|
|
| |
|
| |
Security
Brief items
[This article was contributed by tummy.com]
With the purchase of RAV by Microsoft, many Linux email providers
and ISPs, are looking for an affordable, reliable replacement for RAV
Antivirus.
Kevin Fenzi, Senior Member Technical Staff of tummy.com, ltd. and the
co-author of the Linux Security HOWTO, has reviewed some of the currently
available alternatives.
Kevin evaluated the alternatives on several different criteria, including
Pricing policy (unlimited use is better than a per-domain or per-user
price), broad support for Mail Transport Agents, and ease of installation and
configuration.
Criteria Used:
- Pricing policy: Unlimited use got the highest score. Per-domain pricing
was next best, and per-user pricing was last. Those products that did
not have pricing information on their website received no score in this
category.
- Support for MTAs: A point was awarded for each of the popular Mail
Transport Agents supported (Qmail, Postfix, Exim, SuSE,
Sendmail+Milters, Sendmail, Dmail).
- Ease of Installation: Is the product easy to download and install?
- Ease of Configuration: Is the product easy to configure with your
local MTA?
- Scores are on a 'bad, fair, good, excellent' scale.
Read the full article here.
Comments (10 posted)
New vulnerabilities
gtksee: buffer overflow
| Package(s): | gtksee |
CVE #(s): | CAN-2003-0444
|
| Created: | June 30, 2003 |
Updated: | July 11, 2003 |
| Description: |
Viliam Holub discovered a bug in gtksee whereby, when loading PNG
images of certain color depths, gtksee would overflow a heap-allocated
buffer. This vulnerability could be exploited by an attacker using a
carefully constructed PNG image to execute arbitrary code when the
victim loads the file in gtksee. |
| Alerts: |
|
Comments (none posted)
imagemagick: insecure temporary file
| Package(s): | imagemagick |
CVE #(s): | CAN-2003-0455
|
| Created: | June 30, 2003 |
Updated: | July 10, 2003 |
| Description: |
There are circumstances in which imagemagick's libmagick library creates
temporary files without taking appropriate security precautions. This
vulnerability could be exploited by a local user to create or overwrite
files with the privileges of another user who is invoking a program using
this library. |
| Alerts: |
|
Comments (none posted)
PHP: Cross site scripting vulnerability
| Package(s): | PHP |
CVE #(s): | CAN-2003-0442
|
| Created: | July 2, 2003 |
Updated: | August 13, 2003 |
| Description: |
In PHP version 4.3.1 and earlier, when transparent session ID support is
enabled using the "session.use_trans_sid" option, the session ID is not
escaped before use. This allows a Cross Site Scripting attack. |
| Alerts: |
|
Comments (none posted)
phpbb: sql injection
| Package(s): | phpbb |
CVE #(s): | CAN-2003-0486
|
| Created: | June 28, 2003 |
Updated: | July 2, 2003 |
| Description: |
An SQL injection vulnerability in viewtopic.php for phpBB 2.0.5 and earlier
allows remote attackers to steal password hashes via the topic_id parameter. |
| Alerts: |
|
Comments (none posted)
proftpd: SQL injection
| Package(s): | proftpd |
CVE #(s): | |
| Created: | June 30, 2003 |
Updated: | June 30, 2003 |
| Description: |
runlevel [runlevel@raregazz.org] reported that ProFTPD's PostgreSQL
authentication module is vulnerable to a SQL injection attack. This
vulnerability could be exploited by a remote, unauthenticated attacker
to execute arbitrary SQL statements, potentially exposing the
passwords of other users, or to connect to ProFTPD as an arbitrary
user without supplying the correct password. |
| Alerts: |
|
Comments (none posted)
tcptraceroute: problems dropping root privileges
| Package(s): | tcptraceroute |
CVE #(s): | CAN-2003-0489
|
| Created: | June 28, 2003 |
Updated: | July 10, 2003 |
| Description: |
tcptraceroute 1.4 and earlier does not fully drop privileges after
obtaining a file descriptor for capturing packets. This may allow local
users to gain access to the descriptor via a separate vulnerability in
tcptraceroute. |
| Alerts: |
|
Comments (none posted)
unzip: directory traversal vulnerability
| Package(s): | unzip |
CVE #(s): | CAN-2003-0282
|
| Created: | July 1, 2003 |
Updated: | November 13, 2003 |
| Description: |
A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to
overwrite arbitrary files during archive extraction by placing invalid
(non-printable) characters between two "." characters. These non-printable
characters are filtered, resulting in a ".." sequence. See the full
advisory for further information. |
| Alerts: |
|
Comments (none posted)
xgalaga: buffer overflows
| Package(s): | xgalaga |
CVE #(s): | CAN-2003-0454
|
| Created: | June 30, 2003 |
Updated: | July 2, 2003 |
| Description: |
Steve Kemp discovered several buffer overflows in the game xgalaga, which
can be triggered by a long HOME environment variable. This vulnerability
could be exploited by a local attacker to gain gid 'games'. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
CVE #(s): | CAN-2002-0651
CAN-2002-0684
|
| Created: | July 8, 2002 |
Updated: | October 1, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684 |
| Alerts: |
|
Comments (1 posted)
Canna server: exploitable buffer overrun
| Package(s): | canna |
CVE #(s): | CAN-2002-1158
CAN-2002-1159
|
| Created: | December 10, 2002 |
Updated: | October 1, 2003 |
| Description: |
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also
http://canna.sourceforge.jp/sec/Canna-2002-01.txt
CAN-2002-1158
CAN-2002-1159 |
| Alerts: |
|
Comments (none posted)
CUPS: vulnerability in the CUPS IPP implementation
| Package(s): | cups |
CVE #(s): | CAN-2003-0195
|
| Created: | May 27, 2003 |
Updated: | July 22, 2003 |
| Description: |
Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP
(Internet Printing Protocol) implementation. The IPP implementation is
single-threaded, which means only one request can be serviced at a time.
An attacker could make a partial request that does not time out and
therefore creates a denial of service. In order to exploit this bug, an
attacker must have the ability to make a TCP connection to the IPP port (by
default 631). |
| Alerts: |
|
Comments (none posted)
ethereal: security problems in Ethereal 0.9.12
| Package(s): | ethereal |
CVE #(s): | CAN-2003-0428
CAN-2003-0429
CAN-2003-0431
CAN-2003-0432
|
| Created: | June 23, 2003 |
Updated: | November 10, 2003 |
| Description: |
Several security problems have been found in Ethereal
0.9.12. "It may be possible to make Ethereal crash or run
arbitrary code by injecting a purposefully malformed packet onto the wire,
or by convincing someone to read a malformed packet trace file." |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
fetchmail: buffer overflow
| Package(s): | fetchmail |
CVE #(s): | CAN-2002-1365
|
| Created: | December 17, 2002 |
Updated: | October 20, 2003 |
| Description: |
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. |
| Alerts: |
|
Comments (3 posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
CVE #(s): | CAN-2002-0391
|
| Created: | August 14, 2002 |
Updated: | June 30, 2003 |
| Description: |
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
|
| Alerts: |
|
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
CVE #(s): | CAN-2002-1146
|
| Created: | November 7, 2002 |
Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
|
| Alerts: |
|
Comments (none posted)
gnocatan: buffer overflows, denial of service
| Package(s): | gnocatan |
CVE #(s): | CAN-2003-0433
|
| Created: | June 12, 2003 |
Updated: | June 28, 2003 |
| Description: |
Bas Wijnen discovered that the gnocatan server is vulnerable to
several buffer overflows which could be exploited to execute arbitrary
code on the server system. |
| Alerts: |
|
Comments (none posted)
gnupg: key validation
| Package(s): | gnupg |
CVE #(s): | CAN-2003-0255
|
| Created: | May 16, 2003 |
Updated: | November 18, 2003 |
| Description: |
A key validation bug was discovered in the GNU Privacy Guard (GPG) which
would cause keys with more then one user ID to trust all user ID's with the
amount of trust given to the most-valid user ID. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
IMP - SQL injection vulnerability
| Package(s): | imp |
CVE #(s): | CAN-2003-0025
|
| Created: | January 15, 2003 |
Updated: | July 8, 2003 |
| Description: |
The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL
injection; see this advisory for details.
Version 3.x is not vulnerable to this problem. |
| Alerts: |
|
Comments (1 posted)
kde: arbitrary code execution
| Package(s): | kde |
CVE #(s): | CAN-2003-0204
|
| Created: | April 10, 2003 |
Updated: | June 30, 2003 |
| Description: |
The KDE Security team has issued an advisory
on a vulnerability present in all versions of KDE that allow a remote
attacker to execute arbitrary commands under your account. KDE 3.0.5b and
KDE 3.1.1a have been released to address this problem. For KDE 2.2.2
patches to the KDE 2.2.2 sources have been made available.
KDE uses Ghostscript software for processing of PostScript (PS) and PDF
files in a way that allows for the execution of arbitrary commands that can
be contained in such files.
An attacker can prepare a malicious PostScript or PDF file which will
provide the attacker with access to the victim's account and privileges
when the victim opens this malicious file for viewing or when the victim
browses a directory containing such malicious file and has file previews
enabled.
An attacker can provide malicious files remotely to a victim in an e-mail,
as part of a webpage, via an ftp server and possible other means. |
| Alerts: |
|
Comments (none posted)
kernel - ptrace-related vulnerability
| Package(s): | kernel |
CVE #(s): | CAN-2003-0127
|
| Created: | March 17, 2003 |
Updated: | June 30, 2003 |
| Description: |
Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in
ptrace() which may be exploited by a local user to obtain root
access. This announcement contains the
details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released
which contains the fix. |
| Alerts: |
|
Comments (none posted)
kernel 2.4 - two new vulnerabilities
| Package(s): | kernel |
CVE #(s): | CAN-2003-0244
CAN-2003-0246
|
| Created: | May 14, 2003 |
Updated: | July 25, 2003 |
| Description: |
The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing.
- The ioperm() system call doesn't perform proper checking,
allowing a local user to manipulate arbitrary I/O ports.
- The networking code contains a remotely exploitable denial of
service condition; see the May 24 Security Page for details.
|
| Alerts: |
|
Comments (2 posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
kopete: vulnerabiliy in GnuPG plugin
| Package(s): | kopete |
CVE #(s): | CAN-2003-0256
|
| Created: | May 8, 2003 |
Updated: | June 27, 2003 |
| Description: |
A vulnerability was discovered in versions of kopete
prior to 0.6.2. Kopete is a KDE instant messenger client. This
vulnerabiliy is in the GnuPG plugin that allows for users to send each
other GPG-encrypted instant messages. The plugin passes encrypted messages
to gpg, but does no checking to sanitize the commandline passed to gpg.
This can allow remote users to execute arbitrary code, with the permissions
of the user running kopete, on the local system. |
| Alerts: |
|
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
CVE #(s): | CAN-2002-1363
|
| Created: | December 19, 2002 |
Updated: | July 14, 2004 |
| Description: |
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer. |
| Alerts: |
|
Comments (none posted)
lynx: CRLF injection vulnerability
| Package(s): | lynx |
CVE #(s): | CAN-2002-1405
|
| Created: | November 19, 2002 |
Updated: | October 1, 2003 |
| Description: |
If lynx is given a url with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
CAN-2002-1405 |
| Alerts: |
|
Comments (none posted)
perl-MailTools: remote command execution
| Package(s): | MailTools |
CVE #(s): | CAN-2002-1271
|
| Created: | November 5, 2002 |
Updated: | September 19, 2003 |
| Description: |
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.
|
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
CVE #(s): | |
| Created: | May 27, 2003 |
Updated: | August 12, 2004 |
| Description: |
Some some vulnerabilities exsist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information. |
| Alerts: |
|
Comments (none posted)
nethack: buffer overflow
| Package(s): | nethack, slashem, falconseye |
CVE #(s): | CAN-2003-0358
CAN-2003-0359
|
| Created: | February 18, 2003 |
Updated: | July 15, 2003 |
| Description: |
Overflowing a buffer in nethack may lead to privilege escalation to games
uid.
Read the the full advisory for the details.
Note that falconseye does not contain the file permission error
CAN-2003-0359 which affected some other nethack packages. |
| Alerts: |
|
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
CVE #(s): | CAN-2002-1170
|
| Created: | December 17, 2002 |
Updated: | November 7, 2003 |
| Description: |
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: |
|
Comments (none posted)
noweb: insecure temporary files
| Package(s): | noweb |
CVE #(s): | CAN-2003-0381
|
| Created: | June 17, 2003 |
Updated: | June 28, 2003 |
| Description: |
Jakob Lell discovered a bug in the 'noroff' script included in noweb
whereby a temporary file was created insecurely. During a review,
several other instances of this problem were found and fixed. Any of
these bugs could be exploited by a local user to overwrite arbitrary
files owned by the user invoking the script. |
| Alerts: |
|
Comments (none posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2003-0190
|
| Created: | May 2, 2003 |
Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
|
Comments (1 posted)
pam_xauth: root exploit
| Package(s): | pam_xauth |
CVE #(s): | CAN-2002-1160
|
| Created: | February 13, 2003 |
Updated: | July 10, 2003 |
| Description: |
The pam_xauth module is used to forward xauth information from user to user
in applications such as 'su'.
Andreas Beck discovered that versions of pam_xauth supplied with Red Hat
Linux since version 7.1 would forward authorization information from the
root account to unprivileged users. This could be used by a local attacker
to gain access to an administrator's X session. In order to exploit this
vulnerability, the attacker would have to get the administrator, as root,
to use su to the account belonging to the attacker. |
| Alerts: |
|
Comments (none posted)
PHP: vulnerability in mail function
| Package(s): | php |
CVE #(s): | CAN-2002-0985
CAN-2002-0986
|
| Created: | November 13, 2002 |
Updated: | October 1, 2003 |
| Description: |
Two vulnerabilities exists in the mail() PHP function. The first one allows
the execution of any program/script bypassing safe_mode restriction, the
second one may give an open-relay script if the mail() function is not
carefully used in PHP scripts. See this Bugtraq
report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
CAN-2002-0985
CAN-2002-0986 |
| Alerts: |
|
Comments (none posted)
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
CVE #(s): | |
| Created: | February 12, 2003 |
Updated: | November 7, 2003 |
| Description: |
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
| Alerts: |
|
Comments (1 posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
CVE #(s): | CAN-2002-1119
|
| Created: | August 28, 2002 |
Updated: | October 1, 2003 |
| Description: |
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
CAN-2002-1119 |
| Alerts: |
|
Comments (none posted)
radiusd-cistron: possible remote system compromise
| Package(s): | radiusd-cistron |
CVE #(s): | CAN-2003-0450
|
| Created: | June 13, 2003 |
Updated: | July 11, 2003 |
| Description: |
The package radiusd-cistron is an implementation of the RADIUS protocol.
Unfortunately the RADIUS server handles large NAS numbers incorrectly. This
leads to overwriting internal memory of the server process and may be
abused to gain remote access to the system the RADIUS server is running on. |
| Alerts: |
|
Comments (none posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
CVE #(s): | CAN-2002-1323
|
| Created: | October 9, 2002 |
Updated: | February 20, 2004 |
| Description: |
usePerl has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
vim - modeline vulnerability
| Package(s): | vim |
CVE #(s): | CAN-2002-1377
|
| Created: | January 16, 2003 |
Updated: | February 10, 2004 |
| Description: |
VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that when it is opened
arbitrary commands are executed. |
| Alerts: |
|
Comments (4 posted)
vixie-cron: Local vulnerability
| Package(s): | vixie-cron |
CVE #(s): | CVE-2001-0559
|
| Created: | April 17, 2003 |
Updated: | October 3, 2003 |
| Description: |
From the ISS
advisory:
"Vixie Cron is a scheduling daemon that ships with several Linux
distributions. Vixie Cron version 3.0pl1 could allow a local attacker to
gain root privileges. Crontab fails to properly drop privileges in certain
cases after a crontab modification operation. A local attacker could
exploit this vulnerability to gain root privileges on the system since
crontab is installed setuid root."
Note: this vulnerability is dated May 07 2001, and was first mentioned in
LWN on the May 10,
2001 security page. |
| Alerts: |
|
Comments (none posted)
webmin: session ID spoofing
| Package(s): | webmin |
CVE #(s): | CAN-2003-0101
|
| Created: | June 13, 2003 |
Updated: | November 18, 2003 |
| Description: |
miniserv.pl in the webmin package does not properly handle
metacharacters, such as line feeds and carriage returns, in
Base64-encoded strings used in Basic authentication. This
vulnerability allows remote attackers to spoof a session ID, and
thereby gain root privileges. |
| Alerts: |
|
Comments (none posted)
wget:directory traversal bug
| Package(s): | wget |
CVE #(s): | CAN-2002-1344
|
| Created: | December 10, 2002 |
Updated: | October 1, 2003 |
| Description: |
Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST
command includes any directory information along with the list of filenames
required by the FTP protocol (RFC 959, section 4.1.3).
If the FTP client fails to do so, a malicious FTP server can send filenames
beginning with '/' or containing '/../' which can be used to direct a
vulnerable FTP client to write files (such as .forward, .rhosts, .shosts,
etc.) that can then be used for later attacks against the client machine.
See also
this Bugtraq article from 1997.
CAN-2002-1344 |
| Alerts: |
|
Comments (none posted)
Wwwoffle remote privilege escalation vulnerability
| Package(s): | wwwoffle |
CVE #(s): | CAN-2002-0818
|
| Created: | August 14, 2002 |
Updated: | October 1, 2003 |
| Description: |
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content Length values.
"It is believed
that an attacker could exploit this bug to gain remote wwwrun access
to the system wwwoffled is running on."
CAN-2002-0818 |
| Alerts: |
|
Comments (none posted)
xbl: buffer overflows
| Package(s): | xbl |
CVE #(s): | CAN-2003-0451
CAN-2003-0535
|
| Created: | June 20, 2003 |
Updated: | July 9, 2003 |
| Description: |
Steve Kemp discovered several buffer overflows in xbl, a game, which
can be triggered by long command line arguments. This vulnerability
could be exploited by a local attacker to gain gid 'games'. This has been assigned CVE #
CAN-2003-0451.
Another buffer overflow was discovered in xbl which could also be exploited by a local attacker to gain gid 'games'. This has been assigned CVE #
CAN-2003-0535. |
| Alerts: |
|
Comments (none posted)
xterm: command execution and denial of service
| Package(s): | XFree86 xterm |
CVE #(s): | CAN-2001-1409
CAN-2002-1472
CAN-2002-0164
CAN-2003-0063
CAN-2003-0071
|
| Created: | June 25, 2003 |
Updated: | July 2, 2003 |
| Description: |
A couple of new vulnerabilities have been found in the xterm application shipped with XFree86. There is yet another "execute arbitrary commands by setting the window title" vulnerability, along with a bug which can allow an attacker to lock up an exterm window. |
| Alerts: |
|
Comments (none posted)
xinetd: Memory leak in xinetd 2.3.10
| Package(s): | xinetd |
CVE #(s): | CAN-2003-0211
|
| Created: | May 13, 2003 |
Updated: | November 13, 2003 |
| Description: |
Xinetd is a 'master server' that is used to to accept service connection
requests and start the appropriate servers.
Because of a programming error, memory was allocated and never freed if a
connection was refused for any reason. An attacker could exploit this flaw
to crash the xinetd server, rendering all services it controls unavailable.
In addition, other flaws in xinetd could cause incorrect operation in
certain unusual server configurations.
All users of xinetd are advised to update to xinetd-2.3.11 which is not
vulnerable to these issues. |
| Alerts: |
|
Comments (none posted)
Xpdf - command execution vulnerability
| Package(s): | Xpdf |
CVE #(s): | CAN-2003-0434
|
| Created: | June 18, 2003 |
Updated: | July 24, 2003 |
| Description: |
Xpdf suffers from the same sort of "execute arbitrary code embedded in a malicious document" vulnerability that is so widespread in other PostScript and PDF interpreters. |
| Alerts: |
|
Comments (none posted)
ypserv: denial of service
| Package(s): | ypserv |
CVE #(s): | CAN-2003-0251
|
| Created: | June 25, 2003 |
Updated: | July 11, 2003 |
| Description: |
From the Red Hat advisory: "A vulnerability has been discovered in the ypserv NIS server prior to
version 2.7. If a malicious client queries ypserv via TCP and subsequently
ignores the server's response, ypserv will block attempting to send the
reply. This results in ypserv failing to respond to other client requests." The fix is up upgrade to version 2.8.0. |
| Alerts: |
|
Comments (none posted)
Resources
The June 27 issue of the Linux Advisory Watch newsletter from
LinuxSecurity.com is available.
Full Story (comments: none)
The June 30 issue of the Linux Security Week newsletter from
LinuxSecurity.com is available.
Full Story (comments: none)
Events
NEbraskaCERT is holding the 5th
annual NEbraskaCERT conference, the
leading Security Conference in the midwest. The conference will be held
August 5 - 7, 2003 at the Peter Kiewit Institute, Scott Conference Center,
Omaha, NE USA.
Comments (none posted)
Page editor: Rebecca Sobol
Next page: Kernel development>>
|
|
|