5731135 2000-11-15 15:40 +0100 /312 lines/ Roman Drahtmueller <draht@SUSE.DE>
Imported: 2000-11-15 19:21 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: draht@SUSE.DE
Recipient: Bugtraq (import) <13753>
Subject: SuSE: miscellaneous
------------------------------------------------------------
From: Roman Drahtmueller <draht@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0011151539430.24239-100000@dent.suse.de>
-----BEGIN PGP SIGNED MESSAGE-----
SuSE: miscellaneous 15:30 MET, Wednesday, November 15 2000
This notice addresses the latest security advisories from various
Linux vendors as well as private contributors on public security
forums. The issues have been collected to keep the noise on the
public security forums at a reduced level.
The information herein should be considered both background as well as
upgrade information (please read carefully).
==
Topics:
1) SuSE security staff
2) packages:
gpg (update information)
bind8 (status: update avail, announcement pending)
pine (status: testing new version 4.30)
dump (status: not vulnerable)
phf (status: not vulnerable)
gs (status: pending)
global (status: building)
crontab (status: not vulnerable)
vlock (status: not vulnerable)
tcpdump (status: update avail, testing)
tcsh (status: update+announcement pending)
modules (status: more updates for older distributions)
==
1) SuSE security staff
SuSE welcomes security professional Sebastian Krahmer
<krahmer@suse.de> aboard the SuSE security team. His name has already
been on top of the last SuSE security announcement about the security
problems in the modules package. Enlarging the capacity of the
security team, Sebastian will be busy fixing security problems,
auditing code and maintaining security-related software. More
security announcements from him will be seen in the future.
2) packages
_________________________________________________________________________
* gpg
GnuPG may erroneously recognize a file/mail to be correctly signed, if
there are multiple signatures and the file/mail has been modified.
This bug affects all GnuPG versions prior to and including 1.0.3. It has
been fixed in version 1.0.4. Updated packages are available on our
German ftp server (as well as its mirrors) for the SuSE distributions
6.3, 6.4 and 7.0. Please note that the gpg packages for the SuSE-7.0
distribution have an addon, called gpgaddon. It contains
implementations of cipher algorithms that require licenses in many
countries due to software patents. Those gpgaddon packages are not
listed below.
There will not be a security announcement for this package - the
privacy risk for users of the old package is considerably small.
You can update your installed packages using the command
    rpm -Uhv <URL-to-file>
where <URL-to-file> is one of the following FTP URLs to choose from.
Please use the SuSE Linux mirrors as listed at
http://www.suse.de/de/support/download/ftp/inland.html .
The md5sums for the files on the ftp server are:
i386 Intel Platform
SuSE-7.0
ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/gpg-1.0.4-7.i386.rpm
d0b78231c127a6423c7ca46ec9618c00
source rpm:
ftp://ftp.suse.de/pub/suse/i386/update/7.0/zq1/gpg-1.0.4-7.src.rpm
a613abc7691b49e0c67e8c7dc924e3b0
SuSE-6.4
ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/gpg-1.0.4-7.i386.rpm
c5b9fbe25d8cb5db4f52638c0959294d
source rpm:
ftp://ftp.suse.de/pub/suse/i386/update/6.4/zq1/gpg-1.0.4-7.src.rpm
f9d351e1b86fbcfbcf0d23fae5739b20
SuSE-6.3
ftp://ftp.suse.de/pub/suse/i386/update/6.3/sec1/gpg-1.0.4-7.i386.rpm
c5b9fbe25d8cb5db4f52638c0959294d
source rpm:
ftp://ftp.suse.de/pub/suse/i386/update/6.3/zq1/gpg-1.0.4-7.src.rpm
f9d351e1b86fbcfbcf0d23fae5739b20
Sparc Platform
SuSE-7.0
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/gpg-1.0.4-5.sparc.rpm
335aa6315468d4dae5753a6d14809bdd
source rpm:
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/zq1/gpg-1.0.4-5.src.rpm
796b6f901aee33aad5fd01dc874abe3c
PPC Power PC platform
SuSE-7.0
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/gpg-1.0.4-7.ppc.rpm
302a7899783c9604a4ce962fcc627675
source rpm:
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/zq1/gpg-1.0.4-7.src.rpm
415be9ff92bcfd4a8f764207d412906d
SuSE-6.4
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/gpg-1.0.4-5.ppc.rpm
3566276b56ce13d6b977af91b5797ffc
source rpm:
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/zq1/gpg-1.0.4-5.src.rpm
49b75a880656a11e99fcbad16673247e
AXP Alpha Platform
SuSE-7.0
ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/gpg-1.0.4-12.alpha.rpm
8a504ad8957d455ead3ff22d6ba31626
source rpm:
ftp://ftp.suse.de/pub/suse/axp/update/7.0/zq1/gpg-1.0.4-12.src.rpm
986675ccf38f88770c079281a4175618
SuSE-6.4
ftp://ftp.suse.de/pub/suse/axp/update/6.4/sec1/gpg-1.0.4-5.alpha.rpm
65f6662aea3ff8832ac932ca0a57c10b
source rpm:
ftp://ftp.suse.de/pub/suse/axp/update/6.4/zq1/gpg-1.0.4-5.src.rpm
1d3ff30fac336c8e314da9903d1ee1b9
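Added example (not part of the original notice): a shell helper that looks up the md5sum printed directly under a package URL in a saved copy of this notice and compares it with the downloaded file before `rpm -Uhv` is run. The function names and the saved-notice file are assumptions; the checksum list is only as trustworthy as the PGP signature on the notice it was taken from.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not SuSE tooling.

# advisory_md5 ADVISORY URL
# Print the 32-hex-digit md5sum found on the line right after URL.
advisory_md5() {
    awk -v url="$2" '
        want {
            if ($1 ~ /^[0-9a-f]+$/ && length($1) == 32) { print $1; found = 1 }
            exit                      # only the line directly below the URL counts
        }
        $1 == url { want = 1 }
        END { exit !found }           # non-zero status if nothing was listed
    ' "$1"
}

# verify_download ADVISORY URL FILE
# Return 0 only if FILE hashes to the value the advisory lists for URL,
# 1 on a mismatch, 2 if the URL is not listed or FILE cannot be read.
verify_download() {
    [ -r "$3" ] || { echo "cannot read $3" >&2; return 2; }
    expected=$(advisory_md5 "$1" "$2") || {
        echo "no md5sum listed for $2" >&2; return 2; }
    actual=$(md5sum < "$3" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "md5 mismatch for $3: got $actual, notice lists $expected" >&2
    return 1
}

# Typical use, after fetching the package from a mirror into the cwd:
#   verify_download notice.txt "$url" "${url##*/}" && rpm -Uhv "${url##*/}"
```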
_________________________________________________________________________
* bind8
BIND, the Berkeley Internet Name Daemon, versions before 8.2.2p7,
has been found vulnerable to two denial of service attacks: named
may crash after a compressed zone transfer request and if an SRV
record (defined in RFC2782) is sent to the server. SuSE versions
6.0 through 6.4 are affected by this problem. The bind8 package in
SuSE-7.0 is not susceptible to the problems because a different
version of bind8 has been used in this distribution.
A temporary workaround against the first error is to disable zone
transfers if those are not needed (it is recommended for security
reasons, and the default configuration in our package has zone
transfers disabled). Since the second bug can't be circumvented so
easily, it is recommended to upgrade the bind8 package as soon as
possible. Recognizing the urgency of this issue, the updated
packages are on their way to the ftp server right now. An
announcement covering the issue will follow this notice.
_________________________________________________________________________
* pine
The popular text-based mail user agent is vulnerable to a buffer
overflow in the portion of code that periodically checks for the
arrival of new mail. In addition, there is an error in the header
parsing code which could lead to a crash of the mail program. The
authors of pine (University of Washington, Seattle, see
http://www.washington.edu/pine/credits.html) have published a new
version of the pine package that should fix the known
problems. During testing, several instabilities of the program have
been observed so that we have delayed the release of the updated
version. Additional patches are being tested right now so that the
release of the new version 4.30 can be expected within days.
_________________________________________________________________________
* dump
The Linux implementation of the ext2fs backup utility "dump" can be
tricked into running arbitrary commands as root in case it is
installed setuid root. dump is not installed suid root in SuSE
Linux releases 6.0 through (the most recent) 7.0 because there is
no convincing reason to do so. Therefore, SuSE Linux is not
vulnerable to this problem with the dump program.
_________________________________________________________________________
* phf cgi program
proton <proton@ENERGYMECH.NET> has discovered a buffer overflow
that can lead the phf cgi program to execute arbitrary code with
the privileges of the user that the webserver is running
under. SuSE distributions contain a cgi program that is called phf;
it is included in the thttpd package. Installed under
/usr/local/httpd/htdocs/cgi-bin/phf, this program is a booby trap
that logs attackers intending to exploit formerly known bugs of the
phf program. Consequently, SuSE distributions are not vulnerable
to the buffer overflow in the phf program.
_________________________________________________________________________
* gs
The Ghostscript program in SuSE distributions runtime-links against
shared libraries in the current working directory if a shared
library with the matching name is present. The problem is created
by exporting the environment variable LD_RUN_PATH at linking time
during the package compile process. Later, at runtime linking, the
runtime linker ld-linux.so.2 will try to open ./libc.so.6. If this
fails, the linker will continue searching the usual paths to find
the library. Basically, this means that users should call gs as
well as all programs using gs (such as gv or ghostview) in a
directory that is only writeable by the user calling gs. It is
expected that more Linux distributions (other than SuSE Linux) and
possibly commercial unix vendors as well are affected by this
problem. In future versions of the SuSE Linux distribution, this
problem will be fixed.
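Added example (not part of the original notice): when LD_RUN_PATH is set at link time and no explicit -rpath is given, ld records its value as the binary's runtime search path, so the condition above shows up as an empty or relative RPATH/RUNPATH element in `readelf -d` output. The check below generalizes from gs to any ELF binary; the function names are assumptions.

```shell
#!/bin/sh
# Added example: function names are hypothetical; input is `readelf -d` text.

# unsafe_rpath_entries RPATH
# Print one line per search-path element that is resolved against the
# current working directory: empty elements and relative elements.
unsafe_rpath_entries() {
    printf '%s\n' "$1" | awk '{
        n = split($0, e, ":")
        for (i = 1; i <= n; i++) {
            if (e[i] == "")
                print "empty element " i
            else if (index(e[i], "$ORIGIN") == 1 || index(e[i], "${ORIGIN}") == 1)
                continue            # relative to the binary, not to the cwd
            else if (substr(e[i], 1, 1) != "/")
                print "relative element " i ": " e[i]
        }
    }'
}

# rpaths_from_readelf: read `readelf -d` output on stdin and print each
# RPATH / RUNPATH string (the text between the square brackets).
rpaths_from_readelf() {
    sed -n -e 's/.*(RPATH).*\[\(.*\)\].*/\1/p' \
           -e 's/.*(RUNPATH).*\[\(.*\)\].*/\1/p'
}

# audit_elf FILE...: list findings per file; returns 1 if any were found.
audit_elf() {
    status=0
    for f in "$@"; do
        out=$(readelf -d "$f" 2>/dev/null | rpaths_from_readelf |
              while IFS= read -r rp; do unsafe_rpath_entries "$rp"; done)
        [ -z "$out" ] && continue
        printf '%s\n' "$out" |
            while IFS= read -r l; do printf '%s: %s\n' "$f" "$l"; done
        status=1
    done
    return $status
}
```

Run it as `audit_elf /usr/bin/gs /usr/bin/gv` (paths are examples) on a system with binutils installed.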
_________________________________________________________________________
* global
htags, one program within the global package, is a hypertext
generator from C, Yacc and Java source code. The "-f" option
generates a cgi script as an input form backend that is vulnerable
to a simple remote attack if the script is executable by a
webserver. Remote attackers can run arbitrary commands under the
user privileges of the webserver. The global package is not
installed per default, nor is the bug present in the
"installed-only" state of the package. However, if you use the
program and the "-f" option of htags, it is recommended to upgrade
the package as soon as possible. We are working on the update packages.
_________________________________________________________________________
* crontab
A tmp file vulnerability has been found in various implementations
of the crontab(1) command. SuSE Linux is not affected by this problem.
_________________________________________________________________________
* vlock
vlock is a terminal locking program for the Linux virtual system
console. It has been reported by Bartlomiej Grzybicki
<bgrzybicki@morliny.pl> that it is possible to crash a running vlock,
thus giving access to a console without a password. However, the
conditions under which the failure happens are not clear.
SuSE distributions are not affected because the vlock program is not
included in the distribution.
_________________________________________________________________________
* tcpdump
Several buffer overflows have been found in the tcpdump program, a
network analysis program, according to FreeBSD Security Advisory
FreeBSD-SA-00:61.tcpdump. The vulnerability can be used to remotely
crash a running tcpdump program. Since the version of tcpdump
included in SuSE distributions is not capable of decoding AFS ACL
packets, this particular part of the bugs does not concern SuSE
Linux. However, some intrusion detection systems rely on tcpdump's
output, so proper operation of the tcpdump program is crucial.
There are update packages available for download on our ftp server
which fix the vulnerability. The security announcement is pending
while we're still testing the packages.
_________________________________________________________________________
* tcsh
proton <proton@ENERGYMECH.NET> has found a temporary file vulnerability
in the portion of code in tcsh that handles redirects of the form
    cat << END_OF_TEXT
    foo
    bar
    END_OF_TEXT
With this vulnerability in place, it is possible for an attacker to
overwrite arbitrary files with the privileges of the user of tcsh.
There is no fix for this problem other than an upgrade to a fixed
version which will be available on our ftp server shortly. An advisory
covering this matter will follow.
_________________________________________________________________________
* modules/modutils
Sebastian Krahmer <krahmer@suse.de> has issued a SuSE security
announcement about the shell meta character expansion vulnerability
in the modprobe program that is responsible for the automatic
loading of kernel modules upon request. In addition to the update
packages for the vulnerable versions of the SuSE distribution, we
will provide updates for the older distributions (6.0-6.3) shortly,
even though these distributions have not been found vulnerable to
the modprobe problem. The rpm packages can be found at the usual
location shortly.
Regards,
Roman Drahtmüller,
SuSE Security.
- --
- -
| Roman Drahtmüller <draht@suse.de> // "Caution: Cape does |
SuSE GmbH - Security Phone: // not enable user to fly."
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |
- -
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
-----END PGP SIGNATURE-----
(5731135) --------------------------------(Reflowed)