From: Network Computing and The SANS Institute (sans+ZZ90615155835774983_at_sans.org)
Date: Thu Feb 20 2003 - 13:46:06 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 007 (03.07)
Thursday, February 20, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by Network Computing's Tech Library and Bitpipe Inc.
FREE Atheros Communications White Paper -- Building a Secure Wireless
Network Although the security protocols and mechanisms are available,
however, most wireless LANs are not yet protected. Understanding the
issues involved is the first step in achieving the necessary protection.
This white paper describes the security methods available today, from
older protocols that have vulnerabilities to the newer protocols that
provide the security customers demand.
http://techlibrary.networkcomputing.com/data/detail?id=1044882477_812&type=RES&x=405370794&src=email
For more white papers, case studies and product information on Data
Encryption go to:
http://techlibrary.networkcomputing.com/data/rlist?t=itmgmt_10_50_20_28_2&src=emailhl
************************** End Advertisement *************************
Many critical Oracle and Lotus Notes vulnerabilities were released
this week (all by the same security research vendor, too). Both
Oracle and IBM have patches available at the usual places on their
sites. Further information for the Oracle vulnerabilities is listed
in item {03.07.002}, and the Lotus vulnerabilities are listed in
items {03.07.013}, {03.07.014} and {03.07.015}.
These items are listed in the 'Cross-Platform' category. If they are
not in your newsletter content, you can still read the posts. Simply
change your category subscriptions to include Cross-Platform by
following the instructions at the bottom of this e-mail.
HP also released some important HP-UX patches, fixing various local
buffer overflows that could lead to privilege elevation. These
vulnerabilities are reported in items {03.07.009}, {03.07.010},
{03.07.011} and {03.07.012}.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{03.07.015} Win - Lotus iNotes client ActiveX control overflow
{03.07.024} Win - Blade encoder
{03.07.004} Linux - Update {03.06.002}: w3m CSS vulnerabilities
{03.07.007} Linux - Update {03.02.014}: IMP CGI various SQL injection
{03.07.008} Linux - Update {03.01.029}: PHP 4.3.0 released, with
security fixes
{03.07.017} Linux - Update {02.38.013}: Multiple Mozilla 1.0
vulnerabilities
{03.07.018} Linux - Fileutils rm/mv race condition
{03.07.020} Linux - Update {03.01.009}: Lynx CRLF header injection
{03.07.022} Linux - Update {03.01.010}: CUPS multiple vulnerabilities
{03.07.023} Linux - pam_xauth forwards X authentication information
{03.07.025} Linux - Mandrake mcookie potential predictable randomness
{03.07.019} AIX - libIM NLS buffer overflow
{03.07.001} HPUX - Bastille incorrect sendmail privacy options
{03.07.009} HPUX - landiag & lanadmin buffer overflows
{03.07.010} HPUX - rpc.yppasswdd buffer overflow
{03.07.011} HPUX - stmkfont buffer overflow
{03.07.012} HPUX - rs.F3000 driver vulnerability
{03.07.021} SGI - IRIX IP vulnerabilities
{03.07.002} Cross - Multiple Oracle vulnerabilities 02/18
{03.07.003} Cross - Vulnerable PHP applications 02/18
{03.07.006} Cross - PHP CGI SAPI force_redirect broken
{03.07.013} Cross - Lotus Domino host redirect overflow
{03.07.014} Cross - Lotus iNotes PresetFields parameter overflow
{03.07.016} Cross - Lotus Domino 'extra dot' code disclosure
{03.07.005} MacOS - TruBlueEnvironment debug file vulnerability
- --- Windows News -------------------------------------------------------
*** {03.07.015} Win - Lotus iNotes client ActiveX control overflow
The Lotus iNotes client includes an ActiveX control that contains
a buffer overflow in the InitializeUsingNotesUserName method, which
allows a malicious Web page or e-mail to execute arbitrary code on
the user's system.
The vendor confirmed this vulnerability and released a patch.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0082.html
*** {03.07.024} Win - Blade encoder
The Blade encoder versions 0.94.2 and prior contain an exploitable
integer overflow that allows a malicious .wav file to execute
arbitrary code.
This vulnerability is confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-02/0002.html
http://archives.neohapsis.com/archives/bugtraq/2003-02/0064.html
- --- Linux News ---------------------------------------------------------
*** {03.07.004} Linux - Update {03.06.002}: w3m CSS vulnerabilities
Debian released updated w3m packages, which fix the vulnerabilities
discussed in {03.06.002} ("w3m CSS vulnerabilities").
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0352.html
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0379.html
*** {03.07.007} Linux - Update {03.02.014}: IMP CGI various SQL
injection
SuSE released updated IMP packages, which fix the vulnerability
discussed in {03.02.014} ("IMP CGI various SQL injection").
Updated RPMs are listed at the reference URL below.
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0499.html
*** {03.07.008} Linux - Update {03.01.029}: PHP 4.3.0 released, with
security fixes
SuSE released updated PHP packages, which fix the vulnerability
discussed in {03.01.029} ("PHP 4.3.0 released, with security fixes").
Updated RPMs are listed at the reference URL below.
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0500.html
*** {03.07.017} Linux - Update {02.38.013}: Multiple Mozilla 1.0
vulnerabilities
Conectiva released updated Mozilla packages, which fix the
vulnerabilities discussed in {02.38.013} ("Multiple Mozilla 1.0
vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Conectiva (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-02/0157.html
*** {03.07.018} Linux - Fileutils rm/mv race condition
A Red Hat advisory indicates the 'rm' and 'mv' utilities contain race
conditions when used in recursive move, which potentially could allow
a local attacker to delete local files and directories.
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0046.html
*** {03.07.020} Linux - Update {03.01.009}: Lynx CRLF header injection
Red Hat released updated Lynx packages, which fix the vulnerability
discussed in {03.01.009} ("Lynx CRLF header injection").
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0040.html
*** {03.07.022} Linux - Update {03.01.010}: CUPS multiple
vulnerabilities
Mandrake released updated CUPS packages, which fix the vulnerabilities
discussed in {03.01.010} ("CUPS multiple vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0205.html
*** {03.07.023} Linux - pam_xauth forwards X authentication information
The pam_xauth utility incorrectly forwards X authentication information
in 'su' requests, potentially allowing a local attacker to gain
access to other users' applications if those users use su to access
the attacker's account.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0045.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0204.html
Source: Red Hat, Mandrake
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0045.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0204.html
*** {03.07.025} Linux - Mandrake mcookie potential predictable
randomness
Mandrake released new RPMs for the mcookie utility included with
Mandrake 8.2 and 9.0. The mcookie utility included with those versions
used the less secure /dev/urandom instead of /dev/random, thereby
resulting in potentially weakened random numbers.
Updated RPMs are listed at the reference URL below.
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-02/0172.html
- --- AIX News -----------------------------------------------------------
*** {03.07.019} AIX - libIM NLS buffer overflow
The libIM library included with AIX 4.3, 5.1 and 5.2 contains a buffer
overflow that could allow a local attacker to gain elevated privileges
via exploitation of a setuid/setgid application using the library.
This vulnerability is confirmed. APARs currently are in production;
a temporary e-fix is available at:
ftp://aix.software.ibm.com/aix/efixes/security/libIM_efix.tar.Z
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0067.html
- --- HP-UX News ---------------------------------------------------------
*** {03.07.001} HPUX - Bastille incorrect sendmail privacy options
An HP advisory indicates the Bastille security tool version B.02.00.00
does not correctly configure sendmail privacy options, potentially
leading to an information exposure. This is limited to HP-UX 11.00
and 11.11.
This vulnerability is confirmed and fixed in Bastille B.02.00.05. You
also can apply patch PHSS_28558 to fix B.02.00.00 if you do not want
to upgrade.
Source: HP
http://archives.neohapsis.com/archives/hp/2003-q1/0033.html
*** {03.07.009} HPUX - landiag & lanadmin buffer overflows
An HP advisory indicates that buffer overflows in landiag and lanadmin
utilities allow a local user to execute arbitrary code with elevated
privileges.
Patches are currently being worked on; a workaround in the meantime
is to remove setuid/setgid permissions.
Source: HP
http://archives.neohapsis.com/archives/hp/2003-q1/0028.html
*** {03.07.010} HPUX - rpc.yppasswdd buffer overflow
An HP advisory indicates the rpc.yppasswdd daemon contains a buffer
overflow that could cause a denial of service or the remote execution
of arbitrary code.
HP confirmed this vulnerability. HP-UX 11.00 can use PHNE_28102 and
HP-UX 11.11 can use PHNE_28103. HP-UX 10.20 and 11.22 patches are
still being produced.
Source: HP
http://archives.neohapsis.com/archives/hp/2003-q1/0028.html
*** {03.07.011} HPUX - stmkfont buffer overflow
An HP advisory indicates the stmkfont utility contains a buffer
overflow that allows local attackers to execute code with elevated
privileges.
HP confirmed this vulnerability. HP-UX 10.20 users can install
patch PHSS_15423. Patches for HP-UX 11.xx are still in production;
a workaround is to remove setuid/setgid permissions.
Source: HP
http://archives.neohapsis.com/archives/hp/2003-q1/0028.html
*** {03.07.012} HPUX - rs.F3000 driver vulnerability
An HP advisory indicates the possibility of a local attacker using
the rs.F3000 Freedom graphics driver to gain 'daemon' privileges. The
nature of the vulnerability was not discussed.
HP's recommended solution is to remove execute permissions from
rs.F3000 if you do not use the Freedom graphics card; if you do use
that particular hardware, then contact HP.
Source: HP
http://archives.neohapsis.com/archives/hp/2003-q1/0028.html
- --- SGI News -----------------------------------------------------------
*** {03.07.021} SGI - IRIX IP vulnerabilities
SGI released a patch that fixes many IP stack issues, including denial
of service attacks and weak ISN generation.
Full patch information is available at the reference URL below.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q1/0046.html
- --- Cross-Platform News ------------------------------------------------
*** {03.07.002} Cross - Multiple Oracle vulnerabilities 02/18
Multiple versions of Oracle 8.x and 9.x contain numerous remotely
exploitable vulnerabilities. The vulnerabilities include:
- --User name authentication buffer overflow to database
- --TO_TIMESTAMP_TZ SQL function overflow
- --TZ_OFFSET SQL function overflow
- --iAS WebDAV COPY format string overflow
- --bfilename SQL function overflow
The vendor confirmed all these vulnerabilities and released patches.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0073.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0074.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0075.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0076.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0083.html
*** {03.07.003} Cross - Vulnerable PHP applications 02/18
The following third-party PHP CGI applications are reported vulnerable.
hp-planet.de's php-board: user password disclosure
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0069.html
Dotbr v1.0: information disclosure and command execution
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0070.html
Kietu v2.x: include file code execution
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0071.html
D-Forum v1.00-1.11: include file code execution
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0072.html
IndyNews PHP-Nuke addon: various media file manipulations
http://archives.neohapsis.com/archives/bugtraq/2003-02/0174.html
MyPHPPageTool v0.4.3-1: include file code execution
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0052.html
PHPMyShop v1.0: SQL injection
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0053.html
PHP-Nuke v6.0 and prior: avatar CSS vulnerability
http://archives.neohapsis.com/archives/bugtraq/2003-02/0012.html
Source: VulnWatch, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0069.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0070.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0071.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0072.html
http://archives.neohapsis.com/archives/bugtraq/2003-02/0174.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0052.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0053.html
http://archives.neohapsis.com/archives/bugtraq/2003-02/0012.html
*** {03.07.006} Cross - PHP CGI SAPI force_redirect broken
PHP version 4.3.0 contains a bug in the CGI SAPI support that causes
it to ignore the 'cgi.force_redirect' configuration option, which
allows a remote user to read arbitrary files.
PHP confirmed this vulnerability and released version 4.3.1.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0085.html
*** {03.07.013} Cross - Lotus Domino host redirect overflow
Lotus Domino version 6.0.0 contains a buffer overflow in the handling
of large Host headers used in redirect responses. This allows the
remote execution of arbitrary code. There are also two denial of
service attacks.
These vulnerabilities are confirmed and fixed in version 6.0.1.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0080.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0084.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0086.html
*** {03.07.014} Cross - Lotus iNotes PresetFields parameter overflow
Lotus iNotes version 6.0 contains a buffer overflow in the handling
of the s_ViewName and Foldername options of the PresetFields
parameter. This vulnerability allows the remote execution of arbitrary
code.
The vendor confirmed this vulnerability and released version 6.0.1.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0081.html
*** {03.07.016} Cross - Lotus Domino 'extra dot' code disclosure
A report surfaced this week indicating that Lotus Domino server
versions 5 and 6 may allow the disclosure/download of executable
content by appending an extra '.' to the file name.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-02/0153.html
- --- Mac OS News --------------------------------------------------------
*** {03.07.005} MacOS - TruBlueEnvironment debug file vulnerability
The TruBlueEnvironment utility contains a vulnerability in the
creation of debug files, which potentially allows a local attacker
to gain root privileges in Mac OS X prior to version 10.2.4.
The advisory indicates confirmation by the vendor, which released a
fix in Mac OS X version 10.2.4.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0068.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE+VTBc+LUG5KFpTkYRAiQdAJ9FXvA5HyOkYIRNghhb4JCZJzCnOQCgiHPS
vifYwldDOmXMb8rrZY+3yGg=
=OUux
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).