Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.
|
EnGarde Secure Community 3.0.22 Now Available! (Dec 9) |
|
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.
|
|
|
|
Debian: chrony denial of service (Feb 4) |
|
Several vulnerabilities have been discovered in chrony, a pair of programs which are used to maintain the accuracy of the system clock on a computer. These issues are similar to the NTP security flaw CVE-2009-3563. The Common Vulnerabilities and Exposures project identifies the following problems:
|
|
Debian: squid/squid3 denial of service (Feb 4) |
|
Two denial of service vulnerabilities have been discovered in squid and squid3, a web proxy. The Common Vulnerabilities and Exposures project identifies the following problems:
|
|
Debian: trac-git package fixes regression (Feb 3) |
|
The trac-git package released in DSA-1990-1 had a wrong dependency that could not be satisfied in Debian stable. This update corrects this problem. For reference, the original advisory text is provided below.
|
|
Debian: trac-git code execution (Feb 3) |
|
Stefan Goebel discovered that the Debian version of trac-git, the Git add-on for the Trac issue tracking system, contains a flaw which enables attackers to execute code on the web server running trac-git by sending crafted HTTP queries.
|
|
Debian: fuse denial of service (Feb 2) |
|
Dan Rosenberg discovered a race condition in FUSE, a Filesystem in USErspace. A local attacker, with access to use FUSE, could unmount arbitrary locations, leading to a denial of service.
|
|
Debian: qt4-x11 several vulnerabilities (Feb 2) |
|
Several vulnerabilities have been discovered in qt4-x11, a cross-platform C++ application framework. The Common Vulnerabilities and Exposures project identifies the following problems:
|
|
Debian: moodle several vulnerabilities (Feb 2) |
|
Several vulnerabilities have been discovered in Moodle, an online course management system. The Common Vulnerabilities and Exposures project identifies the following problems:
|
|
Debian: lighttpd denial of service (Feb 2) |
|
Li Ming discovered that lighttpd, a small and fast webserver with minimal memory footprint, is vulnerable to a denial of service attack due to bad memory handling. Slowly sending very small chunks of request data causes lighttpd to allocate new buffers for each read instead of appending to old ones. An attacker can abuse this behaviour to cause denial of service conditions due to memory exhaustion.
|
|
Debian: sendmail SSL certificate (Jan 31) |
|
It was discovered that sendmail, a Mail Transport Agent, does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate. This allows an attacker to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority.
|
|
Debian: Wireshark several vulnerabilities (Jan 31) |
|
Several remote vulnerabilities have been discovered in the Wireshark network traffic analyzer, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:
|
|
Debian: git-core build failure (Jan 31) |
|
A bug in git-core caused the security update in DSA 1841 to fail to build on a number of architectures Debian supports. This update corrects the bug and releases builds for all supported architectures. The original advisory is quoted in full below for reference.
|
|
Debian: libxerces2-java denial of service (Jan 30) |
|
It was discovered that libxerces2-java, a validating XML parser for Java, does not properly process malformed XML files. This vulnerability could allow an attacker to cause a denial of service while parsing a malformed XML file.
|
|
Debian: hybserv denial of service (Jan 29) |
|
Julien Cristau discovered that hybserv, a daemon running IRC services for IRCD-Hybrid, is prone to a denial of service attack via the commands option.
|
|
Debian: pdns-recursor cache poisoning (Jan 28) |
|
It was discovered that pdns-recursor, the PowerDNS recursive name server, contains a cache poisoning vulnerability which may allow attackers to trick the server into serving incorrect DNS data (CVE-2009-4010).
|
|
Debian: maildrop regression (Jan 28) |
|
The latest DSA for maildrop introduced two regressions. The maildrop program stopped working when invoked as a non-root user, such as with postfix. Also, the lenny version dropped a dependency on the courier-authlib package.
|
|
Debian: maildrop privilege escalation (Jan 28) |
|
Christoph Anton Mitterer discovered that maildrop, a mail delivery agent with filtering abilities, is prone to a privilege escalation issue that grants a user root group privileges.
|
|
Debian: ircd-hybrid/ircd-ratbox arbitrary code execution (Jan 27) |
|
ircd-hybrid/ircd-ratbox integer underflow/denial of service vulnerability
|
|
Debian: lintian multiple vulnerabilities (Jan 27) |
|
Multiple vulnerabilities have been discovered in lintian, a Debian package checker. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them
|
|
|
|
Mandriva: rootcerts (Feb 4) |
|
It was brought to our attention by Ludwig Nussel at SUSE that the MD5 collision certificate should not be included. This update removes the offending certificate. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The mozilla nss library has consequently been rebuilt to pick up these changes and is also being provided.
|
|
Mandriva: wireshark (Feb 2) |
|
This advisory updates Wireshark to version 1.0.11, which fixes the following vulnerabilities: The SMB and SMB2 dissectors could crash (CVE-2009-4377). The Infiniband dissector could crash on some platforms (CVE-2009-2563). Several buffer overflows were discovered and fixed in the LWRES dissector.
|
|
Mandriva: kernel (Feb 1) |
|
Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel: An array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request (CVE-2009-3080). The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the Linux kernel before 2.6.32-rc7 allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read (CVE-2009-4005). An issue was discovered in 2.6.32.x kernels, which set insecure permissions for the devtmpfs file system by default (CVE-2010-0299). Additionally, support was added for the Atheros AR2427 Wireless Network Adapter. To update your kernel, please follow the directions located at: https://tuxedo.org/
|
|
Mandriva: mailcap (Feb 1) |
|
It was discovered that the mailcap package needed by firefox wasn't provided with MDVA-2010:015. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This advisory addresses these problems.
|
|
Mandriva: gtk (Feb 1) |
|
gtk+ 2.0 was not correctly handling input methods in client-side window mode. This could lead to application crashes; inkscape is a good example of such a crash. This update fixes this issue and upgrades gtk+2.0 to the latest stable release (2.18.6), which includes stability fixes for various applications, including gnome-panel.
|
|
Mandriva: rootcerts (Jan 28) |
|
The rootcerts package was added in Mandriva in 2005 and was meant to be updated when necessary. The provided rootcerts packages have been upgraded using the latest certdata.txt file from the mozilla cvs repository, as of 2009/12/03. In Mandriva a number of additional CA root certificates have been added, such as ICP-Brasil (Brazil government CA), cacert.org, and IGC/A CA (French government CA). The IGC/A CA one was recently added upstream in the mozilla certdata.txt file. The rootcerts package provides the /etc/pki/tls/certs/ca-bundle.crt file, which most software in Mandriva shares where applicable, such as KDE, curl, pidgin, neon, and more. The mozilla nss library has consequently been rebuilt to pick up these changes and is also being provided.
|
|
Mandriva: evolution (Jan 27) |
|
Evolution could crash when adding a new task to a task list. These packages fix this issue and update Evolution to the latest stable release, bringing performance and stability fixes, as well as additional translations.
|
|
Mandriva: webkit (Jan 27) |
|
This update brings a new stable version of webkitgtk, and solves the problem with processors without the SSE2 instruction set. It is easy to see if you are suffering from this bug: just try to open a webpage in the epiphany Web browser, and it will crash with the old webkit version.
|
|
Mandriva: urpmi (Jan 27) |
|
There was a small typo in the French translation. The updated packages address this issue.
|
|
Mandriva: mmc Enterprise Server 5.0 (Jan 27) |
|
This is a bundle of MDS related packages that fixes numerous bugs.
|
|
Mandriva: pciutils 2010.0 (Jan 27) |
|
This update fixes unaligned access in libpci on some rare hardware which ended in all programs using libldetect to fail with draksound (Bug #56772).
|
|
Mandriva: urpmi 2010.0 (Jan 27) |
|
This update fixes a bug in urpmi which prevented rpmdrake from installing packages a second time (bug #54842).
|
|
Mandriva: kdelibs4 2010.0 (Jan 27) |
|
Multiple vulnerabilities were discovered and corrected in kdelibs4.
|
|
Mandriva: kdelibs4 2009.1 (Jan 27) |
|
Multiple vulnerabilities were discovered and corrected in kdelibs4.
|
|
|
|
RedHat: RHSA-2010:0076-01 kernel security and bug fix update (Feb 2) |
|
Updated kernel packages that fix multiple security issues and three bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.
|
|
RedHat: RHSA-2010:0079-01 kernel security and bug fix update (Feb 2) |
|
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.2 Extended Update Support. This update has been rated as having important security impact by the Red Hat Security Response Team.
|
|
|
|
Ubuntu: Samba vulnerability (Jan 28) |
|
Ronald Volgers discovered that the mount.cifs utility, when installed as a setuid program, suffered from a race condition when verifying user permissions. A local attacker could trick samba into mounting over arbitrary locations, leading to a root privilege escalation.
|
|
|
|
Pardus: [UPDATE] Nss: TLS Implementation (Feb 4) |
|
A serious vulnerability was found in the TLS/SSLv3 protocol as implemented in nss, which can be used by man-in-the-middle attackers to send arbitrary requests to the server as if from a legitimate user. [UPDATE] The issue is fixed in Pardus 2008.
|
|
Pardus: [UPDATE] Sun Java: Multiple (Feb 4) |
|
Multiple vulnerabilities have been reported in Sun Java, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), or compromise a user's system. [UPDATE] The issue is fixed in Pardus 2008
|
|
Pardus: [UPDATE] Ruby: Terminal Escape (Feb 4) |
|
A weakness has been reported in Ruby, which can be exploited by malicious people to manipulate certain data. [UPDATE] The issue is fixed in Pardus 2008
|
|
Pardus: [UPDATE] Sqlite: Information (Feb 4) |
|
A vulnerability has been found in sqlite, which can be exploited by malicious people to gather deleted information from an sqlite database. [UPDATE] The issue is fixed in Pardus 2008.
|
|
Pardus: Kernel: Denial of Service (Feb 2) |
|
A vulnerability has been fixed in the kernel, which can be used maliciously to cause denial of service. NOTE: This advisory is a correction for PLSA-2010-25. It wrongly stated that map/mmap issues affected Pardus. However, it is not known whether these issues are real security issues, so patches for these issues were not applied. These issues will be investigated further.
|
|
Pardus: Postgresql: Buffer Overflow (Feb 2) |
|
A vulnerability has been fixed in Postgresql, which can be exploited by malicious people to cause denial of service via application crash.
|
|
Pardus: Samba: Privilege Escalation (Feb 2) |
|
A security issue has been fixed in Samba, which can be exploited by malicious, local users to disclose potentially sensitive information and potentially gain escalated privileges.
|
|
Pardus: Kernel: Multiple Vulnerabilities (Feb 2) |
|
Multiple vulnerabilities have been fixed in kernel, which can be exploited by malicious people to cause denial of service.
|
|
Pardus: Wireshark: Buffer Overflow (Feb 2) |
|
Multiple vulnerabilities have been fixed in Wireshark, which can be exploited by malicious people to cause a denial of service.
|
|
Pardus: Fuse: Privilege Escalation (Feb 2) |
|
A security issue has been fixed in Fuse, which can be exploited by malicious, local users to disclose potentially sensitive information and potentially gain escalated privileges.
|
|
Pardus: Ruby: Terminal Escape Sequences (Jan 29) |
|
A weakness has been reported in Ruby, which can be exploited by malicious people to manipulate certain data.
|
|
Pardus: Sqlite: Information Disclosure (Jan 29) |
|
A vulnerability has been found in sqlite, which can be exploited by malicious people to gather deleted information from an sqlite database.
|
|
Pardus: Nss: TLS Implementation MITM Attack (Jan 29) |
|
A serious vulnerability was found in the TLS/SSLv3 protocol as implemented in nss, which can be used by man-in-the-middle attackers to send arbitrary requests to the server as if from a legitimate user.
|
|
Pardus: Systemtap: "stap-server" (Jan 29) |
|
A vulnerability has been reported in SystemTap, which can be exploited by malicious users to compromise a vulnerable system.
|
|
Pardus: Sun Java: Multiple Vulnerabilities (Jan 29) |
|
Multiple vulnerabilities have been reported in Sun Java, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), or compromise a user's system.
|