From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Apr 26 2001 - 15:10:33 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 094 (01.17)
Thursday, April 19, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
Learn at Brocade Networking Storage Conference 2001
Enhance your knowledge and expertise in Storage Area Networking (SANs).
Presentation Highlights: SAN implementation case studies from users;
the latest SAN technology from the industry's leading vendors; and the
future of SAN technology from Brocade executives. Complimentary Brocade
Certification testing. Learn more at:
http://www.brocade.com/conference2001
----------------------------------------------------------------------
It was slow on the vulnerability front this week, which is a good thing
for most of us. However, there were a good number of vendor updates.
SGI finally issued an advisory on some of January's Bind
vulnerabilities. IBM announced patches {01.17.007} for the ntpd/xntpd
problems. And Microsoft announced that it has been bitten -- once again
-- by regression errors, this time in relation to the IE cached content
problem {01.11.002}.
In other news this week, one of our sister efforts (GIAC) formally
launched incidents.org. Readers are encouraged to hop over to
www.incidents.org and check out the Internet Storm Watch as well as some
of the other resources the team is providing.
Until next week,
- Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.17.006} Win - MS01-022: WebDAV service provider allows scripts to
impersonate user
{01.17.013} Win - Update {01.11.002}: MS01-015: IE may divulge location
to cached content
{01.17.016} Win - The Bat! line ending misinterpretation
{01.17.017} Win - Viking Web server reverse directory traversal
{01.17.025} Win - Update {01.12.014}: FTP server globbing denial of
service
{01.17.002} Linux - Update {01.13.018}: Linux kernel 2.2.19 released
{01.17.004} Linux - Update {01.15.012}: Netscape GIF comment may
contain malicious JavaScript
{01.17.005} Linux - Update {01.16.024}: cfingerd syslog format string
buffer overflows
{01.17.009} Linux - Nirvana editor (nedit) insecure temp file handling
{01.17.012} Linux - sendfiled local buffer overflow
{01.17.022} Linux - Update {01.16.032}: IPTables FTP RELATED
connections bypass filters
{01.17.023} Linux - Update {00.56.023}: mgetty insecure temp file
handling
{01.17.010} BSD - Update {01.13.010}: licq URL link can contain
embedded commands
{01.17.011} BSD - Update {01.11.012}: slrn message wrapper buffer
overflow
{01.17.020} BSD - Update {01.15.011}: Multivendor FTP glob
functionality buffer overflow
{01.17.007} AIX - Update {01.15.001}: ntpd/xntpd control request
parsing buffer overflow
{01.17.024} NW - Mercury MTA POP3 server buffer overflow
{01.17.008} SGI - Update {01.05.001}: Multiple Bind buffer overflows
(TSIG/infoleak)
{01.17.014} NApps - Cisco CBOS display 'sh nat' output to different
session
{01.17.018} Other - Timbuktu allows user to bypass Mac OS X
authentication
{01.17.001} Cross - Samba insecure temp file handling
{01.17.003} Cross - Sudo logging buffer overflow
{01.17.019} Cross - NCM.at Content Management System content.pl file
disclosure/command execution
{01.17.021} Cross - Update {01.16.030}: Hylafax hfaxd -q parameter
format string vulnerability
{01.17.026} Cross - WebCalendar PHP script remote command execution
{01.17.027} Cross - phpMyAdmin script remote command execution
{01.17.028} Cross - phpPgAdmin script remote command execution
{01.17.029} Cross - phpSecurePages script remote command execution
{01.17.015} Tools - Bind 8.2.4 available
- --- Windows News -------------------------------------------------------
*** {01.17.006} Win - MS01-022: WebDAV service provider allows scripts
to impersonate user
Microsoft has released MS01-022 ("WebDAV service provider allows scripts
to impersonate user"). The WebDAV Internet Publishing Provider component
allows a script received from a malicious Web site to make various
WebDAV requests to arbitrary servers, using the user's authentication
credentials in the process. This could allow a malicious Web site (or
e-mail) to access internal Web servers and so on.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-022.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q2/0010.html
*** {01.17.013} Win - Update {01.11.002}: MS01-015: IE may divulge
location to cached content
Microsoft has rereleased the patches for the vulnerability discussed in
{01.11.002} ("MS01-015: IE may divulge location to cached content").
The original patches have been found to contain a regression error.
New patches are available at:
http://www.microsoft.com/technet/security/bulletin/MS01-015.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q2/0018.html
*** {01.17.016} Win - The Bat! line ending misinterpretation
The Bat! e-mail program version 1.51 mishandles an improper end-of-line
sequence. This could provide a potential denial of service against the
user.
The vendor has confirmed this problem and fixed it in version
1.42beta10. This version appears to be an earlier version than 1.51,
but we're just going on what was reported.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0345.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0381.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0410.html
*** {01.17.017} Win - Viking Web server reverse directory traversal
Viking Web server version 1.07 allows a remote attacker to access files
outside the Web root by using reverse directory traversal ('..')
notation in a URL request.
The vendor has confirmed the problem and released a fix, which is
available at:
http://www.robtex.com/viking/dl.htm
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0409.html
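The Viking item above is a classic reverse-traversal bug: the server maps the request path onto the filesystem without checking that the result still lies under the Web root. The following is an added example, written for this page and not code from Viking or from the newsletter, of the containment check a file-serving handler needs. It percent-decodes once, treats backslash as a separator (Viking is a Windows server), canonicalises with realpath, and only then compares against the canonical root; the sample request paths and the throwaway web root it builds are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(web_root: str, request_path: str) -> str:
    """Map a request path onto the filesystem and refuse anything that
    lands outside web_root. Raises PermissionError on traversal.

    The steps mirror what a file-serving handler must do, in this order:
    1. percent-decode once ('..' may arrive as '%2e%2e'),
    2. treat backslash as a separator (Windows servers accept both),
    3. canonicalise with realpath so '..', '.' and symlinks are resolved,
    4. compare the canonical result against the canonical root.
    """
    root = os.path.realpath(web_root)
    decoded = unquote(request_path).replace("\\", "/")
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # The prefix test must include the separator, otherwise a sibling such
    # as /srv/www-private would pass as being under /srv/www.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PermissionError(f"path escapes web root: {request_path!r}")
    return candidate


def classify_requests(web_root: str, request_paths: list[str]) -> dict[str, str]:
    """Return 'allowed' or 'blocked' for each request path."""
    verdicts = {}
    for p in request_paths:
        try:
            resolve_under_root(web_root, p)
            verdicts[p] = "allowed"
        except PermissionError:
            verdicts[p] = "blocked"
    return verdicts


# Constructed request paths: benign lookups plus the traversal forms a
# server has to reject (plain, percent-encoded, backslash, mixed).
SAMPLE_REQUESTS = [
    "/index.html",
    "/docs/../index.html",          # normalises back inside the root
    "/../secret.txt",
    "/%2e%2e/secret.txt",
    "/docs/..%5c..%5csecret.txt",
    "/..\\..\\secret.txt",
]


def run_demo() -> dict[str, str]:
    """Build a throwaway web root beside a 'secret' file (constructed
    scenario) and classify SAMPLE_REQUESTS against it."""
    with tempfile.TemporaryDirectory() as scratch:
        root = os.path.join(scratch, "www")
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>hello</h1>")
        with open(os.path.join(scratch, "secret.txt"), "w") as f:
            f.write("outside the web root")
        return classify_requests(root, SAMPLE_REQUESTS)


if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{verdict:8} {path}")
```

Note that the decode happens exactly once: a double-encoded `%252e%252e` becomes the literal filename `%2e%2e` after one pass, which stays inside the root and simply does not exist. Decoding in a loop until the string stops changing is how servers end up accepting traversal they thought they had filtered.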
*** {01.17.025} Win - Update {01.12.014}: FTP server globbing denial of
service
A quick note was posted indicating that the newest version of Winsock
FTPD (version 3.00R4) contains a fix for the vulnerability discussed in
{01.12.014} ("FTP server globbing denial of service").
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0394.html
- --- Linux News ---------------------------------------------------------
*** {01.17.002} Linux - Update {01.13.018}: Linux kernel 2.2.19 released
Mandrake and Conectiva have released updated kernel packages that fix
the vulnerability discussed in {01.13.018} ("Linux kernel 2.2.19
released").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0309.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0003.html
Source: Mandrake, Conectiva (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-04/0309.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0003.html
*** {01.17.004} Linux - Update {01.15.012}: Netscape GIF comment may
contain malicious JavaScript
Debian has released updated Netscape packages that fix the vulnerability
discussed in {01.15.012} ("Netscape GIF comment may contain
malicious JavaScript").
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q2/0019.html
Updated Progeny DEBs:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0351.html
Source: Debian, Progeny (SF Bugtraq)
http://archives.neohapsis.com/archives/vendor/2001-q2/0019.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0351.html
*** {01.17.005} Linux - Update {01.16.024}: cfingerd syslog format
string buffer overflows
Debian and Progeny have released updated cfingerd packages that fix the
vulnerability discussed in {01.16.024} ("cfingerd syslog format string
buffer overflows").
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q2/0009.html
Updated Progeny DEBs:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0373.html
Source: Debian, Progeny (SF Bugtraq)
http://archives.neohapsis.com/archives/vendor/2001-q2/0009.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0373.html
*** {01.17.009} Linux - Nirvana editor (nedit) insecure temp file
handling
The nirvana editor (nedit) has been found to handle temporary files
insecurely when printing portions of a file. This potentially allows a
local attacker to overwrite files writable by the user running nedit.
This vulnerability has been confirmed.
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q2/0364.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q2/0364.html
*** {01.17.012} Linux - sendfiled local buffer overflow
Debian has released an advisory indicating a buffer overflow in
sendfiled that, when exploited, would allow a local user to execute
arbitrary code with root privileges.
This vulnerability has been confirmed.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q2/0020.html
Updated Progeny DEBs:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0384.html
Source: Debian, Progeny (SF Bugtraq)
http://archives.neohapsis.com/archives/vendor/2001-q2/0020.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0384.html
*** {01.17.022} Linux - Update {01.16.032}: IPTables FTP RELATED
connections bypass filters
RedHat has released an advisory concerning the vulnerability discussed
in {01.16.032} ("IPTables FTP RELATED connections bypass filters").
Essentially, the company is just alerting users of RedHat 7.1 to the
problem. At the present time, no RedHat updates are available.
The advisory is available at:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0357.html
Source: RedHat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-04/0357.html
*** {01.17.023} Linux - Update {00.56.023}: mgetty insecure temp file
handling
RedHat has released updated patches for the vulnerability discussed in
{00.56.023} ("mgetty insecure temp file handling"). The first set of
patches contained packaging errors.
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0365.html
Source: RedHat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-04/0365.html
- --- BSD News -----------------------------------------------------------
*** {01.17.010} BSD - Update {01.13.010}: licq URL link can contain
embedded commands
FreeBSD has updated the licq port to fix the vulnerability discussed in
{01.13.010} ("licq URL link can contain embedded commands").
The FreeBSD ports collection as of March 13, 2001, contains the updated
version.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-04/0607.html
*** {01.17.011} BSD - Update {01.11.012}: slrn message wrapper buffer
overflow
FreeBSD has updated the slrn port to fix the vulnerability discussed in
{01.11.012} ("slrn message wrapper buffer overflow").
The FreeBSD ports collection as of April 4, 2001, contains the fixed
version.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-04/0610.html
*** {01.17.020} BSD - Update {01.15.011}: Multivendor FTP glob
functionality buffer overflow
FreeBSD has released an updated advisory concerning the vulnerability
discussed in {01.15.011} ("Multivendor FTP glob functionality buffer
overflow").
Updated advisory can be found at:
http://archives.neohapsis.com/archives/freebsd/2001-04/0466.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-04/0466.html
- --- AIX News -----------------------------------------------------------
*** {01.17.007} AIX - Update {01.15.001}: ntpd/xntpd control request
parsing buffer overflow
IBM has released a patch that fixes the vulnerability discussed in
{01.15.001} ("ntpd/xntpd control request parsing buffer overflow").
The emergency fix for AIX 4.3.x and 5.1 is available at:
ftp://aix.software.ibm.com/aix/efixes/security/xntpd_efix.tar.Z
Source: IBM (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-04/0314.html
- --- NetWare News -------------------------------------------------------
*** {01.17.024} NW - Mercury MTA POP3 server buffer overflow
Mercury MTA POP3 servers prior to version 1.48 contain a buffer overflow
in the handling of incoming commands. This vulnerability could allow a
remote attacker to execute arbitrary code.
Version 1.48 fixes this problem.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0378.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0388.html
- --- SGI News -----------------------------------------------------------
*** {01.17.008} SGI - Update {01.05.001}: Multiple Bind buffer
overflows (TSIG/infoleak)
SGI has released patches for the vulnerability discussed in {01.05.001}
("Multiple Bind buffer overflows (TSIG/infoleak)").
A full list of available patches can be viewed at:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0324.html
Source: SGI
http://archives.neohapsis.com/archives/vendor/2001-q2/0017.html
- --- Network Appliances News --------------------------------------------
*** {01.17.014} NApps - Cisco CBOS display 'sh nat' output to different
session
Cisco has confirmed a bug in CBOS (Cisco Broadband Operating System)
found on various Cisco cable modems. If a user runs the 'sh nat' command
in one telnet terminal, the output actually will be displayed to the
next user who makes a connection (but prior to logging in).
Cisco is currently working on a fix.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0380.html
- --- Other News ---------------------------------------------------------
*** {01.17.018} Other - Timbuktu allows user to bypass Mac OS X
authentication
A report has surfaced indicating that the Timbuktu preview for Mac OS
X allows a user to access the Timbuktu and System Preferences
configuration menus without having to log in. By accessing System
Preferences, users can modify user authentication information, thus
giving them administrative access.
The report indicates that the vendor, Netopia, is not concerned with
the problem.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0337.html
- --- Cross-Platform News ------------------------------------------------
*** {01.17.001} Cross - Samba insecure temp file handling
Samba versions 2.0.7 and prior have been found to handle temporary files
insecurely, thereby allowing a local attacker to overwrite arbitrary
files when a remote user queries a printer queue. The smbclient
application also creates insecure temporary files when performing 'more'
and 'mput' commands.
The vendor has confirmed this vulnerability and released version 2.0.8
(security upgrade only) as well as the newer 2.2.0 series, which also
contains feature enhancements. The new versions are available at:
ftp://www.samba.org/pub/samba/
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q2/0008.html
http://archives.neohapsis.com/archives/vendor/2001-q2/0012.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0009.html
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0004.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0319.html
Updated Progeny DEBs:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0326.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0004.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0362.html
The FreeBSD ports collection was corrected on Apr 18, 2001:
http://archives.neohapsis.com/archives/freebsd/2001-04/0608.html
OpenBSD has committed net/samba-2.2.0 to the ports collection:
http://archives.neohapsis.com/archives/openbsd/2001-04/1669.html
Source: Debian, Immunix, Caldera, Trustix, Progeny, Conectiva, FreeBSD,
Samba (SF Bugtraq)
http://archives.neohapsis.com/archives/vendor/2001-q2/0008.html
http://archives.neohapsis.com/archives/vendor/2001-q2/0012.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0009.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0305.html
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0004.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0319.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0326.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0004.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0362.html
http://archives.neohapsis.com/archives/freebsd/2001-04/0608.html
http://archives.neohapsis.com/archives/openbsd/2001-04/1669.html
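Three items in this issue (nedit {01.17.009}, mgetty {01.17.023} and Samba {01.17.001}) are the same class of bug: a program creates a temporary file under a guessable name, so a local user can pre-plant a symlink at that name and have the program's write land on a file the user could not otherwise touch. The following is an added example, written for this page and not code from Samba, nedit or mgetty, that reproduces the pattern in a throwaway directory and contrasts it with the two fixes. The victim file, the `app.tmp` name and the spool payload are constructed for the demonstration.

```python
import os
import tempfile


def plant_symlink(scratch: str) -> tuple[str, str]:
    """Constructed attacker setup: a file the target process can write but
    the attacker should not be able to touch, and a symlink at the
    predictable temp-file name that points at it. In a shared /tmp any
    local user can pre-create such a link."""
    victim = os.path.join(scratch, "victim.txt")
    with open(victim, "w") as f:
        f.write("original contents\n")
    tmpname = os.path.join(scratch, "app.tmp")   # fixed, guessable name
    os.symlink(victim, tmpname)
    return victim, tmpname


def write_temp_insecure(tmpname: str, data: bytes) -> None:
    """Vulnerable pattern: O_CREAT without O_EXCL on a guessable name.
    open() follows the planted symlink and truncates whatever it targets."""
    fd = os.open(tmpname, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def write_temp_excl(tmpname: str, data: bytes) -> bool:
    """Minimal fix: with O_EXCL, open() fails if the path exists at all,
    including when it is a symlink, so the planted link is refused rather
    than followed. Returns False when the write was refused."""
    try:
        fd = os.open(tmpname, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return True


def write_temp_mkstemp(directory: str, data: bytes) -> str:
    """Preferred fix: mkstemp() picks an unpredictable name and opens it
    with O_EXCL and mode 0600 in one step. Returns the path it chose."""
    fd, path = tempfile.mkstemp(prefix="app.", dir=directory)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def victim_intact(victim: str) -> bool:
    """True while the victim file still holds its original contents."""
    with open(victim) as f:
        return f.read() == "original contents\n"


def run_demo() -> dict[str, bool]:
    """Run the three writers against the planted link and report what each
    did to the victim file."""
    payload = b"spool data\n"
    with tempfile.TemporaryDirectory() as scratch:
        victim, tmpname = plant_symlink(scratch)
        results = {}
        results["excl_refused"] = not write_temp_excl(tmpname, payload)
        results["intact_after_excl"] = victim_intact(victim)
        chosen = write_temp_mkstemp(scratch, payload)
        results["mkstemp_avoided_link"] = chosen != tmpname
        results["intact_after_mkstemp"] = victim_intact(victim)
        write_temp_insecure(tmpname, payload)
        results["intact_after_insecure"] = victim_intact(victim)
        return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:24} {ok}")
```

Only the last writer clobbers the victim. The O_EXCL variant is the minimal patch when a program must keep a fixed name, but it still needs to handle the refusal (and O_EXCL is historically unreliable on some network filesystems); mkstemp() is the usual fix because the unpredictable name removes the attacker's ability to guess where to plant the link in the first place.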
*** {01.17.003} Cross - Sudo logging buffer overflow
Sudo versions prior to 1.6.3p6 have been found to contain a locally
exploitable buffer overflow in the logging routines. This vulnerability
allows a local attacker to execute arbitrary commands as root.
This vulnerability has been confirmed.
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q2/0361.html
The FreeBSD ports collection was updated on Mar 7, 2001:
http://archives.neohapsis.com/archives/freebsd/2001-04/0609.html
Source: SuSE, FreeBSD
http://archives.neohapsis.com/archives/linux/suse/2001-q2/0361.html
http://archives.neohapsis.com/archives/freebsd/2001-04/0609.html
*** {01.17.019} Cross - NCM.at Content Management System content.pl
file disclosure/command execution
NCM.at's Content Management System ships with a content.pl CGI script.
This script has been found to allow remote attackers to view arbitrary
files that are readable by the Web server as well as to execute command
line commands under the uid of the Web process.
The report indicates vendor confirmation and a fix, which is available
by contacting the vendor directly. Vendor homepage:
http://www.ncm.at/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0223.html
*** {01.17.021} Cross - Update {01.16.030}: Hylafax hfaxd -q parameter
format string vulnerability
FreeBSD and SuSE have released updated hylafax packages that fix the
vulnerability discussed in {01.16.030} ("Hylafax hfaxd -q parameter
format string vulnerability").
The FreeBSD ports collection as of April 17, 2001, contains the fix:
http://archives.neohapsis.com/archives/freebsd/2001-04/0606.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q2/0429.html
Source: FreeBSD, SuSE
http://archives.neohapsis.com/archives/freebsd/2001-04/0606.html
http://archives.neohapsis.com/archives/linux/suse/2001-q2/0429.html
*** {01.17.026} Cross - WebCalendar PHP script remote command execution
The WebCalendar PHP script version 0.9.26 contains a bug that allows a
remote attacker to run arbitrary command line commands under the uid of
the Web server.
This vulnerability has been confirmed. A third-party patch is available
at:
http://www.securereality.com.au/patches/WebCalendar-SecureReality.diff
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0392.html
*** {01.17.027} Cross - phpMyAdmin script remote command execution
The phpMyAdmin script version 2.1.0 contains a bug that allows a remote
attacker to run arbitrary command line commands under the uid of the
Web server.
This vulnerability has been confirmed. A third-party patch is available
at:
http://www.securereality.com.au/patches/phpMyAdmin-SecureReality.diff
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0396.html
*** {01.17.028} Cross - phpPgAdmin script remote command execution
The phpPgAdmin script version 2.2.1 contains a bug that allows a remote
attacker to run arbitrary command line commands under the uid of the
Web server.
This vulnerability has been confirmed. A third-party patch is available
at:
http://www.securereality.com.au/patches/phpPgAdmin-SecureReality.diff
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0396.html
*** {01.17.029} Cross - phpSecurePages script remote command execution
The phpSecurePages script version 0.23beta contains a bug that allows
a remote attacker to run arbitrary command line commands under the uid
of the Web server.
This vulnerability has been confirmed. A third-party patch is available
at:
http://www.securereality.com.au/patches/phpSecurePages-SecureReality.diff
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0397.html
- --- Tool Announcements News --------------------------------------------
*** {01.17.015} Tools - Bind 8.2.4 available
Bind 8.2.4 has been released. It is a maintenance release that contains
bug fixes; no security-related items are included.
The updated version of Bind can be downloaded at:
ftp://ftp.isc.org/
Source: BIND
http://archives.neohapsis.com/archives/bind/2001/0021.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE66H7b+LUG5KFpTkYRAqXeAJkBvVy/RphPMn7/9ZDb6dQ7wU+nHQCeP0bM
vIKkz1jhMcm0Y+PDxTZ5N1o=
=ODW6
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today at:
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can be accessed from the SANS Web site: http://www.sans.org.
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form, located at:
http://www.sans.org/sansurl. On this form you can enter the SD number
located near your name at the top of the newsletter. When you submit
this form, an e-mail containing a URL will be sent to you at the e-mail
address on record. With this URL you can make changes to your account
(edit the content of your Consensus mailing, for example) without
endangering the security of your personal URL. If you'd like to change
your e-mail address or other information, or unsubscribe to this
newsletter, please visit your new URL as described above. If you have
any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at:
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).