Package : xview
Vulnerability : buffer overflows
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-0076
Erik Sjölund discovered that programs linked against xview are
vulnerable to a number of buffer overflows in the XView library. When
the overflow is triggered in a program which is installed setuid root,
a malicious user could perhaps execute arbitrary code as a privileged
user.
For the stable distribution (woody) these problems have been fixed in
version 3.2p1.4-16woody2.
For the unstable distribution (sid) these problems have been fixed in
version 3.2p1.4-19.
We recommend that you upgrade your xview packages.
Upgrade Instructions
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Package : evolution
Vulnerability : integer overflow
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-0102
BugTraq ID : 12354
Max Vozeler discovered an integer overflow in a helper application
inside of Evolution, a free groupware suite. A local attacker could
cause the setuid root helper to execute arbitrary code with elevated
privileges.
For the stable distribution (woody) this problem has been fixed in
version 1.0.5-1woody2.
For the unstable distribution (sid) this problem has been fixed in
version 2.0.3-1.2.
We recommend that you upgrade your evolution package.
Upgrade Instructions
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Package : mailman
Vulnerability : cross-site scripting, directory traversal
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-1177 CAN-2005-0202
Two security related problems have been discovered in mailman, the
web-based GNU mailing list manager. The Common Vulnerabilities and
Exposures project identifies the following problems:
CAN-2004-1177
Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker
could craft a URL containing JavaScript (or other content
embedded into HTML) which triggered a mailman error page that
would include the malicious code verbatim.
CAN-2005-0202
Several listmasters have noticed unauthorised access to archives
of private lists and the list configuration itself, including the
users' passwords. Administrators are advised to check the
webserver logfiles for requests that contain "/...../" and the
path to the archives or configuration. This only seems to
affect installations running on web servers that do not strip
slashes, such as Apache 1.3.
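As an added illustration of the log check the advisory recommends (this is not code from the advisory or from Mailman), the Python script below parses Apache combined-format access log lines, URL-decodes the request path, and reports requests under /mailman/ whose path contains a dot-only segment such as "/...../"; it also records whether the request was served (status 200) and whether it reached an archive or configuration path. The log lines, list name and client addresses are constructed samples; the archive and configuration path fragments are assumptions based on Mailman's usual 2.0/2.1 layout. It goes slightly beyond the advisory's literal "/...../" string by also catching percent-encoded slashes and dot runs of other lengths.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Feb/2005:10:01:12 +0000] "GET /mailman/private/mylist/ HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
203.0.113.5 - - [08/Feb/2005:10:01:40 +0000] "GET /mailman/private/mylist/...../...../...../mailman/archives/private/mylist.mbox/mylist.mbox HTTP/1.0" 200 48213 "-" "Mozilla/4.0"
198.51.100.9 - - [08/Feb/2005:10:02:03 +0000] "GET /mailman/listinfo/mylist HTTP/1.0" 200 2210 "-" "Mozilla/4.0"
198.51.100.9 - - [08/Feb/2005:10:02:30 +0000] "GET /mailman/private/mylist/%2F.....%2F.....%2Fmailman/lists/mylist/config.pck HTTP/1.0" 200 9011 "-" "Mozilla/4.0"
"""

# client address, timestamp, request line and status of a combined-format entry
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# a path segment consisting only of dots: "..", "...", "....." (the advisory's "/...../")
DOT_SEGMENT_RE = re.compile(r'(?:^|/)\.{2,}(?:/|$)')
# fragments of the private archive and list configuration paths
# (assumed Mailman layout: archives/private/<list>..., lists/<list>/config.pck or config.db)
SENSITIVE_PATHS = ("/archives/private/", "/lists/", "config.pck", "config.db")


def suspicious_requests(log_text):
    """Return one record per request under /mailman/ whose decoded path holds a
    dot-only segment. 'served' is True for status 200 (data actually went out),
    'sensitive' is True when the path reaches an archive or configuration file."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        # decode %2F and friends first: the traversal may be sent encoded
        path = unquote(match.group("path"))
        if "/mailman/" not in path or not DOT_SEGMENT_RE.search(path):
            continue
        hits.append({
            "ip": match.group("ip"),
            "time": match.group("ts"),
            "path": path,
            "served": match.group("status") == "200",
            "sensitive": any(fragment in path for fragment in SENSITIVE_PATHS),
        })
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        label = "DATA EXPOSED" if hit["served"] and hit["sensitive"] else "attempt"
        print(f'{hit["ip"]} [{hit["time"]}] {label}: {hit["path"]}')
```

Run it against the real access log (`suspicious_requests(open(path).read())`) and treat every hit that is both served and sensitive as a confirmed disclosure of that list's archive or password database, which is the case in which the advisory's advice to regenerate member passwords applies.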
For the stable distribution (woody) these problems have been fixed in
version 2.0.11-1woody9.
For the unstable distribution (sid) these problems have been fixed in
version 2.1.5-6.
We recommend that you upgrade your mailman package.
Upgrade Instructions
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Package : hztty
Vulnerability : privilege escalation
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-0019
Erik Sjölund discovered that hztty, a converter for GB, Big5 and zW/HZ
Chinese encodings in a tty session, can be triggered to execute
arbitrary commands with group utmp privileges.
For the stable distribution (woody) this problem has been fixed in
version 2.0-5.2woody2.
For the unstable distribution (sid) this problem has been fixed in
version 2.0-6.1.
We recommend that you upgrade your hztty package.
Upgrade Instructions
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Product : Fedora Core 2
Name : mailman
Version : 2.1.5
Release : 8.fc2
Summary : Mailing list manager with built in Web access.
Description :
Mailman is software to help manage email discussion lists, much like
Majordomo and Smartmail. Unlike most similar products, Mailman gives
each mailing list a webpage, and allows users to subscribe,
unsubscribe, etc. over the Web. Even the list manager can administer
his or her list entirely from the Web. Mailman also integrates most
things people want to do with mailing lists, including archiving, mail
<-> news gateways, and so on.
Documentation can be found in: /usr/share/doc/mailman-2.1.5
Update Information:
There is a critical security flaw in Mailman 2.1.5 which will allow
attackers to read arbitrary files.
The extent of the vulnerability depends on what version of Apache
(httpd) you are running, and (possibly) how you have configured your
web server. It is believed the vulnerability is not exploitable when
Mailman is paired with a version of Apache >= 2.0; however, earlier
versions of Apache, e.g. version 1.3, will allow the exploit when
executing a Mailman CGI script. All versions of Fedora have shipped
with the later 2.0 version of Apache, and thus if you are running a
Fedora release you are not likely to be vulnerable to the exploit
unless you have explicitly downgraded the version of your web
server. However, installing this version of mailman with a security
patch represents a prudent safeguard.
This issue has been assigned CVE number CAN-2005-0202.
For additional peace of mind, it is recommended that you regenerate
your list member passwords. Instructions on how to do this, and more
information about this vulnerability, are available here:
Product : Fedora Core 3
Name : mailman
Version : 2.1.5
Release : 30.fc3
Summary : Mailing list manager with built in Web access.
Description :
Mailman is software to help manage email discussion lists, much like
Majordomo and Smartmail. Unlike most similar products, Mailman gives
each mailing list a webpage, and allows users to subscribe,
unsubscribe, etc. over the Web. Even the list manager can administer
his or her list entirely from the Web. Mailman also integrates most
things people want to do with mailing lists, including archiving, mail
<-> news gateways, and so on.
Documentation can be found in: /usr/share/doc/mailman-2.1.5
Update Information:
There is a critical security flaw in Mailman 2.1.5 which will allow
attackers to read arbitrary files.
The extent of the vulnerability depends on what version of Apache
(httpd) you are running, and (possibly) how you have configured your
web server. It is believed the vulnerability is not exploitable when
Mailman is paired with a version of Apache >= 2.0; however, earlier
versions of Apache, e.g. version 1.3, will allow the exploit when
executing a Mailman CGI script. All versions of Fedora have shipped
with the later 2.0 version of Apache, and thus if you are running a
Fedora release you are not likely to be vulnerable to the exploit
unless you have explicitly downgraded the version of your web
server. However, installing this version of mailman with a security
patch represents a prudent safeguard.
This issue has been assigned CVE number CAN-2005-0202.
For additional peace of mind, it is recommended that you regenerate
your list member passwords. Instructions on how to do this, and more
information about this vulnerability, are available here:
Product : Fedora Core 2
Name : mod_python
Version : 3.1.3
Release : 1.fc2.2
Summary : An embedded Python interpreter for the Apache Web server.
Description :
Mod_python is a module that embeds the Python language interpreter within
the server, allowing Apache handlers to be written in Python.
Mod_python brings together the versatility of Python and the power of
the Apache Web server for a considerable boost in flexibility and
performance over the traditional CGI approach.
Update Information:
Graham Dumpleton discovered a flaw affecting the publisher handler of
mod_python, used to make objects inside modules callable via URL.
A remote user could visit a carefully crafted URL that would gain access to
objects that should not be visible, leading to an information leak. The
Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned
the name CAN-2005-0088 to this issue.
This update includes a patch which fixes this issue.
Product : Fedora Core 3
Name : mod_python
Version : 3.1.3
Release : 5.2
Summary : An embedded Python interpreter for the Apache Web server.
Description :
Mod_python is a module that embeds the Python language interpreter within
the server, allowing Apache handlers to be written in Python.
Mod_python brings together the versatility of Python and the power of
the Apache Web server for a considerable boost in flexibility and
performance over the traditional CGI approach.
Update Information:
Graham Dumpleton discovered a flaw affecting the publisher handler of
mod_python, used to make objects inside modules callable via URL.
A remote user could visit a carefully crafted URL that would gain access to
objects that should not be visible, leading to an information leak. The
Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned
the name CAN-2005-0088 to this issue.
This update includes a patch which fixes this issue.
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
Fedora Legacy
Fedora Legacy Update Advisory
Synopsis: Updated abiword resolves security vulnerabilities
Advisory ID: FLSA:1906
Issue date: 2005-02-08
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1906
CVE Names: CAN-2004-0645
1. Topic:
Updated abiword packages that fix a security vulnerability are now
available.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
3. Problem description:
AbiWord is a cross-platform, open-source word processor.
A buffer overflow in the wv library included in abiword allows remote
attackers to execute arbitrary code via a document with a long DateTime
field.
All users are advised to upgrade to these updated packages, which contain a
backported fix and are not vulnerable to this issue.
Fedora Legacy would like to thank Marc Deslauriers for reporting this issue,
and Dave Botsch and Marc Deslauriers for preparing updated RPMs.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory only contains
the desired RPMs.
Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. This assumes that you have yum or
apt-get configured for obtaining Fedora Legacy content. Please visit
http://www.fedoralegacy.org/docs for directions on how to configure yum
and apt-get.
Updated libpng packages that fix security vulnerabilities are now
available.
The libpng package contains a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files. PNG
is a bit-mapped graphics format similar to the GIF format. PNG was
created to replace the GIF format, since GIF uses a patented data
compression algorithm.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
3. Problem description:
During a source code audit, Chris Evans discovered several buffer overflows
in libpng. An attacker could create a carefully crafted PNG file in such a
way that it would cause an application linked with libpng to execute
arbitrary code when the file was opened by a victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0597 to these issues.
In addition, this audit discovered a potential NULL pointer dereference in
libpng (CAN-2004-0598) and several integer overflow issues (CAN-2004-0599).
An attacker could create a carefully crafted PNG file in such a way that
it would cause an application linked with libpng to crash when the file was
opened by the victim.
These patches also include a more complete fix for the out of bounds memory
access flaw (CVE-2002-1363), in which there was a buffer overrun while adding
filler bytes to 16-bit RGBA samples, and a similar patch (CAN-2004-0768) that
fixes a buffer overrun while adding filler bytes to 16-bit grayscale samples.
All users are advised to update to the updated libpng packages which
contain backported security patches and are not vulnerable to these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory only contains
the desired RPMs.
Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. This assumes that you have yum or
apt-get configured for obtaining Fedora Legacy content. Please visit
http://www.fedoralegacy.org/docs/ for directions on how to configure yum
and apt-get.
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
Package name: MySQL
Advisory ID: MDKSA-2005:036
Date: February 10th, 2005
Affected versions: 10.0, 10.1, Corporate 3.0,
Corporate Server 2.1
Problem Description:
A temporary file vulnerability in the mysqlaccess script in MySQL was
discovered by Javier Fernandez-Sanguino Pena. This flaw could allow
an unprivileged user to let root overwrite arbitrary files via a
symlink attack. It could also be used to view the contents of a
temporary file which could contain sensitive information.
The updated packages have been patched to prevent these problems.
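As an added illustration of the mitigation for this class of bug (this is not code from mysqlaccess or from the updated package), the Python below contrasts writing to a predictable temporary path with open(), which follows a symlink already planted at that path, against creating the file with O_CREAT|O_EXCL|O_NOFOLLOW and mode 0600, which refuses an existing entry of any kind; it also shows tempfile.mkstemp(), which adds an unpredictable name on top of the same exclusive-create semantics. The directory, file names and contents are constructed inside a fresh temporary directory.

```python
import os
import tempfile


def naive_write(path, data):
    """The vulnerable pattern: open(path, "w") with a predictable name follows
    whatever already sits at `path`, a symlink included, and writes through it."""
    with open(path, "w") as fh:
        fh.write(data)


def create_private_file(path):
    """Create `path` only if nothing is there yet. O_EXCL makes creation fail
    when any entry (file or symlink) already exists, O_NOFOLLOW refuses to
    traverse a symlink, and mode 0o600 keeps the contents private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w")


def unpredictable_private_file(directory):
    """Preferred form: mkstemp chooses a random name and uses the same
    exclusive-create semantics, so nobody can pre-plant a link at that path."""
    fd, path = tempfile.mkstemp(prefix="mysqlaccess-", dir=directory)
    return os.fdopen(fd, "w"), path


def _read(path):
    with open(path) as fh:
        return fh.read()


def demo(workdir=None):
    """Constructed scenario (hypothetical names): a symlink already sits at
    the predictable temp-file name and points at a file that must not be
    touched. Returns (naive_clobbered, exclusive_blocked, victim_untouched, mode)."""
    workdir = workdir or tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "w") as fh:
        fh.write("original\n")

    # the precondition described in the advisory: a link at the predictable name
    planted = os.path.join(workdir, "mysqlaccess.tmp")
    os.symlink(victim, planted)

    naive_write(planted, "clobbered\n")                  # follows the link
    naive_clobbered = _read(victim) == "clobbered\n"

    with open(victim, "w") as fh:                        # reset for the second attempt
        fh.write("original\n")
    exclusive_blocked = False
    try:
        with create_private_file(planted) as fh:
            fh.write("never written\n")
    except FileExistsError:
        exclusive_blocked = True                         # O_EXCL refused the planted link
    victim_untouched = _read(victim) == "original\n"

    fh, path = unpredictable_private_file(workdir)
    fh.write("private data\n")
    fh.close()
    mode = oct(os.stat(path).st_mode & 0o777)            # mkstemp creates with 0o600
    return naive_clobbered, exclusive_blocked, victim_untouched, mode


if __name__ == "__main__":
    print(demo())
```

The three outcomes together show why the advisory lists two impacts: the naive pattern lets a root-run script overwrite an arbitrary file through the link, and a temporary file created without a restrictive mode is readable by other users until it is removed.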
If you want to report vulnerabilities, please contact
security@linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
Mandrakelinux Security Update Advisory
Package name: python
Advisory ID: MDKSA-2005:035
Date: February 10th, 2005
Affected versions: 10.0, 10.1, 9.2, Corporate 3.0,
Corporate Server 2.1
Problem Description:
A flaw in the python language was found by the development team. The
SimpleXMLRPCServer library module could permit remote attackers
unintended access to internals of the registered object or its
module, or possibly even other modules. This only affects python
XML-RPC servers that use the register_instance() method to register an
object without a _dispatch() method. Servers that only use the
register_function() method are not affected.
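The following added example (not part of the advisory or of the python package) reproduces the condition the advisory describes with the Python 3 standard-library dispatcher, driven directly without a network listener: an instance registered without a _dispatch() method, with dotted names allowed, lets a caller reach methods of the instance's attributes, whereas an instance that implements _dispatch() with an explicit allow-list does not. The service class, its method names and the configuration dictionary are constructed for the illustration. In current Python the register_instance() parameter allow_dotted_names defaults to False, which is the form the library fix took; the _dispatch() hook remains the way to state exactly what is callable.

```python
from xmlrpc.server import SimpleXMLRPCDispatcher


class ListService:
    """Hypothetical service object. `config` is internal state that must not
    be reachable by XML-RPC clients."""

    EXPOSED = frozenset({"subscribe", "member_count"})

    def __init__(self):
        self.config = {"admin_password": "constructed-secret"}  # constructed sample
        self.members = []

    def subscribe(self, address):
        self.members.append(address)
        return len(self.members)

    def member_count(self):
        return len(self.members)


class GuardedListService(ListService):
    """Same service with a _dispatch() hook: the dispatcher hands every call
    here, so only names in EXPOSED are ever resolved."""

    def _dispatch(self, method, params):
        if method not in self.EXPOSED:
            raise NameError(f"method {method!r} is not exposed")
        return getattr(self, method)(*params)


def make_dispatcher(instance, allow_dotted_names):
    """Register `instance` the way SimpleXMLRPCServer does internally."""
    dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding=None)
    dispatcher.register_instance(instance, allow_dotted_names=allow_dotted_names)
    return dispatcher


def call(dispatcher, method, params=()):
    """Drive server-side dispatch directly (no socket). Returns (ok, value) where
    value is the result or, on failure, the exception class name."""
    try:
        return True, dispatcher._dispatch(method, params)
    except Exception as exc:  # the dispatcher raises plain Exception for unknown names
        return False, type(exc).__name__


if __name__ == "__main__":
    unguarded = make_dispatcher(ListService(), allow_dotted_names=True)
    print("unguarded config.keys ->", call(unguarded, "config.keys"))
    guarded = make_dispatcher(GuardedListService(), allow_dotted_names=True)
    print("guarded config.keys   ->", call(guarded, "config.keys"))
```

The unguarded dispatcher resolves "config.keys" to the dictionary's keys() method and returns the names of the internal configuration, which is the leak the advisory describes; the guarded one refuses anything outside EXPOSED, and the default (dotted names disallowed) refuses it as well.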
The updated packages have been patched to prevent these problems.
If you want to report vulnerabilities, please contact
security@linux-mandrake.com
Mandrakelinux Security Update Advisory
Package name: squid
Advisory ID: MDKSA-2005:034
Date: February 10th, 2005
Affected versions: 10.0, 10.1, 9.2, Corporate 3.0,
Corporate Server 2.1
Problem Description:
More vulnerabilities were discovered in the squid server:
The LDAP handling of search filters was inadequate which could be
abused to allow logins using several variants of a single login name,
possibly bypassing explicit access controls (CAN-2005-0173).
Minor problems in the HTTP header parsing code that could be used for
cache poisoning (CAN-2005-0174 and CAN-2005-0175).
A buffer overflow in the WCCP handling code allowed remote attackers
to cause a Denial of Service and could potentially allow for the
execution of arbitrary code by using a long WCCP packet.
The updated packages have been patched to prevent these problems.
If you want to report vulnerabilities, please contact
security@linux-mandrake.com
Mandrakelinux Security Update Advisory
Package name: enscript
Advisory ID: MDKSA-2005:033
Date: February 10th, 2005
Affected versions: 10.0, 10.1, Corporate 3.0,
Corporate Server 2.1
Problem Description:
A vulnerability in the enscript program's handling of the epsf command
used to insert inline EPS files into a document was found. An attacker
could create a carefully crafted ASCII file which would make use of
the epsf pipe command in such a way that it could execute arbitrary
commands if the file was opened with enscript (CAN-2004-1184).
Additionally, flaws were found in enscript that could be abused by
executing enscript with carefully crafted command-line arguments.
These flaws only have a security impact if enscript is executed by
other programs and passed untrusted data from remote users
(CAN-2004-1185 and CAN-2004-1186).
The updated packages have been patched to prevent these problems.
If you want to report vulnerabilities, please contact
security@linux-mandrake.com
Mandrakelinux Security Update Advisory
Package name: cpio
Advisory ID: MDKSA-2005:032
Date: February 10th, 2005
Affected versions: 10.0, 10.1, 9.2, Corporate 3.0,
Corporate Server 2.1
Problem Description:
A vulnerability in cpio was discovered where cpio would create
world-writeable files when used in -o/--create mode with an output
file given via -O. This would allow any user to modify the created cpio
archive. The updated packages have been patched so that cpio now
respects the current umask setting of the user.
If you want to report vulnerabilities, please contact
security@linux-mandrake.com
SUSE Linux
SUSE Security Announcement
Package: squid
Announcement-ID: SUSE-SA:2005:006
Date: Thursday, Feb 10th 2005 13:30 MET
Affected products: 8.1, 8.2, 9.0, 9.1, 9.2
SUSE Linux Enterprise Server 8, 9
Vulnerability Type: remote command execution
Severity (1-10): 8
SUSE default package: no
Cross References: CAN-2005-0094
CAN-2005-0095
CAN-2005-0096
CAN-2005-0097
CAN-2005-0173
CAN-2005-0174
CAN-2005-0175
CAN-2005-0211
CAN-2005-0241
Content of this advisory:
security vulnerability resolved:
buffer overflow in gopher parser
integer overflow in WCCP handling code
memory leak in the NTLM fakeauth_auth helper
denial-of-service in NTLM component
lax LDAP account name handling
cache poisoning by malformed HTTP packets
cache poisoning by splitted HTTP responses
buffer overflow in WCCP handling code
httpProcessReplyHeader function does not
properly set the debug context
problem description
solution/workaround
special instructions and notes
package location and checksums
pending vulnerabilities, solutions, workarounds:
standard appendix (further information)
1) problem description, brief discussion
Squid is a feature-rich web-proxy with support for various web-related
protocols.
The last two squid updates, from February the 1st and 10th, fix several
vulnerabilities. Their impact ranges from remote denial-of-service
over cache poisoning to possible remote command execution.
Due to the large number of bugs, the vulnerabilities are only summarized
here.
CAN-2005-0094
A buffer overflow in the Gopher responses parser leads
to memory corruption and usually crashes squid.
CAN-2005-0095
An integer overflow in the receiver of WCCP (Web Cache
Communication Protocol) messages can be exploited remotely
by sending a specially crafted UDP datagram to crash squid.
CAN-2005-0096
A memory leak in the NTLM fakeauth_auth helper for
Squid 2.5.STABLE7 and earlier allows remote attackers
to cause a denial-of-service due to uncontrolled memory
consumption.
CAN-2005-0097
The NTLM component in Squid 2.5.STABLE7 and earlier allows
remote attackers to cause a crash of squid by sending a
malformed NTLM message.
CAN-2005-0173
LDAP handles search filters very laxly. This behaviour can
be abused to log in using several variants of a login name,
possibly bypassing explicit access controls or confusing
accounting.
CAN-2005-0175 and CAN-2005-0174
Minor problems in the HTTP header parsing code that
can be used for cache poisoning.
CAN-2005-0211
A buffer overflow in the WCCP handling code in Squid 2.5
before 2.5.STABLE7 allows remote attackers to cause a
denial-of-service and possibly execute arbitrary code
by using a long WCCP packet.
CAN-2005-0241
The httpProcessReplyHeader function in Squid 2.5-STABLE7
and earlier does not properly set the debug context when
it is handling "oversized" HTTP reply headers. The impact
is unknown.
2) solution/workaround
There is no workaround known.
3) special instructions and notes
Please make sure squid is restarted after the update.
Execute 'rcsquid restart' as user root.
4) package location and checksums
Download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered for installation from the maintenance web.
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
Please see the SUSE Security Summary Report.
6) standard appendix: authenticity verification, additional information
Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
md5sums as provided in the (cryptographically signed) announcement.
using the internal gpg signatures of the rpm package.
execute the command
md5sum <file>
after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security@suse.de),
the checksums show proof of the authenticity of the package.
We recommend against subscribing to security lists that cause the
e-mail message containing the announcement to be modified
so that the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file>
to verify the signature of the package, where <file> is the
file name of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
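The md5sum comparison described above can be scripted; the added Python below (an illustration, not SUSE tooling) parses md5sum-style "digest  filename" lines as they appear in an announcement, hashes a downloaded file in chunks, and compares the two digests in constant time. The package names, contents and the announcement excerpt are constructed in a temporary directory. It covers only the md5sum method; rpm --checksig has no stand-in here, and, as the announcement itself notes, a listed md5 value is only as trustworthy as the signed message it was taken from.

```python
import hashlib
import hmac
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def parse_checksum_lines(text):
    """Collect 'md5hex  filename' lines (md5sum(1) output as quoted in an
    announcement) into {filename: hexdigest}; any other line is ignored."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32 and set(parts[0].lower()) <= HEX_DIGITS:
            table[parts[1]] = parts[0].lower()
    return table


def md5_of_file(path):
    """Hash in 64 KiB chunks so a large package never has to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, table):
    """'ok' when the file's md5 equals the announced one, 'MISMATCH' when it
    differs, 'not-listed' when the announcement does not mention the file."""
    name = os.path.basename(path)
    if name not in table:
        return "not-listed"
    # compare_digest does not short-circuit on the first differing character
    return "ok" if hmac.compare_digest(md5_of_file(path), table[name]) else "MISMATCH"


def demo():
    """Constructed scenario: one package matching the announcement, one whose
    bytes changed after the checksum was published, and one that is unlisted."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "squid-good.rpm")
    bad = os.path.join(workdir, "squid-bad.rpm")
    with open(good, "wb") as fh:
        fh.write(b"constructed package contents\n")
    with open(bad, "wb") as fh:
        fh.write(b"constructed package contents, altered after publication\n")
    announcement = (
        "Package location and checksums (constructed excerpt):\n"
        f"{md5_of_file(good)}  squid-good.rpm\n"
        f"{md5_of_file(good)}  squid-bad.rpm\n"  # published before the bytes changed
    )
    table = parse_checksum_lines(announcement)
    return (
        verify_download(good, table),
        verify_download(bad, table),
        verify_download(os.path.join(workdir, "unlisted.rpm"), table),
    )


if __name__ == "__main__":
    print(demo())
```

Only an "ok" result means the file matches the announcement; "not-listed" is the case the appendix warns about, where a rebuilt package has been published after the checksums were signed and the listed values no longer apply.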
Prerequisites:
gpg is installed
The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build@suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe@suse.com>.
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
Ubuntu Linux
Ubuntu Security Notice USN-78-1 February 09, 2005
mailman vulnerabilities
CAN-2005-0202
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
mailman
The problem can be corrected by upgrading the affected package to
version 2.1.5-1ubuntu2.3. In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
A path traversal vulnerability has been discovered in the "private"
module of Mailman. A flawed path sanitation algorithm allowed the
construction of URLs to arbitrary files readable by Mailman. This
allowed a remote attacker to retrieve configuration and password
databases, private list archives, and other files.
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
postgresql
postgresql-contrib
The problem can be corrected by upgrading the affected package to
version 7.4.5-3ubuntu0.4. In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
The execution of custom PostgreSQL functions can be restricted with
the EXECUTE privilege. However, previous versions did not check this
privilege when executing a function which was part of an aggregate.
As a result, any database user could circumvent the EXECUTE restriction of
functions with a particular (but very common) parameter structure by
creating an aggregate wrapper around the function. (CAN-2005-0244)
Several buffer overflows have been discovered in the SQL parser. These
could be exploited by any database user to crash the PostgreSQL server
or execute arbitrary code with the privileges of the server.
(CAN-2005-0245, CAN-2005-0247)
Finally, this update fixes a Denial of Service vulnerability of the
contributed "intagg" module. By constructing specially crafted arrays,
a database user was able to corrupt and crash the PostgreSQL server.
(CAN-2005-0246). Please note that this module is part of the
"postgresql-contrib" package, which is not officially supported by
Ubuntu.