From webmaster at linux-gull.ch Sun Oct 5 15:11:02 2003
From: webmaster at linux-gull.ch (Erik Rossen)
Date: Sun Oct 5 15:11:02 2003
Subject: [gull-annonces] Debian bug-squashing party, Sunday 9 November
Message-ID: <20031005131042.GY4964@freesurf.ch>

Debian bug-squashing party, Sunday 9 November

To celebrate the 10th anniversary of the Debian GNU/Linux distribution, the GULL is organising a bug-squashing party that will be open to members and non-members alike. Not all the details have been settled yet, but here is the programme.

1. We lock 10 to 40 volunteers in a large room of the Nimag building in Ecublens (http://www.nimag.net/contact/map.php).
2. The volunteers will have everything they need to work at their disposal: computers, bandwidth (wireless included), electricity, pizza and beer.
3. The volunteers will have to fix bugs listed in the Debian Bug-Tracking System (BTS), available at http://bugs.debian.org, from 12:00 to 20:00.
4. A bug counts as fixed once a solution has been found, verified by another volunteer, and an email has been sent to the package maintainer.

The GULL will pay for the food and drinks of every volunteer who fixes at least one bug (even a small one). The others will have to pay out of their own pocket, or do the tidying up. Unless we tie a rock to their leg before throwing them in the lake.

There will be presentations of various techniques used to eradicate bugs:

* How to use the BTS and the reportbug program
* Building a test system (stable, testing or unstable) in a subdirectory with debootstrap
* How to use diff, patch, strace and gdb
* And more besides

IF YOU ARE INTERESTED: please send an email to gull-org at lists.alphanet.ch with the following information:

* Who you are
* Whether you are bringing a laptop with a network card
* Which bugs you want to fix, or which package you want to work on (if you already have an idea)
* Whether you want to give a presentation or help with the organisation
* Any idea that comes to mind to make the party more fun or more effective

--
Erik Rossen
webmaster at linux-gull.ch
http://www.linux-gull.ch
OpenPGP key: 2935D0B9

From schaefer at alphanet.ch Tue Oct 7 13:11:01 2003
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Tue Oct 7 13:11:01 2003
Subject: [gull-annonces] Summary: SecurityFocus Newsletter #217
Message-ID: <20031007105508.GB3017@defian.alphanet.ch>

SMC Router Random UDP Packet Denial Of Service Vulnerability
BugTraq ID: 8711
Remote: Yes
Date Published: Sep 26 2003
Relevant URL: http://www.securityfocus.com/bid/8711
Summary:
The SMC SMC2404WBR Barricade(TM) Turbo 11/22 Mbps Wireless Cable/DSL Broadband Router is routing hardware that is intended to be deployed in home or small office networks.

A denial of service has been reported in the SMC SMC2404WBR Barricade(TM) Turbo 11/22 Mbps Wireless Cable/DSL Broadband Router. It is possible to trigger this condition by sending UDP packets randomly to ports 0-65000. The impact of the issue seems to vary: sometimes the router will need a "soft reset" to regain normal functionality and sometimes a "hard reset" will be required. The time it takes for the router to recover after being reset may also vary. In any of these cases, the availability of a network that depends on the router will be denied to legitimate users.

This condition was reportedly reproduced using one of the exploits for BID 8525.
The SMC7004VWBR router is also affected by this vulnerability. SMC7004VWBR firmwares are reportedly affected even when security features such as Stateful Packet Inspection, Anti-DoS and UDP sessions are enabled. This may also be the case with other routers.

[ hardware ]

Webfs HTTP Server Information Disclosure Vulnerability
BugTraq ID: 8724
Remote: Yes
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8724
Summary:
WebFS is a simple web server that serves static content. It is available for Linux and Unix variant operating environments.

An information disclosure vulnerability has been discovered in the Webfs HTTP server. The problem occurs due to insufficient sanitization of user-supplied hostnames when accessing virtual hosts. Specifically, placing dot-dot (..) sequences within a requested hostname can effectively trigger this issue. An attacker exploiting this issue may be capable of viewing the contents of directories and files outside of the established web root.

This issue may only exist if the server has been configured to use virtual hosting.

Apache2 MOD_CGI STDERR Denial Of Service Vulnerability
BugTraq ID: 8725
Remote: No
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8725
Summary:
Apache HTTP Server is an open-source web server designed to run on a number of different platforms.

Apache2 has been reported prone to a denial-of-service vulnerability. The issue has been reported to present itself when a CGI script outputs 4k or more of data to STDERR. If this condition occurs, the execution of the script will reportedly pause indefinitely due to a locked write() call in mod_cgi. Because Apache2 is waiting for further input from the malicious CGI application, the httpd process may hang. When the maximum connection limit is reached, Apache will no longer service requests, effectively denying service to legitimate users.

This issue has been reported to affect Apache 2.0.47.
Previous versions may also be affected.

WebFS Long Pathname Buffer Overrun Vulnerability
BugTraq ID: 8726
Remote: Yes
Date Published: Sep 29 2003
Relevant URL: http://www.securityfocus.com/bid/8726
Summary:
WebFS is a simple web server that serves static content. It is available for Linux and Unix variant operating environments.

It has been discovered that WebFS is prone to a buffer overrun vulnerability when handling path names of excessive length. As a result, an attacker may be capable of triggering the condition and overwriting sensitive memory with malicious data. This could ultimately allow for the execution of arbitrary code with the privileges of the WebFS HTTP server.

It should be noted that for this condition to occur, an attacker must have the ability to create directories on the affected system. This may be accomplished by obtaining legitimate credentials which allow for such access, or possibly through the exploitation of another unrelated vulnerability such as that described in BID 8724.

OpenSSL ASN.1 Parsing Vulnerabilities
BugTraq ID: 8732
Remote: Yes
Date Published: Sep 30 2003
Relevant URL: http://www.securityfocus.com/bid/8732
Summary:
Multiple vulnerabilities were reported in the ASN.1 parsing code in OpenSSL. OpenSSL does not directly implement ASN.1 but does use ASN.1 objects in X.509 certificates and various other cryptographic elements. The following issues were reported:

Two flaws in the ASN.1 parser could lead to denial of service attacks. The first bug may be exploited to cause an out of bounds read operation to occur, most likely resulting in a denial of service. This can be triggered by a malformed or unusual ASN.1 tag value. The second of the described bugs occurs if an application is configured to ignore public key decode errors (specifically the X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY error). This is reportedly not a common configuration in production setups but some applications may ignore decode errors for debugging reasons.
As a result, the impact and exposure will vary depending on the targeted application, and some applications may be more vulnerable to attacks than others. Remote attackers can exploit this issue with a maliciously crafted SSL client certificate. CAN-2003-0543 and CAN-2003-0544 correspond to these two denial of service issues. The issues are reported to exist in SSLeay and OpenSSL versions prior to 0.9.7c or 0.9.6k.

Another vulnerability related to ASN.1 parsing was reported in OpenSSL 0.9.7. ASN.1 encodings that are rejected by the parser due to being invalid may potentially trigger a memory management error. In particular, a double free may result due to an ASN.1 structure (ASN1_TYPE) being deallocated incorrectly. This reportedly could be leveraged to corrupt stack memory. In this manner, sensitive stack variables such as instruction pointers could be overwritten with attacker-supplied values. The issue could be exploited by remote attackers via a maliciously crafted SSL client certificate. This issue has been assigned CVE name CAN-2003-0545.

An additional weakness was reported that may aid in exploitation of these issues. In some circumstances, a client may force a server to parse a client certificate when one has not been specifically requested. This could even occur with server implementations that don't enable client authentication.

Any applications which use the OpenSSL ASN.1 library to handle external data may present an attack vector for these vulnerabilities. These issues are pending further analysis and will be separated into individual BIDs when analysis is complete.

OpenSSL SSLv2 Client_Master_Key Remote Denial Of Service Vul...
BugTraq ID: 8746
Remote: Yes
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8746
Summary:
OpenSSL is an open source implementation of the SSL protocol.

OpenSSL SSLv2 has been reported prone to a remotely triggered denial of service when processing a specially crafted malicious CLIENT_MASTER_KEY message.
It has been reported that a remote attacker may use a maliciously crafted CLIENT_MASTER_KEY message to influence the execution flow of a vulnerable service implementing SSLv2 into a die() procedure. This will effectively cause the affected process to abort, denying service to legitimate users. An attacker may flood an affected service with malicious CLIENT_MASTER_KEY messages, persistently denying service for legitimate users. Other attacks may also be possible.

The impact and exposure may vary depending on the particular applications that use vulnerable OpenSSL libraries.

This vulnerability is not reported to be present in OpenSSL versions greater than 0.9.6f of the 0.9.6 series of releases, because the use of the die() procedure is no longer implemented. It is not known whether the 0.9.7 series is also affected.

FreeBSD Kernel ProcFS Handler UIO_Offset Integer Overflow Vu...
BugTraq ID: 8748
Remote: No
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8748
Summary:
All versions of the FreeBSD kernel have been reported prone to an integer overflow vulnerability. The issue presents itself in the procfs handling procedures, and has been reported to be due to a lack of sufficient sanity checks performed on 'uio' offset parameters.

It has been reported that a local attacker may exploit this condition because it is possible to indirectly influence the value for the 'uio' offset. Ultimately an attacker may trigger an integer overflow or underflow condition. This may result in a read attempt from non-resident kernel memory, triggering a kernel panic and effectively denying service to legitimate users. A local attacker may also exploit this issue to disclose potentially sensitive data stored in regions of memory that would otherwise be restricted.

This issue has been reported to be exploitable on systems that have procfs enabled.
FreeBSD Kernel Readv() Integer Overflow Vulnerability
BugTraq ID: 8749
Remote: No
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8749
Summary:
A local vulnerability has been discovered within the FreeBSD kernel. The problem occurs within the readv() system call, which is used to read data and scatter it into an arbitrary number of buffers specified by an argument.

When a file is accessed by a system call in FreeBSD, such as open() or dup2(), the reference counter (f_count) for that file is incremented using the fhold() function, and when access is complete the counter is decremented by fdrop(). It has been discovered that the readv() system call fails to call the fdrop() function after a specific procedure had previously triggered a call to fhold(). As a result, by triggering a large number of calls to fhold() in a call to readv(), it may be possible to cause the f_count integer value to wrap.

It has been reported that this integer overflow can be triggered by supplying an overly large iovcnt variable in a call to readv(). As a result, an attacker may potentially be capable of triggering kernel memory corruption. This could ultimately result in a system panic or could possibly be leveraged to elevate local privileges to those of the root user.

FortiGate Firewall Web Filter Logs HTML Injection Vulnerabil...
BugTraq ID: 8750
Remote: Yes
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8750
Summary:
FortiGate is a series of commercial firewall appliances which run an embedded operating system entitled FortiOS.

The FortiGate web interface is prone to an HTML injection vulnerability. Denied requests are logged into a web filter log which is viewable through the web administrative interface. HTML and script code will not be sanitized when these requests are logged. To exploit this issue, the attacker must construct a request for a resource that will be denied by the firewall, based on the defined policies of the targeted firewall.
Malicious code could then be embedded in the request, which will be logged as part of the request. An attacker could exploit this to cause hostile code to be rendered in the browser of an administrative user who views the logs. This could result in theft of cookie-based authentication credentials from the firewall administrator, potentially allowing for firewall compromise. Since the attacker can control how the logs will be rendered to the administrator, it is also possible to spoof or conceal log entries.

This issue reportedly exists in FortiOS releases prior to 2.50MR4.

[ hardware ]

Inter7 VPopMail Configuration File Insecure Default Permissi...
BugTraq ID: 8751
Remote: No
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8751
Summary:
vpopmail is a freely available, open source virtual domain handling software package. It is available for the Unix and Linux operating systems.

A problem has been identified in the default configuration of vpopmail. Because of this, an attacker may be able to gain access to potentially sensitive information.

The problem is in the creation of the configuration file. When vpopmail is compiled with MySQL support, authentication data is stored in the /etc/vpopmail.conf file. This file is created with world-readable permissions, which may reveal sensitive information such as authentication credentials for the database. An attacker could use these credentials to potentially gain access to the database as the vpopmail database user.

This problem has been reported on Gentoo Linux, but may affect other operating systems.

From schaefer at alphanet.ch Sun Oct 12 12:41:03 2003
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Sun Oct 12 12:41:03 2003
Subject: [gull-annonces] New search engine for the mailing lists
Message-ID: <20031012103123.GA2579@defian.alphanet.ch>

Hello,

I have reactivated searching of the gull, gull-org, gull-annonces, linux-neuchatel and gull-commercial lists via search.alphanet.ch.
The archives go back to 1999 and will be updated every day.

Direct links:

http://search.alphanet.ch/cgi-bin/search.cgi?domain=ml-linux-neuchatel
http://search.alphanet.ch/cgi-bin/search.cgi?domain=ml-gull
http://search.alphanet.ch/cgi-bin/search.cgi?domain=ml-gull-org
http://search.alphanet.ch/cgi-bin/search.cgi?domain=ml-gull-annonces
http://search.alphanet.ch/cgi-bin/search.cgi?domain=ml-gull-commercial

I took the opportunity to add a filter for MIME and non-ISO-8859-1 content, which renders everything as text so that searches and display come out correctly.

Please see http://search.alphanet.ch/ for the access conditions.

The search system is very fast but very simplified: it can sometimes be counter-intuitive. I will simply mention that it also offers a fairly powerful threading mode. There is documentation in English at: http://search.alphanet.ch/search-engine.html

If someone wants to write a short manual in French, with my support, they are welcome.

The Mailman pipermail interface (http://lists.alphanet.ch/pipermail/gull) remains available unchanged (bugs included).

From schaefer at alphanet.ch Wed Oct 15 09:11:02 2003
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Wed Oct 15 09:11:02 2003
Subject: [gull-annonces] Summary: SecurityFocus Newsletter #218
Message-ID: <20031015062053.GB2291@defian.alphanet.ch>

It should be noted that only the k8, k9, and k91 images for Catalyst 6500 series switches and 7200 series Routers of the 12.2SX and 12.2SY release trains are affected.

Cisco CatOS Password Prompt Unauthorized Remote Command Exec...
BugTraq ID: 8752
Remote: Yes
Date Published: Oct 03 2003
Relevant URL: http://www.securityfocus.com/bid/8752
Summary:
It has been alleged that it is possible for remote attackers to execute arbitrary commands without proper authorization. Reportedly it is possible to execute shell commands from the password prompt on a device running a vulnerable version of CatOS. The attacker must be able to connect to a vulnerable device via telnet, though it has not been ruled out that other remote administrative services such as SSH also present attack vectors.

The discoverer of this vulnerability has stated that it is possible to exploit this issue by submitting a shell command to the password prompt, followed by a space and a question mark.

Symantec has not been able to confirm the existence of the vulnerability, which is of a very serious nature. However, the author of the report insists that the issue is legitimate. This BID will be updated or retired based on any follow-up information that becomes available.

This issue has been reported in CatOS versions 5.4(2) and 5.5(2) on Cisco Catalyst 6509 switches. Other devices and CatOS versions may also be similarly affected.

Cisco has replied to this issue stating that it cannot be used to execute commands, retrieve information from the device, or reveal information about traffic processed by the device.
Details are available to registered Cisco users at:
http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdr87435

Since this issue cannot be exploited to compromise any security properties on the device, this BID will be retired.

[ hardware ]

Cisco PIX ICMP Echo Request Network Address Translation Pool...
BugTraq ID: 8754
Remote: Yes
Date Published: Oct 03 2003
Relevant URL: http://www.securityfocus.com/bid/8754
Summary:
A problem has been reported in Cisco PIX network firewalls when global IP address pools are exposed to ICMP traffic. This may result in a denial of service to network resources.

The problem is in the handling of ICMP echo requests. When a pool of addresses is dedicated to the task of network address translation, the Cisco PIX behaviour dictates that traffic received for a specific address means that the address is in use. However, ICMP echo traffic floods for addresses in the Network Address Translation (NAT) pool keep the addresses in an active state, whether or not the addresses are actually in use. Because of this, it is possible for a remote system to flood the host with requests for addresses in the pool, exhausting the pool of NAT addresses and preventing traffic from crossing the PIX to external points.

[ hardware ]

Cisco LEAP Password Disclosure Weakness
BugTraq ID: 8755
Remote: Yes
Date Published: Oct 03 2003
Relevant URL: http://www.securityfocus.com/bid/8755
Summary:
Cisco LEAP is a mutual authentication algorithm based on the Extensible Authentication Protocol (EAP). LEAP is used with wireless networks and relies on the user's logon password for authentication.

Weaknesses in the Cisco LEAP protocol have been reported to exist in the software that may allow a remote attacker to gain access to user passwords shared by the client and the network. This problem may allow an attacker to brute force user passwords by employing dictionary attacks.
Successful exploitation of this weakness may allow a remote attacker to steal authentication information, potentially allowing for unauthorized network access.

[ hardware ]

Sun Cobalt RaQ Message.CGI Cross-Site Scripting Vulnerabilit...
BugTraq ID: 8757
Remote: Yes
Date Published: Oct 03 2003
Relevant URL: http://www.securityfocus.com/bid/8757
Summary:
RaQ is a server appliance originally developed by Cobalt. It is now distributed and maintained by Sun Microsystems.

A problem with the message.cgi script used by Cobalt RaQ appliances could lead to cross-site scripting. This could result in attacks attempting to steal authentication information.

The problem is in the handling of input by the message.cgi script. Due to insufficient sanitizing of input, it is possible to render arbitrary script code through the vulnerable script on Cobalt RaQ systems. The attacker must pass the malicious input through the info variable.

[ hardware ]

Conectiva Vixie-Cron Package Potential Denial Of Service Vul...
BugTraq ID: 8759
Remote: No
Date Published: Oct 03 2003
Relevant URL: http://www.securityfocus.com/bid/8759
Summary:
Vixie cron is an implementation of the popular UNIX program that runs user-specified programs at periodic scheduled times.

The Conectiva Vixie-Cron package has been reported prone to a potential denial of service vulnerability. The issue was introduced in a previous Vixie-Cron package update that was designed to address the vulnerability described in BID 2687. This package was found to introduce a problem when using cron.allow and cron.deny to control access to the crontab application. It has been reported that if these files contain more than one user, the crontab program will fail.

A local attacker who has the ability to write data into the cron.allow and cron.deny files may instigate an efficient denial of service against the crontab program.
Conectiva has addressed this issue by releasing an updated package; all users are advised to apply the applicable packages as soon as possible.

Netscreen ScreenOS DHCP Packet Buffer Padding Information Le...
BugTraq ID: 8762
Remote: Yes
Date Published: Oct 03 2003
Relevant URL: http://www.securityfocus.com/bid/8762
Summary:
NetScreen is a line of Internet security appliances integrating firewall, VPN and traffic management features. ScreenOS is the software used to manage and configure the firewall. NetScreen supports Microsoft Windows 95, 98, ME, NT and 2000 clients.

A vulnerability has been discovered in Netscreen ScreenOS when the associated device is acting as a DHCP server. Appliances that are not hosting DHCP services are not affected by this issue.

The problem lies specifically in the fact that the application fails to re-initialize or zero out a specific memory buffer prior to using the memory to generate DHCP response packets. It has been discovered that this buffer may have previously been used to store HTTP management session information. An attacker could exploit this issue by making a DHCP request and recording the sensitive data located within the packet. This could ultimately expose encoded authentication credentials to the attacker that could be used to launch further attacks against the appliance.

[ hardware ]

Conexant AccessRunner DSL Console Authentication Bypass Vuln...
BugTraq ID: 8765
Remote: Unknown
Date Published: Oct 04 2003
Relevant URL: http://www.securityfocus.com/bid/8765
Summary:
The Conexant AccessRunner DSL Console is the interface for administering and configuring the DSL device.

The Conexant AccessRunner DSL Console is vulnerable to an authentication bypass issue. Reportedly, when the device prompts a user for a password, an attacker can bypass the authentication by simply entering an invalid password.
When the screen displaying the incorrect password message is displayed, the attacker simply has to press the 'Enter' key to gain access to the console.

** The discoverer of this issue has reported that it may not be present in some devices. There is currently no known reason why some devices are vulnerable while others are not. This record will be updated if and when further details become available.

[ hardware ]

JBoss HSQLDB Remote Command Injection Vulnerability
BugTraq ID: 8773
Remote: Yes
Date Published: Oct 06 2003
Relevant URL: http://www.securityfocus.com/bid/8773
Summary:
JBoss is a freely available, open source Java application server. It is distributed and maintained by JBoss Group and is available for a number of platforms including Microsoft Windows and Unix/Linux variants.

A remote command injection vulnerability has been reported in JBoss. The issue is reportedly exposed via the HSQLDB component, which is a SQL database server that manages JMS connections. A number of unspecified flaws cause this condition, including programming errors in the sun.* classes, logic errors in the org.apache.* classes of the JDK and the default configuration settings. As a result, it is possible to pass commands to the HSQLDB component via the port it listens on. It should be noted that the port may vary between versions; by default it is 1701/TCP for version 3.2.1 and 1476/TCP for 3.0.8.

It has been reported that this issue could be exploited to mount a number of attacks, including execution of database commands, denial of service attacks, log manipulation, information disclosure and execution of operating system commands on some supported platforms. This issue is reported to exist with JBoss 3.2.1/3.0.8 on any Java 1.4.x-enabled platform. Other versions may be similarly affected.
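The NetScreen DHCP item above (BID 8762) comes down to one defect: a packet buffer that held management-session data is reused for a DHCP reply without being cleared, so the bytes the reply does not overwrite go out as "padding". The following is an added example, not ScreenOS code and not part of the newsletter. It uses a constructed shared buffer, shows the vulnerable build beside the hardened one, and gives a check a defender can run on outgoing replies. The buffer sizes, the session string, the payload bytes and the function names are all constructed.

```c
/* Added example (not from the advisory or ScreenOS): why a reused packet
 * buffer must be zeroed before it is filled.  build_reply_unsafe() mirrors the
 * pattern described for BID 8762; build_reply_safe() is the hardened version. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define REPLY_SIZE 64      /* constructed: size of the fixed-length reply */
#define PAYLOAD_MAX 16     /* constructed: bytes the reply actually needs */

/* One static buffer shared by every subsystem, as in the description:
 * the management path wrote to it earlier, the DHCP path reuses it. */
static uint8_t shared_buf[REPLY_SIZE];

/* Simulates the HTTP management path leaving session data behind (constructed).
 * strncpy pads the rest of the buffer with zeros, so everything non-zero
 * after the payload is exactly the leftover session string. */
void leave_session_data(const char *session)
{
    strncpy((char *)shared_buf, session, REPLY_SIZE);
}

/* Vulnerable pattern: only the bytes the reply needs are written; whatever
 * followed them in the buffer goes out on the wire as "padding". */
const uint8_t *build_reply_unsafe(const uint8_t *payload, size_t len)
{
    if (len > PAYLOAD_MAX) len = PAYLOAD_MAX;
    memcpy(shared_buf, payload, len);
    return shared_buf;
}

/* Hardened: clear the whole buffer first so padding is deterministic zeros. */
const uint8_t *build_reply_safe(const uint8_t *payload, size_t len)
{
    memset(shared_buf, 0, REPLY_SIZE);
    if (len > PAYLOAD_MAX) len = PAYLOAD_MAX;
    memcpy(shared_buf, payload, len);
    return shared_buf;
}

/* Defender's check: count non-zero bytes beyond the payload.  A non-zero
 * count in an outgoing reply is the symptom to look for in a capture. */
size_t leaked_bytes(const uint8_t *reply, size_t payload_len)
{
    size_t n = 0;
    for (size_t i = payload_len; i < REPLY_SIZE; i++)
        if (reply[i] != 0) n++;
    return n;
}

int main(void)
{
    /* constructed DHCP-like header bytes and a constructed session token */
    const uint8_t payload[4] = {0x02, 0x01, 0x06, 0x00};
    const char *session = "sid=QWxhZGRpbjpvcGVuc2VzYW1l";

    leave_session_data(session);
    printf("unsafe reply leaks %zu bytes of padding\n",
           leaked_bytes(build_reply_unsafe(payload, sizeof payload), sizeof payload));

    leave_session_data(session);
    printf("safe reply leaks %zu bytes of padding\n",
           leaked_bytes(build_reply_safe(payload, sizeof payload), sizeof payload));
    return 0;
}
```

The same check applies to any fixed-size protocol reply built in a reused buffer: compare the bytes past the meaningful length against zero, and treat anything else as a leak to investigate.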
The consequences may vary depending on the capabilities of the underlying operating system, but it is believed that this could be exploited to execute arbitrary operating system commands on Windows 2000 and XP systems.

SuSE Linux SuSEWM Configuration File Insecure Temporary File...
BugTraq ID: 8778
Remote: No
Date Published: Oct 06 2003
Relevant URL: http://www.securityfocus.com/bid/8778
Summary:
SuSEConfig is a component of the SuSE Linux operating system. It is designed to be a standardized configuration tool for SuSE operating systems.

A problem exists in the SuSEWM configuration file used by SuSEConfig. Because of this, it may be possible for a local attacker to gain elevated privileges.

The problem is in the handling of temporary files. When the configuration file is executed by SuSEConfig, the predictable temporary file /tmp/susewm.$$ is created, where $$ signifies an arbitrary value. Improper file creation checks make it possible for an attacker to symbolically link a predicted file name to a sensitive system file. Upon execution of SuSEConfig, the contents of the file at the end of the symbolic link will be modified.

The reported impact is privilege escalation, though the method through which this is gained is unclear. This BID will be further updated as more information becomes available.

SuSE Linux JavaRunt Configuration File Insecure Temporary Fi...
BugTraq ID: 8779
Remote: No
Date Published: Oct 06 2003
Relevant URL: http://www.securityfocus.com/bid/8779
Summary:
SuSEConfig is a component of the SuSE Linux operating system. It is designed to be a standardized configuration tool for SuSE operating systems.

A problem exists in the JavaRunt configuration file used by SuSEConfig. Because of this, it may be possible for a local attacker to gain elevated privileges.

The problem is in the handling of temporary files. When the configuration file is executed by SuSEConfig, the predictable temporary file /tmp/.java_wrapper is created.
Improper file creation checks make it possible for an attacker to symbolically link the predicted file name to a sensitive system file. Upon execution of SuSEConfig, the contents of the file at the end of the symbolic link will be corrupted, potentially with attacker-supplied data. Exploitation could permit privilege escalation.

The reported impact is privilege escalation, though the method through which this is gained is unclear. This BID will be further updated as more information becomes available.

SLocate User-Supplied Database Heap Overflow Vulnerability
BugTraq ID: 8780
Remote: No
Date Published: Oct 06 2003
Relevant URL: http://www.securityfocus.com/bid/8780
Summary:
slocate is the Secure Locate program. It is available for various UNIX and Linux operating systems, and is maintained by public domain.

It has been reported that a vulnerability exists in the handling of user-supplied databases by slocate. Because of this, an attacker may be able to gain elevated privileges.

The problem is a heap-based off-by-one condition. Because of this, it is possible for an attacker to potentially overwrite memory management structures with attacker-supplied values. This could allow an attacker to execute code with the privileges of the slocate program, typically installed with setgid privileges of the slocate group.

This problem may be related to the issue identified in Bugtraq ID 7629.

From ysagon at hasa.ch Wed Oct 15 15:04:01 2003
From: ysagon at hasa.ch (Yann Sagon)
Date: Wed Oct 15 15:04:01 2003
Subject: [gull-annonces] [GULL][COURS][ANNONCE] Active-DVI - free presentation software
Message-ID: <200310151502.01182.ysagon@hasa.ch>

Course 24 - Active-DVI - free presentation software

By: José Manuel Nunes

Description:
Active DVI
Active-DVI is a DVI file viewer and a programmable presenter for talks written in LaTeX.
Audience: Those who occasionally need to give presentations, LaTeX enthusiasts and Objective Caml enthusiasts.
Venue: Grenier Bernois in Morges (address and map at http://www.linux-gull.ch/pv/images/AG2003plan.jpg)
Time: Thursday 30 October 2003, 19:30 to 22:00
Course material: Not yet available
Registration: http://www.linux-gull.ch/cours/index.html#24
Fees: Free for GULL members, 50.- for non-members

--
Yann Sagon

From schaefer at alphanet.ch Mon Oct 20 11:21:02 2003
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Mon Oct 20 11:21:02 2003
Subject: [gull-annonces] 10.11.2003: Linux and free software in public administration
Message-ID: <20031020091135.GA2588@defian.alphanet.ch>

Linux and free software in public administration, a /ch/open conference in German.

Dear members and interested parties,

We would like to invite you to take part in our next event on "Linux and free software in public administration":

10.11.03, Technopark Zuerich, Room Cobol
16.30 - approx. 18.30: talk

Following the talk, you are invited to an apéro.

Linux and free software in public administration
=======================================================

Speaker:
---------
Thomas Schwaller, IBM Deutschland GmbH

Abstract:
---------
Linux in public administration is a hotly debated topic, as the City of Munich's decision in favour of Linux shows. This talk presents some current projects and the resulting migration guide of the German Federal Ministry of the Interior, and discusses the Common Criteria security certification for Linux, which matters to public authorities. Finally, various free and proprietary groupware solutions under Linux that can serve as an Exchange replacement are presented.

Bio:
----
Tom Schwaller studied mathematics and theoretical physics at the Swiss Federal Institute of Technology (ETH) in Zürich.
After his studies he worked as a research assistant at the University of Augsburg and then took part in various research projects in the field of high performance computing at TU München. In early 1996 he became editor-in-chief of the German-language Linux-Magazin and site manager of the Linux portal www.linux-community.de. In June 2001 he moved to IBM Deutschland GmbH, where, as a Linux IT Architect, he advises customers on adopting Linux.

We look forward to receiving your registration at .

Kind regards
Ursula Burri

From rossen at linux-gull.ch Tue Oct 21 16:00:02 2003
From: rossen at linux-gull.ch (Erik Rossen)
Date: Tue Oct 21 16:00:02 2003
Subject: [gull-annonces] Debian bug-squashing party: the list of participants (updated 21 October 2003)
Message-ID: <20031021135911.GN4096@freesurf.ch>

I have just updated the organization page for the Debian bug-squashing party at http://www.linux-gull.ch/manif/bugsquash2003.html. There is now a list of everyone who has said they want to take part. Please let me know of any changes to be made.

I am still waiting for confirmations from the half-dozen people who expressed interest on the evening of the Unix II course, as well as confirmations from the members of the GULL committee (yes, you too!).

Note: we have received many offers of hardware support - enough to equip a computer research centre. Be aware that the best thing is to come with a laptop (or something not too bulky) so that we don't blow all the fuses at Nimag.

--
Erik Rossen
rossen at linux-gull.ch
Tel: (41 22) 362 45 08
http://www.linux-gull.ch
OpenPGP key: 2935D0B9
From schaefer at alphanet.ch Thu Oct 23 18:11:02 2003
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Thu Oct 23 18:11:02 2003
Subject: [gull-annonces] Summary of SecurityFocus Newsletter #219
Message-ID: <20031023123853.GA610@defian.alphanet.ch>

IRCnet IRCD Local Buffer Overflow Vulnerability
BugTraq ID: 8817
Remote: Yes
Date Published: Oct 13 2003
Relevant URL: http://www.securityfocus.com/bid/8817
Summary:
IRCnet IRCD is an IRC implementation that is available for a number of platforms including Linux/Unix variants.

IRCnet IRCD has been reported prone to a buffer overflow vulnerability that may be exploited by local users. The issue likely presents itself due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into a reserved buffer in memory. Supplied data that exceeds the size of the affected buffer may overrun its bounds and corrupt adjacent memory.

This issue may be exploited to crash the affected server. Although unconfirmed, due to the nature of this vulnerability it has been conjectured that a local attacker may also leverage this condition to potentially have arbitrary instructions executed in the context of the affected server.

This vulnerability has been reported to affect all versions of IRCnet IRCD in the 2.10 development tree up to and including 2.10.3p3.

mIRC DCC SEND Buffer Overflow Vulnerability
BugTraq ID: 8818
Remote: Yes
Date Published: Oct 13 2003
Relevant URL: http://www.securityfocus.com/bid/8818
Summary:
mIRC is a chat client for the IRC protocol, designed for Microsoft Windows based operating systems.

A vulnerability has been reported to exist in mIRC that may allow a remote attacker to crash a vulnerable mIRC client. The condition is most likely present due to insufficient boundary checking performed on 'DCC SEND' requests.
It has been reported that, when received, a malicious 'DCC SEND' request can trigger a fatal error and cause an affected mIRC client to crash. The 'DCC SEND' request can be sent to a channel or a specific targeted user. Although unconfirmed, due to the nature of this vulnerability it has been conjectured that a remote attacker may potentially leverage this issue to have arbitrary code executed in the context of the affected mIRC client.

mIRC versions 6.1 and 6.11 have been reported to be prone to this issue; however, other versions may be affected as well.

mIRC IRC URL Buffer Overflow Vulnerability
BugTraq ID: 8819
Remote: Yes
Date Published: Oct 13 2003
Relevant URL: http://www.securityfocus.com/bid/8819
Summary:
mIRC is a chat client for the IRC protocol, designed for Microsoft Windows based operating systems. When mIRC is installed it registers a handler for the 'irc://' type of URL. Through these means, mIRC is invoked when an 'IRC URL' is followed.

mIRC has been reported prone to a buffer overflow vulnerability when handling malicious 'IRC URLs', specifically when an IRC URL of >998 bytes is clicked by a user running a vulnerable version of mIRC. The issue likely presents itself due to a lack of sufficient boundary checks performed when IRC URL data is being copied into an insufficient buffer in memory. Data that exceeds the size of the reserved buffer will overrun its bounds and corrupt adjacent memory. Because memory adjacent to the affected buffer is used to store a saved instruction pointer, an attacker may influence the execution flow of the affected client into attacker-controlled memory. This may ultimately allow the attacker to execute arbitrary instructions in the context of the user running the affected client.

mIRC version 6.1 has been reported to be prone to this issue; however, other versions may be affected as well.

Apache Mod_Throttle Module Local Shared Memory Corruption Vu...
BugTraq ID: 8822
Remote: No
Date Published: Oct 14 2003
Relevant URL: http://www.securityfocus.com/bid/8822
Summary:
The mod_throttle Apache module is an application developed by sert.com. It is designed to reduce the load used when handling specified server requests. mod_throttle is available for the BSD, Linux, and Solaris operating systems.

The mod_throttle Apache module is said to be prone to a vulnerability that could allow for local privilege elevation. The problem occurs due to the mod_throttle module incorrectly storing critical data within shared memory that is accessible by a user with 'apache' privileges. As a result, an attacker may be capable of corrupting memory pointers and a data file located in a shared memory segment. These pointers may have previously pointed to internal module procedures or may point to critical data required to unload the module while Apache is terminating. This could ultimately lead to privilege elevation during the startup or shutdown procedures of Apache, ultimately allowing an attacker to gain root privileges.

To successfully exploit this issue, it has been reported that an attacker must somehow cause Apache to reload its configuration file. As a result, this vulnerability may be exploited in conjunction with the issue described in BID 5884. Other methods of loading the configuration file may also be used.

Apache Tomcat Non-HTTP Request Denial Of Service Vulnerabili...
BugTraq ID: 8824
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8824
Summary:
Tomcat is a web server and JSP/Servlet container that is developed by Apache as part of the Jakarta project.

Apache Tomcat 4 has been reported prone to a remotely triggered denial of service vulnerability when handling undisclosed non-HTTP request types.
It has been reported that when certain specific non-HTTP request types are handled by the Tomcat HTTP connector, the Tomcat server will reject subsequent requests on the affected port until the service is restarted. A remote attacker may exploit this condition to deliberately prevent the affected server from handling requests, effectively denying service to legitimate users.

It should be noted that this vulnerability has been reported for Tomcat 4.0.x versions.

DBMail IMAP Service SQL Injection Vulnerability
BugTraq ID: 8829
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8829
Summary:
dbmail is a set of applications used for storing and retrieving e-mail messages from a database. dbmail supports MySQL or PostgreSQL databases.

A vulnerability has been reported to exist in the dbmail IMAP service that may allow a remote attacker to inject malicious SQL syntax into database queries. The source of this issue is insufficient sanitization of user-supplied input. The problem is reported to exist in various parameters such as username and password. It has been reported that the vulnerable parameters are not sanitized for user-supplied input before they are included in database queries. A remote attacker may exploit this issue to influence SQL query logic while attempting to authenticate to the server.

A malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database.

dbmail versions 1.1 and prior have been reported to be prone to this issue; however, other versions may be affected as well.

Linksys BEFSX41 EtherFast Router Log Viewer Denial Of Servic...
BugTraq ID: 8834
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8834
Summary:
The Linksys Instant Broadband EtherFast Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint is a hardware router targeted at home and small office users.
Linksys BEFSX41 EtherFast Routers are prone to a denial of service. This issue is exposed via the log viewer in the web administrative interface. By submitting an invalid value for the "Log_Page_Num" parameter, it is possible to trigger this condition, causing the router to be unresponsive. The log viewer is implemented via Group.cgi.

The following example was provided to demonstrate the issue:

http://192.168.1.1/Group.cgi?Log_Page_Num=1111111111&LogClear=0

While exploitation does require a logged-in administrative user to submit a request to the log viewer with malformed parameters, it is possible that the admin could be tricked into visiting a malicious URI that exploits the issue. The URI could be embedded in an image tag in a web page that the administrative user visits. Due to the router being at a predictable address and many router commands being submitted via HTTP GET requests, it may also be possible to use this type of attack to trick a logged-in administrative user into executing other router commands. This has not been confirmed.

[ hardware ]

From schaefer at alphanet.ch Mon Oct 27 23:31:02 2003
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Mon Oct 27 23:31:02 2003
Subject: [gull-annonces] Summary of SecurityFocus Newsletter #220
Message-ID: <20031027222311.GA5598@defian.alphanet.ch>

Eric S. Raymond Fetchmail Unspecified Denial of Service Vuln...
BugTraq ID: 8843
Remote: Yes
Date Published: Oct 16 2003
Relevant URL: http://www.securityfocus.com/bid/8843
Summary:
Fetchmail is a freely available, open source mail retrieval utility. It is maintained by Eric S. Raymond.

A vulnerability has been reported to be present in the software that may allow an attacker to cause a denial of service condition in Fetchmail 6.2.4. It has been reported that the problem presents itself when a specially crafted e-mail message is sent to fetchmail.
The precise nature of this vulnerability is not known at the moment due to a lack of details; however, exploitation of this issue may allow an attacker to cause the software to crash. Although unconfirmed, it may be possible to execute arbitrary code on a vulnerable system.

This vulnerability may be related to known issues; however, this has not been confirmed by Symantec. This BID and any other applicable BIDs will be updated as further information is available.

Fetchmail 6.2.4 has been reported to be prone to this issue; however, other versions may be vulnerable as well.

Multiple GDM Local Denial Of Service Vulnerabilities
BugTraq ID: 8846
Remote: No
Date Published: Oct 17 2003
Relevant URL: http://www.securityfocus.com/bid/8846
Summary:
Gnome Display Manager (GDM) is a utility harnessed by Gnome to manage various functions when interfacing with X.

GDM has been reported prone to multiple denial of service vulnerabilities that may be triggered by a local attacker.

It has been reported that GDM does not perform sufficient restrictions on data that it receives. A local attacker may send excessive amounts of data to GDM and cause memory resources to be exhausted until the kernel terminates the process of the affected GDM.

Additionally, a separate issue has been reported to affect GDM that may be exploited by a local attacker to trigger a denial of service of the GDM utility. The issue has been reported to present itself due to an error while handling queries, for example version queries or authentication responses. It has been reported that an attacker may invoke a query request against GDM and not read the reply, thus triggering GDM into filling its send buffer. This will have the effect of preventing GDM from accepting new logins.

A local attacker may exploit these vulnerabilities to deny service to GDM for legitimate users.
Explicit details regarding this vulnerability are not currently available; this BID will be updated when further details are released or when a more exhaustive investigation into this condition has been completed.

Emule Web Control Panel HTTP Login Long Password Denial of S...
BugTraq ID: 8854
Remote: Yes
Date Published: Oct 20 2003
Relevant URL: http://www.securityfocus.com/bid/8854
Summary:
eMule is a freely available, open source peer-to-peer file sharing application. eMule uses the eDonkey file sharing protocol. It is available for the BSD, Linux and Microsoft Windows operating systems. eMule includes a web control panel that allows users to log in to the server over the web.

It has been reported that the eMule Web Control Panel HTTP login mechanism may be prone to denial of service attacks. Reports indicate that the eMule program expects that login credentials will be received only from the trusted login form. Specifically, no more than 12 password characters are expected to be received, and as such eMule does not carry out bounds checking on this data. However, the eMule login mechanism is said not to validate the origin of login form information received. As a result, an attacker may be capable of constructing malicious HTML form data to transmit excessive password data to the program. Due to insufficient bounds checking, this will effectively cause memory corruption and trigger a denial of service. Reports indicate that password data in excess of 500 to 1000 bytes may be required to trigger the issue.

It should be noted that, due to the nature of this vulnerability, this could theoretically lead to arbitrary code execution. This has not been confirmed, however.

Origo ADSL Router Remote Administrative Interface Configurat...
BugTraq ID: 8855
Remote: Yes
Date Published: Oct 20 2003
Relevant URL: http://www.securityfocus.com/bid/8855
Summary:
Origo ADSL routers are a broadband connectivity solution distributed and maintained by Origo.
A problem has been identified in some Origo ADSL routers. Due to insufficient access control, it may be possible for a remote user to gain unauthorized administrative access to routers, potentially resulting in a denial of service.

The problem is in the listening of a command line-based administrative service on port 254. This service is enabled by default, and is not protected with a password. An attacker could access this interface to change the router configuration, resulting in a denial of service until the router is reconfigured. Other attacks against network resources, such as man-in-the-middle attacks, may also be possible.

This issue is known to affect the ASR-8100 router, though ASR-8400 routers may also be affected.

[ hardware ]

PSCS VPOP3 Email Server WebAdmin Cross-Site Scripting Vulner...
BugTraq ID: 8869
Remote: Yes
Date Published: Oct 22 2003
Relevant URL: http://www.securityfocus.com/bid/8869
Summary:
PSCS VPOP3 Email Server is an e-mail server and gateway.

A cross-site scripting vulnerability has been reported to exist in PSCS VPOP3. The problem has been reported to exist in the WebAdmin utility of the software. The issue presents itself due to improper handling of user-supplied data in certain parameters, which will permit remote attackers to embed HTML and script code in links. HTML and script code could then be rendered in the browser of the user visiting the link. This attack would occur in the security context of the vulnerable site.

Successful exploitation of this attack may allow an attacker to steal cookie-based authentication information. Since the issue affects the WebAdmin utility, it is likely that a successful attack of this nature would permit an attacker to hijack an administrative account.

PSCS VPOP3 versions 2.0.0e and 2.0.0f have been reported to be prone to this vulnerability; however, other versions may be affected as well.
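Both cross-site scripting items in these summaries, the Cobalt RaQ message.cgi 'info' parameter (BID 8757) and the VPOP3 WebAdmin parameters (BID 8869), are the same defect: a request parameter is copied into an HTML page unchanged, so markup in the parameter is rendered as markup. The following is an added example, written here and not taken from either product or from the newsletter. It is the escaping routine a CGI script written in C needs before it interpolates a parameter into a page, shown with the unescaped rendering beside the escaped one. The function names, the 512-byte parameter bound and the page template are assumptions.

```c
/* Added example (not part of the advisories or of Cobalt RaQ / VPOP3):
 * output encoding, the fix for reflected cross-site scripting in a CGI
 * script that echoes a parameter such as "info" into an HTML page. */
#include <stdio.h>
#include <string.h>

/* Escape the five characters that can change HTML context.
 * Returns the number of bytes written (excluding the NUL), or -1 if `out`
 * would overflow; a -1 result must be treated as "do not render". */
long html_escape(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, 0 };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > outsz) return -1;   /* keep room for the NUL */
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (long)used;
}

/* Vulnerable pattern from the advisories: the parameter is pasted straight
 * into the page, so "<script>" in `info` is rendered as an element. */
int render_unsafe(const char *info, char *page, size_t pagesz)
{
    return snprintf(page, pagesz, "<p>%s</p>", info);
}

/* Hardened: escape before interpolation.  Returns 0 on success, -1 if the
 * escaped text does not fit (reject rather than truncate an entity). */
int render_safe(const char *info, char *page, size_t pagesz)
{
    char esc[512];   /* constructed bound for one CGI parameter */
    if (html_escape(info, esc, sizeof esc) < 0) return -1;
    if ((size_t)snprintf(page, pagesz, "<p>%s</p>", esc) >= pagesz) return -1;
    return 0;
}

int main(void)
{
    /* constructed parameter value of the kind the advisories describe */
    const char *info = "<script>alert(1)</script>";
    char page[1024];

    render_unsafe(info, page, sizeof page);
    printf("unsafe: %s\n", page);      /* browser would execute the script */
    if (render_safe(info, page, sizeof page) == 0)
        printf("safe:   %s\n", page);  /* browser shows the text literally */
    return 0;
}
```

The escaping is specific to HTML text and attribute-value context; a parameter that ends up inside a URL, a script block or a style block needs the encoding for that context instead, which is why the safe path refuses to emit anything when escaping fails rather than falling back to the raw value.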
Coreutils LS Width Argument Integer Overflow Vulnerability
BugTraq ID: 8875
Remote: Yes
Date Published: Oct 22 2003
Relevant URL: http://www.securityfocus.com/bid/8875
Summary:
The Coreutils 'ls' utility is a binary application that is used to list directory contents.

Coreutils 'ls' has been reported prone to an integer overflow vulnerability. The issue reportedly presents itself when handling the '-w' (width) and '-C' (output column display) command line arguments passed to the vulnerable application. It has been reported that excessive values passed as a '-w' argument to 'ls' may cause an internal integer value to be misrepresented. Further arithmetic performed based on this misrepresented value may have unintentional results. For example, if this value is used when assigning memory, huge amounts of system memory may be allocated, resulting in a denial of service condition as resource starvation occurs.

Additionally, it has been reported that this vulnerability may be exploited in software that implements and invokes the vulnerable 'ls' utility to trigger a denial of service in the affected software. It has been conjectured that this issue may present itself when affected software invokes 'ls' and expects a return of data. When 'ls' hangs, the invoking software may also subsequently hang.

The integer overflow vulnerability in 'ls' has not been reported to be exploitable to execute arbitrary instructions.

[ license ? ]

Sylpheed-Claws Mail Client SMTP Error Reporting Format Strin...
BugTraq ID: 8877
Remote: Yes
Date Published: Oct 22 2003
Relevant URL: http://www.securityfocus.com/bid/8877
Summary:
Sylpheed-Claws is a branch of the Sylpheed mail client, designed to implement and test less stable features. Both code bases are regularly updated to match each other's behavior. Sylpheed-Claws is available for the Linux operating system.

It has been reported that Sylpheed-Claws is prone to a format string bug when handling error messages received from an SMTP server.
These errors are typically generated when an action cannot be carried out correctly or an incorrect command has been received; however, an attacker may be capable of transmitting an error message immediately upon connection. The problem specifically occurs within the 'send_message.c' source file, which includes a call to the 'alertpanel_error_log' function when handling error messages. This function takes formatted arguments and reports the error message; however, when an error message is encountered the function is incorrectly called without a format specifier, but is passed the SMTP server-supplied error data. As a result, a malformed SMTP server may be capable of having arbitrary format specifiers interpreted by the Sylpheed-Claws mail client, ultimately allowing for code execution. All code executed in this manner would be run with the privileges of the user invoking the affected mail client program.

It has been confirmed that the Sylpheed mail client is also affected by this vulnerability. This issue has been addressed in version 0.9.7.

From ysagon at hasa.ch Tue Oct 28 22:29:11 2003
From: ysagon at hasa.ch (Yann Sagon)
Date: Tue Oct 28 22:29:11 2003
Subject: [gull-annonces] [GULL][COURS][RAPPEL] Active-DVI - free presentation software
Message-ID: <20031028212804.M44780@hasa.ch>

Course 24 - Active-DVI - free presentation software

By: José Manuel Nunes

Description:
Active DVI
Active-DVI is a DVI file viewer and a programmable presenter for talks written in LaTeX.

Audience: Those who occasionally need to give presentations, LaTeX enthusiasts and Objective Caml enthusiasts.
Venue: Grenier Bernois in Morges (address and map at http://www.linux-gull.ch/pv/images/AG2003plan.jpg)
Time: Thursday 30 October 2003, 19:30 to 22:00
Course material: Not yet available
Registration: http://www.linux-gull.ch/cours/index.html#24
Fees: Free for GULL members, 50.- for non-members

--
Yann Sagon
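The Sylpheed-Claws item in the newsletter summary above (BID 8877) describes the classic format string mistake: a printf-style function, 'alertpanel_error_log', is handed server-supplied text in the position where the format belongs. The following is an added example and not the project's source. The stand-in keeps the function name the advisory gives, but its body, the report_error_* wrappers, the buffer size and the sample server reply are all constructed. It shows the vulnerable call shape beside the one-token fix, and a small directive counter a reviewer can use to flag untrusted data that is about to be used as a format.

```c
/* Added example (not Sylpheed-Claws code): the calling pattern behind
 * BID 8877 and its fix.  report_error_unsafe() passes untrusted data where a
 * format string is expected; report_error_safe() passes it as the argument
 * of a fixed "%s" format. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_alert[256];   /* constructed: stands in for the alert panel text */

/* Stand-in for alertpanel_error_log(): printf-style, as the advisory
 * describes.  The name is from the advisory; the body is constructed. */
void alertpanel_error_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_alert, sizeof last_alert, fmt, ap);
    va_end(ap);
}

/* Vulnerable call shape (the bug): the server's message *is* the format
 * string, so any %-directive in it is interpreted.  Deliberately never
 * called here; it exists to be read beside the fix below. */
void report_error_unsafe(const char *server_msg)
{
    alertpanel_error_log(server_msg);
}

/* Hardened call: fixed format, untrusted data as a plain argument.
 * Returns the text that ends up in the alert panel. */
const char *report_error_safe(const char *server_msg)
{
    alertpanel_error_log("SMTP error: %s", server_msg);
    return last_alert;
}

/* Reviewer's triage helper: count conversion directives in a message
 * ("%%" is a literal percent and does not count).  Any non-zero count in
 * data headed for a format parameter is the thing to flag. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    /* constructed server replies: a normal one and a hostile one */
    const char *normal  = "550 5.1.1 User unknown";
    const char *hostile = "550 %x %x %n";

    printf("directives in normal reply:  %d\n", count_directives(normal));
    printf("directives in hostile reply: %d\n", count_directives(hostile));
    printf("safe rendering: %s\n", report_error_safe(hostile));
    return 0;
}
```

Compilers flag the unsafe shape when asked (gcc and clang both warn under -Wformat-security when the format argument is not a literal), so turning that warning on across a code base finds every call of this kind without reading each one.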