 Glug-Nilgiris
[GN] "GN SecNews #2"  Vijay Kumar
 Feb 02, 2003 18:20 PST 
GN SecNews Vol #2
-----------------
News Article Type: Weekly
Author: vijay (vijay-@users.sourceforge.net)
Date: Mon Feb 3 07:49:31 IST 2003

Please send in your comments and suggestions for improvement.

Disclaimer: This is a compilation of Security News Articles/Advisories from various GNU/Linux Providers, Developers and Users. The Author(s) of this article makes no warranties of any kind whatsoever with respect to the information contained from the sources. The information given here is as is from the source with the PGP signature if available.

_____________________________________________________________________________

Contents
--------
1). Security Update: [CSSA-2003-006.0] Linux: CVS double free vulnerability
2). [RHSA-2003:020-10] Updated kerberos packages fix vulnerability in ftp client
3). Apache Jakarta Tomcat 3 URL parsing vulnerability
4). [OpenPKG-SA-2003.008] OpenPKG Security Advisory (mysql)
5). MITKRB5-SA-2003-001: Multiple vulnerabilities in old releases of MIT Kerberos
6). [SECURITY] [DSA 245-1] New dhcp3 packages fix potential network flood

_____________________________________________________________________________


1)
______________________________________________________________________________

SCO Security Advisory

Subject: Linux: CVS double free vulnerability
Advisory number: CSSA-2003-006.0
Issue date: 2003 January 31
Cross reference:
______________________________________________________________________________


1. Problem Description

Double-free vulnerability in CVS allows remote attackers to cause
a denial of service and possibly execute arbitrary code via a
malformed Directory request.


2. Vulnerable Supported Versions

System                           Package
----------------------------------------------------------------------

OpenLinux 3.1.1 Server           prior to cvs-1.11-9.i386.rpm
                                 prior to cvs-doc-ps-1.11-9.i386.rpm

OpenLinux 3.1.1 Workstation      prior to cvs-1.11-9.i386.rpm
                                 prior to cvs-doc-ps-1.11-9.i386.rpm

OpenLinux 3.1 Server             prior to cvs-1.11-9.i386.rpm
                                 prior to cvs-doc-ps-1.11-9.i386.rpm

OpenLinux 3.1 Workstation        prior to cvs-1.11-9.i386.rpm
                                 prior to cvs-doc-ps-1.11-9.i386.rpm


3. Solution

The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-006.0/RPMS

4.2 Packages

e7a31e41a320f2397d23611600675d6e cvs-1.11-9.i386.rpm
676963b0422d0cd95397de77a3b927d1 cvs-doc-ps-1.11-9.i386.rpm

4.3 Installation

rpm -Fvh cvs-1.11-9.i386.rpm
rpm -Fvh cvs-doc-ps-1.11-9.i386.rpm

4.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-006.0/SRPMS

4.5 Source Packages

da4062b0b49efcabb47c7efb41dc5471 cvs-1.11-9.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-006.0/RPMS

5.2 Packages

73dee39f6543079466e6d7adbac35ec6 cvs-1.11-9.i386.rpm
129403e58ca353878b09fbbbaaccf645 cvs-doc-ps-1.11-9.i386.rpm

5.3 Installation

rpm -Fvh cvs-1.11-9.i386.rpm
rpm -Fvh cvs-doc-ps-1.11-9.i386.rpm

5.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-006.0/SRPMS

5.5 Source Packages

9030ced613dc9919f78a3200ea931fdc cvs-1.11-9.src.rpm


6. OpenLinux 3.1 Server

6.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-006.0/RPMS

6.2 Packages

3b3748a8bca4a972c422f43ff7745337 cvs-1.11-9.i386.rpm
04760b87b35c2a0f72cc41ed9565b47d cvs-doc-ps-1.11-9.i386.rpm

6.3 Installation

rpm -Fvh cvs-1.11-9.i386.rpm
rpm -Fvh cvs-doc-ps-1.11-9.i386.rpm

6.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-006.0/SRPMS

6.5 Source Packages

6d87ab953cd4864fe319085b3d2517db cvs-1.11-9.src.rpm


7. OpenLinux 3.1 Workstation

7.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-006.0/RPMS

7.2 Packages

0aa2347beb3bf9e5219dfce2eedb26d8 cvs-1.11-9.i386.rpm
a646b53a8436c880b4752566223e7156 cvs-doc-ps-1.11-9.i386.rpm

7.3 Installation

rpm -Fvh cvs-1.11-9.i386.rpm
rpm -Fvh cvs-doc-ps-1.11-9.i386.rpm

7.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-006.0/SRPMS

7.5 Source Packages

6e2cf8a3b250a1373846f4d35ea958ad cvs-1.11-9.src.rpm


8. References

Specific references for this advisory:

http://security.e-matters.de/advisories/012003.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015

SCO security resources:

http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr873732, fz527185,
erg712206.


9. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.


10. Acknowledgements

Stefan Esser <s.es-@e-matters.de> discovered and researched
these vulnerabilities.

______________________________________________________________________________


==============================================================================

2).
--------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated kerberos packages fix vulnerability in ftp client
Advisory ID:       RHSA-2003:020-10
Issue date:        2003-01-31
Updated on:        2003-01-31
Product:           Red Hat Linux
Keywords:          krb5 ftp netkit
Cross references:
Obsoletes:         RHSA-2002:242
CVE Names:         CAN-2003-0041
---------------------------------------------------------------------

1. Topic:

Updated packages fix a vulnerability found in the Kerberos ftp client
distributed with the Red Hat Linux krb5 packages.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

Kerberos is a network authentication system.

A problem has been found in the Kerberos ftp client. When retrieving a
file with a filename beginning with a pipe character, the ftp client will
pass the filename to the command shell in a system() call. This could
allow a malicious ftp server to write to files outside of the current
directory or execute commands as the user running the ftp client.

The Kerberos ftp client runs as the default ftp client when the Kerberos
package krb5-workstation is installed on a Red Hat Linux distribution.

All users of Kerberos are advised to upgrade to these errata packages which
contain a backported patch and are not vulnerable to this issue.
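The bug described above is a trust problem: the client lets the server choose a local file name and then hands that name to a shell. The Python function below is an added illustration, not code from Red Hat or from the krb5 ftp client, of the check a client should apply to any server-supplied name before opening it: refuse a name whose last component starts with the pipe character (the trigger in the advisory) or a dash, refuse control characters, and keep only the final path component so the server cannot steer the write outside the download directory. The helper names, the download directory and the sample names are constructed for the example.

```python
import os
import posixpath


class UnsafeRemoteName(ValueError):
    """Raised when a server-supplied file name must not be used locally."""


def local_target(remote_name, download_dir):
    """Return the local path under download_dir to write remote_name to, or raise.

    Hypothetical helper for an ftp-style client: the name comes from the server
    (a LIST/NLST reply, or a wildcard the server expanded), so it is untrusted
    input, not a file name the local user typed.
    """
    if not remote_name:
        raise UnsafeRemoteName("empty name")
    # NUL and other control characters never belong in a file name.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in remote_name):
        raise UnsafeRemoteName("control character in name")
    # Keep only the final path component (treat backslash as a separator too), so
    # the server cannot direct the write to ../ or to an absolute path.
    base = posixpath.basename(remote_name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise UnsafeRemoteName("no usable file name in %r" % remote_name)
    # A leading '|' is the case from the advisory: BSD-derived clients treat it as
    # "pipe the transfer through this command". A leading '-' can later be read
    # as an option by any tool the name is passed to.
    if base[0] in "|-":
        raise UnsafeRemoteName("name starts with %r" % base[0])
    # After basename() the result cannot escape download_dir, and the caller
    # opens this path with open(), never through a shell.
    return os.path.join(download_dir, base)


def is_safe_remote_name(remote_name):
    """Boolean form of the same check, convenient for filtering a listing."""
    try:
        local_target(remote_name, ".")
        return True
    except UnsafeRemoteName:
        return False


if __name__ == "__main__":
    for name in ["report.txt", "pub/docs/report.txt", "|cmd", "..", "a\x00b"]:
        print(repr(name), "->", is_safe_remote_name(name))
```

The same rule applies to any client that takes file names from a peer (mirroring tools, download managers, package fetchers): validate the name as data first, then open it directly, and never route it through system() or a shell.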

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/krb5-1.1.1-32.src.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/krb5-configs-1.1.1-32.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-devel-1.1.1-32.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-libs-1.1.1-32.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-server-1.1.1-32.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-workstation-1.1.1-32.i386.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/krb5-1.2.2-16.src.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/krb5-devel-1.2.2-16.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/krb5-libs-1.2.2-16.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/krb5-server-1.2.2-16.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/krb5-workstation-1.2.2-16.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/krb5-1.2.2-16.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/krb5-devel-1.2.2-16.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/krb5-libs-1.2.2-16.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/krb5-server-1.2.2-16.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/krb5-workstation-1.2.2-16.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/krb5-1.2.2-16.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/krb5-devel-1.2.2-16.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/krb5-libs-1.2.2-16.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/krb5-server-1.2.2-16.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/krb5-workstation-1.2.2-16.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/krb5-devel-1.2.2-16.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/krb5-libs-1.2.2-16.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/krb5-server-1.2.2-16.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/krb5-workstation-1.2.2-16.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/krb5-1.2.4-4.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/krb5-devel-1.2.4-4.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/krb5-libs-1.2.4-4.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/krb5-server-1.2.4-4.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/krb5-workstation-1.2.4-4.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/krb5-1.2.5-8.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/krb5-devel-1.2.5-8.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/krb5-libs-1.2.5-8.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/krb5-server-1.2.5-8.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/krb5-workstation-1.2.5-8.i386.rpm



6. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
7de192f207e97710837dfdc18dc8be0b 6.2/en/os/SRPMS/krb5-1.1.1-32.src.rpm
4336912a27f2bc883f29ac6d05b6c154 6.2/en/os/i386/krb5-configs-1.1.1-32.i386.rpm
18bdb726d9f38dbc792d5f15bc9db723 6.2/en/os/i386/krb5-devel-1.1.1-32.i386.rpm
6200ee5d3f15a46e5cd3ff2861c881c0 6.2/en/os/i386/krb5-libs-1.1.1-32.i386.rpm
fc652d6f61443bc540ba290f69be2253 6.2/en/os/i386/krb5-server-1.1.1-32.i386.rpm
63ad9195b138e7dd65057aa298f8b085 6.2/en/os/i386/krb5-workstation-1.1.1-32.i386.rpm
616cdc7ef0e0e21ea841d0094c907e0a 7.0/en/os/SRPMS/krb5-1.2.2-16.src.rpm
a0828c84238c35f745a4e536ae0a9d28 7.0/en/os/i386/krb5-devel-1.2.2-16.i386.rpm
6a417b3633390567e24c8236d0a428aa 7.0/en/os/i386/krb5-libs-1.2.2-16.i386.rpm
ee80b17f8d07a416f615e18982bab8f8 7.0/en/os/i386/krb5-server-1.2.2-16.i386.rpm
94ed04976632fbfb45fed0cb1fe39176 7.0/en/os/i386/krb5-workstation-1.2.2-16.i386.rpm
616cdc7ef0e0e21ea841d0094c907e0a 7.1/en/os/SRPMS/krb5-1.2.2-16.src.rpm
a0828c84238c35f745a4e536ae0a9d28 7.1/en/os/i386/krb5-devel-1.2.2-16.i386.rpm
6a417b3633390567e24c8236d0a428aa 7.1/en/os/i386/krb5-libs-1.2.2-16.i386.rpm
ee80b17f8d07a416f615e18982bab8f8 7.1/en/os/i386/krb5-server-1.2.2-16.i386.rpm
94ed04976632fbfb45fed0cb1fe39176 7.1/en/os/i386/krb5-workstation-1.2.2-16.i386.rpm
616cdc7ef0e0e21ea841d0094c907e0a 7.2/en/os/SRPMS/krb5-1.2.2-16.src.rpm
a0828c84238c35f745a4e536ae0a9d28 7.2/en/os/i386/krb5-devel-1.2.2-16.i386.rpm
6a417b3633390567e24c8236d0a428aa 7.2/en/os/i386/krb5-libs-1.2.2-16.i386.rpm
ee80b17f8d07a416f615e18982bab8f8 7.2/en/os/i386/krb5-server-1.2.2-16.i386.rpm
94ed04976632fbfb45fed0cb1fe39176 7.2/en/os/i386/krb5-workstation-1.2.2-16.i386.rpm
d3eac1b4295ee369dcfd9995a0e45b37 7.2/en/os/ia64/krb5-devel-1.2.2-16.ia64.rpm
ef40911979476a6eb1e5478ac7c47fea 7.2/en/os/ia64/krb5-libs-1.2.2-16.ia64.rpm
b75832522f7ea9947be50798ef26b779 7.2/en/os/ia64/krb5-server-1.2.2-16.ia64.rpm
6048f3c9244988cba98faf1393c27723 7.2/en/os/ia64/krb5-workstation-1.2.2-16.ia64.rpm
3969cabccac559df1e3dcb52053c4027 7.3/en/os/SRPMS/krb5-1.2.4-4.src.rpm
6aec2391885a30736e5e1de4a771dc2f 7.3/en/os/i386/krb5-devel-1.2.4-4.i386.rpm
722ab734d6ce600dd80bba2486d8a140 7.3/en/os/i386/krb5-libs-1.2.4-4.i386.rpm
6b5f820a689f7298d31258df42940216 7.3/en/os/i386/krb5-server-1.2.4-4.i386.rpm
342240d400ec1a1538d04da1d223bbf6 7.3/en/os/i386/krb5-workstation-1.2.4-4.i386.rpm
eea7b6df4f894efbdd94bac8be3f917d 8.0/en/os/SRPMS/krb5-1.2.5-8.src.rpm
9e91371e397a6eec059a1b5e3139f3ef 8.0/en/os/i386/krb5-devel-1.2.5-8.i386.rpm
a830d26d187e18be678ee12722eec485 8.0/en/os/i386/krb5-libs-1.2.5-8.i386.rpm
fd353f875ea9edc4375af13ba80ae38f 8.0/en/os/i386/krb5-server-1.2.5-8.i386.rpm
70b04bf0aa7662af6704ce0223ebb914 8.0/en/os/i386/krb5-workstation-1.2.5-8.i386.rpm


These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>
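The MD5 table above, and the "<md5> <file>" lists in the SCO advisory in item 1, share one line shape, so a small script can check a whole download directory against an advisory instead of comparing digests by eye. The following Python is an added example, not a Red Hat or SCO tool: it parses the advisory text, hashes each downloaded file in chunks, and reports ok, mismatch or missing per package. The demo() run uses constructed package names whose listed digests are those of the sample contents it writes, not of any real RPM. As the advisory says, this only detects corruption or tampering of the download; rpm --checksig against the vendor's GPG key is the check that ties a package to the vendor.

```python
import hashlib
import os
import re
import tempfile

# One advisory line: 32 hex digits, whitespace, a package path or file name. The
# same shape covers SCO's "<md5> <file>" lists and Red Hat's verification table.
CHECKSUM_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")


def parse_checksum_table(text):
    """Return {package_path: expected_md5} from the advisory's verification text."""
    expected = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1)
    return expected


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large RPMs are not loaded at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(expected, download_dir):
    """Compare each listed package (matched by basename) with a file in download_dir.

    Returns {package_path: "ok" | "mismatch" | "missing"}. Anything other than
    "ok" means: do not install. An attacker who can alter the package can alter
    an unsigned checksum list just as easily, so this complements, and does not
    replace, the GPG signature check.
    """
    results = {}
    for package, digest in expected.items():
        local = os.path.join(download_dir, os.path.basename(package))
        if not os.path.isfile(local):
            results[package] = "missing"
        elif md5_of_file(local) == digest:
            results[package] = "ok"
        else:
            results[package] = "mismatch"
    return results


def demo():
    """Constructed end-to-end run: package names are invented, and the digests in
    the table are those of the sample contents written below."""
    table = (
        "MD5 sum                          Package Name\n"
        "--------------------------------------------------------------------------\n"
        "900150983cd24fb0d6963f7d28e17f72 8.0/en/os/i386/example-a-1.0-1.i386.rpm\n"
        "d41d8cd98f00b204e9800998ecf8427e 8.0/en/os/i386/example-b-1.0-1.i386.rpm\n"
        "d41d8cd98f00b204e9800998ecf8427e 8.0/en/os/i386/example-c-1.0-1.i386.rpm\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "example-a-1.0-1.i386.rpm"), "wb") as f:
            f.write(b"abc")        # md5("abc") is the digest listed for example-a
        with open(os.path.join(d, "example-b-1.0-1.i386.rpm"), "wb") as f:
            f.write(b"tampered")   # table lists the empty-file digest: mismatch
        # example-c is listed in the table but was never downloaded: missing
        return verify_downloads(parse_checksum_table(table), d)


if __name__ == "__main__":
    for package, status in sorted(demo().items()):
        print(status.ljust(8), package)
```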


7. References:

http://www.kb.cert.org/vuls/id/258721
http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719482
http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0041

8. Contact:

The Red Hat security contact is <secu-@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.


===============================================================================

3).
_______________________________________________________________________________


Apache Jakarta Tomcat 3 URL parsing vulnerability

_______________________________________________________________________________

OVERVIEW
========

Tomcat is a JSP/Servlet implementation developed at the Apache Software
Foundation. Tomcat versions 3.3.1 and earlier contain some security
vulnerabilities which allow a remote user to retrieve listings of
directories despite index.html or index.jsp files. It is also possible
to retrieve contents of files and directories that shouldn't be visible to
outside. The vulnerability also allows retrieving the source of JSP files.



DETAILS
=======

Certain kinds of HTTP requests containing binary null or backslash
characters are parsed incorrectly by Tomcat's built-in web server. The
following GET request causes Tomcat to output the directory listing of
the web root under default installation:

GET /<null byte>.jsp HTTP/1.0

The following UNIX command can be issued to test the vulnerability:

$ perl -e 'print "GET /\x00.jsp HTTP/1.0\r\n\r\n";' | nc my.server 8080

If your server is vulnerable, the command will output an HTTP header and
the directory listing even if there's an index file present. Furthermore,
a backslash can be used in the following way to get information from
otherwise inaccessible directories:

$ perl -e 'print "GET /admin/WEB-INF\\classes/ContextAdmin.java\x00.jsp HTTP/1.0\r\n\r\n";'|nc my.server 8080

This will output the contents of ContextAdmin.java.

The servlet engine interprets the directory listing and any file
retrieved in this way as a JSP page, which might be exploited to run
arbitrary Java code under some imaginable scenarios. If the attacker can
create a file whose name contains JSP tags somewhere under the web root,
the code would be run when the directory listing is fetched in the way
described above. Similarly Java code embedded in *.html or any other file
can be compiled and run by an attacker.

In the same way a remote user may force a *.jsp file to be interpreted as
plain HTML, i.e. retrieve the source of JSP files:

$ perl -e 'print "GET /examples/jsp/cal/cal1.jsp\x00.html HTTP/1.0\r\n\r\n";'|nc my.server 8080

This would output the source of the example JSP file.
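Whether or not the fixed release is installed yet, the requests shown above are easy to pick out at a reverse proxy or in a raw request log: a well-formed request target never contains a NUL byte or a backslash, raw or percent-encoded, and nothing under WEB-INF or META-INF may be served to a client at all. The following Python scanner is an added example, not part of the advisory or of Tomcat. It percent-decodes the target once, as the container does, then applies those three checks; the sample lines are constructed from the three requests quoted in the advisory (one rewritten with %00 to show the decoded form is caught too), plus one benign request and one direct request for a WEB-INF resource.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line as it appears on the wire or in a raw request log, kept as bytes
# because the interesting cases are exactly the ones that are not clean text.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def findings_for_target(target):
    """Return the list of reasons a request target should be refused or alerted on.

    The target is percent-decoded once, as the container decodes it, so %00 and
    %5C are caught together with their raw forms. Findings, in order:
      nul-byte       a NUL in the path: the extension the server matches on is
                     not the resource it actually opens
      backslash      a backslash used as a path separator
      protected-dir  a WEB-INF or META-INF segment, which the servlet spec says
                     must never be served to a client
    """
    path = unquote_to_bytes(target).split(b"?", 1)[0]
    findings = []
    if b"\x00" in path:
        findings.append("nul-byte")
    if b"\\" in path:
        findings.append("backslash")
    # Normalise the way the vulnerable parser effectively did: backslash acts as
    # '/', and everything after a NUL is invisible to the file open.
    normalized = path.replace(b"\\", b"/").split(b"\x00", 1)[0]
    segments = {seg.upper() for seg in normalized.split(b"/")}
    if b"WEB-INF" in segments or b"META-INF" in segments:
        findings.append("protected-dir")
    return findings


def scan_request_lines(lines):
    """Return [(line_number, findings)] for every request line that needs attention."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_LINE.match(line.rstrip(b"\r\n"))
        if not match:
            hits.append((number, ["malformed-request-line"]))
            continue
        findings = findings_for_target(match.group(2))
        if findings:
            hits.append((number, findings))
    return hits


# Constructed sample: the request lines quoted in the advisory, one benign
# request, and one direct request for a WEB-INF resource.
SAMPLE_REQUESTS = [
    b"GET /index.jsp HTTP/1.0\r\n",
    b"GET /\x00.jsp HTTP/1.0\r\n",
    b"GET /admin/WEB-INF\\classes/ContextAdmin.java\x00.jsp HTTP/1.0\r\n",
    b"GET /examples/jsp/cal/cal1.jsp%00.html HTTP/1.0\r\n",
    b"GET /docs/WEB-INF/web.xml HTTP/1.0\r\n",
]

if __name__ == "__main__":
    for number, findings in scan_request_lines(SAMPLE_REQUESTS):
        print(number, ", ".join(findings))
```

Run in front of an unpatched server, the same findings_for_target() check is a reasonable reject rule; run over logs after the fact, it tells you whether anyone tried the technique before the upgrade to 3.3.1a.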



SOLUTION
========

The vendor was informed on January 10, 2003. A new version of Tomcat
addressing this problem has been released. The fixed version 3.3.1a and
additional information is available at

http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/

According to the vendor, the problem only affects Tomcat used with JDK
1.3.1 or earlier.



CREDITS
=======

The vulnerability was discovered by Jouko Pynnönen of Online Solutions
Ltd, Finland.



--
Jouko Pynnonen          Online Solutions Ltd       Secure your Linux -
jou-@solutions.fi      http://www.solutions.fi    http://www.secmod.com


==============================================================================

4).
______________________________________________________________________________


[OpenPKG-SA-2003.008] OpenPKG Security Advisory (mysql)

______________________________________________________________________________

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg--@openpkg.org                         open-@openpkg.org
OpenPKG-SA-2003.008                                          29-Jan-2003
________________________________________________________________________

Package:             mysql
Vulnerability:       double free can cause denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= mysql-3.23.54a-20030116 >= mysql-3.23.55-20030124
OpenPKG 1.2          <= mysql-3.23.54a-1.2.0     >= mysql-3.23.54a-1.2.1
OpenPKG 1.1          <= mysql-3.23.52-1.1.1      >= mysql-3.23.52-1.1.2

Affected Releases:   Dependent Packages: none

Description:
Vincent Danen of Mandrake Linux noticed that according to the change
log [0] for MySQL release 3.23.55 [1] a vulnerability has been fixed
where a double-free pointer bug in mysql_change_user() handling
enabled a specially hacked version of MySQL client to crash mysqld.
The vendor states that one needs to successfully login to the server
by using a valid user account to be able to exploit this bug.

Please check whether you are affected by running "<prefix>/bin/rpm -q
mysql". If you have the "mysql" package installed and its version is
affected (see above), we recommend that you immediately upgrade it
(see Solution). [2][3]

Solution:
Select the updated source RPM appropriate for your OpenPKG release
[4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
location, verify its integrity [8], build a corresponding binary RPM
from it [2] and update your OpenPKG installation by applying the binary
RPM [3]. For the current release OpenPKG 1.2, perform the following
operations to permanently fix the security problem (for other releases
adjust accordingly).

$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.2/UPD
ftp> get mysql-3.23.54a-1.2.1.src.rpm
ftp> bye
$ <prefix>/bin/rpm -v --checksig mysql-3.23.54a-1.2.1.src.rpm
$ <prefix>/bin/rpm --rebuild mysql-3.23.54a-1.2.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/mysql-3.23.54a-1.2.1.*.rpm
________________________________________________________________________

References:
[0] http://www.mysql.com/doc/en/News-3.23.55.html
[1] http://www.mysql.com/
[2] http://www.openpkg.org/tutorial.html#regular-source
[3] http://www.openpkg.org/tutorial.html#regular-binary
[4] ftp://ftp.openpkg.org/release/1.1/UPD/mysql-3.23.52-1.1.2.src.rpm
[5] ftp://ftp.openpkg.org/release/1.2/UPD/mysql-3.23.54a-1.2.1.src.rpm
[6] ftp://ftp.openpkg.org/release/1.1/UPD/
[7] ftp://ftp.openpkg.org/release/1.2/UPD/
[8] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <open-@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <open-@openpkg.org>

iD8DBQE+N9gEgHWT4GPEy58RAqygAJ99b9BRMrnG8b5/RermS5QQz08tkQCeLq3s
e3UDxVtK5aGXWeiQvXIHVOM=
=egoK
-----END PGP SIGNATURE-----


==============================================================================

5).
______________________________________________________________________________

MITKRB5-SA-2003-001: Multiple vulnerabilities in old releases of
MIT Kerberos

______________________________________________________________________________

    MIT krb5 Security Advisory 2003-001

Original Release Date: 2003-01-28

Topic: Multiple vulnerabilities in old releases of MIT Kerberos

Severity: CRITICAL: Remote user can crash KDC, and may be able to
          forge non-local identities and compromise the KDC or
          application servers.

SUMMARY
=======

Multiple vulnerabilities have been found in MIT Kerberos 5 releases
prior to release 1.2.5. MIT recommends updating to 1.2.7 if possible.

IMPACT
======

* A remote user can crash the KDC.

* A user authenticated in a remote realm may be able to claim to be
other non-local users to an application server.

* It may be possible for a user to gain access to the KDC system and
database.

AFFECTED SOFTWARE
=================

* All releases of MIT Kerberos 5 before 1.2.5.

FIX
===

MIT recommends updating to release 1.2.5 or later, preferably to the
latest release. Patches specifically to fix these problems are not
available at this time.

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/www/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/www/index.html

ACKNOWLEDGMENTS
===============

Thanks to greg pryzby, Joseph Sokol-Margolis, Gerald Britton, E. Larry
Lidz, and CERT for reporting these problems.

DETAILS
=======

Problem 1: KDC null pointer dereferences
________________________________________

Certain protocol requests, compliant with the protocol encoding scheme
but indicative of a client system most likely configured incorrectly,
can crash a KDC with a null pointer dereference. We do not believe
any exploit to gain access to the KDC or otherwise alter its behavior
is possible on systems without storage mapped at address zero. We
have not explored the effects of this on a system with mapped memory
at address zero.

The fallback and retransmit algorithm used in the MIT krb5 library
will cause an application not receiving a reply from a KDC to try
other KDCs in the same realm; it will iterate through this list a few
times, or until it gets a response. Thus, one client may take down
multiple KDCs.

We believe this vulnerability is limited to the TGS-REQ exchange, that
is, cases where the user has already authenticated to the KDC or one
with which it shares inter-realm keys. So (ignoring cases of
well-known passwords) there is an audit trail of sorts, even if it has
to be dug out of a core file, and it is not a simple, scriptable
attack against KDCs in general.

Workarounds:

- Start your KDC from inittab or a loop in a shell script. (The
   inittab approach may not work well if the KDC is crashed too often
   in a short span of time.)

Thanks to greg pryzby <GregP-@aol.com> for reporting this problem.

Problem 2: realm transit checks
_______________________________

Realms with shared keys can impersonate people in other non-local
realms in certain cases. It may be exploitable in various ways if
non-local principal names are on critical ACLs.

This vulnerability affects both the KDC and Kerberos application
servers.

This problem was fixed in the 1.2.3 release. That release also added
a flag to the KDC config file that can be set to refuse untrusted
cross-realm authentication, in case application servers cannot be
updated quickly enough. This is not recommended as a long-term
solution, because the current model we use says that the application
server is responsible for doing this validation, which allows (for
example) a service on a specific machine (perhaps one set up for
software testing) to be configured to know about authentication paths
known to the maintainer of the service, even if the maintainer of the
KDC does not trust these paths for general use within the realm.
Enforcing this limitation in the KDC takes this option away from the
maintainers of individual machines.

Workarounds:

- Delete or change inter-realm keys so inter-realm authentication is
   disabled.

- Remove all non-local principals from all critical ACLs in services
   using old MIT Kerberos code to validate the realm transit path

Thanks to Joseph Sokol-Margolis <se-@mit.edu> and Gerald Britton
<gbri-@alum.mit.edu> for finding this problem.

Problem 3: format strings
_________________________

Older versions of the MIT KDC used strings containing Kerberos
principal names as printf-style format strings in logging routines.

At least some cases do not require successful authentication, so this
can be used as a remote, anonymous attack.

It is easy to crash the KDC with this exploit. We do not know of any
exploits to gain access to the host system, but we do not rule out the
possibility.

Workarounds: See under problem 1. ***However, these do not address
the host access possibility.***

Thanks to E. Larry Lidz <ell-@eridu.uchicago.edu> for discovering
this problem.

Problem 4: bounds checking on data sizes
________________________________________

Some of our code does not do bounds checking on lengths before
allocating storage. On some systems, attempting to allocate large
negative amounts of storage can crash the program. Thus, some bogus
packets may crash the KDC or an application server using Kerberos. We
do not believe this can be exploited to gain access to the host
system.
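Problem 4 is the general rule that a length read from the network must be validated before it is used for anything: decoded as signed, checked against zero, against a ceiling the service chooses, and against the bytes that actually remain. The Python below is an added example, not MIT code and not the Kerberos wire format: it parses a constructed length-prefixed record format and shows the three rejections in the order they should be applied, so that a negative or absurd length never reaches an allocation or a copy. MAX_FIELD_LEN and the sample packets are assumptions made for the example.

```python
import struct

# Assumed policy ceiling for one field; real code takes it from the protocol's
# own maximum (the largest message the server is willing to process).
MAX_FIELD_LEN = 64 * 1024


class MalformedMessage(ValueError):
    """The message cannot be parsed safely: drop it and log, do not crash."""


def read_length_prefixed(buf, offset):
    """Read one field: a 4-byte big-endian length, then that many bytes.

    The length is decoded as a signed 32-bit integer, which is how the C code in
    the advisory would see a length it never bounds-checked. It is rejected if it
    is negative, above the policy ceiling, or longer than what remains in the
    buffer; all three checks happen before any copy or allocation of n bytes.
    """
    if offset + 4 > len(buf):
        raise MalformedMessage("truncated length field at offset %d" % offset)
    (n,) = struct.unpack_from(">i", buf, offset)
    if n < 0:
        raise MalformedMessage("negative length %d" % n)
    if n > MAX_FIELD_LEN:
        raise MalformedMessage("length %d exceeds ceiling %d" % (n, MAX_FIELD_LEN))
    remaining = len(buf) - offset - 4
    if n > remaining:
        raise MalformedMessage("length %d exceeds remaining %d bytes" % (n, remaining))
    start = offset + 4
    return buf[start:start + n], start + n


def parse_fields(buf):
    """Split buf into a list of fields, failing closed on the first bad length."""
    fields = []
    offset = 0
    while offset < len(buf):
        field, offset = read_length_prefixed(buf, offset)
        fields.append(field)
    return fields


def classify(buf):
    """'ok' when the message parses, otherwise 'rejected: <reason>'."""
    try:
        parse_fields(buf)
        return "ok"
    except MalformedMessage as exc:
        return "rejected: %s" % exc


# Constructed sample packets, one per case.
SAMPLE_GOOD = struct.pack(">i", 5) + b"hello" + struct.pack(">i", 0)
SAMPLE_NEGATIVE = b"\xff\xff\xff\xfe" + b"xx"         # length field reads as -2
SAMPLE_OVERSIZED = struct.pack(">i", 10) + b"abc"      # claims 10 bytes, carries 3
SAMPLE_HUGE = struct.pack(">i", 0x7FFFFFFF)            # 2 GiB claim, nothing follows

if __name__ == "__main__":
    for name in ("SAMPLE_GOOD", "SAMPLE_NEGATIVE", "SAMPLE_OVERSIZED", "SAMPLE_HUGE"):
        print(name.ljust(17), classify(globals()[name]))
```

The ceiling check matters even when the remaining-bytes check would also fire: a server that first allocates n bytes and only then reads into them is exposed to the huge-length case on its own, which is the failure mode the advisory describes.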

Workarounds:

- start KDC in a loop in a script, or from inittab

- do likewise for any server processes that need to handle multiple
   client connections

Thanks to CERT for bringing this to our attention.

REVISION HISTORY
================

2003-01-28 original release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+Nvz7UqOaDMQ+e5gRAsTXAKDnR5W9BAF29BN+LTA6Vf0VE8IEaACffUxa
q3ZwHRinV/lW5Hc1pgvxI3U=
=KrXi
-----END PGP SIGNATURE-----


================================================================================
6).
_______________________________________________________________________________


[SECURITY] [DSA 245-1] New dhcp3 packages fix potential network flood

_______________________________________________________________________________

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 245-1                     secu-@debian.org
http://www.debian.org/security/                             Martin Schulze
January 28th, 2003                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : dhcp3
Vulnerability : ignored counter boundary
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2003-0039

Florian Lohoff discovered a bug in the dhcrelay causing it to send a
continuing packet storm towards the configured DHCP server(s) in case
of a malicious BOOTP packet, such as sent from buggy Cisco switches.

When the dhcp-relay receives a BOOTP request it forwards the request
to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff
which causes the network interface to reflect the packet back into the
socket. To prevent loops the dhcrelay checks whether the
relay-address is its own, in which case the packet would be dropped.
In combination with a missing upper boundary for the hop counter an
attacker can force the dhcp-relay to send a continuing packet storm
towards the configured dhcp server(s).

This patch introduces a new commandline switch ``-c maxcount'' and
people are advised to start the dhcp-relay with ``dhcrelay -c 10''
or a smaller number, which will only create that many packets.

The dhcrelay program from the ``dhcp'' package does not seem to be
affected since DHCP packets are dropped if they were apparently
relayed already.
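The two checks the advisory describes, the loop check on the relay address that dhcrelay already had and the upper bound on the hop counter that ``-c maxcount'' adds, can be shown on a minimal BOOTP header. The Python below is an added illustration, not code from the dhcp3 package: it reads only the op, hops and giaddr fields at their RFC 951 offsets (0, 3 and 24), makes the forward/drop decision, and simulates the reflection the advisory describes to count how many packets one request produces. The case that bypasses the loop check is, on the advisory's description, a request that already carries a giaddr other than the relay's own; addresses, the packet builder and the limit values are constructed for the example.

```python
from ipaddress import IPv4Address

# BOOTP fixed-header layout (RFC 951); only the fields this example reads.
BOOTREQUEST = 1
OP_OFFSET = 0
HOPS_OFFSET = 3
GIADDR_OFFSET = 24
BOOTP_MIN_LEN = 236          # fixed header, without the options field

ZERO_ADDR = IPv4Address("0.0.0.0")


def make_bootp_request(hops=0, giaddr="0.0.0.0"):
    """Constructed minimal BOOTREQUEST; every field not set here is left zero."""
    pkt = bytearray(BOOTP_MIN_LEN)
    pkt[OP_OFFSET] = BOOTREQUEST
    pkt[1] = 1                       # htype: Ethernet
    pkt[2] = 6                       # hlen
    pkt[HOPS_OFFSET] = hops
    pkt[GIADDR_OFFSET:GIADDR_OFFSET + 4] = IPv4Address(giaddr).packed
    return bytes(pkt)


def relay_decision(packet, own_addr, max_hops):
    """Decide what the relay does with one packet arriving on the client side.

    Returns ("forward", packet_to_send) or ("drop", reason). max_hops plays the
    role of the advisory's -c maxcount and must be in 1..255, since hops is one
    byte. The first check is the loop check the original code already had; the
    second is the bound it was missing.
    """
    if not 1 <= max_hops <= 255:
        raise ValueError("max_hops must be in 1..255")
    if len(packet) < BOOTP_MIN_LEN or packet[OP_OFFSET] != BOOTREQUEST:
        return ("drop", "not a BOOTREQUEST")
    hops = packet[HOPS_OFFSET]
    giaddr = IPv4Address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    own = IPv4Address(own_addr)
    if giaddr == own:
        return ("drop", "giaddr is our own address: reflected packet")
    if hops >= max_hops:
        return ("drop", "hop count %d reached limit %d" % (hops, max_hops))
    out = bytearray(packet)
    out[HOPS_OFFSET] = hops + 1      # a relay increments hops on every forward
    if giaddr == ZERO_ADDR:
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = own.packed   # first relay stamps itself
    return ("forward", bytes(out))


def simulate_reflection(packet, own_addr, max_hops):
    """Count forwards when every packet the relay sends comes straight back to
    it unchanged, the condition the advisory describes. Returns packets sent."""
    sent = 0
    while True:
        action, payload = relay_decision(packet, own_addr, max_hops)
        if action == "drop":
            return sent
        sent += 1
        packet = payload


if __name__ == "__main__":
    relay = "192.0.2.1"
    # Ordinary request: the loop check ends the reflection after one packet.
    print(simulate_reflection(make_bootp_request(), relay, 10))
    # Request already carrying a foreign giaddr: only the hop bound ends it,
    # so the limit chosen with -c is the number of packets one request can cost.
    print(simulate_reflection(make_bootp_request(giaddr="198.51.100.9"), relay, 10))
    print(simulate_reflection(make_bootp_request(giaddr="198.51.100.9"), relay, 255))
```

Without the second check the loop in simulate_reflection() would never terminate on the foreign-giaddr packet, which is the "continuing packet storm" of the advisory; with it, ``dhcrelay -c 10'' caps the cost of any single request at ten forwards.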

For the stable distribution (woody) this problem has been fixed in
version 3.0+3.0.1rc9-2.2.

The old stable distribution (potato) does not contain dhcp3 packages.

For the unstable distribution (sid) this problem has been fixed in
version 1.1.2-1.

We recommend that you upgrade your dhcp3 package when you are using
the dhcrelay server.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:

    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.0+3.0.1rc9-2.2.dsc
      Size/MD5 checksum:      730 24c46bc59c7b7fbf5af839b1896073cf
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.0+3.0.1rc9-2.2.diff.gz
      Size/MD5 checksum:    24457 9d555df929ea70ef2b36f7455298a79f
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.0+3.0.1rc9.orig.tar.gz
      Size/MD5 checksum:   809803 3cc4758e5a59362315393a1874dfcb21

Alpha architecture:

    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.2_alpha.deb
      Size/MD5 checksum:   416630 397a678e504608e82480b70da257e3de
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.2_alpha.deb
      Size/MD5 checksum:   216102 393965c956aa0c61b87830ade40927ef
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.2_alpha.deb
      Size/MD5 checksum:   106904 787c1f7ef446485f153fdb5985f57669
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.2_alpha.deb
      Size/MD5 checksum:   287256 9157faf5d681794429640f3c77ef2ae3
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.2_alpha.deb
      Size/MD5 checksum:   526892 48d538b72ff214a8ec5b224f9e4716da

ARM architecture:

    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.2_arm.deb
      Size/MD5 checksum:   386896 f4f9769ef04b52227b0b1134824a8f58
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.2_arm.deb
      Size/MD5 checksum:   188652 b82228305af807ba3588ab0aad6d55aa
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.2_arm.deb
      Size/MD5 checksum:    93386 4990ce79c724969a518c8203398c6a36
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.2_arm.deb
      Size/MD5 checksum:   273362 16e0bd4a19aaabf42f91d62cde3c806f
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.2_arm.deb
      Size/MD5 checksum:   484526 d597e37691b5aba8599fc654354436df

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.2_i386.deb
      Size/MD5 checksum:   375346 27d1ad0d2b6cfbbdebfcdf034edfef0b
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.2_i386.deb
      Size/MD5 checksum:   178596 955644258c1c3447c440ea68240c5595
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.2_i386.deb
      Size/MD5 checksum:    82090 88d318c70305922de31c6f0eab7db3e6
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.2_i386.deb
      Size/MD5 checksum:   269360 e87afd18b990a9c16e8768152b05fb11
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.2_i386.deb
      Size/MD5 checksum:   465170 2bf1b093963bcd214e1edd9a078b7446

Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.2_ia64.deb
      Size/MD5 checksum:   550076 a46f9f25e3567e22a55df624559f346e
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.2_ia64.deb
      Size/MD5 checksum:   339224 d91056b8739382c06dcad9ed9fdce54d
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.2_ia64.deb
      Size/MD5 checksum:   134254 11d223ea9054ad0b19d55add7083c21d
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.2_ia64.deb
      Size/MD5 checksum:   348766 e546dac3162fee5eab1328c120bc51c4
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.2_ia64.deb
      Size/MD5 checksum:   701484 80aa1015319366aa8f6fa6c3e7daa088

HP Precision architecture:

    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.2_hppa.deb
      Size/MD5 checksum:   384876 e971b851045b3399b3280789bfb10dd8
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.2_hppa.deb
      Size/MD5 checksum:   188182 13442ca2429b42ef3aa007e84cb686bd
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.2_hppa.deb
      Size/MD5 checksum:    93040 37c5a4ea972f80fc4aae1fa18cce870d
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.2_hppa.deb
      Size/MD5 checksum:   274828 4ee56537ce01864eff25c04bf8cbc7cc
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.2_hppa.deb
      Size/MD5 checksum:   478030 f5aa250b35b7aba6236e243f81a40571

Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.2_m68k.deb
      Size/MD5 checksum:   364618 a1fc0175cae39bb4b6f8366104cdd027
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.2_m68k.deb
      Size/MD5 checksum:   168548 e619f627bf4dc3502237445b170b9b10
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.2_m68k.deb
      Size/MD5 checksum:    79262 70957f418a8be321b6cd8ed681392daf
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.2_m68k.deb
      Size/MD5 checksum:   264246 527734c5a0815888385c8030a0ab8d11
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.2_m68k.deb
      Size/MD5 checksum:   451098 b7a114770edf4846bcc122fa91802a87

Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.2_mips.deb
      Size/MD5 checksum:   397654 5dd77052a1bf96a6919b42abb7d1993d
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.2_mips.deb
      Size/MD5 checksum:   198506 29532f0c0c25cc74db482956a2e17767
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.2_mips.deb
      Size/MD5 checksum:    94724 9be76951eec5cb400b91b6d2aa3afbc4
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.2_mips.deb
      Size/MD5 checksum:   281616 d487fea11aa26522ca13252d5a1143f1
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.2_mips.deb
      Size/MD5 checksum:   496364 ae74e80436ac5a5639d25c813937be4c

Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.2_mipsel.deb
      Size/MD5 checksum:   397210 af17a66c93142f3b37f3ff54a70de6ce
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.2_mipsel.deb
      Size/MD5 checksum:   197808 f64f4c1cbe51b41a46105fb96afac7f2
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.2_mipsel.deb
      Size/MD5 checksum:    94864 2cd66c4b1fad6f8cf76d88fb3d32b64e
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.2_mipsel.deb
      Size/MD5 checksum:   281570 1913fcf10728ea03dd914aef054b062a
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.2_mipsel.deb
      Size/MD5 checksum:   496042 9396140993730275d6b8de6e34675f54

PowerPC architecture:

    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.2_powerpc.deb
      Size/MD5 checksum:   375068 666bbe22fd67328d8992facd41d1896b
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.2_powerpc.deb
      Size/MD5 checksum:   178500 ae76150c581357a02d9b7bb8ced0dbdc
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.2_powerpc.deb
      Size/MD5 checksum:    91100 9a647196076ff0ca93f1972be8e06c96
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.2_powerpc.deb
      Size/MD5 checksum:   269858 c7c3f542facc9f807dbbd1a8452cd732
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.2_powerpc.deb
      Size/MD5 checksum:   466862 5e4a8282b7befb8471bcaa48d7f7e578

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.2_s390.deb
      Size/MD5 checksum:   374846 b2479d34b339e43b754f856d04fe7c18
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.2_s390.deb
      Size/MD5 checksum:   177838 29fb48bb7d7df2abf795ba8d18d54dba
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.2_s390.deb
      Size/MD5 checksum:    83068 c693a61e70c3551ff06ebbe3902d77da
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.2_s390.deb
      Size/MD5 checksum:   270776 e518ea7234a90f9ad6775402bd1ebed9
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.2_s390.deb
      Size/MD5 checksum:   465362 2e5c9c19eec1b2da7723ec841066d91d

Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.2_sparc.deb
      Size/MD5 checksum:   375452 c9bd70d1b1fdf3d46d2d0c3d90afdabe
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.0+3.0.1rc9-2.2_sparc.deb
      Size/MD5 checksum:   178438 fc7418c8bdc8191c9068544c09095ac0
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.0+3.0.1rc9-2.2_sparc.deb
      Size/MD5 checksum:    87346 dc9d3fedf805cb854e883ad054325380
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.0+3.0.1rc9-2.2_sparc.deb
      Size/MD5 checksum:   271280 5a063042a2f5700ebd15c86459192761
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.2_sparc.deb
      Size/MD5 checksum:   465524 c7a808f387b4c4c488cba086145d272a


These files will probably be moved into the stable distribution on
its next revision.
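The Size/MD5 lines above are only useful if someone actually compares them with what was downloaded. The following is an added example, not part of the Debian advisory or of the dhcp3 packaging: it parses URL / Size/MD5 pairs in the advisory's own layout (two real entries from the IA-32 list are embedded as sample input) and checks a file's size and MD5 against them, size first because it is the cheaper test and catches truncated downloads outright. The `example.invalid` URL and the byte string in `demo_constructed` are constructed for the self-check and are not real packages. Caveat: MD5 is no longer collision-resistant, so a match proves only that the download is the file the advisory lists, and that statement is worth exactly as much as the PGP signature on the advisory that carries the sums; verify the signature first.

```python
"""Check a downloaded Debian package against a DSA's "Size/MD5 checksum" lines.

Added example for this newsletter; not code from Debian or the dhcp3 package.
"""
import hashlib
import os
import re

# Two entries copied verbatim from the advisory's "Intel IA-32 architecture" list.
ADVISORY_EXCERPT = """\
Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.0+3.0.1rc9-2.2_i386.deb
      Size/MD5 checksum:   375346 27d1ad0d2b6cfbbdebfcdf034edfef0b
    http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.0+3.0.1rc9-2.2_i386.deb
      Size/MD5 checksum:   465170 2bf1b093963bcd214e1edd9a078b7446
"""

URL_RE = re.compile(r"^\s*(https?://\S+)\s*$")
SUM_RE = re.compile(r"^\s*Size/MD5 checksum:\s+(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_advisory(text):
    """Return {basename: (size, md5hex)} from the advisory's URL / checksum line pairs.

    The DSA format puts the URL on one line and the Size/MD5 line directly
    under it, so a checksum line is attached to the most recent URL seen.
    """
    expected = {}
    pending_url = None
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            pending_url = m.group(1)
            continue
        m = SUM_RE.match(line)
        if not m:
            continue
        if pending_url is None:
            raise ValueError("checksum line without a preceding URL: " + line.strip())
        name = pending_url.rsplit("/", 1)[-1]
        expected[name] = (int(m.group(1)), m.group(2).lower())
        pending_url = None
    return expected


def verify_bytes(name, data, expected):
    """Compare size, then MD5, of `data` with the advisory entry for `name`.

    Returns (ok, reason). Size is checked first: it is free and already
    rejects a truncated download before any hashing is done.
    """
    if name not in expected:
        return False, "not listed in advisory"
    size, md5 = expected[name]
    if len(data) != size:
        return False, "size mismatch: got %d, advisory says %d" % (len(data), size)
    digest = hashlib.md5(data).hexdigest()
    if digest != md5:
        return False, "md5 mismatch: got %s, advisory says %s" % (digest, md5)
    return True, "size and MD5 match advisory"


def verify_file(path, expected):
    """Verify a package on disk; the advisory keys entries by file basename."""
    with open(path, "rb") as f:
        data = f.read()
    return verify_bytes(os.path.basename(path), data, expected)


def demo_constructed():
    """Offline self-check on constructed data (hypothetical URL, not a real .deb).

    Builds a one-entry listing whose sum we compute ourselves, then verifies
    the good body, a truncated body (size check fires) and a same-length
    tampered body (MD5 check fires).
    """
    body = b"constructed package body, not a real .deb\n"
    listing = (
        "    http://example.invalid/pool/updates/main/f/fake/fake_1.0-1_i386.deb\n"
        "      Size/MD5 checksum:   %d %s\n" % (len(body), hashlib.md5(body).hexdigest())
    )
    exp = parse_advisory(listing)
    return {
        "good": verify_bytes("fake_1.0-1_i386.deb", body, exp),
        "truncated": verify_bytes("fake_1.0-1_i386.deb", body[:-1], exp),
        "tampered": verify_bytes("fake_1.0-1_i386.deb", body[:-1] + b"!", exp),
    }


if __name__ == "__main__":
    for label, (ok, why) in demo_constructed().items():
        print("%-9s %s  %s" % (label, "OK " if ok else "BAD", why))
```

In practice you would feed `parse_advisory` the whole signed advisory text and call `verify_file` on each `.deb` fetched from `security.debian.org`; anything reported as "not listed" or mismatched should not be installed.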

-------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-secur-@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+NpF3W5ql+IAeqTIRAic7AJ98qQAQ6DGiqMTvAzNvrI7C6dXcDwCeLy4l
L5vf3sHCMEhErjT5PDv6Ve0=
=rLCC
-----END PGP SIGNATURE-----

===============================================================================

End of "GN SecNews Vol #2"

===============================================================================


--
- vijay