From: Network Computing and The SANS Institute (sans+ZZ90615155835774983_at_sans.org)
Date: Thu Feb 20 2003 - 13:46:06 CST

    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 007 (03.07)
                      Thursday, February 20, 2003
                           Created for you by
                Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensusnwc.com>.

    ************************* Begin Advertisement ************************

    This issue sponsored by Network Computing's Tech Library and Bitpipe Inc.

    FREE Atheros Communications White Paper -- Building a Secure Wireless
    Network. Although the security protocols and mechanisms are available,
    most wireless LANs are not yet protected. Understanding the
    issues involved is the first step in achieving the necessary protection.
    This white paper describes the security methods available today, from
    older protocols that have vulnerabilities to the newer protocols that
    provide the security customers demand.
    http://techlibrary.networkcomputing.com/data/detail?id=1044882477_812&type=RES&x=405370794&src=email

    For more white papers, case studies and product information on Data
    Encryption go to:
    http://techlibrary.networkcomputing.com/data/rlist?t=itmgmt_10_50_20_28_2&src=emailhl

    ************************** End Advertisement *************************

    Many critical Oracle and Lotus Notes vulnerabilities were released
    this week (all by the same security research vendor, too). Both
    Oracle and IBM have patches available at the usual places on their
    sites. Further information for the Oracle vulnerabilities is listed
    in item {03.07.002}, and the Lotus vulnerabilities are listed in
    items {03.07.013}, {03.07.014} and {03.07.015}.

    These items are listed in the 'Cross-Platform' category. If they are
    not in your newsletter content, you can still read the posts. Simply
    change your category subscriptions to include Cross-Platform by
    following the instructions at the bottom of this e-mail.

    HP also released some important HP-UX patches, fixing various local
    buffer overflows that could lead to privilege elevation. These
    vulnerabilities are reported in items {03.07.009}, {03.07.010},
    {03.07.011} and {03.07.012}.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {03.07.015} Win - Lotus iNotes client ActiveX control overflow
    {03.07.024} Win - Blade encoder
    {03.07.004} Linux - Update {03.06.002}: w3m CSS vulnerabilities
    {03.07.007} Linux - Update {03.02.014}: IMP CGI various SQL injection
    {03.07.008} Linux - Update {03.01.029}: PHP 4.3.0 released, with
                security fixes
    {03.07.017} Linux - Update {02.38.013}: Multiple Mozilla 1.0
                vulnerabilities
    {03.07.018} Linux - Fileutils rm/mv race condition
    {03.07.020} Linux - Update {03.01.009}: Lynx CRLF header injection
    {03.07.022} Linux - Update {03.01.010}: CUPS multiple vulnerabilities
    {03.07.023} Linux - pam_xauth forwards X authentication information
    {03.07.025} Linux - Mandrake mcookie potential predictable randomness
    {03.07.019} AIX - libIM NLS buffer overflow
    {03.07.001} HPUX - Bastille incorrect sendmail privacy options
    {03.07.009} HPUX - landiag & lanadmin buffer overflows
    {03.07.010} HPUX - rpc.yppasswdd buffer overflow
    {03.07.011} HPUX - stmkfont buffer overflow
    {03.07.012} HPUX - rs.F3000 driver vulnerability
    {03.07.021} SGI - IRIX IP vulnerabilities
    {03.07.002} Cross - Multiple Oracle vulnerabilities 02/18
    {03.07.003} Cross - Vulnerable PHP applications 02/18
    {03.07.006} Cross - PHP CGI SAPI force_redirect broken
    {03.07.013} Cross - Lotus Domino host redirect overflow
    {03.07.014} Cross - Lotus iNotes PresetFields parameter overflow
    {03.07.016} Cross - Lotus Domino 'extra dot' code disclosure
    {03.07.005} MacOS - TruBlueEnvironment debug file vulnerability

    - --- Windows News -------------------------------------------------------

    *** {03.07.015} Win - Lotus iNotes client ActiveX control overflow

    The Lotus iNotes client includes an ActiveX control that contains
    a buffer overflow in the InitializeUsingNotesUserName method, which
    allows a malicious Web page or e-mail to execute arbitrary code on
    the user's system.

    The vendor confirmed this vulnerability and released a patch.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0082.html

    *** {03.07.024} Win - Blade encoder

    The Blade encoder versions 0.94.2 and prior contain an exploitable
    integer overflow that allows a malicious .wav file to execute
    arbitrary code.

    This vulnerability is confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0002.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0064.html

    - --- Linux News ---------------------------------------------------------

    *** {03.07.004} Linux - Update {03.06.002}: w3m CSS vulnerabilities

    Debian released updated w3m packages, which fix the vulnerabilities
    discussed in {03.06.002} ("w3m CSS vulnerabilities").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2003-q1/0352.html
    http://archives.neohapsis.com/archives/linux/debian/2003-q1/0379.html

    *** {03.07.007} Linux - Update {03.02.014}: IMP CGI various SQL
                    injection

    SuSE released updated IMP packages, which fix the vulnerability
    discussed in {03.02.014} ("IMP CGI various SQL injection").

    Updated RPMs are listed at the reference URL below.

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2003-q1/0499.html

    *** {03.07.008} Linux - Update {03.01.029}: PHP 4.3.0 released, with
                    security fixes

    SuSE released updated PHP packages, which fix the vulnerability
    discussed in {03.01.029} ("PHP 4.3.0 released, with security fixes").

    Updated RPMs are listed at the reference URL below.

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2003-q1/0500.html

    *** {03.07.017} Linux - Update {02.38.013}: Multiple Mozilla 1.0
                    vulnerabilities

    Conectiva released updated Mozilla packages, which fix the
    vulnerabilities discussed in {02.38.013} ("Multiple Mozilla 1.0
    vulnerabilities").

    Updated RPMs are listed at the reference URL below.

    Source: Conectiva (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0157.html

    *** {03.07.018} Linux - Fileutils rm/mv race condition

    A Red Hat advisory indicates the 'rm' and 'mv' utilities contain race
    conditions when used in recursive move, which potentially could allow
    a local attacker to delete local files and directories.

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0046.html

    *** {03.07.020} Linux - Update {03.01.009}: Lynx CRLF header injection

    Red Hat released updated Lynx packages, which fix the vulnerability
    discussed in {03.01.009} ("Lynx CRLF header injection").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0040.html

    *** {03.07.022} Linux - Update {03.01.010}: CUPS multiple
                    vulnerabilities

    Mandrake released updated CUPS packages, which fix the vulnerabilities
    discussed in {03.01.010} ("CUPS multiple vulnerabilities").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0205.html

    *** {03.07.023} Linux - pam_xauth forwards X authentication information

    The pam_xauth utility incorrectly forwards X authentication information
    in 'su' requests, potentially allowing a local attacker to gain
    access to other users' applications if those users use su to access
    the attacker's account.

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0045.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0204.html

    Source: Red Hat, Mandrake
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0045.html
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0204.html

    *** {03.07.025} Linux - Mandrake mcookie potential predictable
                    randomness

    Mandrake released new RPMs for the mcookie utility included with
    Mandrake 8.2 and 9.0. The mcookie utility included with those versions
    used the less secure /dev/urandom instead of /dev/random, thereby
    resulting in potentially weakened random numbers.

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0172.html

    - --- AIX News -----------------------------------------------------------

    *** {03.07.019} AIX - libIM NLS buffer overflow

    The libIM library included with AIX 4.3, 5.1 and 5.2 contains a buffer
    overflow that could allow a local attacker to gain elevated privileges
    via exploitation of a setuid/setgid application using the library.

    This vulnerability is confirmed. APARs currently are in production;
    a temporary e-fix is available at:
    ftp://aix.software.ibm.com/aix/efixes/security/libIM_efix.tar.Z

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0067.html

    - --- HP-UX News ---------------------------------------------------------

    *** {03.07.001} HPUX - Bastille incorrect sendmail privacy options

    An HP advisory indicates the Bastille security tool version B.02.00.00
    does not correctly configure sendmail privacy options, potentially
    leading to an information exposure. This is limited to HP-UX 11.00
    and 11.11.

    This vulnerability is confirmed and fixed in Bastille B.02.00.05. You
    also can apply patch PHSS_28558 to fix B.02.00.00 if you do not want
    to upgrade.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2003-q1/0033.html

    *** {03.07.009} HPUX - landiag & lanadmin buffer overflows

    An HP advisory indicates that buffer overflows in landiag and lanadmin
    utilities allow a local user to execute arbitrary code with elevated
    privileges.

    Patches are currently being worked on; a workaround in the meantime
    is to remove setuid/setgid permissions.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2003-q1/0028.html

    *** {03.07.010} HPUX - rpc.yppasswdd buffer overflow

    An HP advisory indicates the rpc.yppasswdd daemon contains a buffer
    overflow that could cause a denial of service or the remote execution
    of arbitrary code.

    HP confirmed this vulnerability. HP-UX 11.00 can use PHNE_28102 and
    HP-UX 11.11 can use PHNE_28103. HP-UX 10.20 and 11.22 patches are
    still being produced.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2003-q1/0028.html

    *** {03.07.011} HPUX - stmkfont buffer overflow

    An HP advisory indicates the stmkfont utility contains a buffer
    overflow that allows local attackers to execute code with elevated
    privileges.

    HP confirmed this vulnerability. HP-UX 10.20 users can install
    patch PHSS_15423. Patches for HP-UX 11.xx are still in production;
    a workaround is to remove setuid/setgid permissions.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2003-q1/0028.html

    *** {03.07.012} HPUX - rs.F3000 driver vulnerability

    An HP advisory indicates the possibility of a local attacker using
    the rs.F3000 Freedom graphics driver to gain 'daemon' privileges. The
    nature of the vulnerability was not discussed.

    HP's recommended solution is to remove execute permissions from
    rs.F3000 if you do not use the Freedom graphics card; if you do use
    that particular hardware, then contact HP.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2003-q1/0028.html

    - --- SGI News -----------------------------------------------------------

    *** {03.07.021} SGI - IRIX IP vulnerabilities

    SGI released a patch that fixes many IP stack issues, including denial
    of service attacks and weak ISN generation.

    Full patch information is available at the reference URL below.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2003-q1/0046.html

    - --- Cross-Platform News ------------------------------------------------

    *** {03.07.002} Cross - Multiple Oracle vulnerabilities 02/18

    Multiple versions of Oracle 8.x and 9.x contain numerous remotely
    exploitable vulnerabilities. The vulnerabilities include:

    - --User name authentication buffer overflow to database
    - --TO_TIMESTAMP_TZ SQL function overflow
    - --TZ_OFFSET SQL function overflow
    - --iAS WebDAV COPY format string overflow
    - --bfilename SQL function overflow

    The vendor confirmed all these vulnerabilities and released patches.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0073.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0074.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0075.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0076.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0083.html

    *** {03.07.003} Cross - Vulnerable PHP applications 02/18

    The following third-party PHP CGI applications are reported vulnerable.

    hp-planet.de's php-board: user password disclosure
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0069.html

    Dotbr v1.0: information disclosure and command execution
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0070.html

    Kietu v2.x: include file code execution
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0071.html

    D-Forum v1.00-1.11: include file code execution
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0072.html

    IndyNews PHP-Nuke addon: various media file manipulations
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0174.html

    MyPHPPageTool v0.4.3-1: include file code execution
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0052.html

    PHPMyShop v1.0: SQL injection
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0053.html

    PHP-Nuke v6.0 and prior: avatar CSS vulnerability
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0012.html

    Source: VulnWatch, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0069.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0070.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0071.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0072.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0174.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0052.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0053.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0012.html

    *** {03.07.006} Cross - PHP CGI SAPI force_redirect broken

    PHP version 4.3.0 contains a bug in the CGI SAPI support that causes
    it to ignore the 'cgi.force_redirect' configuration option, which
    allows a remote user to read arbitrary files.

    PHP confirmed this vulnerability and released version 4.3.1.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0085.html

    *** {03.07.013} Cross - Lotus Domino host redirect overflow

    Lotus Domino version 6.0.0 contains a buffer overflow in the handling
    of large Host headers used in redirect responses. This allows the
    remote execution of arbitrary code. There are also two denial of
    service attacks.

    These vulnerabilities are confirmed and fixed in version 6.0.1.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0080.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0084.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0086.html

    *** {03.07.014} Cross - Lotus iNotes PresetFields parameter overflow

    Lotus iNotes version 6.0 contains a buffer overflow in the handling
    of the s_ViewName and Foldername options of the PresetFields
    parameter. This vulnerability allows the remote execution of arbitrary
    code.

    The vendor confirmed this vulnerability and released version 6.0.1.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0081.html

    *** {03.07.016} Cross - Lotus Domino 'extra dot' code disclosure

    A report surfaced this week indicating that Lotus Domino server
    versions 5 and 6 may allow the disclosure/download of executable
    content by appending an extra '.' to the file name.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0153.html

    - --- Mac OS News --------------------------------------------------------

    *** {03.07.005} MacOS - TruBlueEnvironment debug file vulnerability

    The TruBlueEnvironment utility contains a vulnerability in the
    creation of debug files, which potentially allows a local attacker
    to gain root privileges in Mac OS X prior to version 10.2.4.

    The advisory indicates confirmation by the vendor, which released a
    fix in Mac OS X version 10.2.4.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0068.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE+VTBc+LUG5KFpTkYRAiQdAJ9FXvA5HyOkYIRNghhb4JCZJzCnOQCgiHPS
    vifYwldDOmXMb8rrZY+3yGg=
    =OUux
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter with PGP. The new SANS PGP
    key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46
    and can also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensusnwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2003 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).