From: Network Computing and The SANS Institute (sanssans.org)
Date: Thu Jan 18 2001 - 16:29:39 CST

    To: Security Express (SD397643)
    Re: Your personalized newsletter

                       -- Security Alert Consensus --
                             Number 080 (00.56)
                         Thursday, January 18, 2001
                              Created for you by
                  Network Computing and the SANS Institute
                             Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus.

    ----------------------------------------------------------------------

    Online training in security for sysadmins and security professionals.
    More than 2,000 professionals are already using the program -- includes
    audio lectures, course books, and hourly quizzes so you can know what
    you have and haven't mastered.
    Sign up today for the online programs leading to GIAC certification in
    Security Essentials.
    http://www.sans.org

    ----------------------------------------------------------------------

    We wanted to remind everyone of our internal process for publishing
    items in the Security Alert Consensus. Our goal is to minimize and
    distill the overload of security-related data into a manageable
    quantity. During this process we try to verify and confirm as much as
    possible; yet we take the stance that it is better to compose an alert
    for a potential (unconfirmed) problem than not to alert on the problem
    at all. However, we are going to start making better indications of
    the status of reports: whether it's been confirmed by a vendor or
    follow-up reports, whether the researcher is known to be credible and
    whether an exploit has been published. We hope that will better help
    people assess the risk involved.

    That said, this week was our biggest week in the history of Security
    Express/Security Alert Consensus. WireX decided to go on a wild spree
    to find tmp file handling problems; it wound up with 12 popular
    open-source applications (which include Apache, wu-ftpd, tcpdump and
    mgetty). All these problems are reported under the 'Cross-Platform'
    category. If you have not subscribed to this category, you can view
    this entire issue in its final archive location:
    http://archives.neohapsis.com/archives/securityexpress/2001/

    For those of you with a little spare time, the Honeynet Project has
    released its Forensic Challenge, in which you can try your hand at being
    a computer crime sleuth by analyzing a compromised system and creating
    a comprehensive report. Winners get copies of Hacking Exposed, Second
    Edition.
    http://archives.neohapsis.com/archives/incidents/2001-01/0094.html

    Until next week,
    - Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {00.56.015} Win - MS01-001: Web Client NTLM Authentication Vulnerability
    {00.56.037} Win - MSHTML.dll object redefinition DoS
    {00.56.038} Win - OmniHTTPd statsconfig.pl multiple vulnerabilities
    {00.56.040} Win - Windows Media Player Java vulnerability via custom
                skins
    {00.56.004} Linux - RESOLV_HOST_CONF/HOSTALIASES glibc vulnerability
    {00.56.014} Linux - jaZip DISPLAY environment variable buffer overflow
    {00.56.018} Linux - Various reported vulnerabilities in ReiserFS
    {00.56.029} Linux - Update {00.27.010}: Remote command execution in ISC
                DHCP client
    {00.56.034} Linux - Glibc incorrectly loads libraries from ld.so.cache
                for suid/sgid apps
    {00.56.036} Linux - Update {00.54.002}: Macromedia Shockwave Flash
                plug-in buffer overflow
    {00.56.041} Linux - TrendMicro InterScan Viruswall multiple
                vulnerabilities
    {00.56.044} Linux - SuSE rctab insecure temp file handling
    {00.56.006} BSD - Update {00.49.018}: bash creates insecure tmp files
                for << processing
    {00.56.007} BSD - Update {00.52.026}: Stunnel syslog() format string
                vulnerability
    {00.56.008} BSD - Update {00.47.017}: OpenSSH allows malicious server
                to access X display/ssh-agent
    {00.56.009} BSD - Update {00.52.013}: Zope miscalculates local roles
    {00.56.010} BSD - Update {00.48.005}: Joe DEADJOE file creation follows
                symlinks
    {00.56.011} BSD - Update {00.49.019}: syslog-ng missing '>' DoS
    {00.56.003} Sol - exrecover buffer overflow
    {00.56.017} Sol - arp -f buffer overflow
    {00.56.001} Cross - Update {00.55.017}: Lotus Domino incorrect user
                mailbox access vulnerability
    {00.56.005} Cross - PHP Apache module OPTIONS directory configuration
                vulnerability
    {00.56.012} Cross - Interbase contains hard-coded user-name backdoor
    {00.56.013} Cross - Update {00.53.033}: Oracle Internet Application
                Server vulnerabilities
    {00.56.016} Cross - Compaq Insight Manager authentication user-name
                buffer overflow
    {00.56.019} Cross - wu-ftpd privatepw temp file race condition
    {00.56.020} Cross - Inn insecure temporary file handling
    {00.56.021} Cross - Arpwatch insecure temp file handling
    {00.56.022} Cross - sdiff insecure temp file handling
    {00.56.023} Cross - Mgetty insecure temp file handling
    {00.56.024} Cross - Rdist insecure temp file handling
    {00.56.025} Cross - Getty_ps insecure temp file handling
    {00.56.026} Cross - Gpm insecure temp file handling
    {00.56.027} Cross - Squid insecure temp file handling
    {00.56.028} Cross - Vpop3d (linuxconf) insecure temp file handling
    {00.56.030} Cross - Yahoo Instant Messenger sends passwords in the clear
    {00.56.031} Cross - Multiple vulnerabilities in splitvt
    {00.56.032} Cross - htpasswd/htdigest (Apache) insecure temp file
                handling
    {00.56.033} Cross - Eagle USA shipping software sends user
                name/password clear text
    {00.56.035} Cross - Basilix Web mail system .class/.inc file disclosure
    {00.56.039} Cross - Shadow-utils useradd insecure temp file handling
    {00.56.042} Cross - ProFTPd various memory leaks
    {00.56.043} Cross - exmh insecure temp file handling
    {00.56.045} Cross - Oracle XSQL servlet client-supplied style-sheet
                vulnerability

    - --- Windows News -------------------------------------------------------

    *** {00.56.015} Win - MS01-001: Web Client NTLM Authentication
                    Vulnerability

    Microsoft has released MS01-001 ("Web Client NTLM Authentication
    Vulnerability"). Internet Explorer will automatically send NTLM
    credentials to untrusted zones, allowing a malicious Web site to gain
    a user's NTLM hash. The attacker could then use the hash to impersonate
    the user.

    Affects: Office 2000, Windows 2000, Windows ME

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/ms01-001.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q1/0002.html

    *** {00.56.037} Win - MSHTML.dll object redefinition DoS

    A recent report details a denial of service in MSHTML.dll, which is used
    by Internet Explorer and Outlook to parse HTML pages. A malicious
    e-mail or Web site can cause IE/Outlook to crash by redefining an active
    scripting object.

    Microsoft has apparently confirmed the bug and will fix it in future IE
    updates.

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0024.html

    *** {00.56.038} Win - OmniHTTPd statsconfig.pl multiple vulnerabilities

    The OmniHTTPd server version 2.07 comes with a sample CGI named
    statsconfig.pl that allows a remote attacker to overwrite arbitrary
    files on the system (depending on the permissions of the Web server
    service), as well as execute arbitrary Perl code.

    A third-party patch for statsconfig.pl is located at:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0248.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0248.html

    *** {00.56.040} Win - Windows Media Player Java vulnerability via
                    custom skins

    A vulnerability has been found in the Windows Media Player that allows
    a malicious Web site to force-download a custom skin (theme) for the
    player that contains a Java applet. Since the skin is placed in a
    predictable place, the malicious Web site can then invoke the applet
    under the local security context, bypassing security restrictions and
    gaining read access to the user's system.

    No patches have been made available.

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0023.html

    - --- Linux News ---------------------------------------------------------

    *** {00.56.004} Linux - RESOLV_HOST_CONF/HOSTALIASES glibc vulnerability

    A bug in glibc versions 2.1.9x and after causes glibc to improperly
    unset the RESOLV_HOST_CONF environment variable before executing a
    program with setuid or setgid permissions; this may result in a local
    attacker being able to read arbitrary files via setuid/setgid
    applications. Ping, SSH and traceroute have been reported as being
    capable of exercising this bug. An additional similar security risk has
    been fixed with the HOSTALIASES environment variable.

    A patch is available at:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0222.html

    Slackware has released updated tarballs, which are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0186.html

    Updated Red Hat RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0012.html

    Source: Red Hat, Slackware, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0131.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0153.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0186.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0222.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0012.html

    *** {00.56.014} Linux - jaZip DISPLAY environment variable buffer
                    overflow

    The jaZip application version 0.32 contains a buffer overflow in the
    handling of the DISPLAY environment variable. A local attacker can
    execute arbitrary code under root privileges. An exploit has been
    published.

    No patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0228.html

    *** {00.56.018} Linux - Various reported vulnerabilities in ReiserFS

    A report has surfaced that indicates a buffer overflow in earlier
    versions (3.5.28 indicated as vulnerable) of the ReiserFS file system.
    However, many users running 3.5.29 and later have not been able to
    reproduce the problem. They were able to reproduce an anomaly that
    causes directory listings to be altered if a directory name of a
    certain length is created.

    No patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0127.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0139.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0147.html

    *** {00.56.029} Linux - Update {00.27.010}: Remote command execution in
                    ISC DHCP client

    Caldera has released updated packages to fix the vulnerability discussed
    in {00.35.001} ("Update to {00.27.010}: Remote command execution in ISC
    DHCP client").

    Updated Caldera RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0250.html

    Source: Caldera
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0250.html

    *** {00.56.034} Linux - Glibc incorrectly loads libraries from
                    ld.so.cache for suid/sgid apps

    Red Hat has released an advisory detailing a vulnerability in glibc that
    causes it to incorrectly use libraries found in ld.so.cache. This
    vulnerability could allow an attacker to cause a setuid/setgid
    application to create/overwrite an arbitrary file.

    Red Hat has released updated glibc RPMs, listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0013.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0013.html

    *** {00.56.036} Linux - Update {00.54.002}: Macromedia Shockwave Flash
                    plug-in buffer overflow

    There are some interesting twists to the vulnerability discussed in
    {00.54.002} ("Macromedia Shockwave Flash plug-in buffer overflow"). A
    separately maintained open-source Flash plug-in by Oliver Debon is
    vulnerable to a buffer overflow in the DefineSound tag. To determine
    which Flash plug-in you have, enter "about:plugins" into your Netscape
    URL bar, and look to see if Oliver Debon's name appears in the Flash
    plug-in description.

    No patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0236.html

    *** {00.56.041} Linux - TrendMicro InterScan Viruswall multiple
                    vulnerabilities

    TrendMicro's InterScan Viruswall versions 3.0.1 and 3.6.x have been
    reported to contain two vulnerabilities: authentication and password
    changes are done over clear-text HTTP connections, and the
    (un)installation of the software uses insecure temporary file
    handling, possibly resulting in a local attacker being able to insert
    cron jobs that execute with root privileges.

    TrendMicro says the vulnerabilities will be fixed in the next version.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0235.html

    *** {00.56.044} Linux - SuSE rctab insecure temp file handling

    SuSE's rctab application insecurely creates/handles temporary files,
    which can result in a local attacker overwriting a file or
    enabling/disabling a system daemon. It may be possible to elevate
    privilege in the process. An exploit has been published.

    No patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0226.html

    - --- BSD News -----------------------------------------------------------

    *** {00.56.006} BSD - Update {00.49.018}: bash creates insecure tmp
                    files for << processing

    FreeBSD has released an updated bash port, which fixes the vulnerability
    discussed in {00.49.018} ("bash creates insecure tmp files for <<
    processing").

    The ports collection as of Nov. 29 contains the corrected version.
    Individual packages available for download are listed at:
    http://archives.neohapsis.com/archives/freebsd/2001-01/0212.html

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2001-01/0212.html

    *** {00.56.007} BSD - Update {00.52.026}: Stunnel syslog() format
                    string vulnerability

    FreeBSD has released an updated stunnel port, which fixes the
    vulnerability discussed in {00.52.026} ("Stunnel syslog() format string
    vulnerability").

    The ports collection as of Dec. 20 contains the corrected version.
    Individual packages available for download are listed at:
    http://archives.neohapsis.com/archives/freebsd/2001-01/0214.html

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2001-01/0214.html

    *** {00.56.008} BSD - Update {00.47.017}: OpenSSH allows malicious
                    server to access X display/ssh-agent

    FreeBSD has released an updated OpenSSH port, which fixes the
    vulnerability discussed in {00.47.017} ("OpenSSH allows malicious server
    to access X display/ssh-agent").

    The ports collection as of Nov. 14 contains an updated version.
    Individual packages are available for download at:
    http://archives.neohapsis.com/archives/freebsd/2001-01/0210.html

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2001-01/0210.html

    *** {00.56.009} BSD - Update {00.52.013}: Zope miscalculates local roles

    FreeBSD has released an updated Zope port, which fixes the vulnerability
    discussed in {00.52.013} ("Zope miscalculates local roles").

    The ports collection as of Dec. 20 contains an updated version.
    Individual packages available for download are listed at:
    http://archives.neohapsis.com/archives/freebsd/2001-01/0215.html

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2001-01/0215.html

    *** {00.56.010} BSD - Update {00.48.005}: Joe DEADJOE file creation
                    follows symlinks

    FreeBSD has released an updated Joe port, which fixes the vulnerability
    discussed in {00.48.005} ("Joe DEADJOE file creation follows symlinks").

    The ports collection as of Dec. 12 contains an updated version.
    Individual packages available for download are listed at:
    http://archives.neohapsis.com/archives/freebsd/2001-01/0213.html

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2001-01/0213.html

    *** {00.56.011} BSD - Update {00.49.019}: syslog-ng missing '>' DoS

    FreeBSD has released an updated syslog-ng port, which fixes the
    vulnerability discussed in {00.49.019} ("syslog-ng missing '>' DoS").

    The ports collection as of Nov. 25 contains an updated syslog-ng port.
    Individual files available for download are listed at:
    http://archives.neohapsis.com/archives/freebsd/2001-01/0211.html

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2001-01/0211.html

    - --- Solaris News -------------------------------------------------------

    *** {00.56.003} Sol - exrecover buffer overflow

    A buffer overflow in /usr/lib/exrecover could allow local attackers to
    execute arbitrary code as root. Solaris 2.4, 2.5 and 2.6 ship with
    exrecover setuid root.

    Solaris 7 and 8 do not give setuid permission to exrecover, and it can
    be removed for earlier platforms by executing:

    chmod -s /usr/lib/exrecover

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0119.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0123.html

    *** {00.56.017} Sol - arp -f buffer overflow

    Sun has released a security advisory that details a buffer overflow in
    the -f parameter of the arp binary. Since Solaris 2.4 through 7 ship
    arp setgid root, this can lead to a local attacker executing arbitrary
    code as root.

    Sun released the following patches:
    5.7: 109709-01
    5.7_x86: 109710-01
    5.6: 109719-01
    5.6_x86: 109720-01
    5.5.1: 109721-01
    5.5.1_x86: 109722-01
    5.5: 109707-01
    5.5_x86: 109708-01
    5.4: 109723-01
    5.4_x86: 109724-01

    Source: Sun
    http://archives.neohapsis.com/archives/sun/2001-q1/0000.html

    - --- Cross-Platform News ------------------------------------------------

    *** {00.56.001} Cross - Update {00.55.017}: Lotus Domino incorrect user
                    mailbox access vulnerability

    As a follow-up to the vulnerability discussed in {00.55.017} ("Lotus
    Domino incorrect user mailbox access vulnerability"), we report that
    Lotus doesn't believe the vulnerability exists, and many people have
    not been able to successfully reproduce the problem.

    Source: Lotus (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0209.html

    *** {00.56.005} Cross - PHP Apache module OPTIONS directory
                    configuration vulnerability

    PHP Apache module versions before 4.0.4pl1 contain a security
    vulnerability that allows an attacker to use the per-directory PHP
    configuration values of one directory in conjunction with any other
    script. This is due to PHP's incorrect handling of PHP configuration
    options in combination with OPTIONS requests: the configuration
    options linger and are applied to the next request processed by that
    HTTP child.

    Version 4.0.4pl1 fixes the problem, and is available from:
    http://www.php.net/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0220.html

    *** {00.56.012} Cross - Interbase contains hard-coded user-name backdoor

    Interbase versions 4.x and 5.x, as well as derivatives (Interbase 6.x
    and Firebird 0.9-3), contain a hard-coded backdoor that allows a remote
    attacker to gain unlimited access to the database service.

    Both Interbase and Firebird applications have updates available. There
    is no way to disable the backdoor access; an upgrade is required.

    Source: CERT
    http://archives.neohapsis.com/archives/cc/2001-q1/0000.html

    *** {00.56.013} Cross - Update {00.53.033}: Oracle Internet Application
                    Server vulnerabilities

    Oracle has released an official patch that corrects the vulnerability
    discussed in {00.53.033} ("Oracle Internet Application Server
    vulnerabilities").

    Patch No. 1554571 is available from:
    http://metalink.oracle.com/ (support access required)

    Source: Oracle (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0206.html

    *** {00.56.016} Cross - Compaq Insight Manager authentication user-name
                    buffer overflow

    Compaq's Insight remote-management agents contain a remotely exploitable
    buffer overflow in the authentication process that would allow a remote
    attacker to execute arbitrary code on the system. An exploit has been
    published.

    Compaq has released new agents for Windows and Tru64. More information
    is available at:
    http://www.compaq.com/products/servers/management/agentsecurity.html

    Source: Compaq
    http://archives.neohapsis.com/archives/tru64/2001-q1/0005.html
    http://archives.neohapsis.com/archives/compaq/2001-q1/0015.html

    *** {00.56.019} Cross - wu-ftpd privatepw temp file race condition

    The privatepw application that shipped with wu-ftpd version 2.6.1 uses
    insecure temp file handling, which results in a local race condition.

    A patch has been made available.

    Updated Immunix RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    Updated Mandrake RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0252.html

    Source: Immunix, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0252.html

    *** {00.56.020} Cross - Inn insecure temporary file handling

    Inn version 2.2.3 insecurely handles temporary files. The problem stems
    from inn being configured to use a nonprivate temporary directory.

    WireX has a patched version, as well as updated Immunix RPMs, for
    download:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0169.html

    Caldera has published a workaround:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0258.html

    Source: Immunix, Caldera, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0169.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0258.html

    *** {00.56.021} Cross - Arpwatch insecure temp file handling

    Arpwatch version 2.1a4 insecurely handles temp files, resulting in a
    local race condition.

    Version 2.1a10 fixes the vulnerability.

    Updated Immunix RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0161.html

    Source: Immunix, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0161.html

    *** {00.56.022} Cross - sdiff insecure temp file handling

    The sdiff application (a part of the diffutils package), version 2.7,
    insecurely handles temporary files, resulting in a local race condition.

    A fix will be included in a future release. Immunix and Mandrake have
    released their own updated versions.

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0195.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0212.html

    Source: Immunix, Mandrake, Trustix (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0195.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0212.html

    *** {00.56.023} Cross - Mgetty insecure temp file handling

    Mgetty versions 1.1.22 and 1.1.23 insecurely handle temporary files,
    resulting in a local race condition.

    Updated Immunix RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    Updated Mandrake RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0178.html

    Updated Caldera RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0259.html

    Updated Debian DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2001-q1/0001.html

    Source: Immunix, Caldera, Mandrake, Debian (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0178.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0259.html
    http://archives.neohapsis.com/archives/vendor/2001-q1/0001.html

    *** {00.56.024} Cross - Rdist insecure temp file handling

    Rdist version 6.1.5 insecurely handles temporary files, resulting in a
    local race condition.

    A fix will be applied to a future release. Immunix and Mandrake have
    released updates that include their own fixes.

    Updated Immunix RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    Updated Mandrake RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0175.html

    Source: Immunix, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0175.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    *** {00.56.025} Cross - Getty_ps insecure temp file handling

    Getty_ps version 2.0.7j insecurely handles temporary files, resulting
    in a local race condition.

    An official patch is not available. Immunix and Mandrake have released
    their own patched updates.

    Updated Immunix RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    Updated Mandrake RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0174.html

    Source: Immunix, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0174.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    *** {00.56.026} Cross - Gpm insecure temp file handling

    Gpm version 1.19.3 insecurely handles temporary files, resulting in a
    local race condition.

    A patch has been made available.

    Updated Immunix RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    Updated Mandrake RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0179.html

    Source: Immunix, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0179.html

    *** {00.56.027} Cross - Squid insecure temp file handling

    Certain versions and configurations of squid (versions 2.3 through 2.4)
    insecurely handle temporary files when sending out software-update
    notifications. This may lead to a local race condition.

    Patches have been applied to the latest stable and development versions
    of squid.

    Updated Immunix RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    Updated Mandrake RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0180.html

    Updated Trustix RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0212.html

    Source: Immunix, Mandrake, Trustix (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0180.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0212.html

    *** {00.56.028} Cross - Vpop3d (linuxconf) insecure temp file handling

    The vpop3d application shipped with the linuxconf package, versions
    1.19r through 1.23r, insecurely handles temporary files, resulting in
    a local race condition.

    A patch has been made available in an updated version.

    Updated Immunix RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    Updated Mandrake RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0217.html

    Source: Immunix, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0217.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    *** {00.56.030} Cross - Yahoo Instant Messenger sends passwords in the
                    clear

    A report has surfaced that indicates Yahoo Instant Messenger may send
    user names and passwords in the clear. This has yet to be confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0230.html

    *** {00.56.031} Cross - Multiple vulnerabilities in splitvt

    Splitvt versions prior to 1.6.5 contain multiple buffer overflows as
    well as a format string vulnerability. The vulnerabilities would allow
    local attackers to elevate their privileges, which could include gaining
    egid utmp or euid root. An exploit has been published.

    Version 1.6.5 fixes the vulnerability and is available at:
    http://www.devolution.com/~slouken/projects/splitvt/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0232.html

    *** {00.56.032} Cross - htpasswd/htdigest (Apache) insecure temp file
                    handling

    The htpasswd and htdigest utilities provided with Apache versions 1.3.14
    and 2.0a9 insecurely handle temporary files, which may result in a local
    race condition.

    No official patches have been made available. Immunix has provided its
    own fix.

    Updated Immunix RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    Source: Immunix
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    *** {00.56.033} Cross - Eagle USA shipping software sends user
                    name/password clear text

    A recent report indicates that the Eagle USA shipment tracking software
    sends user names and passwords in clear text to a remote Web server.

    No patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0191.html

    *** {00.56.035} Cross - Basilix Web mail system .class/.inc file
                    disclosure

    The Basilix Web mail system version 0.9.7beta (possibly other versions)
    stores all its configuration information in various .class and .inc
    files in the Web root. If the server allows access to these files, it
    is possible for a remote attacker to retrieve the configuration
    information, which could include database authentication details.

    No patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0198.html

    *** {00.56.039} Cross - Shadow-utils useradd insecure temp file handling

    The useradd application shipped with the shadow-utils package is
    vulnerable to a possible race condition because of insecure temporary
    file handling. However, the vulnerability requires /etc/default to be
    world-writable, which is a misconfiguration.

    Immunix and Mandrake have released updated RPMs.

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0171.html

    Source: Immunix, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0171.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html

    *** {00.56.042} Cross - ProFTPd various memory leaks

    Various reports indicate ProFTPd is vulnerable to two different memory
    leaks caused by repetitive calls to the SIZE or USER commands. Both can
    be triggered remotely; the SIZE DoS requires a login (although an
    anonymous login will work), and the USER DoS does not require any prior
    login. These vulnerabilities are unconfirmed.

    No patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0122.html
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0132.html

    *** {00.56.043} Cross - exmh insecure temp file handling

    exmh has been reported to insecurely handle temporary files, resulting
    in a local race condition.

    More information can be found at:
    http://www.beedub.com/exmh/symlink.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0223.html

    *** {00.56.045} Cross - Oracle XSQL servlet client-supplied style-sheet
                    vulnerability

    The Oracle XSQL servlet shipped with Oracle version 8.1.7 (tested with
    Windows 2000) has been found to accept client-supplied XML style sheets,
    which could contain scripting code that is executed on the target
    server.

    Oracle is working on a patch. A suggested workaround is to set
    'allow-client-style=no' for every xsql page.

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0018.html

    ************************************************************************

    ----------------------------------------------------------------------

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
    can be accessed from the SANS Web site (http://www.sans.org).

    Missed an issue? You can find all back issues of Security Alert
    Consensus (and Security Express) online at
    http://archives.neohapsis.com/.

    Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
    Rights Reserved.

    Distributed by Network Computing (http://www.networkcomputing.com) and
    The SANS Institute (http://www.sans.org).

    Powered by Neohapsis, a Chicago-based security assessment and
    integration services consulting group. info@neohapsis.com |
    http://www.neohapsis.com/