Debian: September 2007 Security Update - Critical Package Fixes

It was discovered that a buffer overflow of the RPC library of the MIT Kerberos reference implementation allows the execution of arbitrary code. The original patch from DSA-1367-1 didn't address the problem fully. This update delivers an updated fix.

advisories/debian/debian-new-krb5-packages-fix-arbitrary-code-execution-52839

Sumit I. Siddharth discovered that Gforge, a collaborative development tool performs insufficient input sanitising, which allows SQL injection.

advisories/debian/debian-new-gforge-packages-fix-sql-injection-80172

Aaron Plattner discovered a buffer overflow in the Composite extension of the X.org X server, which can lead to local privilege escalation.

advisories/debian/debian-new-xorg-server-packages-fix-privilege-escalation

Nikolaus Schulz discovered that a programming error in id3lib, an ID3 Tag Library, may lead to denial of service through symlink attacks.

advisories/debian/debian-new-id3lib383-packages-fix-denial-of-service-42421

Several remote vulnerabilities have been discovered in phpMyAdmin, a program to administrate MySQL over the web. The PMA_ArrayWalkRecursive function in libraries/common.lib.php does not limit recursion on arrays provided by users, which allows context-dependent attackers to cause a denial of service (web server crash) via an array with many dimensions.

advisories/debian/debian-new-phpmyadmin-packages-fix-several-vulnerabilities-72435

Several remote vulnerabilities have been discovered in phpMyAdmin, a program to administrate MySQL over the web. The PMA_ArrayWalkRecursive function in libraries/common.lib.php does not limit recursion on arrays provided by users, which allows context-dependent attackers to cause a denial of service (web server crash) via an array with many dimensions.

advisories/debian/debian-new-phpmyadmin-packages-fix-several-vulnerabilities-72435

It was discovered that ktorrent, a BitTorrent client for KDE, was vulnerable to a directory traversal bug which potentially allowed remote users to overwrite arbitrary files.

advisories/debian/debian-new-ktorrent-packages-fix-directory-traversal-27476

Several vulnerabilities have been discovered in phpWiki, a wiki engine written in PHP. It was discovered that phpWiki performs insufficient file name validation, which allows unrestricted file uploads.

advisories/debian/debian-new-phpwiki-packages-fix-several-vulnerabilities

Several vulnerabilities have been discovered in jffnms, a web-based Network Management System for IP networks. Cross-site scripting (XSS) vulnerability in auth.php, which allows a remote attacker to inject arbitrary web script or HTML via the user parameter.

advisories/debian/debian-new-jffnms-packages-fix-several-vulnerabilities

Two vulnerabilities have been found in MIT Kerberos 5, which could allow a remote unauthenticated user to execute arbitrary code with root privileges.

A stack buffer overflow vulnerability was discovered in the RPC library used by Kerberos' kadmind program by Tenable Network Security. A remote unauthenticated user who could access kadmind would be able to trigger the flaw and cause it to crash (CVE-2007-3999).

A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC servers to execute arbitrary code via a long private message. Updated packages fix this issue.

konqueror/konq_combo.cc in Konqueror 3.5.7 allows remote attackers to spoof the data: URI scheme in the address bar via a long URI with trailing whitespace, which prevents the beginning of the URI from being displayed. (CVE-2007-3820)

A vulnerability was found in MySQL's authentication protocol, making it possible for a remote unauthenticated attacker to send a specially crafted authentication request to the MySQL server causing it to crash (CVE-2007-3780).

A stack buffer overflow vulnerability was discovered in the RPC library used by Kerberos' kadmind program by Tenable Network Security. A remote unauthenticated user who could access kadmind would be able to trigger the flaw and cause it to crash (CVE-2007-3999).

Aaron Plattner discovered a buffer overflow in the Composite extension of the X.org X server, which if exploited could lead to local privilege escalation. Updated packages have been patched to prevent these issues.

A vulnerability in fetchmail was found where it could crash when attempting to deliver an internal warning or error message through an untrusted or compromised SMTP server, leading to a denial of service. Updated packages have been patched to prevent these issues.

A programming error was found in id3lib by Nikolaus Schulz that could lead to a denial of service through symlink attacks. Updated packages have been patched to prevent these issues.

A stack buffer overflow vulnerability was discovered in the RPCSEC_GSS RPC library by Tenable Network Security that could potentially allow for the execution of arbitrary code. Updated packages have been patched to prevent these issues.

Updated krb5 packages that correct a security flaw are now available for Red Hat Enterprise Linux 5. The MIT Kerberos Team discovered a problem with the originally published patch for svc_auth_gss.c (CVE-2007-3999). A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. On Red Hat Enterprise Linux 5 it is not possible to exploit this flaw to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE.

advisories/red-hat/redhat-important-krb5-security-update-66067

Updated MySQL packages for the Red Hat Application Stack comprising the v1.2 release fixed various security issues. A flaw was discovered in MySQL's authentication protocol. A remote unauthenticated attacker could send a specially crafted authentication request to the MySQL server causing it to crash. (CVE-2007-3780) The security issues in this errata are rated as having important security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-important-mysql-security-update-80062

Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-important-kernel-security-update-85756

New PHP5 packages are available for Slackware 10.1, 10.2, 11.0, and 12.0 to fix "several low priority security bugs." Note that PHP5 was not officially supported in Slackware 10.1 or 10.2 (being in the /testing directory), and was not the default version of PHP for Slackware 11.0 (being in the /extra directory), but updates are being provided anyway.

New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0 to fix a possible security issue. This version should also provide increased performance with certain ciphers. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database: https://www.cve.org/CVERecord?id=CVE-2007-4752

New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, and 12.0 to fix a security issue and various other bugs. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database: https://www.cve.org/CVERecord?id=CVE-2007-4138

Original advisory details: It was discovered that the libraries handling RPCSEC_GSS did not correctly validate the size of certain packet structures. An unauthenticated remote user could send a specially crafted request and execute arbitrary code with root privileges.

advisories/ubuntu/ubuntu-kerberos-vulnerability-25212