
[linux-security] various bugs



Hello,

First of all a clarification:
If a certain distribution is not listed in an advisory under
"Affected Systems", it does not mean that that distribution is not vulnerable.
It just means that I have no information about that distribution concerning
that vulnerability. If I know for certain that a certain distribution is
not vulnerable, I mention that explicitly in the advisory.

Secondly, for RedHat 6.x users: If you leave the /vol/vol1/distrib/redhat
directory from sphinx mounted permanently (that's what I do), then
upgrading is trivial: just change to that directory and run the rpm commands.
[i.e., all packages that are mentioned in the advisory are already in the
/vol/vol1/distrib/redhat/RedHat/RPMS directory].

Thirdly, today's advisory contains bug reports on several packages mostly
because I believe that the severity of the bugs is not such that they
deserve a separate advisory. E.g., most people don't run NIS or a web server
(at least you shouldn't) so they are not vulnerable to the yp, apache, php
bugs. If you would rather have separate advisories on each and every bug,
please let me know.

Cheers,
Martin                   email: siegert@sfu.ca


ypbind & ypserv
===============

Problem description
-------------------
ypbind allows local root exploit.
ypbind and ypserv are only needed if you are using NIS for authentication.
If this is not the case, uninstall ypbind and ypserv (rpm -e ypbind ypserv).

Affected Systems
----------------
RedHat 5.x, 6.x
Mandrake 6.x, 7.x
Debian 2.1, 2.2
(other distributions are likely affected as well)

Solution
--------
RedHat 6.x
rpm -Fvh ypbind-1.7-0.6.x.i386.rpm

Mandrake 6.x, 7.x
rpm -Fvh ypbind-3.3-25mdk.i586.rpm ypserv-1.3.9-4mdk.i586.rpm

Debian 2.2 (potato)
dpkg -i nis_3.8-0.1_i386.deb


gnupg
=====

Problem description
-------------------
There is a bug in the signature verification of GnuPG,
the GNU replacement for PGP.

Signature verification does not work properly if there are
several sections with inline signatures within a single
file. In this case, GnuPG does not always detect when some
of the signed portions have been modified, and incorrectly
claims that all signatures are valid.

Affected Systems
----------------
Only if you are using PGP signatures.

Caldera OpenLinux eDesktop 2.4
RedHat 6.2, 7.0
Mandrake 7.x
(other distributions probably vulnerable as well)

Solution
--------

RedHat 6.2
rpm -Fvh gnupg-1.0.4-4.6.x.i386.rpm
RedHat 7.0
rpm -Fvh gnupg-1.0.4-5.i386.rpm

Caldera 2.4
rpm -Fhv gnupg-1.0.4-2.i386.rpm

Mandrake 7.x
rpm -Fvh gnupg-1.0.4-2mdk.i586.rpm
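
One way to find files that fall into the multi-section case described in the gnupg problem description and to check each inline-signed section in isolation. This is an added example, not part of the original advisory; the function names and the sample file are made up here, and installing the updated package remains the fix.

```sh
#!/bin/sh
# Added example: locate files with several inline-signed (clearsigned) PGP
# sections and split them so each section is verified on its own.
BEGIN_MARK='-----BEGIN PGP SIGNED MESSAGE-----'
END_MARK='-----END PGP SIGNATURE-----'

# Print the number of clearsigned sections in file $1 (0 if none).
count_signed_sections() {
    awk -v b="$BEGIN_MARK" '{ sub(/\r$/, "") } $0 == b { n++ } END { print n + 0 }' "$1"
}

# Write section N of file $1 to $2/section-N.asc. Text outside the armor
# markers is unsigned and is left out.
split_signed_sections() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" -v dir="$2" '
        { line = $0; sub(/\r$/, "", line) }
        line == b { n++; out = dir "/section-" n ".asc"; inside = 1 }
        inside    { print > out }
        line == e && inside { inside = 0; close(out) }
    ' "$1"
}

# Verify every split section separately; returns non-zero if any fails.
# Needs gpg and the signers' public keys, so it is not run on the sample.
verify_sections() {
    rc=0
    for s in "$1"/section-*.asc; do
        gpg --verify "$s" || rc=1
    done
    return $rc
}

# Constructed sample: two clearsigned sections with placeholder signatures.
make_sample() {
    for i in 1 2; do
        printf '%s\n' "$BEGIN_MARK" 'Hash: SHA1' '' "signed text $i" \
            '-----BEGIN PGP SIGNATURE-----' '' \
            '(placeholder, not a real signature)' "$END_MARK" \
            "unsigned text after section $i"
    done > "$1"
}

tmp=$(mktemp -d)
make_sample "$tmp/notes.txt"
n=$(count_signed_sections "$tmp/notes.txt")
if [ "$n" -gt 1 ]; then
    echo "notes.txt: $n inline-signed sections, splitting for per-section checks"
    split_signed_sections "$tmp/notes.txt" "$tmp"
fi
```

On real files, run verify_sections on the output directory after splitting; a file that reports more than one section should not be trusted on the strength of a single "good signature" result from an unpatched gnupg.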


apache
======

Problem description
-------------------

A vulnerability in the mod_rewrite module and vulnerabilities in the
virtual hosting facility in versions of Apache prior to 1.3.14 may allow
attackers to view files on the server which are meant to be inaccessible.

Affected Systems
----------------
Only if an apache web server is installed.

RedHat 5.x, 6.x, 7.0
Mandrake 6.x, 7.x
all systems that run an apache web server with version < 1.3.14

Solution
--------

RedHat 6.0
rpm -Fvh apache-1.3.14-2.6.2.i386.rpm apache-devel-1.3.14-2.6.2.i386.rpm mod_perl-1.23-3.i386.rpm
to install the apache manual
rpm -Uvh apache-manual-1.3.14-2.6.2.alpha.rpm
RedHat 6.1
rpm -Fvh apache-1.3.14-2.6.2.i386.rpm apache-devel-1.3.14-2.6.2.i386.rpm auth_ldap-1.4.0-3.i386.rpm mod_perl-1.23-3.i386.rpm
to install the apache manual
rpm -Uvh apache-manual-1.3.14-2.6.2.alpha.rpm
RedHat 6.2
rpm -Fvh apache-1.3.14-2.6.2.i386.rpm apache-devel-1.3.14-2.6.2.i386.rpm apache-manual-1.3.14-2.6.2.i386.rpm auth_ldap-1.4.0-3.i386.rpm mod_perl-1.23-3.i386.rpm
RedHat 7.0
rpm -Fvh apache-1.3.14-3.i386.rpm apache-devel-1.3.14-3.i386.rpm apache-manual-1.3.14-3.i386.rpm mod_ssl-2.7.1-3.i386.rpm

Mandrake 6.0
rpm -Fvh apache-1.3.6-29mdk.i586.rpm apache-devel-1.3.6-29mdk.i586.rpm
Mandrake 6.1
rpm -Fvh apache-1.3.9-8mdk.i586.rpm apache-devel-1.3.9-8mdk.i586.rpm
Mandrake 7.0
rpm -Fvh apache-1.3.9-18mdk.i586.rpm apache-devel-1.3.9-18mdk.i586.rpm apache-suexec-1.3.9-18mdk.i586.rpm
Mandrake 7.1
rpm -Fvh apache-1.3.12-15mdk.i586.rpm apache-devel-1.3.12-15mdk.i586.rpm apache-suexec-1.3.12-15mdk.i586.rpm

PHP
===

Problem description
-------------------
Format string vulnerabilities have been found in PHP versions 3 and 4.
This may be exploitable remotely to run arbitrary commands under the
user id that runs the HTTP web server.

Affected Systems
----------------
Only if you installed support for the PHP scripting language.

RedHat 5.x, 6.x, 7.0
Debian 2.x
Caldera eServer 2.3, eDesktop 2.4
(all distributions that use the PHP scripting language and a web server)

Solution
--------
RedHat 6.0
rpm -Fvh php-3.0.17-1.6.0.i386.rpm php-imap-3.0.17-1.6.0.i386.rpm php-manual-3.0.17-1.6.0.i386.rpm php-pgsql-3.0.17-1.6.0.i386.rpm
RedHat 6.1
rpm -Fvh php-3.0.17-1.6.1.i386.rpm php-imap-3.0.17-1.6.1.i386.rpm php-ldap-3.0.17-1.6.1.i386.rpm php-manual-3.0.17-1.6.1.i386.rpm php-pgsql-3.0.17-1.6.1.i386.rpm
RedHat 6.2
rpm -Fvh php-3.0.17-1.6.2.i386.rpm php-imap-3.0.17-1.6.2.i386.rpm php-ldap-3.0.17-1.6.2.i386.rpm php-manual-3.0.17-1.6.2.i386.rpm php-pgsql-3.0.17-1.6.2.i386.rpm
RedHat 7.0
rpm -Fvh php-4.0.3pl1-1.i386.rpm php-imap-4.0.3pl1-1.i386.rpm php-ldap-4.0.3pl1-1.i386.rpm php-manual-4.0.3pl1-1.i386.rpm php-mysql-4.0.3pl1-1.i386.rpm php-pgsql-4.0.3pl1-1.i386.rpm

Debian 2.2 (potato)
update the following packages:
php3-cgi-gd_3.0.17-0potato2_i386.deb
php3-cgi-imap_3.0.17-0potato2_i386.deb
php3-cgi-ldap_3.0.17-0potato2_i386.deb
php3-cgi-magick_3.0.17-0potato2_i386.deb
php3-cgi-mhash_3.0.17-0potato2_i386.deb
php3-cgi-mysql_3.0.17-0potato2_i386.deb
php3-cgi-pgsql_3.0.17-0potato2_i386.deb
php3-cgi-snmp_3.0.17-0potato2_i386.deb
php3-cgi-xml_3.0.17-0potato2_i386.deb
php3-cgi_3.0.17-0potato2_i386.deb
php3-dev_3.0.17-0potato2_i386.deb
php3-gd_3.0.17-0potato2_i386.deb
php3-imap_3.0.17-0potato2_i386.deb
php3-ldap_3.0.17-0potato2_i386.deb
php3-magick_3.0.17-0potato2_i386.deb
php3-mhash_3.0.17-0potato2_i386.deb
php3-mysql_3.0.17-0potato2_i386.deb
php3-pgsql_3.0.17-0potato2_i386.deb
php3-snmp_3.0.17-0potato2_i386.deb
php3-xml_3.0.17-0potato2_i386.deb
php3_3.0.17-0potato2_i386.deb
php4-cgi-gd_4.0.3-0potato1_i386.deb
php4-cgi-imap_4.0.3-0potato1_i386.deb
php4-cgi-ldap_4.0.3-0potato1_i386.deb
php4-cgi-mhash_4.0.3-0potato1_i386.deb
php4-cgi-mysql_4.0.3-0potato1_i386.deb
php4-cgi-pgsql_4.0.3-0potato1_i386.deb
php4-cgi-snmp_4.0.3-0potato1_i386.deb
php4-cgi-xml_4.0.3-0potato1_i386.deb
php4-cgi_4.0.3-0potato1_i386.deb
php4-gd_4.0.3-0potato1_i386.deb
php4-imap_4.0.3-0potato1_i386.deb
php4-ldap_4.0.3-0potato1_i386.deb
php4-mhash_4.0.3-0potato1_i386.deb
php4-mysql_4.0.3-0potato1_i386.deb
php4-pgsql_4.0.3-0potato1_i386.deb
php4-snmp_4.0.3-0potato1_i386.deb
php4-xml_4.0.3-0potato1_i386.deb
php4_4.0.3-0potato1_i386.deb

Caldera OpenLinux eServer 2.3
rpm -Fvh mod_php3-3.0.17-1S.i386.rpm mod_php3-doc-3.0.17-1S.i386.rpm
Caldera OpenLinux eDesktop 2.4
rpm -Fvh mod_php3-3.0.17-1D.i386.rpm mod_php3-doc-3.0.17-1D.i386.rpm


curl
====

Problem description
-------------------
curl (a tool to retrieve files using ftp, gopher or http) has a bug in the
error logging code: when it created an error message it failed to check the
size of the buffer allocated for storing the message. This could be exploited
by the remote machine by returning an invalid response to a request from
curl which overflows the error buffer and tricks curl into executing
arbitrary code.

Affected Systems
----------------
(as far as I know) only Debian ships curl as part of the default distribution.
RedHat Powertools contains a version of curl that is vulnerable (but it is
not part of the standard distributions).

Solution
--------
Debian 2.2 potato
update to curl-ssl_6.0-1.2_i386.deb and/or curl_6.0-1.1.1_i386.deb


ping
====

Problem description
-------------------
Several buffer overflows exist in ping that may be used for a local root
exploit.

Affected Systems
----------------
RedHat 6.x, 7.0

Workaround
----------
chmod 755 /bin/ping

Solution
--------
RedHat 6.2
rpm -Fvh iputils-20001010-1.6x.i386.rpm
RedHat 7.0
rpm -Fvh iputils-20001010-1.i386.rpm
RedHat 6.0, 6.1
RedHat did not release packages for these distributions although they are
likely to be vulnerable as well. /bin/ping is part of the netkit-base package
under 6.0 and 6.1. You may be able to upgrade that package with the
iputils-20001010-1.6x.i386.rpm and the inetd-0.16-4.i386.rpm packages of
the 6.2 distribution:
rpm -Uvh inetd-0.16-4.i386.rpm iputils-20001010-1.6x.i386.rpm
(this worked for me under 6.1)