. This patch has been removed in these updates, giving
mcookie a better source of entropy and making the generated cookies
less predictable. Thanks to Dirk Mueller for pointing this out.

http://www.linuxsecurity.com/advisories/mandrake_advisory-2854.html

Regards

eddie

 

Hiya

A problem has been discovered in slocate, a secure locate replacement.
A buffer overflow in the setuid program slocate can be used to execute
arbitrary code as superuser.

For the stable distribution (woody) this problem has been
fixed in version 2.6-1.3.1.

The old stable distribution (potato) is not affected by this problem.

For the unstable distribution (sid) this problem has been fixed in
version 2.7-1.

We recommend that you upgrade your slocate package immediately.

http://www.linuxsecurity.com/advisories/debian_advisory-2880.html

LDAP servers and clients, as well as interfaces to other protocols.
Note that this does not include the slapd interface to X.500 and
therefore does not require the ISODE package.


Problem description:
Several minor security issues where fixed in the new upstream version:
1.2.13

http://www.linuxsecurity.com/advisories/trustix_advisory-2882.html

MySQL is a true multi-user, multi-threaded SQL (Structured Query
Language) database server. MySQL is a client/server implementation
that consists of a server daemon (mysqld) and many different client
programs/libraries.


Problem description:
The new upstream version of mysql, 3.23.55, included several minor
security fixes.


http://www.linuxsecurity.com/advisories/trustix_advisory-2883.html

PostgreSQL is an advanced Object-Relational database management system
(DBMS) that supports almost all SQL constructs (including
transactions, subselects and user-defined types and functions). The
postgresql package includes the client programs and libraries that
you'll need to access a PostgreSQL DBMS server. These PostgreSQL
client programs are programs that directly manipulate the internal
structure of PostgreSQL databases on a PostgreSQL server. These client
programs can be located on the same machine with the PostgreSQL
server, or may be on a remote machine which accesses a PostgreSQL
server over a network connection. This package contains the docs
in HTML for the whole package, as well as command-line utilities for
managing PostgreSQL databases on a PostgreSQL server.


http://www.linuxsecurity.com/advisories/trustix_advisory-2884.html

From the openssl advisory:
OpenSSL version since 0.9.6c supposedly treat block cipher padding
errors like MAC verification errors during record decryption
(see http://www.openssl.org/~bodo/tls-cbc.txt), but MAC verification
was still skipped after detection of a padding error, which allowed
the timing attack. (Note that it is likely that other SSL/TLS
implementations will have similar problems.)

OpenSSL 0.9.6i and 0.9.7a perform a MAC computation even if incorrrect
block cipher padding has been found to minimize information leaked via
timing. For earlier versions starting with 0.9.6e, the enclosed
security patch can be used.

http://www.linuxsecurity.com/advisories/trustix_advisory-2885.html

The initscripts package contains the basic system scripts used to boot
your Trustix system, change run levels, and shut the system down
cleanly. Initscripts also contains the scripts that activate and
deactivate most network interfaces.

PAM (Pluggable Authentication Modules) is a system security tool
which allows system administrators to set authentication policy
without having to recompile programs which do authentication.

The SysVinit package contains a group of processes that control
the very basic functions of your system. SysVinit includes the init
program, the first program started by the Linux kernel when the
system boots. Init then controls the startup, running and shutdown
of all other programs.


http://www.linuxsecurity.com/advisories/trustix_advisory-2881.html

"Due to a remotely exploitable security hole being discovered that
effects all previous Webmin releases, version 1.070 is now available
for download from http://www.webmin.com/ and mirror sites. This
problem was reported by Cintia M. Imanishi, but fortunately there
have been no known malicious exploits of it yet. However, all users
should upgrade to 1.070 as soon as possible."


http://www.linuxsecurity.com/advisories/gentoo_advisory-2886.html

Regards

eddie