Linux Security Week - December 15th 2000

    Date: 15 Dec 2000
    Category: Forums
    Posted By: Anthony Pell
    This week, advisories were released for tcsh, ghostscript, joe, rp-pppoe, ed, bitchx, pam, apcupsd, mc, pico/pine, and zope. The vendors include Conectiva, Caldera, Immunix, Mandrake, and Red Hat. It is critical that you update all vulnerable packages to reduce the risk of being compromised.

    Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

    ### OpenDoc Publishing ###

    Our sponsor this week is OpenDoc Publishing. Their 480-page comprehensive security book, Securing and Optimizing Linux, takes a hands-on approach to installing, optimizing, configuring, and securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools edition.

    http://www.linuxsecurity.com/sponsors/opendocs.html

    -> We invite you to subscribe to ISN (InfoSec News). It is a medium-traffic list that caters to the distribution of information security news articles and other relevant resources. To subscribe: send an email with a message body of: subscribe ISN firstname lastname


     



     

    Vulnerabilities in KTH Kerberos IV - 12/10/2000

    The vulnerabilities may lead to local and remote root compromise if the system supports Kerberos authentication and uses the KTH implementation (as is the case with e.g. OpenBSD per default). The system needn't be specifically configured to use Kerberos for all of the issues to be exploitable; some of the vulnerabilities are exploitable even if Kerberos is disabled by commenting out the realm name in the "krb.conf" file.

    PLEASE SEE VENDOR ADVISORY

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-964.html


     


     

    Conectiva 6.0: 'tcsh' vulnerability [UPDATE] - 12/08/2000

    When using here documents (via the "<<" redirect), tcsh creates a temporary file in an insecure manner that could allow a symlink attack to overwrite arbitrary files.

    ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tcsh-6.10.00-1cl.i386.rpm

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-960.html

    Conectiva 6.0: ghostscript vulnerability [UPDATE] - 12/08/2000

    1) insecure temporary file handling could allow symlink attacks; 2) a compile time option that was incorrectly being used made ghostscript pick up dynamic libraries in the current directory instead of the system directories.

    ftp://atualizacoes.conectiva.com.br/6.0/RPMS/ghostscript-5.50-13cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/6.0/RPMS/ghostscript-svgalib-5.50-13cl.i386.rpm

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-961.html

    Conectiva: 'joe' symlink vulnerability - 12/08/2000

    An attacker could create a symbolic link called DEADJOE in a directory and link it to sensitive system files. If the root user runs joe from that directory, and the program exits abnormally, it would add data to this sensitive file, probably corrupting it.

    ftp://atualizacoes.conectiva.com.br/6.0/RPMS/joe-2.8-24cl.i386.rpm

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-962.html

    Conectiva: 'rp-pppoe' vulnerability - 12/12/2000

    If rp-pppoe receives a crafted TCP segment with an option where the option-length field is zero (illegal), the program would enter an infinite loop and the connection would time out and be dropped.

    ftp://atualizacoes.conectiva.com.br/6.0/RPMS/rp-pppoe-2.5-1cl.i386.rpm

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-970.html
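
    The zero-length case described above, as an added example in C (not rp-pppoe's own code): a TCP option walker that trusts the length byte, beside one that rejects any declared length below 2. The function names, the MSS lookup and the sample option bytes are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum { OPT_EOL = 0, OPT_NOP = 1, OPT_MSS = 2 };
enum { WALK_OK = 0, WALK_MALFORMED = -1, WALK_STUCK = -2 };

/* Naive walker: trusts the length byte. max_steps only bounds the demo. */
int naive_walk(const uint8_t *opt, size_t len, int max_steps)
{
    size_t i = 0;
    while (i < len && opt[i] != OPT_EOL) {
        if (max_steps-- <= 0) return WALK_STUCK;
        if (opt[i] == OPT_NOP) { i++; continue; }
        if (i + 1 >= len) break;
        i += opt[i + 1];                 /* length 0: i never advances */
    }
    return WALK_OK;
}

/* Checked walker: a multi-byte option must declare at least 2 bytes
 * (kind + length) and fit in what remains. *mss is 0 if no MSS option. */
int checked_walk(const uint8_t *opt, size_t len, uint16_t *mss)
{
    size_t i = 0;
    *mss = 0;
    while (i < len && opt[i] != OPT_EOL) {
        if (opt[i] == OPT_NOP) { i++; continue; }
        if (len - i < 2) return WALK_MALFORMED;
        uint8_t olen = opt[i + 1];
        if (olen < 2 || olen > len - i) return WALK_MALFORMED;
        if (opt[i] == OPT_MSS && olen != 4) return WALK_MALFORMED;
        if (opt[i] == OPT_MSS) *mss = (uint16_t)((opt[i + 2] << 8) | opt[i + 3]);
        i += olen;
    }
    return WALK_OK;
}

/* Constructed option blocks, not captured traffic. */
const uint8_t OPTS_GOOD[] = { 2, 4, 0x05, 0xb4, 1, 1, 8, 10, 0, 0, 0, 1, 0, 0, 0, 2 };
const uint8_t OPTS_ZERO[] = { 1, 1, 3, 0, 0, 0, 0, 0 };   /* kind 3, length 0 */

int main(void)
{
    uint16_t mss;
    printf("naive, zero-length option:   %d\n", naive_walk(OPTS_ZERO, sizeof OPTS_ZERO, 64));
    printf("checked, zero-length option: %d\n", checked_walk(OPTS_ZERO, sizeof OPTS_ZERO, &mss));
    printf("checked, valid block:        %d\n", checked_walk(OPTS_GOOD, sizeof OPTS_GOOD, &mss));
    return 0;
}
```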

    Conectiva: 'pam_localuser' buffer overflow - 12/13/2000

    The pam_localuser module, part of the PAM package, has a buffer overflow vulnerability in it. This module is *not* used in any default configuration, and to be vulnerable a user would have to insert it manually in a configuration file in the /etc/pam.d directory.

    ftp://atualizacoes.conectiva.com.br/6.0/RPMS/pam-0.72-23cl.i386.rpm

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-976.html

    Conectiva: 'ed' vulnerability - 12/13/2000

    The "ed" editor creates temporary files in an insecure way, making it vulnerable to symlink attacks.

    ftp://atualizacoes.conectiva.com.br/6.0/RPMS/pam-0.72-23cl.i386.rpm

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-977.html


     
     


     

    Caldera: 'irc-bx' vulnerability - 12/12/2000

    There is a bug in the BitchX IRC client shipped with OpenLinux which allows an attacker in control of his reverse DNS mapping to crash or even remotely access a BitchX session.

    OpenLinux eDesktop 2.4:   irc-BX-1.0c17-2
    ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
    MD5 Checksum:  181880ff4a1d84ea279b2cb2488df272

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/caldera_advisory-973.html
     


     


     

    Immunix: 'tcsh' vulnerability - 12/10/2000

    A problem was found in the tcsh shell released for Immunix OS 6.2 and Immunix OS 7.0-beta that could lead to a root exploit through a temp file bug.

    Packages for Immunix 6.2 are available at:

    6.2/updates/RPMS/tcsh-6.10-0.6.x_StackGuard.i386.rpm
    http://www.immunix.org/ImmunixOS/6.2/updates/RPMS/tcsh-6.10-0.6.x_StackGuard.i386.rpm
    604b1bdb21fa27e244cd9297328d5fc2

    Packages for Immunix 7.0 beta are available at:

    7.0-beta/updates/RPMS/tcsh-6.10-1_StackGuard.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/tcsh-6.10-1_StackGuard.i386.rpm
    0d8a2e6700e8a08f7325c87ea92222ee

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-965.html


     

    Immunix: 'pam' vulnerability - 12/10/2000

    A problem was found in the pam module released for Immunix OS 6.2 and Immunix OS 7.0-beta: it contained a programming error in the pam_localuser module. This module is not currently used in the default configuration, but upgrading is advised.

    Packages for Immunix 6.2 are available at:

    6.2/updates/RPMS/pam-0.72-20.6.x_StackGuard.i386.rpm
    http://www.immunix.org/ImmunixOS/6.2/updates/RPMS/pam-0.72-20.6.x_StackGuard.i386.rpm
    184a57b870fdccd47d5666b0ab159712

    Packages for Immunix 7.0 beta are available at:

    7.0-beta/updates/RPMS/pam-0.72-37_StackGuard.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/pam-0.72-37_StackGuard.i386.rpm
    938d9e85b0757dc63bd3811adc0a1e8c

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-966.html

     


    Immunix: 'ed' vulnerability - 12/12/2000

    Alan Cox recently found a problem in the 'ed' editor that causes it to create temporary files in an unsafe fashion.

    The package for Immunix 6.2 is available at:

    6.2/updates/RPMS/ed-0.2-19.6x_StackGuard.i386.rpm
    http://www.immunix.org/ImmunixOS/6.2/updates/RPMS/ed-0.2-19.6x_StackGuard.i386.rpm
    99e9e6af4d17fe6e5df1a6a73f93b59b

    The package for Immunix 7.0 beta is available at:

    7.0-beta/updates/RPMS/ed-0.2-19_StackGuard.i386.rpm
    http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/ed-0.2-19_StackGuard.i386.rpm
    ae64d6025e6873bba7ef866b53cdffe0

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-971.html


     
     


     

    Mandrake: 'ed' vulnerability - 12/10/2000

    Alan Cox discovered that GNU ed (a classic line editor tool) creates temporary files unsafely.

    Update Sites: http://www.linux-mandrake.com/en/ftp.php3

    Linux-Mandrake 7.1:

    7.1/RPMS/ed-0.2-17.1mdk.i586.rpm
    MD5 Checksum:  9d41ed3fc65d8f096d329c6ac8a11812

    7.1/SRPMS/ed-0.2-17.1mdk.src.rpm
    MD5 Checksum:  c1e68a7d63f72c5108a3a85346786de0
     

    Linux-Mandrake 7.2:

    7.2/RPMS/ed-0.2-21.1mdk.i586.rpm
    MD5 Checksum:  8ac697e3a3117f0221bd8bce6e08f2ca

    7.2/SRPMS/ed-0.2-21.1mdk.src.rpm
    MD5 Checksum:  9129468ee9043ab1272ff9f9cfb22f2f

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-963.html
     

    Mandrake: 'apcupsd' vulnerability - 12/12/2000

    A problem exists with the apcupsd daemon.  During startup, apcupsd creates a PID file in /var/run with the ID of the daemon process.  This file is used by the shutdown script to kill the daemon process.

    Update Sites: http://www.linux-mandrake.com/en/ftp.php3

    Linux-Mandrake 7.2:

    7.2/RPMS/apcupsd-3.8.0-1.1mdk.i586.rpm
    MD5 Checksum:  13d0d7582dc9539fd43165caea173bc0

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-972.html
     


     

    Mandrake: 'mc' vulnerability - 12/12/2000

    A problem was found in the cons.saver program by Maurycy Prodeus.  The cons.saver program is a screensaver for the console that is included in the mc package.  cons.saver does not check if it is started with a valid stdout, which combined with a bug in its check to see if its argument is a tty (it forgets to close the file-descriptor after opening the supposed tty), causes it to write a NULL character to the file given as its parameter.

    Update Sites: http://www.linux-mandrake.com/en/ftp.php3

    Linux-Mandrake 7.2:

    7.2/RPMS/gmc-4.5.51-7.1mdk.i586.rpm
    8c8889a0a630d27b36a4f665735f10ac

    7.2/RPMS/mc-4.5.51-7.1mdk.i586.rpm
    a48455c265d3d439a7d8e038a1f6bf9f

    7.2/RPMS/mcserv-4.5.51-7.1mdk.i586.rpm
    a2461debb989236e2a95fb46cf1a80a5

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-974.html


     

    Mandrake: 'BitchX' vulnerability - 12/14/2000

    Two bugs exist in the BitchX IRC client.  A possible stack overflow condition exists if a malformed DNS answer is processed by the client, and the second bug allows this malformed DNS record to be embedded in a valid DNS packet.  Without the second bug, the malformed DNS record wouldn't be processed "correctly."

    Update Sites: http://www.linux-mandrake.com/en/ftp.php3

    Linux-Mandrake 7.1:

    7.1/RPMS/BitchX-1.0-0.c17.1.2mdk.i586.rpm
    MD5 Checksum:  6a37d4159ec294b0f02d607d3bb0a1a8

    Linux-Mandrake 7.2:
    7.2/RPMS/BitchX-1.0-0.c17.1.1mdk.i586.rpm
    MD5 Checksum:  d08c8f5facc4c90770d78ab56cfc4d75

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-979.html



     
     

    'pico' symlink vulnerability - 12/11/2000

    Upon abnormal exit, the text editor saves any changes made to the file being edited into a new file in the current working directory labeled filename.save (where filename will correspond to the name of the file being edited, e.g. test.txt will be saved as test.txt.save).

    PLEASE SEE VENDOR ADVISORY

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-968.html
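
    The 'joe' DEADJOE entry earlier and the 'pico' filename.save entry above share one pattern: a crash-save file written by name into a directory someone else may control. An added example in C (not code from either editor) of opening such a file without following a planted link; open_save_file, symlink_demo and the temp-directory layout are hypothetical.

```c
#define _GNU_SOURCE 1               /* O_NOFOLLOW, mkdtemp on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a crash-save file for appending without following a planted link.
 * Returns a file descriptor, or -1 if the path is not safe to write. */
int open_save_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_NONBLOCK, 0600);
    if (fd < 0) return -1;          /* symlink as last component: refused */
    /* Also refuse hard links, other users' files and non-regular files. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp directory: DEADJOE is a symlink to
 * "victim". Returns victim's size after the attempt (0 = untouched) or -1. */
long symlink_demo(void)
{
    char dir[] = "/tmp/savedemoXXXXXX", victim[64], save[64];
    struct stat st;
    long size = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(save, sizeof save, "%s/DEADJOE", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd >= 0 && symlink(victim, save) == 0) {
        int fd = open_save_file(save);
        if (fd >= 0) close(fd);     /* not refused: leave size at -1 */
        else if (stat(victim, &st) == 0) size = (long)st.st_size;
    }
    if (vfd >= 0) close(vfd);
    unlink(save); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    printf("victim size after refused save: %ld\n", symlink_demo());
    return 0;
}
```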


     

    'pine' temp file vulnerability - 12/11/2000

    You can simply symlink this file (/tmp/pico.) to another file that doesn't exist. When the victim is editing a message, the victim's editor (vi) follows symlinks and creates another file. By removing this symlink, creating your own temporary file and making it writable to the victim, you can hijack his mail message.

    PLEASE SEE VENDOR ADVISORY

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-969.html


     
     
     


     

    Red Hat: 'ed' vulnerability - 12/11/2000

    The ed editor used files in /tmp in an insecure fashion. It was possible for local users to exploit this vulnerability to modify files that they normally could not and gain elevated privilege.

    PLEASE SEE VENDOR ADVISORY FOR OLDER VERSIONS

    7.0/i386/ed-0.2-19.i386.rpm
    ftp://updates.redhat.com/7.0/i386/ed-0.2-19.i386.rpm
    6186b80b1deba06a1d3d99e30e2270d0

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-967.html


     

    Red Hat: 'Zope' vulnerability - 12/12/2000

    A vulnerability exists in previously released versions of Zope where users can create new DTML method instances through the Web without having the correct permissions.

    PLEASE SEE VENDOR ADVISORY FOR ZOPE UPDATES

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-975.html


     

    Red Hat: 'BitchX' vulnerability - 12/13/2000

    A problem exists where BitchX will process malformed DNS answers, allowing an attacker to crash the client, or possibly access the BitchX session remotely.

    Red Hat Powertools 7.0:
    alpha:
    ftp://updates.redhat.com/powertools/7.0/alpha/BitchX-1.0c17-4.alpha.rpm
    6f31a2be5e84f99b83210aec219d24e

    ftp://updates.redhat.com/powertools/7.0/alpha/gtkBitchX-1.0c17-4.alpha.rpm
    157d026dded2ff8417a55ff793dbc26a

    i386:
    ftp://updates.redhat.com/powertools/7.0/i386/BitchX-1.0c17-4.i386.rpm
    c17d86c9b40a179fa6b069ec43c374a4

    ftp://updates.redhat.com/powertools/7.0/i386/gtkBitchX-1.0c17-4.i386.rpm
    461cf25450f5b3ba1f3a7d6b76c42eaa
     

    Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-978.html
