From: Network Computing and The SANS Institute (sans+ZZ20708403432025738_at_sans.org)
Date: Thu Jul 11 2002 - 15:25:08 CDT

    To: Security Express (SD397643)
    Re: Your personalized newsletter
     
                     -- Security Alert Consensus --
                           Number 027 (02.27)
                         Thursday, July 11, 2002
                           Created for you by
                 Network Computing and the SANS Institute
                           Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus.

    ----------------------------------------------------------------------

    The Center for Internet Security Will Soon Release Benchmark Security
    Standards For Securing Apache Servers; SANS Will Launch A New Training
    Program Based On The Benchmark on August 28 in DC.
    See for course outline: http://www.sans.org/CIS_Apache
    Register for the DC Course:
    https://registration.sans.org/cgi-bin/SecuringApache_register

    ----------------------------------------------------------------------

    This week's recap is not as grim as in weeks prior. While vendors
    are still releasing patches for the previous DNS resolver, OpenSSH
    and Apache vulnerabilities, the notable items this week include a
    security update to the Squid proxy server (item {02.27.004}) and two
    problems in the iPlanet Web Server search feature (items {02.27.009}
    and {02.27.016}).

    On the lighter side of security, an advisory released this week
    details various security problems in the new Sharp Zaurus PDA. If
    you connect your Zaurus to a network of some sort, an attacker
    can potentially access the FTP service -- and your files --
    unhindered. So, much like a laptop or a desktop, you need to be wary
    when connecting other portable computing devices to public networks.
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0093.html

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.27.011} Win - Worldspan gateway malformed connection DoS
    {02.27.013} Win - BEA Weblogic connection flood DoS
    {02.27.015} Win - MyWebServer large URL DoS
    {02.27.019} Win - Argosoft Mail Server Pro arbitrary file retrieval
    {02.27.021} Win - KF Web Server %00 directory browsing
    {02.27.005} Linux - Update {02.25.023}: OpenSSH version 3.4 available,
                security vulnerabilities
    {02.27.010} Linux - Updated Mandrake kernels
    {02.27.008} Sol - SUNWspvnc weak password protocol
    {02.27.001} AIX - DFSWeb scripts relative command execution
    {02.27.002} AIX - SMIT scripts relative command execution
    {02.27.003} AIX - Update {02.26.002}: DNS libresolve/resolver buffer
                overflow
    {02.27.017} NApps - Watchguard Firebox DVCP service DoS
    {02.27.012} Other - MacOSX SoftwareUpdate unauthenticated downloads
    {02.27.004} Cross - Squid 2.4.STABLE7 released, with security fixes
    {02.27.006} Cross - Ethereal 0.9.5 released, with security fixes
    {02.27.007} Cross - Lotus Domino R4 file download
    {02.27.009} Cross - iPlanet Web Server search CGI file reading
    {02.27.014} Cross - Urlcount.cgi report CSS vulnerability
    {02.27.016} Cross - iPlanet Web Server search CGI overflow
    {02.27.018} Cross - Inktomi Traffic Server traffic_manager command line
                overflow
    {02.27.020} Cross - Xircon IRC client large message DoS

    - --- Windows News -------------------------------------------------------

    *** {02.27.011} Win - Worldspan gateway malformed connection DoS

    The Worldspan gateway daemon shipped with Worldspan for Windows
    version 4.1 crashes when sent malformed data, leading to a denial of
    service attack.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0048.html

    *** {02.27.013} Win - BEA Weblogic connection flood DoS

    BEA Weblogic versions 7.0 and prior that use the performance pack
    (enabled by default) crash when a remote attacker causes a particular
    connection flood, leading to a denial of service attack.

    The advisory indicates confirmation by the vendor, which released
    a patch.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0008.html

    *** {02.27.015} Win - MyWebServer large URL DoS

    MyWebServer version 1.02 crashes when a remote attacker submits a
    large URL request, leading to a denial of service attack.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0073.html

    *** {02.27.019} Win - Argosoft Mail Server Pro arbitrary file retrieval

    The HTTP server included with Argosoft Mail Server Pro version
    1.8.1.5 allows remote attackers to view/download arbitrary files
    located outside the Webroot by using reverse directory traversal
    ('..') notation in URL requests.

    This vulnerability is confirmed; a patch is available at:
    http://www.argosoft.com/applications/mailserver/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0029.html

    *** {02.27.021} Win - KF Web Server %00 directory browsing

    KF Web Server version 1.0.2 displays directory indexes regardless
    of the existence of a default HTML document (index.html). This
    vulnerability is triggered by appending '%00' to the URL request.

    This vulnerability is confirmed by the vendor, which released version
    1.0.3. It is available at:
    http://www.keyfocus.net/kfws/download/

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0007.html

    - --- Linux News ---------------------------------------------------------

    *** {02.27.005} Linux - Update {02.25.023}: OpenSSH version 3.4
                    available, security vulnerabilities

    Mandrake released updated OpenSSH packages, which fix the vulnerability
    discussed in {02.25.023} ("OpenSSH version 3.4 available, security
    vulnerabilities").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0027.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0027.html

    *** {02.27.010} Linux - Updated Mandrake kernels

    Mandrake released updated kernel packages, which fix various
    vulnerabilities previously reported in SAC.

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0042.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0042.html

    - --- Solaris News -------------------------------------------------------

    *** {02.27.008} Sol - SUNWspvnc weak password protocol

    Sun's SUNWspvnc package, which provides a modified VNC client and
    server, reportedly uses a weak authentication method. As a result,
    attackers who are capable of observing the initial client-server
    traffic would be able to recover the valid password.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0003.html

    - --- AIX News -----------------------------------------------------------

    *** {02.27.001} AIX - DFSWeb scripts relative command execution

    IBM released APAR IY29749, which fixes various DFSWeb scripts to use
    absolute file names when executing external commands.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2002-q3/0000.html

    *** {02.27.002} AIX - SMIT scripts relative command execution

    IBM released APARs IY23359 and IY29579, which fix potential security
    problems in various SMIT scripts that do not use absolute file names
    when executing external commands.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2002-q3/0000.html

    *** {02.27.003} AIX - Update {02.26.002}: DNS libresolve/resolver
                    buffer overflow

    IBM released APARs, which fix the vulnerability discussed in
    {02.26.002} ("DNS libresolve/resolver buffer overflow").

    Install APAR IY32719 for AIX 4.3 and APAR IY32746 for AIX 5.1.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2002-q3/0001.html

    - --- Network Appliances News --------------------------------------------

    *** {02.27.017} NApps - Watchguard Firebox DVCP service DoS

    The DVCP service included with the Watchguard Firebox running firmware
    prior to version 6.0.b1140 crashes when a remote attacker submits
    a particular stream of malformed data to the service, leading to a
    denial of service attack.

    This vulnerability is confirmed and fixed in firmware version
    6.0.b1140.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0012.html

    - --- Other News ---------------------------------------------------------

    *** {02.27.012} Other - MacOSX SoftwareUpdate unauthenticated downloads

    A released advisory indicates the MacOSX SoftwareUpdate component
    downloads software updates over unauthenticated HTTP before executing
    them with root privileges. It's possible for a malicious proxy server
    or attacker who is capable of redirecting traffic to feed trojaned
    updates to the system.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0061.html

    - --- Cross-Platform News ------------------------------------------------

    *** {02.27.004} Cross - Squid 2.4.STABLE7 released, with security fixes

    Squid version 2.4.STABLE7 was released. The new version contains
    several security fixes, many of which were previously reported in SAC.

    Source code available at:
    http://www.squid-cache.org/Versions/v2/2.4/

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0003.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0002.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q3/0191.html

    Source: SecurityFocus Bugtraq, Red Hat, Conectiva, SuSE
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0036.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0003.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0002.html
    http://archives.neohapsis.com/archives/linux/suse/2002-q3/0191.html

    *** {02.27.006} Cross - Ethereal 0.9.5 released, with security fixes

    Ethereal version 0.9.5 was released. This version corrects security
    vulnerabilities found in various protocol decode plugins.

    Source code is available from:
    http://www.ethereal.com/

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0001.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0001.html

    *** {02.27.007} Cross - Lotus Domino R4 file download

    An advisory indicates the R4 series of the Lotus Domino server allows
    a remote attacker to download files from the Webroot (regardless
    of any access control lists) by appending a '?' character to the
    request. Requests for admin.nsf and other default databases appear
    to be immune. The Domino R5 series is reportedly not vulnerable. Only
    files in the default Webroot are vulnerable to exposure.

    The advisory indicates vendor confirmation.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0001.html

    *** {02.27.009} Cross - iPlanet Web Server search CGI file reading

    iPlanet Web Server versions 6.0SP2 and prior contain a bug in the
    search CGI interface that allows a remote attacker to use reverse
    directory traversal notation in the 'NS-query-pat' URL parameter to
    access and read files outside the Webroot.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0085.html

    *** {02.27.014} Cross - Urlcount.cgi report CSS vulnerability

    PowerBASIC Inc.'s Urlcount CGI contains a cross-site scripting
    vulnerability in the handling of URLs inserted in generated reports.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0072.html

    *** {02.27.016} Cross - iPlanet Web Server search CGI overflow

    The search service included with iPlanet Web Server versions
    6.0 and prior contains a buffer overflow in the handling of the
    'NS-rel-doc-name' URL parameter, allowing a remote attacker to execute
    arbitrary code.

    The advisory indicates confirmation by the vendor, which fixed this
    vulnerability in the latest service packs.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0011.html

    *** {02.27.018} Cross - Inktomi Traffic Server traffic_manager command
                    line overflow

    The traffic_manager utility shipped with Inktomi Traffic Server
    versions 5.2.2 and prior contains a buffer overflow in the handling
    of a long 'path' argument, resulting in the execution of arbitrary
    code under root privileges.

    This vulnerability is confirmed by the vendor, which published a
    workaround that is available at:
    http://support.inktomi.com/kb/070202-003.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0023.html

    *** {02.27.020} Cross - Xircon IRC client large message DoS

    The Xircon IRC client version .10B4 contains a denial of service
    whereby an attacker sends a large private message to the vulnerable
    user, which causes the user to be disconnected from the IRC server.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0005.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9LeI2+LUG5KFpTkYRAj40AJoDmxQJy7vI491CD4Oc833AmNCrEgCePZiQ
    5xfoOgvBwsF+vpoLopmjPiI=
    =2oiC
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.sans.org/sansnews/

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensusnwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).