From: Network Computing and The SANS Institute (sans+ZZ65089497224734077_at_sans.org)
Date: Thu Nov 14 2002 - 13:26:14 CST


    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 045 (02.45)
                      Thursday, November 14, 2002
                           Created for you by
                Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ************************* Begin Advertisement ************************

    This issue sponsored by Network Computing's Tech Library and Bitpipe
    Inc.

    Is your network performing the way it needs to?

    FREE Sprint White Paper: Ensure the Reliability, Security and
    Performance of Your Network

    This white paper gives insight into the importance of choosing the right
    network vendor to maintain a reliable mission-critical system.

    http://techlibrary.networkcomputing.com/data/detail?id=1034613043_194&type=RES&x=1085552908&src=email

    ************************** End Advertisement *************************

    The big news this week is the announcement of another round of
    vulnerabilities found in the popular DNS implementation, BIND
    (Berkeley Internet Name Domain Server). BIND versions 4 and 8, both
    in wide use on the Internet, are affected (see {02.45.007}).

    In addition to the vulnerability announcements themselves, much
    of the security community is up in arms over the handling of
    the issue. It appears that ISC (the maintainers of BIND) released
    patch information to a selective set of paying customers before the
    vulnerability announcement was made public, essentially arming any
    would-be attackers lurking or associated with those organizations
    with the necessary information for exploitation. Complicating matters
    further, when the issue did go public (at least a week later), the
    patches were only made available via e-mail--with some delay times
    reported as exceeding eight hours.

    While ISC appears to have changed its position in the past 24
    hours by placing the patches online (instead of requiring the manual
    intervention of an ISC staff member via e-mail), the whole fiasco calls
    into question--once again--the politics and policies surrounding
    research, disclosure and vendor/maintainer response. Some good
    debates on the issue can be found on SecurityFocus' Bugtraq mailing
    list as well as in other popular security forums on the Internet. We
    encourage organizations to voice their opinions on vulnerability
    disclosure practices to their vendors and software maintainers. The
    madness needs to end.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.45.028} Win - ColdFusion/JRun long URI overflow
    {02.45.001} Linux - Update {02.31.009}: RPC XDR array decoding overflow
    {02.45.002} Linux - Update {02.41.014}: KGhostview sscanf() format
                string vulnerability
    {02.45.004} Linux - Update {02.44.037}: Perl Mail::Mailer command
                execution
    {02.45.005} Linux - Update {02.38.006}: SquirrelMail CGI multiple CSS
                vulnerabilities
    {02.45.009} Linux - Luxman game maped gzip path vulnerability
    {02.45.011} Linux - Update {02.42.020}: Heimdal kadmind multiple
                vulnerabilities
    {02.45.012} Linux - nss_ldap DNS SRV record overflow
    {02.45.013} Linux - html2ps insecure file handling
    {02.45.014} Linux - Update {02.41.012}: syslog-ng macro expansion
                overflow
    {02.45.015} Linux - Update {02.37.005}: PHP mail() command may bypass
                safe_mode
    {02.45.017} Linux - Update {02.35.009}: PXE server malformed DHCP DoS
    {02.45.018} Linux - Update {02.42.013}: Apache mod_ssl host name CSS
    {02.45.019} Linux - masqmail multiple overflows
    {02.45.021} Linux - Update {02.29.004}: libpng progressive image
                loading overflows
    {02.45.023} Linux - Simple Web Server file restrict bypass
    {02.45.026} Linux - KDE Lisa/resLISa multiple vulnerabilities
    {02.45.032} Linux - nanog-traceroute overflow
    {02.45.016} NW - iManager emFrame user name overflow
    {02.45.020} NW - eDir user login/expired password vulnerability
    {02.45.010} SGI - Update {02.32.029}: rpc.ttdbserverd _TT_CREATE_FILE()
                heap overflow
    {02.45.029} SCO - in.talkd format string vulnerability
    {02.45.025} NApps - Update {02.44.026}: NetScreen SSH DoS
    {02.45.031} NApps - Various 802.11b access points disclose information
    {02.45.024} Other - QNX packager insecure path vulnerability
    {02.45.003} Cross - Linuxconf allows sendmail relay
    {02.45.006} Cross - Window Maker image size integer overflow
    {02.45.007} Cross - BIND SIG cached RR overflow + 2 DoS
    {02.45.008} Cross - Perl Safe.pm reuse opmask modification
    {02.45.022} Cross - Pine 4.44 malformed From field vulnerability
    {02.45.027} Cross - KDE KIO rlogin/telnet protocol handler overflows
    {02.45.030} Cross - Light HTTP long URL overflow

    - --- Windows News -------------------------------------------------------

    *** {02.45.028} Win - ColdFusion/JRun long URI overflow

    The Macromedia/Allaire ColdFusion version 6.0 (and prior) and JRun
    version 4.0 (and prior) IIS ISAPI handlers contain a buffer overflow
    in the handling of large URI strings. This lets a remote attacker
    execute arbitrary code with local system privileges.

    Macromedia released updated patches.

    Source: Macromedia, VulnWatch
    http://archives.neohapsis.com/archives/vendor/2002-q4/0042.html
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0072.html

    - --- Linux News ---------------------------------------------------------

    *** {02.45.001} Linux - Update {02.31.009}: RPC XDR array decoding
                    overflow

    Conectiva and Red Hat (re-)released updated glibc packages, which fix
    the vulnerability discussed in {02.31.009} ("RPC XDR array decoding
    overflow").

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0013.html

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0033.html

    Source: Conectiva, Red Hat
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0013.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0033.html

    *** {02.45.002} Linux - Update {02.41.014}: KGhostview sscanf() format
                    string vulnerability

    Conectiva released updated kghostview packages, which fix the
    vulnerability discussed in {02.41.014} ("KGhostview sscanf() format
    string vulnerability").

    Updated RPMs are listed at the reference URL below.

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0015.html

    *** {02.45.004} Linux - Update {02.44.037}: Perl Mail::Mailer command
                    execution

    Mandrake released updated perl-mailtools packages, which fix the
    vulnerability discussed in {02.44.037} ("Perl Mail::Mailer command
    execution").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0101.html

    *** {02.45.005} Linux - Update {02.38.006}: SquirrelMail CGI multiple
                    CSS vulnerabilities

    Debian released updated SquirrelMail packages, which fix the
    vulnerability discussed in {02.38.006} ("SquirrelMail CGI multiple
    CSS vulnerabilities").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0555.html

    *** {02.45.009} Linux - Luxman game maped gzip path vulnerability

    The setuid maped utility included with the Luxman game reportedly
    relies on the user's PATH when executing the gzip utility, thereby
    allowing a trojan gzip to access /dev/mem.

    This vulnerability is confirmed.

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0499.html

    Source: VulnWatch, Debian
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0062.html
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0499.html

    *** {02.45.011} Linux - Update {02.42.020}: Heimdal kadmind multiple
                    vulnerabilities

    Red Hat released updated Kerberos packages, which fix the
    vulnerabilities discussed in {02.42.020} ("Heimdal kadmind multiple
    vulnerabilities").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0035.html

    *** {02.45.012} Linux - nss_ldap DNS SRV record overflow

    Under certain configurations, the nss_ldap PAM module prior to version
    198 can be triggered to overflow a buffer by receiving a long DNS
    SRV record.

    Mandrake confirmed this and released updated RPMs, listed at the
    reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0100.html

    *** {02.45.013} Linux - html2ps insecure file handling

    A SuSE advisory indicates the html2ps utility will perform insecure
    file operations based on untrusted user data. If html2ps is used as
    a filter in lprng, there is a potential for exploitation.

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0471.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0515.html

    Source: SuSE, Debian
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0471.html
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0515.html

    *** {02.45.014} Linux - Update {02.41.012}: syslog-ng macro expansion
                    overflow

    EnGarde re-released updated syslog-ng packages, which fix the
    vulnerability discussed in {02.41.012} ("syslog-ng macro expansion
    overflow").

    Updated RPMs are listed at the reference URL below.

    Source: EnGarde
    http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0008.html

    *** {02.45.015} Linux - Update {02.37.005}: PHP mail() command may
                    bypass safe_mode

    Red Hat released updated PHP packages, which fix the vulnerability
    discussed in {02.37.005} ("PHP mail() command may bypass safe_mode").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0036.html

    *** {02.45.017} Linux - Update {02.35.009}: PXE server malformed DHCP
                    DoS

    Caldera released updated pxe packages, which fix the vulnerability
    discussed in {02.35.009} ("PXE server malformed DHCP DoS").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0010.html

    *** {02.45.018} Linux - Update {02.42.013}: Apache mod_ssl host name CSS

    EnGarde released updated Apache packages, which fix the vulnerability
    discussed in {02.42.013} ("Apache mod_ssl host name CSS").

    Updated RPMs are listed at the reference URL below.

    Source: EnGarde
    http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0009.html

    *** {02.45.019} Linux - masqmail multiple overflows

    A Debian advisory indicates multiple buffer overflows exist in the
    masqmail utility. This vulnerability could allow a local attacker to
    gain root privileges.

    Updated Debian DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0577.html

    *** {02.45.021} Linux - Update {02.29.004}: libpng progressive image
                    loading overflows

    Caldera released updated libpng packages, which fix the vulnerability
    discussed in {02.29.004} ("libpng progressive image loading
    overflows").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0011.html

    *** {02.45.023} Linux - Simple Web Server file restrict bypass

    The Simple Web Server version 0.5.1 allows remote attackers to access
    otherwise restricted Web files when they add an extra character to
    the URL request.

    The advisory indicates vendor confirmation.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0065.html

    *** {02.45.026} Linux - KDE Lisa/resLISa multiple vulnerabilities

    KDE versions prior to 3.0.5 contain three vulnerabilities: a local
    attacker can overflow the resLISa module via the LOGNAME environment
    variable and gain access to a raw network socket; a remote attacker
    can run a trojan lisa service, which can feed data to a scanning lisa
    service and cause an overflow that allows the execution of arbitrary
    code; and the 'lan:' URL handler contains a buffer overflow that
    allows the execution of arbitrary code.

    These vulnerabilities are confirmed and fixed in KDE version 3.0.5.

    Updated Debian DEBs (which only fix some of the vulnerabilities):
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0558.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0711.html

    Source: VulnWatch, Debian, SuSE, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0068.html
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0558.html
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0711.html
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0135.html

    *** {02.45.032} Linux - nanog-traceroute overflow

    A SuSE advisory indicates the nanog-traceroute utility contains a
    buffer overflow that could let a local attacker gain access to a raw
    network socket.

    Updated RPMs are listed at the reference URL below.

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0722.html

    - --- NetWare News -------------------------------------------------------

    *** {02.45.016} NW - iManager emFrame user name overflow

    A long distinguished name entered as the user name to the iManager
    emFrame login will result in a buffer overflow on the server.

    Patch information is available at:
    http://support.novell.com/servlet/tidfinder/2963651

    Source: Novell
    http://archives.neohapsis.com/archives/novell/2002-q4/0000.html

    *** {02.45.020} NW - eDir user login/expired password vulnerability

    A Novell advisory indicates eDirectory version 8.6.2 allows users to
    log in to accounts with expired passwords.

    Update information is available at:
    http://support.novell.com/servlet/tidfinder/2963767

    Source: Novell
    http://archives.neohapsis.com/archives/novell/2002-q4/0001.html

    - --- SGI News -----------------------------------------------------------

    *** {02.45.010} SGI - Update {02.32.029}: rpc.ttdbserverd
                    _TT_CREATE_FILE() heap overflow

    SGI released updated ToolTalk packages, which fix the vulnerability
    discussed in {02.32.029} ("rpc.ttdbserverd _TT_CREATE_FILE() heap
    overflow").

    Patches are listed in the reference URLs below.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q4/0035.html
    http://archives.neohapsis.com/archives/vendor/2002-q4/0034.html

    - --- SCO News -----------------------------------------------------------

    *** {02.45.029} SCO - in.talkd format string vulnerability

    A Caldera/SCO advisory indicates the in.talkd daemon contains a
    remotely exploitable format string vulnerability.

    Updated binaries are listed at the reference URL below.

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0012.html

    - --- Network Appliances News --------------------------------------------

    *** {02.45.025} NApps - Update {02.44.026}: NetScreen SSH DoS

    ScreenOS version 4.0.0r6 was released. It fixes the vulnerability
    discussed in {02.44.026} ("NetScreen SSH DoS").

    Updates are available to registered customers.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0088.html

    *** {02.45.031} NApps - Various 802.11b access points disclose
                    information

    An advisory indicates various GlobalSunTech-based 802.11b access
    points (including D-Link DWL-900AP+, Linksys WAP11, Wisecom GL2422AP,
    Alloy GL-2422AP and Eusso GL2422-AP) will answer a particular
    broadcast packet with a response that contains configuration
    information--potentially including the WEP keys.

    Third parties confirmed this vulnerability on the various access
    points listed. An exploit for this vulnerability was published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0008.html

    - --- Other News ---------------------------------------------------------

    *** {02.45.024} Other - QNX packager insecure path vulnerability

    The setuid packager utility included with QNX OS version 6.2.0
    insecurely calls the 'cp' utility without using an absolute path,
    thereby allowing a local attacker to execute a trojan cp command with
    root privileges.

    The advisory indicates confirmation by the vendor, which will have
    a fix in QNX 6.2.1. Until then, users can 'chmod -s' the packager
    utility.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0066.html

    - --- Cross-Platform News ------------------------------------------------

    *** {02.45.003} Cross - Linuxconf allows sendmail relay

    A bug in the mailconf module causes Linuxconf prior to version 1.28r1
    to generate a sendmail configuration that allows the relaying of
    'user%domain' addresses.

    This vulnerability is confirmed. Linuxconf version 1.28r1 contains
    a fix.

    Updated Conectiva RPMs are listed at the reference URL below.

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0016.html

    *** {02.45.006} Cross - Window Maker image size integer overflow

    The Window Maker window manager does not properly check for integer
    overflow/wraparound when calculating the buffer size for an image. This
    could potentially lead to the execution of arbitrary code when viewing
    a malicious/untrusted graphic.

    Debian confirmed this vulnerability and released updated DEBs, listed
    at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0500.html
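    The integer-wraparound pattern behind {02.45.006}, shown as an added
    example that is not Window Maker's code and not taken from the Debian
    advisory. The header fields, the 256 Mpixel policy cap and the sample
    dimensions are constructed for illustration. The unchecked function
    computes width * height * bytes-per-pixel in 32-bit arithmetic, so a
    header claiming 32768 x 131073 pixels yields a 32768-byte buffer that
    the real pixel data would then overrun; the checked function rejects
    any product that would not fit before the allocation is made.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed policy limit on total pixels: 256 Mpixel. Keeps the checked
   size well inside size_t on both 32- and 64-bit hosts. */
#define MAX_PIXELS ((size_t)1 << 28)

/* Vulnerable pattern: the product is evaluated in uint32_t and silently
   wraps modulo 2^32, so attacker-chosen dimensions can produce a tiny size. */
uint32_t image_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened pattern: validate each factor, then test the product bound by
   division so that no multiplication can wrap before it is checked.
   Returns 1 and stores the byte count in *out on success, 0 on rejection. */
int image_size_checked(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0)
        return 0;
    if (bpp == 0 || bpp > 4)               /* 1..4 bytes per pixel only */
        return 0;
    /* width * height <= MAX_PIXELS, decided without performing the multiply */
    if ((size_t)width > MAX_PIXELS / height)
        return 0;
    size_t pixels = (size_t)width * height;
    /* pixels <= 2^28 and bpp <= 4, so this product cannot exceed 2^30 */
    *out = pixels * bpp;
    return 1;
}

/* Convenience wrapper: the checked size, or 0 when the header is rejected. */
size_t checked_size_or_zero(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = 0;
    return image_size_checked(width, height, bpp, &n) ? n : 0;
}

/* Simulated loader step: allocate the pixel buffer only for a validated
   size, zero it, release it, and report whether the image was accepted. */
int try_allocate_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = 0;
    if (!image_size_checked(width, height, bpp, &n))
        return 0;                          /* refused: would wrap or exceed cap */
    unsigned char *buf = malloc(n);
    if (buf == NULL)
        return 0;
    memset(buf, 0, n);
    free(buf);
    return 1;
}

int main(void)
{
    /* Constructed malicious header: 32768 * 131073 = 2^32 + 2^15, which
       wraps to 32768 in uint32_t, so the unchecked size is 32768 bytes. */
    printf("unchecked 32768x131073x1: %u bytes\n",
           (unsigned)image_size_unchecked(32768u, 131073u, 1u));
    printf("checked   32768x131073x1: %zu bytes (0 = rejected)\n",
           checked_size_or_zero(32768u, 131073u, 1u));
    printf("checked   640x480x4:      %zu bytes\n",
           checked_size_or_zero(640u, 480u, 4u));
    printf("allocate  640x480x4:      %d\n", try_allocate_pixels(640u, 480u, 4u));
    return 0;
}
```

    The division-based bound is the portable idiom for this check in C;
    compilers that provide `__builtin_mul_overflow` can replace it, but the
    policy cap is still worth keeping so that a merely enormous (rather than
    wrapping) header cannot exhaust memory.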

    *** {02.45.007} Cross - BIND SIG cached RR overflow + 2 DoS

    BIND versions 4 and 8 contain a buffer overflow in the handling of
    cached SIG RR records, thereby allowing a remote, authoritative DNS
    server to execute arbitrary code if recursion is enabled (which is
    on by default). BIND 8 also contains two remote denial of service
    vulnerabilities.

    The vendor confirmed these vulnerabilities and suggests upgrading to
    BIND 9.2.1. Fixes to BIND 8.x and 4.x are currently in progress.

    Red Hat also released a statement for Red Hat Linux users:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0041.html

    Source: VulnWatch, Red Hat
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0071.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0041.html
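    Because the SIG RR overflow in {02.45.007} is reached through cached
    records, a server that never recurses never caches an answer from a
    remote authoritative server. The named.conf fragment below is an added
    example, not part of the ISC or Red Hat advisories: it shows the
    default-exposed setting and the authoritative-only configuration side by
    side. The directory path and the 192.0.2.0/24 network are constructed
    placeholders.

```conf
// Exposed configuration: recursion is on by default, so this server will
// query other name servers on behalf of clients and cache what they return.
// options {
//     directory "/var/named";
//     recursion yes;
// };

// Authoritative-only server: refuse recursive queries outright, so no
// remote server's answers (SIG RRs included) are ever cached here.
options {
    directory "/var/named";
    recursion no;
    fetch-glue no;      // BIND 8 only; the option does not exist in BIND 9
};

// Mixed-role server that must resolve for an internal network: limit who
// may recurse rather than turning it off. 192.0.2.0/24 is a constructed
// placeholder from the RFC 5737 documentation range.
// options {
//     directory "/var/named";
//     allow-recursion { 127.0.0.1; 192.0.2.0/24; };
// };
```

    Disabling or restricting recursion narrows who can drive the vulnerable
    path; it is not a substitute for the BIND 9.2.1 upgrade the entry
    recommends, and it does nothing for the two BIND 8 denial of service
    issues, which are not tied to recursion.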

    *** {02.45.008} Cross - Perl Safe.pm reuse opmask modification

    The Safe.pm module shipped with Perl 5.8.0 and prior contains a bug
    that lets untrusted code executing in a Safe compartment modify the
    operation mask. If the compartment were reused, then the modified
    mask would still be in effect, thereby giving the untrusted code
    additional privileges.

    This vulnerability is confirmed, and Safe.pm version 2.08 contains
    the fix. The updated module is available via CPAN.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0061.html

    *** {02.45.022} Cross - Pine 4.44 malformed From field vulnerability

    Pine versions prior to 4.50 (which has not yet been made public)
    crash when encountering an e-mail with a malformed From field.
    It is uncertain at this point whether arbitrary code execution is
    possible. This vulnerability can be remotely triggered.

    Third parties confirmed this vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0046.html

    *** {02.45.027} Cross - KDE KIO rlogin/telnet protocol handler overflows

    KDE prior to version 3.0.5 contains buffer overflows in the rlogin
    KIO protocol handler. KDE versions 2.x also contain an overflow in
    the telnet KIO protocol handler.

    The vendor confirmed these vulnerabilities.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0142.html

    *** {02.45.030} Cross - Light HTTP long URL overflow

    Light HTTPD (lhttpd) reportedly contains a buffer overflow in the
    handling of long URL requests, thereby allowing a remote attacker to
    execute arbitrary code.

    This vulnerability is not confirmed. An exploit was published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0138.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE90/bN+LUG5KFpTkYRAnQOAKCWbodQ+YK1QFLmAo6fQ9RjLmC6zQCeOYSK
    sSonE5PtrN2exQ+qkwuwau0=
    =7cyj
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).