From: Network Computing and The SANS Institute (sans+ZZ79257943026416795_at_sans.org)
Date: Thu Jan 09 2003 - 16:25:35 CST


    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 001 (03.01)
                      Thursday, January 9, 2003
                           Created for you by
                Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus.

    ************************* Begin Advertisement ************************

    This issue sponsored by SPI Dynamics.

    ALERT: Exploiting Web Applications -- A Step-by-Step Attack Analysis
    Learn why 70% of today's successful hacks involve Web Application
    attacks such as: SQL Injection, XSS, Cookie Manipulation, Session
    Hijacking and Parameter Manipulation.
    All undetectable by Firewalls and IDS!
    Download *FREE* white paper from SPI Dynamics for a complete
    guide to protection!
    http://www.spidynamics.com/mktg/webappsecurity39

    ************************** End Advertisement *************************

    Welcome back! After a two-week holiday break, SAC is now back
    on track and ready to go for 2003. We also expanded our coverage
    during the break. In addition to our normal categories, we now have
    specific Mac OS (all versions), Digital/Compaq/HP Tru64 and mobile
    devices (such as cell phones and PDAs) categories. You can add these
    new categories to your subscription by following the subscription
    change instructions at the bottom of this e-mail. And don't worry;
    we didn't use any of the new categories this week, so you won't miss
    anything. You'll also notice the 'Network Appliances' category was
    renamed to 'Network Devices'. You do not need to make any subscription
    changes as a result of this renaming.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {03.01.027} Win - IPD bypass via subst
    {03.01.031} Win - Multiple Winamp overflows
    {03.01.032} Win - MS02-072: Windows shell/audio file overflow
    {03.01.001} Linux - Update {02.40.013}: Apache host name CSS, ab
                overflow and shared memory vulnerabilities
    {03.01.002} Linux - Update {02.50.004}: Multiple MySQL vulnerabilities
    {03.01.003} Linux - Update {02.49.008}: OpenLDAP2 multiple
                vulnerabilities
    {03.01.004} Linux - Update {02.29.004}: libpng progressive image
                loading overflows
    {03.01.005} Linux - Update {02.49.014}: wget directory recursion
                vulnerability
    {03.01.006} Linux - Update {02.45.008}: Perl Safe.pm reuse opmask
                modification
    {03.01.007} Linux - Update {02.49.017}: tcpdump BGP decoding overflow
    {03.01.008} Linux - Update {02.50.007}: Kernel /proc/pid/mem mmap DoS
    {03.01.013} Linux - Update {02.45.026}: KDE Lisa/resLISa multiple
                vulnerabilities
    {03.01.014} Linux - Update {02.49.019}: Cyrus SASL library overflows
    {03.01.015} Linux - Update {02.45.007}: BIND SIG cached RR overflow + 2
                DoS
    {03.01.016} Linux - Update {02.50.024}: Fetchmail local address
                creation vulnerability
    {03.01.019} Linux - typespeed local buffer overflow
    {03.01.022} Linux - Update {02.46.014}: dhcpcd response command
                execution
    {03.01.023} Linux - Update {02.38.006}: Squirrel mail CGI multiple CSS
                vulnerabilities
    {03.01.024} Linux - Update {02.36.004}: MHonarc HTML mail CSS
                vulnerability
    {03.01.025} Linux - Update {02.45.022}: Pine 4.44 malformed From field
                vulnerability
    {03.01.026} BSD - FreeBSD fpathconf syscall vulnerability
    {03.01.017} HPUX - JFS sticky bit vulnerability
    {03.01.012} NetDev - Cisco products SSH reload DoS
    {03.01.009} Cross - Lynx CRLF header injection
    {03.01.010} Cross - CUPS multiple vulnerabilities
    {03.01.011} Cross - OpenWebmail sessionid path vulnerability
    {03.01.018} Cross - Update {02.50.014}: PFingerd host name format
                string vulnerability
    {03.01.020} Cross - Sendmail 8.12.7 available
    {03.01.021} Cross - Bugzilla CSS vulnerabilities
    {03.01.028} Cross - libmcrypt buffer overflows and memory leak
    {03.01.029} Cross - PHP 4.3.0 released, with security fixes
    {03.01.030} Cross - Tanne library syslog format vulnerabilities
    {03.01.033} Cross - xpdf/pdftops integer overflow

    - --- Windows News -------------------------------------------------------

    *** {03.01.027} Win - IPD bypass via subst

    The Integrity Protection Driver (IPD) versions 1.3 and prior do not
    correctly handle drive mappings created by the subst command, thereby
    allowing a local attacker to potentially bypass IPD's file protections.

    The vendor confirmed this vulnerability and released an updated
    version.

    Source: NTBugtraq
    http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0000.html
    http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0001.html

    *** {03.01.031} Win - Multiple Winamp overflows

    Winamp versions 3.0 and 2.81 reportedly contain multiple buffer
    overflows that allow a malicious MP3 file to execute arbitrary code
    on the user's system.

    The vendor confirmed these vulnerabilities and released updates,
    available at:
    http://www.winamp.com

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0186.html

    *** {03.01.032} Win - MS02-072: Windows shell/audio file overflow

    Microsoft released MS02-072 ("Windows shell/audio file overflow"). The
    Windows Shell framework included with Windows XP contains a buffer
    overflow in the handling of large audio file attributes, resulting
    in the execution of arbitrary code by a malicious MP3 or WMA file.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-072.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/microsoft/2002-q4/0021.html

    - --- Linux News ---------------------------------------------------------

    *** {03.01.001} Linux - Update {02.40.013}: Apache host name CSS, ab
                    overflow and shared memory vulnerabilities

    Mandrake released updated Apache packages, which fix the
    vulnerabilities discussed in {02.40.013} ("Apache host name CSS,
    ab overflow and shared memory vulnerabilities").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0350.html

    *** {03.01.002} Linux - Update {02.50.004}: Multiple MySQL
                    vulnerabilities

    Mandrake, Trustix and SuSE released updated MySQL packages, which
    fix the vulnerabilities discussed in {02.50.004} ("Multiple MySQL
    vulnerabilities").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0351.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0196.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2003-q1/0004.html

    Source: Mandrake, Trustix, SuSE (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0351.html
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0196.html
    http://archives.neohapsis.com/archives/linux/suse/2003-q1/0004.html

    *** {03.01.003} Linux - Update {02.49.008}: OpenLDAP2 multiple
                    vulnerabilities

    Conectiva released updated OpenLDAP packages, which fix the
    vulnerabilities discussed in {02.49.008} ("OpenLDAP2 multiple
    vulnerabilities").

    Updated RPMs are listed at the reference URL below.

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0028.html

    *** {03.01.004} Linux - Update {02.29.004}: libpng progressive image
                    loading overflows

    Debian released updated libpng packages, which fix the vulnerability
    discussed in {02.29.004} ("libpng progressive image loading
    overflows").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q4/0086.html

    *** {03.01.005} Linux - Update {02.49.014}: wget directory recursion
                    vulnerability

    Trustix released updated wget packages, which fix the vulnerability
    discussed in {02.49.014} ("wget directory recursion vulnerability").

    Updated RPMs are listed at the reference URL below.

    Source: Trustix
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0198.html

    *** {03.01.006} Linux - Update {02.45.008}: Perl Safe.pm reuse opmask
                    modification

    Trustix released updated Perl packages, which fix the vulnerability
    discussed in {02.45.008} ("Perl Safe.pm reuse opmask modification").

    Updated RPMs are listed at the reference URL below.

    Source: Trustix
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0200.html

    *** {03.01.007} Linux - Update {02.49.017}: tcpdump BGP decoding
                    overflow

    Trustix released updated tcpdump packages, which fix the vulnerability
    discussed in {02.49.017} ("tcpdump BGP decoding overflow").

    Updated RPMs are listed at the reference URL below.

    Source: Trustix
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0201.html

    *** {03.01.008} Linux - Update {02.50.007}: Kernel /proc/pid/mem mmap
                    DoS

    Trustix released updated kernel packages, which fix the vulnerability
    discussed in {02.50.007} ("Kernel /proc/pid/mem mmap DoS").

    Updated RPMs are listed at the reference URL below.

    Source: Trustix
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0202.html

    *** {03.01.013} Linux - Update {02.45.026}: KDE Lisa/resLISa multiple
                    vulnerabilities

    Debian released updated kdenetwork packages, which fix the
    vulnerabilities discussed in {02.45.026} ("KDE Lisa/resLISa multiple
    vulnerabilities").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/1129.html

    *** {03.01.014} Linux - Update {02.49.019}: Cyrus SASL library overflows

    Multiple vendors released updated Cyrus-SASL packages, which fix
    the vulnerability discussed in {02.49.019} ("Cyrus SASL library
    overflows").

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/1275.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q4/0089.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0029.html

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0002.html

    Source: SuSE, Debian, Conectiva, Red Hat
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/1275.html
    http://archives.neohapsis.com/archives/vendor/2002-q4/0089.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0029.html
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0002.html

    *** {03.01.015} Linux - Update {02.45.007}: BIND SIG cached RR overflow
                    + 2 DoS

    Caldera/SCO released updated BIND packages, which fix the vulnerability
    discussed in {02.45.007} ("BIND SIG cached RR overflow + 2 DoS").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0029.html

    *** {03.01.016} Linux - Update {02.50.024}: Fetchmail local address
                    creation vulnerability

    Debian and SuSE released updated Fetchmail packages, which fix the
    vulnerability discussed in {02.50.024} ("Fetchmail local address
    creation vulnerability").

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q4/0090.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2003-q1/0000.html

    Source: Debian, SuSE
    http://archives.neohapsis.com/archives/vendor/2002-q4/0090.html
    http://archives.neohapsis.com/archives/linux/suse/2003-q1/0000.html

    *** {03.01.019} Linux - typespeed local buffer overflow

    The typespeed typing utility/game contains a locally exploitable buffer
    overflow that lets a local attacker gain group id 'games' privileges.

    Debian confirmed this vulnerability and released updated DEBs, listed
    at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q4/0091.html

    *** {03.01.022} Linux - Update {02.46.014}: dhcpcd response command
                    execution

    Debian released updated dhcpcd packages, which fix the vulnerability
    discussed in {02.46.014} ("dhcpcd response command execution").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q4/0093.html

    *** {03.01.023} Linux - Update {02.38.006}: Squirrel mail CGI multiple
                    CSS vulnerabilities

    Debian released updated Squirrel mail packages, which fix the
    vulnerabilities discussed in {02.38.006} ("Squirrel mail CGI multiple
    CSS vulnerabilities").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2003-q1/0003.html

    *** {03.01.024} Linux - Update {02.36.004}: MHonarc HTML mail CSS
                    vulnerability

    Debian released updated MHonarc packages, which fix the vulnerability
    discussed in {02.36.004} ("MHonarc HTML mail CSS vulnerability").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2003-q1/0004.html

    *** {03.01.025} Linux - Update {02.45.022}: Pine 4.44 malformed From
                    field vulnerability

    Red Hat released updated Pine packages, which fix the vulnerability
    discussed in {02.45.022} ("Pine 4.44 malformed From field
    vulnerability").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0000.html

    - --- BSD News -----------------------------------------------------------

    *** {03.01.026} BSD - FreeBSD fpathconf syscall vulnerability

    A FreeBSD advisory indicates that the fpathconf system call can leak
    a file descriptor reference, which a local user can exploit for a
    denial of service. Local root privilege elevation is also possible
    (this exploitation was confirmed by a third party).

    FreeBSD 4.4 through 4.7 and 5.0, updated as of Jan. 7, 2003, contain
    the fix.

    Source: VulnWatch, FreeBSD (SF Bugtraq)
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0006.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0057.html

    - --- HP-UX News ---------------------------------------------------------

    *** {03.01.017} HPUX - JFS sticky bit vulnerability

    HP released a patch that fixes a bug in JFS's handling (or lack of
    handling) of the sticky bit (mode 01000, set with chmod +t) within
    the file system.

    Apply the appropriate patch:
    HPUX 10.20: PHKL_27832, PHKL_27833
    HPUX 11.00: PHKL_27932
    HPUX 11.04: PHKL_24201

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q4/0075.html

    - --- Network Devices News -----------------------------------------------

    *** {03.01.012} NetDev - Cisco products SSH reload DoS

    Cisco released an advisory indicating that devices running IOS
    versions 12.0S, 12.0ST, 12.1T, 12.1E, 12.2, 12.2T and 12.2S can be
    forced to reload remotely by sending a malformed SSH packet to the
    device, if the SSH server is enabled. All products running the listed
    IOS versions with SSH enabled are affected. NOT affected are the Cisco
    Catalyst series running CatOS, the VPN 3000 concentrators, PIX
    firewalls, the SN 5400 series and NetRanger products.

    Cisco confirmed this vulnerability. Fixed software is in production
    and available from Cisco.

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q4/0005.html

    - --- Cross-Platform News ------------------------------------------------

    *** {03.01.009} Cross - Lynx CRLF header injection

    The Lynx Web browser potentially allows malformed URLs to insert
    arbitrary HTTP headers into the request. This could allow modification
    of the Host header or submission of extra cookies by an unsuspecting
    user.

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0199.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q4/0082.html

    Source: Trustix, Debian (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0199.html
    http://archives.neohapsis.com/archives/vendor/2002-q4/0082.html
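    As an added illustration of the header-injection mechanism (example
    code written for this archive page, not Lynx source): a toy HTTP/1.0
    request builder first percent-decodes the path and splices it straight
    into the request, as a careless client would, then does the same with
    the check a hardened client needs. The host name, paths and the
    injected header are constructed inputs.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst (dst must hold strlen(src)+1 bytes).
 * Returns the number of bytes written, which exceeds strlen(dst) only
 * if the input smuggled in a %00. Added example, not Lynx source. */
static size_t url_decode(const char *src, char *dst)
{
    size_t n = 0;
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) &&
            isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            dst[n++] = (char)strtol(hex, NULL, 16);
            src += 3;
        } else {
            dst[n++] = *src++;
        }
    }
    dst[n] = '\0';
    return n;
}

/* Vulnerable shape: decode the path and splice it into the request line.
 * "/%0d%0aHost:%20evil.example" puts a second Host header on the wire. */
int build_request_naive(const char *host, const char *path,
                        char *out, size_t outlen)
{
    char decoded[512];
    if (strlen(path) >= sizeof decoded)
        return -1;
    url_decode(path, decoded);
    int n = snprintf(out, outlen, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n",
                     decoded, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 if s contains no C0 control byte (CR, LF, TAB, ...) or DEL. */
static int no_control_chars(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Hardened shape: the path goes out still percent-encoded, and a control
 * character anywhere in it, raw or encoded, or an embedded %00, aborts
 * the request. Returns 0 on success, -1 on rejection or truncation. */
int build_request_safe(const char *host, const char *path,
                       char *out, size_t outlen)
{
    char decoded[512];
    if (strlen(path) >= sizeof decoded)
        return -1;
    size_t n_dec = url_decode(path, decoded);
    if (n_dec != strlen(decoded))          /* %00 would truncate the path */
        return -1;
    if (!no_control_chars(decoded) || !no_control_chars(host))
        return -1;
    int n = snprintf(out, outlen, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n",
                     path, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The observable symptom: how many Host header lines the server sees. */
int count_host_headers(const char *req)
{
    int count = 0;
    for (const char *p = req; (p = strstr(p, "\r\nHost:")) != NULL; p += 7)
        count++;
    return count;
}

int main(void)
{
    char req[1024];
    const char *injected = "/%0d%0aHost:%20evil.example";   /* constructed */

    if (build_request_naive("www.example.com", injected, req, sizeof req) == 0)
        printf("naive build: %d Host header(s)\n", count_host_headers(req));
    printf("safe build: %s\n",
           build_request_safe("www.example.com", injected, req, sizeof req) == 0
               ? "sent" : "rejected");
    return 0;
}
```

    The naive builder reports two Host headers for the injected path; the
    safe one refuses it. The check runs on the decoded form on purpose: a
    filter applied only to the raw URL misses %0d%0a, while a filter on
    the decoded form catches both the literal and the encoded CR/LF.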

    *** {03.01.010} Cross - CUPS multiple vulnerabilities

    The CUPS (Common Unix Printing System) prior to version 1.1.18 contains
    multiple vulnerabilities: integer overflows leading to local privilege
    elevation; a PID file race condition; the remote addition of arbitrary
    printers; remote heap overflows; an options string buffer overflow;
    0-width image arbitrary code execution; and file descriptor leaks.

    The vendor confirmed these vulnerabilities and fixed them in version
    1.1.18.

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2003-q1/0001.html

    Source: VulnWatch, SuSE
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0117.html
    http://archives.neohapsis.com/archives/linux/suse/2003-q1/0001.html

    *** {03.01.011} Cross - OpenWebmail sessionid path vulnerability

    The OpenWebmail CGI suite, versions 1.71 and prior, contains a
    vulnerability in the handling of the sessionid URL parameter that
    could allow an attacker who can place a file on the target system to
    gain root privileges (the OpenWebmail CGIs use suidperl to run as
    root).

    The vendor confirmed this vulnerability and released patches.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0192.html
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0205.html
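    One defensive shape for a parameter like sessionid that ends up in a
    file system path, as an added example (code written for this page,
    not OpenWebmail's own fix; the session directory, the id format and
    the sample ids are assumptions). Because the CGIs run as root there is
    no second line of defense, so the id is validated against an
    allowlist before it touches a path at all.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenWebmail code. Session files live under a fixed
 * directory (path assumed for illustration). */
#define SESSION_DIR "/var/openwebmail/sessions"
#define SESSION_ID_MAX 64

/* Returns 1 if sid is a well-formed session id: 1..SESSION_ID_MAX bytes,
 * starting with a letter or digit, then only [A-Za-z0-9._-]. Because '/'
 * and a leading '.' are not in the allowlist, "..", absolute paths and
 * dotfiles cannot be expressed at all. */
int session_id_valid(const char *sid)
{
    size_t len = strlen(sid);
    if (len == 0 || len > SESSION_ID_MAX)
        return 0;
    if (!isalnum((unsigned char)sid[0]))
        return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)sid[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Vulnerable shape: trust the parameter and concatenate. With
 * sid = "../../tmp/evil" the "session file" is wherever the attacker says,
 * and a process running as root will happily open it. */
int session_file_path_naive(const char *sid, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", SESSION_DIR, sid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened shape: validate first, fail closed. Returns 0 and fills out on
 * success, -1 on rejection or truncation. */
int session_file_path(const char *sid, char *out, size_t outlen)
{
    if (!session_id_valid(sid))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", SESSION_DIR, sid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* constructed sample ids: one plausible, three hostile */
    const char *ids[] = { "user-1041120000.1234", "../../tmp/evil", ".ssh", "" };
    char path[256];
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        if (session_file_path(ids[i], path, sizeof path) == 0)
            printf("accepted: %s\n", path);
        else
            printf("rejected: \"%s\"\n", ids[i]);
    }
    return 0;
}
```

    An allowlist is preferred over stripping "../" sequences: stripping
    has to anticipate every encoding and separator the platform accepts,
    whereas the allowlist only has to describe what a legitimate id looks
    like.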

    *** {03.01.018} Cross - Update {02.50.014}: PFingerd host name format
                    string vulnerability

    The vendor released version 0.7.9, which fixes the vulnerability
    discussed in {02.50.014} ("PFingerd host name format string
    vulnerability").

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0253.html

    *** {03.01.020} Cross - Sendmail 8.12.7 available

    Sendmail 8.12.7 was released. This version contains one previously
    reported security-related fix in the smrsh utility.

    The latest Sendmail source is available at:
    ftp://ftp.sendmail.org/pub/sendmail/

    Source: Sendmail
    http://archives.neohapsis.com/archives/sendmail/2002-q4/0000.html

    *** {03.01.021} Cross - Bugzilla CSS vulnerabilities

    A Debian advisory indicates that the Bugzilla CGI suite contains
    various cross-site scripting vulnerabilities.

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q4/0092.html

    *** {03.01.028} Cross - libmcrypt buffer overflows and memory leak

    The libmcrypt library prior to version 2.5.5 contains multiple buffer
    overflows and a memory leak. Applications using the libmcrypt library
    may be vulnerable to various types of attack.

    The vendor confirmed these vulnerabilities and released version 2.5.5.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0020.html

    *** {03.01.029} Cross - PHP 4.3.0 released, with security fixes

    PHP 4.3.0 was released. It contains a few security fixes, including
    one for a buffer overflow in the wordwrap() function, as well as
    corrections to the included MySQL client.

    Latest PHP versions are available from:
    http://www.php.net/

    Source: PHP
    http://archives.neohapsis.com/archives/php/2002-12/0050.html

    *** {03.01.030} Cross - Tanne library syslog format vulnerabilities

    The Tanne HTTP authentication library contains two format string
    vulnerabilities in the handling of syslog() parameters.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0011.html
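    The bug class, as an added example (not Tanne code): the difference
    between handing untrusted text to syslog() as the format string and
    passing it as a %s argument, plus a small helper for spotting
    directives in untrusted strings. The message text and the "attacker"
    input are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Added example, not Tanne code. The vulnerable shape, shown but never
 * executed here, hands attacker-controlled text to syslog() as the format:
 *
 *     syslog(LOG_AUTH | LOG_WARNING, user_supplied);   // vulnerable
 *
 * "%x%x%x" then leaks stack contents into the log and "%n" writes to
 * memory. The fix is one token: the data becomes an argument to "%s". */
void log_auth_failure(const char *user_supplied)
{
    syslog(LOG_AUTH | LOG_WARNING, "authentication failed for %s",
           user_supplied);
}

/* Same discipline with a buffer instead of syslogd, so the result can be
 * inspected: the user string is inert data, not a format. Returns the
 * formatted length or -1 on truncation. */
int format_auth_failure(char *out, size_t outlen, const char *user_supplied)
{
    int n = snprintf(out, outlen, "authentication failed for %s",
                     user_supplied);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Audit helper: count conversion directives an untrusted string would
 * trigger if it were ever used as a format ("%%" is a literal percent).
 * Useful for flagging suspicious input in logs, not as a substitute for
 * the "%s" fix. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {                 /* escaped percent */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    const char *hostile = "%x.%x.%x.%n";   /* constructed attacker input */
    char line[256];

    format_auth_failure(line, sizeof line, hostile);
    printf("logged: %s\n", line);           /* directives printed, not run */
    printf("directives in input: %d\n", count_format_directives(hostile));

    openlog("tanne-example", LOG_PID, LOG_AUTH);
    log_auth_failure(hostile);              /* safe: hostile is an argument */
    closelog();
    return 0;
}
```

    Compilers flag the vulnerable call when asked (gcc -Wformat-security
    warns on a non-literal format with no arguments), which is a cheap
    way to sweep a code base for this pattern.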

    *** {03.01.033} Cross - xpdf/pdftops integer overflow

    The pdftops filter contains an integer overflow in the handling of a
    large color space, resulting in a heap overflow and the execution of
    arbitrary code. It's possible to remotely trigger this vulnerability
    via CUPS/lpd.

    The vendor confirmed this vulnerability and released a patch,
    available at:
    ftp://ftp.foolabs.com/pub/xpdf/xpdf-2.01-patch1

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2003-q1/0007.html

    Source: VulnWatch, Debian
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0122.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0007.html
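    How a count read from an untrusted file becomes a heap overflow, and
    the arithmetic that prevents it, as an added example (not xpdf code;
    the PDF_MAX_COMPS ceiling, the 4-byte entry size and the crafted
    count are assumptions chosen for illustration). The remote angle is
    that a print filter processes whatever document the queue delivers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not xpdf code. PDF_MAX_COMPS is an illustrative ceiling
 * for the number of colour components a colour space may declare. */
#define PDF_MAX_COMPS 32

/* Vulnerable shape: the component count comes straight out of the file
 * and is multiplied in 32-bit arithmetic. 0x40000001 * 4 wraps to 4, so
 * malloc() returns a 4-byte block and the loop that later fills ncomps
 * entries writes far past it: the heap overflow described above. */
uint32_t table_bytes_naive(uint32_t ncomps)
{
    return ncomps * 4u;                    /* wraps silently */
}

/* Overflow-checked multiply: returns 0 and stores a*b in *out, or -1 if
 * the product does not fit in size_t. */
int checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Hardened shape: bound the count by what the format allows, then size
 * the allocation with the checked multiply in size_t. Returns NULL on any
 * failure so the caller rejects the object instead of corrupting the
 * heap. */
int32_t *alloc_component_table(uint32_t ncomps)
{
    size_t bytes;
    if (ncomps == 0 || ncomps > PDF_MAX_COMPS)
        return NULL;
    if (checked_mul_size(ncomps, sizeof(int32_t), &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    uint32_t hostile = 0x40000001u;        /* constructed: count from a crafted file */
    size_t product;

    printf("naive size for %lu comps: %lu bytes\n",
           (unsigned long)hostile, (unsigned long)table_bytes_naive(hostile));
    printf("checked multiply of SIZE_MAX/2+1 by 2: %s\n",
           checked_mul_size(SIZE_MAX / 2 + 1, 2, &product) == 0 ? "ok" : "overflow");

    int32_t *t = alloc_component_table(hostile);
    printf("hardened allocation: %s\n", t ? "accepted" : "refused");
    free(t);
    return 0;
}
```

    Two checks are needed, not one: on a 64-bit host the 32-bit count
    times four never overflows size_t, so the multiply check alone would
    accept a multi-gigabyte table; the domain bound is what rejects a
    count the format could never legitimately produce.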

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE+He0m+LUG5KFpTkYRAmvpAKCGxS9tqX2Duby+rKToXi9owxpF0QCeNB9W
    H5t6S0xg5ts+C1FqIefvMrw=
    =Msmd
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    https://www.sans.org/sansnews/

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <sans@sans.org>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl/

    Missed an issue? You can find back issues of Security Alert Consensus
    (and other SANS newsletters) online.
    http://www.sans.org/newsletters/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).