[MBT] new entry in pkg mm "Home Weekly edition Archives Security Calendar

root at ep09.kernel.pl root at ep09.kernel.pl
Wed Aug 28 15:38:32 CEST 2002



Security

Security news

Konqueror and digital certificates
Here is an advisory from the KDE project regarding a flaw in Konqueror's digital certificate handling. It seems that Konqueror (along with certain other, proprietary web browsers) doesn't look hard enough at how a site's certificate was signed, meaning that anybody can fake a certificate for anybody else's site. Thus, with a little additional trickery, it would be possible to set up "man in the middle" attacks and steal credit card numbers.

The Register described this vulnerability as "a colossal stuff-up." Certainly the error is worth fixing, but anybody who is greatly concerned about this vulnerability would be well advised to look at the end of the "Certificates and Credentials" chapter in Bruce Schneier's Secrets & Lies:

I visited www.palm.com to purchase something for my PalmPilot. When I went to the online checkout, I was redirected to https://palmorder.modusmedia.com/asp/store.asp. The SSL certificate was registered to Modus Media International; clearly a flagrant attempt to defraud web customers, which I deftly uncovered because I carefully checked the SSL certificate. Not.

All that SSL does in almost every use is to verify that the remote site has a certificate issued by a trusted authority. There is no verification that said certificate has anything to do with the site that the user expects to be interacting with. Man in the middle attacks are easily done even when the web browser properly checks how digital certificates were signed; the Konqueror vulnerability has not really opened up any new holes.

The real issue, which nobody is all that concerned about, is that the digital certificate system is not doing much for its users. Quoting Schneier again: "Digital certificates provide no actual security for electronic commerce; it's a complete sham." Konqueror users should go ahead and apply the patch (see the LWN vulnerability entry for distributor updates as they arrive), but it's not going to make them all that much more secure against man in the middle attacks.
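The two distinct checks that the article separates, "was this certificate signed by something entitled to sign it" (the Konqueror bug) and "is it bound to the host the user asked for" (Schneier's point), can be run side by side with Go's standard crypto/x509 verifier. The program below is an added example, not code from LWN or from the KDE project; the CA name "Example Root CA" and the hosts shop.example, attacker.example and palmorder.example are constructed for it. The attacker holds an ordinary, validly issued end-entity certificate and uses its key to sign a second certificate naming shop.example; a browser that ignored basicConstraints would accept that chain, while a correct verifier rejects it. The third case shows the check that still cannot help: a genuine certificate for a host other than the one the user expected passes the chain check and fails only the name check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certTemplate builds a template for either a CA or an end-entity (server)
// certificate. All names used with it are constructed for this example.
func certTemplate(name string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // basicConstraints is present...
		IsCA:                  isCA, // ...and states whether this key may sign certificates
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{name} // the host this certificate is bound to
	}
	return t
}

// issue signs tmpl with parentKey; with parent == nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verify performs the full browser-side check: chain to a trusted root, every
// signer entitled to sign (CA=TRUE), and the leaf bound to the requested host.
func verify(roots, intermediates *x509.CertPool, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: host})
	return err
}

// RunScenarios builds a tiny PKI and returns the verification outcome of three
// situations; a nil error is the case where a browser would show the padlock.
func RunScenarios() map[string]error {
	root, rootKey, err := issue(certTemplate("Example Root CA", true, 1), nil, nil)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)

	// Genuine certificate for shop.example, issued by the trusted root.
	shop, _, err := issue(certTemplate("shop.example", false, 2), root, rootKey)
	if err != nil {
		panic(err)
	}
	// The attacker owns an ordinary (non-CA) certificate for attacker.example
	// and uses its private key to sign a certificate that names shop.example.
	attacker, attackerKey, err := issue(certTemplate("attacker.example", false, 3), root, rootKey)
	if err != nil {
		panic(err)
	}
	results := map[string]error{
		"genuine cert, expected host": verify(roots, nil, shop, "shop.example"),
		"genuine cert, other host":    verify(roots, nil, shop, "palmorder.example"),
	}
	forged, _, err := issue(certTemplate("shop.example", false, 4), attacker, attackerKey)
	if err != nil {
		results["forged via non-CA cert"] = err // library refused to issue it at all
	} else {
		inters := x509.NewCertPool()
		inters.AddCert(attacker)
		results["forged via non-CA cert"] = verify(roots, inters, forged, "shop.example")
	}
	return results
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-28s -> %v\n", name, err)
	}
}
```

Only the first case returns nil. The forged chain is rejected because the signer's basicConstraints says it is not a CA; the "other host" case is rejected only by the DNSName check, which is exactly the check that proves nothing about whether palmorder.example is the party the user meant to pay.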


August CRYPTO-GRAM newsletter
Bruce Schneier's CRYPTO-GRAM newsletter for August is out; it includes a look at Palladium, the proposed law allowing attacks against online copyright violators, and the idea of arming airline pilots. "To me, it's another example of the insane lengths the entertainment companies are willing to go to preserve their business models. They're willing to destroy your privacy, have general-purpose computers declared illegal, and exercise special vigilante police powers that no one else has...just to make sure that no one watches 'The Little Mermaid' without paying for it. They're trying to invent a new crime: interference with a business model."


Security reports

FUDforum file access and SQL Injection
FUDforum is a web-based forum system. Ulf Harnhammar has reported two vulnerabilities in this package; one can provide access to files outside of the FUDforum directory, and the other can lead to SQL injection issues. The problems have been fixed in version 2.2.0.


New PHP-Nuke cross-site scripting bug exposes admin accounts
A new cross-site scripting vulnerability has been reported in PHP-Nuke v5.6; properly exploited, this hole can be used to obtain access to the site's administrative accounts. No fix is available as of this writing. (Additional note: this vulnerability was actually first reported in March. PostNuke also, apparently, has this problem).


Input validation attack in php-affiliate
php-affiliate - a script for running web site affiliate programs - places a little too much trust in the hidden fields it puts into forms, with the result that users can modify information belonging to other users.
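The php-affiliate flaw is the general "hidden field as identity" mistake, so here is an added example (not php-affiliate's code, and not from LWN) in Go that runs the same tampered request against a handler that trusts the hidden uid field and against one that takes the account from the server-side session instead. The store, the users alice and bob, the session_user cookie and the /affiliate/update path are all constructed for the example; a real application would look the user up from an unguessable session id rather than carrying the name in the cookie.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Store is a constructed in-memory stand-in for the affiliate database,
// mapping an account name to its payout address.
type Store struct {
	payout map[string]string
}

func NewStore() *Store {
	return &Store{payout: map[string]string{"alice": "alice@example.org", "bob": "bob@example.org"}}
}

// sessionUser stands in for "who is logged in". The cookie carries the name
// directly only to keep the example short; a real app resolves a session id.
func sessionUser(r *http.Request) string {
	c, err := r.Cookie("session_user")
	if err != nil {
		return ""
	}
	return c.Value
}

// vulnerableUpdate trusts the hidden "uid" form field, which the person
// sitting at the browser can rewrite freely.
func (s *Store) vulnerableUpdate(w http.ResponseWriter, r *http.Request) {
	if sessionUser(r) == "" {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	uid := r.FormValue("uid") // client-controlled identity
	s.payout[uid] = r.FormValue("payout")
	fmt.Fprintln(w, "ok")
}

// hardenedUpdate acts only on the account bound to the authenticated session
// and treats a disagreeing hidden field as tampering.
func (s *Store) hardenedUpdate(w http.ResponseWriter, r *http.Request) {
	uid := sessionUser(r)
	if uid == "" {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	if f := r.FormValue("uid"); f != "" && f != uid {
		http.Error(w, "account mismatch", http.StatusForbidden) // worth logging
		return
	}
	s.payout[uid] = r.FormValue("payout")
	fmt.Fprintln(w, "ok")
}

// postTampered sends the request bob could craft: logged in as bob, hidden
// field rewritten to alice. It returns alice's payout afterwards and the status.
func postTampered(s *Store, h http.HandlerFunc) (string, int) {
	form := url.Values{"uid": {"alice"}, "payout": {"bob-pockets@example.net"}}
	req := httptest.NewRequest("POST", "/affiliate/update", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: "session_user", Value: "bob"})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return s.payout["alice"], rec.Code
}

// Demo runs the tampered request against both handlers on fresh stores.
func Demo() (vulnPayout string, vulnStatus int, hardPayout string, hardStatus int) {
	v := NewStore()
	vulnPayout, vulnStatus = postTampered(v, v.vulnerableUpdate)
	h := NewStore()
	hardPayout, hardStatus = postTampered(h, h.hardenedUpdate)
	return
}

func main() {
	vp, vs, hp, hs := Demo()
	fmt.Printf("vulnerable: status %d, alice's payout now %q\n", vs, vp)
	fmt.Printf("hardened:   status %d, alice's payout still %q\n", hs, hp)
}
```

The hardened handler does not need the hidden field at all; keeping the comparison gives a cheap detection signal, since a legitimate browser never submits a uid that differs from its own session.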


Remote command execution in Web Shop Manager
The Web Shop Manager e-commerce system has a trivial remote command execution vulnerability. This problem exists in version 1.1; no updates are yet visible on the project web site.


New vulnerabilities

Numerous vulnerabilities in bugzilla
Package(s): bugzilla CVE #(s): CAN-2002-0804 CAN-2002-0805 CAN-2002-0806 CAN-2002-0807 CAN-2002-0808 CAN-2002-0809 CAN-2002-0810 CAN-2002-0811 CAN-2002-0803
Created: Aug 21, 2002 Updated: Aug 21, 2002
Description: The bugzilla bug tracking system has a long list of security problems which can lead to data disclosure, administrative access, and denial of service attacks. The Red Hat advisory (below) gives the full list.
Alerts:
Red Hat RHSA-2002:109-07 2002-08-20


Filename disclosure vulnerability in fam
Package(s): fam CVE #(s):
Created: Aug 19, 2002 Updated: Aug 19, 2002
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15


Buffer overflow in libpng
Package(s): libpng CVE #(s): CAN-2002-0728 CAN-2002-0660
Created: Aug 20, 2002 Updated: Aug 20, 2002
Description: Versions of libpng prior to 1.0.14 contain a buffer overflow in the progressive reader when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. Such deliberately malformed datastreams would crash applications that are linked to libpng and that use the progressive reading feature. (From the Red Hat alert).
Alerts:
Yellow Dog YDU-20020819-2 2002-08-19
Eridani ERISA-2002:039 2002-08-19
Red Hat RHSA-2002:151-21 2002-08-14
Mandrake MDKSA-2002:049 2002-08-13
Debian DSA-140-2 2002-08-05
Debian DSA-140-1 2002-08-01
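The libpng bug above comes down to sizing the output from IHDR and then letting the inflated IDAT stream write past that size. The decoder below is an added example written for this page, not libpng's code: it walks the chunks, checks each CRC, derives the pixel buffer size from IHDR for the one format it handles (8-bit RGB, no interlace), and inflates at most one byte more than that size so that any excess is detected and rejected rather than written. BuildPNG constructs the test files in memory; the rawLen parameter lets it produce both a well-formed image and the malformed "more IDAT data than IHDR announces" case. The dimension cap of 2^14 is a constructed policy limit for the example.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"io"
)

var pngSig = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// chunk serialises one PNG chunk: length, type, data, CRC-32 over type+data.
func chunk(typ string, data []byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint32(len(data)))
	b.WriteString(typ)
	b.Write(data)
	binary.Write(&b, binary.BigEndian, crc32.ChecksumIEEE(append([]byte(typ), data...)))
	return b.Bytes()
}

// BuildPNG constructs a minimal 8-bit RGB, non-interlaced image whose IDAT
// stream carries rawLen bytes of filtered pixel data. A well-formed file has
// rawLen == height*(1+width*3); anything larger is the malformed case.
func BuildPNG(width, height uint32, rawLen int) []byte {
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:], width)
	binary.BigEndian.PutUint32(ihdr[4:], height)
	ihdr[8], ihdr[9] = 8, 2 // bit depth 8, colour type 2 (RGB); rest stays zero
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write(bytes.Repeat([]byte{0x41}, rawLen)) // constructed filler "pixels"
	w.Close()
	var f bytes.Buffer
	f.Write(pngSig)
	f.Write(chunk("IHDR", ihdr))
	f.Write(chunk("IDAT", z.Bytes()))
	f.Write(chunk("IEND", nil))
	return f.Bytes()
}

// DecodeRGB8 walks the chunks, sizes the pixel buffer from IHDR, and inflates
// the concatenated IDAT data into it, refusing any byte beyond that size.
func DecodeRGB8(file []byte) ([]byte, error) {
	if !bytes.HasPrefix(file, pngSig) {
		return nil, errors.New("not a PNG")
	}
	r := bytes.NewReader(file[8:])
	expect := 0 // bytes of filtered pixel data IHDR commits the stream to
	var idat bytes.Buffer
	for {
		var length uint32
		if err := binary.Read(r, binary.BigEndian, &length); err != nil {
			return nil, errors.New("truncated chunk header")
		}
		typ := make([]byte, 4)
		if _, err := io.ReadFull(r, typ); err != nil {
			return nil, err
		}
		if int(length) > r.Len() { // chunk length is untrusted too
			return nil, errors.New("chunk length exceeds file")
		}
		data := make([]byte, length)
		if _, err := io.ReadFull(r, data); err != nil {
			return nil, err
		}
		var crc uint32
		if err := binary.Read(r, binary.BigEndian, &crc); err != nil {
			return nil, err
		}
		if crc != crc32.ChecksumIEEE(append(typ, data...)) {
			return nil, fmt.Errorf("bad CRC on %s chunk", typ)
		}
		switch string(typ) {
		case "IHDR":
			if len(data) != 13 || data[8] != 8 || data[9] != 2 || data[12] != 0 {
				return nil, errors.New("only 8-bit non-interlaced RGB handled here")
			}
			w := binary.BigEndian.Uint32(data[0:])
			h := binary.BigEndian.Uint32(data[4:])
			if w == 0 || h == 0 || w > 1<<14 || h > 1<<14 { // constructed sanity limit
				return nil, errors.New("unreasonable dimensions")
			}
			expect = int(h) * (1 + int(w)*3) // filter byte + 3 bytes per pixel per row
		case "IDAT":
			idat.Write(data)
		case "IEND":
			if expect == 0 {
				return nil, errors.New("IHDR missing")
			}
			zr, err := zlib.NewReader(&idat)
			if err != nil {
				return nil, err
			}
			// Ask for expect+1 bytes: receiving all of them proves the stream
			// holds more pixel data than IHDR announced, without writing it anywhere.
			out := make([]byte, expect+1)
			n, err := io.ReadFull(zr, out)
			if err != nil && !errors.Is(err, io.ErrUnexpectedEOF) && !errors.Is(err, io.EOF) {
				return nil, err
			}
			if n > expect {
				return nil, errors.New("IDAT data exceeds size announced by IHDR")
			}
			if n < expect {
				return nil, errors.New("IDAT data shorter than announced")
			}
			return out[:expect], nil
		}
	}
}
```

For a 2x2 RGB image the expected size is 2 rows of 1+2*3 bytes, so BuildPNG(2, 2, 14) decodes and BuildPNG(2, 2, 64) is refused. The same bounded-read idea applies to a progressive reader: the row buffer is fixed once IHDR is seen, and the inflater must never be handed more room than that buffer has.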


Inadequate digital certificate verification in Konqueror
Package(s): Konqueror CVE #(s):
Created: Aug 19, 2002 Updated: Aug 21, 2002
Description: The Konqueror web browser, versions 3.0.2 and prior, does not properly check how digital certificates were signed; the result is that anybody can create fake certificates and use them for "man in the middle" attacks. The problem was fixed in Konqueror 3.0.3.

See also:

* The KDE project's advisory on the problem.
* LWN's article on the vulnerability and the fundamental insecurity of the digital certificate infrastructure.

Alerts:
Debian DSA-155-1 2002-08-17


Multiple vulnerabilities in mantis
Package(s): mantis CVE #(s):
Created: Aug 20, 2002 Updated: Aug 20, 2002
Description: The Mantis project has reported a number of bugs in the Mantis bug tracking system, including:

* Arbitrary code execution as a result of some uninitialized variables, beyond the problem reported in the previous Mantis vulnerability.
* Exposure of private bug information through the modification of cookies.
* SQL poisoning which could lead to privilege elevation.
* Bypassing of limitations on who can view specific bugs.
* Another code execution vulnerability resulting from a different uninitialized variable.

Needless to say, upgrading to a version later than 0.17.3 is recommended.
Alerts:
Debian DSA-153-2 2002-08-20


Safemode vulnerability in PHP
Package(s): PHP CVE #(s): CAN-2001-1246
Created: Aug 20, 2002 Updated: Aug 20, 2002
Description: PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to the mail() function, allowing arbitrary command execution by local and (possibly) remote attackers.
Alerts:
Red Hat RHSA-2002:102-26 2002-08-19


Buffer overflow vulnerabilities in PostgreSQL
Package(s): PostgreSQL CVE #(s):
Created: Aug 21, 2002 Updated: Aug 21, 2002
Description: "Sir Mordred The Traitor" has reported a number of buffer overflow vulnerabilities in the PostgreSQL cash_words, repeat, and lpad and rpad functions. The cash_words vulnerability is fixed in PostgreSQL 7.2.1; the other two vulnerabilities remain open.
Alerts: (No alerts in the database for this vulnerability)


XDR vulnerability in krb5
Package(s): krb5 CVE #(s): CAN-2002-0391
Created: Aug 19, 2002 Updated: Aug 20, 2002
Description: The Kerberos 5 implementation suffers from the same SunRPC XDR buffer overflow problem as many other packages (see the CERT advisory).
Alerts:
Yellow Dog YDU-20020819-1 2002-08-19
Eridani ERISA-2002:038 2002-08-16
Red Hat RHSA-2002:172-07 2002-08-14


Updated vulnerabilities

OpenSSL remotely-exploitable buffer overflow vulnerabilities
Package(s): OpenSSL CVE #(s): CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659
Created: Jul 30, 2002 Updated: Aug 14, 2002
Description: Four remotely-exploitable buffer overflows were found in OpenSSL versions 0.9.7 and 0.9.6d and earlier by a DARPA sponsored security audit. Both client and server applications are affected. The vulnerabilities are described in this security alert from the OpenSSL team.

No exploits have yet been published, but these vulnerabilities are believed to be remotely exploitable; applying an update is a good thing to do in the near future.

CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL
Alerts:
Yellow Dog YDU-20020810-1 2002-08-10
Conectiva CLA-2002:516 2002-08-08
EnGarde ESA-20020807-020 2002-08-07
Mandrake MDKSA-2002:046-1 2002-08-06
Red Hat RHSA-2002:160-21 2002-08-05
Eridani ERISA-2002:034 2002-08-06
Yellow Dog YDU-20020801-3 2002-08-01
Caldera CSSA-2002-033.0 2002-07-31
Gentoo openssl-20020730 2002-07-30
Eridani ERISA-2002:033 2002-07-30
SuSE SuSE-SA:2002:027 2002-07-30
Mandrake MDKSA-2002:046 2002-07-30
Conectiva CLA-2002:513 2002-07-31
Red Hat RHSA-2002:155-11 2002-07-29
Trustix 2002-0063 2002-07-29
OpenPKG OpenPKG-SA-2002.008 2002-07-30
EnGarde ESA-20020730-019 2002-07-30
Debian DSA-136-1 2002-07-30


Denial of service vulnerability in version 9 of BIND
Package(s): bind CVE #(s): CAN-2002-0400
Created: Jun 05, 2002 Updated: Aug 19, 2002
Description: Here is an advisory from the Computer Emergency Response Team (CERT) regarding the denial of service vulnerability in version 9 of the BIND nameserver, up to 9.2.1. An attacker can send a properly crafted packet which triggers a check within BIND and causes it to shut down. The vulnerability cannot be exploited for any purpose beyond denial of service, but that is bad enough; if you are running BIND 9, an upgrade is probably a good idea.

Note that many or most systems out there will still be running BIND 8, and thus will not be vulnerable.

News articles on the vulnerability appear in the Register and Network World Fusion News.
Alerts:
Mandrake MDKSA-2002:038-1 2002-08-15
Yellow Dog YDU-20020606-6 2002-06-06
Conectiva CLA-2002:494 2002-06-06
SuSE SuSE-SA:2002:021 2002-06-06
Mandrake MDKSA-2002:038 2002-06-04
Red Hat RHSA-2002:105-09 2002-06-04


bind buffer overflow vulnerability in DNS resolver libraries
Package(s): bind glibc CVE #(s): CAN-2002-0651 CAN-2002-0684
Created: Jul 08, 2002 Updated: Aug 19, 2002
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
Caldera CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04


Off by one buffer overflow vulnerability in cvsd
Package(s): cvs CVE #(s):
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: cvs version 1.11, and possibly earlier versions, has a locally exploitable off by one buffer overflow vulnerability. The details are available here.
Alerts:
Caldera CSSA-2002-035.0 2002-08-08


Potential unauthorized root access vulnerability in dietlibc
Package(s): dietlibc CVE #(s): CAN-2002-0391
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in dietlibc, a libc optimized for small size. The bug could be exploited to gain unauthorized root access to software linking to dietlibc.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream
Alerts:
Debian DSA-146-2 2002-08-08
Debian DSA-146-1 2002-08-08


Buffer overflow vulnerability in the Jabber plug-in module for gaim
Package(s): gaim CVE #(s): CAN-2002-0384 CAN-2002-0377
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: gaim versions prior to 0.58 contained a buffer overflow in the Jabber plug-in module. The problem is fixed in gaim 0.59 which is available here. "Gaim is an instant messaging client written in GTK and is based on the published TOC messaging protocol from AOL."
Alerts:
Yellow Dog YDU-20020810-4 2002-08-10
Red Hat RHSA-2002:107-11 2002-08-05


Remote execution vulnerability in gallery
Package(s): gallery CVE #(s):
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: A remote attacker could execute commands under the uid of the web server by passing in the GALLERY_BASEDIR variable remotely. Gallery is a web-based photo album toolkit.
Alerts:
Debian DSA-138-1 2002-08-01


Potential remote root exploit in glibc
Package(s): glibc CVE #(s): CAN-2002-0391
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream
Alerts:
Trustix 2002-0067 2002-08-13
Eridani ERISA-2002:036 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Debian DSA-149-1 2002-08-13


HylaFAX 4.1.3 fixes multiple vulnerabilities
Package(s): hylafax CVE #(s): CAN-2001-1034
Created: Jul 30, 2002 Updated: Aug 14, 2002
Description: The HylaFAX team has released version 4.1.3 fixing denial of service, elevated system privilege and possible remote code execution vulnerabilities.

HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX.
Alerts:
Debian DSA-148-1 2002-08-12


Buffer overflow and format string vulnerabilities in ipppd
Package(s): i4l CVE #(s):
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: The ipppd program, in the i4l package, has various buffer overflows and format string bugs. Since ipppd is installed setuid to root, attackers with appropriate group membership may be able to execute arbitrary commands as root. The i4l package for ISDN connectivity is installed by default in at least one distribution; you are vulnerable even if you do not have an ISDN connection.

The SuSE Security Team is aware of a published exploit for ipppd that gives a local attacker root privileges so you should either update the package or remove the setuid bit from ipppd.
Alerts:
SuSE SuSE-SA:2002:030 2002-08-12


File exposure vulnerability in interchange
Package(s): interchange CVE #(s):
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: A problem has been discovered in interchange which may allow a remote attacker to read any file for which the user of the Interchange daemon has sufficient permissions. Interchange must be running in "INET mode" (internet domain socket) to be vulnerable. This is not the default setting, at least in Debian packages.

Interchange is an e-commerce and general HTTP database display system.
Alerts:
Debian DSA-150-1 2002-08-13


Kerberos 5 unauthorized root access to KDC host vulnerability
Package(s): krb5 CVE #(s):
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: A bug in the Kerberos 5 remote administration service, "kadmind", could be exploited to gain unauthorized root access to a KDC host. It is believed that the attacker needs to be able to authenticate to the kadmin daemon for this attack to be successful.

Felix von Leitner discovered this potential division by zero bug in code derived from the SunRPC library which is used in many places, including the Kerberos 5 administration system.

Updating now is recommended.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream
Alerts:
Conectiva CLA-2002:515 2002-08-07
Debian DSA-143-1 2002-08-05
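The dietlibc, glibc and kadmind entries above all trace back to the same defect named in VU#192995: xdr_array() takes an element count from the untrusted stream, multiplies it by the element size in 32-bit arithmetic, and allocates the (wrapped) result while still copying the full count. The decoder below is an added example written for this page, not the SunRPC, glibc or Kerberos code: it parses an XDR variable-length array of 32-bit integers, checks the count against a caller-supplied limit and against the bytes actually present before allocating, and does the size product in 64 bits so it cannot wrap. WrappedSize reproduces the vulnerable arithmetic for comparison, and HostileStream is a constructed message that claims 0x40000001 elements.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// EncodeUint32Array produces the XDR wire form of a variable-length array of
// unsigned 32-bit integers: a 4-byte big-endian count, then each element as a
// 4-byte big-endian word (no padding is needed for 4-byte elements).
func EncodeUint32Array(v []uint32) []byte {
	buf := make([]byte, 4+4*len(v))
	binary.BigEndian.PutUint32(buf, uint32(len(v)))
	for i, x := range v {
		binary.BigEndian.PutUint32(buf[4+4*i:], x)
	}
	return buf
}

// WrappedSize reproduces the arithmetic at the heart of the xdr_array bug:
// count*elSize evaluated in 32 bits, which silently wraps for large counts.
func WrappedSize(count, elSize uint32) uint32 { return count * elSize }

// DecodeUint32Array parses an XDR array of uint32, validating the untrusted
// count before any allocation or copy takes place.
func DecodeUint32Array(buf []byte, maxCount uint32) ([]uint32, error) {
	const elSize = 4
	if len(buf) < 4 {
		return nil, errors.New("short read on element count")
	}
	count := binary.BigEndian.Uint32(buf)
	if count > maxCount { // an application-level ceiling, independent of buffer size
		return nil, fmt.Errorf("count %d exceeds decoder limit %d", count, maxCount)
	}
	need := uint64(count) * elSize // widened product cannot wrap for uint32 inputs
	if need > uint64(len(buf)-4) {
		return nil, fmt.Errorf("count %d needs %d bytes but only %d follow", count, need, len(buf)-4)
	}
	out := make([]uint32, count)
	for i := range out {
		out[i] = binary.BigEndian.Uint32(buf[4+i*elSize:])
	}
	return out, nil
}

// HostileStream is a constructed message claiming 0x40000001 elements while
// carrying only four bytes of payload; 0x40000001*4 wraps to 4 in 32-bit math,
// so a vulnerable decoder would allocate 4 bytes and then copy 4 GiB into them.
func HostileStream() []byte {
	return []byte{0x40, 0x00, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef}
}

func main() {
	fmt.Println("vulnerable allocation size:", WrappedSize(0x40000001, 4))
	_, err := DecodeUint32Array(HostileStream(), 1<<16)
	fmt.Println("hardened decoder:", err)
}
```

The byte-availability check alone already stops this particular stream, but the explicit count ceiling matters for decoders that read from a socket rather than a buffer, where "bytes present" is not known up front.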


Remotely exploitable vulnerabilities in l2tpd
Package(s): l2tpd CVE #(s):
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: l2tpd, a layer 2 tunneling client/server program, does not initialize the random number generator. Since this makes all generated random numbers 100% guessable, the oversight could lead to remote exploits. There is also a buffer overflow vulnerability. Both problems are fixed in the updates below.
Alerts:
Debian DSA-152-1 2002-08-13


Apache mod_ssl off-by-one local code execution and DoS vulnerability
Package(s): libapache-mod-ssl mod_ssl CVE #(s): CAN-2002-0653
Created: Jul 02, 2002 Updated: Aug 14, 2002
Description: Mod-ssl provides strong cryptography for the Apache webserver via the Secure Sockets Layer (SSL). A maliciously crafted .htaccess file may be used by an attacker to execute arbitrary commands as the httpd user or launch a denial of service attack. The problem is fixed in mod_ssl 2.8.10 which is available from here.

For more information see the announcement.
Alerts:
Mandrake MDKSA-2002:048 2002-08-08
Yellow Dog YDU-20020801-1 2002-08-01
Eridani ERISA-2002:029 2002-07-25
Caldera CSSA-2002-031.0 2002-07-16
Red Hat RHSA-2002:134-12 2002-07-16
EnGarde ESA-20020702-017 2002-07-02
Conectiva CLA-2002:504 2002-07-02
Debian DSA-135-1 2002-07-02


libpng buffer overflow vulnerability
Package(s): libpng libpng2 libpng3 CVE #(s):
Created: Jul 17, 2002 Updated: Aug 19, 2002
Description: Versions of libpng prior to 1.2.4 and 1.0.14 have a buffer overflow vulnerability that could lead to remote code execution. Since libpng is used by programs that talk to the outside world (i.e. mozilla), it is worth upgrading.

libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over five years.
Alerts:
Eridani ERISA-2002:030 2002-07-25
Conectiva CLA-2002:512 2002-07-17


Mailman 2.0.11 fixes two cross-site scripting vulnerabilities
Package(s): mailman CVE #(s):
Created: Jun 05, 2002 Updated: Aug 14, 2002
Description: Barry A. Warsaw announced the release of Mailman 2.0.11 "which fixes two cross-site scripting exploits, one reported by 'office' in the admin login page, and another reported by Tristan Roddis in the Pipermail index summaries. It is recommended that all sites upgrade their 2.0.x systems to this version."
Alerts:
Debian DSA-147-1 2002-08-08
Red Hat RHSA-2002:101-06 2002-06-27
Red Hat RHSA-2002:099-04 2002-06-06
Red Hat RHSA-2002:100-03 2002-06-06
Conectiva CLA-2002:489 2002-05-24


Remote arbitrary code execution vulnerability in mantis
Package(s): mantis CVE #(s):
Created: Aug 14, 2002 Updated: Aug 20, 2002
Description: Mantis is a PHP-based bug tracking system. Joao Gouveia and the Debian Security Team found multiple insecure uses of uninitialized variables in mantis.

When these occasions are exploited, a remote user is able to execute arbitrary code under the webserver user id on the web server hosting the mantis system.
Alerts:
Debian DSA-153-1 2002-08-14


Temporary file vulnerability in mm library"
From: bugs at pld.org.pl
Reply-to: pld-devel-en at pld.org.pl
Message-Id: <bW0=.625 at bugs.pld.org.pl>
References: <bW0=.608 at bugs.pld.org.pl> 


Date: 2002-08-28 15:38:31+02	Author: Jakub Bogusz (qboosh) <qboosh at pld.org.pl> 
Title:         Home Weekly edition Archives Security Calendar
Distributions Penguin Gallery Kernel patches Stocks Old site
About LWN Donate Advertise Headlines Privacy

Security

Security news

Konqueror and digital certificates
Here is an advisory from the KDE project regarding a flaw in Konqueror's digital certificate handling. It seems that Konqueror (along with certain other, proprietary web browsers) doesn't look hard enough at how a site's certificate was signed, meaning that anybody can fake a certificate for anybody else's site. Thus, with a little additional trickery, it would be possible to set up "man in the middle" attacks and steal credit card numbers.

The Register described this vulnerability as "a colossal stuff-up." Certainly the error is worth fixing, but anybody who is greatly concerned about this vulnerability would be well advised to look at the end of the "Certificates and Credentials" chapter in Bruce Schneier's Secrets & Lies:

I visited www.palm.com to purchase something for my PalmPilot. When I went to the online checkout, I was redirected to https://palmorder.modusmedia.com/asp/store.asp. The SSL certificate was registered to Modus Media Internatinoal; clearly a flagrant attempt to defraud web customers, which I deftly uncovered because I carefully checked the SSL certificate. Not.

All that SSL does in almost every use is to verify that the remote site has a certificate issued by a trusted authority. There is no verification that said certificate has anything to do with the site that the user expects to be interacting with. Man in the middle attacks are easily done even when the web browser properly checks how digital certificates were signed; the Konqueror vulnerability has not really opened up any new holes.

The real issue, which nobody is all that concerned about, is that the digital certificate system is not doing much for its users. Quoting Schneier again: "Digital certificates provide no actual security for electronic commerce; it's a complete sham." Konqueror users should go ahead and apply the patch (see the LWN vulnerability entry for distributor updates as they arrive), but it's not going to make them all that much more secure against man in the middle attacks.

Comments (none posted)

August CRYPTO-GRAM newsletter
Bruce Schneier's CRYPTO-GRAM newsletter for August is out; it includes a look at Palladium, the proposed law allowing attacks against online copyright violators, and the idea of arming airline pilots. "To me, it's another example of the insane lengths the entertainment companies are willing to go to preserve their business models. They're willing to destroy your privacy, have general-purpose computers declared illegal, and exercise special vigilante police powers that no one else has...just to make sure that no one watches 'The Little Mermaid' without paying for it. They're trying to invent a new crime: interference with a business model."

Full Story (comments: none)

Security reports

FUDforum file access and SQL Injection
FUDforum is a web-based forum system. Ulf Harnhammar has reported two vulnerabilities in this package; one can provide access to files outside of the FUDforum directory, and the other can lead to SQL injection issues. The problems have been fixed in version 2.2.0.

Full Story (comments: none)

New PHP-Nuke cross-site scripting bug exposes admin accounts
A new cross-site scripting vulnerability has been reported in PHP-Nuke v5.6; properly exploited, this hole can be used to obtain access to the site's administrative accounts. No fix is available as of this writing. (Additional note: this vulnerability was actually first reported in March. PostNuke also, apparently, has this problem).

Full Story (comments: none)

Input validation attack in php-affiliate
php-affiliate - a script for running web site affiliate programs - places a little too much trust in the hidden fields it puts into forms, with the result that users can modify information belonging to other users.

Full Story (comments: none)

Remote command execution in Web Shop Manager
The Web Shop Manager e-commerce system has trivial remote command execution vulnerability. This problem exists in version 1.1; no updates are yet visible on the project web site.

Full Story (comments: none)

New vulnerabilities

Numerous vulnerabilities in bugzilla
Package(s): bugzilla CVE #(s): CAN-2002-0804 CAN-2002-0805 CAN-2002-0806 CAN-2002-0807 CAN-2002-0808 CAN-2002-0809 CAN-2002-0810 CAN-2002-0811 CAN-2002-0803
Created: Aug 21, 2002 Updated: Aug 21, 2002
Description: The bugzilla bug tracking system has a long list of security problems which can lead to data disclosure, administrative access, and denial of service attacks. The Red Hat advisory (below) gives the full list.
Alerts:
Red Hat RHSA-2002:109-07 2002-08-20

Comments (none posted)

Filename disclosure vulnerability in fam
Package(s): fam CVE #(s):
Created: Aug 19, 2002 Updated: Aug 19, 2002
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15

Comments (none posted)

Buffer overflow in libpng
Package(s): libpng CVE #(s): CAN-2002-0728 CAN-2002-0660
Created: Aug 20, 2002 Updated: Aug 20, 2002
Description: Versions of libpng prior to 1.0.14 contain a buffer overflow in the progressive reader when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. Such deliberately malformed datastreams would crash applications that are linked to libpng and that use the progressive reading feature. (From the Red Hat alert).
Alerts:
Yellow Dog YDU-20020819-2 2002-08-19
Eridani ERISA-2002:039 2002-08-19
Red Hat RHSA-2002:151-21 2002-08-14
Mandrake MDKSA-2002:049 2002-08-13
Debian DSA-140-2 2002-08-05
Debian DSA-140-1 2002-08-01

Comments (none posted)

Inadequate digital certificate verification in Konqueror
Package(s): Konqueror CVE #(s):
Created: Aug 19, 2002 Updated: Aug 21, 2002
Description: The Konqueror web browser, versions 3.0.2 and prior, does not properly check how digital certificates were signed; the result is that anybody can create fake certificates and use them for "man in the middle" attacks. The problem was fixed in Konqueror 3.0.3.

See also:

    * The KDE project's advisory on the problem.

* LWN's article on the vulnerability and the fundamental insecurity of the digital certificate infrastructure.

Alerts:
Debian DSA-155-1 2002-08-17

Comments (none posted)

Multiple vulnerabilities in mantis
Package(s): mantis CVE #(s):
Created: Aug 20, 2002 Updated: Aug 20, 2002
Description: The Mantis project has reported a number of bugs in the Mantis bug tracking system, including:

    * Arbitrary code execution as a result of some unitialized variables - beyond the problem reported in the previous Mantis vulnerability.

    * Exposure of private bug information through the modification of cookies.

    * SQL poisoning which could lead to privilege elevation.

    * Bypassing of limitations on who can view specific bugs.

* Another code execution vulnerability resulting from a different uninitialized variable.

Needless to say, upgrading to a version later than 0.17.3 is recommended.
Alerts:
Debian DSA-153-2 2002-08-20

Comments (none posted)

Safemode vulnerability in PHP
Package(s): PHP CVE #(s): CAN-2001-1246
Created: Aug 20, 2002 Updated: Aug 20, 2002
Description: PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to the mail() function, allowing arbitrary command execution by local and (possibly) remote attackers.
Alerts:
Red Hat RHSA-2002:102-26 2002-08-19

Comments (none posted)

Buffer overflow vulnerabilities in PostgreSQL
Package(s): PostgreSQL CVE #(s):
Created: Aug 21, 2002 Updated: Aug 21, 2002
Description: "Sir Mordred The Traitor" has reported a number of buffer overflow vulnerabilities in the PostgreSQL cash_words, repeat, and lpad and rpad functions. The cash_words vulnerability is fixed in PostgreSQL 7.2.1; the other two vulnerabilities remain open.
Alerts: (No alerts in the database for this vulnerability)

Comments (none posted)

XDR vulnerability in krb5
Package(s): krb5 CVE #(s): CAN-2002-0391
Created: Aug 19, 2002 Updated: Aug 20, 2002
Description: The Kerberos 5 implementation suffers from the same SunRPC XDR buffer overflow problem as many other packages (see the CERT advisory).
Alerts:
Yellow Dog YDU-20020819-1 2002-08-19
Eridani ERISA-2002:038 2002-08-16
Red Hat RHSA-2002:172-07 2002-08-14

Comments (none posted)

Updated vulnerabilities

OpenSSL remotely-exploitable buffer overflow vulnerabilities
Package(s): OpenSSL CVE #(s): CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659
Created: Jul 30, 2002 Updated: Aug 14, 2002
Description: Four remotely-exploitable buffer overflows were found in OpenSSL versions 0.9.7 and 0.9.6d and earlier by a DARPA sponsored security audit. Both client and server applications are affected. The vulnerabilities are described in this security alert from the OpenSSL team.

No exploits have, yet, been published but these vulnerabilities are believed to be remotely exploitable; applying an update is a good thing to do in the near future.

CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL
Alerts:
Yellow Dog YDU-20020810-1 2002-08-10
Conectiva CLA-2002:516 2002-08-08
EnGarde ESA-20020807-020 2002-08-07
Mandrake MDKSA-2002:046-1 2002-08-06
Red Hat RHSA-2002:160-21 2002-08-05
Eridani ERISA-2002:034 2002-08-06
Yellow Dog YDU-20020801-3 2002-08-01
Caldera CSSA-2002-033.0 2002-07-31
Gentoo openssl-20020730 2002-07-30
Eridani ERISA-2002:033 2002-07-30
SuSE SuSE-SA:2002:027 2002-07-30
Mandrake MDKSA-2002:046 2002-07-30
Conectiva CLA-2002:513 2002-07-31
Red Hat RHSA-2002:155-11 2002-07-29
Trustix 2002-0063 2002-07-29
OpenPKG OpenPKG-SA-2002.008 2002-07-30
EnGarde ESA-20020730-019 2002-07-30
Debian DSA-136-1 2002-07-30

Comments (none posted)

Denial of service vulnerability in version 9 of BIND
Package(s): bind CVE #(s): CAN-2002-0400
Created: Jun 05, 2002 Updated: Aug 19, 2002
Description: Here is an advisory from the Computer Emergency Response Team (CERT) regarding the denial of service vulnerability in version 9 of the BIND nameserver, up to 9.2.1. An attacker can send a properly crafted packet which triggers an internal consistency check within BIND and causes it to shut down. The vulnerability cannot be exploited for any purpose beyond denial of service, but that is bad enough; if you are running BIND 9, an upgrade is probably a good idea.

Note that many or most systems out there will still be running BIND 8, and thus will not be vulnerable.

News articles on the vulnerability appear in the Register and Network World Fusion News.
Alerts:
Mandrake MDKSA-2002:038-1 2002-08-15
Yellow Dog YDU-20020606-6 2002-06-06
Conectiva CLA-2002:494 2002-06-06
SuSE SuSE-SA:2002:021 2002-06-06
Mandrake MDKSA-2002:038 2002-06-04
Red Hat RHSA-2002:105-09 2002-06-04

Comments (none posted)

bind buffer overflow vulnerability in DNS resolver libraries
Package(s): bind glibc CVE #(s): CAN-2002-0651 CAN-2002-0684
Created: Jul 08, 2002 Updated: Aug 19, 2002
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc-related resolver vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately, that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetby*() functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
Caldera CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04

Comments (1 posted)

Off by one buffer overflow vulnerability in cvsd
Package(s): cvs CVE #(s):
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: cvs version 1.11, and possibly earlier versions, has a locally exploitable off-by-one buffer overflow vulnerability. The details are available here.
Alerts:
Caldera CSSA-2002-035.0 2002-08-08

Comments (none posted)

Potential unauthorized root access vulnerability in dietlibc
Package(s): dietlibc CVE #(s): CAN-2002-0391
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: Felix von Leitner discovered a potential division-by-zero bug in code derived from the SunRPC library which is used in dietlibc, a libc optimized for small size. The bug could be exploited to gain unauthorized root access to software linking to dietlibc. This is the same xdr_array() length-handling problem (CAN-2002-0391) tracked in the CERT note below.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream
Alerts:
Debian DSA-146-2 2002-08-08
Debian DSA-146-1 2002-08-08

Comments (none posted)

Buffer overflow vulnerability in the Jabber plug-in module for gaim
Package(s): gaim CVE #(s): CAN-2002-0384 CAN-2002-0377
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: gaim versions prior to 0.58 contained a buffer overflow in the Jabber plug-in module. The problem is fixed in gaim 0.59, which is available here. "Gaim is an instant messaging client written in GTK and is based on the published TOC messaging protocol from AOL."
Alerts:
Yellow Dog YDU-20020810-4 2002-08-10
Red Hat RHSA-2002:107-11 2002-08-05

Comments (none posted)

Remote execution vulnerability in gallery
Package(s): gallery CVE #(s):
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: Gallery is a web-based photo album toolkit. A remote attacker could execute commands under the uid of the web server by supplying the GALLERY_BASEDIR variable in a remote request.
Alerts:
Debian DSA-138-1 2002-08-01

Comments (none posted)

Potential remote root exploit in glibc
Package(s): glibc CVE #(s): CAN-2002-0391
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: Felix von Leitner discovered a potential division-by-zero bug in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Depending on the application, exploiting this vulnerability can lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream
Alerts:
Trustix 2002-0067 2002-08-13
Eridani ERISA-2002:036 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Debian DSA-149-1 2002-08-13

Comments (none posted)

HylaFAX 4.1.3 fixes multiple vulnerabilities
Package(s): hylafax CVE #(s): CAN-2001-1034
Created: Jul 30, 2002 Updated: Aug 14, 2002
Description: The HylaFAX team has released version 4.1.3 fixing denial of service, elevated system privilege and possible remote code execution vulnerabilities.

HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX.
Alerts:
Debian DSA-148-1 2002-08-12

Comments (none posted)

Buffer overflow and format string vulnerabilities in ipppd
Package(s): i4l CVE #(s):
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: The ipppd program, in the i4l package, has various buffer overflows and format string bugs. Since ipppd is installed setuid to root, attackers with appropriate group membership may be able to execute arbitrary commands as root. The i4l package for ISDN connectivity is installed by default in at least one distribution; you are vulnerable even if you do not have an ISDN connection.

The SuSE Security Team is aware of a published exploit for ipppd that gives a local attacker root privileges so you should either update the package or remove the setuid bit from ipppd.
Alerts:
SuSE SuSE-SA:2002:030 2002-08-12

Comments (none posted)

File exposure vulnerability in interchange
Package(s): interchange CVE #(s):
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: A problem has been discovered in interchange which may allow a remote attacker to read any file for which the user of the Interchange daemon has sufficient permissions. Interchange must be running in "INET mode" (internet domain socket) to be vulnerable. This is not the default setting, at least in Debian packages.

Interchange is an e-commerce and general HTTP database display system.
Alerts:
Debian DSA-150-1 2002-08-13

Comments (none posted)

Kerberos 5 unauthorized root access to KDC host vulnerability
Package(s): krb5 CVE #(s):
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: A bug in the Kerberos 5 remote administration service, "kadmind", could be exploited to gain unauthorized root access to a KDC host. It is believed that the attacker needs to be able to authenticate to the kadmin daemon for this attack to be successful.

Felix von Leitner discovered this potential division-by-zero bug in code derived from the SunRPC library, which is used in many places, including the Kerberos 5 administration system.

Updating now is recommended.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream
Alerts:
Conectiva CLA-2002:515 2002-08-07
Debian DSA-143-1 2002-08-05

Comments (none posted)
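The dietlibc, glibc and kadmind entries above all stem from the xdr_array() length handling covered by VU#192995: the decoder multiplies an attacker-supplied element count by the element size in 32-bit arithmetic, so a large count wraps to a small allocation that the decode loop then overruns. The C below is an added illustration written for this page, not code from SunRPC, glibc, dietlibc or Kerberos; the function names, the toy wire format and the explicit zero-element-size guard are assumptions for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Simplified model of xdr_array() length handling (VU#192995,
 * CAN-2002-0391). Assumption: written for this page as an illustration,
 * not the SunRPC, glibc, dietlibc or krb5 source.
 *
 * XDR encodes an array as a 32-bit element count followed by the
 * elements. The decoder trusts the count when sizing the allocation and
 * then loops over the same count while filling it.
 */

/* Allocation size the unchecked arithmetic produces, or 0 when the
 * caller-supplied maxsize rejects the count. */
unsigned int xdr_array_alloc_size_vulnerable(unsigned int c,
                                             unsigned int maxsize,
                                             unsigned int elsize)
{
    /* Many callers pass ~0 as maxsize, so this guard rarely rejects. */
    if (c > maxsize)
        return 0;
    /* c * elsize wraps in 32-bit unsigned arithmetic: a huge count gives
     * a tiny allocation, but the decode loop still runs c times. */
    return c * elsize;
}

/* Hardened size computation: 0 (reject) unless c * elsize fits. */
unsigned int xdr_array_alloc_size_checked(unsigned int c,
                                          unsigned int maxsize,
                                          unsigned int elsize)
{
    /* Assumption: extra defensive guard for this example. The overflow
     * check below divides by elsize, so a zero element size must be
     * rejected first rather than divided by. */
    if (elsize == 0)
        return 0;
    if (c > maxsize)
        return 0;
    /* Reject any count whose product with elsize would not fit. */
    if (c > UINT_MAX / elsize)
        return 0;
    return c * elsize;
}

/* Toy decoder over a constructed wire format: a big-endian count followed
 * by that many elsize-byte elements. Copies the elements into a buffer
 * sized by the checked computation; returns NULL on rejection. */
unsigned char *decode_array_checked(const unsigned char *wire, size_t wire_len,
                                    unsigned int elsize, unsigned int *count_out)
{
    if (wire_len < 4)
        return NULL;
    unsigned int c = ((unsigned int)wire[0] << 24) | ((unsigned int)wire[1] << 16) |
                     ((unsigned int)wire[2] << 8) | (unsigned int)wire[3];
    unsigned int nodesize = xdr_array_alloc_size_checked(c, UINT_MAX, elsize);
    if (nodesize == 0 && c != 0)
        return NULL;                 /* rejected: product would overflow */
    if (wire_len - 4 < nodesize)
        return NULL;                 /* truncated message */
    unsigned char *buf = malloc(nodesize ? nodesize : 1);
    if (!buf)
        return NULL;
    memcpy(buf, wire + 4, nodesize);
    *count_out = c;
    return buf;
}

int main(void)
{
    unsigned int c = 0x40000001u, elsize = 4;
    printf("count %#x * elsize %u: unchecked size %u, checked size %u\n",
           c, elsize,
           xdr_array_alloc_size_vulnerable(c, UINT_MAX, elsize),
           xdr_array_alloc_size_checked(c, UINT_MAX, elsize));
    return 0;
}
```

The checked version rejects the count before it reaches malloc(); the zero-element-size test is there because the overflow check itself divides by elsize. The fix belongs in the library, but callers that pass ~0 as maxsize to xdr_array() should also pass a realistic bound so that an oversized count is rejected even on an unpatched libc.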

Remotely exploitable vulnerabilities in l2tpd
Package(s): l2tpd CVE #(s):
Created: Aug 14, 2002 Updated: Aug 14, 2002
Description: l2tpd, a layer 2 tunneling client/server program, does not initialize its random number generator. Since this makes every generated random number 100% guessable, the oversight could lead to remote exploits. There is also a buffer overflow vulnerability. Both problems are fixed in the updates below.
Alerts:
Debian DSA-152-1 2002-08-13

Comments (none posted)
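The l2tpd entry says the daemon never seeds its random number generator. The C below, an added example for this page and not l2tpd's code, shows why that makes the values predictable and what to draw from instead: the C standard specifies that rand() called before any srand() behaves as if srand(1) had been called, so an attacker reproduces the sequence with one line. The /dev/urandom path and the function names are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: illustration written for this page, not l2tpd's code. */

/* Model of an unseeded daemon: fills `out` from rand() without ever
 * calling srand(). The C standard guarantees that rand() before any
 * srand() yields the same sequence as srand(1), so every start of the
 * daemon hands out the same "random" values. */
void fill_unseeded(unsigned int *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned int)rand();
}

/* What an attacker does: reproduce the sequence with the implicit seed. */
void predict_sequence(unsigned int *out, size_t n)
{
    srand(1);
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned int)rand();
}

/* Hardened: take the bytes from the kernel CSPRNG instead of rand().
 * Assumption: a Linux-style /dev/urandom. Returns 0 on success, -1 on
 * failure; a caller must treat failure as fatal, not fall back to rand(). */
int fill_from_urandom(unsigned char *out, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(out, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

int main(void)
{
    unsigned int a[4], b[4];
    fill_unseeded(a, 4);
    predict_sequence(b, 4);
    printf("daemon's values match attacker's prediction: %s\n",
           memcmp(a, b, sizeof a) == 0 ? "yes" : "no");
    return 0;
}
```

Seeding with the time of day only shrinks the attacker's search to the seconds around the daemon's start; tunnel identifiers, challenges and anything else a peer must not be able to guess should come from the kernel's CSPRNG, as in fill_from_urandom().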

Apache mod_ssl off-by-one local code execution and DoS vulnerability
Package(s): libapache-mod-ssl mod_ssl CVE #(s): CAN-2002-0653
Created: Jul 02, 2002 Updated: Aug 14, 2002
Description: mod_ssl provides strong cryptography for the Apache webserver via the Secure Sockets Layer (SSL). A maliciously crafted .htaccess file may be used by an attacker who can place one on the server (a local user with write access to a web directory) to execute arbitrary commands as the httpd user or launch a denial of service attack. The problem is fixed in mod_ssl 2.8.10, which is available from here.

For more information see the announcement.
Alerts:
Mandrake MDKSA-2002:048 2002-08-08
Yellow Dog YDU-20020801-1 2002-08-01
Eridani ERISA-2002:029 2002-07-25
Caldera CSSA-2002-031.0 2002-07-16
Red Hat RHSA-2002:134-12 2002-07-16
EnGarde ESA-20020702-017 2002-07-02
Conectiva CLA-2002:504 2002-07-02
Debian DSA-135-1 2002-07-02

Comments (none posted)

libpng buffer overflow vulnerability
Package(s): libpng libpng2 libpng3 CVE #(s):
Created: Jul 17, 2002 Updated: Aug 19, 2002
Description: Versions of libpng prior to 1.2.4 and 1.0.14 have a buffer overflow vulnerability that could lead to remote code execution. Since libpng is used by programs that talk to the outside world (e.g., Mozilla), it is worth upgrading.

libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over five years.
Alerts:
Eridani ERISA-2002:030 2002-07-25
Conectiva CLA-2002:512 2002-07-17

Comments (2 posted)

Mailman 2.0.11 fixes two cross-site scripting vulnerabilities
Package(s): mailman CVE #(s):
Created: Jun 05, 2002 Updated: Aug 14, 2002
Description: Barry A. Warsaw announced the release of Mailman 2.0.11 "which fixes two cross-site scripting exploits, one reported by "office" in the admin login page, and another reported by Tristan Roddis in the Pipermail index summaries. It is recommended that all sites upgrade their 2.0.x systems to this version."
Alerts:
Debian DSA-147-1 2002-08-08
Red Hat RHSA-2002:101-06 2002-06-27
Red Hat RHSA-2002:099-04 2002-06-06
Red Hat RHSA-2002:100-03 2002-06-06
Conectiva CLA-2002:489 2002-05-24

Comments (none posted)

Remote arbitrary code execution vulnerability in mantis
Package(s): mantis CVE #(s):
Created: Aug 14, 2002 Updated: Aug 20, 2002
Description: Mantis is a PHP-based bug tracking system. Joao Gouveia and the Debian Security Team found multiple insecure uses of uninitialized variables in Mantis.

When these are exploited, a remote user is able to execute arbitrary code under the web server user id on the host running the Mantis system.
Alerts:
Debian DSA-153-1 2002-08-14

Comments (none posted)

Temporary file vulnerability in mm library
Ticket ID:     #305
Ticket URL:    http://bugs.pld.org.pl/?bug=305
Package:       mm-1.1.3-6
Distribution:  PLD-Ra.main
Category:      security problem
Current state: closed -- resolved
Text:

mm has had the security patch applied since the 1.1.3-5 release.

Upgrading to 1.2.x isn't simple because of the SONAME change,
so at least apache and php would require rebuilding.
*** State changed to 'closed -- resolved'