From: Network Computing and The SANS Institute (sans+ZZ30724213527864530_at_sans.org)
Date: Thu Sep 05 2002 - 13:36:06 CDT


    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                          Number 035 (02.35)
                      Thursday, September 5, 2002
                          Created for you by
                Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensusnwc.com>.

    ----------------------------------------------------------------------

    TechQuiz: Biometric Authentication
    While there's still time, try your hand at our TechQuiz on verifying
    the identity of a user with biometric authentication. Only two days
    remain for you to qualify to win one of five USB security tokens.
    Sponsored by Rainbow Technologies.
    http://www.nwc.com/techquiz/

    ----------------------------------------------------------------------

    The largest notable bug this week was a mega-patch released by Compaq/HP
    for Tru64, which fixes many local and remotely-exploitable buffer
    overflows. More information is available under item {02.35.005} in the
    'Other' category.

    Otherwise, the vulnerability roll-call this week was relatively low, so
    admins can take a small breather and catch up from past weeks. We don't
    anticipate the lull will last long, however.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.35.007} Win - MS02-048: Certificate enrollment control certificate
                deletion
    {02.35.012} Win - SWServer HTTP Web root escaping
    {02.35.015} Win - FactoSystem CMS CGI SQL injection
    {02.35.001} Linux - Update {02.33.043}: KDE Konqueror ignores SSL
                certificate basic constraints
    {02.35.002} Linux - Update {02.31.018}: GAIM Jabber plugin buffer
                overflow
    {02.35.006} Linux - Update {02.30.031}: HylaFAX faxgetty TSI DoS
    {02.35.009} Linux - PXE server malformed DHCP DoS
    {02.35.013} Linux - Update {02.31.009}: RPC XDR array decoding overflow
    {02.35.014} NW - Update {02.06.011}: Multiple vendor SNMP problems
    {02.35.011} HPUX - Lp subsystem buffer overflow
    {02.35.008} SGI - Update {02.09.027}: Java applets can hijack HTTP
                proxy connections
    {02.35.004} Other - Update {02.30.001}: OpenSSL multiple overflows and
                ASN1 parse vulnerabilities
    {02.35.005} Other - Multiple Tru64 overflows (SSRT2229)
    {02.35.003} Cross - Ethereal ISIS decode overflow
    {02.35.010} Cross - Scrollkeeper temporary file vulnerability
    {02.35.016} Cross - Linuxconf LINUXCONF_LANG environment overflow
    {02.35.017} Cross - Python insecure temporary file handling

    - --- Windows News -------------------------------------------------------

    *** {02.35.007} Win - MS02-048: Certificate enrollment control
                    certificate deletion

    Microsoft released MS02-048 ("Certificate enrollment control
    certificate deletion"). The Certificate enrollment ActiveX control
    shipped with Windows 98 through XP contains a bug that allows a
    malicious Web site to delete arbitrary certificates in the user's
    certificate store, potentially causing a denial of service.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-048.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0119.html

    *** {02.35.012} Win - SWServer HTTP Web root escaping

    SWServer versions 2.2 and prior contain a vulnerability that allows
    a remote attacker to access arbitrary files outside the Web root by
    submitting URL requests with '..' notation.

    The advisory indicates confirmation by the vendor, which released
    version 2.3:
    http://www.geocities.com/tlhome2000/swserver.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0307.html

    *** {02.35.015} Win - FactoSystem CMS CGI SQL injection

    FactoSystem Content Management System CGI suite is vulnerable to SQL
    injection in various ASP pages, thereby allowing an attacker to tamper
    with the backend database.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0097.html

    - --- Linux News ---------------------------------------------------------

    *** {02.35.001} Linux - Update {02.33.043}: KDE Konqueror ignores SSL
                    certificate basic constraints

    Conectiva released updated KDE packages that fix the vulnerability
    discussed in {02.33.043} ("KDE Konqueror ignores SSL certificate
    basic constraints").

    Updated RPMs are listed at the reference URL below.

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0016.html

    *** {02.35.002} Linux - Update {02.31.018}: GAIM Jabber plugin buffer
                    overflow

    Mandrake and Conectiva released updated GAIM packages that fix the
    vulnerability discussed in {02.31.018} ("GAIM Jabber plugin buffer
    overflow").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0323.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0018.html

    Source: Conectiva, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0323.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0018.html

    *** {02.35.006} Linux - Update {02.30.031}: HylaFAX faxgetty TSI DoS

    Mandrake released updated HylaFAX packages that fix the vulnerability
    discussed in {02.30.031} ("HylaFAX faxgetty TSI DoS").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0322.html

    *** {02.35.009} Linux - PXE server malformed DHCP DoS

    A Red Hat advisory indicates that malformed DHCP packets could cause
    the PXE server to crash, resulting in a denial of service attack.

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0326.html

    *** {02.35.013} Linux - Update {02.31.009}: RPC XDR array decoding
                    overflow

    SuSE released updated glibc packages that fix the vulnerability
    discussed in {02.31.009} ("RPC XDR array decoding overflow").

    Updated RPMs are listed at the reference URL below.

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2002-q3/0913.html

    - --- NetWare News -------------------------------------------------------

    *** {02.35.014} NW - Update {02.06.011}: Multiple vendor SNMP problems

    Novell released updated SNMP packages that fix the vulnerability
    discussed in {02.06.011} ("Multiple vendor SNMP problems").

    Updates can be found at:
    http://support.novell.com/servlet/tidfinder/2961546

    Source: Novell
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0295.html

    - --- HP-UX News ---------------------------------------------------------

    *** {02.35.011} HPUX - Lp subsystem buffer overflow

    HP released patches for a vague buffer overflow in the lp printing
    subsystem. The advisory states the problem is exploitable by local
    users.

    Apply the appropriate patch:
    HPUX 10.20: PHCO_27133
    HPUX 11.00: PHCO_27132
    HPUX 11.11: PHCO_27020

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q3/0064.html

    - --- SGI News -----------------------------------------------------------

    *** {02.35.008} SGI - Update {02.09.027}: Java applets can hijack HTTP
                    proxy connections

    SGI released a workaround that fixes the vulnerability discussed in
    {02.09.027} ("Java applets can hijack HTTP proxy connections").

    Updating to JRE version 1.3.1_02 fixes the problem. It can be
    downloaded at:
    http://www.sgi.com/products/evaluation/6.5_java2_1.3.1_02/

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q3/0051.html

    - --- Other News ---------------------------------------------------------

    *** {02.35.004} Other - Update {02.30.001}: OpenSSL multiple overflows
                    and ASN1 parse vulnerabilities

    Compaq/HP released updated packages for Tru64 and OpenVMS that fix the
    vulnerability discussed in {02.30.001} ("OpenSSL multiple overflows
    and ASN1 parse vulnerabilities").

    Full update information is available at the reference URL below.

    Source: Compaq/HP
    http://archives.neohapsis.com/archives/compaq/2002-q3/0009.html

    *** {02.35.005} Other - Multiple Tru64 overflows (SSRT2229)

    Compaq/HP released Early Release Patches that fix multiple buffer
    overflows found in various versions of Tru64. The buffer overflows
    are in both local and remotely accessible applications and allow an
    attacker to execute arbitrary code. Some of the problems have been
    reported previously. A denial of service in the ping command also
    is reported.

    A full list of ERPs is available at the reference URL below.

    Source: Compaq/HP
    http://archives.neohapsis.com/archives/compaq/2002-q3/0010.html

    - --- Cross-Platform News ------------------------------------------------

    *** {02.35.003} Cross - Ethereal ISIS decode overflow

    Ethereal versions 0.9.5 and prior contain a buffer overflow in the
    decoding functions of the ISIS protocol. This overflow potentially
    allows a remote attacker to execute arbitrary code on the system
    running ethereal or tethereal.

    This vulnerability is confirmed and fixed in version 0.9.6,
    available at:
    http://www.ethereal.com/

    Updated Red Hat RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0068.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0068.html

    *** {02.35.010} Cross - Scrollkeeper temporary file vulnerability

    The Scrollkeeper documentation system version 0.3.11 uses temporary
    files insecurely, which allows a local attacker to create arbitrary
    files on the system. It may be possible to leverage this insecurity
    to provide root access via other subsystems.

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0003.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q3/0053.htm

    Source: VulnWatch, Debian, Red Hat (SF Bugtraq)
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0098.html
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0003.html
    http://archives.neohapsis.com/archives/vendor/2002-q3/0053.htm

    *** {02.35.016} Cross - Linuxconf LINUXCONF_LANG environment overflow

    Linuxconf prior to version 1.28r4 contains a locally exploitable buffer
    overflow in the LINUXCONF_LANG environment variable. If the Linuxconf
    binary is setuid, then an attacker can gain elevated privileges.

    The advisory indicates confirmation by the vendor, which released
    version 1.28r4.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0093.html

    *** {02.35.017} Cross - Python insecure temporary file handling

    A Debian advisory indicates that the os module of Python uses temporary
    files insecurely, potentially allowing a local attacker to cause
    Python to execute arbitrary Python code.

    Updated Debian DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q3/0050.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9d6JD+LUG5KFpTkYRApzdAKChndSkXnyNjvEMIyAr5IzpNEymVwCeNANA
    /EUCRNwXltX7JEuUkG8kFUc=
    =ns1y
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensusnwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).