Showing all newswire headlines

This advisory is issued in an attempt to clarify any issues surrounding the recently discovered Apache/mod_ssl worm.

Wojciech Purczynski found out that it is possible for scripts to pass arbitrary text to sendmail as commandline extension when sending a mail through PHP even when safe_mode is turned on. Passing 5th argument should be disabled if PHP is configured in safe_mode, which is the case for newer PHP versions and for the versions below. This does not affect PHP3, though.

The xf86 package contains various libraries and programs which are fundamental for the X server to function. The libX11.so library from this package dynamically loads other libraries where the pathname is controlled by the user invoking the program linked against libX11.so. Unfortunately, libX11.so also behaves the same way when linked against setuid programs. This behavior allows local users to execute arbitrary code under a different UID which can be the root-UID in the worst case. libX11.so has been fixed to check for calls from setuid programs. It denies loading of user controlled libraries in this case. We recommend an update in any case since there is no easy workaround possible except removing the setuid bit from any program linked against libX11.so.

There was an error in the original openssl094 packages, resulting in an incomplete fix. This error has been corrected in 0.9.4-6.potato.2 and 0.9.4-6.woody.2. We recommend that you upgrade your openssl094 packages immediately. i386 packages are available at this time, and packages will be available shortly for other architectures. Note that the openssl 0.9.5a and 0.9.6 updates were not affected by this error.

A cross site scripting problem has been discovered in Konquerer, a famous browser for KDE and other programs using KHTML. The KDE team reports that Konqueror's cross site scripting protection fails to initialize the domains on sub-(i)frames correctly. As a result, Javascript is able to access any foreign subframe which is defined in the HTML source. Users of Konqueror and other KDE software that uses the KHTML rendering engine may become victim of a cookie stealing and other cross site scripting attacks.

Note: this advisory is an update to DSA-136-1, issued 30 Jul 2002. It includes ASN1 updates in the woody packages, plus the potato packages which were not initially available.

Updated ethereal packages are available for Red Hat Powertools 6.2, 7, and 7.1. These packages are required for the Red Hat Security Advisory regarding applications linked against the old ucd-snmp libraries and also fix other security issues in ethereal.

Two buffer overflows have been discovered in purity, a game for nerds and hackers, which is installed setgid games on a Debian system. This problem could be exploited to gain unauthorized access to the group games. A malicious user could alter the highscore of several games.

Mordred Labs and others found several vulnerabilities in PostgreSQL, an object-relational SQL database. They are inherited from several buffer overflows and integer overflows. Specially crafted long date and time input, currency, repeat data and long timezone names could cause the PostgreSQL server to crash as well as specially crafted input data for lpad() and rpad(). More buffer/integer overflows were found in circle_poly(), path_encode() and path_addr().

A fifth parameter was added to PHP's mail() function in 4.0.5 that is not properly sanitized when the server is running in safe mode. This vulnerability would allow local users and, possibly, remote attackers to execute arbitrary commands using shell metacharacters. After upgrading to these packages, execute "service httpd restart" as root in order to close the hole immediately.

A problem in cacti, a PHP based frontend to rrdtool for monitoring systems and services, has been discovered. This could lead into cacti executing arbitrary program code under the user id of the web server. This problem, however, is only persistant to users who already have administrator privileges in the cacti system.

Updated gaim packages are now available for Red Hat Powertools 7. These updates fix a vulnerability in the URL handler.

Updated gaim packages are now available for Red Hat Linux 7.1, 7.2, and 7.3. These updates fix a vulnerability in the URL handler.

A vulnerability was discovered in KDE's SSL implementation in that it does not check the basic constraints on a certificate and as a result may accept certificates as valid that were signed by an issuer who is not authorized to do so. This can lead to Konqueror and other SSL- enabled KDE software falling victim to a man-in-the-middle attack without being aware of the invalid certificate. This will trick users into thinking they are on a secure connection with a valid site when in fact the site is different from that which they intended to connect to. This is fixed in KDE 3.0.3, and the KDE team provided a patch for KDE 2.2.2. This patch has been applied to the following packages. After upgrading kdelibs, you must restart KDE in order for the fix to work.

The network authentication system in Kerberos 5 contains an RPC library that includes an XDR decoder derived from Sun's RPC implementation. This implemenation is vulnerable to a heap overflow. With Kerberos, it is believed that an attacker would need to be able to successfully authenticate to kadmin to be able to exploit this vulnerability.

Jason Molenda and Hiromitsu Takagi found ways to exploit cross site scripting bugs in mhonarc, a mail to HTML converter. When processing maliciously crafted mails of type text/html, mhonarc, does not deactivate all scripting parts properly. This is fixed in upstream version 2.5.3.

[The mail just sent was formatted like an attachment due to a misconception on my side. This mail is only the clearsign version. ]

Updated wordtrans packages are now available for Red Hat Linux 7.3 which fix remote vulnerabilities in wordtrans-web.

Ethereal developers discovered a buffer overflow in the ISIS protocol dissector. It may be possible to make Ethereal crash or hang by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file. It may be possible to make Ethereal run arbitrary code by exploiting the buffer and pointer problems.

Versions of Gaim (an AOL instant message client) prior to 0.58 contain a buffer overflow in the Jabber plug-in module. As well, a vulnerability was discovered in the URL-handling code, where the "manual" browser command passes an untrusted string to the shell without reliable quoting or escaping. This allows an attacker to execute arbitrary commands on the user's machine with the user's permissions. Those using the built-in browser commands are not vulnerable. Update: The 8.1 package had an incorrect dependency on perl. This package has been replaced with a proper package. Please note the differing md5 sums.