All articles

September 24, 2001 10:02 Debian: New UUCP packages fix local exploit

0
zen-parse has found a problem with Taylor UUCP as distributed with many GNU/Linux distributions. It was possible to make 'uux' execute 'uucp' with malicious command-line arguments, which gives an attacker access to files owned by uid/gid uucp. Fixed packages are available from security.debian.org.

September 24, 2001 04:31 Debian: slrn command invocation

0
Byrial Jensen found a nasty problem in slrn (a threaded news reader). When trying to decode binaries, the built-in code executes any shell scripts the article might contain, apparently assuming they would be some kind of self-extracting archive. Updated packages are available from security.debian.org.

September 24, 2001 04:29 Debian: squid FTP PUT problem

0
Vladimir Ivaschenko found a problem in squid (a popular proxy cache). He discovered that there was a flaw in the code to handle FTP PUT commands: when a mkdir-only request was done squid would detect an internal error and exit. Since squid is configured to restart itself on problems this is not a big problem. Updated packages are available from security.debian.org.

September 21, 2001 03:22 SuSE: Window Maker remote privilege escalation

0
The window manager Window Maker was found vulnerable to a buffer overflow due to improper bounds checking when setting the window title. An attacker can remotely exploit this buffer overflow by using malicious web page titles or terminal escape sequences to set an excessively long window title. This attack can lead to remote command execution with the privileges of the user running Window Maker. Fixed packages are available from ftp.suse.com.

September 20, 2001 00:00 Please Make Stable NON-US Homes for Strong Crypto Projects

49
"We freedom-loving U.S. citizens have had to rely on the freedom-loving citizens of saner countries to do the work of making strong encryption for many years. We had a brief respite, which we will eventually resume for good. In the meantime, please let me apologize for my countrymen and for my government for asking you to shoulder most of the burden again..."

September 19, 2001 05:17 Debian: New most packages available

0
Pavel Machek has found a buffer overflow in the 'most' pager program. The problem is part of most's tab expansion, where the program would write beyond the bounds of two array variables when viewing a malicious file. This could lead to other data structures being overwritten, which in turn could enable most to execute arbitrary code and compromise the user's environment. Updated packages are available from security.debian.org.

September 15, 2001 00:00 Printing Software

10
To print something from a Free Unix, you use an application, which uses a client program to speak with a daemon process, which eventually executes some sort of driver or filter, which eventually sends print data to your printer. There are no universal standards for any step in this process; indeed, in many installations, hand-tooled scripts provide the glue between the various parts. This makes for a rather unpleasant configuration experience, to say the least.

September 12, 2001 10:15 Red Hat: New bugzilla packages available

0
The updated bugzilla package fixes numerous security issues which were present in previous releases of bugzilla and is available at updates.redhat.com.

September 11, 2001 02:58 SuSE: apache-contrib authentication bypass

0
The Apache module mod_auth_mysql 1.4, which has shipped since SuSE Linux 7.1, was found vulnerable to a possible authentication bypass by MySQL command injection. An adversary could insert MySQL commands along with a password, and these commands will be interpreted by MySQL while mod_auth_mysql is doing the password lookup in the database. A positive authentication could be returned. Fixed packages are available from ftp.suse.com.

September 11, 2001 02:57 Red Hat: Updated quota packages available

0
An updated set of quota utilities for Red Hat Linux 7.1 is being made available. This new package fixes several problems with the quota utilities as originally shipped. All systems using disk quotas should be upgraded to the packages available from updates.redhat.com.

September 11, 2001 02:55 Red Hat: sendmail local root exploit

0
Sendmail, the low-level system for sending and receiving email for Red Hat Linux, has an input validation flaw in part of its debugging code. This flaw could be exploited by an attacker who already has local access to a system and wants to gain root privileges. Fixed packages are available from updates.redhat.com.

September 11, 2001 02:53 Red Hat: Updated xinetd package available

0
A security audit has been done by Solar Designer on xinetd, and the results are now being made available as a preemptive measure. Also, memsetting too much memory to 0 would eventually lead to segfaults when executing services. This internal bug was fixed. Updated packages are available from updates.redhat.com.

September 11, 2001 02:52 Red Hat: New tmpwatch package fixes cron warning

0
The man update (RHSA-2001:072) removed several cache directories in /var that tmpwatch cleans up on a nightly basis. This update provides a new cron script for tmpwatch that verifies the existence of cache directories before cleaning is attempted. Updated packages are available from updates.redhat.com.

September 11, 2001 02:50 Red Hat: fetchmail remote attack

0
Fetchmail versions up to 5.8.9 are susceptible to remote attacks from malicious servers. When fetchmail attempts to create an index of messages in the remote mailbox being polled, it uses index numbers sent by the server as an index into an internal array. If a server sends fetchmail a negative number, fetchmail will attempt to write data outside the bounds of the array. Fixed packages are available from updates.redhat.com.

September 06, 2001 02:11 SuSE: screen local root compromise

0
The screen package allows a local attacker to obtain root privileges if the /usr/bin/screen command is installed setuid root and if a directory below /tmp/screens/ exists. The screen program needs root permissions from the setuid-root bit for two reasons: multi-attached sessions are only possible with root privileges, and writing terminal allocation information to /var/run/utmp (the who(1) and finger(1) commands). If the screen command is not running with special privileges, all functionality except these two features will continue to work, but the local root compromise will not be possible. In order to provide the features mentioned, the screen package used to be installed setuid-root in SuSE Linux distributions. Packages which work around this problem are available from ftp.suse.com.

September 04, 2001 02:06 SuSE: telnetd remote code execution

0
The telnet server which is shipped with SuSE distributions contains a remotely exploitable buffer overflow within its telnet option negotiation code. This bug is widespread on UN*X systems and affects almost all implementations of telnet daemons available. The SuSE 7.2 distribution ships the telnet-server package, which contains the vulnerable telnet daemon. This package has been fixed. The SuSE Linux distributions 6.3 and 6.4 contain versions and implementations of the telnet daemon that are vulnerable, but the complexity of the code requires a full source code audit of the software. In order not to further delay the release of the packages for the SuSE Linux 7.x distributions, we recommend disabling the telnet daemon on the 6.x distributions. The fixed 7.x packages can be obtained from ftp.suse.com.

August 30, 2001 00:00 Information retrieval from $HOME

50
Like everyone else, when I first encountered tree directory systems, I thought they were a marvelous way to organize information. I've been around computers since 1983, and have staunchly struggled to keep files and directories neatly organized. My physical filing cabinet has always been a mess, but I clung to the hope that my hard disk would be perfect.

August 23, 2001 15:06 SuSE: sendmail local root compromise

0
Cade Cairns of Securityfocus discovered a vulnerability in the sendmail program, the widely used MTA on Unix and Unix-like systems. A local user can write arbitrary data to the process memory, resulting in user-controlled code being executed as user root. Please note that this is a local vulnerability: local shell access is needed for the attacker to be able to take advantage of this error. The /usr/sbin/sendmail program is installed set-uid root in most installations. This special privilege is needed for the sendmail program to operate properly. The attack pattern involves running sendmail to make use of the setuid bit. Please note that this is the first sendmail security problem since 1997. Updated sendmail packages are available from ftp.suse.com.

August 20, 2001 09:43 SuSE: sdb local privilege escalation

0
Sdbsearch.cgi, a Perl script which is part of the sdb package of SuSE Linux, was found vulnerable because it uses untrustworthy client input (HTTP_REFERER). By exploiting this trust, an attacker could force the sdbsearch.cgi script to open a malicious keylist file which includes keywords and filenames. By replacing the filename in the keylist file with the Perl pipe followed by arbitrary shell commands, the sdbsearch.cgi would execute these commands when trying to open these 'filenames'. Note that the attacker needs local access to the machine to store the keylist file on the server running sdbsearch.cgi. Misconfigured ftp accounts, trojan tar balls or RPM files could also be used. Fixed RPM packages are available from ftp.suse.com.

August 17, 2001 04:22 SuSE: fetchmail remote privilege escalation

0
Fetchmail is a tool for retrieving and forwarding mail. Two vulnerabilities in the code of fetchmail were found in the last weeks. Both vulnerabilities could be used to get remote access to the system with the privilege of the user running fetchmail. Fixed RPMs can be obtained from ftp.suse.com.

August 14, 2001 10:18 Debian: telnetd-ssl AYT buffer overflow

0
The telnet daemon contained in the netkit-telnet-ssl_0.16.3-1 package in the 'stable' (potato) distribution of Debian GNU/Linux is vulnerable to an exploitable overflow in its output handling. The original bug was found by <scut at nb.in-berlin.de>, and announced to bugtraq on Jul 18 2001. At that time, netkit-telnet versions after 0.14 were not believed to be vulnerable. On Aug 10 2001, zen-parse posted an advisory based on the same problem, for all netkit-telnet versions below 0.17. More details can be found on SecurityFocus. As Debian uses the 'telnetd' user to run in.telnetd, this is not a remote root compromise on Debian systems; the 'telnetd' user can be compromised. Fixed packages can be found at security.debian.org.

August 12, 2001 12:54 Debian: buffer overflow in Window Maker

0
Alban Hertroys found a buffer overflow in Window Maker (a popular window manager for X). The code that handles titles in the window list menu did not check the length of the title when copying it to a buffer. Since applications will set the title using untrusted data (for example web browsers will set the title of their window to the title of the web-page being shown) this could be exploited remotely. Fixed packages are available from security.debian.org.

August 11, 2001 03:16 Debian: 3 security problems in imp

0
The Horde team released version 2.2.6 of IMP (a web based IMAP mail program) which fixes three security problems. A detailed description can be found in the body of this article. Fixed Debian packages are available from security.debian.org.

August 11, 2001 00:00 I got laid off! Now what do I do?

62
Too many programmers and sysadmins know the personal realities that lie behind the statistics of the dot com bubble's burst. What do you do when the spotlight's gone and the future no longer clear? Is the time between jobs a tragedy or an opportunity?

August 10, 2001 14:43 Debian: groff printf format problem

0
Zenith Parse found a security problem in groff (the GNU version of troff). The pic command was vulnerable to a printf format attack which made it possible to circumvent the -S option and execute arbitrary code. Fixed packages are available from security.debian.org.

August 10, 2001 02:43 Debian: netkit-telnet AYT buffer overflow

0
The telnet daemon contained in the netkit-telnet_0.16-4potato1 package in the 'stable' (potato) distribution of Debian GNU/Linux is vulnerable to an exploitable overflow in its output handling. The original bug was announced to bugtraq on Jul 18 2001. At that time, netkit-telnet versions after 0.14 were not believed to be vulnerable. On Aug 10 2001, zen-parse posted an advisory based on the same problem, for all netkit-telnet versions below 0.17. More details can be found at SecurityFocus. As Debian uses the 'telnetd' user to run in.telnetd, this is not a remote root compromise on Debian systems; the 'telnetd' user can be compromised. Fixed packages are available from security.debian.org.

August 10, 2001 02:38 Debian: fetchmail remote exploit

0
Salvatore Sanfilippo found two remotely exploitable problems in fetchmail while doing a security audit. In both the imap and pop3 code the input is not verified and used to store a number in an array. Since no bounds checking is done, this can be used by an attacker to write arbitrary data in memory. An attacker can use this if he can get a user to transfer mail from a custom imap or pop3 server he controls. Fixed packages are available from security.debian.org.

August 09, 2001 15:52 Debian: xloadimage buffer overflow

0
The version of xloadimage (a graphics files viewer for X) that was shipped in Debian GNU/Linux 2.2 has a buffer overflow in the code that handles FACES format images. This could be exploited by an attacker by tricking someone into viewing a specially crafted image using xloadimage which would allow him to execute arbitrary code. Fixed packages are available from security.debian.org.

August 09, 2001 15:51 Debian: OpenLDAP DoS

0
CERT released their advisory CA-2001-18, which lists a number of vulnerabilities in various LDAP implementations, based on the results of the PROTOS LDAPv3 test suite. These tests found one problem in OpenLDAP, a free LDAP implementation that is shipped as part of Debian GNU/Linux 2.2. The problem is that slapd did not handle packets with an invalid BER length of length fields and would crash if it received those. An attacker can use this to mount a denial of service attack remotely. Fixed packages are available from security.debian.org.

August 04, 2001 00:00 Category Reviews

13
One of the problems with a software index like freshmeat's projects database is that people who wander into a category for the first time have difficulty determining which of the listed projects best suit their needs, which are ready for use, and which are in the early stages of development. They resort to downloading dead ends and waste a lot of time before they find what they need, or they just give up. Today, we're starting a new series of articles that hopes to counter this problem with insights from people who are knowledgeable about specific types of software.