+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| March 30th, 2001 Volume 2, Number 13a |
+----------------------------------------------------------------+
Editors: Dave Wreski             Benjamin Thomas
         dave@linuxsecurity.com  ben@linuxsecurity.com
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
This week, advisories were released for licq, sgml-tools, openssh,
kerberos, vim, joe, and eperl. The vendors include Conectiva,
Immunix, Mandrake, Red Hat, SuSE, and Trustix. Please take the
necessary time to patch your system. Security requires persistence.
Are you sick and tired of having to apply system updates week after week?
Why not use a distribution built specifically for security that still
maintains maximum usability and flexibility? EnGarde is now
available for download. For more information please visit:
http://www.engardelinux.org
HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html
+---------------------------------+
| Installing a new package: | ------------------------------//
+---------------------------------+
# rpm -Uvh <filename>
# dpkg -i <filename>
Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.
+---------------------------------+
| Checking Package Integrity: | -----------------------------//
+---------------------------------+
The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.
# md5sum <filename>
ebf0d4a0d236453f63a797ea20f0758b
The resulting string of hexadecimal digits can then be compared against
the MD5 checksum published by the packager. This check does not account
for the possibility that whoever modified a package may also have
modified the published checksum, but it is still useful for
establishing a great deal of assurance in the integrity of a package
before installing it.
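The comparison described above can be scripted for a whole list of updates. The following is an added example, not part of the original newsletter: it reads a listing laid out like the advisories below (a line ending in .rpm, followed by a line holding the MD5 sum) and checks the files in a download directory. The function names, file names and the demo data are constructed for illustration.

```shell
# Added example: check downloaded packages against a newsletter-style listing,
# where a line ending in .rpm names the package and the next line is its MD5.
# parse_listing FILE: print "md5  basename" pairs (the format `md5sum -c` reads)
parse_listing() {
    awk '
        /\.rpm[ \t]*$/ { n = split($NF, p, "/"); name = p[n]; next }
        /^[ \t]*[0-9a-fA-F]+[ \t]*$/ {
            if (name != "" && length($1) == 32) print tolower($1) "  " name
            name = ""; next
        }
        NF { name = "" }   # any other text breaks the filename/sum pairing
    ' "$1"
}
# verify_listing FILE DIR: one status line per package; returns 1 on any failure
verify_listing() {
    fail=0
    pairs=$(parse_listing "$1")
    [ -n "$pairs" ] || { echo "no checksums found in $1" >&2; return 2; }
    while read -r want name; do
        if [ ! -f "$2/$name" ]; then
            echo "MISSING  $name"; fail=1; continue
        fi
        got=$(md5sum "$2/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; fail=1
        fi
    done <<EOF
$pairs
EOF
    return $fail
}
# Constructed demo: two stand-in files; the second is altered after its sum
# was recorded, so it is reported as MISMATCH and demo returns 1.
demo() {
    d=$(mktemp -d) || return 2
    for f in a b; do
        printf 'pkg-%s' "$f" > "$d/$f-1.0-1.i386.rpm"
        echo "7.0/RPMS/$f-1.0-1.i386.rpm"
        md5sum "$d/$f-1.0-1.i386.rpm" | cut -d' ' -f1
    done > "$d/listing.txt"
    printf 'tampered' >> "$d/b-1.0-1.i386.rpm"
    verify_listing "$d/listing.txt" "$d"; status=$?
    rm -rf "$d"; return $status
}
demo || true
```

A matching sum only shows that the file is the one the listing describes. Running rpm --checksig on the package additionally checks its signature against vendor keys you have already imported.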
+---------------------------------+
| Conectiva | ----------------------------//
+---------------------------------+
* Conectiva: 'openssh' vulnerability
March 28th, 2001
It is possible to do a passive analysis on an ssh encrypted
connection and obtain important information about that connection. In
particular, it is possible to obtain the number of characters of a
password (which can be the login password itself or even passwords
entered during interactive commands such as "su"), the type of
authentication that was used (password or publickey), and the number
of characters typed in a shell. This analysis can, for example, give
valuable information that will reduce the universe of passwords that
have to be tried in a brute-force attack.
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1248.html
* Conectiva: 'sgml-tools' vulnerability
March 27th, 2001
Previous releases of the sgml-tools package create temporary files
with poor permissions, typically allowing world-read access.
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
sgml-tools-1.0.9-9cl.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1242.html
* Conectiva: 'licq' vulnerabilities
March 27th, 2001
Previous versions have two vulnerabilities that could be exploited by
a remote attacker to execute arbitrary commands on the client host.
The first vulnerability is a buffer overflow in a log function. The
second vulnerability is the use of the system() function to
invoke an external browser when a URL is received. This function
will expand and interpret shell characters and this could be used to
execute commands on behalf of the user running licq.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1241.html
+---------------------------------+
| Immunix | ----------------------------//
+---------------------------------+
* Immunix: 'vim' vulnerability
March 29th, 2001
An attacker could embed malicious VIM control codes into a file, and
as soon as any user opened that file in vim-enhanced or vim-X11 with
the status line option enabled in .vimrc, the commands would be
executed as that user.
http://immunix.org/ImmunixOS/7.0/updates/RPMS/
vim-X11-5.7-8_imnx.i386.rpm
e60540c7e159ee6c989a3f51436bb4b9
http://immunix.org/ImmunixOS/7.0/updates/RPMS/
vim-common-5.7-8_imnx.i386.rpm
23780ce98f4482d4ff1b80c6df23b1a3
http://immunix.org/ImmunixOS/7.0/updates/RPMS/
vim-enhanced-5.7-8_imnx.i386.rpm
47de143756db2a52d84e54b55b28ef0a
http://immunix.org/ImmunixOS/7.0/updates/RPMS/
vim-minimal-5.7-8_imnx.i386.rpm
6ad7c0aecef55646c2c7e3ce28c6f786
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1251.html
* Immunix: Kerberos vulnerabilities
March 29th, 2001
Red Hat has released updated Kerberos packages that fix a number of
logical and temp file problems. PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1250.html
* Immunix: 'openssh' update
March 26th, 2001
Solar Designer has posted an excellent analysis of problems in
current versions of numerous SSH protocol implementations. These
problems can allow an attacker that is monitoring encrypted SSH
sessions to obtain sensitive information.
http://immunix.org/ImmunixOS/7.0/updates/RPMS/
openssh-2.5.2p2-1_imnx_2.i386.rpm
1ea6e409d96ad90d02d3523c46f58ffc
http://immunix.org/ImmunixOS/7.0/updates/RPMS/
openssh-askpass-2.5.2p2-1_imnx_2.i386.rpm
bbc07d1db6b74c909e89c6ed672767ba
http://immunix.org/ImmunixOS/7.0/updates/RPMS/
openssh-clients-2.5.2p2-1_imnx_2.i386.rpm
28e9e9d368f6357a80ac1a90c61c4dae
http://immunix.org/ImmunixOS/7.0/updates/RPMS/
openssh-server-2.5.2p2-1_imnx_2.i386.rpm
611b75b709ac04f93e21f680ac4e3ee1
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1240.html
+---------------------------------+
| Mandrake | ----------------------------//
+---------------------------------+
* Mandrake: 'vim' vulnerabilities
March 27th, 2001
Users could embed malicious VIM control codes into a file, and as
soon as any user opened that file in vim-enhanced or vim-X11 with the
status line option enabled in .vimrc, the commands would be executed
as that user.
http://www.linux-mandrake.com/en/ftp.php3
7.2/RPMS/ctags-3.5.1-8.1mdk.i586.rpm
1076ff77ed766322eb728a7703bf88a8
7.2/RPMS/vim-X11-5.7-8.1mdk.i586.rpm
059d7f49bcdc91f1584e988897d81f4e
7.2/RPMS/vim-common-5.7-8.1mdk.i586.rpm
f9d63eaf638a1ef5a96ed282b5b48f9f
7.2/RPMS/vim-enhanced-5.7-8.1mdk.i586.rpm
ca275976537ea13575e83bc42deed257
7.2/RPMS/vim-minimal-5.7-8.1mdk.i586.rpm
37c9ee2542cdcdeb971472be7b13a220
7.2/SRPMS/vim-5.7-8.1mdk.src.rpm
49c03d7aee3706d607ed2b8b46756817
Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1252.html
* Mandrake: 'openssh' vulnerability
March 24th, 2001
There are several weaknesses in various implementations of the SSH
(Secure Shell) protocols. When exploited, they let the attacker
obtain sensitive information by passively monitoring encrypted SSH
sessions. The information can later be used to speed up brute-force
attacks on passwords, including the initial login password and other
passwords appearing in interactive SSH sessions, such as those used
with su.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1239.html
+---------------------------------+
| Red Hat | ----------------------------//
+---------------------------------+
* Red Hat: 'openssh' update
March 27th, 2001
Weaknesses in the SSH protocols can be used by a passive attacker to
deduce information about passwords entered over an encrypted
connection. This information can be used to reduce the number of
possible solutions which need to be tested to perform a brute-force
attack. This reduces the amount of time and resources required to
mount such an attack successfully.
ftp://updates.redhat.com/7.0/i386/
openssh-2.5.2p2-1.7.i386.rpm
59fe7436fb6736b7948bfaec706c5628
ftp://updates.redhat.com/7.0/i386/
openssh-askpass-2.5.2p2-1.7.i386.rpm
f80b1952bd5caf65d0e724a26b421635
ftp://updates.redhat.com/7.0/i386/
openssh-askpass-gnome-2.5.2p2-1.7.i386.rpm
04723384928efd09e4f96ef142409135
ftp://updates.redhat.com/7.0/i386/
openssh-clients-2.5.2p2-1.7.i386.rpm
8e387b44bd433e71c1caecb899a680f4
ftp://updates.redhat.com/7.0/i386/
openssh-server-2.5.2p2-1.7.i386.rpm
99a219f6c0708203f4982a4998b4e401
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1244.html
* Red Hat: Kerberos 5 vulnerability
March 27th, 2001
Updated Kerberos 5 packages are now available for Red Hat Linux 6 and
7. These packages fix a vulnerability in the handling of Kerberos IV
ticket files. Updated pam_krb5 packages are now available for Red Hat
Linux 7.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1245.html
+---------------------------------+
| SuSE | ----------------------------//
+---------------------------------+
* SuSE: 'joe' vulnerability
March 28th, 2001
An attacker could place a malicious joerc file in a publicly writable
directory, like /tmp, to execute commands with the privileges of any
user (including root) who runs joe from within this directory.
PLEASE SEE ADVISORY FOR OTHER PLATFORMS
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/ap1/
joe-2.8-300.i386.rpm
3140f1eb79eb246ad98f7687de517371
Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1246.html
* SuSE: 'eperl' buffer overflows
March 28th, 2001
Fumitoshi Ukai and Denis Barbier have found several potential buffer
overflows, which could lead to local privilege escalation if
installed setuid (note: it's not installed setuid by default) or to
remote compromise.
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/d2/
eperl-2.2.14-206.i386.rpm
e613b06d47dcfb7bbcea8c3d0c0e678b
Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1247.html
+---------------------------------+
| Trustix | ----------------------------//
+---------------------------------+
* Trustix: 'openssh' vulnerability
March 29th, 2001
Improved countermeasure against "Passive Analysis of SSH (Secure
Shell) Traffic".
http://openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1249.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
------------------------------------------------------------------------
Received on Sun Apr 1 00:44 CST 2001