From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Jan 04 2001 - 15:09:42 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 078 (00.54)
Thursday, January 4, 2001
Created for you by
Network Computing and the SANS Institute
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
This issue is sponsored by Network Computing Events
Come see our Real-World Labs(R) LIVE Virtual Private Networking with
Quality of Service & Voice and Video Over IP Demo during COMNET. We'll
be LIVE in the Lobby at COMNET in the Washington D.C. Convention Center
January 29-February 1, 2001 from 10:00am - 4:00pm each day. For more
information click on:
http://www.networkcomputing.com/marketing/events/comnet.html
----------------------------------------------------------------------
This week's issue is smaller than usual because the information released
over the holidays was minimal.
A recent discussion about Zone Alarm brings up a good reminder: Be aware
of programs executed on the system responsible for your firewall. This
isn't a big concern in corporate networks (we hope), but is important
for home users working with products such as Zone Alarm. In general,
there's a host of ways to deactivate, uninstall and/or delete these
personal firewall products. However, all these options are required of
a standard computer application. The risk is that a virus, Trojan or
otherwise malicious content could disable the firewall product, leaving
the user's system vulnerable. However, we feel the problem lies in
users not keeping their systems free of malicious content; the problem
is not that the personal firewall products come with uninstall features
(standard of all computer applications nowadays).
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0146.html
Until next week,
- Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{00.54.008} Linux - Red Hat stunnel tries to write PID file to
nonexistent /var/stunnel
{00.54.009} Linux - Update {00.53.005}: gpg private key import/detached
signature vulnerabilities
{00.54.011} Linux - Fetchmail 'authenticate gssapi' vulnerability
{00.54.012} Linux - GTK+ arbitrary code execution via GTK_MODULES
environment variable
{00.54.003} Other - Normal Mac OS users can log in as 'owner'
{00.54.010} BSD - Update {00.51.034}: BitchX malformed DNS record
buffer overflow
{00.54.006} AIX - Update {00.53.032}: ksh creates insecure tmp files
for << processing
{00.54.004} SGI - Update {00.37.005}: Libc/glibc gettext() locale
format vulnerability
{00.54.005} SGI - Admin note: SGI's FTP patch site has changed
{00.54.002} Cross - Macromedia Shockwave Flash plugin buffer overflow
{00.54.007} Cross - Ikonboard CGI remote command execution
- --- Linux News ---------------------------------------------------------
*** {00.54.008} Linux - Red Hat stunnel tries to write PID file to
nonexistent /var/stunnel
Red Hat has released an updated stunnel package in response to older
versions of stunnel attempting to write a PID (process ID) file to
/var/stunnel, which does not exist. The details of exploitation have
not been released; we're assuming it's possible to form some variant of
symlink attack.
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2000-q4/0017.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2000-q4/0017.html
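Added example, not taken from the newsletter or from stunnel: C code for a daemon that creates its PID file so that a missing directory or a planted symlink makes it fail closed, on the newsletter's assumption that the risk is a symlink attack. The function name write_pidfile and the paths used are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create <dir>/<name> containing `pid`. Returns 0 on success, -1 on refusal. */
int write_pidfile(const char *dir, const char *name, long pid)
{
    struct stat st;
    char buf[32];
    int dfd, fd, len, ok;

    /* O_NOFOLLOW: the directory itself must not be a symlink. */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;                  /* missing directory: fail closed */

    /* Only this user may create entries here: owner match, no g/o write. */
    if (fstat(dfd, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        return -1;
    }

    /* O_EXCL refuses any existing name, including a dangling symlink. */
    fd = openat(dfd, name,
                O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0644);
    close(dfd);
    if (fd < 0)
        return -1;

    len = snprintf(buf, sizeof buf, "%ld\n", pid);
    ok = write(fd, buf, (size_t)len) == (ssize_t)len;
    if (close(fd) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

int main(void)
{
    /* Hypothetical location; a packaged daemon would use its own directory. */
    return write_pidfile("/var/run", "example.pid", (long)getpid()) == 0
               ? EXIT_SUCCESS : EXIT_FAILURE;
}
```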
*** {00.54.009} Linux - Update {00.53.005}: gpg private key
import/detached signature vulnerabilities
Conectiva has released an updated gpg package, which fixes the
vulnerability discussed in {00.53.005} ("gpg private key import/detached
signature vulnerabilities").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2000-q4/0025.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2000-q4/0025.html
*** {00.54.011} Linux - Fetchmail 'authenticate gssapi' vulnerability
TurboLinux has released an advisory that details a security
vulnerability in fetchmail's handling of the "authenticate gssapi"
command. Specific exploit details have not been released.
Updated TurboLinux RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2000-q4/0002.html
Source: TurboLinux
http://archives.neohapsis.com/archives/linux/turbolinux/2000-q4/0002.html
*** {00.54.012} Linux - GTK+ arbitrary code execution via GTK_MODULES
environment variable
The GTK+ library has been found to load and execute any module listed
in the GTK_MODULES environment variable. This lets local users combine
a Trojan GTK module with a setgid/setuid application that uses the
GTK+ library, resulting in privilege escalation.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-12/0498.html
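Added example, not part of the newsletter or of GTK+: C code showing how a setuid/setgid program can remove GTK_MODULES from its environment before the toolkit starts, so the caller cannot choose which module gets loaded. The function names and the LD_PRELOAD entry in the list are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

/* Variables that make a library load caller-chosen code. GTK_MODULES is the
 * one from the advisory; LD_PRELOAD is the dynamic-linker analogue, listed
 * here as an illustrative extra. */
static const char *const loader_vars[] = { "GTK_MODULES", "LD_PRELOAD", NULL };

/* Non-zero when real and effective ids differ, i.e. the binary runs
 * setuid/setgid and its environment came from a less-privileged caller. */
int runs_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Remove every listed variable when `elevated` is non-zero.
 * Returns the number of variables removed, or -1 if removal failed. */
int scrub_loader_env(int elevated)
{
    int removed = 0;

    if (!elevated)
        return 0;
    for (size_t i = 0; loader_vars[i] != NULL; i++) {
        if (getenv(loader_vars[i]) == NULL)
            continue;
        if (unsetenv(loader_vars[i]) != 0)
            return -1;              /* caller should abort start-up */
        removed++;
    }
    return removed;
}

int main(void)
{
    /* Must run before gtk_init() or any other toolkit initialisation. */
    if (scrub_loader_env(runs_elevated()) < 0)
        return EXIT_FAILURE;
    return EXIT_SUCCESS;
}
```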
- --- Other News ---------------------------------------------------------
*** {00.54.003} Other - Normal Mac OS users can log in as 'owner'
Mac OS version 9.04 has been reported vulnerable to a bug that would
allow a user defined as "normal" to log in as "owner" (which is
equivalent to administrator) on systems where "Multiple Users" is set
up. A normal user can move the "Users & Groups Data File" file from
the preferences folder, which effectively removes the password from the
owner account.
No patches have been made available. It is suggested that you give
normal users "Limited" access instead of "Normal."
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-12/0497.html
- --- BSD News -----------------------------------------------------------
*** {00.54.010} BSD - Update {00.51.034}: BitchX malformed DNS record
buffer overflow
FreeBSD has released an updated BitchX advisory to indicate that
ko-bitchx is also affected by the vulnerability discussed in {00.51.034}
("BitchX malformed DNS record buffer overflow").
The ports collections as of 12/12/2000 contain the updated version.
Individual packages available for download are listed at:
http://archives.neohapsis.com/archives/freebsd/2000-12/0555.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-12/0555.html
- --- AIX News -----------------------------------------------------------
*** {00.54.006} AIX - Update {00.53.032}: ksh creates insecure tmp
files for << processing
IBM has released a statement that confirms the version of ksh shipped
with AIX is NOT vulnerable to the bug discussed in {00.53.032} ("ksh
creates insecure tmp files for << processing").
Source: IBM (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-12/0473.html
- --- SGI News -----------------------------------------------------------
*** {00.54.004} SGI - Update {00.37.005}: Libc/glibc gettext() locale
format vulnerability
SGI has released an updated version of IRIX, which fixes the
vulnerability discussed in {00.37.005} ("Libc/glibc gettext() locale
format vulnerability").
IRIX versions prior to 6.5 are retired and unsupported. IRIX version
6.5.10 fixes the vulnerability, and all IRIX 6.5.x installations should
upgrade to 6.5.10. Patches are available at:
ftp://patches.sgi.com/support/free/security/
Source: SGI (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-12/0480.html
*** {00.54.005} SGI - Admin note: SGI's FTP patch site has changed
This administrative note to SGI admins indicates that security patches
are no longer available at sgigate.sgi.com, but have moved to the
following location:
ftp://patches.sgi.com/support/free/security/
Source: SGI (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-12/0477.html
- --- Cross-Platform News ------------------------------------------------
*** {00.54.002} Cross - Macromedia Shockwave Flash plugin buffer
overflow
Macromedia Shockwave Flash plugin versions 2 through 8 on all platforms
(Windows, Mac OS, Solaris and Linux) are reportedly vulnerable to a
buffer overflow by a malformed Flash file. This vulnerability would
allow a malicious Flash file (provided by a Web site, e-mail, etc.) to
run arbitrary code on the user's system.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-12/0491.html
*** {00.54.007} Cross - Ikonboard CGI remote command execution
The Ikonboard bulletin board CGI version 2.1.7b (and possibly prior)
contains a vulnerability that would let a remote attacker execute
arbitrary commands on the Web server (under the Web server's uid) by
specifying an alternate SEND_MAIL URL parameter.
No (working) patches have been made available. The patch included in
the referenced post below is insufficient because it does not remove
the vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-12/0483.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE6VOPx+LUG5KFpTkYRAgmRAJ9Nc+/XNr4pLm67WypR4FeUS6zMdwCgkEJx
kOw6tTVnQSg4uOb3qZIq5Ks=
=q0Xa
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
If this e-mail was passed to you and you would like to begin receiving
our security e-mail newsletter on a weekly basis, we invite you to
subscribe today at http://www.networkcomputing.com/consensus/. Become
a Security Alert Consensus member!
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at
(http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46)
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note:
To better secure your confidential information, we will no longer
include personal URLs in our Consensus newsletter mailings. Instead, we
have created a new form, located at http://www.sans.org/sansurl. There,
you can enter the SD number located near your name at the top of the
newsletter. When you submit this form, an e-mail containing a URL will
be sent to you at the e-mail address on record. With this URL, you can
make changes to your account (edit the content of your Consensus
mailing, for example) without endangering the security of your personal
URL. If you'd like to change your e-mail address or other information
or unsubscribe from this newsletter, please visit your new URL as
described above. If you have any problems or questions, e-mail us at
<consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved.
Distributed by Network Computing (http://www.networkcomputing.com) and
The SANS Institute (http://www.sans.org).