Subject: Updated samba package for LBA-Linux R1
Advisory ID: LBASA-2004:37
Date: Friday, September 24, 2004
Product: LBA-Linux R1
Problem description:
Two vulnerabilities were discovered in Samba 3.0.x. The first is a
defect in smbd's ASN.1 parsing: an attacker can send a specially
crafted packet during the authentication request that puts the newly
spawned smbd process into an infinite loop. As a result, it is
possible to use up all available memory on the server.
The second vulnerability is in nmbd's processing of mailslot packets
which could allow an attacker to anonymously crash nmbd.

Subject: Updated krb5 package for LBA-Linux R1
Advisory ID: LBASA-2004:38
Date: Friday, September 24, 2004
Product: LBA-Linux R1
Problem description:
A double-free vulnerability exists in the MIT Kerberos 5 KDC program
that could potentially allow a remote attacker to execute arbitrary
code on the KDC host. In addition, multiple double-free vulnerabilities
exist in the krb5 library code, which make client programs and
application servers vulnerable. The MIT Kerberos 5 development team
believes that exploitation of these bugs would be difficult, and no
exploits are known to exist. The vulnerability in
krb524d was discovered by Marc Horowitz; the other double-free
vulnerabilities were discovered by Will Fiveash and Nico Williams at
Sun.
Will Fiveash and Nico Williams also found another vulnerability in the
ASN.1 decoder library. This makes krb5 vulnerable to a DoS (Denial of
Service) attack causing an infinite loop in the decoder. The KDC is
vulnerable to this attack.

Subject: Updated httpd package for LBA-Linux R1
Advisory ID: LBASA-2004:39
Date: Sunday, September 26, 2004
Product: LBA-Linux R1
Problem description:
CAN-2004-0747
The Swedish IT Incident Centre (SITIC) reported a buffer
overflow in the expansion of environment variables during
configuration file parsing. This issue could allow a local user
to gain the privileges of an httpd child if a server can be forced
to parse a carefully crafted .htaccess file written by a local user.
CAN-2004-0786
Testing using the Codenomicon HTTP Test Tool performed by the
Apache Software Foundation security group and Red Hat uncovered
an input validation issue in the IPv6 URI parsing routines in the
apr-util library. If a remote attacker sent a request including a
carefully crafted URI, an httpd child process could be made to crash.
CAN-2004-0809
An issue was discovered in the mod_dav module which could be
triggered for a location where WebDAV authoring access has been
configured. A malicious remote client which is authorized to use the
LOCK method could force an httpd child process to crash by sending
a particular sequence of LOCK requests. This issue does not allow
execution of arbitrary code and will only result in a denial of service
where a threaded process model is in use.