Subject: Security Alert Consensus #072
From: Network Computing and The SANS Institute (sanssans.org)
Date: Wed Nov 22 2000 - 14:35:49 CST



Re: Your personalized newsletter

                    -- Security Alert Consensus --
                         Number 072 (00.48)
                     Wednesday, November 22, 2000
                         Created for you by
               Network Computing and the SANS Institute

----------------------------------------------------------------------

Welcome to the latest edition of Security Alert Consensus! Below you
should find only the information pertaining to the categories you
requested. If you have any problems or questions, please e-mail us at
<consensusnwc.com>.

----------------------------------------------------------------------

This week has many vendors playing catch-up to recently reported
vulnerabilities. FreeBSD and RedHat released a few updates for
weaknesses discussed weeks ago. For other vendors, the vulnerabilities
are not so recent, as in the case of the SGI InPerson item {00.48.016}
originally published in 1997.

Vulnerability-wise, this week doesn't hold any Internet-wide threats.
The notables include a local vulnerability in Vixie cron ({00.48.004}),
a memory disclosure bug in RealServer ({00.48.021}) and another reason
not to run the classic phf (buffer overflow in environment variable
{00.48.037}).

Until next week and Happy Thanksgiving,
- Security Alert Consensus Team

************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TABLE OF CONTENTS:

{00.48.006} Win - MS00-088: Default Exchange User Account
{00.48.007} Win - Update {00.44.002}: MS00-080: IIS Insecure Session
            Cookies
{00.48.014} Win - Pelesoft Netsnap HTTP Server Buffer Overflow
{00.48.017} Win - IE/Outlook .chm Vulnerabilities
{00.48.034} Win - WinVNC Insecure Registry Permissions
{00.48.035} Win - NetCPlus SmartServer3 Multiple Vulnerabilities
{00.48.036} Win - NetCPlus BrowseGate Insecure Password Storage
{00.48.001} Linux - Update {00.47.017}: OpenSSH Allows Malicious Server
            To Access X display/ssh-agent
{00.48.003} Linux - Update {00.47.021}: Modutils Local Command Execution
{00.48.005} Linux - Joe DEADJOE File Creation Follows Symlinks
{00.48.012} Linux - Update {00.45.037}: Multiple tcpdump Buffer
            Overflows
{00.48.015} Linux - Cups Allows Remote Attackers To Use Printers
{00.48.020} Linux - socks5 Connection Request Buffer Overflow
{00.48.024} Linux - RedHat Fixes Netscape Buffer Overflows
{00.48.029} Linux - Update {00.45.018}: Pine 4.30 Now Available
{00.48.008} BSD - telnet TERMCAP DoS
{00.48.009} BSD - Update {00.46.015}: tcsh Creates Insecure tmp Files
            For << Processing
{00.48.010} BSD - Update {00.45.041}: ncurses Library Buffer Overflows
{00.48.011} BSD - Update {00.36.021}: mgetty/faxrunq Local Symlink
            Attack
{00.48.013} BSD - Update {00.43.020}: Curl Log Message Buffer Overflow
{00.48.018} BSD - ppp 'deny_incoming' Does Not Deny Traffic
{00.48.027} BSD - Update {00.41.012}: thttpd ssi Remote Arbitrary File
            Access
{00.48.028} BSD - Update {00.43.003}: PHP Logging Format Bug Overflow
{00.48.023} NApps - WatchGuard Firebox Connection Flood DoS
{00.48.032} HPUX - Update {00.47.006}: Security Vulnerability In
            auto_params
{00.48.033} HPUX - Update {00.33.016}: HP-UX ftpd Remote Code Execution
            Via Format String
{00.48.016} SGI - InPerson Local Vulnerabilities
{00.48.002} Cross - Update {00.47.002}: Bind ZXFR DoS
{00.48.004} Cross - User Readable Crontab Directory/Local Privilege
            Elevation
{00.48.019} Cross - DCScripts.com DCForum CGI Multiple Vulnerabilities
{00.48.021} Cross - RealServer Runtime Memory Disclosure
{00.48.022} Cross - Marc Brinkmann CGIForum Remote File Viewing
{00.48.025} Cross - Ethereal AFS ACL Parsing Buffer Overflow
{00.48.026} Cross - Oracle Connection Manager Control Buffer Overflow
{00.48.030} Cross - AdCycle build.cgi Information Disclosure/DoS
{00.48.031} Cross - Ultimate Bulletin Board Private Forums Viewable
{00.48.037} Cross - phf HTTP_X Buffer Overflow

- --- Windows News -------------------------------------------------------

*** {00.48.006} Win - MS00-088: Default Exchange User Account

Microsoft has released MS00-088 ("Patch Available For Exchange User
Account Vulnerability"). Early versions of Exchange 2000 installed a
default user account with a known password on the system. Exchange 2000
installation CDs that lack 'Rev. A' under the title are vulnerable.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/fq00-088.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q4/0064.html

*** {00.48.007} Win - Update {00.44.002}: MS00-080: IIS Insecure
                Session Cookies

Microsoft has re-released MS00-080, due to problems in the IIS 4.0 Alpha
patch and IIS 5.0 x86 patch.

FAQ and updated patches:
http://www.microsoft.com/technet/security/bulletin/fq00-080.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q4/0071.html

*** {00.48.014} Win - Pelesoft Netsnap HTTP Server Buffer Overflow

A buffer overflow was found in Pelesoft's Netsnap webcam software prior
to version 1.2.9. A large request to the included Web server allows a
remote attacker to execute arbitrary code.

Version 1.2.9 fixes the vulnerability and is available at:
http://www.netsnap.com/

Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0077.html

*** {00.48.017} Win - IE/Outlook .chm Vulnerabilities

An advisory was released detailing how an attacker can use compiled help
files (.chm) to discover the location of the temporary download
directory used by IE. Given this information, a malicious Web site or
e-mail could have a user unknowingly download trojan .chm files and then
cause the files to execute, because the location of the downloaded files
is known.

This affects Internet Explorer version 5.X, Outlook and Outlook Express.

No patches have been made available.

Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0081.html

*** {00.48.034} Win - WinVNC Insecure Registry Permissions

WinVNC version 3.3.x uses insecure registry permissions on sensitive
authentication information stored in the Windows registry.

No patches have been made available.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-11/0253.html

*** {00.48.035} Win - NetCPlus SmartServer3 Multiple Vulnerabilities

NetCPlus' SmartServer3 has been found to contain multiple
vulnerabilities. Two remote denial-of-service flaws were found which would
allow a remote attacker to cause the service to stop responding to SMTP
and POP connections. Also, the password storage scheme used has been
found to be extremely weak, allowing anyone with filesystem access to
the mail server to retrieve all users' passwords.

No patches have been made available.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-11/0256.html
http://archives.neohapsis.com/archives/bugtraq/2000-11/0254.html

*** {00.48.036} Win - NetCPlus BrowseGate Insecure Password Storage

NetCPlus' BrowseGate has been found to insecurely store user passwords
due to a weak encoding scheme.

No patches have been made available.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-11/0255.html

- --- Linux News ---------------------------------------------------------

*** {00.48.001} Linux - Update {00.47.017}: OpenSSH Allows Malicious
                Server To Access X display/ssh-agent

Trustix and Debian have released updated packages which correct the
vulnerability discussed in {00.47.017} ("OpenSSH Allows Malicious Server
To Access X display/ssh-agent").

Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2000-11/0217.html

Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2000-q4/0066.html

Source: Trustix, Debian (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-11/0217.html
http://archives.neohapsis.com/archives/vendor/2000-q4/0066.html

*** {00.48.003} Linux - Update {00.47.021}: Modutils Local Command
                Execution

Multiple Linux vendors have released updates which fix the vulnerability
discussed in {00.47.021} ("Modutils Local Command Execution").

Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2000-q4/0057.html

Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2000-q4/0019.html

Updated RedHat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2000-11/0229.html

Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2000-q4/0069.html

Source: Mandrake, Immunix, RedHat, Debian (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/mandrake/2000-q4/0057.html
http://archives.neohapsis.com/archives/linux/immunix/2000-q4/0019.html
http://archives.neohapsis.com/archives/bugtraq/2000-11/0229.html
http://archives.neohapsis.com/archives/vendor/2000-q4/0069.html

*** {00.48.005} Linux - Joe DEADJOE File Creation Follows Symlinks

Joe's Own Editor (joe) version 2.8 (and possibly earlier) contains a
vulnerability that allows a local attacker to cause a user to append
text to the end of an arbitrary file by creating a symlink between Joe's
DEADJOE temporary file and the target file.

Updated RedHat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2000-11/0273.html

Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2000-q4/0058.html

Source: SecurityFocus Bugtraq, RedHat, Mandrake
http://archives.neohapsis.com/archives/bugtraq/2000-11/0227.html
http://archives.neohapsis.com/archives/bugtraq/2000-11/0273.html
http://archives.neohapsis.com/archives/linux/mandrake/2000-q4/0058.html

*** {00.48.012} Linux - Update {00.45.037}: Multiple tcpdump Buffer
                Overflows

SuSE and Debian have released updated tcpdump packages which correct
the vulnerability discussed in {00.45.037} ("Multiple tcpdump Buffer
Overflows").

Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2000-q4/0681.html

Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2000-q4/0070.html

Source: SuSE, Debian
http://archives.neohapsis.com/archives/linux/suse/2000-q4/0681.html
http://archives.neohapsis.com/archives/vendor/2000-q4/0070.html

*** {00.48.015} Linux - Cups Allows Remote Attackers To Use Printers

Some vendors ship cups configurations that allow remote attackers to
use printer resources accessible by cups. Another side effect of older
versions of cups caused dial-on-demand lines and Internet connections
to be affected by broadcast queries.

Mandrake and Debian have released updated packages to address the
problems.

Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2000-q4/0056.html

Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2000-q4/0068.html

Source: Mandrake, Debian
http://archives.neohapsis.com/archives/linux/mandrake/2000-q4/0056.html
http://archives.neohapsis.com/archives/vendor/2000-q4/0068.html

*** {00.48.020} Linux - socks5 Connection Request Buffer Overflow

An exploit has been released that reportedly allows a remote attacker
to execute arbitrary code in a connection request to the socks5 server
versions 1.0r8 through 1.0r10, and possibly others. However, the
attacker does need to successfully authenticate to the socks5 service
before he or she can exploit the vulnerability.

No patches have been made available.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-11/0219.html

*** {00.48.024} Linux - RedHat Fixes Netscape Buffer Overflows

RedHat has released updated Netscape packages which fix the
vulnerabilities discussed in {00.46.019} ("FreeBSD Netscape Port Update
Corrects Buffer Overflow").

Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2000-11/0247.html

Source: RedHat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-11/0247.html

*** {00.48.029} Linux - Update {00.45.018}: Pine 4.30 Now Available

Mandrake has released an updated Pine package which fixes vulnerabilities
discussed in {00.45.018} ("Pine 4.30 Now Available").

Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/linux/mandrake/2000-q4/0059.html

Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2000-q4/0059.html

- --- BSD News -----------------------------------------------------------

*** {00.48.008} BSD - telnet TERMCAP DoS

FreeBSD has released an advisory detailing a remote denial of service
whereby an attacker can specify an alternate TERMCAP file. By specifying
a large file, the system may take significant time to process it.

FreeBSD 4.1.1-STABLE and 3.5.1-STABLE after 11/19/2000 have the patch
applied. For all others, a patch can be found at:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/telnetd.patch.v1.1

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-11/0286.html

*** {00.48.009} BSD - Update {00.46.015}: tcsh Creates Insecure tmp
                Files For << Processing

FreeBSD has released updated patches for csh, tcsh and 44bsd-csh to
correct the vulnerability discussed in {00.46.015} ("tcsh Creates
Insecure tmp Files For << Processing").

Patches and correction dates for each component are listed at:
http://archives.neohapsis.com/archives/freebsd/2000-11/0288.html

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-11/0288.html

*** {00.48.010} BSD - Update {00.45.041}: ncurses Library Buffer
                Overflows

FreeBSD has released an advisory listing updated ncurses ports which
correct the vulnerability discussed in {00.45.041} ("ncurses Library
Buffer Overflows").

File downloads and correction dates are listed at:
http://archives.neohapsis.com/archives/freebsd/2000-11/0287.html

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-11/0287.html

*** {00.48.011} BSD - Update {00.36.021}: mgetty/faxrunq Local Symlink
                Attack

FreeBSD has released an updated mgetty port which corrects the
vulnerability discussed in {00.36.021} ("mgetty/faxrunq Local Symlink
Attack").

The ports collection after 9/10/2000 is updated. Individual file
downloads are listed at:
http://archives.neohapsis.com/archives/freebsd/2000-11/0282.html

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-11/0282.html

*** {00.48.013} BSD - Update {00.43.020}: Curl Log Message Buffer
                Overflow

FreeBSD has released an updated curl port which fixes the
vulnerabilities discussed in {00.43.020} ("Curl Log Message Buffer
Overflow").

The ports collection after 10/30/2000 contains the fixes. Individual
files for download are listed at:
http://archives.neohapsis.com/archives/freebsd/2000-11/0283.html

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-11/0283.html

*** {00.48.018} BSD - ppp 'deny_incoming' Does Not Deny Traffic

FreeBSD has released an advisory detailing how versions of ppp
incorrectly handle the 'net deny_incoming' command. This causes users
to think they are protected from incoming traffic, when in reality they
are not.

FreeBSD 4.1.1-STABLE and 3.5.1-STABLE after 10/30/2000 correct the
problem. A patch is available at:
http://archives.neohapsis.com/archives/freebsd/2000-11/0186.html

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-11/0186.html

*** {00.48.027} BSD - Update {00.41.012}: thttpd ssi Remote Arbitrary
                File Access

FreeBSD has released an updated thttpd port which fixes the
vulnerability discussed in {00.41.012} ("thttpd ssi Remote Arbitrary
File Access").

The updated port packages are listed at:
http://archives.neohapsis.com/archives/freebsd/2000-11/0284.html

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-11/0284.html

*** {00.48.028} BSD - Update {00.43.003}: PHP Logging Format Bug
                Overflow

FreeBSD has released updated PHP ports which correct the vulnerability
discussed in {00.43.003} ("PHP Logging Format Bug Overflow").

Updated port packages are listed at:
http://archives.neohapsis.com/archives/freebsd/2000-11/0285.html

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-11/0285.html

- --- Network Appliances News --------------------------------------------

*** {00.48.023} NApps - WatchGuard Firebox Connection Flood DoS

WatchGuard has confirmed a vulnerability in the Firebox II which would
allow a remote attacker to cause the unit to stop responding by making
multiple connection attempts to a proxied service.

WatchGuard expects to have a fix out this week, which will be available
for download at:
https://www.watchguard.com/support

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-11/0224.html
http://archives.neohapsis.com/archives/bugtraq/2000-11/0246.html

- --- HP-UX News ---------------------------------------------------------

*** {00.48.032} HPUX - Update {00.47.006}: Security Vulnerability In
                auto_params

HP has released patches for HP-UX 10.26 and 10.16. The patches correct
the vulnerability discussed in {00.47.006} ("Security Vulnerability In
auto_params").

Apply the appropriate patch:
HP-UX 10.26: PHCO_22591
HP-UX 10.16: PHCO_22634

Source: HP
http://archives.neohapsis.com/archives/hp/2000-q4/0054.html

*** {00.48.033} HPUX - Update {00.33.016}: HP-UX ftpd Remote Code
                Execution Via Format String

HP has released patches for HP-UX 10.26 and 10.16 for the vulnerability
discussed in {00.33.016} ("HP-UX ftpd Remote Code Execution Via Format
String").

Apply the appropriate patch:
HP-UX 10.26: PHNE_22124
HP-UX 10.16: PHNE_22703

Source: HP
http://archives.neohapsis.com/archives/hp/2000-q4/0054.html

- --- SGI News -----------------------------------------------------------

*** {00.48.016} SGI - InPerson Local Vulnerabilities

SGI has released an advisory detailing vulnerabilities in the inpview
application which is included in the company's InPerson suite. The
vulnerabilities, which have been discussed since 1997, allow a local
user to gain root access.

InPerson has been replaced with SGIMeeting; therefore, there will be no
updates to the vulnerable application. SGI recommends removing the
InPerson package by running: versions remove InPerson.

Source: SGI
http://archives.neohapsis.com/archives/vendor/2000-q4/0072.html

- --- Cross-Platform News ------------------------------------------------

*** {00.48.002} Cross - Update {00.47.002}: Bind ZXFR DoS

Trustix and SuSE Linux have released updated BIND packages which correct
the denial of service attack discussed in {00.47.002} ("Bind ZXFR DoS").

IBM has acknowledged the vulnerability and assigned it APAR IY14512.

Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2000-11/0217.html

Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2000-q4/0657.html

Source: Trustix, SuSE, IBM (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-11/0217.html
http://archives.neohapsis.com/archives/linux/suse/2000-q4/0657.html
http://archives.neohapsis.com/archives/aix/2000-q4/0010.html

*** {00.48.004} Cross - User Readable Crontab Directory/Local Privilege
                Elevation

A vulnerability was found in Vixie cron which allows a local attacker
to raise his or her privilege if the crontab directory is readable by
the attacker. An exploit has been published.

Debian 2.2 is reported vulnerable, as are other Unix systems that have
installed Vixie cron manually. RedHat, Mandrake, Cobalt, Corel, Slackware
and Trustix Linux are not vulnerable, nor is FreeBSD.

A suggested workaround is to run:
chmod 700 /var/spool/cron

Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2000-q4/0067.html

Source: Debian, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vendor/2000-q4/0067.html
http://archives.neohapsis.com/archives/bugtraq/2000-11/0237.html
http://archives.neohapsis.com/archives/bugtraq/2000-11/0244.html

*** {00.48.019} Cross - DCScripts.com DCForum CGI Multiple
                Vulnerabilities

The DCForum CGI from DCScripts.com (versions 1.0 through 6.0) contains
multiple vulnerabilities that allow a remote attacker to view files on
the system as well as potentially delete the CGI application.

Vendor-supplied instructions for fixing the problem are available at:
http://www.dcscripts.com/dcforum/dcfNews/124.html

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-11/0218.html

*** {00.48.021} Cross - RealServer Runtime Memory Disclosure

Real Networks RealServer versions 7 and earlier contain a logic error
that allows a remote attacker to view the memory used by the RealServer.
This memory could potentially contain configuration information,
connection authentication information and other sensitive data.

Real Networks has released an update. It's available at:
http://service.real.com/help/faq/security/memory.html

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-11/0236.html

*** {00.48.022} Cross - Marc Brinkmann CGIForum Remote File Viewing

The CGIForum script from www.marcbrinkmann.de allows remote attackers
to view arbitrary files (viewable by the Web server process) by
submitting a malformed 'thesection' parameter.

No patches have been made available.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-11/0263.html

*** {00.48.025} Cross - Ethereal AFS ACL Parsing Buffer Overflow

A buffer overflow has been found in Ethereal versions 0.8.13 and
earlier. A remote attacker could construct packets with particular AFS
ACLs, which could lead to the arbitrary execution of code on the system
running Ethereal. This problem is related to {00.45.037} ("Multiple
tcpdump Buffer Overflows").

No patches have been made available. Product homepage:
http://www.ethereal.com/

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-11/0251.html

*** {00.48.026} Cross - Oracle Connection Manager Control Buffer
                Overflow

A buffer overflow has been found in Oracle's Connection Manager Control
application (cmctl). A local attacker could leverage this attack to gain
euid/egid of the application, which is typically Oracle/DBA.

The vulnerability has been reported on Linux version 8.1.5 and
HP-UX (version unstated).

No patches have been made available.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-11/0261.html
http://archives.neohapsis.com/archives/bugtraq/2000-11/0277.html

*** {00.48.030} Cross - AdCycle build.cgi Information Disclosure/DoS

AdCycle's installation involves the use of build.cgi, which tests the
database connection and initializes the database tables. If an admin
does not correctly restrict access to build.cgi after installation, it
may be possible for a remote attacker to gain the database
authentication information as well as to cause all the current data to
be deleted.

After installation, the permissions on build.cgi should be restricted
or the build.cgi should be removed or moved outside the Web root.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-11/0271.html

*** {00.48.031} Cross - Ultimate Bulletin Board Private Forums Viewable

A vulnerability in Ultimate Bulletin Board versions 5.73 and earlier
allows a remote attacker to view posts in a private forum, circumventing
the required authentication.

No patches have been made available.

Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2000-q4/0491.html

*** {00.48.037} Cross - phf HTTP_X Buffer Overflow

The phf CGI has been found vulnerable to a buffer overflow in the HTTP_X
environment variable, thereby allowing a remote attacker to execute
arbitrary code on the system.

No patches have been made available. We recommend removing or
restricting access to phf.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-11/0221.html

************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org

iD8DBQE6HCvI+LUG5KFpTkYRAiiTAKCPjXiFCD/e+VyDiYu5MrV1SbczAACfQdlJ
wKuxHiZ09x2S2uX2r7yE+Qw=
=8QCB
-----END PGP SIGNATURE-----
------------------------------------------------------------------------

We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at
(http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46)
and can be accessed from the SANS Web site (http://www.sans.org).

Copyright (c) 2000 CMP Media Inc. A service of Network Computing. All
Rights Reserved.

Distributed by Network Computing (http://www.networkcomputing.com) and
The SANS Institute (http://www.sans.org).