From schaefer at alphanet.ch Tue Apr 1 18:37:29 2003
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Tue, 1 Apr 2003 18:37:29 +0200
Subject: [linux-leman-annonces] Summary: SecurityFocus Newsletter #190
Message-ID: <20030401163728.GB1329@defian.alphanet.ch>

Check Point FW-1 Syslog Daemon Unfiltered Escape Sequence Vulnerability
BugTraq ID: 7161
Remote: Yes
Date Published: Mar 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7161
Summary:
Check Point Firewall-1 is a popular firewall package available from Checkpoint Software Technologies. An issue has been discovered in the Check Point FW-1 syslog daemon when attempting to process a malicious, remotely supplied syslog message. Specifically, the syslog service does not properly filter out messages that include escape sequences. This issue may be exploitable by a remote attacker to cause the Check Point syslog service to behave in an unpredictable manner. In addition, exploitation of this vulnerability will result in a remote attacker being able to arbitrarily add syslog entries. This will ensure that any Check Point syslog entries on the firewall host would be suspect. It should be noted that this issue exists only when an administrator attempts to view Check Point syslog messages via the console. The technical details regarding this issue are currently unknown. This BID will be updated when further information becomes available.

Mozilla Bonsai Parameters Page Unauthenticated Access Weakness
BugTraq ID: 7163
Remote: Yes
Date Published: Mar 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7163
Summary:
Mozilla Bonsai is a tool that allows a user to perform queries on the contents of a CVS archive. A weakness has been reported for Bonsai that may allow remote attackers to obtain unauthorized access to the parameters page. This page is accessed through editparams.cgi. The parameters page is used by Bonsai to set several options for the tool. Users by default are able to view this page but are unable to change any parameters unless a password is entered. Any information obtained in this manner may be used by an attacker to launch further attacks against a system using Bonsai. This vulnerability has been reported for Mozilla Bonsai 1.3 (including all current and CVS versions).

Mozilla Bonsai Remote Command Execution Vulnerability
BugTraq ID: 7162
Remote: Yes
Date Published: Mar 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7162
Summary:
Mozilla Bonsai is a tool that allows a user to perform queries on the contents of a CVS archive. A vulnerability has been discovered in Mozilla Bonsai. This issue is reported to affect all current and CVS versions of the utility. Exploitation of this issue may allow an attacker to remotely execute arbitrary commands with 'www-data' privileges. The details regarding this vulnerability are currently unknown. This BID will be updated as further information becomes available.

Netgear ProSafe VPN Firewall Web Interface Login Denial Of Service Vulnerability
BugTraq ID: 7166
Remote: Yes
Date Published: Mar 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7166
Summary:
The ProSafe VPN Firewall is a home and small office firewall and virtual private network device distributed by Netgear. A problem with the device could make it possible for a remote user to deny service. It has been reported that some ProSafe VPN Firewall devices do not properly handle some types of input. Because of this, a remote user could potentially send malicious input to the device that would result in a crash, and a potential denial of service. The problem is in the handling of authentication information of excessive length. When a user passes both a username and password to the web administration interface of the device, the system can be caused to crash. It is likely that this issue is a memory corruption vulnerability, and potentially an exploitable boundary condition error. There is no confirmation of this. However, if this issue does prove to be an exploitable boundary condition error, an attacker could potentially execute arbitrary code on the vulnerable device with the privileges of the web interface. It should also be noted that this vulnerability is likely only exploitable via the internal interface of the device, though this also is not confirmed.

3Com SuperStack II RAS 1500 Malicious IP Header Denial of Service Vulnerability
BugTraq ID: 7175
Remote: Yes
Date Published: Mar 24 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7175
Summary:
3Com SuperStack II Remote Access System (RAS) 1500 is a routing device designed to service dialup users. It has been reported that RAS 1500 routers are prone to a vulnerability that may cause a denial of service. The problem occurs when processing packets with malformed IP headers. Specifically, an IP header with a 'len' field of 0 may crash an affected device, causing it to reboot. An attacker could exploit this vulnerability to effectively deny service to legitimate users of the device.

3Com SuperStack II RAS 1500 Unauthorized Access Vulnerability
BugTraq ID: 7176
Remote: Yes
Date Published: Mar 24 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7176
Summary:
3Com SuperStack II Remote Access System (RAS) 1500 is a routing device designed to service dialup users. A vulnerability has been reported in the 3Com RAS 1500 router that may allow attackers to access sensitive data. Specifically, RAS 1500 devices do not carry out sufficient authentication of users requesting files via the web interface. Successful exploitation of this vulnerability may allow an attacker to obtain sensitive configuration files. Access to this information may make it possible for an attacker to carry out further attacks on a target system or device.
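As an added illustration for the 3Com RAS 1500 entry (BID 7175) above, and not code from the newsletter or from the vendor, the following C routine validates an IPv4 header before any field is used as a length, so a 'len' of 0 is rejected rather than being turned into a wrapped payload size. The sample header bytes are constructed here for the demonstration, and the checksum step goes beyond what the BID describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_HDR 20u

typedef enum {
    IP_OK = 0,
    IP_TRUNCATED,      /* capture shorter than the header or total length claims */
    IP_BAD_VERSION,    /* version nibble is not 4 */
    IP_BAD_IHL,        /* header length below the 20-byte minimum */
    IP_BAD_TOTAL_LEN,  /* total length shorter than the header, e.g. 0 */
    IP_BAD_CHECKSUM    /* header checksum does not verify */
} ip_status;

/* RFC 1071 one's-complement sum over the header; over a header whose
 * checksum field is filled in correctly this returns 0. */
static uint16_t ipv4_checksum(const uint8_t *hdr, size_t hdr_len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr_len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Validates the fixed IPv4 header fields in the order a parser needs them.
 * Every check happens before a field is used as a length, so a total length
 * of 0 is rejected instead of producing a negative or wrapped payload size.
 * On success *hdr_len receives the header length in bytes. */
ip_status ipv4_header_check(const uint8_t *pkt, size_t caplen, size_t *hdr_len)
{
    if (caplen < IPV4_MIN_HDR)
        return IP_TRUNCATED;
    if ((pkt[0] >> 4) != 4)
        return IP_BAD_VERSION;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < IPV4_MIN_HDR)
        return IP_BAD_IHL;
    if (ihl > caplen)
        return IP_TRUNCATED;
    size_t total = (size_t)((pkt[2] << 8) | pkt[3]);
    if (total < ihl)                 /* covers the 'len' == 0 case */
        return IP_BAD_TOTAL_LEN;
    if (total > caplen)
        return IP_TRUNCATED;
    if (ipv4_checksum(pkt, ihl) != 0)
        return IP_BAD_CHECKSUM;
    if (hdr_len)
        *hdr_len = ihl;
    return IP_OK;
}

/* Constructed sample: a 20-byte IPv4 header for an ICMP datagram between two
 * documentation addresses. total_len is the only field callers vary. */
void make_sample_header(uint8_t out[IPV4_MIN_HDR], uint16_t total_len)
{
    static const uint8_t src[4] = {192, 0, 2, 1}, dst[4] = {192, 0, 2, 2};
    uint16_t csum;

    memset(out, 0, IPV4_MIN_HDR);
    out[0] = 0x45;                           /* version 4, IHL 5 words */
    out[2] = (uint8_t)(total_len >> 8);
    out[3] = (uint8_t)(total_len & 0xFF);
    out[8] = 64;                             /* TTL */
    out[9] = 1;                              /* protocol: ICMP */
    memcpy(out + 12, src, 4);
    memcpy(out + 16, dst, 4);
    csum = ipv4_checksum(out, IPV4_MIN_HDR); /* computed with the field zeroed */
    out[10] = (uint8_t)(csum >> 8);
    out[11] = (uint8_t)(csum & 0xFF);
}

/* Demo/test helper: verdict for a sample header with the given total length. */
ip_status check_sample(uint16_t total_len)
{
    uint8_t h[IPV4_MIN_HDR];
    size_t hl = 0;
    make_sample_header(h, total_len);
    return ipv4_header_check(h, sizeof h, &hl);
}

/* Demo/test helper: same, after flipping bits in one header byte. */
ip_status check_sample_tampered(uint16_t total_len, size_t idx, uint8_t mask)
{
    uint8_t h[IPV4_MIN_HDR];
    size_t hl = 0;
    make_sample_header(h, total_len);
    h[idx % IPV4_MIN_HDR] ^= mask;
    return ipv4_header_check(h, sizeof h, &hl);
}

int main(void)
{
    printf("len=20 -> %d (0 is IP_OK)\n", check_sample(20));
    printf("len=0  -> %d (4 is IP_BAD_TOTAL_LEN)\n", check_sample(0));
    return 0;
}
```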
Joel Palmius Mod_Survey Data Injection Vulnerability
BugTraq ID: 7192
Remote: Yes
Date Published: Mar 23 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7192
Summary:
Mod_Survey is a mod_perl module for Apache which allows web users to create online questionnaires. It is maintained by Joel Palmius and will run on Linux and Unix variants as well as Microsoft Windows. Mod_Survey does not sufficiently sanitize data supplied via ENV tags. ENV tags are a feature included with Mod_Survey to import values supplied from environment variables into the data repository. It has been reported by the vendor that this may allow for injection of malicious data, including delimiter characters, into the data repository. Exploitation may allow for manipulation of environment variables or the possibility of executing database commands through injection of SQL syntax. Other attacks may also be possible. This is only an issue with surveys that use ENV tags. This issue occurs with ENV tags which import data from environment variables that may be potentially specified or influenced by a remote user (such as 'HTTP_USER_AGENT'). The consequences of exploitation could depend on the underlying database implementation and configuration or other factors.

From schaefer at alphanet.ch Wed Apr 9 09:56:42 2003
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Wed, 9 Apr 2003 09:56:42 +0200
Subject: [linux-leman-annonces] Summary: SecurityFocus Newsletter #191
Message-ID: <20030409075642.GA1613@defian.alphanet.ch>

Snort Evasion Echo Flag Port Scan Vulnerability
BugTraq ID: 7220
Remote: Yes
Date Published: Mar 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7220
Summary:
Snort is a freely available, open source intrusion detection system. It is available for Unix, Linux, and Microsoft Windows platforms. It has been reported that a vulnerability exists in the default configuration of Snort. Due to this issue it is possible for a user to evade detection while performing some types of scans. The problem is in the detection of specifically crafted packets. When a port scan is initiated with the TCP SYN, FIN, and ECN flags set, the default configuration of Snort will not register these packets as an IDS event. This could permit an attacker to gather information on network resources that could be used for a more organized attack against systems. This problem has been reported in version 1.9.1, though earlier versions may be affected.

Alexandria / SourceForge Cross Site Scripting Vulnerability
BugTraq ID: 7223
Remote: Yes
Date Published: Mar 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7223
Summary:
Alexandria is a freely available project management system. VA Software SourceForge is a modified version of Alexandria. Alexandria does not adequately filter some HTML code, thus making it prone to cross-site scripting attacks. It is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user. It has been reported that sections of Alexandria that display a user's resume are prone to cross site scripting attacks. Any attacker-supplied code will be executed within the context of the website running Alexandria. This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may hijack the session of the legitimate user by using cookie-based authentication credentials. Other attacks are also possible. This vulnerability was reported for Alexandria 2.5 and 2.0.

Alexandria / SourceForge CRLF Injection Vulnerability
BugTraq ID: 7224
Remote: Yes
Date Published: Mar 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7224
Summary:
Alexandria is a freely available project management system. VA Software SourceForge is a modified version of Alexandria. A vulnerability has been reported for Alexandria that may allow remote attackers to use the Alexandria system for proxying of unsolicited e-mail. The vulnerability exists in the 'sendmessage.php' script file. There is no input validation performed on user-supplied data passed to functions in the 'sendmessage.php' script file. As a result, malicious users may embed CR/LF sequences to inject additional headers into outgoing messages. Attackers may exploit this weakness to manipulate the structure of outgoing messages. For example, it may be possible for attackers to set the recipient to an arbitrary value. This could be leveraged by individuals to send mass unsolicited mail in a manner similar to how "formmail" is actively exploited (BID 3955). This vulnerability was reported for Alexandria 2.5 and 2.0.

Alexandria / SourceForge File Disclosure Vulnerability
BugTraq ID: 7225
Remote: Yes
Date Published: Mar 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7225
Summary:
Alexandria is a freely available project management system. VA Software SourceForge is a modified version of Alexandria. A vulnerability has been reported for Alexandria that may result in the disclosure of sensitive files to remote attackers. The vulnerability occurs in the 'docman/new.php' and 'patch/index.php' script files, which allow the uploading of files. Due to insufficient checks performed by these scripts, it is possible for an attacker to specify any web server readable files as the files that were recently uploaded. This will result in the disclosure of the contents of these files to remote attackers. This vulnerability was reported for Alexandria 2.5 and 2.0.

Mutt IMAP Remote Folder Buffer Overflow Vulnerabilities
BugTraq ID: 7229
Remote: Yes
Date Published: Mar 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7229
Summary:
Mutt is a freely available, open source mail user agent. It is available for the Unix and Linux operating systems. Buffer overrun vulnerabilities have been reported for Mutt. These vulnerabilities are similar to the issues described in BID 7120, Mutt UTF-7 Internationalized Remote Folder Buffer Overrun Vulnerability. Mutt provides functionality that allows a remote user to read e-mail from folders through Internet Message Access Protocol (IMAP). A specially crafted folder on an IMAP server may be able to trigger these overflow conditions to cause the vulnerable mutt client to crash. Although unconfirmed, it may be possible to execute attacker-supplied code with the privileges of the mutt process. Further details of this vulnerability are currently unknown. This BID will be updated as more information becomes available. These vulnerabilities were reported for Mutt 1.3.28 and earlier.

Sendmail Address Prescan Memory Corruption Vulnerability
BugTraq ID: 7230
Remote: Yes
Date Published: Mar 29 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7230
Summary:
It has been reported that Sendmail is affected by a memory corruption condition that is likely remotely exploitable. The flaw is present in the prescan() procedure, one that is used for processing e-mail addresses in SMTP headers. This function is implemented in the source code file "parseaddr.c". It is at least theoretically possible that this condition may be exploited by remote attackers to execute instructions on target systems. This vulnerability is due to a logic error in the conversion of a char to an integer value. The condition occurs when Sendmail converts an externally supplied character byte to an integer type. It is possible for the byte to be converted to a special control value (-1) that will result in disabling of bounds checking. This is because the integer type is assigned the value of a signed char without casting it as unsigned:

    c = *p++;

The char value 0xFF will cause c to be assigned the integer representation of -1, the 'NOCHAR' control value.
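An added C model of the pattern the Sendmail entry describes, not Sendmail's own prescan() code: the sentinel name NOCHAR comes from the BID text, the copy loop is a simplified stand-in for the real scanner, and the 0xFF input is constructed. It shows why reading a byte through a signed char collides with the -1 sentinel and how the (unsigned char) cast removes the collision.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sentinel meaning "no character pending"; the name is the one the BID uses. */
#define NOCHAR (-1)

/* Reads one input byte into an int the way the BID describes: through a
 * signed char (plain char is signed on the platforms concerned), or with the
 * (unsigned char) cast that keeps the byte in 0..255. */
int read_byte(const unsigned char *p, bool cast_unsigned)
{
    int c;
    if (cast_unsigned)
        c = (unsigned char)*p;      /* 0xFF -> 255, can never equal NOCHAR */
    else
        c = (signed char)*p;        /* 0xFF -> -1, indistinguishable from NOCHAR */
    return c;
}

/* Counts the bytes of addr[0..n) that the scanner would mistake for the
 * NOCHAR sentinel. Only 0xFF can collide, and only without the cast. */
size_t count_nochar_collisions(const unsigned char *addr, size_t n, bool cast_unsigned)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (read_byte(addr + i, cast_unsigned) == NOCHAR)
            hits++;
    return hits;
}

/* Simplified model of a prescan-style copy loop (not Sendmail's code): the
 * "buffer full" test is skipped whenever c == NOCHAR, the condition the BID
 * describes. The model never writes out of bounds; it counts the writes the
 * unguarded path would have made past the end of out[] and returns that
 * number, so 0 means the copy stayed bounded. */
size_t prescan_copy(const unsigned char *in, size_t n,
                    char *out, size_t outsz, bool cast_unsigned)
{
    size_t q = 0, overflow = 0;
    for (size_t i = 0; i < n; i++) {
        int c = read_byte(in + i, cast_unsigned);
        if (c != NOCHAR && q >= outsz - 1)   /* bounds check, skipped for NOCHAR */
            break;
        if (q < outsz - 1)
            out[q] = (char)c;                 /* in-bounds write */
        else
            overflow++;                       /* would have clobbered the stack */
        q++;
    }
    out[q < outsz - 1 ? q : outsz - 1] = '\0';
    return overflow;
}

/* Demo/test helper: a constructed 20-byte address of 0xFF bytes copied into
 * an 8-byte buffer; returns the number of out-of-bounds writes modelled. */
size_t demo_ff_address(bool cast_unsigned)
{
    unsigned char addr[20];
    char out[8];
    memset(addr, 0xFF, sizeof addr);
    return prescan_copy(addr, sizeof addr, out, sizeof out, cast_unsigned);
}

/* Demo/test helper: an ordinary ASCII address is merely truncated, never
 * overflowed, with or without the cast. */
size_t demo_ascii_address(bool cast_unsigned)
{
    static const unsigned char addr[] = "user@example.com";
    char out[8];
    return prescan_copy(addr, sizeof addr - 1, out, sizeof out, cast_unsigned);
}

int main(void)
{
    printf("signed char, 0xFF address:   %zu writes past the buffer\n", demo_ff_address(false));
    printf("unsigned cast, 0xFF address: %zu writes past the buffer\n", demo_ff_address(true));
    return 0;
}
```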
Bounds checking is disabled when the value of the current character (c) is 'NOCHAR'. This leads to the potential for malicious data to be written beyond the boundaries of the buffer allocated to store it. Attackers may exploit this condition to overwrite potentially sensitive values on the stack with some degree of control. The discoverer of this condition has reported that it was successfully exploited to execute code locally. It is likely that this vulnerability can be exploited remotely as well. This vulnerability is eliminated in Sendmail version 8.12.9. Administrators are advised to upgrade as soon as possible.

CCLog HTTP Header HTML Injection Vulnerability
BugTraq ID: 7238
Remote: Yes
Date Published: Mar 29 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7238
Summary:
CCLog is a script that logs all hits to a certain web site. It has been reported that CCLog does not sufficiently filter user-supplied values for some HTTP headers. Specifically, the script, cc_log.pl, does not sanitize the values for the 'User-Agent' and 'Referer' HTTP headers. As a result, attackers may embed malicious script code or HTML into specially crafted HTTP requests. When CCLog is used to assemble an HTML version of web site hits and is viewed by another user, the attacker-supplied code will be interpreted in their web browser in the security context of the site hosting the software. This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may hijack the session of the legitimate user by using cookie-based authentication credentials. Other attacks are also possible.

SAP DB RPM Install World Writable Binary Vulnerability
BugTraq ID: 7242
Remote: No
Date Published: Mar 31 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7242
Summary:
SAP DB is a free enterprise level database available for Microsoft Windows, Linux, Solaris, AIX, Tru64, and HP-UX platforms. When SAP DB is installed using RPM packages, insecure permissions are left on two binaries. After performing the installation, the lserver and dbmsrv binaries have '777' permissions. This allows any user on the system to write to the binaries. It should be noted that this vulnerability only exists when SAP DB is installed using RPM packages. Installing SAP DB from tgz packages will leave these binaries with '755' permissions.

Red Hat Linux 9 vsftpd Compiling Error Weakness
BugTraq ID: 7253
Remote: Yes
Date Published: Apr 01 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7253
Summary:
vsftpd is a GPL licensed secure FTP server for UNIX and Linux platforms. tcp_wrappers is an IP packet filtering facility for UNIX and Linux platforms. In Red Hat Linux 9, vsftpd was switched to a standalone service instead of being run by xinetd. When this change was made, vsftpd was not compiled against tcp_wrappers. Because of this, the vsftpd user is unable to perform any IP packet filtering on access to the FTP server. This issue only affects Red Hat Linux 9 boxed sets that were manufactured for sale in the United States. The affected part numbers are RHF0120US and RHF0121US. Versions of Red Hat 9 that were downloaded or purchased from international boxed sets are not affected.

From schaefer at alphanet.ch Mon Apr 14 11:04:40 2003
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Mon, 14 Apr 2003 11:04:40 +0200
Subject: [linux-leman-annonces] TUESDAY 15 APRIL 2003 19:00: "Is Linux ready for business? How reliable and maintainable is this operating system?"
Message-ID: <20030414090440.GA8893@defian.alphanet.ch>

-------------------------------------------------------------------
WHEN: TUESDAY 15 APRIL 2003 - FROM 19:00 TO 21:00
LOCATION: GENEVA - SWITZERLAND
Language: French
Place: Club suisse de la presse, la Pastorale - 106 rte de Ferney, Geneva
Free entrance
Organizer: Internet Society Geneva
Aperitif offered by the Geneva press club (Club suisse de la presse)
Registration & details: http://www.isoc.ch/events/avril.htm
Conference programme 2003: http://www.isoc.ch/events/agenda.htm
-------------------------------------------------------------------

"Is Linux ready for business? How reliable and maintainable is this operating system?"

Whether among large accounts or among SMEs and NGOs, LINUX is nibbling away every day at a market hitherto dominated by Microsoft. This conference/debate aims to demonstrate the level of reliability that free software has reached to date. The speakers will present a series of practical cases as well as the experience gained when implementing LINUX solutions in the professional sector.

Speakers:
~~~~~~~~~
>> Gilbert Robert, President of GULL and director of the company Prolibre
Graduate in computer science from the University of Luminy (Marseille) and from EPFL. Unix systems engineer since 1990. President and founding member of GULL (Groupe romand des Utilisateurs de Linux et des Logiciels Libres) since 1998 and director of the company ProLibre.

>> Guillaume Houlier, Director of ZeniSwiss SA
Zeni has notably worked on the migration of the French Lloydsbank website to a Linux platform, as well as on the international deployment of a CMS solution based on free software for Peugeot.

>> Edouard Soriano, Director of DAPSYS S.A.
Dapsys S.A. has worked in the field of medical imaging since 1997. It has developed a range of products for the administrative, technical and medical management of radiology departments, based from the outset on the Windows and Linux operating systems.

Moderator: Stephane Koch, President of the Internet Society Geneva

------> >> Conference programme 2003: http://www.isoc.ch/events/agenda.htm

Many thanks to our sponsors:
****************************
Club Suisse de la Presse: http://www.pressclub.ch/
Le Temps: http://www.letemps.ch/
Orbital & Cie: http://www.orbital.ch/
Toutlecontenu.com: http://www.toutlecontenu.com

Contact:
Stephane Koch
Internet Society Geneva, President
Fax: +41 22 731 6007
Mobile: +41 79 607 57 33
Email: president at isocgva.ch
ICQ: 21021944
Web Site: http://www.isocgva.ch
Web Cast: http://isoctv.org
Web Intl.: http://www.isoc.org
---
events at isocgva.ch
http://www.isocgva.ch
http://addyourevent.com
-------------------------------------------------------
_______________________________________________
wilhelmtux-discussion mailing list
wilhelmtux-discussion at wilhelmtux.ch
http://wilhelmtux.ch/vmailman/listinfo/wilhelmtux-discussion

(via Félix)

From schaefer at alphanet.ch Wed Apr 16 11:08:33 2003
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Wed, 16 Apr 2003 11:08:33 +0200
Subject: [linux-leman-annonces] Summary: SecurityFocus Newsletter #192
Message-ID: <20030416090833.GA2443@defian.alphanet.ch>

Buffalo WBRG54 Wireless Broadband Router Denial Of Service Vulnerability
BugTraq ID: 7282
Remote: Yes
Date Published: Apr 04 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7282
Summary:
Buffalo Wireless Broadband Router WBRG54 is a network device for wireless networks. A vulnerability has been reported for the WBRG54 device that may result in a denial of service. It should be noted that the device must be set to 'peer-to-peer' connection mode if exploitation is to be possible. This mode allows for two devices to specifically communicate with each other.
The vulnerability occurs when a vulnerable device receives numerous ICMP packets. An attacker can exploit this vulnerability by sending ICMP (type 8) packets to a vulnerable device. In some cases, this will result in the device behaving unpredictably and denying service. This vulnerability may also result in the device rebooting spontaneously. The problem was reported for the WBRG54 with firmware revisions 1.11 and 1.13. Other versions may also be affected.

[ hardware ]

CVSps Unfiltered Escape Sequence Vulnerability
BugTraq ID: 7288
Remote: Yes
Date Published: Apr 05 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7288
Summary:
CVSps is a program to generate a diff/patch set for CVS repositories. It is available for Linux and Unix variant operating systems. A vulnerability has been reported for CVSps where some characters were improperly filtered prior to sending them to the command shell. Specifically, escape sequences are not properly filtered from filenames when generating a diff/patch set. This issue can be exploited by a malicious CVS contributor who names a file with malicious escape and shell metacharacters. When CVSps is used to process the malicious file, it may be possible to execute commands on the underlying shell of the host. This vulnerability was reported for CVSps 2.0b9 and earlier.

Interbase External Table File Verification Vulnerability
BugTraq ID: 7291
Remote: Yes
Date Published: Apr 05 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7291
Summary:
Interbase is a database distributed and maintained by Borland. It is available for Unix and Linux operating systems. A vulnerability has been reported for Interbase that may result in the corruption of arbitrary system files. The vulnerability exists due to insufficient checks performed when creating or manipulating external databases. Specifically, file existence checks are not made. An attacker can exploit this vulnerability by creating an external table pointing to an arbitrary system file. When the attacker attempts to modify the external table, the system file will be corrupted with attacker-supplied information. This may result in system instability. This vulnerability is further exacerbated by the fact that the Interbase service typically runs with root or SYSTEM level privileges. Firebird is based on Borland/Inprise Interbase source code and is therefore also prone to this issue.

Metrics Insecure Local File Creation Vulnerability
BugTraq ID: 7293
Remote: No
Date Published: Apr 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7293
Summary:
Metrics is an application designed to measure various software metrics. It is available for the Linux operating system and is included with the Debian 2.2 distribution. A vulnerability has been discovered in Metrics which could allow an attacker to corrupt sensitive system files. The problem occurs in the 'halstead' and 'gather_stats' scripts, included in the Metrics package. The vulnerability exists due to the two scripts failing to carry out sufficient security precautions when attempting to create temporary files. As a result, it may be possible for a malicious local user to corrupt sensitive system files. This vulnerability was discovered in Metrics version 1.0; however, earlier versions may also be affected.

Samba 'call_trans2open' Remote Buffer Overflow Vulnerability
BugTraq ID: 7294
Remote: Yes
Date Published: Apr 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7294
Summary:
Samba is a freely available file and printer sharing application maintained and developed by the Samba Development Team. Samba allows file and printer sharing between operating systems on the Unix and Microsoft platforms. The Samba daemon is typically run with super user privileges. A buffer overflow vulnerability has been reported for Samba that could allow an anonymous remote attacker to execute arbitrary code. The vulnerability occurs in the 'call_trans2open()' function when copying data into a 1024 byte static buffer. Sufficient bounds checking is not performed when a call to the 'Strncpy()' function is invoked. The length argument supplied to 'Strncpy()' is exactly the length of the user-supplied data. As a result, an attacker could exploit this vulnerability by sending data in excess of 1024 bytes. Successful exploitation of this vulnerability could allow an anonymous attacker to overwrite sensitive stack variables, including the 'open_trans2open()' function's saved return address. The ability to influence sensitive memory could be leveraged by the attacker to execute arbitrary code with the privileges of the Samba server process.

Samba Multiple Unspecified Remote Buffer Overflow Vulnerabilities
BugTraq ID: 7295
Remote: Yes
Date Published: Apr 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7295
Summary:
Samba is a freely available file and printer sharing application maintained and developed by the Samba Development Team. Samba allows file and printer sharing between operating systems on the Unix and Microsoft platforms. The Samba daemon is typically run with super user privileges. Multiple remote buffer overflow vulnerabilities have been reported for Samba and Samba-TNG. The overflows are reported to occur in both stack and heap-based memory. This issue occurs due to insufficient bounds checking when copying user-supplied data to internal buffers. Although it has not been confirmed, it is likely that these issues can be exploited to execute arbitrary code, with the privileges of Samba (which typically runs as root). These issues are reported to affect Samba 2.2.8 and Samba-TNG 0.3.1. The precise technical details regarding these vulnerabilities are currently unknown. This BID will be updated as further information is made available. It should be noted that these vulnerabilities may be similar to the issue described in BID 7294.

Amavis Header Parsing Mail Relaying Weakness
BugTraq ID: 7306
Remote: Yes
Date Published: Apr 08 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7306
Summary:
Amavis is a freely available, open source virus scanning software package. It is available for the UNIX and Linux operating systems. A problem with the software may make it possible to perform unauthorized actions in vulnerable configurations. It has been reported that some versions of Amavis-ng do not properly interact with Postfix. Because of this, an attacker may be able to circumvent relay restrictions. The problem is in the handling of headers. Due to improper e-mail header processing, Amavis may send e-mails to addresses specified in a To: field in the message body rather than the RCPT TO: field specified via SMTP. This could make it possible to relay e-mails through some configurations.

Other problems:
- SETI client (unless I am mistaken, proprietary with no source)
- the usual PHP scripts

From schaefer at alphanet.ch Thu Apr 17 11:11:33 2003
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Thu, 17 Apr 2003 11:11:33 +0200
Subject: [linux-leman-annonces] New GULL mailing lists
Message-ID: <20030417091133.GA1395@defian.alphanet.ch>

Hello,

as discussed last night at the AGM, we are going to rename the mailing lists. Once this operation is done, we will add redirections for all the old lists.

Changes:
gull at lists.alphanet.ch to replace linux-leman
gull-org at lists.alphanet.ch to replace linux-leman-admin
gull-annonces at lists.alphanet.ch to replace linux-leman-annonces
gull-commercial at lists.alphanet.ch to replace linux-leman-commercial

There will be no need to re-subscribe: the configuration and the member list will be taken from the old lists.
The migration date is set as follows: 12 May 2003, 20:00 MEST.

From schaefer at alphanet.ch Thu Apr 17 17:16:09 2003
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Thu, 17 Apr 2003 17:16:09 +0200
Subject: [linux-leman-annonces] Reminders
Message-ID: <20030417151609.GA2947@defian.alphanet.ch>

A few linux-neuchatel reminders:

- next meeting: 25 April at Le Phare in Fleurier, presentation of the cyber-cafe (GNU/Linux clients; GNU/Linux and Microsoft Windows servers)
- next course: 20 May at the CIN, Serrières, Samba and ACLs
- following course: 25 June, at the CIN, Webmin.

Everything above is for the time being open to everyone.

WWW server: http://linux-neuchatel.eicn.ch/

From schaefer at alphanet.ch Tue Apr 22 19:42:28 2003
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Tue, 22 Apr 2003 19:42:28 +0200
Subject: [linux-leman-annonces] Summary: SecurityFocus Newsletter #193
Message-ID: <20030422174228.GA1059@defian.alphanet.ch>

BitchX Trojan Horse Vulnerability
BugTraq ID: 7333
Remote: Yes
Date Published: Apr 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7333
Summary:
BitchX is a freely available, open source IRC client. It is available for Unix, Linux, and Microsoft operating systems. It has been announced that the server hosting BitchX, www.bitchx.org, was compromised recently. It has been reported that the intruder made modifications to the source code of BitchX to include trojan horse code. Downloads of the source code of BitchX from www.bitchx.org, and mirrors, likely contain the trojan code. Reports say that the trojan will run once upon compilation of BitchX. Once the trojan is executed, it attempts to connect to host 207.178.61.5 on port 6667. The trojan horse modifications can be found in the configure script in BitchX 1.0c19. Additionally, the trojan displays similarity to those found in irssi, fragroute, fragrouter, tcpdump, libpcap, OpenSSH, and Sendmail. This BID will be updated as more information becomes available.

LPRng PSBanner Insecure Temporary File Creation Vulnerability
BugTraq ID: 7334
Remote: No
Date Published: Apr 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7334
Summary:
LPRng psbanner is a printer filter utility that creates a PostScript format banner and is part of LPRng. The psbanner filter has been reported to be prone to an insecure temporary file creation vulnerability. Under certain circumstances, specifically when psbanner is configured as a filter, psbanner creates temporary files for debugging purposes in an insecure manner. It has been reported that psbanner does not check if a previous file exists or whether the file is symlinked to another location before using it for a specific action. The action taken on the file will be committed with the user id 'daemon'. This vulnerability may lead to symbolic link attacks within the context of the user running the vulnerable utility.

SheerDNS Information Disclosure Vulnerability
BugTraq ID: 7336
Remote: Yes
Date Published: Apr 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7336
Summary:
SheerDNS is a master DNS server implementation for Unix and Linux variants. A vulnerability has been discovered in SheerDNS. Due to insufficient sanitization of user-supplied data within DNS requests, an attacker may be capable of viewing the contents of an arbitrary directory or file. Specifically, SheerDNS fails to filter directory traversal sequences (../) embedded in DNS queries. As SheerDNS runs with root privileges, exploitation of this issue would allow an attacker to view the contents of all system directories. This issue was discovered in SheerDNS version 1.0.0; however, earlier versions may also be affected.
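An added C example for the SheerDNS traversal issue (BID 7336) above, not SheerDNS's own code: it validates a query name against the hostname character set before joining it to a zone directory, so that '..' or '/' arriving in a query can never reach the filesystem layer. The zone directory /var/sheerdns and the helper names are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DNS_NAME_MAX  253   /* presentation-form limit, without the root dot */
#define DNS_LABEL_MAX 63

typedef enum {
    Q_OK = 0,
    Q_EMPTY,          /* nothing left after stripping the root dot */
    Q_TOO_LONG,       /* name longer than DNS allows */
    Q_BAD_LABEL,      /* empty label ("..", leading/trailing dot) or label > 63 */
    Q_BAD_CHAR,       /* byte outside [A-Za-z0-9-], e.g. '/' */
    Q_PATH_TOO_LONG   /* zonedir + name does not fit the output buffer */
} qname_status;

/* Checks a query name in presentation form (no trailing dot) against the
 * hostname character set. Because '/' is never accepted and an empty label
 * is rejected, traversal sequences such as "../" cannot pass validation. */
qname_status validate_qname(const char *qname)
{
    size_t len = strlen(qname);
    if (len == 0)
        return Q_EMPTY;
    if (len > DNS_NAME_MAX)
        return Q_TOO_LONG;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char ch = (unsigned char)qname[i];
        if (ch == '.') {
            if (label_len == 0)            /* "..", ".x" */
                return Q_BAD_LABEL;
            label_len = 0;
            continue;
        }
        if (!isalnum(ch) && ch != '-')
            return Q_BAD_CHAR;
        if (++label_len > DNS_LABEL_MAX)
            return Q_BAD_LABEL;
    }
    return label_len == 0 ? Q_BAD_LABEL : Q_OK;   /* rejects a trailing dot */
}

/* Builds "<zonedir>/<qname>" for a per-name zone file lookup, but only after
 * the name passes validate_qname. One trailing root dot is stripped first. */
qname_status build_zone_path(const char *zonedir, const char *qname,
                             char *out, size_t outsz)
{
    char name[DNS_NAME_MAX + 1];
    size_t len = strlen(qname);
    if (len > 0 && qname[len - 1] == '.')
        len--;
    if (len > DNS_NAME_MAX)
        return Q_TOO_LONG;
    memcpy(name, qname, len);
    name[len] = '\0';

    qname_status st = validate_qname(name);
    if (st != Q_OK)
        return st;

    int n = snprintf(out, outsz, "%s/%s", zonedir, name);
    if (n < 0 || (size_t)n >= outsz)
        return Q_PATH_TOO_LONG;
    return Q_OK;
}

/* Demo/test helper with a hypothetical zone directory: returns the resolved
 * path, or NULL when the name is rejected. */
const char *resolve_demo(const char *qname)
{
    static char path[512];
    if (build_zone_path("/var/sheerdns", qname, path, sizeof path) != Q_OK)
        return NULL;
    return path;
}

int main(void)
{
    /* Constructed query names: one benign, three carrying path syntax. */
    const char *names[] = { "www.example.com.", "../../etc/passwd", "a..b", "x/y.example" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *p = resolve_demo(names[i]);
        printf("%-20s -> %s\n", names[i], p ? p : "rejected");
    }
    return 0;
}
```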
SheerDNS CNAME Buffer Overflow Vulnerability BugTraq ID: 7335 Remote: No Date Published: Apr 13 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7335 Summary: SheerDNS is a master DNS server implementation for Unix and Linux variants. SheerDNS is prone to a buffer overflow when constructing responses to CNAME queries. This is due to insufficient bounds checking of lookup information. Specifically, the static buffer for lookup results is much larger than the buffer for queries. The program does a strcpy() operation to copy the lookup results into the query buffer. Lookup information which is fetched from local files. If an attacker can influence the contents of these files, then it will be possible to trigger this condition to corrupt adjacent regions of stack memory with malicious data. Exploitation could lead to a denial of service or execution of malicious instructions. This issue was discovered in SheerDNS version 1.0.0, however, earlier versions may also be affected. GS-Common PS2Epsi Insecure Temporary File Vulnerability BugTraq ID: 7337 Remote: No Date Published: Apr 14 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7337 Summary: gs-common is a set of common files for different Ghostscript releases. The ps2espi script included with gs-common creates temporary files in an insecure manner when invoking Ghostscript. A malicious local user could exploit this condition to create a symbolic link that could corrupt any local file which is writeable by the user invoking the vulnerable script. Exploitation may result in a denial of service if critical files are corrupted. Privilege elevation may also be possible if the local attacker can corrupt local files with custom data. GTKHTML Malformed HTML Document Denial Of Service Vulnerability BugTraq ID: 7350 Remote: Yes Date Published: Apr 14 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7350 Summary: GtkHTML is a HTML rendering and editing engine for Gnome. 
It is embedded in many applications, such as Evolution personal and workgroup information management software. It has been reported that GtkHTML is prone to a vulnerability that may be exploited to cause a denial of service. This issue is present in GtkHTML with Evolution. It is possible to crash the Evolution e-mail client with a malformed message due to this flaw in GtkHTML. It is possible that this flaw may affect other applications that rely upon GtkHTML, though this has not been confirmed. Further details are not available at this time. This BID will be updated as more details become available. Python Documentation Server Error Page Cross-Site Scripting Vulnerability BugTraq ID: 7353 Remote: Yes Date Published: Apr 15 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7353 Summary: Python Documentation Server is a freely available server distributed with the Python software package. It is available for Unix, Linux, and Microsoft Operating Systems. It has been reported that the Python Documentation Server is vulnerable to a cross-site scripting vulnerability. The problem is due to insufficient sanitization of HTML and script code from error output. When HTML and script code are passed to the vulnerable server in a URI, the code will be displayed in the server's error page. An attacker could exploit this issue by constructing a malicious link which contains hostile HTML and script code and then enticing web users to visit the link. When the error page is displayed, the attacker-supplied code may be rendered in the user's web browser. This will occur in the security context of the documentation server. The server runs on port 7464 by default. 
Netcomm NB1300 Modem/Router Weak Default Configuration Settings Vulnerability BugTraq ID: 7359 Remote: Yes Date Published: Apr 15 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7359 Summary: Netcomm NB1300 modem/router is a device used to connect SOHO or Small Business networks to an ADSL service provider. The ADSL Router supports IP Packet routing and functions such as NAT and DHCP allowing users to have their IP address assigned automatically and share a single ISP account. It has been reported that the Netcomm NB1300 modem/router ships with weak default configuration settings. The NB1300 has, by default, an FTP server (VxWorks 5.4.1) exposed on the WAN interface. The default username is set as 'admin' and the password is, by default, 'password'. A remote user may connect to the FTP server and authenticate using default credentials if they have not been changed. The attacker may then download the router configuration information contained as plaintext in the 'config.reg' file. Other attacks may also be possible. Information gathered in this may be used in further attacks launched against the victim host/network. It should be noted that this vulnerability has been reported to affect all known releases of Netcomm NB1300 firmware. [ hardware ] Mozilla Browser Cross Domain Violation Vulnerability BugTraq ID: 7363 Remote: Yes Date Published: Apr 16 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7363 Summary: Mozilla is an open source web browser available for a number of platforms, including Microsoft Windows and Linux. A problem has been reported in Mozilla that could allow access to information in other browser windows. The vulnerability exists because Mozilla does not properly sanitize links when transferring documents from one domain to another. Specifically, malicious HTML code is not sanitized from the 'onclick' property. 
Upon the execution of code through the 'onclick' property, a violation in browser security zone policy would occur that allows the original web site to view the contents of web pages in other browser windows. This problem would require a user visiting a web page that has been designed to present malicious dialog boxes. This type of attack would most commonly occur through social engineering. Other browsers based on the Mozilla codebase are vulnerable to this issue. [ Progress; Oracle; et d'autres ] From schaefer at alphanet.ch Thu Apr 24 12:00:29 2003 From: schaefer at alphanet.ch (Marc SCHAEFER) Date: Thu, 24 Apr 2003 12:00:29 +0200 Subject: [linux-leman-annonces] =?iso-8859-1?Q?=5Blinux-neuch=E2tel=5D_Con?= =?iso-8859-1?Q?f=E9rence?= au cybercafe du Phar Fleurier le 25 avril 2003 Message-ID: <20030424100029.GA2427@defian.alphanet.ch> [ post? pour Marc-Andr? Mojon ] Bonjour ? tous, Voici le programme de la conf?rence du 25 avril 2003 au cybercaf? Linux du Phare ? Fleurier. D?s 19h00 accueil, bar, cybercaf? gratuit, discussions. 20h00 1?re partie grand public Intervenants : Ronald Morand, animateur du Phare S?bastien Rollier, animateur du Phare Marc-Andr? Mojon, responsable informatique au Phare - C'est quoi linux Historique Valeurs de Linux Exp?rience d'un utilisateur Pourquoi le Cybercaf? du Phare a choisi Linux ? Pr?sentation du Cybercaf? - Les deux serveurs (acc?s aux mondes Windows et Linux sur chaque poste) - Les services offerts au cybercaf? Les tarifs, l'organisation, les horaires 21h00 2?me partie plus technique adapt?e aux linuxiens Intervenants: C?dric Rochat, responsable Linux au Phare - Les ?tapes de l'installation du cybercaf? (migration progressive sur Linux) Mise en service du cybercaf? 
sous Windows 2K (ann?e 2000) (5 postes client) Migration des postes clients sur Debian GNU/Linux + installation du serveur Windows NT4 Terminal Server (f?vrier 2002) Installation du serveur Linux Pharenux (2003) (d?tails fonctionnement actuel du cybercafe) Machines client (d?tails) - Client DHCP - Serveur X local - Son en local pour certaines applications - Connexion XDMCP sur le serveur Pharenux Serveur Pharenux (d?tails) - Routage IP - Serveur Proxy + WebXense (Squid + SquidGuard) - Serveur DHCP (avec certaines adresses fix?es en fonction des adresses MAC) - Serveur DNS (Bind) - Serveur FTP (ProFTPd) - Miroir Debian (debian, debian-non-US, debian-security, debian-unofficial) - Serveur Web HTTP (Apache) - Serveur X (XDMCP) Maintenance cybercaf? (scripts) - Machines clientes - Serveur Pharenux A bient?t C?dric Rochat, Marc-Andr? Mojon From schaefer at alphanet.ch Thu Apr 24 18:22:20 2003 From: schaefer at alphanet.ch (Marc SCHAEFER) Date: Thu, 24 Apr 2003 18:22:20 +0200 Subject: [linux-leman-annonces] Adresse du Phare Message-ID: <20030424162220.GA6363@defian.alphanet.ch> Le Phare Grand-Rue 14 FLEURIER (Val de Travers / NE) 032 861 47 60 From schaefer at alphanet.ch Mon Apr 28 15:11:03 2003 From: schaefer at alphanet.ch (Marc SCHAEFER) Date: Mon, 28 Apr 2003 15:11:03 +0200 Subject: [linux-leman-annonces] Serveur WWW officiel du groupe linux-neuchatel Message-ID: <20030428131103.GA5403@defian.alphanet.ch> Bonjour, le serveur http://linux-neuchatel.eicn.ch/ contient d?s aujourd'hui des informations d?taill?es sur les activit?s du groupe linux-neuchatel. Consultez notamment notre agenda pour vous inscrire aux prochains cours: http://linux-neuchatel.eicn.ch/agenda.html Prochaine activit? Date: mardi 2003-05-20 D?but: 19h Lieu: CIN, Serri?res Th?me: Samba + ACL + LDAP Public: Administrateur syst?me Responsable: Martial PAUPE Entr?e: Libre Inscription: obligatoire Souligions que la direction de l'EICN (HES-SO) a accept? que le groupe linux-neuchatel soit h?berg? 
sur le serveur des radio-amateurs, branch? sur le r?seau EICN. From schaefer at alphanet.ch Tue Apr 29 18:24:02 2003 From: schaefer at alphanet.ch (Marc SCHAEFER) Date: Tue, 29 Apr 2003 18:24:02 +0200 Subject: [linux-leman-annonces] =?iso-8859-1?Q?R=E9sum?= =?iso-8859-1?Q?=E9?= SecurityFocus Newsletter #194 Message-ID: <20030429162402.GA1605@defian.alphanet.ch> Xinetd Rejected Connection Memory Leakage Denial Of Service Vulnerability BugTraq ID: 7382 Remote: Yes Date Published: Apr 18 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7382 Summary: Xinetd is intended as a secure replacement for inetd. It is designed for use with Linux and Unix variant operating environments. A denial of service vulnerability has been reported for Xinetd. The vulnerability exists due to memory leaks occuring when connections are rejected. This issue was reported to occur in the svc_request() function of the service.c source file where some allocated memory is not properly freed when a connection is rejected. An attacker can exploit this vulnerability by repeatedly connecting to a Xinetd server and having the connection rejected. This will result in a memory exhaustion issue that will result in a denial of service condition. This vulnerability was reported for Xinted prior to 2.3.11. Mod_NTLM Authorization Heap Overflow Vulnerability BugTraq ID: 7388 Remote: Yes Date Published: Apr 21 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7388 Summary: mod_ntlm is an Apache module, which implements NLTM authentication. It is available for Apache 2.0.x and 1.3.x on the Linux operating system. The mod_ntlm Apache module has been reported prone to a heap overflow vulnerability. The vulnerability is due to a lack of sufficient bounds checking performed on user-supplied data, stored in a 2048 byte buffer within heap memory. Specifically, an insecure 'vsprintf()' function call is made within the mod_ntlm 'log()' function. 
The call to 'vsprintf()' copies user-supplied authorization data without carrying out sufficient bounds checking. As a result, excessive data may be copied into the 2048 byte buffer, resulting in the corruption of sensitive memory management information. By modifying an adjacent malloc header to contain malicious values, it may be possible for an attacker to overwrite sensitive locations in memory when a subsequent call to free() is made. As a result, it may be possible for an attacker to execute arbitrary instructions, with the privileges of the Apache server. This vulnerability is reported to affect mod_ntlm v0.4 for Apache 1.3 and mod_ntlmv2 version 0.1 for Apache 2.0. Although unconfirmed, previous versions may also be affected. Mod_NTLM Authorization Format String Vulnerability BugTraq ID: 7393 Remote: Yes Date Published: Apr 21 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7393 Summary: mod_ntlm is an Apache module which implements NLTM authentication. It is available for Apache 2.0.x and 1.3.x on the Linux operating system. A format string vulnerability has been discovered in the mod_ntlm Apache module. The issue occurs when processing authorization information located in HTTP headers. The problem occurs in a call to ap_log_rerror(), by the log() function, without including format specifier arguments. As a result, it may be possible for a remote attacker to embed their own specifiers within authorization data. This may allow for an attacker to write to sensitive locations in memory. It should be noted that the exploitability of this issue to execute arbitrary code may be hindered by various system specific limitations. As a result, exploitation may only result in a denial of service. This vulnerability was reported in mod_ntlm <= 0.4 and mod_ntlm2 0.1. 
MIME-Support Package Insecure Temporary File Creation Vulnerability BugTraq ID: 7403 Remote: No Date Published: Apr 22 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7403 Summary: The mime-support package contains a variety of MIME applications and tools. It is available for the Linux operating system. A vulnerability has been discovered in the run-mailcap application included with mime-support. The problem occurs due to invalid sanity checks when creating temporary files. By populating the /tmp directory with symbolic links which point to sensitive system files, it may be possible for an unprivileged user to corrupt arbitrary files. As a result, an unprivileged user may be capable of rendering a target system unusable or possibly gain elevated privileges. This vulnerability affects run-mailcap included in mime-support verison 3.21 and earlier. SAP Database Development Tools INSTDBMSRV INSTROOT Environment Variable Vulnerability BugTraq ID: 7407 Remote: No Date Published: Apr 22 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7407 Summary: SAP DB is a free database software package for Unix, Linux, and Microsoft Operating Systems. It has been reported that a vulnerability exists in the SAP Database program instdbmsrv. Because of this, a local attacker may be able to gain elevated privileges. The problem is in the handling of input from untrusted sources. When executed, the instdbmsrv program checks the INSTROOT environment variable for the location of the pgm/dbmsrv program. The permissions of the dbmsrv program are changed to give the program setuid root privileges when the instdbmsrv is executed. An attacker could modify the INSTROOT environment variable locally to point to an arbitrary directory. When the instdbmsrv program is executed, an attacker-supplied version of the dbmsrv program would be changed to setuid root. This could result in an attacker gaining local administrative privileges. 
SAP Database Development Tools INSTLSERVER INSTROOT Environment Variable Vulnerability BugTraq ID: 7408 Remote: No Date Published: Apr 22 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7408 Summary: SAP DB is a free database software package for Unix, Linux, and Microsoft Operating Systems. It has been reported that a vulnerability exists in the SAP Database program instlserver. Because of this, a local attacker may be able to gain elevated privileges. The problem is in the handling of input from untrusted sources. When executed, the instlserver program checks the INSTROOT environment variable for the location of the pgm/lserver program. The permissions of the lserver program are changed to give the program setuid root privileges when the instlserver is executed. An attacker could modify the INSTROOT environment variable locally to point to an arbitrary directory. When the instlserver program is executed, an attacker-supplied version of the lserver program would be changed to setuid root. This could result in an attacker gaining local administrative privileges. [ un anti-virus propri?taire pour Linux semble ?tre attaquable ]
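As an added illustration of the two mod_ntlm log() flaws in the #194 summary above (BIDs 7388 and 7393), and not code from mod_ntlm, Apache or SecurityFocus: the flawed pattern is reproduced in a comment, and beside it a bounded logging helper that formats with vsnprintf() into a fixed 2048-byte buffer and hands the text to the logger behind a constant "%s" format. The function names, the sink_logf() stand-in for ap_log_rerror() and the sample header values are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not mod_ntlm code; LOG_BUF_SIZE mirrors the
 * 2048-byte heap buffer described in BID 7388. */
#define LOG_BUF_SIZE 2048
/* Stand-in for ap_log_rerror(): like the real logger, it interprets its
 * first argument as a printf-style format, so that must never be user text. */
static void sink_logf(const char *fmt, ...)
{
    char line[LOG_BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(line, sizeof line, fmt, ap);
    va_end(ap);
    (void)line;   /* a real logger would write the line out */
}

/* The flawed log() pattern from BIDs 7388/7393, shown for contrast only:
 *     char *buf = malloc(LOG_BUF_SIZE);
 *     vsprintf(buf, fmt, ap);    // unbounded write: heap overflow
 *     ap_log_rerror(..., buf);   // buf used as the format string     */

/* Bounded replacement: vsnprintf() stays within dstsz and always
 * NUL-terminates, the text reaches the logger only as an argument behind
 * a constant "%s", and the return value is the length the full line would
 * have needed, so the caller can detect truncation instead of corruption. */
int safe_log_line(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap; int needed;
    va_start(ap, fmt);
    needed = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    if (needed < 0) { dst[0] = '\0'; return -1; }
    sink_logf("%s", dst);   /* user text is data here, never the format */
    return needed;
}

/* Caller-side pattern: log a raw Authorization header value (constructed
 * input). Returns 1 if the line did not fit in dst, otherwise 0. */
int log_authorization(const char *header, char *dst, size_t dstsz)
{
    int needed = safe_log_line(dst, dstsz, "NTLM authorization data: %s", header);
    return needed >= (int)dstsz;
}

int main(void)
{
    char *buf = malloc(LOG_BUF_SIZE), big[3000];
    if (buf == NULL) return 1;
    memset(big, 'A', sizeof big - 1); big[sizeof big - 1] = '\0';
    printf("oversized header truncated: %d\n", log_authorization(big, buf, LOG_BUF_SIZE));
    log_authorization("%x%n", buf, LOG_BUF_SIZE);
    printf("format characters kept literal: %d\n", strstr(buf, "%x%n") != NULL);
    free(buf);
    return 0;
}
```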
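The three insecure temporary file advisories on this page (LPRng psbanner, gs-common ps2epsi and mime-support run-mailcap) share one root cause, so one added example serves all three; it is not code from any of those packages. It shows a symlink-safe way to create a scratch file in C, with a constructed scenario in which a link planted at a predictable name is refused and its target left intact. The paths, function names and the /tmp location are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed example, not LPRng, gs-common or mime-support code. The
 * flaw behind those advisories: opening a predictable /tmp name with
 * O_CREAT but no O_EXCL, so a planted symlink is followed and its target
 * overwritten with the tool's privileges. Two safer forms follow. */
/* Form 1, for a fixed path that may already be planted: never follow a
 * link, never reuse an existing file, then verify with fstat(). Returns an
 * fd or -1. */
int open_tmp_exclusive(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid()) { close(fd); return -1; }
    return fd;
}

/* Form 2, preferred for scratch files: mkstemp() picks an unpredictable
 * name and creates it atomically with mode 0600; `out` receives the path. */
int create_scratch_file(const char *dir, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s/scratch.XXXXXX", dir);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return mkstemp(out);
}

/* Demonstration: a symlink is planted at the predictable name, pointing at
 * a file that must not be clobbered. Returns 1 when the hardened open
 * refuses the link, the target survives and mkstemp() yields a fresh file. */
int symlink_attack_is_refused(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    char target[256], planted[256], scratch[256];
    struct stat st;
    int fd, ok = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/important", dir);
    snprintf(planted, sizeof planted, "%s/predictable.tmp", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && write(fd, "keep", 4) == 4 && close(fd) == 0 &&
        symlink(target, planted) == 0 &&
        open_tmp_exclusive(planted) < 0 &&           /* EEXIST: link refused */
        stat(target, &st) == 0 && st.st_size == 4)   /* target untouched */
        ok = 1;
    fd = create_scratch_file(dir, scratch, sizeof scratch);
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {
        close(fd); unlink(scratch);
    } else ok = 0;
    unlink(planted); unlink(target); rmdir(dir);
    return ok;
}
int main(void) { return symlink_attack_is_refused() == 1 ? 0 : 1; }
```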