From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Jan 18 2001 - 16:29:39 CST
To: Security Express (SD397643)
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 080 (00.56)
Thursday, January 18, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to SANS' distribution of the Security Alert Consensus.
----------------------------------------------------------------------
Online training in security for sysadmins and security professionals.
More than 2,000 professionals are already using the program -- includes
audio lectures, course books, and hourly quizzes so you can know what
you have and haven't mastered.
Sign up today for the online programs leading to GIAC certification in
Security Essentials.
http://www.sans.org
----------------------------------------------------------------------
We wanted to remind everyone of our internal process for publishing
items in the Security Alert Consensus. Our goal is to minimize and
distill the overload of security-related data into a manageable
quantity. During this process we try to verify and confirm as much as
possible; yet we take the stance that it is better to compose an alert
for a potential (unconfirmed) problem than not to alert on the problem
at all. However, we are going to start making better indications of
the status of reports: whether it's been confirmed by a vendor or
follow-up reports, whether the researcher is known to be credible and
whether an exploit has been published. We hope that will better help
people assess the risk involved.
That said, this week was our biggest week in the history of Security
Express/Security Alert Consensus. WireX went on a wild spree to find
tmp file handling problems and turned them up in 12 popular
open-source applications (which include Apache, wu-ftpd, tcpdump and
mgetty). All these problems are reported under the 'Cross-Platform'
category. If you have not subscribed to this category, you can view
this entire issue at its final archive location:
http://archives.neohapsis.com/archives/securityexpress/2001/
For those of you with a little spare time, the Honeynet Project has
released its Forensic Challenge, in which you can try your hand at being
a computer crime sleuth by analyzing a compromised system and creating
a comprehensive report. Winners get copies of Hacking Exposed, Second
Edition.
http://archives.neohapsis.com/archives/incidents/2001-01/0094.html
Until next week,
- Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{00.56.015} Win - MS01-001: Web Client NTLM Authentication Vulnerability
{00.56.037} Win - MSHTML.dll object redefinition DoS
{00.56.038} Win - OmniHTTPd statsconfig.pl multiple vulnerabilities
{00.56.040} Win - Windows Media Player Java vulnerability via custom
skins
{00.56.004} Linux - RESOLV_HOST_CONF/HOSTALIASES glibc vulnerability
{00.56.014} Linux - jaZip DISPLAY environment variable buffer overflow
{00.56.018} Linux - Various reported vulnerabilities in ReiserFS
{00.56.029} Linux - Update {00.27.010}: Remote command execution in ISC
DHCP client
{00.56.034} Linux - Glibc incorrectly loads libraries from ld.so.cache
for suid/sgid apps
{00.56.036} Linux - Update {00.54.002}: Macromedia Shockwave Flash
plug-in buffer overflow
{00.56.041} Linux - TrendMicro InterScan Viruswall multiple
vulnerabilities
{00.56.044} Linux - SuSE rctab insecure temp file handling
{00.56.006} BSD - Update {00.49.018}: bash creates insecure tmp files
for << processing
{00.56.007} BSD - Update {00.52.026}: Stunnel syslog() format string
vulnerability
{00.56.008} BSD - Update {00.47.017}: OpenSSH allows malicious server
to access X display/ssh-agent
{00.56.009} BSD - Update {00.52.013}: Zope miscalculates local roles
{00.56.010} BSD - Update {00.48.005}: Joe DEADJOE file creation follows
symlinks
{00.56.011} BSD - Update {00.49.019}: syslog-ng missing '>' DoS
{00.56.003} Sol - exrecover buffer overflow
{00.56.017} Sol - arp -f buffer overflow
{00.56.001} Cross - Update {00.55.017}: Lotus Domino incorrect user
mailbox access vulnerability
{00.56.005} Cross - PHP Apache module OPTIONS directory configuration
vulnerability
{00.56.012} Cross - Interbase contains hard-coded user-name backdoor
{00.56.013} Cross - Update {00.53.033}: Oracle Internet Application
Server vulnerabilities
{00.56.016} Cross - Compaq Insight Manager authentication user-name
buffer overflow
{00.56.019} Cross - wu-ftpd privatepw temp file race condition
{00.56.020} Cross - Inn insecure temporary file handling
{00.56.021} Cross - Arpwatch insecure temp file handling
{00.56.022} Cross - sdiff insecure temp file handling
{00.56.023} Cross - Mgetty insecure temp file handling
{00.56.024} Cross - Rdist insecure temp file handling
{00.56.025} Cross - Getty_ps insecure temp file handling
{00.56.026} Cross - Gpm insecure temp file handling
{00.56.027} Cross - Squid insecure temp file handling
{00.56.028} Cross - Vpop3d (linuxconf) insecure temp file handling
{00.56.030} Cross - Yahoo Instant Messenger sends passwords in the clear
{00.56.031} Cross - Multiple vulnerabilities in splitvt
{00.56.032} Cross - htpasswd/htdigest (Apache) insecure temp file
handling
{00.56.033} Cross - Eagle USA shipping software sends user
name/password clear text
{00.56.035} Cross - Basilix Web mail system .class/.inc file disclosure
{00.56.039} Cross - Shadow-utils useradd insecure temp file handling
{00.56.042} Cross - ProFTPd various memory leaks
{00.56.043} Cross - exmh insecure temp file handling
{00.56.045} Cross - Oracle XSQL servlet client-supplied style-sheet
vulnerability
--- Windows News ---------------------------------------------------------
*** {00.56.015} Win - MS01-001: Web Client NTLM Authentication
Vulnerability
Microsoft has released MS01-001 ("Web Client NTLM Authentication
Vulnerability"). Internet Explorer will automatically send NTLM
credentials to untrusted zones, allowing a malicious Web site to gain
a user's NTLM hash. The attacker could then use the hash to impersonate
the user.
Affects: Office 2000, Windows 2000, Windows ME
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/ms01-001.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0002.html
*** {00.56.037} Win - MSHTML.dll object redefinition DoS
A recent report details a denial of service in MSHTML.dll, which is used
by Internet Explorer and Outlook to parse HTML pages. A malicious
e-mail or Web site can cause IE/Outlook to crash by redefining an active
scripting object.
Microsoft has apparently confirmed the bug and will fix it in future IE
updates.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0024.html
*** {00.56.038} Win - OmniHTTPd statsconfig.pl multiple vulnerabilities
The OmniHTTPd server version 2.07 ships with a sample CGI named
statsconfig.pl that allows a remote attacker to overwrite arbitrary files
on the system (subject to the permissions of the Web server service),
as well as execute arbitrary Perl code.
A third-party patch for statsconfig.pl is located at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0248.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0248.html
*** {00.56.040} Win - Windows Media Player Java vulnerability via
custom skins
A vulnerability has been found in the Windows Media Player that allows
a malicious Web site to force-download a custom skin (theme) for the
player that contains a Java applet. Since the skin is placed in a
predictable place, the malicious Web site can then invoke the applet
under the local security context, bypassing security restrictions and
gaining read access to the user's system.
No patches have been made available.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0023.html
--- Linux News -----------------------------------------------------------
*** {00.56.004} Linux - RESOLV_HOST_CONF/HOSTALIASES glibc vulnerability
A bug in glibc versions 2.1.9x and after causes glibc to improperly
unset the RESOLV_HOST_CONF environment variable before executing a
program with setuid or setgid permissions; this may result in a local
attacker being able to read arbitrary files via setuid/setgid
applications. Ping, SSH and traceroute have been reported as being
capable of exercising this bug. An additional similar security risk has
been fixed with the HOSTALIASES environment variable.
A patch is available at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0222.html
Slackware has released updated tarballs, which are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0186.html
Updated Red Hat RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0012.html
Source: Red Hat, Slackware, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0131.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0153.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0186.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0222.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0012.html
*** {00.56.014} Linux - jaZip DISPLAY environment variable buffer
overflow
The jaZip application version 0.32 contains a buffer overflow in the
handling of the DISPLAY environment variable. A local attacker can
execute arbitrary code under root privileges. An exploit has been
published.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0228.html
*** {00.56.018} Linux - Various reported vulnerabilities in ReiserFS
A report has surfaced indicating a buffer overflow in earlier versions
(3.5.28 is indicated as vulnerable) of the ReiserFS file system.
Many users running 3.5.29 and later have not been able to reproduce
the overflow; they were, however, able to reproduce an anomaly that
causes directory listings to be altered when a directory name of a
certain length is created.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0127.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0139.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0147.html
*** {00.56.029} Linux - Update {00.27.010}: Remote command execution in
ISC DHCP client
Caldera has released updated packages to fix the vulnerability discussed
in {00.35.001} ("Update to {00.27.010}: Remote command execution in ISC
DHCP client").
Updated Caldera RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0250.html
Source: Caldera
http://archives.neohapsis.com/archives/bugtraq/2001-01/0250.html
*** {00.56.034} Linux - Glibc incorrectly loads libraries from
ld.so.cache for suid/sgid apps
Red Hat has released an advisory detailing a vulnerability in glibc that
causes it to incorrectly use libraries found in ld.so.cache. This
vulnerability could allow an attacker to cause a setuid/setgid
application to create/overwrite an arbitrary file.
Red Hat has released updated glibc RPMs, listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0013.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0013.html
*** {00.56.036} Linux - Update {00.54.002}: Macromedia Shockwave Flash
plug-in buffer overflow
There are some interesting twists to the vulnerability discussed in
{00.54.002} ("Macromedia Shockwave Flash plug-in buffer overflow"). A
separately maintained open-source Flash plug-in by Oliver Debon is
vulnerable to a buffer overflow in the DefineSound tag. To determine
which Flash plug-in you have, enter "about:plugins" into your Netscape
URL bar, and look to see if Oliver Debon's name appears in the Flash
plug-in description.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0236.html
*** {00.56.041} Linux - TrendMicro InterScan Viruswall multiple
vulnerabilities
TrendMicro's InterScan Viruswall versions 3.0.1 and 3.6.x have been
reported to have two vulnerabilities: authentication and password
changes are done over clear-text HTTP connections, and the
(un)installation of the software uses insecure temporary file handling,
possibly allowing a local attacker to insert cron jobs that execute
with root privileges.
TrendMicro says the vulnerabilities will be fixed in the next version.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0235.html
*** {00.56.044} Linux - SuSE rctab insecure temp file handling
SuSE's rctab application insecurely creates/handles temporary files,
which can result in a local attacker overwriting a file or
enabling/disabling a system daemon. It may be possible to elevate
privilege in the process. An exploit has been published.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0226.html
--- BSD News -------------------------------------------------------------
*** {00.56.006} BSD - Update {00.49.018}: bash creates insecure tmp
files for << processing
FreeBSD has released an updated bash port, which fixes the vulnerability
discussed in {00.49.018} ("bash creates insecure tmp files for <<
processing").
The port collection as of Nov. 29 contains the corrected version.
Individual packages available for download are listed at:
http://archives.neohapsis.com/archives/freebsd/2001-01/0212.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-01/0212.html
*** {00.56.007} BSD - Update {00.52.026}: Stunnel syslog() format
string vulnerability
FreeBSD has released an updated stunnel port, which fixes the
vulnerability discussed in {00.52.026} ("Stunnel syslog() format string
vulnerability").
The ports collection as of Dec. 20 contains the corrected version.
Individual packages available for download are listed at:
http://archives.neohapsis.com/archives/freebsd/2001-01/0214.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-01/0214.html
*** {00.56.008} BSD - Update {00.47.017}: OpenSSH allows malicious
server to access X display/ssh-agent
FreeBSD has released an updated OpenSSH port, which fixes the
vulnerability discussed in {00.47.017} ("OpenSSH allows malicious server
to access X display/ssh-agent").
The ports collection as of Nov. 14 contains an updated version.
Individual packages are available for download at:
http://archives.neohapsis.com/archives/freebsd/2001-01/0210.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-01/0210.html
*** {00.56.009} BSD - Update {00.52.013}: Zope miscalculates local roles
FreeBSD has released an updated Zope port, which fixes the vulnerability
discussed in {00.52.013} ("Zope miscalculates local roles").
The ports collection as of Dec. 20 contains an updated version.
Individual packages available for download are listed at:
http://archives.neohapsis.com/archives/freebsd/2001-01/0215.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-01/0215.html
*** {00.56.010} BSD - Update {00.48.005}: Joe DEADJOE file creation
follows symlinks
FreeBSD has released an updated Joe port, which fixes the vulnerability
discussed in {00.48.005} ("Joe DEADJOE file creation follows symlinks").
The ports collection as of Dec. 12 contains an updated version.
Individual packages available for download are listed at:
http://archives.neohapsis.com/archives/freebsd/2001-01/0213.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-01/0213.html
*** {00.56.011} BSD - Update {00.49.019}: syslog-ng missing '>' DoS
FreeBSD has released an updated syslog-ng port, which fixes the
vulnerability discussed in {00.49.019} ("syslog-ng missing '>' DoS").
The ports collection as of Nov. 25 contains an updated syslog-ng port.
Individual files available for download are listed at:
http://archives.neohapsis.com/archives/freebsd/2001-01/0211.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-01/0211.html
--- Solaris News ---------------------------------------------------------
*** {00.56.003} Sol - exrecover buffer overflow
A buffer overflow in /usr/lib/exrecover could allow local attackers to
execute arbitrary code as root. Solaris 2.4, 2.5 and 2.6 ship with
exrecover setuid root.
Solaris 7 and 8 do not give setuid permission to exrecover, and it can
be removed for earlier platforms by executing:
chmod -s /usr/lib/exrecover
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0119.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0123.html
*** {00.56.017} Sol - arp -f buffer overflow
Sun has released a security advisory that details a buffer overflow in
the -f parameter of the arp binary. Since Solaris 2.4 through 7 ship
arp setgid root, this can lead to a local attacker executing arbitrary
code as root.
Sun released the following patches:
5.7: 109709-01
5.7_x86: 109710-01
5.6: 109719-01
5.6_x86: 109720-01
5.5.1: 109721-01
5.5.1_x86: 109722-01
5.5: 109707-01
5.5_x86: 109708-01
5.4: 109723-01
5.4_x86: 109724-01
Source: Sun
http://archives.neohapsis.com/archives/sun/2001-q1/0000.html
--- Cross-Platform News --------------------------------------------------
*** {00.56.001} Cross - Update {00.55.017}: Lotus Domino incorrect user
mailbox access vulnerability
As a follow-up to the vulnerability discussed in {00.55.017} ("Lotus
Domino incorrect user mailbox access vulnerability"), we report that
Lotus doesn't believe the vulnerability exists, and many people have
not been able to successfully reproduce the problem.
Source: Lotus (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0209.html
*** {00.56.005} Cross - PHP Apache module OPTIONS directory
configuration vulnerability
PHP Apache module versions before 4.0.4pl1 contain a security
vulnerability that would allow an attacker to use the per-directory
PHP configuration values of one directory in conjunction with any
other script. This is due to PHP's incorrect handling of PHP
configuration options in combination with OPTIONS requests: the
configuration options linger and are applied to the next request
processed by that HTTP child.
Version 4.0.4pl1 fixes the problem, and is available from:
http://www.php.net/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0220.html
*** {00.56.012} Cross - Interbase contains hard-coded user-name backdoor
Interbase versions 4.x and 5.x, as well as derivatives (Interbase 6.x
and Firebird 0.9-3), contain a hard-coded backdoor that allows a remote
attacker to gain unlimited access to the database service.
Both Interbase and Firebird have updates available. There is no way to
disable the backdoor access; an upgrade is required.
Source: CERT
http://archives.neohapsis.com/archives/cc/2001-q1/0000.html
*** {00.56.013} Cross - Update {00.53.033}: Oracle Internet Application
Server vulnerabilities
Oracle has released an official patch that corrects the vulnerability
discussed in {00.53.033} ("Oracle Internet Application Server
vulnerabilities").
Patch No. 1554571 is available from:
http://metalink.oracle.com/ (support access required)
Source: Oracle (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0206.html
*** {00.56.016} Cross - Compaq Insight Manager authentication user-name
buffer overflow
Compaq's Insight remote-management agents contain a remotely exploitable
buffer overflow in the authentication process that would allow a remote
attacker to execute arbitrary code on the system. An exploit has been
published.
Compaq has released new agents for Windows and Tru64. More information
is available at:
http://www.compaq.com/products/servers/management/agentsecurity.html
Source: Compaq
http://archives.neohapsis.com/archives/tru64/2001-q1/0005.html
http://archives.neohapsis.com/archives/compaq/2001-q1/0015.html
*** {00.56.019} Cross - wu-ftpd privatepw temp file race condition
The privatepw application that shipped with wu-ftpd version 2.6.1 uses
insecure temp file handling, which results in a local race condition.
A patch has been made available.
Updated Immunix RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0252.html
Source: Immunix, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0252.html
*** {00.56.020} Cross - Inn insecure temporary file handling
Inn version 2.2.3 insecurely handles temporary files. The problem stems
from a misconfiguration of inn by using a nonprivate temporary
directory.
WireX has a patched version, as well as updated Immunix RPMs, for
download:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0169.html
Caldera has published a workaround:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0258.html
Source: Immunix, Caldera, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0169.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0258.html
*** {00.56.021} Cross - Arpwatch insecure temp file handling
Arpwatch version 2.1a4 insecurely handles temp files, resulting in a
local race condition.
Version 2.1a10 fixes the vulnerability.
Updated Immunix RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0161.html
Source: Immunix, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0161.html
*** {00.56.022} Cross - sdiff insecure temp file handling
The sdiff application (a part of the diffutils package), version 2.7,
insecurely handles temporary files, resulting in a local race condition.
A fix will be included in a future release. Immunix and Mandrake have
released their own updated versions.
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0195.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0212.html
Source: Immunix, Mandrake, Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0195.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0212.html
*** {00.56.023} Cross - Mgetty insecure temp file handling
Mgetty versions 1.1.22 and 1.1.23 insecurely handle temporary files,
resulting in a local race condition.
Updated Immunix RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0178.html
Updated Caldera RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0259.html
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0001.html
Source: Immunix, Caldera, Mandrake, Debian (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0178.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0259.html
http://archives.neohapsis.com/archives/vendor/2001-q1/0001.html
*** {00.56.024} Cross - Rdist insecure temp file handling
Rdist version 6.1.5 insecurely handles temporary files, resulting in a
local race condition.
A fix will be applied to a future release. Immunix and Mandrake have
released updates that include their own fixes.
Updated Immunix RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0175.html
Source: Immunix, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0175.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
*** {00.56.025} Cross - Getty_ps insecure temp file handling
Getty_ps version 2.0.7j insecurely handles temporary files, resulting
in a local race condition.
An official patch is not available. Immunix and Mandrake have released
their own patched updates.
Updated Immunix RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0174.html
Source: Immunix, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0174.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
*** {00.56.026} Cross - Gpm insecure temp file handling
Gpm version 1.19.3 insecurely handles temporary files, resulting in a
local race condition.
A patch has been made available.
Updated Immunix RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0179.html
Source: Immunix, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0179.html
*** {00.56.027} Cross - Squid insecure temp file handling
Certain versions and configurations of squid (versions 2.3 through 2.4)
insecurely handle temporary files when sending out software-update
notifications. This may lead to a local race condition.
Patches have been applied to the latest stable and development versions
of squid.
Updated Immunix RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0180.html
Updated Trustix RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0212.html
Source: Immunix, Mandrake, Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0180.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0212.html
*** {00.56.028} Cross - Vpop3d (linuxconf) insecure temp file handling
The vpop3d application shipped with the linuxconf package, versions
1.19r through 1.23r, insecurely handles temporary files, resulting in
a local race condition.
A patch has been made available in an updated version.
Updated Immunix RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0217.html
Source: Immunix, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0217.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
*** {00.56.030} Cross - Yahoo Instant Messenger sends passwords in the
clear
A report has surfaced that indicates Yahoo Instant Messenger may send
user names and passwords in the clear. This has yet to be confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0230.html
*** {00.56.031} Cross - Multiple vulnerabilities in splitvt
Splitvt versions prior to 1.6.5 contain multiple buffer overflows as
well as a format string vulnerability. The vulnerabilities would allow
local attackers to elevate their privileges, which could include gaining
egid utmp or euid root. An exploit has been published.
Version 1.6.5 fixes the vulnerability and is available at:
http://www.devolution.com/~slouken/projects/splitvt/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0232.html
*** {00.56.032} Cross - htpasswd/htdigest (Apache) insecure temp file
handling
The htpasswd and htdigest utilities provided with Apache versions 1.3.14
and 2.0a9 insecurely handle temporary files, which may result in a local
race condition.
No official patches have been made available. Immunix has provided its
own fix.
Updated Immunix RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
Source: Immunix
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
*** {00.56.033} Cross - Eagle USA shipping software sends user
name/password clear text
A recent report indicates that the Eagle USA shipment tracking software
sends user names and passwords in clear text to a remote Web server.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0191.html
*** {00.56.035} Cross - Basilix Web mail system .class/.inc file
disclosure
The Basilix Web mail system version 0.9.7beta (possibly other versions)
stores all its configuration information in various .class and .inc
files in the Web root. If the server allows access to these files, it
is possible for a remote attacker to retrieve the configuration
information, which could include database authentication details.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0198.html
*** {00.56.039} Cross - Shadow-utils useradd insecure temp file handling
The useradd application shipped with the shadow-utils package is
vulnerable to a possible race condition because of insecure temporary
file handling. However, the vulnerability requires /etc/default to be
world-writable, which is a misconfiguration.
Immunix and Mandrake have released updated RPMs.
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0171.html
Source: Immunix, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0171.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0010.html
*** {00.56.042} Cross - ProFTPd various memory leaks
Various reports indicate ProFTPd is vulnerable to two different memory
leaks caused by repetitive calls to the SIZE or USER commands. Both can
be done remotely; the SIZE DoS requires a login (although anonymous will
work), and the USER DoS does not require any prior login. These
vulnerabilities are unconfirmed.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0122.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0132.html
*** {00.56.043} Cross - exmh insecure temp file handling
exmh has been reported to insecurely handle temporary files, resulting
in a local race condition.
More information can be found at:
http://www.beedub.com/exmh/symlink.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0223.html
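The insecure temp file items in this issue (wu-ftpd privatepw, Inn, Arpwatch, sdiff, Mgetty, Rdist, Getty_ps, Gpm, Squid, vpop3d, htpasswd/htdigest, useradd and exmh) share one root cause, so one illustration serves them all. The following C program is an added example, not code from any of the affected projects or from WireX: it shows the vulnerable open() pattern next to the O_EXCL/O_NOFOLLOW and mkstemp() forms that close the hole, in a private scratch directory under /tmp with constructed file names; the function names are ours.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: a fixed, predictable name opened with O_CREAT but
 * without O_EXCL. If a symlink was planted at that name first, open()
 * follows it and the program truncates and writes the link's target. */
static int open_tmp_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL fails if anything already exists at the name
 * (a symlink included) and O_NOFOLLOW refuses symlinks outright. Pair it
 * with an unpredictable name, which is exactly what mkstemp() does. */
static int open_tmp_secure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scene in a private directory: a "victim" file with known
 * content and a symlink at the predictable temp name pointing to it. */
static int setup_scene(char *dir, char *victim, char *link, size_t n)
{
    strcpy(dir, "/tmp/sac-tmprace.XXXXXX");    /* constructed sandbox */
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, n, "%s/victim", dir);
    snprintf(link, n, "%s/app.tmp", dir);     /* the predictable name */
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "original", 8) != 8 || close(fd) != 0)
        return -1;
    return symlink(victim, link);
}

static void teardown_scene(const char *dir, const char *victim, const char *link)
{
    unlink(link); unlink(victim); rmdir(dir);
}

/* 1 if the victim now holds "clobbered", 0 if not, -1 if unreadable. */
static int victim_was_overwritten(const char *victim)
{
    char buf[32] = {0};
    int fd = open(victim, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = read(fd, buf, sizeof buf - 1);
    close(fd);
    return got == 9 && memcmp(buf, "clobbered", 9) == 0;
}

/* Returns 1 if the insecure open wrote through the planted symlink. */
int insecure_open_follows_symlink(void)
{
    char dir[64], victim[PATH_MAX], link[PATH_MAX];
    if (setup_scene(dir, victim, link, sizeof victim) != 0)
        return -1;
    int fd = open_tmp_insecure(link), result = 0;
    if (fd >= 0) {
        if (write(fd, "clobbered", 9) == 9)
            result = victim_was_overwritten(victim);
        close(fd);
    }
    teardown_scene(dir, victim, link);
    return result;
}

/* Returns 1 if the hardened open refuses the planted symlink (EEXIST or
 * ELOOP) and the victim is left untouched. */
int secure_open_refuses_symlink(void)
{
    char dir[64], victim[PATH_MAX], link[PATH_MAX];
    if (setup_scene(dir, victim, link, sizeof victim) != 0)
        return -1;
    int fd = open_tmp_secure(link);
    int refused = fd < 0 && (errno == EEXIST || errno == ELOOP);
    if (fd >= 0) close(fd);
    int untouched = victim_was_overwritten(victim) == 0;
    teardown_scene(dir, victim, link);
    return refused && untouched;
}

/* Returns 1 if mkstemp() hands back a brand-new, empty regular file:
 * random suffix plus O_EXCL means nobody could have pre-planted it. */
int mkstemp_gives_fresh_file(void)
{
    char tmpl[] = "/tmp/sac-safe.XXXXXX";      /* constructed template */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    struct stat st;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_size == 0;
    close(fd);
    unlink(tmpl);
    return ok;
}
```

Each function returns 1 when the behaviour its comment describes is observed, so a caller can wire them into a regression check; -1 means the scratch directory could not be created.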
*** {00.56.045} Cross - Oracle XSQL servlet client-supplied style-sheet
vulnerability
The Oracle XSQL servlet shipped with Oracle version 8.1.7 (tested with
Windows 2000) has been found to accept client-supplied XML style sheets,
which could contain scripting code that is executed on the target
server.
Oracle is working on a patch. A suggested workaround is to set
'allow-client-style=no' for every xsql page.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0018.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE6Z2AY+LUG5KFpTkYRAncvAKCUsaMBstp5uPplq4a7wXlKKLBgkwCgpTtK
I0nB/OnOiMoEx9l3wOgzOQg=
=TvFQ
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
If this e-mail was passed to you and you would like to begin receiving
our security e-mail newsletter on a weekly basis, we invite you to
subscribe today at http://www.sans.org/sansnews/. Become
a Security Alert Consensus member!
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can be accessed from the SANS Web site (http://www.sans.org).
Special Note:
To better secure your confidential information, we will no longer
include personal URLs in our Consensus newsletter mailings. Instead, we
have created a new form, located at http://www.sans.org/sansurl. There,
you can enter the SD number located near your name at the top of the
newsletter. When you submit this form, an e-mail containing a URL will
be sent to you at the e-mail address on record. With this URL, you can
make changes to your account (edit the content of your Consensus
mailing, for example) without endangering the security of your personal
URL. If you'd like to change your e-mail address or other information
or unsubscribe to this newsletter, please visit your new URL as
described above. If you have any problems or questions, e-mail us at
<consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved.
Distributed by Network Computing (http://www.networkcomputing.com) and
The SANS Institute (http://www.sans.org).
Powered by Neohapsis, a Chicago-based security assessment and
integration services consulting group. info@neohapsis.com
http://www.neohapsis.com/