From: Network Computing and The SANS Institute (sans+ZZ05679657417336644_at_sans.org)
Date: Thu Nov 21 2002 - 15:09:39 CST


    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 046 (02.46)
                      Thursday, November 21, 2002
                           Created for you by
                Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus

    ************************* Begin Advertisement ************************

    This issue sponsored by Rainbow Technologies' Instant Private Web.

    Secure your Web applications, e-mail, and Extranet in one day. Tired
    of managing and deploying VPN clients. Instant Private Web does not
    require changes to ANY of your INFRASTRUCTURE. Learn When to VPN and
    when Not to VPN - Download the Whitepaper here.
    http://www.rainbow.com/techwebdaily2

    ************************** End Advertisement *************************

    If you haven't heard already, trojan copies of tcpdump and libpcap
    were found last week. Attackers broke into the official distribution
    site and modified the source tarballs, which were downloaded between
    November 11th and November 13th. What's worse, these files were
    propagated to mirrors, so it's hard to say what the total exposure
    is. If you downloaded tcpdump or libpcap source tarballs in the last
    10 days, you should definitely verify the checksums of the files.
    http://archives.neohapsis.com/archives/cc/2002-q4/0003.html

    This vulnerability brings up a good point--verifying file
    downloads. How often do you yank a software package or update from
    a site (or, worse, a mirror of that site) and run/use it without
    verifying that the file hasn't been trojaned? Note that while virus
    checkers do their part in finding viral activity, unique trojans are a
    different beast entirely. You have to wonder how secure each of the
    various software mirror sites is...and thus, how trustworthy the
    mirrored files are.

    If you haven't been verifying your downloads, you should definitely
    start. Sure, it may take an extra minute to run an MD5 checksum
    program over the downloaded file, but that one minute can save you
    from being the next victim.
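    The checksum routine described above, written out as a small POSIX
    shell helper. This is an added example, not code from the newsletter
    or from the tcpdump project; the tarball name and digest in the
    comments are constructed, and it assumes md5sum (coreutils) or
    openssl is installed. The same logic works unchanged with sha256sum,
    which is the better choice today since MD5 is no longer collision
    resistant.

```shell
#!/bin/sh
# Verify a downloaded tarball against a checksum obtained out of band.
# Added example; not part of the newsletter. Assumes md5sum or openssl.

# compute_md5 FILE -> prints the lowercase hex MD5 digest of FILE
compute_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 "$1" | awk '{print $NF}'
    else
        echo "no MD5 tool available" >&2
        return 2
    fi
}

# verify_download FILE EXPECTED_MD5
# Returns 0 when FILE's digest equals EXPECTED_MD5 (case-insensitive),
# 1 on mismatch, 2 if no digest tool exists. EXPECTED_MD5 must come from
# the project's own site or a signed announcement, never from the mirror
# that served the tarball; a trojaned mirror can serve a matching sum.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(compute_md5 "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches published checksum"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# verify_sums_file SUMSFILE
# Checks every "digest  filename" line of a published MD5SUMS-style file
# (the format md5sum itself writes) and returns 1 if any file fails.
verify_sums_file() {
    rc=0
    while read -r sum name; do
        [ -z "$sum" ] && continue
        verify_download "$name" "$sum" || rc=1
    done < "$1"
    return $rc
}

# Typical use, with constructed names:
#   verify_download tcpdump-3.7.1.tar.gz <digest from the vendor page>
#   verify_sums_file MD5SUMS
```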

    Until next week,
    -- Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.46.019} Win - TFTPD32 multiple vulnerabilities
    {02.46.023} Win - KeyFocus HTTP server Web root escaping
    {02.46.026} Win - PlanetWeb HTTP server GET request overflow
    {02.46.029} Win - Hyperion FTP server ftproot escaping
    {02.46.002} Linux - sqWebmail local file reading
    {02.46.003} Linux - Update {02.40.013}: Apache hostname CSS, ab
                overflow and shared memory vulnerabilities
    {02.46.004} Linux - Update {02.37.005}: PHP mail() command may bypass
                safe_mode
    {02.46.005} Linux - Update {02.41.012}: syslog-ng macro expansion
                overflow
    {02.46.006} Linux - Update {02.35.017}: Python insecure temp file
                handling
    {02.46.007} Linux - Update {02.27.004}: Squid 2.4.STABLE7 released,
                with security fixes
    {02.46.008} Linux - Update {02.33.043}: KDE Konqueror ignores SSL
                certificate basic constraints
    {02.46.009} Linux - Update {02.45.006}: Window Maker image size integer
                overflow
    {02.46.010} Linux - nullmailer local delivery DoS
    {02.46.011} Linux - Update {02.29.016}: wwwoffle negative content len
                field overflow
    {02.46.012} Linux - Update {02.43.007}: ypserv memory leak DoS
    {02.46.015} Linux - Update {02.36.004}: MHonarc HTML mail CSS
                vulnerability
    {02.46.030} Linux - Linux kernel lcall7 DoS
    {02.46.013} BSD - Update {02.40.024}: Sendmail smrsh execution
                restriction bypass
    {02.46.018} BSD - NetBSD ftpd STAT response may affect firewall
    {02.46.031} BSD - Update {02.42.020}: Heimdal kadmind multiple
                vulnerabilities
    {02.46.032} BSD - Update {02.26.002}: DNS libresolve/resolver buffer
                overflow
    {02.46.022} SGI - Update {01.45.008}: Lots and lots of lpd problems
    {02.46.017} Other - Tru64 OSIS LDAP auth vulnerability
    {02.46.001} Cross - Update {02.45.007}: BIND SIG cached RR overflow + 2
                DoS
    {02.46.014} Cross - dhcpcd response command execution
    {02.46.016} Cross - HPUX and Tru64 IGMP DoS
    {02.46.020} Cross - Zeroo HTTP server request overflow
    {02.46.021} Cross - iPlanet admin CSS leads to command execution
    {02.46.024} Cross - phpBB CGI quick reply module phpbb_root_path
                vulnerability
    {02.46.025} Cross - Mozilla jar: handler deflate overflow
    {02.46.027} Cross - ezhttpbench.php CGI AnalyseSite file reading
    {02.46.028} Cross - tinyhttpd HTTP server Web root escaping

    --- Windows News ---------------------------------------------------------

    *** {02.46.019} Win - TFTPD32 multiple vulnerabilities

    The TFTPD32 tftp server for Windows version 2.50.2 reportedly
    contains two vulnerabilities: remote retrieval of arbitrary files;
    and a buffer overflow in the handling of large file names, which
    leads to the execution of arbitrary code.

    These vulnerabilities are not confirmed. The advisory indicates
    version 2.51 contains a fix.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0076.html
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0077.html

    *** {02.46.023} Win - KeyFocus HTTP server Web root escaping

    KeyFocus HTTP server prior to version 2.0.0 allows a remote attacker
    to access limited files outside the Web root.

    The advisory indicates vendor confirmation; version 2.0.0 is supposed
    to contain a fix.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0073.html

    *** {02.46.026} Win - PlanetWeb HTTP server GET request overflow

    PlanetWeb HTTP server prior to version 1.15 reportedly contains a
    buffer overflow in the handling of particular GET requests. Further
    details were not provided.

    A patch is available at:
    http://www.planetdns.net/client/pdnsweb32v115.exe

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0240.html

    *** {02.46.029} Win - Hyperion FTP server ftproot escaping

    Hyperion FTP server version 2.8.1 allows an attacker capable of
    logging into the FTP service (particularly as anonymous) to view
    directory listings outside the ftproot.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0069.html

    --- Linux News -----------------------------------------------------------

    *** {02.46.002} Linux - sqWebmail local file reading

    A Debian advisory indicates the sqWebmail CGI does not properly drop
    permissions, thereby allowing a local attacker to read arbitrary
    files on the system.

    Debian confirmed this vulnerability and released updated DEBs, listed
    at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0628.html

    *** {02.46.003} Linux - Update {02.40.013}: Apache hostname CSS, ab
                    overflow and shared memory vulnerabilities

    Debian released updated Apache-Perl packages, which fix the
    vulnerability discussed in {02.40.013} ("Apache host name CSS, ab
    overflow and shared memory vulnerabilities").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0586.html

    *** {02.46.004} Linux - Update {02.37.005}: PHP mail() command may
                    bypass safe_mode

    Conectiva released updated php4 packages, which fix the vulnerability
    discussed in {02.37.005} ("PHP mail() command may bypass safe_mode").

    Updated RPMs are listed at the reference URL below.

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0017.html

    *** {02.46.005} Linux - Update {02.41.012}: syslog-ng macro expansion
                    overflow

    Conectiva released updated syslog-ng packages, which fix the
    vulnerability discussed in {02.41.012} ("syslog-ng macro expansion
    overflow").

    Updated RPMs are listed at the reference URL below.

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0019.html

    *** {02.46.006} Linux - Update {02.35.017}: Python insecure temp file
                    handling

    Caldera released updated Python packages, which fix the vulnerability
    discussed in {02.35.017} ("Python insecure temp file handling").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0013.html

    *** {02.46.007} Linux - Update {02.27.004}: Squid 2.4.STABLE7 released,
                    with security fixes

    Caldera released updated Squid packages, which fix the vulnerability
    discussed in {02.27.004} ("Squid 2.4.STABLE7 released, with security
    fixes").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0014.html

    *** {02.46.008} Linux - Update {02.33.043}: KDE Konqueror ignores SSL
                    certificate basic constraints

    Caldera released updated kdelibs packages, which fix the vulnerability
    discussed in {02.33.043} ("KDE Konqueror ignores SSL certificate
    basic constraints").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0015.html

    *** {02.46.009} Linux - Update {02.45.006}: Window Maker image size
                    integer overflow

    Conectiva released updated Window Maker packages, which fix the
    vulnerability discussed in {02.45.006} ("Window Maker image size
    integer overflow").

    Updated RPMs are listed at the reference URL below.

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0020.html

    *** {02.46.010} Linux - nullmailer local delivery DoS

    A Debian advisory indicates the nullmailer service contains a denial of
    service vulnerability that causes it to cease working when attempting
    to deliver an e-mail message to a nonexistent local user account.

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0648.html

    *** {02.46.011} Linux - Update {02.29.016}: wwwoffle negative content
                    len field overflow

    Caldera released updated wwwoffle packages, which fix the vulnerability
    discussed in {02.29.016} ("wwwoffle negative content len field
    overflow").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0016.html

    *** {02.46.012} Linux - Update {02.43.007}: ypserv memory leak DoS

    Mandrake released updated ypserv packages, which fix the vulnerability
    discussed in {02.43.007} ("ypserv memory leak DoS").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0156.html

    *** {02.46.015} Linux - Update {02.36.004}: MHonarc HTML mail CSS
                    vulnerability

    Debian released updated mhonarc packages, which fix the vulnerability
    discussed in {02.36.004} ("MHonarc HTML mail CSS vulnerability").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0679.html

    *** {02.46.030} Linux - Linux kernel lcall7 DoS

    A denial of service in the Linux Kernel involves incorrect parameter
    handling of system call 7. This lets a local user crash the
    system. Kernels 2.4.20-rc1 and prior are reportedly vulnerable.

    A patch is available at:
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0215.html

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0043.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0247.html

    Source: SecurityFocus Bugtraq, Red Hat, Trustix
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0157.html
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0191.html
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0215.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0043.html
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0247.html

    --- BSD News -------------------------------------------------------------

    *** {02.46.013} BSD - Update {02.40.024}: Sendmail smrsh execution
                    restriction bypass

    FreeBSD released updates, which fix the vulnerability discussed in
    {02.40.024} ("Sendmail smrsh execution restriction bypass").

    A full list of corrected branches and dates is given at the reference
    URL below.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0225.html

    *** {02.46.018} BSD - NetBSD ftpd STAT response may affect firewall

    A NetBSD advisory indicates the ftp daemon included with NetBSD may
    send a non-RFC STAT command response that could confuse state-based
    firewalls into opening a tunnel; this is identical to how the firewall
    would open a tunnel to accommodate an ftp data transfer.

    NetBSD update information is listed at the reference URL below.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q4/0245.html

    *** {02.46.031} BSD - Update {02.42.020}: Heimdal kadmind multiple
                    vulnerabilities

    FreeBSD released updates, which fix the vulnerability discussed in
    {02.42.020} ("Heimdal kadmind multiple vulnerabilities").

    Updates are listed at the reference URL below.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0158.html

    *** {02.46.032} BSD - Update {02.26.002}: DNS libresolve/resolver
                    buffer overflow

    FreeBSD and NetBSD released updates, which fix the vulnerability
    discussed in {02.26.002} ("DNS libresolve/resolver buffer overflow").

    FreeBSD updates:
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0170.html

    NetBSD updates:
    http://archives.neohapsis.com/archives/netbsd/2002-q4/0246.html

    Source: FreeBSD, NetBSD
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0170.html
    http://archives.neohapsis.com/archives/netbsd/2002-q4/0246.html

    --- SGI News -------------------------------------------------------------

    *** {02.46.022} SGI - Update {01.45.008}: Lots and lots of lpd problems

    SGI released updates, which fix the vulnerability discussed in
    {01.45.008} ("Lots and lots of lpd problems").

    Updates are listed at the reference URL below.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q4/0047.html

    --- Other News -----------------------------------------------------------

    *** {02.46.017} Other - Tru64 OSIS LDAP auth vulnerability

    An HP/Compaq advisory indicates the OSIS LDAP authentication module
    contains a vulnerability that allows a remote attacker to access the
    system with elevated privileges. It is unknown at this time if this
    vulnerability relates to the recent nss_ldap/pam_ldap vulnerabilities.

    Update information is available at the reference URL below.

    Source: HP/Compaq
    http://archives.neohapsis.com/archives/compaq/2002-q4/0014.html

    --- Cross-Platform News --------------------------------------------------

    *** {02.46.001} Cross - Update {02.45.007}: BIND SIG cached RR overflow
                    + 2 DoS

    Multiple vendors released updated bind packages, which fix the
    vulnerability discussed in {02.45.007} ("BIND SIG cached RR overflow +
    2 DoS").

    Updated BIND source versions:
    ftp://ftp.isc.org/isc/bind/src/4.9.11/bind-4.9.11-REL.tar.gz
    ftp://ftp.isc.org/isc/bind/src/8.2.7/bind-src.tar.gz
    ftp://ftp.isc.org/isc/bind/src/8.3.4/bind-src.tar.gz

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0107.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0622.html

    FreeBSD update information:
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0223.html

    OpenBSD update information:
    http://archives.neohapsis.com/archives/openbsd/2002-11/1461.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0010.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0787.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0018.html

    NetBSD update information:
    http://archives.neohapsis.com/archives/netbsd/2002-q4/0243.html

    Source: BIND, Mandrake, Debian, FreeBSD, OpenBSD, EnGarde, SuSE,
    Conectiva, NetBSD
    http://archives.neohapsis.com/archives/bind/2002/0021.html
    http://archives.neohapsis.com/archives/bind/2002/0022.html
    http://archives.neohapsis.com/archives/bind/2002/0023.html
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0107.html
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0622.html
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0223.html
    http://archives.neohapsis.com/archives/openbsd/2002-11/1461.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0010.html
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0787.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0018.html
    http://archives.neohapsis.com/archives/netbsd/2002-q4/0243.html

    *** {02.46.014} Cross - dhcpcd response command execution

    A Conectiva advisory indicates the possibility of a malicious DHCP
    server (or spoofed response) causing a dhcpcd shell script to execute
    arbitrary command-line commands.

    Updated Conectiva RPMs are listed at the reference URL below.

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0021.html

    *** {02.46.016} Cross - HPUX and Tru64 IGMP DoS

    An HP/Compaq advisory indicates that both HP-UX and Tru64 have a
    vulnerability in the handling of IGMP packets, which causes a denial
    of service attack.

    Update information for both OSs is available at the reference URL
    below.

    Source: HP/Compaq
    http://archives.neohapsis.com/archives/compaq/2002-q4/0013.html

    *** {02.46.020} Cross - Zeroo HTTP server request overflow

    The Zeroo HTTP server version 1.5 reportedly contains a buffer overflow
    in the handling of large URL requests, which allows a remote attacker
    to execute arbitrary code.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0226.html

    *** {02.46.021} Cross - iPlanet admin CSS leads to command execution

    iPlanet WebServer versions 4.x SP11 and prior contain two
    vulnerabilities that could be used in conjunction to cause an
    unsuspecting administrator to execute arbitrary commands. The two
    vulnerabilities include a cross-site scripting bug and insecure use
    of Perl open() calls in the administrative CGIs.

    The advisory indicates vendor confirmation.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0078.html

    *** {02.46.024} Cross - phpBB CGI quick reply module phpbb_root_path
                    vulnerability

    The 'quick reply' module for the phpBB PHP CGI suite passes the
    phpbb_root_path URL parameter to an include() call, which allows a
    remote attacker to execute arbitrary PHP code on the system if URL
    fopen wrappers are enabled.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0188.html

    *** {02.46.025} Cross - Mozilla jar: handler deflate overflow

    The Mozilla browser reportedly contains a heap overflow in the handling
    of 'jar:' URLs, which allows a malformed .jar file to potentially
    execute arbitrary code.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0208.html

    *** {02.46.027} Cross - ezhttpbench.php CGI AnalyseSite file reading

    The ezhttpbench.php PHP CGI allows a remote attacker to view files
    readable by the Web server by submitting a file name value for the
    'AnalyseSite' URL parameter.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0116.html

    *** {02.46.028} Cross - tinyhttpd HTTP server Web root escaping

    The tinyhttpd HTTP server version 0.1.0 allows attackers to access
    files outside the Web root by using '..' in the URL request.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0130.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE93UPW+LUG5KFpTkYRApLVAJ0a/DS1Y/qKlpc5R73y6XVZlo2O3QCgmUs/
    y7aRz2kFPCUG9dq/fWE3qkw=
    =MJkN
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.sans.org/sansnews/

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <sans@sans.org>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find back issues of Security Alert Consensus
    (and other SANS newsletters) online.
    http://www.sans.org/newlook/digests/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).