[GN][News:] GN SecNews #3
Vijay Kumar
Feb 09, 2003 18:25 PST
GN SecNews Vol #3
-----------------
News Article Type: Weekly
Author: vijay (vijay-@users.sourceforge.net)
Date: Mon Feb 10 07:41:53 IST 2003
Please send in your comments and suggestions for improvement.
Disclaimer: This is a compilation of Security News Articles/Advisories from various GNU/Linux Providers, Developers and Users. The Author(s) of this article make no warranties of any kind whatsoever with respect to the information obtained from the sources. The information given here is reproduced as is from the source, with the PGP signature where available.
===============================================================================
Contents
========
1.) SecurityFocus Linux Newsletter #117
2.) [RHSA-2003:040-07] Updated openldap packages available
3.) [RHSA-2003:017-06] Updated PHP packages available
4.) [RHSA-2003:025-20] Updated 2.4 kernel fixes various vulnerabilities
5.) BDT_AV200212140001: Insecure default: Using pam_xauth for su from sh-utils package
===============================================================================
1.)
===============================================================================
SecurityFocus Linux Newsletter #117
===============================================================================
SecurityFocus Linux Newsletter #117
-----------------------------------
This newsletter is sponsored by: Black Hat (http://www.blackhat.com)
Spooked about Windows security? Getting "slammed" hard by worms? Find
all of the solutions at Black Hat Windows Security Briefings & Training,
February 24-27 in Seattle, the world's premier technical event for Windows
security experts.
All of the top experts you've read about recently are speaking. Fully
supported by Microsoft, with new MS hosted training sessions just added!
Visit www.blackhat.com to register.
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. Forensics on the Windows Platform, Part 1
2. The Busy Life of a Welsh Virus-Writer
3. New Book: Hacker's Challenge 2 Test Your Network Security...
4. SecurityFocus DPP Program
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. LINUX VULNERABILITY SUMMARY
1. GNU Mailman 'email' Cross Site Scripting Vulnerability
2. GNU Mailman Error Page Cross Site Scripting Vulnerability
3. slocate Local Buffer Overrun Vulnerability
4. Blackboard Learning System search.pl SQL Injection Variant...
5. Noffle Remote Memory Corruption Vulnerability
6. Sun Java Virtual Machine Illegal Access To Object Methods...
7. Sun JSSE/Java Plug-In/Java Web Start Incorrect Certificate...
8. SpamAssassin BSMTP Mode Buffer Overflow Vulnerability
9. YaBB SE News.PHP Remote File Include Vulnerability
10. FTLS GuestBook Script Injection Vulnerability
11. DotProject Remote File Include Vulnerability
12. MIT Kerberos Key Distribution Center Remote Format String...
13. MIT Kerberos Remote Heap Corruption Vulnerability
14. MIT Kerberos / Key Distribution Center Shared Key User...
15. PLP Tools plpnfsd Syslog Format String Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. NIS with local root (Thread)
2. Secure Web-Based Administration (Thread)
3. Administrivia: Trimming replies (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORM
1. McAfee Active Virus Defense Small Business Edition
2. F-Secure Anti-Virus Total Suite
3. eTrust Antivirus
V. NEW TOOLS FOR LINUX PLATFORMS
1. TinyMonitor v0.9b
2. J2SSH v0.0.4
3. Bastille Linux v2.0.4
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Forensics on the Windows Platform, Part 1
By Jamie Morris
This article, the first in a two-part series about forensics on the
Windows platform, will examine the preparatory steps that can be taken by
both investigators and system administrators alike. While this series is
concerned with Windows-specific investigations, this article will examine
some basic, non-technical concepts that are applicable to all forensic
investigations.
http://online.securityfocus.com/infocus/1661
2. The Busy Life of a Welsh Virus-Writer
By George Smith
The prison-bound author of the Gokar virus loves shoes, pole dancers and
personal self-disclosure. His blog tells all.
http://online.securityfocus.com/columnists/138
3. New Book: Hacker's Challenge 2 Test Your Network Security & Forensic
Skills
Do you have what it takes to keep the bad guys out of your network? Find
out with the latest edition of this best-selling book featuring 20+ all
new hacking challenges for you to solve. Plus, you'll get in-depth
solutions for each, all written by experienced security consultants.
For more information visit:
http://shop.osborne.com/cgi-bin/osborne/0072226307.html
4. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11
Solutions to today’s security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. GNU Mailman 'email' Cross Site Scripting Vulnerability
BugTraq ID: 6677
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6677
Summary:
Mailman is software to help manage email discussion lists, much like
Majordomo and SmartList. It is written and maintained by the GNU Project
and is available for the Linux and Unix operating systems.
A cross site scripting vulnerability has been discovered in GNU Mailman.
The issue occurs due to insufficient sanitization of URI parameters.
Specifically, the 'email' URI parameter is not correctly filtered for
embedded HTML or script code.
As a result, attackers may embed malicious script code or HTML into a link
to a site running the vulnerable software. When this link is followed by a
web user, the attacker-supplied code will be interpreted in their web
browser in the security context of the site hosting the software.
It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. Other
attacks are also possible.
2. GNU Mailman Error Page Cross Site Scripting Vulnerability
BugTraq ID: 6678
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6678
Summary:
Mailman is software to help manage email discussion lists, much like
Majordomo and SmartList. It is written and maintained by the GNU Project
and is available for the Linux and Unix operating systems.
A cross site scripting vulnerability has been discovered in GNU Mailman.
The issue occurs due to insufficient sanitization of URI parameters.
Specifically, the 'language' variable is not sufficiently sanitized before
being included in error pages.
As a result, attackers may embed malicious script code or HTML into a link
to a site running the vulnerable software. When this link is followed by a
web user, the attacker-supplied code will be interpreted in their web
browser in the security context of the site hosting the software.
It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. Other
attacks are also possible.
It has been reported that GNU Mailman 2.0.11 is not affected by this
issue.
3. slocate Local Buffer Overrun Vulnerability
BugTraq ID: 6676
Remote: No
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6676
Summary:
Secure Locate (slocate) provides a secure way to index and quickly search
for files on your system. It is available for the Linux and Unix operating
systems. Typically slocate is installed with setgid 'slocate' privileges.
A buffer overrun vulnerability has been discovered in slocate. The issue
occurs when 1024 or more bytes of data are supplied to both the regex
('-r') and the parse-/etc/updatedb.conf ('-c') command-line arguments.
This issue occurs due to insufficient bounds checking on user-supplied
input.
A malicious local user may be able to exploit this issue to overwrite
sensitive locations in memory. For instance, by overwriting the program's
instruction pointer it may be possible to redirect program flow to
attacker-supplied instructions. As slocate is typically installed with
setgid privileges, any code execution accomplished by an attacker will run
with group 'slocate' privileges. An attacker may leverage this privilege
escalation to exploit the target system further.
*** Conflicting details have since been released reporting that the issue
described is not a buffer overflow. Furthermore, the programming error
that does occur may not be a security issue and thus may not be
exploitable.
4. Blackboard Learning System search.pl SQL Injection Variant Vulnerability
BugTraq ID: 6687
Remote: Yes
Date Published: Jan 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6687
Summary:
Blackboard Learning system is a suite of software products available for
Microsoft Windows, Linux and Solaris servers that power an "e-Education
Infrastructure" for education providers.
Blackboard Learning System, in some cases, does not sufficiently sanitize
user-supplied input which is used when constructing SQL queries. As a
result, attackers may supply malicious parameters to manipulate the
structure and logic of SQL queries. This may result in unauthorized
operations being performed on the underlying database.
This vulnerability was reported to exist in the search.pl script file. A
remote attacker can exploit this vulnerability to discover the passwords
of other users.
This vulnerability is a variant of the vulnerability described in BID
6655.
This vulnerability was reported for Blackboard Learning System 5.5.1,
level 1 and 2. Previous releases may also be affected.
5. Noffle Remote Memory Corruption Vulnerability
BugTraq ID: 6695
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6695
Summary:
Noffle is a news (NNTP) server designed to serve a small number of users
over low-speed dial-up connections to the Internet. It is available for
the Unix and Linux operating systems.
A memory corruption bug has been discovered in Noffle. The issue can be
triggered remotely and may cause a segmentation violation in the affected
server. This issue is likely caused when Noffle attempts to process a
malicious news group or entry.
Although unconfirmed, this issue may be exploitable by a remote attacker
to trigger a denial of service or possibly execute arbitrary code.
Attacker-supplied instructions would be executed with the privileges of
the invoker of Noffle, likely the 'news' user.
The technical details regarding this issue are currently unknown. This BID
will be updated when further information becomes available.
6. Sun Java Virtual Machine Illegal Access To Object Methods Vulnerability
BugTraq ID: 6681
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6681
Summary:
A vulnerability has been reported in the Sun Java Virtual Machine that may
allow illegal access to protected fields or methods of an object.
Precise technical details of this vulnerability are not currently known
however this vulnerability may have security implications. It may be
possible to exploit this vulnerability to gain read/write access to system
files despite the security constraints placed on the Applet sandbox. The
ability to access protected values may also be leveraged to launch other
attacks.
It may be possible to execute commands on target systems if this
vulnerability is exploited in conjunction with others.
7. Sun JSSE/Java Plug-In/Java Web Start Incorrect Certificate Validation Vulnerability
BugTraq ID: 6682
Remote: Yes
Date Published: Jan 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6682
Summary:
Sun JSSE (Java Secure Socket Extension) is a series of Java packages to
facilitate secure network communications. Java Plug-In is software to
enhance inter-operability with applets and Java beans. It is included
with releases of the JRE (Java Runtime Environment). Java Web Start is
software to simplify deployment of Java applications, allowing users to
launch Java applications from embedded links in web pages.
In the case of JSSE, incorrect certificate validation may result in
untrusted and potentially hostile websites being successfully
authenticated for SSL transactions. If successfully exploited, a malicious
website may be validated for an SSL transaction, and this may lead to
further attacks against the user based on the false trust created by this
vulnerability. Applications which use JSSE will be prone to this issue.
The vulnerability occurs if an SSLContext was initialized, using the
SSLContext.init() method, with an instance of the X509TrustManager
implementation. This causes JSSE to incorrectly call the
isClientTrusted() method when making trust decisions.
Java Plug-In and Java Web Start do not correctly validate signed JAR
files. This may result in untrusted and potentially hostile code being
treated and therefore executed as though it is trusted. An attacker may
exploit this to transmit a signed JAR file containing malicious code to a
user of the software, which will appear to be trusted by the software.
Any web browsers which are configured to use JRE and include the Java
Plug-In or Java Web Start may be prone to this issue.
It is not currently known what circumstances are required to reproduce
these conditions. Though not verified, this may be similar to the issue
described in BID 5410.
8. SpamAssassin BSMTP Mode Buffer Overflow Vulnerability
BugTraq ID: 6679
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6679
Summary:
SpamAssassin is a mail filter to identify and process spam. It is
available for Linux and Unix variant operating systems.
A buffer overflow vulnerability has been reported for SpamAssassin. The
vulnerability exists when SpamAssassin has been configured for use with
BSMTP (Batch Simple Mail Transfer Protocol) processing.
SpamAssassin uses the program spamc to process mail. 'spamc' is the client
program that feeds data to the spamd service that processes email. BSMTP
processing is enabled by executing spamc with the '-B' option.
The vulnerability occurs when SpamAssassin is escaping '.' characters when
processing email headers. Due to insufficient bounds checking performed by
the filter, it is possible for a remote attacker to trigger the buffer
overflow condition.
An attacker can exploit this vulnerability by composing a malicious email
with specific headers. This will cause the buffer overflow condition in
the program, spamc. This may result in malicious attacker-supplied code
being executed with the privileges of the spamc process.
It should be noted that this issue allows an attacker to write the value
of the '.' character to the LSB (least significant byte) of the value
stored above the affected buffer. Under some circumstances this may be the
function's saved frame pointer, but the exploitability of this issue is
highly uncertain.
This vulnerability was reported to affect SpamAssassin 2.40 to 2.43.
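Added example, not SpamAssassin or spamc code: a dot-stuffing routine of the kind the BSMTP path needs, written so that the extra escape byte can never land past the end of the output buffer. The line-based escaping rule is the SMTP one (a line beginning with '.' gets a second '.'); the page does not show how spamc itself escapes, so `dot_stuff` and `check_dot_stuff` are names assumed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Dot-stuffs `in` into `out`: every line that starts with '.' gets a
 * second '.' in front (RFC 5321, section 4.5.2).  Returns the number of
 * bytes written, excluding the terminating NUL, or -1 if the result would
 * not fit.  Each input byte can produce at most two output bytes, so
 * 2*strlen(in)+1 bytes always suffice. */
long dot_stuff(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    int line_start = 1;

    for (const char *p = in; *p != '\0'; p++) {
        if (line_start && *p == '.') {
            /* The extra escape byte is the one an unchecked escaper
             * lets run one byte past the end of the buffer. */
            if (o + 1 >= outsz)
                return -1;
            out[o++] = '.';
        }
        if (o + 1 >= outsz)
            return -1;
        out[o++] = *p;
        line_start = (*p == '\n');
    }
    if (o >= outsz)
        return -1;        /* zero-length buffer: no room even for NUL */
    out[o] = '\0';
    return (long)o;
}

/* Self-check helper: 1 if dot_stuff() into a buffer of `outsz` bytes
 * produces `expected`, 0 if it produced something else, -1 if it refused
 * because the result would not fit. */
int check_dot_stuff(const char *in, size_t outsz, const char *expected)
{
    char out[256];

    if (outsz > sizeof out)
        outsz = sizeof out;
    if (dot_stuff(in, out, outsz) < 0)
        return -1;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample message body with two lines beginning with '.' */
    const char *body = ".hello\n..x\nok";
    char out[64];
    long n = dot_stuff(body, out, sizeof out);

    printf("%ld bytes:\n%s\n", n, out);               /* 15 bytes */
    /* The stuffed text needs 15 bytes plus NUL; 15 bytes is one too few. */
    printf("fits in 16: %d\n", check_dot_stuff(body, 16, "..hello\n...x\nok"));
    printf("fits in 15: %d\n", check_dot_stuff(body, 15, "..hello\n...x\nok"));
    return 0;
}
```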
9. YaBB SE News.PHP Remote File Include Vulnerability
BugTraq ID: 6674
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6674
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for a number of platforms including Unix,
Linux, and Microsoft Windows operating systems.
A vulnerability has been discovered in YaBB SE. Due to insufficient
sanitization of some user-supplied variables by the 'News.php' script, it
is possible for a remote attacker to include a malicious PHP file in a
URL.
An attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the
'$template' parameter.
If the remote file is a malicious PHP script, this may allow for execution
of attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may provide local access to the attacker.
This vulnerability was reported for YaBB SE 1.5.1 and earlier.
10. FTLS GuestBook Script Injection Vulnerability
BugTraq ID: 6686
Remote: Yes
Date Published: Jan 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6686
Summary:
FTLS Guestbook is freely available guestbook software. It will run on most
Unix and Linux variants, as well as Microsoft Windows operating systems.
Guestbook does not adequately filter HTML tags from various fields. This
may enable an attacker to inject arbitrary script code into pages that are
generated by the guestbook.
The attacker's script code may be executed in the web client of arbitrary
users who view the pages generated by the guestbook, in the security
context of the website running the software.
Attackers may potentially exploit this issue to hijack web content or to
steal cookie-based authentication credentials.
This vulnerability was reported for FTLS Guestbook 1.1.
11. DotProject Remote File Include Vulnerability
BugTraq ID: 6710
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6710
Summary:
dotproject is web-based project management software, written in PHP. It is
designed to run on Unix and Linux variants.
dotproject is prone to an issue which may allow remote attackers to
include arbitrary files located on remote servers. This issue is present
in several PHP script files provided with dotproject in the 'modules'
directory which try to include the file 'classdefs/date.php'.
The following scripts are affected:
modules/projects/addedit.php
modules/projects/view.php
modules/projects/vw_files.php
modules/tasks/addedit.php
modules/tasks/viewgantt.php
Under some circumstances, it is possible for remote attackers to influence
the include path for 'date.php' to point to an external file on a remote
server by manipulating the $root_dir URI parameter.
If the remote file is a malicious PHP script, this may be exploited to
execute arbitrary commands in the context of the webserver.
12. MIT Kerberos Key Distribution Center Remote Format String Vulnerabilities
BugTraq ID: 6712
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6712
Summary:
Kerberos is a network authentication protocol. It is designed to provide
strong authentication for client/server applications by using secret-key
cryptography. Kerberos is written and maintained by MIT. It is available
for a variety of platforms including the Microsoft Windows, Unix, and
Linux operating systems.
A number of vulnerabilities have been reported in the MIT Kerberos Key
Distribution Center (KDC). It has been reported that the KDC fails to
supply format specifiers when handling user-supplied data. Specifically,
principal names supplied by a remote user are handled by functions of the
printf family without a separate format string, so the name itself is
interpreted as the format. It has been determined that under some
circumstances an unauthenticated remote user may be able to pass principal
names to an affected server.
An attacker could exploit this vulnerability by supplying a maliciously
crafted principal name containing format specifiers. By writing
attacker-controlled values to memory using the %n format specifier, it may
be possible for a remote attacker to execute arbitrary commands.
As this issue affects older releases of Kerberos, a BID may already exist.
If this issue proves to be covered in a previous database entry, this BID
will be retired and the correct BID will be updated accordingly.
13. MIT Kerberos Remote Heap Corruption Vulnerability
BugTraq ID: 6713
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6713
Summary:
Kerberos is a network authentication protocol. It is designed to provide
strong authentication for client/server applications by using secret-key
cryptography. Kerberos is written and maintained by MIT. It is available
for a variety of platforms including the Microsoft Windows, Unix, and
Linux operating systems.
A vulnerability has been discovered in MIT Kerberos. It has been reported
that, due to insufficient bounds checking and sanitization of
user-supplied data, Kerberos is prone to memory corruption.
A remote attacker may trigger this condition by supplying a negative
length value in a malicious packet sent to a target server. This may
result in insufficient memory being allocated or cause invalid memory to
be referenced. Successful exploitation of this issue may result in a
denial of service.
Due to the nature of this vulnerability it may be possible for an attacker
to create a situation in which sensitive memory could be overwritten. If
successful, this could allow for the execution of arbitrary code with the
privileges of Kerberos. The possibility of exploiting this issue to
execute code, however, has not been confirmed.
As this issue affects older releases of Kerberos, a BID may already exist.
If this issue proves to be covered in a previous database entry, this BID
will be retired and the correct BID will be updated accordingly.
14. MIT Kerberos / Key Distribution Center Shared Key User Spoofing Vulnerability
BugTraq ID: 6714
Remote: Yes
Date Published: Jan 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6714
Summary:
Kerberos is a network authentication protocol. It is designed to provide
strong authentication for client/server applications by using secret-key
cryptography. Kerberos is written and maintained by MIT. It is available
for a variety of platforms including the Microsoft Windows, Unix, and
Linux operating systems.
A vulnerability has been discovered in MIT Kerberos and the Key
Distribution Center (KDC). It has been reported that a user within a realm
implementing shared keys may be able to spoof another legitimate non-local
user.
This issue is exploitable due to insufficient realm transit path
verification by the affected software.
This vulnerability exists only if non-local principal names are located in
the KDC's access control list. The ability to impersonate another
legitimate user may be leveraged by an attacker to obtain sensitive
information. Under some circumstances a malicious attacker may be able to
impersonate a user with privileges beyond their own.
This issue affects MIT Kerberos 5 release 1.2.2 and earlier. As this issue
affects older releases of Kerberos, a BID may already exist. If this issue
proves to be covered in a previous database entry, this BID will be
retired and the correct BID will be updated accordingly.
15. PLP Tools plpnfsd Syslog Format String Vulnerability
BugTraq ID: 6715
Remote: No
Date Published: Jan 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6715
Summary:
PLP Tools is a collection of libraries and utilities for enabling Unix and
Linux variant systems to communicate with a Psion palmtop over a serial
line. plpnfsd is the server application that allows users to mount Psion
filesystems on workstations.
A vulnerability has been reported for plpnfsd that may result in an
attacker obtaining elevated privileges on the vulnerable system.
Due to a programming error, it may be possible to exploit a format string
vulnerability in plpnfsd. A logging function in plpnfsd contains insecure
syslog() calls. This could result in the execution of attacker-supplied
code.
The vulnerability occurs when plpnfsd receives a carefully constructed
directory name that includes malicious format string specifiers. In the
event that this vulnerability is exploited, an attacker could cause
arbitrary locations in memory to be corrupted with attacker-specified data
and execute code with elevated privileges.
This vulnerability is also exacerbated by the fact that the plpnfsd daemon
is installed with setuid root privileges.
This vulnerability was reported for plptools 0.6.
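Added example covering both the KDC principal-name issue (item 12) and the plpnfsd syslog() issue (item 15); it is not MIT Kerberos or plptools code. `log_line` is a stand-in for syslog(3) that writes to a buffer so the result can be inspected, and the unsafe and hardened callers show why the fix is a fixed format string with the untrusted name passed as an argument; `has_format_directive` is an input-validation check assumed here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3) that formats into a caller-supplied buffer so
 * the result can be inspected.  As with syslog(), `fmt` is a printf-style
 * format string. */
static int log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Unsafe pattern (the bug class behind BIDs 6712 and 6715): the untrusted
 * name *is* the format string, so any '%' directive in it is executed by
 * the formatting engine instead of being copied. */
int log_name_unsafe(char *out, size_t outsz, const char *name)
{
    return log_line(out, outsz, name);
}

/* Hardened pattern: a fixed format string; untrusted text is an argument. */
int log_name_safe(char *out, size_t outsz, const char *name)
{
    return log_line(out, outsz, "%s", name);
}

/* Input-validation / audit check: 1 if the text carries a '%' directive,
 * which no legitimate principal or directory name needs. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* 1 if logging `name` the unsafe way changes the text (i.e. it was
 * interpreted as a format), 0 if it came through verbatim.  Only call it
 * with "%%" directives: any other directive makes the unsafe call read
 * arguments that were never passed, which is undefined behaviour. */
int interpreted_as_format(const char *name)
{
    char unsafe[256], safe[256];

    log_name_unsafe(unsafe, sizeof unsafe, name);
    log_name_safe(safe, sizeof safe, name);
    return strcmp(unsafe, safe) != 0;
}

int main(void)
{
    /* Constructed sample: "%%" is the one directive that is harmless; it
     * just collapses to a single '%'.  That is enough to show the logger
     * executing the name rather than copying it. */
    const char *name = "alice%%example";
    char buf[256];

    log_name_unsafe(buf, sizeof buf, name);
    printf("unsafe : %s\n", buf);                          /* alice%example  */
    log_name_safe(buf, sizeof buf, name);
    printf("safe   : %s\n", buf);                          /* alice%%example */
    printf("flagged: %d\n", has_format_directive(name));   /* 1 */
    return 0;
}
```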
III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. NIS with local root (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/309475
2. Secure Web-Based Administration (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/309114
3. Administrivia: Trimming replies (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/309085
IV. NEW PRODUCTS FOR LINUX PLATFORM
-----------------------------------
1. McAfee Active Virus Defense Small Business Edition
by Network Associates
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
http://www.mcafeesecurity.com/products/small-business/active-virus.asp
Summary:
This product suite serves as your dedicated anti-virus department. This
edition not only features VirusScan, WebShield, and NetShield to defend
all tiers of your network, it adds the control of ePolicy Orchestrator.
This flexible tool lets you enforce your chosen anti-virus policy, and
gives you unprecedented visibility into virus defense across your network.
Active Virus Defense Small Business Edition prevents outbreaks, promotes
productivity, and protects your anti-virus budget.
2. F-Secure Anti-Virus Total Suite
by F-Secure Corporation
Platforms: DOS, Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
http://www.f-secure.com/products/anti-virus/totalsuite/
Summary:
F-Secure Anti-Virus Total Suite includes all critical components for
corporate virus security. By using F-Secure's award winning workstation,
file server, email server and firewall anti-virus products, you are always
protected even against the latest threats. All F-Secure Anti-Virus Total
Suite products are centrally manageable with one easy to use management
solution, F-Secure Policy Manager.
3. eTrust Antivirus
by Computer Associates International, Inc.
Platforms: Linux, MacOS, Netware, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
http://www3.ca.com/Solutions/ProductFamily.asp?ID=156
Summary:
eTrust Antivirus is a set of award-winning antivirus solutions, providing
superior protection against today's most prevalent security threat:
viruses. Based on advanced technology, eTrust Antivirus reduces virus
infections, simplifies and automates updating, and eases administration.
eTrust Antivirus is certified by ICSA Labs for detecting 100% of "in the
wild" viruses.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. TinyMonitor v0.9b
by Brian Shellabarger
Relevant URL:
http://www.glug.com/projects/
Platforms: FreeBSD, Linux, POSIX, Solaris, SunOS, UNIX
Summary:
TinyMonitor is written in Perl and was created out of pure necessity for a
simple monitoring program that watched the actual content of returned
pages rather than simply checking to see if the httpd service was running.
It can be used for simple Web server monitoring (i.e., is it actually
delivering content?) or to verify that a page is returning what you expect
(i.e., a 200 rather than a 404). It is very small and designed to work
through cron. Alerts are sent via email to a pager or SMS phone.
2. J2SSH v0.0.4
by Richard Pernavas
Relevant URL:
http://www.sshtools.com
Platforms: OS Independent
Summary:
J2SSH is an object-orientated Java implementation of the SSH2 protocol. It
provides a rich, powerful, and extensible SSH API that enables developers
to gain access to SSH servers and to develop entire SSH client/server
frameworks. The API library provides a fully-featured SSH2 implementation
specifically designed for cross-platform development. Higher level
components, representing both the standard SSH client and SSH servers, are
provided which implement the protocol specification for user sessions and
port forwarding. The specification currently supports public-key and
password authentication, with X11 forwarding and SFTP to follow.
3. Bastille Linux v2.0.4
by Jay Beale jay@bastille dash linux.org
Relevant URL:
http://www.bastille-linux.org/
Platforms: Linux
Summary:
Bastille Linux aims to be the most comprehensive, flexible, and
educational Security Hardening Program for Red Hat, Mandrake, and Debian
Linux, along with HP-UX. Virtually every task it performs is optional,
providing immense flexibility. It educates the installing admin regarding
the topic at hand before asking any question. The interactive nature
allows the program to be more thorough when securing, while the
educational component produces an admin who is less likely to compromise
the increased security.
VI. SPONSOR INFORMATION
-----------------------
This newsletter is sponsored by: Black Hat (http://www.blackhat.com)
Spooked about Windows security? Getting "slammed" hard by worms? Find
all of the solutions at Black Hat Windows Security Briefings & Training,
February 24-27 in Seattle, the world's premier technical event for Windows
security experts.
All of the top experts you've read about recently are speaking. Fully
supported by Microsoft, with new MS hosted training sessions just added!
Visit www.blackhat.com to register.
-------------------------------------------------------------------------------
===============================================================================
End of SecurityFocus Newsletter #117
===============================================================================
2.)
===============================================================================
[RHSA-2003:040-07] Updated openldap packages available
===============================================================================
[RHSA-2003:040-07] Updated openldap packages available
---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Updated openldap packages available
Advisory ID: RHSA-2003:040-07
Issue date: 0000-01-01
Updated on: 2003-02-05
Product: Red Hat Linux
Keywords: openldap setuid .ldaprc buffer overflow
Cross references:
Obsoletes: RHSA-2002-014
CVE Names: CAN-2002-1378 CAN-2002-1379
---------------------------------------------------------------------
1. Topic:
Updated openldap packages are available which fix a number of local and
remote buffer overflows in libldap and the slapd and slurpd servers, and
potential issues stemming from using user-specified LDAP configuration files.
2. Relevant releases/architectures:
Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
3. Problem description:
OpenLDAP is a suite of LDAP (Lightweight Directory Access Protocol)
applications and development tools. LDAP is a set of protocols for
accessing directory services. In an audit of OpenLDAP by SuSE, a number of
potential security issues were found:
When reading configuration files, libldap would read the current user's
.ldaprc file even in applications being run with elevated privileges.
Slurpd would overflow an internal buffer if the command-line argument used
with the -t or -r flags was too long, or if the name of a file for which it
attempted to create an advisory lock was too long.
When parsing filters, the getfilter family of functions from libldap could
be made to overflow an internal buffer by supplying a carefully crafted
ldapfilter.conf file.
When processing LDAP entry display templates, libldap could be made to
overflow an internal buffer by supplying a properly crafted
ldaptemplates.conf file.
When parsing an access control list, slapd could be made to overflow an
internal buffer.
When constructing the name of the file used for logging rejected
replication requests, slapd would overflow an internal buffer if the size
of the generated name was too large, and could be tricked into destroying
the contents of any file owned by the ldap user due to a race condition in
the subsequent creation of the log file.
Red Hat Linux users who use LDAP are advised to install the updated
openldap packages which are not vulnerable to these issues.
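The first issue above (libldap honouring the invoking user's .ldaprc even when the program runs with elevated privileges) is a general hazard for any setuid or setgid program that reads per-user configuration: the file is controlled by the less privileged real user, but it steers code running under the effective identity. The C below is an added illustration, not code from OpenLDAP or Red Hat. It shows the two checks such a program should make: refuse the user file entirely when real and effective IDs differ, and otherwise open it without following symlinks and verify on the open descriptor that it is a regular file owned by that user and not group/world writable. The names user_rc_allowed, open_trusted_rc, write_demo_rc and demo_rc_accepted, and the demo path under /tmp, are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>

/*
 * First check: a program running setuid/setgid must not consult per-user
 * rc files at all. Returns 1 only when real and effective ids agree.
 */
int user_rc_allowed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/*
 * Second check: even when allowed, open the rc file defensively.
 *  - O_NOFOLLOW: a symlink in $HOME must not redirect the read elsewhere;
 *  - fstat() on the descriptor (not stat() on the path) so the checks
 *    apply to the file that was actually opened;
 *  - regular file, owned by the expected user, not group/world writable.
 * Returns an open read-only descriptor, or -1 if any check fails.
 */
int open_trusted_rc(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||
        st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo helper (example only): write a small rc file with the given mode. */
int write_demo_rc(const char *path, mode_t mode)
{
    const char *contents = "HOST ldap.example.internal\nBASE dc=example,dc=com\n";
    int fd;
    unlink(path);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, contents, strlen(contents)) != (ssize_t)strlen(contents) ||
        fchmod(fd, mode) != 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Create an rc file with `mode`, run the hardened open, report 1/0 (-1 on setup error). */
int demo_rc_accepted(const char *path, mode_t mode)
{
    int fd;
    if (write_demo_rc(path, mode) != 0)
        return -1;
    fd = open_trusted_rc(path, getuid());
    if (fd >= 0)
        close(fd);
    unlink(path);
    return fd >= 0;
}

int main(void)
{
    const char *path = "/tmp/ldaprc-demo";
    printf("setuid case (ruid 1000, euid 0): rc allowed = %d\n",
           user_rc_allowed(1000, 0, 100, 100));
    printf("0600 rc file accepted = %d\n", demo_rc_accepted(path, 0600));
    printf("0666 rc file accepted = %d\n", demo_rc_accepted(path, 0666));
    return 0;
}
```

The ownership and mode checks are the second line of defence; the first check is what closes the hole the advisory describes, since a user who can run a privileged program can always write their own $HOME/.ldaprc.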
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.
Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
5. RPMs required:
Red Hat Linux 6.2:
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/openldap-1.2.13-2.src.rpm
i386:
ftp://updates.redhat.com/6.2/en/os/i386/openldap-1.2.13-2.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/openldap-clients-1.2.13-2.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/openldap-devel-1.2.13-2.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/openldap-servers-1.2.13-2.i386.rpm
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/openldap-2.0.27-2.7.1.src.rpm
ftp://updates.redhat.com/7.0/en/os/SRPMS/openldap12-1.2.13-8.src.rpm
i386:
ftp://updates.redhat.com/7.0/en/os/i386/openldap-2.0.27-2.7.1.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openldap-clients-2.0.27-2.7.1.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openldap-devel-2.0.27-2.7.1.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openldap-servers-2.0.27-2.7.1.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openldap12-1.2.13-8.i386.rpm
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/openldap-2.0.27-2.7.1.src.rpm
ftp://updates.redhat.com/7.1/en/os/SRPMS/openldap12-1.2.13-8.src.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/openldap-2.0.27-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openldap-clients-2.0.27-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openldap-devel-2.0.27-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openldap-servers-2.0.27-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openldap12-1.2.13-8.i386.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/openldap-2.0.27-2.7.3.src.rpm
ftp://updates.redhat.com/7.2/en/os/SRPMS/openldap12-1.2.13-8.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/openldap-2.0.27-2.7.3.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openldap-clients-2.0.27-2.7.3.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openldap-devel-2.0.27-2.7.3.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openldap-servers-2.0.27-2.7.3.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openldap12-1.2.13-8.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/openldap-2.0.27-2.7.3.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openldap-clients-2.0.27-2.7.3.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openldap-devel-2.0.27-2.7.3.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openldap-servers-2.0.27-2.7.3.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openldap12-1.2.13-8.ia64.rpm
Red Hat Linux 7.3:
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/openldap-2.0.27-2.7.3.src.rpm
ftp://updates.redhat.com/7.3/en/os/SRPMS/openldap12-1.2.13-8.src.rpm
i386:
ftp://updates.redhat.com/7.3/en/os/i386/openldap-2.0.27-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openldap-clients-2.0.27-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openldap-devel-2.0.27-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openldap-servers-2.0.27-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openldap12-1.2.13-8.i386.rpm
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/openldap-2.0.27-2.8.0.src.rpm
ftp://updates.redhat.com/8.0/en/os/SRPMS/openldap12-1.2.13-9.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/openldap-2.0.27-2.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openldap-clients-2.0.27-2.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openldap-devel-2.0.27-2.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openldap-servers-2.0.27-2.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/openldap12-1.2.13-9.i386.rpm
6. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
6abc37d341ed1998e0e37a5c8ae2b292 6.2/en/os/SRPMS/openldap-1.2.13-2.src.rpm
2d6741aa454a4bf6ad39447e30136b05 6.2/en/os/i386/openldap-1.2.13-2.i386.rpm
c5d39f85114ba91e94fe270c2b04a12e 6.2/en/os/i386/openldap-clients-1.2.13-2.i386.rpm
1ae2c495fb0dd934ac51365c0b6cb098 6.2/en/os/i386/openldap-devel-1.2.13-2.i386.rpm
e3c1cffb180a025811cf6a97d95c7e33 6.2/en/os/i386/openldap-servers-1.2.13-2.i386.rpm
edde5757c10e2f51a371f457cb3d4bee 7.0/en/os/SRPMS/openldap-2.0.27-2.7.1.src.rpm
92d8d3db8064d35faab46b59c077251d 7.0/en/os/SRPMS/openldap12-1.2.13-8.src.rpm
a44a25cea2e81cb296d2aad1351a750d 7.0/en/os/i386/openldap-2.0.27-2.7.1.i386.rpm
48b8097de61282171ecb2740116ea63f 7.0/en/os/i386/openldap-clients-2.0.27-2.7.1.i386.rpm
23f437d646397bebed28fad5b733ee8f 7.0/en/os/i386/openldap-devel-2.0.27-2.7.1.i386.rpm
94e6f4fc6851055fa3a224ea30b693a5 7.0/en/os/i386/openldap-servers-2.0.27-2.7.1.i386.rpm
0a692fe198ed8743ede8e6dbf999e486 7.0/en/os/i386/openldap12-1.2.13-8.i386.rpm
edde5757c10e2f51a371f457cb3d4bee 7.1/en/os/SRPMS/openldap-2.0.27-2.7.1.src.rpm
92d8d3db8064d35faab46b59c077251d 7.1/en/os/SRPMS/openldap12-1.2.13-8.src.rpm
a44a25cea2e81cb296d2aad1351a750d 7.1/en/os/i386/openldap-2.0.27-2.7.1.i386.rpm
48b8097de61282171ecb2740116ea63f 7.1/en/os/i386/openldap-clients-2.0.27-2.7.1.i386.rpm
23f437d646397bebed28fad5b733ee8f 7.1/en/os/i386/openldap-devel-2.0.27-2.7.1.i386.rpm
94e6f4fc6851055fa3a224ea30b693a5 7.1/en/os/i386/openldap-servers-2.0.27-2.7.1.i386.rpm
0a692fe198ed8743ede8e6dbf999e486 7.1/en/os/i386/openldap12-1.2.13-8.i386.rpm
148ac6c282678e649d9bc82ef68472ec 7.2/en/os/SRPMS/openldap-2.0.27-2.7.3.src.rpm
92d8d3db8064d35faab46b59c077251d 7.2/en/os/SRPMS/openldap12-1.2.13-8.src.rpm
878a1302654284097cd6b1ff37dcb990 7.2/en/os/i386/openldap-2.0.27-2.7.3.i386.rpm
42bdf5437712c8b7240cdb6dee4ec8c1 7.2/en/os/i386/openldap-clients-2.0.27-2.7.3.i386.rpm
4fedaaa2c3bae85580d80b981af12194 7.2/en/os/i386/openldap-devel-2.0.27-2.7.3.i386.rpm
9341c678193d6f6dda7c9718df75d614 7.2/en/os/i386/openldap-servers-2.0.27-2.7.3.i386.rpm
0a692fe198ed8743ede8e6dbf999e486 7.2/en/os/i386/openldap12-1.2.13-8.i386.rpm
518f368e458a617daa37baefb331fa09 7.2/en/os/ia64/openldap-2.0.27-2.7.3.ia64.rpm
c5b77b9c6a01f72f13438d058ec05cb9 7.2/en/os/ia64/openldap-clients-2.0.27-2.7.3.ia64.rpm
55e81b9cb1e2ae1a44ceb833470087ee 7.2/en/os/ia64/openldap-devel-2.0.27-2.7.3.ia64.rpm
5c6dd70a327ced63f143eee0587e9439 7.2/en/os/ia64/openldap-servers-2.0.27-2.7.3.ia64.rpm
fccda5abf8c02f80a5713438854ccb39 7.2/en/os/ia64/openldap12-1.2.13-8.ia64.rpm
148ac6c282678e649d9bc82ef68472ec 7.3/en/os/SRPMS/openldap-2.0.27-2.7.3.src.rpm
92d8d3db8064d35faab46b59c077251d 7.3/en/os/SRPMS/openldap12-1.2.13-8.src.rpm
878a1302654284097cd6b1ff37dcb990 7.3/en/os/i386/openldap-2.0.27-2.7.3.i386.rpm
42bdf5437712c8b7240cdb6dee4ec8c1 7.3/en/os/i386/openldap-clients-2.0.27-2.7.3.i386.rpm
4fedaaa2c3bae85580d80b981af12194 7.3/en/os/i386/openldap-devel-2.0.27-2.7.3.i386.rpm
9341c678193d6f6dda7c9718df75d614 7.3/en/os/i386/openldap-servers-2.0.27-2.7.3.i386.rpm
0a692fe198ed8743ede8e6dbf999e486 7.3/en/os/i386/openldap12-1.2.13-8.i386.rpm
cb6f6d639ff823cc016725dab752aacd 8.0/en/os/SRPMS/openldap-2.0.27-2.8.0.src.rpm
2ba981c5834886ca93ce492ea8c87848 8.0/en/os/SRPMS/openldap12-1.2.13-9.src.rpm
f6ffab19ae521c65396cc76d0a64c2c9 8.0/en/os/i386/openldap-2.0.27-2.8.0.i386.rpm
3e12f7f0aacca920d60fc39766b7d3e5 8.0/en/os/i386/openldap-clients-2.0.27-2.8.0.i386.rpm
351bd4cea012a1517ded0c03a4512c48 8.0/en/os/i386/openldap-devel-2.0.27-2.8.0.i386.rpm
a5b8e07d9f13a98aaf1bf999d6672efc 8.0/en/os/i386/openldap-servers-2.0.27-2.8.0.i386.rpm
0e5cbc3c9eb9136169caefed4dadd7c6 8.0/en/os/i386/openldap12-1.2.13-9.i386.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at http://www.redhat.com/about/contact/pgpkey.html
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
md5sum <filename>
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1379
8. Contact:
The Red Hat security contact is <secu-@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html
Copyright 2003 Red Hat, Inc.
===============================================================================
End Of [RHSA-2003:040-07] Updated openldap packages available
===============================================================================
3.)
===============================================================================
[RHSA-2003:017-06] Updated PHP packages available
===============================================================================
---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Updated PHP packages available
Advisory ID: RHSA-2003:017-06
Issue date: 2003-01-21
Updated on: 2003-02-04
Product: Red Hat Linux
Keywords: PHP wordwrap
Cross references:
Obsoletes:
CVE Names: CAN-2002-1396
---------------------------------------------------------------------
1. Topic:
Updated PHP packages are available that fix a vulnerability in the
wordwrap() function and a number of compatibility bugs.
2. Relevant releases/architectures:
Red Hat Linux 8.0 - i386
3. Problem description:
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP server.
A heap-based buffer overflow was found in the wordwrap() function in PHP
versions after 4.1.2 and before 4.3.0. If wordwrap() is used on
user-supplied input this could allow remote attackers to cause a denial of
service or execute arbitrary code.
Red Hat Linux 8.0 shipped with a version of PHP that was vulnerable to this
issue. Other Red Hat Linux distributions shipped with an earlier version
of PHP and are not vulnerable to this issue.
In addition, a number of compatibility bugs have also been found between PHP
4.2 and Apache 2.0.
All users of PHP are advised to upgrade to these erratum packages which
contain a patch to correct these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.
Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
74396 - safe mode not working in php-4.2.2-8.0.5
75029 - PHP with Apache 2.0: getlastmod function fails
75712 - php4 with apache 2, getenv(ANYTHING) returns blank string
75878 - Apache caches requests by default, or there is some bug around.
78586 - Invalid command php_flag
6. RPMs required:
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/php-4.2.2-8.0.7.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/php-4.2.2-8.0.7.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/php-devel-4.2.2-8.0.7.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/php-imap-4.2.2-8.0.7.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/php-ldap-4.2.2-8.0.7.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/php-manual-4.2.2-8.0.7.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/php-mysql-4.2.2-8.0.7.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/php-pgsql-4.2.2-8.0.7.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/php-odbc-4.2.2-8.0.7.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/php-snmp-4.2.2-8.0.7.i386.rpm
7. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
6142b2ac0eb22a2f6b33724ab5f40c72 8.0/en/os/SRPMS/php-4.2.2-8.0.7.src.rpm
ee10926c45bf9fb9cdd3694700662711 8.0/en/os/i386/php-4.2.2-8.0.7.i386.rpm
370779db08cf8f7f8346b516fc4ebbde 8.0/en/os/i386/php-devel-4.2.2-8.0.7.i386.rpm
ce94c1398ec3e5a2edc4455e4949da70 8.0/en/os/i386/php-imap-4.2.2-8.0.7.i386.rpm
5a7ecb7ce8ceb67ca53f1daa15488957 8.0/en/os/i386/php-ldap-4.2.2-8.0.7.i386.rpm
d7d2b4aeac657ea17d5d4a3a9f72eb51 8.0/en/os/i386/php-manual-4.2.2-8.0.7.i386.rpm
5174df281714e3bf550d5697df326be4 8.0/en/os/i386/php-mysql-4.2.2-8.0.7.i386.rpm
ed2a793624ad2869da4c09f38d88bb75 8.0/en/os/i386/php-odbc-4.2.2-8.0.7.i386.rpm
dd19149ccecab409296cdb7feaf8dd2e 8.0/en/os/i386/php-pgsql-4.2.2-8.0.7.i386.rpm
d7b8bdc55e9cc453f1639f1c34c118ef 8.0/en/os/i386/php-snmp-4.2.2-8.0.7.i386.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at http://www.redhat.com/about/contact/pgpkey.html
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
md5sum <filename>
8. References:
http://marc.theaimsgroup.com/?l=bugtraq&m=104102689503192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396
9. Contact:
The Red Hat security contact is <secu-@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html
Copyright 2003 Red Hat, Inc.
===============================================================================
End of [RHSA-2003:017-06] Updated PHP packages available
===============================================================================
4.)
===============================================================================
[RHSA-2003:025-20] Updated 2.4 kernel fixes various vulnerabilities
===============================================================================
---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Updated 2.4 kernel fixes various vulnerabilities
Advisory ID: RHSA-2003:025-20
Issue date: 2003-01-24
Updated on: 2003-02-03
Product: Red Hat Linux
Keywords: ethernet frame padding O_DIRECT
Cross references:
Obsoletes: RHBA-2002:292
CVE Names: CAN-2003-0001 CAN-2003-0018
---------------------------------------------------------------------
1. Topic:
Updated kernel packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0 are now
available that fix an information leak from several ethernet drivers, and
a file system issue.
2. Relevant releases/architectures:
Red Hat Linux 7.1 - athlon, i386, i586, i686
Red Hat Linux 7.2 - athlon, i386, i586, i686
Red Hat Linux 7.3 - athlon, i386, i586, i686
Red Hat Linux 8.0 - athlon, i386, i586, i686
3. Problem description:
The Linux kernel handles the basic functions of the operating system.
Vulnerabilities have been found in version 2.4.18 of the kernel. This
advisory deals with updates to Red Hat Linux 7.1, 7.2, 7.3, and 8.0.
Multiple ethernet Network Interface Card (NIC) device drivers do not pad
frames with null bytes, which allows remote attackers to obtain information
from previous packets or kernel memory by using malformed packets. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0001 to this issue.
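As an added illustration of the padding leak just described (this is not Red Hat's or the kernel's code): Ethernet requires every frame to be at least 60 bytes before the FCS, so a driver that sends a shorter packet has to fill the remainder. The affected drivers left those bytes as whatever the transmit buffer last held, and that went on the wire. The C below shows the driver-side fix pattern (zero-fill to the minimum length, analogous to the kernel's skb_padto() helper) next to a receiver-side check that flags non-zero padding in an IPv4 frame, using the IP total length to find where the real payload ends. The frame is constructed inline, not a real capture; pad_frame, leaked_padding_bytes, build_sample_frame and sample_leak_count are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN   14      /* dst(6) + src(6) + type(2) */
#define ETH_ZLEN   60      /* minimum frame length, FCS excluded */
#define ETH_P_IP   0x0800

/*
 * Driver-side fix pattern: extend a short frame to ETH_ZLEN with zeros
 * before handing it to the NIC. Returns the new length, or 0 if the
 * buffer cannot hold the padded frame. Skipping the memset and letting
 * the hardware read whatever follows the packet is exactly the leak.
 */
size_t pad_frame(uint8_t *buf, size_t len, size_t cap)
{
    if (len >= ETH_ZLEN)
        return len;
    if (cap < ETH_ZLEN)
        return 0;
    memset(buf + len, 0, ETH_ZLEN - len);
    return ETH_ZLEN;
}

/*
 * Receiver-side check for an IPv4 frame: the IP total length says where
 * the real payload ends; everything after it, up to the captured frame
 * length, is padding and must be zero from a correct driver.
 * Returns the count of non-zero padding bytes (0 == clean),
 * or -1 if the frame is not a parseable, untruncated IPv4 frame.
 */
int leaked_padding_bytes(const uint8_t *frame, size_t frame_len)
{
    uint16_t ethertype, ip_total;
    size_t end, i;
    int leaked = 0;

    if (frame_len < ETH_HLEN + 20)
        return -1;
    ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETH_P_IP)
        return -1;
    if ((frame[ETH_HLEN] >> 4) != 4)
        return -1;
    ip_total = (uint16_t)((frame[ETH_HLEN + 2] << 8) | frame[ETH_HLEN + 3]);
    if (ip_total < 20)
        return -1;
    end = ETH_HLEN + ip_total;
    if (end > frame_len)
        return -1;                  /* truncated capture, not padding */
    for (i = end; i < frame_len; i++)
        if (frame[i] != 0)
            leaked++;
    return leaked;
}

/*
 * Constructed sample (not a real capture): Ethernet + IPv4 + UDP header with
 * no payload, 42 bytes, so 18 bytes of padding are needed. The transmit
 * buffer is first filled with stale bytes standing in for an earlier frame.
 */
size_t build_sample_frame(uint8_t *buf, size_t cap, int simulate_leak)
{
    static const uint8_t hdr[42] = {
        /* Ethernet: dst, src, type = IPv4 */
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
        /* IPv4: ver/ihl, tos, total length 28, id, frag, ttl, proto UDP, csum, src, dst */
        0x45,0x00, 0x00,0x1c, 0x00,0x01, 0x00,0x00, 0x40,0x11, 0x00,0x00,
        0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
        /* UDP: sport 1234, dport 5678, length 8, csum 0 */
        0x04,0xd2, 0x16,0x2e, 0x00,0x08, 0x00,0x00
    };
    size_t i;
    if (cap < ETH_ZLEN)
        return 0;
    memcpy(buf, hdr, sizeof hdr);
    for (i = sizeof hdr; i < ETH_ZLEN; i++)
        buf[i] = (uint8_t)(0xc0 + i);       /* stale data from an earlier frame */
    if (simulate_leak)
        return ETH_ZLEN;                    /* buggy driver: stale bytes go out */
    return pad_frame(buf, sizeof hdr, cap); /* fixed driver: zero-filled */
}

/* Build the sample with or without the bug and run the receiver-side check. */
int sample_leak_count(int simulate_leak)
{
    uint8_t frame[64];
    size_t len = build_sample_frame(frame, sizeof frame, simulate_leak);
    if (len == 0)
        return -1;
    return leaked_padding_bytes(frame, len);
}

int main(void)
{
    printf("fixed driver: %d non-zero padding bytes\n", sample_leak_count(0));
    printf("buggy driver: %d non-zero padding bytes\n", sample_leak_count(1));
    return 0;
}
```

On a live network the same inspection can be done by eye with `tcpdump -e -xx`, which prints the link-level bytes of each frame; most NICs strip the 4-byte FCS before the capture, so the padding is simply the tail of the captured frame, as modelled here. Repeatedly pinging a suspect host with a payload small enough to need padding and watching whether those tail bytes change is how the leak was originally demonstrated.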
A vulnerability exists in O_DIRECT handling in Linux kernels 2.4.10 and
later that can create a limited information leak where any user on the
system with write privileges to a file system can read information from
that file system (from previously deleted files), and can create minor file
system corruption (easily repaired by fsck). Red Hat Linux in its default
configuration is not affected by this bug, because the ext3 file system
(the default file system in Red Hat Linux 7.2 and later) does not support
the O_DIRECT feature. Of the kernels Red Hat has released, only the 2.4.18
kernels have this bug. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0018 to this issue.
Users of the ext2 file system can migrate to the ext3 file system
using the tune2fs program as described in the white paper at
http://www.redhat.com/support/wpapers/redhat/ext3/
All users of Red Hat Linux 7.1, 7.2, 7.3, and 8.0 should upgrade
to these errata packages, which contain patches to ethernet drivers to
remove the information leak and a patch to fix O_DIRECT handling.
In addition, the following drivers are upgraded to support newer hardware:
3c59x, e100, e1000, tg3
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied, especially the additional
packages from RHSA-2002:205 and RHSA-2002:206 respectively.
The procedure for upgrading the kernel manually is documented at:
http://www.redhat.com/support/docs/howto/kernel-upgrade/
Please read the directions for your architecture carefully before
proceeding with the kernel upgrade.
Please note that this update is also available via Red Hat Network. Many
people find this to be an easier way to apply updates. To use Red Hat
Network, launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. Note that you need to select the kernel
explicitly on default configurations of up2date.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
76159 - Errata kernel 2.4.18-17.8.0 fails PCI resource allocation
6. RPMs required:
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/kernel-2.4.18-24.7.x.src.rpm
athlon:
ftp://updates.redhat.com/7.1/en/os/athlon/kernel-2.4.18-24.7.x.athlon.rpm
ftp://updates.redhat.com/7.1/en/os/athlon/kernel-smp-2.4.18-24.7.x.athlon.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/kernel-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-source-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-doc-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-BOOT-2.4.18-24.7.x.i386.rpm
i586:
ftp://updates.redhat.com/7.1/en/os/i586/kernel-2.4.18-24.7.x.i586.rpm
ftp://updates.redhat.com/7.1/en/os/i586/kernel-smp-2.4.18-24.7.x.i586.rpm
i686:
ftp://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-24.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-smp-2.4.18-24.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-bigmem-2.4.18-24.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-debug-2.4.18-24.7.x.i686.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/kernel-2.4.18-24.7.x.src.rpm
athlon:
ftp://updates.redhat.com/7.2/en/os/athlon/kernel-2.4.18-24.7.x.athlon.rpm
ftp://updates.redhat.com/7.2/en/os/athlon/kernel-smp-2.4.18-24.7.x.athlon.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/kernel-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-source-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-doc-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-BOOT-2.4.18-24.7.x.i386.rpm
i586:
ftp://updates.redhat.com/7.2/en/os/i586/kernel-2.4.18-24.7.x.i586.rpm
ftp://updates.redhat.com/7.2/en/os/i586/kernel-smp-2.4.18-24.7.x.i586.rpm
i686:
ftp://updates.redhat.com/7.2/en/os/i686/kernel-2.4.18-24.7.x.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-smp-2.4.18-24.7.x.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-bigmem-2.4.18-24.7.x.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-debug-2.4.18-24.7.x.i686.rpm
Red Hat Linux 7.3:
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/kernel-2.4.18-24.7.x.src.rpm
athlon:
ftp://updates.redhat.com/7.3/en/os/athlon/kernel-2.4.18-24.7.x.athlon.rpm
ftp://updates.redhat.com/7.3/en/os/athlon/kernel-smp-2.4.18-24.7.x.athlon.rpm
i386:
ftp://updates.redhat.com/7.3/en/os/i386/kernel-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-source-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-doc-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-BOOT-2.4.18-24.7.x.i386.rpm
i586:
ftp://updates.redhat.com/7.3/en/os/i586/kernel-2.4.18-24.7.x.i586.rpm
ftp://updates.redhat.com/7.3/en/os/i586/kernel-smp-2.4.18-24.7.x.i586.rpm
i686:
ftp://updates.redhat.com/7.3/en/os/i686/kernel-2.4.18-24.7.x.i686.rpm
ftp://updates.redhat.com/7.3/en/os/i686/kernel-smp-2.4.18-24.7.x.i686.rpm
ftp://updates.redhat.com/7.3/en/os/i686/kernel-bigmem-2.4.18-24.7.x.i686.rpm
ftp://updates.redhat.com/7.3/en/os/i686/kernel-debug-2.4.18-24.7.x.i686.rpm
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/kernel-2.4.18-24.8.0.src.rpm
athlon:
ftp://updates.redhat.com/8.0/en/os/athlon/kernel-2.4.18-24.8.0.athlon.rpm
ftp://updates.redhat.com/8.0/en/os/athlon/kernel-smp-2.4.18-24.8.0.athlon.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/kernel-2.4.18-24.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/kernel-source-2.4.18-24.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/kernel-doc-2.4.18-24.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/kernel-BOOT-2.4.18-24.8.0.i386.rpm
i586:
ftp://updates.redhat.com/8.0/en/os/i586/kernel-2.4.18-24.8.0.i586.rpm
ftp://updates.redhat.com/8.0/en/os/i586/kernel-smp-2.4.18-24.8.0.i586.rpm
i686:
ftp://updates.redhat.com/8.0/en/os/i686/kernel-2.4.18-24.8.0.i686.rpm
ftp://updates.redhat.com/8.0/en/os/i686/kernel-smp-2.4.18-24.8.0.i686.rpm
ftp://updates.redhat.com/8.0/en/os/i686/kernel-bigmem-2.4.18-24.8.0.i686.rpm
ftp://updates.redhat.com/8.0/en/os/i686/kernel-debug-2.4.18-24.8.0.i686.rpm
7. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
4d0a3a9f1bcdfec8a014c5666a4c4501 7.1/en/os/SRPMS/kernel-2.4.18-24.7.x.src.rpm
7179efeb266bba7aa633a01267e24e74 7.1/en/os/athlon/kernel-2.4.18-24.7.x.athlon.rpm
fcd9c11db5c7c02bd8ac16c12260c0e6 7.1/en/os/athlon/kernel-smp-2.4.18-24.7.x.athlon.rpm
63f1217de153ff63217515e1b016da33 7.1/en/os/i386/kernel-2.4.18-24.7.x.i386.rpm
03a071c1c7252869382d683b1ceefa9f 7.1/en/os/i386/kernel-BOOT-2.4.18-24.7.x.i386.rpm
18dd6648f9d77d3d266e584c7c2feca4 7.1/en/os/i386/kernel-doc-2.4.18-24.7.x.i386.rpm
040aafbd075ad5f4041fa086a8179c80 7.1/en/os/i386/kernel-source-2.4.18-24.7.x.i386.rpm
0a6684bc40e9f9f06d934dd806e182b3 7.1/en/os/i586/kernel-2.4.18-24.7.x.i586.rpm
35e33d5b3746db33bdf747bf4a866e00 7.1/en/os/i586/kernel-smp-2.4.18-24.7.x.i586.rpm
e0f9b4ae807dd4ee026a026f8233e977 7.1/en/os/i686/kernel-2.4.18-24.7.x.i686.rpm
ef2c961e676946329d5221fda16e2846 7.1/en/os/i686/kernel-bigmem-2.4.18-24.7.x.i686.rpm
13e60edc74a4e9ae6efe396acab4eb70 7.1/en/os/i686/kernel-debug-2.4.18-24.7.x.i686.rpm
c7b78cdeb9e72d94cfa80bbe49303241 7.1/en/os/i686/kernel-smp-2.4.18-24.7.x.i686.rpm
4d0a3a9f1bcdfec8a014c5666a4c4501 7.2/en/os/SRPMS/kernel-2.4.18-24.7.x.src.rpm
7179efeb266bba7aa633a01267e24e74 7.2/en/os/athlon/kernel-2.4.18-24.7.x.athlon.rpm
fcd9c11db5c7c02bd8ac16c12260c0e6 7.2/en/os/athlon/kernel-smp-2.4.18-24.7.x.athlon.rpm
63f1217de153ff63217515e1b016da33 7.2/en/os/i386/kernel-2.4.18-24.7.x.i386.rpm
03a071c1c7252869382d683b1ceefa9f 7.2/en/os/i386/kernel-BOOT-2.4.18-24.7.x.i386.rpm
18dd6648f9d77d3d266e584c7c2feca4 7.2/en/os/i386/kernel-doc-2.4.18-24.7.x.i386.rpm
040aafbd075ad5f4041fa086a8179c80 7.2/en/os/i386/kernel-source-2.4.18-24.7.x.i386.rpm
0a6684bc40e9f9f06d934dd806e182b3 7.2/en/os/i586/kernel-2.4.18-24.7.x.i586.rpm
35e33d5b3746db33bdf747bf4a866e00 7.2/en/os/i586/kernel-smp-2.4.18-24.7.x.i586.rpm
e0f9b4ae807dd4ee026a026f8233e977 7.2/en/os/i686/kernel-2.4.18-24.7.x.i686.rpm
ef2c961e676946329d5221fda16e2846 7.2/en/os/i686/kernel-bigmem-2.4.18-24.7.x.i686.rpm
13e60edc74a4e9ae6efe396acab4eb70 7.2/en/os/i686/kernel-debug-2.4.18-24.7.x.i686.rpm
c7b78cdeb9e72d94cfa80bbe49303241 7.2/en/os/i686/kernel-smp-2.4.18-24.7.x.i686.rpm
4d0a3a9f1bcdfec8a014c5666a4c4501 7.3/en/os/SRPMS/kernel-2.4.18-24.7.x.src.rpm
7179efeb266bba7aa633a01267e24e74 7.3/en/os/athlon/kernel-2.4.18-24.7.x.athlon.rpm
fcd9c11db5c7c02bd8ac16c12260c0e6 7.3/en/os/athlon/kernel-smp-2.4.18-24.7.x.athlon.rpm
63f1217de153ff63217515e1b016da33 7.3/en/os/i386/kernel-2.4.18-24.7.x.i386.rpm
03a071c1c7252869382d683b1ceefa9f 7.3/en/os/i386/kernel-BOOT-2.4.18-24.7.x.i386.rpm
18dd6648f9d77d3d266e584c7c2feca4 7.3/en/os/i386/kernel-doc-2.4.18-24.7.x.i386.rpm
040aafbd075ad5f4041fa086a8179c80 7.3/en/os/i386/kernel-source-2.4.18-24.7.x.i386.rpm
0a6684bc40e9f9f06d934dd806e182b3 7.3/en/os/i586/kernel-2.4.18-24.7.x.i586.rpm
35e33d5b3746db33bdf747bf4a866e00 7.3/en/os/i586/kernel-smp-2.4.18-24.7.x.i586.rpm
e0f9b4ae807dd4ee026a026f8233e977 7.3/en/os/i686/kernel-2.4.18-24.7.x.i686.rpm
ef2c961e676946329d5221fda16e2846 7.3/en/os/i686/kernel-bigmem-2.4.18-24.7.x.i686.rpm
13e60edc74a4e9ae6efe396acab4eb70 7.3/en/os/i686/kernel-debug-2.4.18-24.7.x.i686.rpm
c7b78cdeb9e72d94cfa80bbe49303241 7.3/en/os/i686/kernel-smp-2.4.18-24.7.x.i686.rpm
3ab26ebfd1c80ba101b5b86bf5cd6421 8.0/en/os/SRPMS/kernel-2.4.18-24.8.0.src.rpm
6e12213933aac18036ecbec4e9d0b0ac 8.0/en/os/athlon/kernel-2.4.18-24.8.0.athlon.rpm
619979740d16881959d5f888aefaf195 8.0/en/os/athlon/kernel-smp-2.4.18-24.8.0.athlon.rpm
2be552e4025aba02877ca21a0bd64007 8.0/en/os/i386/kernel-2.4.18-24.8.0.i386.rpm
232613b661b5dc806647935bbab16cb0 8.0/en/os/i386/kernel-BOOT-2.4.18-24.8.0.i386.rpm
b0dddbebe98c52bdeb737473319008a0 8.0/en/os/i386/kernel-doc-2.4.18-24.8.0.i386.rpm
43ffe5e9be347b2da60d83cc03d64923 8.0/en/os/i386/kernel-source-2.4.18-24.8.0.i386.rpm
d69f50521cb66ce09a9cefde417e8107 8.0/en/os/i586/kernel-2.4.18-24.8.0.i586.rpm
91e3b03e57e7df41d1472b45ad151719 8.0/en/os/i586/kernel-smp-2.4.18-24.8.0.i586.rpm
5ccc7bd0668a144b91580490ae487744 8.0/en/os/i686/kernel-2.4.18-24.8.0.i686.rpm
551569c64e64b83c145dc17b08dd505b 8.0/en/os/i686/kernel-bigmem-2.4.18-24.8.0.i686.rpm
56fafedd2ee58f288327fb56eaafd884 8.0/en/os/i686/kernel-debug-2.4.18-24.8.0.i686.rpm
b125aab060782242428bdafb05edab93 8.0/en/os/i686/kernel-smp-2.4.18-24.8.0.i686.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at http://www.redhat.com/about/contact/pgpkey.html
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
md5sum <filename>
8. References:
http://www.atstake.com/research/advisories/2003/a010603-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0018
9. Contact:
The Red Hat security contact is <secu-@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html
Copyright 2003 Red Hat, Inc.
===============================================================================
End of [RHSA-2003:025-20] Updated 2.4 kernel fixes various vulnerabilities
===============================================================================
5.)
===============================================================================
BDT_AV200212140001: Insecure default: Using pam_xauth for su from
sh-utils package (fwd)
===============================================================================
Bedatec Security Advisory 200212140001
--------------------------------------
Discovered : 2002-12-08
Vendor notified : 2002-12-14 (sorry for the delay, had to check if
default is still set for RH 8.0)
Author : Andreas Beck <bec-@bedatec.de>
Application : su as contained in e.g. sh-utils-2.0.12-3.
RedHat pam packages like e.g. pam-0.75-18.7
Severity : Insecure default could allow X Session cookie stealing
from root, thus gaining root privileges for a user
already having unprivileged access.
Risk : Medium (root compromise, but needs interaction with root)
Vendor status : Vendor will make updated packages available shortly
Vendor statement : "Red Hat is working on updated pam_xauth packages
which adds back the missing ACL functionality.
These will be available shortly from
http://rhn.redhat.com/errata/ and via the
Red Hat Network."
Affected Versions: At least Redhat 8.0 and 7.1 are vulnerable. Supposedly
all versions in between are as well.
RedHat 7.0 and before are _NOT_ vulnerable.
CVE reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1160
Overview:
---------
On Redhat Linux including 8.0, PAM comes with a module pam_xauth which can
forward X MIT-Magic-Cookies to newly instantiated sessions.
While this is a nice feature and generally harmless for the case that an
unprivileged user elevates his privileges to root using e.g. su or the
various wrappers for some root-only programs, it poses a security risk
for root if root uses su in order to assume the id of a less privileged
user, e.g. for troubleshooting purposes.
Details:
--------
While checking an unrelated problem, we discovered that using su would
allow the target user to connect to the running X session owned by the
user that used su.
Quick checking
  | becka@cupido$ su devel
  | Password:
  | [devel@cupido becka]$ xauth
  | Using authority file /home/devel/.xauthupNGf8
revealed that su seems to forward the MIT-Magic-Cookie to the target
user in a temporary .xauth file.
  | [devel@cupido devel]$ ls -l /home/devel/.xauthupNGf8
  | -rw-------  1 devel  devel  51 Dez  8 00:26 .xauthupNGf8
This file is owned by the target user and only readable by the target
user, as it must/should be for the method to work.
This behaviour causes a security risk when root uses su to become an
unprivileged user for troubleshooting an account.
Possible attack scenario:
-------------------------
Write a mail to local root, stating that you have difficulties logging in,
like e.g. you get logged out after 5 seconds in which you can run programs
and everything, you just get logged out afterwards.
This should be a strange enough description that root will probably want to
verify this behaviour.
Assuming root is running an X session on the console under his normal login
name, he will probably su to root and then su again to the complaining
user, which from root requires no password.
[Depending on the method of connection, a remote X server should also do.]
The default entries in /etc/pam.d/su will cause the X session cookie to be
forwarded to first root and then the user whose "problem" is to be
investigated.
Right after sending the mail, said user places a process in memory that
will wait for the .xauth-file to appear. Only a very careful root would
check for running processes, and even then, he is not likely to shut down
something like "longrunning_calculation" that is niced up and all.
The process will grab the contents of the .xauth-File and can then
connect to the X server, as it knows the cookie. Though this is annoying
by itself (User can see what is on the root desktop, send fake events,
thus run programs as the user who started the desktop etc.), in this
scenario it is much worse, as we know that there is a terminal open
that has just su'ed to the current user, very probably from _root_.
Just send it "exit<Enter>" and then execute whatever you like.
This way you even reproduce the problem you told root about.
O.K. - he might get suspicious now, but the damage is done.
Some webpages suggest that pam_xauth can be customized to only forward
cookies under certain conditions. However, neither the manpage for su
nor the one for pam_xauth mentions how to do that. Moreover, the su manpage
does not state that X forwarding is on by default.
Proof of concept/How to reproduce:
----------------------------------
Log in as an unprivileged user ("victim"). Start up X if necessary.
Get root using su, then assume the ID of another unprivileged user
("attacker") using su.
Log in as "attacker" remotely or from a console. Locate the .xauth file.
Give it to an arbitrary X program using the XAUTHORITY environment
variable and set display accordingly. This data can be obtained
from the shell that root started.
Program should appear on victim's X server.
Vendor Response:
----------------
2002-12-14 -> Redhat notified via EMail
2002-12-16 <- Initial response requesting extended timeline due to holidays
2002-12-16 -> Acknowledged extended timeline due to holidays
2002-12-17 <- Asked to check RH 7.0 as it seems not vulnerable due to its
ACL checking. Proposed fix to add ACL-checks back in.
2002-12-17 -> Acknowledged that RH 7.0 does not seem vulnerable judging
from its documentation. Suggested manpage fix (see below).
2003-01-12 -> Checked back with Redhat for a timeline update
2003-01-13 <- RH states fix is worked out and packages are in QA.
Suggested Feb 3rd for co-ordinated release
2003-01-13 -> Acknowledged Feb 3rd
2003-02-02 <- RH notifies of delay due to higher priority issues.
sends Vendor statement as quoted above.
As the issue is not too serious, and a workaround (Recommendation 2)
exists, I decided to publish anyway to enable security aware admins
to mitigate the problem in the meantime.
Recommendations:
----------------
To solve or mitigate the problem, choose one of:
1) Get updated vendor packages when they appear. Configure re-added ACL
functionality not to forward from root (should be default).
2) Disable pam_xauth module for su by commenting out the relevant line in
/etc/pam.d/su.
If required copy su to "sux" and make an appropriate pam.d entry that
retains the old behaviour.
3) If you already have a pam_xauth module with ACL control, change its
configuration not to forward X if su is called by root.
plus you may want to consider:
4) pam_xauth documentation should clearly state why one shouldn't forward
X11 to untrusted accounts. Something along the lines of:
"Mind that forwarding X11-cookies to other users basically allows them
to gain control over your X session. This is usually not a problem when
the target user is root, but can be one when root assumes the id of a
possibly untrusted user"
5) Be aware of the possible consequences of propagating X-Cookies to
potentially hostile environments. (ssh with -X basically opens the same
problem, though it is less readily exploitable there due to the
transparent Cookie replacement.)
Kind regards,
Andreas Beck
--
= Andreas Beck | Email : <bec-@bedatec.de> =
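An added example for Recommendation 2, not part of the advisory above: a small POSIX shell audit that tells whether a PAM stack for su still has an active pam_xauth line and emits the hardened copy with that line commented out. The sample stack is constructed, modelled on the Red Hat layout of the time, and its module paths are assumptions rather than values from the advisory.

```shell
#!/bin/sh
# Added example, not from the advisory: audit a PAM stack for an active
# pam_xauth line and produce the hardened variant from Recommendation 2.
# Constructed sample /etc/pam.d/su; module paths are assumptions.
PAM_SU_SAMPLE='#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so'

# True (exit 0) when the given PAM config text still has a non-commented
# pam_xauth line, i.e. su would hand the caller's X cookie to the target user.
xauth_forwarding_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*[^#[:space:]].*pam_xauth'
}

# Hardened copy: every active pam_xauth line is commented out, so su no
# longer forwards the cookie. The unmodified text is what you would install
# as /etc/pam.d/sux next to a copy of su named sux, if forwarding is still
# wanted for explicit, deliberate use.
disable_xauth_forwarding() {
    printf '%s\n' "$1" | sed -E 's/^([[:space:]]*[^#[:space:]].*pam_xauth)/# \1/'
}

# Audit the stack actually installed on this host (needs read access).
check_installed_su() {
    stack=/etc/pam.d/su
    [ -r "$stack" ] || { echo "cannot read $stack"; return 2; }
    if xauth_forwarding_enabled "$(cat "$stack")"; then
        echo "WARNING: $stack forwards the X cookie on every su"
        return 1
    fi
    echo "$stack does not forward X cookies"
    return 0
}

# Demonstration on the constructed sample.
if xauth_forwarding_enabled "$PAM_SU_SAMPLE"; then
    echo "sample stack forwards X cookies; hardened version follows:"
    disable_xauth_forwarding "$PAM_SU_SAMPLE"
fi
```

Run check_installed_su on a host to audit the real /etc/pam.d/su; the demonstration at the end only touches the constructed sample.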
===============================================================================
BDT_AV200212140001: Insecure default: Using pam_xauth for su from
sh-utils package
===============================================================================
===============================================================================
End of GN SecNews #3
===============================================================================