Showing all newswire headlines


Debian alert: New heimdal packages fix buffer overflows

  • Mailing list (Posted by dave on Oct 31, 2002 6:10 AM EDT)
  • Story Type: Security; Groups: Debian
A stack buffer overflow was discovered in the kadm_ser_wrap_in function in the Kerberos v4 administration server, which is provided by Heimdal as well. A working exploit for this kadmind bug is already circulating, hence it is considered serious. The roken library also contains a vulnerability which could lead to another root exploit.

SuSE alert: lprng/html2ps

  • Mailing list (Posted by dave on Oct 31, 2002 2:01 AM EDT)
  • Story Type: Security; Groups: SUSE
The lprng package contains the "runlpr" program which allows the lp user to execute the lpr program as root. Local attackers can pass certain command-line arguments to lpr running as root, fooling it into executing arbitrary commands as root. This has been fixed. Note that this vulnerability can only be exploited if the attacker has previously gained access to the lp account.

SuSE alert: syslog-ng

  • Mailing list (Posted by dave on Oct 31, 2002 1:24 AM EDT)
  • Story Type: Security; Groups: SUSE
The syslog-ng package is a portable syslog implementation which can be used as a syslogd replacement. Syslog-ng contained buffer overflows in its macro expansion routines. These overflows could be triggered by remote attackers if certain configuration options were enabled. Syslog-ng is not used by default on SuSE Linux, and even if installed, the problematic options are not enabled by default. We nevertheless recommend an update of the syslog-ng package if you use syslog-ng for logging. To be sure the update takes effect you have to restart the daemon by issuing the following command as root:

Debian alert: New krb4 packages fix buffer overflow

  • Mailing list (Posted by dave on Oct 30, 2002 7:58 AM EDT)
  • Story Type: Security; Groups: Debian
Tom Yu and Sam Hartman of MIT discovered another stack buffer overflow in the kadm_ser_wrap_in function in the Kerberos v4 administration server. Working exploit code for this kadmind bug is circulating, hence it is considered serious.

Mandrake alert: krb5 update

A stack buffer overflow in the implementation of the Kerberos v4 compatibility administration daemon (kadmind4) in the krb5 package can be exploited to gain unauthorized root access to a KDC host. Authentication to the daemon is not required to successfully perform the attack and according to MIT at least one exploit is known to exist. kadmind4 is used only by sites that require compatibility with legacy administrative clients, and sites that do not have these needs are likely not using kadmind4 and are not affected. MandrakeSoft encourages all users who use Kerberos to upgrade to these packages immediately.

Debian alert: New krb5 packages fix buffer overflow

  • Mailing list (Posted by dave on Oct 29, 2002 9:55 AM EDT)
  • Story Type: Security; Groups: Debian
Tom Yu and Sam Hartman of MIT discovered another stack buffer overflow in the kadm_ser_wrap_in function in the Kerberos v4 administration server. Working exploit code for this kadmind bug is circulating, hence it is considered serious. The MIT krb5 implementation includes support for version 4, including a complete v4 library, server side support for krb4, and limited client support for v4.

Debian alert: New kghostview packages fix buffer overflow

  • Mailing list (Posted by dave on Oct 28, 2002 6:15 AM EDT)
  • Story Type: Security; Groups: Debian
Zen-parse discovered a buffer overflow in gv, a PostScript and PDF viewer for X11. The same code is present in kghostview which is part of the KDE-Graphics package. This problem is triggered by scanning the PostScript file and can be exploited by an attacker sending a malformed PostScript or PDF file. The attacker is able to cause arbitrary code to be run with the privileges of the victim.

Mandrake alert: mod_ssl update

A cross-site scripting vulnerability was discovered in mod_ssl by Joe Orton. This only affects servers using a combination of wildcard DNS and "UseCanonicalName off" (which is not the default in Mandrake Linux). With this setting turned off, Apache will attempt to use the hostname:port that the client supplies, which is where the problem comes into play. With this setting turned on (the default), Apache constructs a self-referencing URL and will use ServerName and Port to form the canonical name. It is recommended that all users upgrade, regardless of the setting of the "UseCanonicalName" configuration option.

Mandrake alert: kdegraphics update

A vulnerability exists in KGhostview, part of the kdegraphics package. It includes a DSC 3.0 parser from GSview that is vulnerable to a buffer overflow while parsing a specially crafted .ps file. It also contains code from gv which is vulnerable to a similar buffer overflow triggered by malformed PostScript and PDF files. This has been fixed in KDE 3.0.4 and patches have been applied to correct these packages.

Red Hat alert: Updated ypserv packages fixes memory leak

  • Mailing list (Posted by dave on Oct 24, 2002 4:14 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated ypserv packages which fix a memory leak are now available for Red Hat Linux 7.x and 6.

Mandrake alert: tetex update

A vulnerability was discovered in dvips by Olaf Kirch that would allow remote users with access to the printer to execute commands as the lp user through sending special print jobs to the printer.

Debian alert: New mod_ssl packages fix cross site scripting

  • Mailing list (Posted by dave on Oct 22, 2002 6:48 AM EDT)
  • Story Type: Security; Groups: Debian
Joe Orton discovered a cross-site scripting problem in mod_ssl, an Apache module that adds strong cryptography (i.e. HTTPS support) to the webserver. The module will return the server name unescaped in the response to an HTTP request on an SSL port.

Mandrake alert: gv update

A buffer overflow was discovered in gv versions 3.5.8 and earlier by Zen Parse. The problem is triggered by scanning a file and can be exploited by an attacker sending a malformed PostScript or PDF file. This would result in arbitrary code being executed with the privilege of the user viewing the file. ggv uses code derived from gv and has the same vulnerability. These updates provide patched versions of gv and ggv to fix the vulnerabilities.

SuSE alert: postgresql

  • Mailing list (Posted by dave on Oct 21, 2002 7:52 AM EDT)
  • Story Type: Security; Groups: SUSE
The PostgreSQL Object-Relational DBMS was found vulnerable to several security-related buffer overflow problems. The buffer overflows are located in:

  • handling long datetime input
  • lpad() and rpad() function with multibyte
  • repeat() function
  • TZ and SET TIME ZONE environment variables

These bugs could only be exploited by attackers who have access to the postgresql server, to gain the privileges of the postgres user ID.

Debian alert: New NIS packages fix information leak

  • Mailing list (Posted by dave on Oct 21, 2002 6:45 AM EDT)
  • Story Type: Security; Groups: Debian
Thorsten Kukuck discovered a problem in the ypserv program which is part of the Network Information Services (NIS). A memory leak in all versions of ypserv prior to 2.5 is remotely exploitable. When a malicious user requests a non-existing map, the server will leak parts of an old domainname and mapname.

Debian alert: New gnome-gv packages fix buffer overflow

  • Mailing list (Posted by dave on Oct 18, 2002 6:00 AM EDT)
  • Story Type: Security; Groups: Debian
Zen-parse discovered a buffer overflow in gv, a PostScript and PDF viewer for X11. The same code is present in gnome-gv. This problem is triggered by scanning the PostScript file and can be exploited by an attacker sending a malformed PostScript or PDF file. The attacker is able to cause arbitrary code to be run with the privileges of the victim.

Red Hat alert: Updated Mozilla packages fix security vulnerabilities

  • Mailing list (Posted by dave on Oct 18, 2002 1:18 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated Mozilla packages are now available for Red Hat Linux. These new packages fix vulnerabilities in previous versions of Mozilla.

Debian alert: New PAM packages fix serious security violation in Debian/unstable

  • Mailing list (Posted by dave on Oct 17, 2002 9:44 AM EDT)
  • Story Type: Security; Groups: Debian
Paul Aurich and Samuele Giovanni Tonon discovered a serious security violation in PAM. Disabled passwords (i.e. those with '*' in the password file) were classified as empty passwords, and access to such accounts was granted through the regular login procedure (getty, telnet, ssh). This works for all such accounts whose shell field in the password file does not refer to /bin/false. Only version 0.76 of PAM seems to be affected by this problem.

Debian alert: New Heimdal packages fix remote command execution

  • Mailing list (Posted by dave on Oct 17, 2002 6:06 AM EDT)
  • Story Type: Security; Groups: Debian
The SuSE Security Team has reviewed critical parts of the Heimdal package such as the kadmind and kdc server. While doing so several potential buffer overflows and other bugs have been uncovered and fixed. Remote attackers can probably gain remote root access on systems without fixes. Since these services usually run on authentication servers these bugs are considered very serious.

Red Hat alert: New kernel 2.2 packages fix local vulnerabilities

  • Mailing list (Posted by dave on Oct 17, 2002 2:11 AM EDT)
  • Story Type: Security; Groups: Red Hat
Some potential local security vulnerabilities were found in the kernel during code audits; these have been fixed in the
