From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Feb 01 2001 - 18:00:44 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 082 (00.58)
Thursday, February 1, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
SANS2001 Registration Opens
More than ninety full-day courses including seven immersion training
tracks. Classes will fill up fast so register now before 6000+ brochures
hit the streets!
http://www.sans.org/SANS2001.htm
----------------------------------------------------------------------
The major vulnerability this week was with Bind. Multiple remotely
exploitable buffer overflows have been found, which allow a remote
attacker to execute arbitrary code. When compared to the past NXT bug,
the new TSIG vulnerability may be easier to exploit, since it doesn't
require such a complicated set-up (it doesn't require control of an
authoritative DNS server).
Also, the numbering of the Security Alert Consensus issues has faced a
Year-2001 glitch. The SAC reference numbers are in the form
{year.issue.item}. However, with the January 4th issue, we did not roll
over to the new year in the reference number ({01.xx.xxx}). Starting
with this issue (01.05), we will be using the correct reference numbers.
We will still reference the past four issues under their published (year
2000) reference numbers; however, for your convenience, here's the
conversion chart:
Issue   NWC#   Date released   New ID
00.54   78     1/4/2001        01.01
00.55   79     1/11/2001       01.02
00.56   80     1/18/2001       01.03
00.57   81     1/25/2001       01.04
Until next week,
- Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{01.05.016} Win - MS01-003: Winsock Mutex Vulnerability
{01.05.017} Win - MS01-004: New file fragment reading via .htr
vulnerability
{01.05.018} Win - MS01-005: Hotfix packaging anomalies
{01.05.020} Win - PlanetIntra pi CGI buffer overflow
{01.05.036} Win - Trend Micro Virus Buster 2001 long e-mail address
buffer overflow
{01.05.037} Win - SlimServe HTTPd buffer overflow DoS
{01.05.038} Win - AIM malformed images lead to script execution during
log viewing
{01.05.003} Linux - Update {00.56.005}: PHP Apache module OPTIONS
directory configuration vulnerability
{01.05.005} Linux - Update {00.57.025}: icecast server fd_write()
format string vulnerability
{01.05.006} Linux - Update {00.56.019}: wu-ftpd privatepw temp file
race condition
{01.05.008} Linux - Trustix ships with openldap enabled
{01.05.010} Linux - Update {00.56.034}: glibc incorrectly loads
libraries from ld.so.cache for suid/sgid apps
{01.05.011} Linux - Update {00.56.027}: squid insecure temp file
handling
{01.05.015} Linux - Update {00.56.032}: htpasswd/htdigest (Apache)
insecure temp file handling
{01.05.027} Linux - Update {00.56.020}: inn insecure temporary file
handling
{01.05.028} Linux - Update {00.47.017}: OpenSSH allows malicious server
to access X display/ssh-agent
{01.05.032} Linux - Update {00.57.024}: Webmin insecure temp file
handling
{01.05.034} Linux - Update {00.51.022}: LPRng remote format string
buffer overflow
{01.05.002} BSD - Update {00.47.002}: Bind ZXFR DoS
{01.05.019} BSD - ipfw/ip6fw ECE packet subverts 'established' rule
{01.05.023} BSD - Ident remote file reading
{01.05.024} BSD - Update {00.57.026}: tinyproxy httperr() buffer
overflow
{01.05.033} BSD - periodic insecure temp file handling
{01.05.044} BSD - FreeBSD XFree86 updates
{01.05.009} HPUX - man command DoS
{01.05.021} HPUX - Unauthorized user access to Omniback client
{01.05.001} Cross - Multiple Bind buffer overflows (TSIG/infoleak)
{01.05.004} Cross - Update {00.56.043}: exmh insecure temp file handling
{01.05.007} Cross - Update {00.57.013}: Three vulnerabilities in MySql
{01.05.012} Cross - kdesu password sniffing vulnerability
{01.05.013} Cross - Update {00.57.015}: Multiple vulnerabilities in micq
{01.05.022} Cross - inetd open socket DoS
{01.05.025} Cross - Sort insecure temp file handling
{01.05.026} Cross - IBM Websphere Netscape component JSP file disclosure
{01.05.029} Cross - mars_nwe syslog format string vulnerability
{01.05.030} Cross - NewsDaemon username SQL tampering
{01.05.031} Cross - Hyperseek 2000 search engine file disclosure
{01.05.035} Cross - crontab allows users to read certain files
{01.05.039} Cross - Netscape Enterprise Server Web publishing
INDEX/REVLOG vulnerabilities
{01.05.040} Cross - JRun malformed URI Web-INF directory
listing/Web.xml disclosure
{01.05.041} Cross - Lars Ellingsen's guestserver.cgi command execution
{01.05.043} Cross - CrazyWWWBoard/qDecoder MIME boundary string buffer
overflow
{01.05.014} Tools - Apache 1.3.17 released
{01.05.042} Svc - AOL Web browser DoS/buffer overflow
--- Windows News -------------------------------------------------------
*** {01.05.016} Win - MS01-003: Winsock Mutex Vulnerability
Microsoft has released MS01-003 ("Winsock Mutex Vulnerability"). Due to
insecure permissions on the winsock mutex, which is used during network
access, it is possible for a local application to 'take over' the mutex
and thereby keep the system from participating on the network.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/ms01-003.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0021.html
*** {01.05.017} Win - MS01-004: New file fragment reading via .htr
vulnerability
Microsoft has released MS01-004 ("New file fragment reading via .htr
vulnerability"). A new variant on the older '.htr file fragment reading'
bug allows a remote attacker to gain access to the source of executable
scripts (such as ASPs). This could possibly reveal sensitive
configuration information or application logic.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/ms01-004.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0028.html
*** {01.05.018} Win - MS01-005: Hotfix packaging anomalies
Microsoft has released MS01-005 ("Hotfix packaging anomalies"). Due to
some packaging glitches, certain catalog files contained within hotfixes
were corrupt. This could lead Windows 2000's file protection mechanism
to revert to the insecure versions. This problem affects post-SP1
hotfixes prior to 12/18/2000.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/ms01-005.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0030.html
*** {01.05.020} Win - PlanetIntra pi CGI buffer overflow
The PlanetIntra Web server ships with a particular CGI program, pi, that
has been found vulnerable to a buffer overflow that would allow a remote
attacker to execute arbitrary code on the system. This vulnerability
has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0421.html
*** {01.05.036} Win - Trend Micro Virus Buster 2001 long e-mail address
buffer overflow
Trend Micro's Virus Buster 2001 version 8.00 antivirus package has been
found to contain a buffer overflow in the handling of large 'to'
addresses within e-mails. A vendor patch confirms this vulnerability.
Trend Micro has released version 8.01, which is available from:
http://www.trendmicro.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0500.html
*** {01.05.037} Win - SlimServe HTTPd buffer overflow DoS
The SlimServe HTTPd server version 1.0 has been found to contain a
buffer overflow in the handling of large URL requests. This
vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0505.html
*** {01.05.038} Win - AIM malformed images lead to script execution
during log viewing
A report has surfaced indicating a potential problem in AOL Instant
Messenger (versions 4.1 through 4.4). Due to the way AIM logs data, it
is possible for a malicious user to send a malformed image embedded in
a conversation. While this won't affect the current conversation, it
may alter the log files in such a way that would cause
JavaScript/VBScript to be executed when the user views logs of the
conversation. This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0414.html
--- Linux News ---------------------------------------------------------
*** {01.05.003} Linux - Update {00.56.005}: PHP Apache module OPTIONS
directory configuration vulnerability
Many vendors have released updated PHP packages, which fix the
vulnerability discussed in {00.56.005} ("PHP Apache module OPTIONS
directory configuration vulnerability").
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0028.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0016.html
Source: Redhat, Debian
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0028.html
http://archives.neohapsis.com/archives/vendor/2001-q1/0016.html
*** {01.05.005} Linux - Update {00.57.025}: icecast server fd_write()
format string vulnerability
RedHat and Conectiva have released updated icecast packages that fix
the vulnerability discussed in {00.57.025} ("icecast server fd_write()
format string vulnerability"). Vendor patches confirm this
vulnerability.
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0026.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0005.html
Source: RedHat, Conectiva
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0026.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0005.html
*** {01.05.006} Linux - Update {00.56.019}: wu-ftpd privatepw temp file
race condition
Debian has released new wu-ftpd packages that fix the vulnerability
discussed in {00.56.019} ("wu-ftpd privatepw temp file race condition").
Updated Debian DEBs (prior versions contained a packaging problem):
http://archives.neohapsis.com/archives/vendor/2001-q1/0014.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0014.html
*** {01.05.008} Linux - Trustix ships with openldap enabled
Trustix has released a patch fixing a packaging problem that results in
openldap running as a service; this is contrary to Trustix's "no default
services" philosophy.
Updated Trustix RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0469.html
Source: Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0469.html
*** {01.05.010} Linux - Update {00.56.034}: glibc incorrectly loads
libraries from ld.so.cache for suid/sgid apps
SuSE and Caldera have released updated glibc packages that fix the
vulnerability discussed in {00.56.034} ("glibc incorrectly loads
libraries from ld.so.cache for suid/sgid apps").
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0004.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q1/0438.html
Source: Caldera, SuSE
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0004.html
http://archives.neohapsis.com/archives/linux/suse/2001-q1/0438.html
*** {01.05.011} Linux - Update {00.56.027}: squid insecure temp file
handling
Debian has released an updated squid package that fixes the
vulnerability discussed in {00.56.027} ("squid insecure temp file
handling").
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0015.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0015.html
*** {01.05.015} Linux - Update {00.56.032}: htpasswd/htdigest (Apache)
insecure temp file handling
Debian has released an updated Apache package that fixes the
vulnerability discussed in {00.56.032} ("htpasswd/htdigest (Apache)
insecure temp file handling").
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0019.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0019.html
*** {01.05.027} Linux - Update {00.56.020}: inn insecure temporary file
handling
Debian has released an updated inn2 package that fixes the vulnerability
discussed in {00.56.020} ("inn insecure temporary file handling").
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0023.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0023.html
*** {01.05.028} Linux - Update {00.47.017}: OpenSSH allows malicious
server to access X display/ssh-agent
Debian has released new OpenSSH packages for the SPARC platform, due to
a build problem. The packages fix the vulnerability discussed in
{00.47.017} ("OpenSSH allows malicious server to access X
display/ssh-agent").
Updated (SPARC) Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0026.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0026.html
*** {01.05.032} Linux - Update {00.57.024}: Webmin insecure temp file
handling
Caldera and Mandrake have released updated Webmin packages that fix the
vulnerability discussed in {00.57.024} ("Webmin insecure temp file
handling").
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0006.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0017.html
Source: Caldera, Mandrake
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0006.html
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0017.html
*** {01.05.034} Linux - Update {00.51.022}: LPRng remote format string
buffer overflow
TurboLinux has released an updated LPRng package that fixes the
vulnerability discussed in {00.51.022} ("LPRng remote format string
buffer overflow").
Updated TurboLinux RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q1/0001.html
Source: TurboLinux
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q1/0001.html
--- BSD News -----------------------------------------------------------
*** {01.05.002} BSD - Update {00.47.002}: Bind ZXFR DoS
FreeBSD has released an advisory concerning the vulnerability discussed
in {00.47.002} ("Bind ZXFR DoS").
The FreeBSD 3.5-Stable branch has been corrected since 11/27/2000; the
FreeBSD ports collection has been corrected since 1/5/2001. Individual
packages are also available for download.
Please note: These updates do not include fixes for the more recent
buffer overflows discussed in this issue. We suggest updating to the
more recent version.
Source: FreeBSD (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0391.html
*** {01.05.019} BSD - ipfw/ip6fw ECE packet subverts 'established' rule
Ipfw and ip6fw have been found to consider TCP packets with the ECE flag
set as part of an established connection; therefore, ipfw/ip6fw rules
that depend on the use of the 'established' parameter may be subverted.
The vendor has confirmed the vulnerability and released an update.
Updated ipfw packages are listed at:
http://archives.neohapsis.com/archives/freebsd/2001-01/0341.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-01/0341.html
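To make the 'established' semantics concrete, here is an added example (not ipfw or ip6fw source) that decodes the flag byte of a raw TCP header and applies the meaning the rule is intended to have (ACK or RST set), reporting separately any segment that carries ECE without ACK or RST, the case the advisory says the vulnerable rule matched. It goes one step further than the advisory text by showing that an ECN-capable client's opening SYN (ECE|CWR per RFC 3168) falls into that case; the header builder, flag constants and sample headers are constructed for the demonstration.

```c
/* Added example, not ipfw/ip6fw source: decode the TCP flag byte from a raw
 * TCP header and apply the semantics an "established" rule is meant to have
 * (ACK or RST set), so that a segment carrying ECE without ACK/RST, which the
 * advisory says the vulnerable rule matched, is reported separately. Sample
 * headers are constructed inline. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits, low byte of the data-offset/flags word (RFC 793, RFC 3168). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* ECN-Echo */
#define TH_CWR  0x80   /* Congestion Window Reduced */

#define TCP_MIN_HDR 20

enum verdict {
    V_BAD_HDR = -1,        /* header too short to carry a flags byte */
    V_NOT_ESTABLISHED = 0, /* e.g. a plain SYN: connection setup */
    V_ESTABLISHED = 1,     /* ACK or RST set: belongs to an existing connection */
    V_ECE_ONLY = 2         /* ECE set, no ACK/RST: the case the advisory describes */
};

/* Return the flags byte (offset 13) of a raw TCP header, or -1 if truncated. */
int tcp_flags(const uint8_t *hdr, size_t len)
{
    if (hdr == NULL || len < TCP_MIN_HDR)
        return -1;
    return hdr[13];
}

/* Intended meaning of "established": ACK or RST is set. ECE is a congestion
 * signal and says nothing about whether a connection exists. */
int is_established(int flags)
{
    return (flags & (TH_ACK | TH_RST)) != 0;
}

enum verdict classify_flags(int flags)
{
    if (flags < 0 || flags > 0xff)
        return V_BAD_HDR;
    if (is_established(flags))
        return V_ESTABLISHED;
    if (flags & TH_ECE)
        return V_ECE_ONLY;
    return V_NOT_ESTABLISHED;
}

/* Classify a raw header; truncated input is rejected rather than guessed at. */
enum verdict classify(const uint8_t *hdr, size_t len)
{
    return classify_flags(tcp_flags(hdr, len));
}

/* Build a minimal 20-byte TCP header (constructed sample; checksum left 0). */
void make_tcp_hdr(uint8_t out[TCP_MIN_HDR], uint16_t sport, uint16_t dport,
                  uint8_t flags)
{
    memset(out, 0, TCP_MIN_HDR);
    out[0] = (uint8_t)(sport >> 8); out[1] = (uint8_t)(sport & 0xff);
    out[2] = (uint8_t)(dport >> 8); out[3] = (uint8_t)(dport & 0xff);
    out[12] = 5 << 4;   /* data offset: 5 32-bit words, no options */
    out[13] = flags;
}

int main(void)
{
    static const char *names[] = { "not established", "established",
                                   "ECE without ACK/RST" };
    /* An ECN-capable client's opening SYN carries ECE|CWR (RFC 3168), so a
     * rule that reads ECE as "established" passes connection setup. */
    const uint8_t cases[] = { TH_SYN, TH_SYN | TH_ECE | TH_CWR, TH_ECE,
                              TH_ACK, TH_RST, TH_ACK | TH_ECE };
    uint8_t h[TCP_MIN_HDR];
    for (size_t i = 0; i < sizeof cases; i++) {
        make_tcp_hdr(h, 40000, 22, cases[i]);
        enum verdict v = classify(h, sizeof h);
        printf("flags=0x%02x -> %s\n", cases[i],
               v == V_BAD_HDR ? "bad header" : names[v]);
    }
    return 0;
}
```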
*** {01.05.023} BSD - Ident remote file reading
A bug in FreeBSD's ident server (built into inetd) allows a remote user
to read the first 16 bytes of any file that is group wheel readable.
The vendor has confirmed this vulnerability.
FreeBSD-4.2-STABLE as of 11/25/2000 and FreeBSD-3.5-STABLE as of
1/26/2001 contain the corrected versions. A patch is listed at:
http://archives.neohapsis.com/archives/freebsd/2001-01/0493.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-01/0493.html
*** {01.05.024} BSD - Update {00.57.026}: tinyproxy httperr() buffer
overflow
FreeBSD has released an updated tinyproxy port that fixes the
vulnerability discussed in {00.57.026} ("tinyproxy httperr() buffer
overflow").
Updated FreeBSD packages are listed at:
http://archives.neohapsis.com/archives/freebsd/2001-01/0540.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-01/0540.html
*** {01.05.033} BSD - periodic insecure temp file handling
FreeBSD has released updated periodic packages, due to periodic's
improper handling of temporary files.
FreeBSD-4.1.1 after 11/11/2000 contains the updated version. Individual
patches are available at:
http://archives.neohapsis.com/archives/freebsd/2001-01/0492.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-01/0492.html
*** {01.05.044} BSD - FreeBSD XFree86 updates
FreeBSD has released a security advisory that fixes a few older problems
in components shipped with XFree86. The ports collection as of
10/24/2000 contains the fixes.
Individual packages available for download are listed at:
http://archives.neohapsis.com/archives/freebsd/2001-01/0536.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-01/0536.html
--- HP-UX News ---------------------------------------------------------
*** {01.05.009} HPUX - man command DoS
HP has released a security advisory detailing a denial of service in
the man command, due to man's insecure temporary file handling. No
additional details were made available. The vendor has confirmed this
vulnerability.
HP has released the following patches:
HP-UX 11.00: PHCO_23088
HP-UX 11.04: PHCO_23178
HP-UX 10.20: PHCO_23089
HP-UX 10.24: PHCO_23178
HP-UX 10.10: PHCO_23090
HP-UX 10.01: PHCO_23091
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0027.html
*** {01.05.021} HPUX - Unauthorized user access to Omniback client
HP has released patches for OmnibackII version A.03.50. The patches
prevent an unauthorized user from accessing the Omniback client. The
vendor has confirmed this vulnerability.
HP-UX 11.00: PHSS_22915
HP-UX 10.xx: PHSS_22914
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0022.html
http://archives.neohapsis.com/archives/hp/2001-q1/0023.html
--- Cross-Platform News ------------------------------------------------
*** {01.05.001} Cross - Multiple Bind buffer overflows (TSIG/infoleak)
Bind versions prior to 8.2.3 and 4.9.8 contain various remotely
exploitable buffer overflows that would allow a remote attacker to
execute arbitrary code on the system under the privileges of the Bind
service. The vendor has confirmed these vulnerabilities.
ISC has announced Bind 8.2.3 and 4.9.8-REL, which fix the problems.
ftp://ftp.isc.org/isc/bind/src/8.2.3/bind-src.tar.gz
ftp://ftp.isc.org/isc/bind/src/DEPRECATED/4.9.8/bind-498-REL.tar.gz
Many Linux vendors have also released updated Bind packages:
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0027.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0469.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0022.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0008.html
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0003.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0030.html
Updated Slackware tarballs:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0477.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0046.html
Source: Bind, Debian, Trustix, Mandrake, Conectiva, Caldera, RedHat,
Slackware, Immunix (SF Bugtraq)
http://archives.neohapsis.com/archives/bind/2001/0003.html
http://archives.neohapsis.com/archives/bind/2001/0004.html
http://archives.neohapsis.com/archives/vendor/2001-q1/0027.html
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0022.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0008.html
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0003.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0030.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0477.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0046.html
*** {01.05.004} Cross - Update {00.56.043}: exmh insecure temp file
handling
Debian, Mandrake and FreeBSD have released updated exmh packages that
correct the vulnerability discussed in {00.56.043} ("exmh insecure temp
file handling").
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0022.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0014.html
Updated FreeBSD packages:
http://archives.neohapsis.com/archives/freebsd/2001-01/0543.html
Source: Debian, Mandrake, FreeBSD
http://archives.neohapsis.com/archives/vendor/2001-q1/0022.html
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0014.html
http://archives.neohapsis.com/archives/freebsd/2001-01/0543.html
*** {01.05.007} Cross - Update {00.57.013}: Three vulnerabilities in
MySql
Many vendors have released updated MySql packages that fix the
vulnerability discussed in {00.57.013} ("Three vulnerabilities in
MySql").
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0029.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0006.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0016.html
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0478.html
Updated FreeBSD packages:
http://archives.neohapsis.com/archives/freebsd/2001-01/0541.html
Source: RedHat, Conectiva, Mandrake, Caldera, FreeBSD (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0029.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0006.html
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0016.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0478.html
http://archives.neohapsis.com/archives/freebsd/2001-01/0541.html
*** {01.05.012} Cross - kdesu password sniffing vulnerability
The kdesu utility, shipped with KDE2, allows a local user to view the
passwords entered at the kdesu prompt. The vendor has confirmed this
vulnerability. Many Linux vendors have released updated packages.
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0005.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q1/0499.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0009.html
Source: Caldera, SuSE, Conectiva
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0005.html
http://archives.neohapsis.com/archives/linux/suse/2001-q1/0499.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0009.html
*** {01.05.013} Cross - Update {00.57.015}: Multiple vulnerabilities in
micq
A patch has been made available for the vulnerability discussed in
{00.57.015} ("Multiple vulnerabilities in micq"). FreeBSD and RedHat
have also released updated packages.
A patch is available at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0395.html
Updated FreeBSD packages:
http://archives.neohapsis.com/archives/freebsd/2001-01/0539.html
Updated Redhat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0027.html
Source: FreeBSD, SecurityFocus Bugtraq, RedHat
http://archives.neohapsis.com/archives/bugtraq/2001-01/0395.html
http://archives.neohapsis.com/archives/freebsd/2001-01/0539.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0027.html
*** {01.05.022} Cross - inetd open socket DoS
Inetd has been found to not properly close sockets used for internal
services (echo, chargen, etc). This can result in a denial of service
attack, should a remote attacker make multiple connections to one of
the running internal services. A vendor has confirmed this
vulnerability.
Updated RedHat RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0031.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0031.html
*** {01.05.025} Cross - Sort insecure temp file handling
Sort has been found to insecurely handle temporary files, resulting in
a local race condition.
FreeBSD has released a patch:
http://archives.neohapsis.com/archives/freebsd/2001-01/0495.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-01/0495.html
*** {01.05.026} Cross - IBM Websphere Netscape component JSP file
disclosure
A vulnerability has been found in the IBM Websphere Netscape component.
If the Websphere component uses the same document root as the Netscape
server, it may be possible to circumvent Websphere's processing of JSP
pages, allowing the JSP files to be served by Netscape instead. This
will result in the disclosure of the original JSP source code. This
vulnerability has not been confirmed. A suggested workaround is to use
separate document roots for Netscape and Websphere servers.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0446.html
*** {01.05.029} Cross - mars_nwe syslog format string vulnerability
mars_nwe version 0.99pl19 (and probably prior) contains a format string
buffer overflow during syslog operations. This vulnerability has not
been confirmed.
A third party patch is available at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0456.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0456.html
*** {01.05.030} Cross - NewsDaemon username SQL tampering
Versions of the NewsDaemon Web application prior to 0.21b contain a
vulnerability that allows remote users to tamper with an internal SQL
query, thereby allowing them to gain administrative rights to the
application. The vendor has confirmed this vulnerability and released
version 0.21b to fix the problem.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0460.html
*** {01.05.031} Cross - Hyperseek 2000 search engine file disclosure
The Hyperseek 2000 search engine has been reported to allow a remote
attacker to view arbitrary files on the system (if they are viewable by
the Web server's uid). This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0463.html
*** {01.05.035} Cross - crontab allows users to read certain files
FreeBSD has released an advisory indicating a vulnerability in
crontab(8). This vulnerability allows a local user to read other users'
crontab(5) files or files of a particular format. The vendor has
confirmed this vulnerability.
Updated FreeBSD packages are listed at:
http://archives.neohapsis.com/archives/freebsd/2001-01/0342.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0024.html
Source: FreeBSD, Debian
http://archives.neohapsis.com/archives/freebsd/2001-01/0342.html
http://archives.neohapsis.com/archives/vendor/2001-q1/0024.html
*** {01.05.039} Cross - Netscape Enterprise Server Web publishing
INDEX/REVLOG vulnerabilities
Two reports have surfaced indicating problems in the Web publishing
mechanism of Netscape Enterprise Server versions 3.x and 4.x. If Web
publishing is enabled, it is possible for a remote attacker to gain
directory listings of Web directories by making INDEX requests. Also,
there is a potential denial of service when issuing REVLOG requests.
These vulnerabilities have not been confirmed.
The suggested workaround is to disable Web publishing. Please note that
the Netscape Enterprise Server line is no longer supported; the iPlanet
Server line has replaced it.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0396.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0422.html
*** {01.05.040} Cross - JRun malformed URI Web-INF directory
listing/Web.xml disclosure
Allaire has released a security advisory detailing a problem in JRun
version 3.0 that allows a remote attacker to gain directory listings of
the Web-inf directory as well as to view the contents of the Web.xml
file in the Web-inf directory.
Allaire has patches available at:
http://download.allaire.com/jrun/jrun3.0/jr30sp2.exe (Windows)
http://download.allaire.com/jrun/jrun3.0/jr30sp2u.sh (Unix)
Source: Allaire
http://archives.neohapsis.com/archives/vendor/2001-q1/0017.html
*** {01.05.041} Cross - Lars Ellingsen's guestserver.cgi command
execution
The guestbook CGI application by Lars Ellingsen has been found to allow
a remote attacker to execute arbitrary commandline commands under the
privileges of the Web server. No patches have been made available. This
vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0471.html
*** {01.05.043} Cross - CrazyWWWBoard/qDecoder MIME boundary string
buffer overflow
The qDecoder CGI library, versions 4.0 through 5.0.8, contains a buffer
overflow in the handling of MIME boundary strings. CrazyWWWBoard
versions 2000px, 2000LEpx, 98, 98PE, and 3.0.1 are built on the qDecoder
library and are therefore vulnerable. The buffer overflow allows a
remote attacker to execute arbitrary code under the Web server's uid.
A vendor patch confirms this vulnerability.
CrazyWWWBoard version 2000LEp5-1, which fixes the problem, is available
at:
ftp://ftp.nobreak.com/pub/SOTNAL/CrazyWWWBoard2000LEp5-1/
A patch is available at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0486.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0486.html
--- Tool Announcements News --------------------------------------------
*** {01.05.014} Tools - Apache 1.3.17 released
Apache 1.3.17 has been released. It includes bug fixes in mod_rewrite
and mod_autoindex, and better byte range handling. More importantly, it
includes a few path fixes for NetWare that could lead to a possible
security problem.
You can download version 1.3.17 from:
http://httpd.apache.org/dist/
Source: Apache
http://archives.neohapsis.com/archives/apache/2001/0001.html
--- Services News ------------------------------------------------------
*** {01.05.042} Svc - AOL Web browser DoS/buffer overflow
A report has surfaced indicating a possible buffer overflow in the Web
browser included with AOL 5.0 software. It may be possible to trigger
the buffer overflow via an embedded Web link in an e-mail. No patches
have been released. This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0443.html
************************************************************************
----------------------------------------------------------------------
If this e-mail was passed to you and you would like to begin receiving
our security e-mail newsletter on a weekly basis, we invite you to
subscribe today at http://www.networkcomputing.com/consensus/. Become
a Security Alert Consensus member!
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at
(http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46)
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note:
To better secure your confidential information, we will no longer
include personal URLs in our Consensus newsletter mailings. Instead, we
have created a new form, located at http://www.sans.org/sansurl, where
you can enter the SD number located near your name at the top of the
newsletter. When you submit this form, an e-mail containing a URL will
be sent to you at the e-mail address on record. With this URL you can
make changes to your account (edit the content of your Consensus
mailing, for example) without endangering the security of your personal
URL. If you'd like to change your e-mail address or other information,
or unsubscribe to this newsletter, please visit your new URL as
described above. If you have any problems or questions, e-mail us at
<consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved.
Distributed by Network Computing (http://www.networkcomputing.com) and
The SANS Institute (http://www.sans.org).
Powered by Neohapsis Inc., a Chicago-based security assessment and
integration services consulting group. info@neohapsis.com
http://www.neohapsis.com/