 
From: Network Computing and The SANS Institute (sans+ZZ65588627458764983_at_sans.org)
Date: Thu Dec 05 2002 - 14:32:48 CST



    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 048 (02.48)
                      Thursday, December 5, 2002
                           Created for you by
                Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ************************* Begin Advertisement ************************

    This issue sponsored by Rainbow Technologies' Instant Private Web.

    Secure your Web applications, e-mail, and Extranet in one day. Tired
    of managing and deploying VPN clients? Instant Private Web does not
    require changes to ANY of your INFRASTRUCTURE. Learn When to VPN and
    when Not to VPN - Download the Whitepaper here:

    http://www.rainbow.com/san2

    ************************** End Advertisement *************************

    Sybase database administrators should check out the three new
    vulnerabilities reported this week under item {02.48.005}. Another
    notable bug involves SSH.Com's SSH daemon; it is reported as item
    {02.48.001}. Plus, there are a few more NetScreen vulnerabilities
    (items {02.48.012} and {02.48.013}) as well as a FreeS/Wan IPSec
    small packet DoS (item {02.48.016}). The FreeS/Wan IPSec report
    advisory indicates that other IPSec implementations may be vulnerable,
    too--it seems that Debian may have 'jumped the gun' on a coordinated
    vendor release. Of course, we'll report everything within SAC, as it
    becomes known.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.48.008} Win - Moby NetSuite content-length header DoS
    {02.48.017} Win - pWins HTTP server Web root escaping
    {02.48.021} Win - Gordano GMS MIME attachment bypass
    {02.48.002} Linux - Update {02.45.022}: Pine 4.44 malformed From field
                vulnerability
    {02.48.003} Linux - Update {02.47.003}: Samba encrypted pass change
                request overflow
    {02.48.006} Linux - Update {02.40.024}: Sendmail smrsh execution
                restriction bypass
    {02.48.009} Linux - Update {02.39.006}: Fetchmail multiple
                vulnerabilities
    {02.48.010} Linux - Update {02.29.016}: wwwoffle negative content len
                field overflow
    {02.48.014} Linux - Update {02.15.013}: Webalizer reverse DNS lookup
                overflow
    {02.48.015} Linux - Linux Netfilter/IPTables IP queue packet leaking
    {02.48.018} Linux - Update {02.46.030}: Linux kernel lcall7 DoS
    {02.48.019} Linux - Update {02.45.027}: KDE KIO rlogin/telnet protocol
                handler overflows
    {02.48.020} Linux - IM suite insecure temp file handling
    {02.48.022} Linux - Update {02.45.006}: Window Maker image size integer
                overflow
    {02.48.012} NApps - NetScreen H.323 session table DoS
    {02.48.013} NApps - NetScreen predictable TCP ISN
    {02.48.011} Other - Update {02.19.017}: uudecode insecure output file
                handling
    {02.48.001} Cross - SSH.Com SSH setsid() vulnerability
    {02.48.004} Cross - Hughes' libhttpd multiple buffer overflows
    {02.48.005} Cross - Sybase DB multiple vulnerabilities
    {02.48.007} Cross - Portail PHP CGI SQL injection and CSS
                vulnerabilities
    {02.48.016} Cross - FreeS/Wan small packet DoS

    --- Windows News -------------------------------------------------------

    *** {02.48.008} Win - Moby NetSuite content-length header DoS

    Moby NetSuite crashes when a particular malformed HTTP Content-Length
    header is submitted.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0364.html

    *** {02.48.017} Win - pWins HTTP server Web root escaping

    The pWins HTTP server version 0.2.5 does not properly handle Unicode
    encoded URLs on Windows platforms, thereby allowing a remote attacker
    to access files outside the Web root.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0347.html

    *** {02.48.021} Win - Gordano GMS MIME attachment bypass

    The Gordano Messaging Suite does not properly block specified
    attachments if a particular MIME encoding method is used.

    The vendor confirmed this vulnerability and released updates, listed
    at the reference URL below.

    Source: NTBugtraq
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q4/0085.html

    --- Linux News ---------------------------------------------------------

    *** {02.48.002} Linux - Update {02.45.022}: Pine 4.44 malformed From
                    field vulnerability

    Multiple vendors released updated Pine packages, which fix the
    vulnerability discussed in {02.45.022} ("Pine 4.44 malformed From
    field vulnerability").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0232.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0015.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0953.html

    Source: Mandrake, EnGarde, SuSE
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0232.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0015.html
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0953.html

    *** {02.48.003} Linux - Update {02.47.003}: Samba encrypted pass change
                    request overflow

    Multiple vendors have released updated Samba packages, which fix the
    vulnerability discussed in {02.47.003} ("Samba encrypted pass change
    request overflow").

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0894.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0212.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0324.html

    Source: SuSE, Mandrake, Trustix (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0894.html
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0212.html
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0324.html

    *** {02.48.006} Linux - Update {02.40.024}: Sendmail smrsh execution
                    restriction bypass

    Mandrake released updated Sendmail packages, which fix the
    vulnerability discussed in {02.40.024} ("Sendmail smrsh execution
    restriction bypass").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0216.html

    *** {02.48.009} Linux - Update {02.39.006}: Fetchmail multiple
                    vulnerabilities

    Caldera released updated Fetchmail packages, which fix the
    vulnerability discussed in {02.39.006} ("Fetchmail multiple
    vulnerabilities").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0019.html

    *** {02.48.010} Linux - Update {02.29.016}: wwwoffle negative content
                    len field overflow

    Caldera released updated wwwoffle packages, which fix the vulnerability
    discussed in {02.29.016} ("wwwoffle negative content len field
    overflow").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0016.html

    *** {02.48.014} Linux - Update {02.15.013}: Webalizer reverse DNS
                    lookup overflow

    Red Hat released updated Webalizer packages, which fix the
    vulnerability discussed in {02.15.013} ("Webalizer reverse DNS lookup
    overflow").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0049.html

    *** {02.48.015} Linux - Linux Netfilter/IPTables IP queue packet leaking

    The Linux Netfilter/IPTables suite contains a bug present in Linux
    kernels 2.4.19 and prior. A local unprivileged process may be able to
    continue using an IP queue of a privileged process once the privileged
    process exits.

    This vulnerability is confirmed and fixed in Linux kernel version
    2.4.20.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0025.html

    *** {02.48.018} Linux - Update {02.46.030}: Linux kernel lcall7 DoS

    Red Hat released updated kernel packages, which fix the vulnerability
    discussed in {02.46.030} ("Linux kernel lcall7 DoS").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0046.html

    *** {02.48.019} Linux - Update {02.45.027}: KDE KIO rlogin/telnet
                    protocol handler overflows

    Red Hat released updated KDE packages, which fix the vulnerability
    discussed in {02.45.027} ("KDE KIO rlogin/telnet protocol handler
    overflows").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0051.html

    *** {02.48.020} Linux - IM suite insecure temp file handling

    A Debian advisory indicates the impwagent and immknmz programs
    included in the IM program suite insecurely create temporary files,
    which allows a local symlink attack.

    Debian confirmed these vulnerabilities and released updated DEBs,
    listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0845.html
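    The symlink race behind this class of bug is worth seeing in code. The
    following is an added example written for this digest, not code from
    the IM suite or from the Debian advisory: it contrasts the unsafe
    pattern (a predictable name opened with O_CREAT but without O_EXCL,
    which follows a pre-planted symlink and writes wherever it points)
    with two safe patterns, open() with O_CREAT|O_EXCL|O_NOFOLLOW and
    mkstemp(). It assumes a POSIX system with a writable /tmp and builds
    its own scratch directory and symlink so it runs stand-alone.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern, shown only for contrast: O_CREAT without O_EXCL follows an
 * existing symlink at the path and creates/truncates whatever it points at. */
static int unsafe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe pattern 1: O_CREAT|O_EXCL fails with EEXIST if anything (including a
 * symlink) already exists at the path, so a planted link is never followed.
 * O_NOFOLLOW is belt-and-braces for callers that later drop O_EXCL. */
static int safe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Returns 1 if path is a regular file (lstat, so a symlink does not count). */
static int is_regular_file(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode);
}

/* Builds a private scratch dir, plants the attacker's link
 * victim.tmp -> target, then checks that safe_create() refuses the link
 * (EEXIST) while unsafe_create() writes through it and creates target.
 * Returns 1 when the safe variant behaved as expected. */
static int demo_symlink_defence(void) {
    char dir[] = "/tmp/sac-demo-XXXXXX";      /* mkdtemp fills in the Xs */
    char target[4096], link_path[4096];
    int ok = 0;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link_path, sizeof link_path, "%s/victim.tmp", dir);

    if (symlink(target, link_path) == 0) {        /* constructed planted link */
        int fd = safe_create(link_path);
        int refused = (fd < 0 && errno == EEXIST);
        if (fd >= 0) close(fd);

        int ufd = unsafe_create(link_path);
        int followed = (ufd >= 0 && is_regular_file(target));
        if (ufd >= 0) close(ufd);

        ok = refused && followed;
    }
    unlink(target);
    unlink(link_path);
    rmdir(dir);
    return ok;
}

/* Safe pattern 2: mkstemp() picks an unpredictable name and creates the file
 * atomically with O_EXCL. Returns 1 if a regular file was created. */
static int demo_mkstemp(void) {
    char name[] = "/tmp/sac-XXXXXX";
    int fd = mkstemp(name);
    if (fd < 0) return 0;
    int ok = is_regular_file(name);
    close(fd);
    unlink(name);
    return ok;
}

int main(void) {
    printf("O_EXCL blocks planted symlink: %s\n",
           demo_symlink_defence() ? "yes" : "no");
    printf("mkstemp creates regular file: %s\n",
           demo_mkstemp() ? "yes" : "no");
    return 0;
}
```

    The fix for programs like the ones in the advisory is exactly the move
    from the first function to the second or third: never trust that a
    predictable path in a shared directory is empty, and let the kernel
    refuse the open atomically instead of checking first and opening later.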

    *** {02.48.022} Linux - Update {02.45.006}: Window Maker image size
                    integer overflow

    Mandrake released updated Window Maker packages, which fix the
    vulnerability discussed in {02.45.006} ("Window Maker image size
    integer overflow").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0233.html

    --- Network Appliances News --------------------------------------------

    *** {02.48.012} NApps - NetScreen H.323 session table DoS

    The NetScreen firewall device running ScreenOS versions 2.8 through
    4.0.1 does not properly remove H.323 sessions from the state
    table. This could potentially lead to a denial of service in which
    an attacker opens many H.323 connections, filling the state table so
    that no further connections are accepted.

    The vendor confirmed this vulnerability and released various updates.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0096.html

    *** {02.48.013} NApps - NetScreen predictable TCP ISN

    A NetScreen advisory indicates that TCP ISN generation in devices
    running ScreenOS 4.0 and prior is predictable, potentially allowing
    TCP sessions to be hijacked or spoofed.

    This vulnerability is confirmed and fixed in ScreenOS version 4.0.1.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0095.html

    --- Other News ---------------------------------------------------------

    *** {02.48.011} Other - Update {02.19.017}: uudecode insecure output
                    file handling

    HP/Compaq released Tru64 ERPs, which fix the vulnerability discussed
    in {02.19.017} ("uudecode insecure output file handling").

    Updates are listed at the reference URL below.

    Source: HP/Compaq
    http://archives.neohapsis.com/archives/tru64/2002-q4/0007.html

    --- Cross-Platform News ------------------------------------------------

    *** {02.48.001} Cross - SSH.Com SSH setsid() vulnerability

    An SSH Communications advisory indicates SSH Communications server
    versions 2.0.13 through 3.2.1 on Unix platforms do not properly drop
    privileges when executing noninteractive sessions. An attacker with
    valid login credentials may be able to gain root access.

    The vendor confirmed this vulnerability. Versions 3.1.5 and 3.2.2
    fix the problem.

    Source: SSH Communications
    http://www.ssh.com/company/newsroom/article/286/

    *** {02.48.004} Cross - Hughes' libhttpd multiple buffer overflows

    Hughes Technologies' libhttpd HTTP library versions 1.2 and prior
    contain multiple remotely exploitable buffer overflows.

    The vendor confirmed this vulnerability and released version 1.3.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0305.html

    *** {02.48.005} Cross - Sybase DB multiple vulnerabilities

    Three new vulnerabilities were found in Sybase Adaptive Server
    versions 12.0 and 12.5: a buffer overflow in the DBCC CHECKVERIFY
    function; a buffer overflow in the DROP DATABASE function/statement;
    and a buffer overflow in the xp_freedll extended stored procedure. All
    three vulnerabilities are confirmed and allow a nonprivileged database
    user to gain full control of the server.

    The vendor released patches, available at:
    http://downloads.sybase.com/swd/swx

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0337.html
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0339.html
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0345.html

    *** {02.48.007} Cross - Portail PHP CGI SQL injection and CSS
                    vulnerabilities

    Yoopla.net's Portail PHP CGI suite version 0.99 contains multiple
    cross-site scripting and SQL injection vulnerabilities.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0359.html

    *** {02.48.016} Cross - FreeS/Wan small packet DoS

    A Debian advisory indicates FreeS/Wan does not properly handle small
    IPSec packets, resulting in a denial of service issue.

    This vulnerability is confirmed. Updated Debian DEBs are listed at
    the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0824.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE977Xl+LUG5KFpTkYRAkwjAJ9Rm0RQ0CXomVFk9O9V9e50tw6Y4QCgoJfF
    1GNwgSB4Gm0o1un00xovFV8=
    =r1AJ
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).