From: Network Computing and The SANS Institute (sans+ZZ67753842712424077_at_sans.org)
Date: Thu Oct 17 2002 - 14:32:06 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 041 (02.41)
Thursday, October 17, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
TechQuiz: Threat Management
It's the last chance to try your hand at our TechQuiz on managing
security concerns. Answer all our editors' questions correctly, and you
could win a Microsoft Xbox from our sponsor, Symantec.
http://www.nwc.com/techquiz/
************************** End Advertisement *************************
This week's three notable bugs are all in the "Cross-Platform"
category: a denial of service problem in the HTTP proxy service
included with the various Symantec firewall products (reported as item
{02.41.029}); a multivendor ypxfrd bug, which lets local users read
arbitrary files on the system (item {02.41.018}); and an improper
check in the Shockwave Flash player, which lets Flash movies/Web
sites read local files (reported as item {02.41.024}).
Remember, if you're not subscribed to the appropriate category, you
won't get those items. But don't despair: you can always catch them
online, in full, at http://archives.neohapsis.com/archives/sac/2002/.
You will also find past SAC issues in the same place.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.41.016} Win - MS02-058: Outlook Express S/MIME parsing buffer
overflow
{02.41.021} Win - MondoSearch CGI file viewing
{02.41.025} Win - PowerFTP large data stream overflow
{02.41.026} Win - SurfControl SuperScout admin server vulnerabilities
{02.41.028} Win - Daniel Arenz' Mini Server Web root escaping
{02.41.001} Linux - Update {02.40.029}: Bugzilla multiple
vulnerabilities
{02.41.002} Linux - Update {02.39.006}: Fetchmail multiple
vulnerabilities
{02.41.003} Linux - Update {02.37.007}: Konqueror subframe CSS and
insecure cookie vulnerabilities
{02.41.004} Linux - Update {02.39.013}: gv sscanf() overflow
{02.41.005} Linux - Update {02.39.004}: unzip file extraction directory
traversal
{02.41.006} Linux - Update {02.39.003}: GNU tar file extraction
directory traversal
{02.41.007} Linux - Update {02.38.006}: SquirrelMail CGI multiple CSS
vulnerabilities
{02.41.008} Linux - heartbeat daemon format string overflow
{02.41.009} Linux - Update {02.32.017}: xinetd signal pipe descriptor
DoS
{02.41.010} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities
{02.41.011} Linux - Update {01.45.013}: teTeX insecure temp file and
dvips invocation
{02.41.023} SGI - Multiple IRIX vulnerabilities: rpcbind; uux; mv;
fsr_efs
{02.41.013} SCO - Update {02.26.002}: DNS libresolve/resolver buffer
overflow
{02.41.017} Other - Update {02.10.014}: zlib double free decompression
bug
{02.41.019} Other - Tru64 routed allows file access
{02.41.012} Cross - syslog-ng macro expansion overflow
{02.41.014} Cross - KGhostview sscanf() format string vulnerabilities
{02.41.015} Cross - kpf arbitrary file retrieval
{02.41.018} Cross - ypxfrd arbitrary file reading
{02.41.020} Cross - Oracle listener SERVER_CURLOAD DoS
{02.41.022} Cross - MySimpleNews PHP CGI script execution
{02.41.024} Cross - Flash XML functions can read local files
{02.41.027} Cross - phpRank CGI multiple vulnerabilities
{02.41.029} Cross - Symantec firewall HTTP proxy DNS timeout DoS
{02.41.030} Cross - Symantec firewall CONNECT host scanning
--- Windows News -------------------------------------------------------
*** {02.41.016} Win - MS02-058: Outlook Express S/MIME parsing buffer
overflow
Microsoft released MS02-058 ("Outlook Express S/MIME parsing buffer
overflow"). The S/MIME verification function of Outlook Express
incorrectly parses malicious digital signatures on incoming e-mail,
thereby allowing the malicious e-mail to execute arbitrary code on
the user's system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-058.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0004.html
*** {02.41.021} Win - MondoSearch CGI file viewing
The MondoSearch CGI suite discloses the contents of files in the
Webroot by providing the target file name to the mask URL parameter
of the MsmMask.exe CGI. This disclosure could potentially reveal Web
application script source code.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0147.html
*** {02.41.025} Win - PowerFTP large data stream overflow
PowerFTP Personal FTP Server version 2.24 reportedly contains a
buffer overflow in its handling of large amounts of data sent by a
remote attacker. It is unconfirmed whether arbitrary code execution is
possible.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0124.html
*** {02.41.026} Win - SurfControl SuperScout admin server
vulnerabilities
The administrative HTTP server included with SurfControl's SuperScout
suite reportedly contains four vulnerabilities: cross-site scripting
in the handling of error messages; remotely retrievable plain text
user names and passwords; and two malformed HTTP request denial of
service attacks.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0137.html
*** {02.41.028} Win - Daniel Arenz' Mini Server Web root escaping
Daniel Arenz' Mini (HTTP) Server version 2.1.6 reportedly does not
properly handle HTTP requests, thereby allowing remote attackers to
access files outside the Web root.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0181.html
--- Linux News ---------------------------------------------------------
*** {02.41.001} Linux - Update {02.40.029}: Bugzilla multiple
vulnerabilities
Debian released updated Bugzilla packages, which fix the
vulnerabilities discussed in {02.40.029} ("Bugzilla multiple
vulnerabilities").
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0121.html
*** {02.41.002} Linux - Update {02.39.006}: Fetchmail multiple
vulnerabilities
Red Hat released updated Fetchmail packages, which fix the
vulnerabilities discussed in {02.39.006} ("Fetchmail multiple
vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0010.html
*** {02.41.003} Linux - Update {02.37.007}: Konqueror subframe CSS and
insecure cookie vulnerabilities
Mandrake released updated kdelibs packages, which fix the
vulnerabilities discussed in {02.37.007} ("Konqueror subframe CSS
and insecure cookie vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0013.html
*** {02.41.004} Linux - Update {02.39.013}: gv sscanf() overflow
Red Hat released updated gv packages, which fix the vulnerability
discussed in {02.39.013} ("gv sscanf() overflow").
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0011.html
*** {02.41.005} Linux - Update {02.39.004}: unzip file extraction
directory traversal
Mandrake released updated unzip packages, which fix the vulnerability
discussed in {02.39.004} ("unzip file extraction directory traversal").
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0016.html
*** {02.41.006} Linux - Update {02.39.003}: GNU tar file extraction
directory traversal
Mandrake released updated tar packages, which fix the vulnerability
discussed in {02.39.003} ("GNU tar file extraction directory
traversal").
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0018.html
*** {02.41.007} Linux - Update {02.38.006}: SquirrelMail CGI multiple
CSS vulnerabilities
Red Hat released updated SquirrelMail packages, which fix the
vulnerabilities discussed in {02.38.006} ("SquirrelMail CGI multiple
CSS vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0016.html
*** {02.41.008} Linux - heartbeat daemon format string overflow
The heartbeat daemon used for high-availability Linux clusters
contains various remotely exploitable format string vulnerabilities
that let a remote attacker execute arbitrary code on the system with
root privileges.
SuSE and Debian confirmed this vulnerability.
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2002-q4/0203.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0224.html
Source: SuSE, Debian
http://archives.neohapsis.com/archives/linux/suse/2002-q4/0203.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0224.html
*** {02.41.009} Linux - Update {02.32.017}: xinetd signal pipe
descriptor DoS
Red Hat released updated xinetd packages, which fix the vulnerability
discussed in {02.32.017} ("xinetd signal pipe descriptor DoS").
Updated RPMs are listed at the reference URL below.
Source: Red Hat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-10/0208.html
*** {02.41.010} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities
Mandrake released updated Apache packages, which fix the
vulnerabilities discussed in {02.40.013} ("Apache host name CSS,
ab overflow and shared memory vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0022.html
*** {02.41.011} Linux - Update {01.45.013}: teTeX insecure temp file
and dvips invocation
Red Hat released updated teTeX packages, which fix the vulnerability
discussed in {01.45.013} ("teTeX insecure temp file and dvips
invocation").
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0018.html
--- SGI News -----------------------------------------------------------
*** {02.41.023} SGI - Multiple IRIX vulnerabilities: rpcbind; uux; mv;
fsr_efs
SGI released patches that fix various vulnerabilities found in
the rpcbind, uux, mv and fsr_efs utilities. IRIX prior to 6.5.18
is vulnerable.
A full list of patches is available at the reference URL below.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2002-q4/0014.html
--- SCO News -----------------------------------------------------------
*** {02.41.013} SCO - Update {02.26.002}: DNS libresolve/resolver
buffer overflow
Caldera/SCO released updated packages, which fix the vulnerability
discussed in {02.26.002} ("DNS libresolve/resolver buffer overflow").
OpenServer 5.0.5 and 5.0.6 updates are available at:
ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.39
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0001.html
--- Other News ---------------------------------------------------------
*** {02.41.017} Other - Update {02.10.014}: zlib double free
decompression bug
Compaq/HP released updates for Tru64, which fix the vulnerability
discussed in {02.10.014} ("zlib double free decompression bug").
Updates are available at:
ftp://ftp1.support.compaq.com/public/unix/v5.1a/t64v51ab03as0003-20020827.tar
Source: HP/Compaq
http://archives.neohapsis.com/archives/compaq/2002-q4/0011.html
*** {02.41.019} Other - Tru64 routed allows file access
Compaq/HP reported that the routed daemon shipped with Tru64 versions
4.0F through 5.1A allows a remote attacker to access 'unauthorized
files' on the system.
Tru64 ERPs are listed at the reference URL below.
Source: Compaq/HP
http://archives.neohapsis.com/archives/compaq/2002-q4/0008.html
--- Cross-Platform News ------------------------------------------------
*** {02.41.012} Cross - syslog-ng macro expansion overflow
Versions 1.4.15 and prior of the syslog-ng daemon do not properly
expand macro strings in configuration templates, which leads to a
remotely exploitable buffer overflow that can execute arbitrary code
under certain configurations.
The vendor confirmed this vulnerability and released a patch, which
is available at:
http://archives.neohapsis.com/archives/bugtraq/2002-10/0151.html
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0256.html
Source: SecurityFocus Bugtraq, Debian
http://archives.neohapsis.com/archives/bugtraq/2002-10/0151.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0256.html
*** {02.41.014} Cross - KGhostview sscanf() format string
vulnerabilities
The KGhostview utility included with KDE versions 1.1 through 3.0.3a
contains a format string vulnerability that lets a malicious PostScript
or PDF file execute arbitrary code. This vulnerability is based on the
vulnerability reported in {02.39.013} ("gv sscanf() overflow").
KDE version 3.0.4 fixes the vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0163.html
*** {02.41.015} Cross - kpf arbitrary file retrieval
The kpf utility included with KDE versions 3.0.1 through 3.0.3a
contains a vulnerability that lets a remote attacker retrieve arbitrary
files outside the specified shared directory.
The vendor confirmed this vulnerability. A fix is available in KDE
version 3.0.4.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0164.html
*** {02.41.018} Cross - ypxfrd arbitrary file reading
The ypxfrd daemon included with various OSs (Solaris, SCO OpenServer
and Caldera OpenLinux, in particular) allows a remote attacker to read
arbitrary .pag and .dir files on the system. If attackers have local
(non-root) access, they can use symlinks to read any file on the system
(by linking to the target using a .pag or .dir symlink extension).
This vulnerability is confirmed.
Caldera/SCO OpenServer updates are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0000.html
Compaq/HP Tru64 ERPs are listed at:
http://archives.neohapsis.com/archives/compaq/2002-q4/0007.html
Source: VulnWatch, Caldera/SCO, Compaq/HP
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0018.html
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0000.html
http://archives.neohapsis.com/archives/compaq/2002-q4/0007.html
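Two of this issue's recurring failure modes are a name that escapes its intended directory (the unzip and GNU tar extraction traversal updates, and in the same spirit the kpf and Mini Server items) and a name that passes an extension filter but is a symlink to something else (the ypxfrd item above). The following is an added example, not code from the newsletter or from any vendor, showing the containment checks a defender would put in front of both operations; the function names and the temporary directory layout in demo() are constructed for illustration.

```python
"""Defensive path checks for the traversal and symlink failure modes
described in this issue. Added example; all names are hypothetical."""
import os
import stat
import tempfile


def member_is_contained(root, member):
    """Archive-extraction check (unzip / GNU tar items): True only if the
    member name still lies inside root after '..' segments, absolute
    prefixes and symlinked parent directories are resolved."""
    if not member or os.path.isabs(member):
        return False
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, member))
    return os.path.commonpath([root_real, target]) == root_real


def read_map_file(mapdir, name):
    """ypxfrd-style check: serve a .pag/.dir map only when the name is a
    bare file name with an allowed suffix AND the on-disk entry is a
    regular file, so a symlink named foo.pag cannot redirect the read."""
    if name in ("", ".", "..") or "/" in name or "\\" in name:
        return None
    if not name.endswith((".pag", ".dir")):
        return None
    path = os.path.join(mapdir, name)
    try:
        st = os.lstat(path)  # lstat does not follow a final symlink
    except FileNotFoundError:
        return None
    if not stat.S_ISREG(st.st_mode):
        return None  # symlink, directory or device: refuse
    # O_NOFOLLOW closes the race between the lstat above and the open
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as fh:
        return fh.read()


def demo():
    """Constructed layout in a temp dir; returns both checks' results."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")  # stands in for /etc/shadow
        with open(secret, "w") as fh:
            fh.write("outside the map directory\n")
        mapdir = os.path.join(tmp, "yp")
        os.mkdir(mapdir)
        with open(os.path.join(mapdir, "passwd.pag"), "w") as fh:
            fh.write("real map data\n")
        os.symlink(secret, os.path.join(mapdir, "evil.pag"))  # allowed suffix, bad target
        extract = os.path.join(tmp, "extract")
        os.mkdir(extract)
        os.symlink(tmp, os.path.join(extract, "out"))  # symlinked subdirectory
        return {
            "plain_member": member_is_contained(extract, "etc/motd"),
            "dotdot_member": member_is_contained(extract, "../secret.txt"),
            "absolute_member": member_is_contained(extract, "/etc/passwd"),
            "symlinked_dir_member": member_is_contained(extract, "out/secret.txt"),
            "real_map": read_map_file(mapdir, "passwd.pag"),
            "symlink_map": read_map_file(mapdir, "evil.pag"),
            "wrong_suffix": read_map_file(mapdir, "passwd.txt"),
            "traversal_map": read_map_file(mapdir, "../secret.txt"),
        }
```

Calling demo() returns a dict in which only the plain member name and the real map file are accepted; every traversal, absolute, symlinked-directory and symlinked-file case is refused.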
*** {02.41.020} Cross - Oracle listener SERVER_CURLOAD DoS
The Oracle listener server included with Oracle 8i and 9i is
vulnerable to a denial of service attack in its handling of the
SERVER_CURLOAD command. Further details were not provided.
The advisory indicates confirmation by the vendor, which released
a patch.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0017.html
*** {02.41.022} Cross - MySimpleNews PHP CGI script execution
The MySimpleNews PHP CGI suite version 1 allows a remote attacker to
execute arbitrary PHP code submitted in various URL parameters to the
users.php script.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0027.html
*** {02.41.024} Cross - Flash XML functions can read local files
A Macromedia advisory indicates that the Flash/Shockwave player
allows a malicious Flash file to read files from the local user's
system and potentially send those files over the Internet.
The vendor confirmed this vulnerability and released an updated
Shockwave/Flash player version.
Source: Macromedia
http://archives.neohapsis.com/archives/vendor/2002-q4/0001.html
*** {02.41.027} Cross - phpRank CGI multiple vulnerabilities
The phpRank CGI suite version 1.8 reportedly contains multiple
vulnerabilities: various cross-site scripting problems; the
administrative password is stored and handled in plaintext; the
authentication mechanism 'fails open' when the database is not
available; a unique random ID generation is based on time(); and
update.php does not perform a proper authentication check.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0148.html
*** {02.41.029} Cross - Symantec firewall HTTP proxy DNS timeout DoS
The HTTP proxy service included with the various Symantec firewall
products (Raptor, VelociRaptor, Symantec Enterprise Firewall and
Symantec Gateway Security) is vulnerable to a denial of service
attack. An attacker sends HTTP requests for a nonexistent DNS zone,
thereby causing the service to hang until the timeout--which defaults
to five minutes--expires.
Symantec confirmed this vulnerability and released a patch, which is
available at:
http://www.symantec.com/techsupp
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0189.html
*** {02.41.030} Cross - Symantec firewall CONNECT host scanning
The Symantec Enterprise Firewall and Raptor Firewall provide different
responses to an external attacker who submits CONNECT proxy requests
to various internal hosts. These responses can be used to determine
which internal hosts are responsive.
Symantec confirmed this vulnerability and released patches, which
are available at:
http://www.symantec.com/techsupp/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0190.html
************************************************************************
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).