[security] Security Advisories

Lorenzo Iannuzzi nakis a libero.it
Fri 9 Apr 2004 18:08:47 CEST


I apologize for not having written lately; I have had various problems. For
the same reasons I am currently unable to sign this email.
 I hope I have not led you to believe that everything was going smoothly;
in reality there are shovelfuls of security advisories...

http://www.debian.org/security/

Steve Kemp and Jaguar discovered a number of buffer overflow
vulnerabilities in vfte, a version of the fte editor which runs on the
Linux console, found in the package fte-console.  This program is
setuid root in order to perform certain types of low-level operations
on the console.

Due to these bugs, setuid privilege has been removed from vfte, making
it only usable by root.  We recommend using the terminal version (in
the fte-terminal package) instead, which runs on any capable terminal
including the Linux console.

Alan Cox discovered that the isag utility (which graphically displays
data collected by the sysstat tools), creates a temporary file without
taking proper precautions.  This vulnerability could allow a local
attacker to overwrite files with the privileges of the user invoking
isag.

A vulnerability was discovered in oftpd, an anonymous FTP server,
whereby a remote attacker could cause the oftpd process to crash by
specifying a large value in a PORT command.

A vulnerability was discovered in squid, an Internet object cache,
whereby access control lists based on URLs could be bypassed
(CAN-2004-0189).  Two other bugs were also fixed with patches
squid-2.4.STABLE7-url_escape.patch (a buffer overrun which does not
appear to be exploitable) and squid-2.4.STABLE7-url_port.patch (a
potential denial of service).

Several local root exploits have been discovered recently in the Linux
kernel.  This security advisory updates the PA-RISC kernel 2.4.18 for
Debian GNU/Linux.  The Common Vulnerabilities and Exposures project
identifies the following problems that are fixed with this update:

CAN-2003-0961:

   An integer overflow in brk() system call (do_brk() function) for
   Linux allows a local attacker to gain root privileges.  Fixed
   upstream in Linux 2.4.23.

CAN-2003-0985:

   Paul Starzetz discovered a flaw in bounds checking in mremap() in
   the Linux kernel (present in version 2.4.x and 2.6.x) which may
   allow a local attacker to gain root privileges.  Version 2.2 is not
   affected by this bug.  Fixed upstream in Linux 2.4.24.

CAN-2004-0077:

   Paul Starzetz and Wojciech Purczynski of isec.pl discovered a
   critical security vulnerability in the memory management code of
   Linux inside the mremap(2) system call.  Due to missing function
   return value check of internal functions a local attacker can gain
   root privileges.  Fixed upstream in Linux 2.4.25 and 2.6.3.

According to a security advisory from the heimdal project:

http://www.pdc.kth.se/heimdal/advisory/2004-04-01/

heimdal, a suite of software implementing the Kerberos protocol, has
"a cross-realm vulnerability allowing someone with control over a
realm to impersonate anyone in the cross-realm trust path."

Shaun Colley discovered a problem in xine-ui, the xine video player
user interface.  A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion.  This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.

tcpdump, a tool for network monitoring and data acquisition, was found
to contain two vulnerabilities whereby tcpdump could be caused to
crash through attempts to read from invalid memory locations.  This
bug is triggered by certain invalid ISAKMP packets.

http://www.openpkg.org/security.html

  According to a message from Ilya Teterin posted on Bugtraq, the
  Midnight Commander application uses an uninitialized buffer to
  handle symlinks in VFS. This allows attackers to execute arbitrary
  code during symlink conversion. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2003-1023 [2] to the
  problem.

  According to a posting on Bugtraq, Shaun Colley discovered and
  researched a stack-based buffer overflow vulnerability which exists in
  the GNU Sharutils due to lack of bounds checking when handling the
  '-o' command-line option.

  According to a security advisory published by Rapid7, two
  vulnerabilities exist in the ISAKMP packet display functions of
  tcpdump. The Common Vulnerabilities and Exposures (CVE) project
  has reviewed both problems. CAN-2004-0183 identifies an overflow
  when displaying ISAKMP delete payloads with a large number of SPIs,
  while CAN-2004-0184 identifies an integer underflow when
  displaying an ISAKMP identification payload. These vulnerabilities
  appear only when verbose packet display is enabled by running tcpdump
  with the -v option.

  According to a Mandrake Linux security advisory, a denial of
  service (DoS) vulnerability exists in the header rewriting code of
  Fetchmail. The code's intention is to hack message headers so
  replies work properly. However, logic in the reply_hack() function
  fails to allocate enough memory for long lines and may write past a
  memory boundary. This could allow an attacker to cause a denial of
  service by sending a specially crafted email and crashing fetchmail.
  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0792 to the problem.

http://www.mandrakesecure.net/en/advisories/

 A remotely exploitable buffer overflow vulnerability was found in
 MPlayer.  A malicious host can craft a harmful HTTP header
 ("Location:"), and trick MPlayer into executing arbitrary code upon
 parsing that header.

http://security.gentoo.org

KDE-PIM may be vulnerable to a remote buffer overflow attack that may
allow unauthorized access to an affected system.

A flaw has been found in the temporary file handling algorithms for the
sandboxing code used within Portage. Lockfiles created during normal
Portage operation could be manipulated by local users,
resulting in the truncation of hard linked files and causing a Denial of
Service attack on the system.

There are multiple vulnerabilities in tcpdump and libpcap related to
parsing of ISAKMP packets.

ipsec-tools contains a vulnerability that affects connections
authenticated with X.509 certificates.

ClamAV is vulnerable to a denial of service attack when processing
certain RAR archives.

The login program included in util-linux could leak sensitive
information under certain conditions.

Multiple vulnerabilities in the way sysstat handles symlinks may allow
an attacker to execute arbitrary code or overwrite arbitrary files.

Automake may be vulnerable to a symbolic link attack which may allow an
attacker to modify data or elevate their privileges.

http://www.apple.com/support/security/security_updates.html

Security Update 2004-04-05 is now available and contains security
enhancements for the following:

CUPS Printing:  Fixes CAN-2004-0382 to improve the security of the
   printing system. This is a configuration file change that does not
   affect the underlying Printing system.  Credit to aaron a vtty.com
   for reporting this issue.

libxml2:  Fixes CAN-2004-0110 to improve the handling of uniform
   resource locators.

Mail:  Fixes CAN-2004-0383 to improve the handling of HTML-formatted
   email. Credit to aaron a vtty.com for reporting this issue.

OpenSSL:  Fixes CAN-2004-0079 and CAN-2004-0112 to improve the
   handling of encryption choices.

http://www.netwosix.org/adv08.html

Multiple security problems in monit.

http://www.netwosix.org/adv09.html

Automake symbolic link vulnerability.

http://www.netwosix.org/adv10.html

Leak problem in util-linux.

http://www.cisco.com/warp/public/707/cisco-sa-20040407-username.shtml

A default username/password pair is present in all releases of the
Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE)
software. A user who logs in using this username has complete control of
the device. This username cannot be disabled. There is no workaround.

http://www.cisco.com/warp/public/707/cisco-sa-20040408-vpnsm.shtml

   The Cisco IP Security (IPSec) VPN Services Module (VPNSM) is a high-speed
   module for the Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series
   Internet Router that provides infrastructure-integrated IPSec VPN
   services.

   A malformed Internet Key Exchange (IKE) packet may cause the Cisco
   Catalyst 6500 Series Switch or the Cisco 7600 Series Internet Router
   hardware, with the VPNSM installed, to crash and reload.

http://www.sgi.com/support/security/

SGI has released SGI Advanced Linux Environment security update #17,
which includes updated RPMs for SGI ProPack v2.3 and SGI ProPack v2.4
for the SGI Altix family of systems, in response to the following
security issues:

Updated Ethereal packages fix security issues
 http://rhn.redhat.com/errata/RHSA-2004-136.html

Updated Mozilla packages fix security issues
 http://rhn.redhat.com/errata/RHSA-2004-110.html
-- 

Bye, and until next time!
Lorenzo
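
The tcpdump item above (CAN-2004-0183) concerns ISAKMP delete payloads that declare a large number of SPIs. The following is an added example, not tcpdump's code and not part of the original message: a bounds-checked parser for that payload using the RFC 2408 layout. The function, struct and sample buffers are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Fixed part: generic header (4) + DOI (4) + protocol, SPI size, SPI count (4). */
#define ISAKMP_DELETE_FIXED_LEN 12

struct isakmp_delete {
    uint32_t doi;
    uint8_t  protocol_id, spi_size;
    uint16_t num_spi;
    const uint8_t *spis;            /* points into the caller's buffer */
};

/* Constructed samples (not captured traffic): same 16 bytes, SPI count 1 vs 65535. */
static const uint8_t sample_ok[16]  = {0,0,0,16, 0,0,0,1, 3,4, 0,1,       0xde,0xad,0xbe,0xef};
static const uint8_t sample_bad[16] = {0,0,0,16, 0,0,0,1, 3,4, 0xff,0xff, 0xde,0xad,0xbe,0xef};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, -1 if the payload is truncated or its SPI list does
 * not fit inside both the declared payload length and the captured bytes. */
int parse_isakmp_delete(const uint8_t *buf, size_t caplen, struct isakmp_delete *out)
{
    if (buf == NULL || out == NULL || caplen < ISAKMP_DELETE_FIXED_LEN)
        return -1;
    size_t declared = rd16(buf + 2);
    if (declared < ISAKMP_DELETE_FIXED_LEN || declared > caplen)
        return -1;                  /* never trust a length beyond the capture */
    out->doi         = rd32(buf + 4);
    out->protocol_id = buf[8];
    out->spi_size    = buf[9];
    out->num_spi     = rd16(buf + 10);
    /* At most 255 * 65535, so the product fits in 32 bits and cannot wrap. */
    size_t need = (size_t)out->spi_size * out->num_spi;
    if (need > declared - ISAKMP_DELETE_FIXED_LEN)
        return -1;                  /* SPI count claims more data than present */
    out->spis = buf + ISAKMP_DELETE_FIXED_LEN;
    return 0;
}

int main(void)
{
    struct isakmp_delete d;
    return !(parse_isakmp_delete(sample_ok, sizeof sample_ok, &d) == 0 &&
             parse_isakmp_delete(sample_bad, sizeof sample_bad, &d) == -1);
}
```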



