Showing all newswire headlines

Joost Pol <joost@pine.nl> reports that OpenSSH versions 2.0 through 3.0.2 have an off-by-one bug in the channel allocation code. This vulnerability can be exploited by authenticated users to gain root privilege or by a malicious server exploiting a client with this bug.

Updated openssh packages are now available for Red Hat Linux 7, 7.1, and 7.2 which close a remotely-exploitable vulnerability in sshd.

A problem was found in versions of improved mod_frontpage prior to 1.6.1 regarding a lack of boundary checks in fpexec.c. This means that the suid root binary is exploitable for buffer overflows. This could be exploited by remote attackers to execute arbitrary code on the server with superuser privileges. Although there are no known exploits available, if you use mod_frontpage you are strongly encouraged to upgrade. This update for Mandrake Linux has been completely reworked and is easier to configure and use, as well as supporting the new FrontPage 2002 extensions.

Ed Moyle discovered a buffer overflow in mod_ssl's session caching mechanisms that use shared memory and dbm. This could potentially be triggered by sending a very long client certificate to the server.

Joost Pol found a bug in the channel code of all versions of OpenSSH from 2.0 to 3.0.2. This bug can allow authenticated users with an existing account on the vulnerable system to obtain root privilege or by a malicious server attacking a vulnerable client. OpenSSH 3.1 is not vulnerable to this problem. The provided packages fix this vulnerability.

New openssh packages are available to fix security problems.

Updated mod_ssl packages for Red Hat Linux 7, 7.1, and 7.2 are available which close a buffer overflow in mod_ssl.

Joost Pol discovered an off-by-one bug in a routine in the openssh code for checking channel IDs. This bug can be exploited on the remote side by an already authenticated user, qualifying this bug as a local security vulnerability, and on the local side if a malicious server attacks the connected client, qualifying this bug as a remote vulnerability. If the error is being exploited, it leads to arbitrary code execution in the process under attack (either a local ssh client, attacking the userID of the client user, or a remote secure shell daemon that has an authenticated user session running, attacking the root account of the remote system). Please note that the possible attack scenario is different from the usual attack scheme because "local vulnerability" refers to the remote side and vice versa.

Tim Waugh found several insecure uses of temporary files in the xsane program, which is used for scanning. This was fixed for Debian/stable by moving those files into a securely created directory within the /tmp directory.

Kim Nielsen recently found an internal problem with the CVS server and reported it to the vuln-dev mailing list. The problem is triggered by an improperly initialized global variable. A user exploiting this can crash the CVS server, which may be accessed through the pserver service and running under a remote user id. It is not yet clear if the remote account can be exposed, through.

Updated radiusd-cistron packages, which fix various security issues, are now available.

The widely used proxy-server squid contains a heap overflow in one of its URL constructing functions. Incorrect length-calculations for the user and passwd fields in ftp-URLs turned out to be the origin of the problem. Only users from hosts listed in squids ACL-files could trigger the overflow. The ftp-URL problem is not present in the 6.4, 7.0 and 7.1 distributions, but other security releated bugs have been fixed there. A complete history can be found at

This fixes several security problems in the POST handling code used for uploading files through forms. All sites using PHP are urged to upgrade as soon as possible.

Zorgon found several buffer overflows in cfsd, a daemon that pushes encryption services into the Unix(tm) file system. We are not yet sure if these overflows can successfully be exploited to gain root access to the machine running the CFS daemon. However, since cfsd can easily be forced to die, a malicious user can easily perform a denial of service attack to it.

Stefan Esser, who is also a member of the PHP team, found several flaws in the way PHP handles multipart/form-data POST requests (as described in RFC1867) known as POST fileuploads. Each of the flaws could allow an attacker to execute arbitrary code on the victim's system.

Kari Hurtta discovered that a format bug exists in the Cyrus SASL library, which is used to provide an authentication API for mail clients and servers, as well as other services such as LDAP. The format bug was found in one of the logging functions which could be used by an attacker to obtain acces to a machine or to possibly acquire elevated privileges. Thanks to the SuSE security team for providing the fix.

Several flaws exist in various versions of PHP in the way it handles multipart/form-data POST requests, which are used for file uploads. The php_mime_split() function could be used by an attacker to execute arbitrary code on the server. This affects both PHP4 and PHP3. The authors have fixed this in PHP 4.1.2 and provided patches for older versions of PHP.

The e-matters team have found multiple remotely exploitable vulnerabilites in the source code responsible for file upload in the apache modules mod_php and mod_php4 (versions 3 and 4). The weakness can be used to have the webserver execute arbitrary code as supplied by the attacker.

Updated PHP packages are available to fix vulnerabilities in the functions that parse multipart MIME data, which are used when uploading files through forms.

Some of the changes made in the DSA-111-1 security fix for SNMP changed the API and ABI for the SNMP library which broke some other applications.