Old 08-24-2004, 05:19 AM   #1
Capt_Caveman
LQ - Security Report - August 24th 2004


August 17th 2004
18 issues handled (SF)
1. PluggedOut Blog Blog_Exec.PHP Cross-Site Scripting Vulnerabi...
2. Linux Kernel Unspecified chown Inode Time Vulnerability
3. Linux Kernel Unspecified Signal Denial Of Service Vulnerabil...
4. Xine-Lib Remote Buffer Overflow Vulnerability
5. Linux Kernel Unspecified USB Vulnerability
6. PluggedOut Blog Calendar Module Cross-Site Scripting Vulnera...
7. GNU CFEngine AuthenticationDialogue Remote Heap Based Buffer...
8. GNU CFEngine AuthenticationDialogue Remote Denial Of Service...
9. KDE Konqueror Cross-Domain Frame Loading Vulnerability
10. KDE Insecure Temporary Directory Symlink Vulnerability
11. KDE DCOPServer Insecure Temporary File Creation Vulnerabilit...
12. Mutt PGP/GnuPG Verified Email Signature Spoofing Vulnerabili...
13. Adobe Acrobat Reader Shell Metacharacter Remote Arbitrary Co...
14. RealNetwork RealPlayer Unspecified Remote Vulnerability
15. Kerio Mailserver Embedded HTTP Server Multiple Unspecified V...
16. Rsync Sanitize_path Function Module Path Escaping Vulnerabil...
17. HanSoft 4tH Unspecified Vulnerability
18. Sympa List Creation Authentication Bypass Vulnerability

August 20th 2004
23 issues handled over 9 distros (LAW)
1. squirrelmail - Multiple vulnerabilities
2. ruby - Insecure file permissions
3. rsync - Insufficient path sanitation
4. kdelibs - Insecure temporary file vulnerability
5. mysql - Insecure temporary file vulnerability
6. Roundup - Filesystem access vulnerability
7. gv - Buffer overflow vulnerability
8. Nessus - Race condition vulnerability
9. Gaim - Buffer overflow vulnerability
10. acroread - Buffer overflow vulnerabilities
11. Tomcat - Insecure installation
12. glibc - Information leak vulnerability
13. xine-lib - Buffer overflow vulnerability
14. courier-imap - Format string vulnerability
15. mozilla - Multiple vulnerabilities
16. spamassassin - Denial of service vulnerability
17. qt3 - Heap overflow vulnerability
18. ftpd - Privilege escalation vulnerability
19. pam - Privilege escalation vulnerability
20. Itanium kernel - Multiple vulnerabilities
21. semi - Insecure temporary file vulnerability
22. Netscape - Multiple vulnerabilities
23. kernel - Denial of service vulnerability
 
Old 08-24-2004, 05:23 AM   #2
Capt_Caveman
August 17th 2004 (SF)

Security Focus

1. PluggedOut Blog Blog_Exec.PHP Cross-Site Scripting Vulnerabi...
BugTraq ID: 10885
Remote: Yes
Date Published: Aug 07 2004
Relevant URL: http://www.securityfocus.com/bid/10885
Summary:
PluggedOut Blog is reported prone to a cross-site scripting vulnerability. This could allow for execution of hostile HTML and script code in the web client of a user who visits a malicious link to the vulnerable site. This code execution would occur in the security context of the site hosting the vulnerable software. Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.

2. Linux Kernel Unspecified chown Inode Time Vulnerability
BugTraq ID: 10887
Remote: No
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10887
Summary:
An unspecified vulnerability has been announced in the Linux Kernel implementation of the chown(2) system call. This issue is related to how inode time data is updated by the system call. The impact is not known at this time, though it is speculated that this could affect system integrity.

3. Linux Kernel Unspecified Signal Denial Of Service Vulnerabil...
BugTraq ID: 10888
Remote: No
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10888
Summary:
An unspecified denial of service vulnerability has been reported to exist in the Linux Kernel. This issue could occur when signals are handled by the kernel. Further details are not available at this time.

4. Xine-Lib Remote Buffer Overflow Vulnerability
BugTraq ID: 10890
Remote: Yes
Date Published: Aug 08 2004
Relevant URL: http://www.securityfocus.com/bid/10890
Summary:
It is reported that the xine media library is affected by a remote buffer overflow vulnerability. This issue can allow a remote attacker to gain unauthorized access to a vulnerable computer. xine-lib rc-5 and prior versions are reportedly affected by this issue. xine versions 0.99.2 and prior are also vulnerable.

5. Linux Kernel Unspecified USB Vulnerability
BugTraq ID: 10892
Remote: No
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10892
Summary:
The Linux Kernel implementation of USB is reported prone to an unspecified vulnerability. The impact is not known at this time, though it is speculated that this vulnerability could affect system stability.

6. PluggedOut Blog Calendar Module Cross-Site Scripting Vulnera...
BugTraq ID: 10894
Remote: Yes
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10894
Summary:
The Blog 'calendar' module does not sufficiently sanitize data supplied via URI parameters, making it prone to cross-site scripting attacks. This could allow for execution of hostile HTML and script code in the web client of a user who visits a malicious link to the vulnerable site.

7. GNU CFEngine AuthenticationDialogue Remote Heap Based Buffer...
BugTraq ID: 10899
Remote: Yes
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10899
Summary:
GNU cfengine cfservd is reported prone to a remote heap-based buffer overrun vulnerability. The vulnerability presents itself in the cfengine cfservd AuthenticationDialogue() function. The issue exists due to a lack of sufficient boundary checks performed on challenge data that is received from a client. Because the size of the buffer, the size of data copied in a memcpy() operation, and the data copied are all controlled by the attacker, a remote attacker may likely exploit this condition to corrupt in-line heap based memory management data. cfservd employs an IP based access control method. This access control must be bypassed prior to exploitation. This may hinder exploitation attempts. This vulnerability is reported to affect versions 2.0.0 to 2.1.7p1 of cfengine cfservd.

8. GNU CFEngine AuthenticationDialogue Remote Denial Of Service...
BugTraq ID: 10900
Remote: Yes
Date Published: Aug 09 2004
Relevant URL: http://www.securityfocus.com/bid/10900
Summary:
GNU cfengine cfservd is reported prone to a remote denial of service vulnerability. The vulnerability presents itself in the cfengine cfservd AuthenticationDialogue() function that is responsible for processing SAUTH commands and also performing RSA based authentication. The vulnerability presents itself because return values for several statements within the AuthenticationDialogue() function are not checked. This memcpy() operation based on the return values will fail, resulting in a daemon crash. A remote attacker may exploit this vulnerability to crash the affected daemon, effectively denying service to legitimate users. cfservd employs an IP based access control method (AllowConnectionsFrom). This access control must be bypassed prior to exploitation. This may hinder exploitation attempts. This vulnerability is reported to affect versions 2.0.0 to 2.1.7p1 of cfengine cfservd.

9. KDE Konqueror Cross-Domain Frame Loading Vulnerability
BugTraq ID: 10921
Remote: Yes
Date Published: Aug 11 2004
Relevant URL: http://www.securityfocus.com/bid/10921
Summary:
Konqueror is reported prone to a cross-domain frame loading vulnerability. It is reported that if the name of a frame rendered in a target site is known, then an attacker may potentially render arbitrary HTML in the frame of the target site. An attacker may exploit this vulnerability to spoof an interface of a trusted web site. All versions of KDE up to KDE 3.2.3 are vulnerable to this issue.

10. KDE Insecure Temporary Directory Symlink Vulnerability
BugTraq ID: 10922
Remote: No
Date Published: Aug 11 2004
Relevant URL: http://www.securityfocus.com/bid/10922
Summary:
KDE is reported to contain a temporary directory symlink vulnerability. This vulnerability is due to improper validation of the ownership of temporary directories. Local attackers can cause KDE applications to fail, denying service to users, or to overwrite arbitrary files with the privileges of the target user. Privilege escalation may be possible. Source patches have been made available by KDE to resolve this issue.

11. KDE DCOPServer Insecure Temporary File Creation Vulnerabilit...
BugTraq ID: 10924
Remote: No
Date Published: Aug 11 2004
Relevant URL: http://www.securityfocus.com/bid/10924
Summary:
KDE's DCOPServer is reported to contain an insecure temporary file creation vulnerability. This is due to the use of the mktemp() function. Since temporary files are used by the DCOP daemon for authentication purposes, a local attacker may possibly exploit this vulnerability to compromise the account of a targeted user running KDE. A local attacker may also possibly exploit this vulnerability to execute symbolic link file overwrite attacks. This may allow an attacker to overwrite arbitrary files with the privileges of the targeted user. Privilege escalation may also be possible using this method of attack. KDE versions from 3.2.0 to 3.2.3 are reported susceptible to this vulnerability.

12. Mutt PGP/GnuPG Verified Email Signature Spoofing Vulnerabili...
BugTraq ID: 10929
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10929
Summary:
It is reported that Mutt contains a vulnerability that allows attackers to send email that spoofs the look of a successfully verified PGP/GnuPG email message. An attacker may potentially simulate the look of the PGP/GnuPG output that Mutt usually includes when processing signed email messages. If a user employs Mutt with a specific configuration, the attacker may make email messages look almost identical to a properly signed and verified email. This may allow an attacker to create a message that falsifies a correctly verified PGP/GnuPG signature. This could allow an attacker to spoof email from trusted sources. This will likely greatly increase the effectiveness of social engineering attacks. In the index mode, messages with signatures have the 's' flag. Verified signatures change to 'S'. Ensuring that messages have the proper attributes will aid in the mitigation of this vulnerability. Versions 1.3.28 and 1.5.6 are reported affected by this vulnerability. Other versions are also likely affected.

13. Adobe Acrobat Reader Shell Metacharacter Remote Arbitrary Co...
BugTraq ID: 10931
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10931
Summary:
A remote code execution vulnerability is identified in Adobe Acrobat Reader. This issue may allow an attacker to gain unauthorized access to a vulnerable computer. Acrobat Reader is affected by a shell metacharacter command execution vulnerability. This issue exists due to insufficient sanitization of user-supplied data by Acrobat Reader for Unix and Linux platforms. Successful exploitation can allow an attacker to use a specially crafted file name to execute arbitrary commands and applications through the shell. Adobe Acrobat Reader version 5.0 for Unix and Linux platforms is reported vulnerable to this issue. Acrobat Reader for Microsoft Windows platforms is not affected by this issue.

14. RealNetwork RealPlayer Unspecified Remote Vulnerability
BugTraq ID: 10934
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10934
Summary:
It is reported that RealNetwork RealPlayer contains an unspecified vulnerability that allows for execution of arbitrary code in the context of the user running the player. No further information is available at this time. This BID will be updated as further information is disclosed.

15. Kerio Mailserver Embedded HTTP Server Multiple Unspecified V...
BugTraq ID: 10936
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10936
Summary:
Kerio MailServer version 6.0.1 has been released. This release addresses various unspecified security vulnerabilities in the embedded HTTP server implemented with the Kerio MailServer application. The cause and impact of these issues is currently unknown. All versions of Kerio MailServer prior to 6.0.1 are considered vulnerable.

16. Rsync Sanitize_path Function Module Path Escaping Vulnerabil...
BugTraq ID: 10938
Remote: Yes
Date Published: Aug 12 2004
Relevant URL: http://www.securityfocus.com/bid/10938
Summary:
If an rsync server is installed as a daemon with a read/write enabled module without using the 'chroot' option, it is possible that a remote attacker could read/write files outside of the configured module path. Rsync does not properly sanitize the paths when not running with chroot. The problem exists in the 'sanitize_path' function. This could potentially be exploited to execute arbitrary code by corrupting or placing arbitrary files on the system. Destruction of data could also result, possibly causing a denial of service condition. Other attacks could also occur, depending on the attacker's motives.

17. HanSoft 4tH Unspecified Vulnerability
BugTraq ID: 10939
Remote: Unknown
Date Published: Aug 13 2004
Relevant URL: http://www.securityfocus.com/bid/10939
Summary:
An unspecified vulnerability is reported in the HanSoft 4tH compiler. This vulnerability is reported to be fixed in version 3.4e-pre4. No further information was reported. This BID will be updated as new information is disclosed.

18. Sympa List Creation Authentication Bypass Vulnerability
BugTraq ID: 10941
Remote: Yes
Date Published: Aug 13 2004
Relevant URL: http://www.securityfocus.com/bid/10941
Summary:
Sympa is reported to be prone to an authentication bypass vulnerability when creating new mailing lists. This vulnerability presents itself upon creating a new mailing list. The list master approval process could reportedly be skipped by an attacker. An attacker may exploit this issue to create unauthorized mailing lists. This may possibly be used to forward UCE messages, or possibly other attacks. Versions prior to 4.1.2 are reportedly affected by this vulnerability.
 
Old 08-24-2004, 05:27 AM   #3
Capt_Caveman
August 20th 2004 (LAW)

Linux Advisory Watch

Distribution: Conectiva

8/13/2004 - squirrelmail
Multiple vulnerabilities
This patch addresses four vulnerabilities in SquirrelMail, including XSS and SQL injection attacks.
http://www.linuxsecurity.com/advisor...sory-4669.html


Distribution: Debian

8/20/2004 - ruby
Insecure file permissions
This can lead an attacker who has also shell access to the webserver to take over a session.
http://www.linuxsecurity.com/advisor...sory-4689.html

8/20/2004 - rsync
Insufficient path sanitation
The rsync developers have discovered a security related problem in rsync which allows an attacker to access files outside of the defined directory.
http://www.linuxsecurity.com/advisor...sory-4690.html

8/20/2004 - kdelibs
Insecure temporary file vulnerability
This can be abused by a local attacker to create or truncate arbitrary files or to prevent KDE applications from functioning correctly.
http://www.linuxsecurity.com/advisor...sory-4691.html

8/20/2004 - mysql
Insecure temporary file vulnerability
Jeroen van Wolffelaar discovered an insecure temporary file vulnerability in the mysqlhotcopy script when using the scp method which is part of the mysql-server package.
http://www.linuxsecurity.com/advisor...sory-4692.html


Distribution: Fedora

8/20/2004 - rsync
Insufficient path sanitization
This update backports a security fix to a path-sanitizing flaw that affects rsync when it is used in daemon mode without also using chroot.
http://www.linuxsecurity.com/advisor...sory-4688.html


Distribution: Gentoo

8/13/2004 - Roundup
Filesystem access vulnerability
Roundup will make files owned by the user that it's running as accessible to a remote attacker.
http://www.linuxsecurity.com/advisor...sory-4664.html

8/13/2004 - gv
Buffer overflow vulnerability
gv contains an exploitable buffer overflow that allows an attacker to execute arbitrary code.
http://www.linuxsecurity.com/advisor...sory-4665.html

8/13/2004 - Nessus
Race condition vulnerability
Nessus contains a vulnerability allowing a user to perform a privilege escalation attack using "adduser".
http://www.linuxsecurity.com/advisor...sory-4666.html

8/13/2004 - Gaim
Buffer overflow vulnerability
Gaim contains a remotely exploitable buffer overflow vulnerability in the MSN-protocol parsing code that may allow remote execution of arbitrary code.
http://www.linuxsecurity.com/advisor...sory-4667.html

8/13/2004 - kdebase,kdelibs Multiple vulnerabilities
Buffer overflow vulnerability
KDE contains three security issues that can allow an attacker to compromise system accounts, cause a Denial of Service, or spoof websites via frame injection.
http://www.linuxsecurity.com/advisor...sory-4668.html

8/20/2004 - acroread
Buffer overflow vulnerabilities
Acroread contains two errors in the handling of UUEncoded filenames that may lead to execution of arbitrary code or programs.
http://www.linuxsecurity.com/advisor...sory-4682.html

8/20/2004 - Tomcat
Insecure installation
Improper file ownership may allow a member of the tomcat group to execute scripts as root.
http://www.linuxsecurity.com/advisor...sory-4683.html

8/20/2004 - glibc
Information leak vulnerability
glibc contains an information leak vulnerability allowing the debugging of SUID binaries.
http://www.linuxsecurity.com/advisor...sory-4684.html

8/20/2004 - rsync
Insufficient path sanitation
This vulnerability could allow the listing of arbitrary files and allow file overwriting outside module's path on rsync server configurations that allow uploading.
http://www.linuxsecurity.com/advisor...sory-4685.html

8/20/2004 - xine-lib
Buffer overflow vulnerability
An attacker may construct a carefully-crafted playlist file which will cause xine-lib to execute arbitrary code with the permissions of the user.
http://www.linuxsecurity.com/advisor...sory-4686.html

8/20/2004 - courier-imap
Format string vulnerability
An attacker may be able to execute arbitrary code as the user running courier-imapd (oftentimes root).
http://www.linuxsecurity.com/advisor...sory-4687.html


Distribution: Mandrake

8/13/2004 - gaim
Buffer overflow vulnerabilities
Sebastian Krahmer discovered two remotely exploitable buffer overflow vulnerabilities in the gaim instant messenger.
http://www.linuxsecurity.com/advisor...sory-4662.html

8/13/2004 - mozilla
Multiple vulnerabilities
A large number of Mozilla vulnerabilities is addressed by this update.
http://www.linuxsecurity.com/advisor...sory-4663.html

8/20/2004 - rsync
Insufficient path sanitation
If rsync is running in daemon mode, and not in a chrooted environment, it is possible for a remote attacker to trick rsyncd into creating an absolute pathname while sanitizing it.
http://www.linuxsecurity.com/advisor...sory-4679.html

8/20/2004 - spamassassin
Denial of service vulnerability
Security fix prevents a denial of service attack open to certain malformed messages.
http://www.linuxsecurity.com/advisor...sory-4680.html

8/20/2004 - qt3
Heap overflow vulnerability
This vulnerability could allow for the compromise of the account used to view or browse malicious graphic files.
http://www.linuxsecurity.com/advisor...sory-4681.html


Distribution: NetBSD

8/20/2004 - ftpd
Privilege escalation vulnerability
A set of flaws in the ftpd source code can be used together to achieve root access within an ftp session.
http://www.linuxsecurity.com/advisor...sory-4678.html


Distribution: Red Hat

8/19/2004 - pam
Privilege escalation vulnerability
If the pam_wheel module was used with the "trust" option enabled, but without the "use_uid" option, any local user could use PAM to gain access to a superuser account without supplying a password.
http://www.linuxsecurity.com/advisor...sory-4670.html

8/19/2004 - Itanium kernel
Multiple vulnerabilities
Updated Itanium kernel packages that fix a number of security issues are now available.
http://www.linuxsecurity.com/advisor...sory-4671.html

8/19/2004 - semi
Insecure temporary file vulnerability
Temporary files were being created without taking adequate precautions, and therefore a local user could potentially overwrite files with the privileges of the user running emacs.
http://www.linuxsecurity.com/advisor...sory-4672.html

8/20/2004 - Netscape
Multiple vulnerabilities
Netscape Navigator and Netscape Communicator have been removed from the Red Hat Enterprise Linux 2.1 CD-ROM distribution as part of Update 5. These packages were based on Netscape 4.8, which is known to be vulnerable to recent critical security issues, such as CAN-2004-0597, CAN-2004-0598, and CAN-2004-0599.
http://www.linuxsecurity.com/advisor...sory-4673.html

8/20/2004 - kernel
Denial of service vulnerability
A bug in the SoundBlaster 16 code which did not properly handle certain sample sizes has been fixed. This flaw could be used by local users to crash a system.
http://www.linuxsecurity.com/advisor...sory-4674.html


Distribution: Suse

8/20/2004 - rsync
Insufficient pathname sanitizing
If rsync is running in daemon-mode and without a chroot environment it is possible for a remote attacker to trick rsyncd into creating an absolute pathname while sanitizing it.
http://www.linuxsecurity.com/advisor...sory-4676.html

8/20/2004 - qt3
Buffer overflow vulnerability
Chris Evans found a heap overflow in the BMP image format parser which can probably be abused by remote attackers to execute arbitrary code.
http://www.linuxsecurity.com/advisor...sory-4677.html


Distribution: Trustix

8/20/2004 - rsync
Path escape vulnerability
Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected.
http://www.linuxsecurity.com/advisor...sory-4675.html
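The rsync advisories in this post share one precondition: a daemon-mode module that is writable and not chrooted. The following Python is an added example (not code from rsync or from any of the advisories) that parses a constructed rsyncd.conf, flags modules meeting that precondition using the `use chroot` and `read only` settings and their documented defaults, and checks the containment property a correct sanitize_path has to guarantee; the sample configuration and module paths are made up for the demonstration.

```python
"""Audit an rsyncd.conf for modules exposed to the path-sanitizing flaw.

Assumes the rsyncd.conf(5) layout: global 'key = value' lines, then
'[module]' sections; comment lines start with '#' or ';'; defaults are
'use chroot = yes' and 'read only = yes'.
"""
import posixpath

TRUE_VALUES = {"yes", "true", "1"}

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
# global setting: applies to every module unless overridden
use chroot = no

[public]
    path = /srv/rsync/public
    # read-only: unaffected per the Trustix note above
    read only = yes

[uploads]
    path = /srv/rsync/uploads
    # writable and not chrooted: the exposed combination
    read only = no

[backup]
    path = /srv/rsync/backup
    use chroot = yes
    # writable but chrooted: unaffected
    read only = no
"""


def parse_rsyncd_conf(text):
    """Return (globals, {module: settings}) with lower-cased keys."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        target = globals_ if current is None else modules[current]
        target[key.lower()] = value
    return globals_, modules


def is_true(settings, key, default):
    """Boolean rsyncd.conf setting, falling back to the documented default."""
    value = settings.get(key)
    return default if value is None else value.lower() in TRUE_VALUES


def exposed_modules(text):
    """Names of modules that are writable and not chrooted."""
    globals_, modules = parse_rsyncd_conf(text)
    exposed = []
    for name, settings in modules.items():
        merged = {**globals_, **settings}  # module overrides global overrides default
        if not is_true(merged, "use chroot", True) and not is_true(merged, "read only", True):
            exposed.append(name)
    return exposed


def escapes_module(module_path, requested):
    """True if a client-supplied path resolves outside the module directory.

    A leading '/' is treated as the module root, not the host root, and
    '..' segments are normalised before the containment check; this is
    the guarantee a sanitize_path implementation must provide.
    """
    root = posixpath.normpath(module_path)
    joined = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    prefix = root if root.endswith("/") else root + "/"
    return joined != root and not joined.startswith(prefix)


if __name__ == "__main__":
    print("exposed modules:", exposed_modules(SAMPLE_CONF))
    for req in ("dir/file", "/dir/file", "../../etc/passwd", "dir/../../x"):
        print(f"{req!r:22} escapes: {escapes_module('/srv/rsync/uploads', req)}")
```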
 
  

