Linux Advisory Watch - January 31st 2003

    Date: 30 Jan 2003
    Category: Forums
    Posted By: Anthony Pell
    This week, advisories were released for kdeutils, noffle, dhcp3, tomcat3, courier, mysql, fetchmail, vim, webalizer, postgresql, and cvs. The distributors include Debian, Guardian Digital's EnGarde Secure Linux, Mandrake, and Yellow Dog.

    LinuxSecurity Feature Extras:

    Patching It Up - Patching and upgrading software requires more than running a few commands. Having a patch recovery plan, communicating with developers on that server, and knowing who to contact in case of a botched patch job is critical.

    Newest Members of the Team - Just to give everyone an idea about who writes these articles and feature stories that we spend so much of our time reading each day, I have decided to ask Brian Hatch and Duane Dunston, the newest members of the LinuxSecurity.com team, a few questions.  

    [ Linux Advisory Watch ] - [ Linux Security Week ] - [ PacketStorm Archive ] - [ Linux Security Documentation ]

    Package       Vendors
    kdeutils      Debian
    noffle        Debian
    dhcp3         Debian
    tomcat3       Debian
    courier       Debian
    mysql         EnGarde
    fetchmail     EnGarde, Mandrake
    vim           Yellow Dog
    webalizer     Yellow Dog
    postgresql    Yellow Dog
    cvs           Yellow Dog
     


    Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week.  It includes pointers to updated packages and descriptions of each vulnerability. [ Subscribe ]  


       
    Package: kdeutils
    Date: 01-24-2003
    Description: The KDE team discovered several vulnerabilities in the K Desktop Environment.  In some instances KDE fails to properly quote parameters of instructions passed to a command shell for execution.  These parameters may incorporate data such as URLs, filenames and e-mail addresses, and this data may be provided remotely to a victim in an e-mail, a webpage or files on a network filesystem or other untrusted source.
    Vendor Alerts: Debian:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2809.html
    http://www.linuxsecurity.com/advisories/debian_advisory-2810.html
    http://www.linuxsecurity.com/advisories/debian_advisory-2811.html
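
    The kdeutils entry describes a whole class of bug: untrusted data (a URL, a filename) is pasted into a command string that is then handed to /bin/sh. The following is an added example written for this newsletter, not KDE code; it uses `echo` as a stand-in for the helper program KDE launched, and the URL is a constructed attacker input carrying a harmless command substitution as a marker (a real attack would use `;` or backticks to run anything at all). It shows the unquoted build, the shlex-quoted build, and the preferred fix of not invoking a shell in the first place.

```python
"""Shell-quoting defect of the kind described in the kdeutils advisory.

Added example for illustration, not KDE's code. 'echo' is a hypothetical
stand-in for the real helper KDE invoked; the URL below is constructed
attacker input, not data from any real advisory.
"""
import shlex
import subprocess

# Constructed attacker-controlled URL: a command substitution hidden in what
# looks like an ordinary address (e.g. delivered in an e-mail or web page).
MALICIOUS_URL = "http://example.invalid/$(echo INJECTED)"


def unquoted_command(url: str) -> str:
    """Build the command the vulnerable way: raw string interpolation.

    Everything in 'url' is interpreted by /bin/sh, metacharacters included.
    """
    return "echo opening " + url


def quoted_command(url: str) -> str:
    """Same command, but the parameter is shell-quoted before interpolation."""
    return "echo opening " + shlex.quote(url)


def run_via_shell(command: str) -> str:
    """Execute a command string through /bin/sh, as a shell=True call would."""
    result = subprocess.run(["/bin/sh", "-c", command],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def run_argv(url: str) -> str:
    """Preferred fix: no shell at all; the URL is one argv element."""
    result = subprocess.run(["echo", "opening", url],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # The unquoted build lets the shell expand $(echo INJECTED); the other two
    # pass the URL through as a literal string.
    print("unquoted:     ", run_via_shell(unquoted_command(MALICIOUS_URL)))
    print("shlex-quoted: ", run_via_shell(quoted_command(MALICIOUS_URL)))
    print("argv, no shell:", run_argv(MALICIOUS_URL))
```

    Quoting with shlex.quote closes the hole for the string actually quoted, but every parameter on every code path has to be covered; passing an argv list and never spawning a shell removes the class of bug rather than one instance of it.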

     
    Package: noffle
    Date: 01-27-2003
    Description: Dan Jacobson noticed a problem in noffle, an offline news server, that leads to a segmentation fault.  It is not yet clear whether this problem is exploitable.  However, if it is, a remote attacker could trigger arbitrary code execution under the user that calls noffle, probably news.
    Vendor Alerts: Debian:
    http://security.debian.org/pool/updates/main/n/noffle/noffle_1.0.1-1.1_i386.deb
    Size/MD5 checksum: 76410 2363f56a8ec52a321cb963771135271e

    Debian Vendor Advisory: http://www.linuxsecurity.com/advisories/debian_advisory-2816.html

     
    Package: dhcp3
    Date: 01-28-2003
    Description: Florian Lohoff discovered a bug in dhcrelay causing it to send a continuing packet storm towards the configured DHCP server(s) in case of a malicious BOOTP packet, such as sent from buggy Cisco switches.
    Vendor Alerts: Debian:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Debian Vendor Advisory: http://www.linuxsecurity.com/advisories/debian_advisory-2820.html

     
    Package: tomcat3
    Date: 01-29-2003
    Description: A maliciously crafted request could return a directory listing even when an index.html, index.jsp, or other welcome file is present.  File contents can be returned as well.
    Vendor Alerts: Debian:
    http://security.debian.org/pool/updates/contrib/t/tomcat/libapache-mod-jk_3.3a-4woody1_i386.deb
    Size/MD5 checksum: 51522 1e11d6a43654fc6d921c8bc90ad15b4b

    Debian Vendor Advisory: http://www.linuxsecurity.com/advisories/debian_advisory-2823.html

     
    Package: courier
    Date: 01-30-2003
    Description: The developers of courier, an integrated user-side mail server, discovered a problem in the PostgreSQL auth module.  Not all potentially malicious characters were sanitized before the username was passed to the PostgreSQL engine.  An attacker could inject arbitrary SQL commands and queries exploiting this vulnerability.  The MySQL auth module is not affected.
    Vendor Alerts: Debian:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Debian Vendor Advisory: http://www.linuxsecurity.com/advisories/debian_advisory-2824.html
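
    The courier entry is a textbook SQL injection: a username arriving over the network is spliced into query text. Below is an added example written for this newsletter, not courier's code. courier's auth module talks to PostgreSQL; to run offline the example uses Python's bundled sqlite3 instead, and the table, columns and rows are constructed for illustration. It places the string-built query beside the bound-parameter query and feeds both the same hostile username.

```python
"""SQL injection of the kind described in the courier advisory.

Added example, not courier code. sqlite3 stands in for PostgreSQL so the
example runs offline; the 'accounts' table and its rows are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed mail-account table standing in for courier's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_unsanitized(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the username is pasted into the SQL text unchanged.

    A single quote in the input ends the string literal and the rest of the
    input becomes SQL.
    """
    sql = "SELECT username, password FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: the username is a bound parameter, never part of the SQL text."""
    sql = "SELECT username, password FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker input: closes the quoted literal, then appends a
# tautology so the WHERE clause matches every row in the table.
INJECTED_USERNAME = "nobody' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    # The string-built query returns every account; the bound query returns
    # nothing, because no account is literally named "nobody' OR '1'='1".
    print("unsanitized:  ", lookup_unsanitized(conn, INJECTED_USERNAME))
    print("parameterized:", lookup_parameterized(conn, INJECTED_USERNAME))
```

    Escaping the quote character is the minimal patch, but it has to keep pace with every encoding and dialect quirk of the backend; bound parameters keep data and query separate regardless of what the username contains.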

     
    Package: mysql
    Date: 01-27-2003
    Description: Update for the COM_TABLE_DUMP vulnerability.
    Vendor Alerts: EnGarde:
    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/

    i386/MySQL-3.23.36-1.0.21.i386.rpm
    MD5 Sum: 36113d7995b6ebf09aabbb1970e9a203

    i386/MySQL-client-3.23.36-1.0.21.i386.rpm
    MD5 Sum: 4a765f412de0ae0f9f5abfb58812c4fe

    i386/MySQL-shared-3.23.36-1.0.21.i386.rpm
    MD5 Sum: 7b5b90da33569f3be8be9bb5d2134533

    EnGarde Vendor Advisory: http://www.linuxsecurity.com/advisories/engarde_advisory-2817.html

     
    Package: fetchmail
    Date: 01-27-2003
    Description: Stefan Esser of e-matters, while re-auditing the Fetchmail package, found another vulnerability.  This heap overflow vulnerability allows a malicious remote attacker to crash Fetchmail or potentially execute arbitrary code as the user under which Fetchmail is being run.
    Vendor Alerts: EnGarde:
    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/

    i386/fetchmail-ssl-6.1.0-1.0.6.i386.rpm
    MD5 Sum: a28aa248c0b262ec8745a7c776b8584b

    EnGarde Vendor Advisory: http://www.linuxsecurity.com/advisories/engarde_advisory-2818.html

    Mandrake:
    Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisories/mandrake_advisory-2819.html
     
    Package: vim
    Date: 01-27-2003
    Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
    Vendor Alerts: Yellow Dog:
    ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/

    ppc/vim-common-6.1-18.7x.2a.ppc.rpm
    MD5 Sum: b286bd901010634b69a8fd09e7dfb785

    ppc/vim-enhanced-6.1-18.7x.2a.ppc.rpm
    MD5 Sum: 804e3f6b21255656acaa07b48bff276e

    ppc/vim-minimal-6.1-18.7x.2a.ppc.rpm
    MD5 Sum: d525f6f668095b93f4d7cfa9194fff5c

    ppc/vim-X11-6.1-18.7x.2a.ppc.rpm
    MD5 Sum: f9da0f1d03ece2214b80b6558bb7cc8f

    Yellow Dog Vendor Advisory: http://www.linuxsecurity.com/advisories/yellowdog_advisory-2812.html
     
    Package: webalizer
    Date: 01-27-2003
    Description: A buffer overflow in Webalizer versions prior to 2.01-10, when configured to use reverse DNS lookups, may allow remote attackers to execute arbitrary code by connecting to the monitored Web server from an IP address that resolves to a long hostname.
    Vendor Alerts: Yellow Dog:
    ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/

    ppc/webalizer-2.01_09-1.72.ppc.rpm
    MD5 Sum: c15f69de408b21dbb01075c449e7d2a7

    Yellow Dog Vendor Advisory: http://www.linuxsecurity.com/advisories/yellowdog_advisory-2813.html
     
    Package: postgresql
    Date: 01-27-2003
    Description: Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the lpad or rpad functions. (CAN-2002-0972)
    Vendor Alerts: Yellow Dog:
    ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/

    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Yellow Dog Vendor Advisory: http://www.linuxsecurity.com/advisories/yellowdog_advisory-2814.html
     
    Package: cvs
    Date: 01-27-2003
    Description: On servers which are configured to allow anonymous read-only access, this bug could be used by anonymous users to gain write privileges. Users with CVS write privileges can then use the Update-prog and Checkin-prog features to execute arbitrary commands on the server.
    Vendor Alerts: Yellow Dog:
    ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/

    ppc/cvs-1.11.1p1-8.7.ppc.rpm
    MD5 Sum: 9652be9c12995d3873d20b7ce24ff3d6

    Yellow Dog Vendor Advisory: http://www.linuxsecurity.com/advisories/yellowdog_advisory-2815.html
         

