From schaefer at alphanet.ch Tue May 4 09:01:02 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Tue May 4 09:01:02 2004
Subject: [gull-annonces] Summary of SecurityFocus Newsletter #247
Message-ID: <20040504063753.GA1878@defian.alphanet.ch>

Linux Kernel cpufreq /proc Handler Integer Handling Vulnerabi...
BugTraq ID: 10201
Remote: No
Date Published: Apr 23 2004
Relevant URL: http://www.securityfocus.com/bid/10201
Summary:
A local integer handling vulnerability has been announced in the Linux kernel. It is reported that this vulnerability may be exploited by an unprivileged local user to obtain kernel memory contents. Additionally, it is reported that a root user may exploit this issue to write to arbitrary regions of kernel memory, which may be a vulnerability in non-standard security-enhanced systems where uid 0 does not have this privilege. The vulnerability presents itself due to integer handling errors in the proc handler for cpufreq.

Linux kernel i810 DRM driver Unspecified Vulnerability
BugTraq ID: 10210
Remote: No
Date Published: Apr 22 2004
Relevant URL: http://www.securityfocus.com/bid/10210
Summary:
An unspecified vulnerability has been identified in the Linux kernel that may allow an attacker to cause a denial of service or gain elevated privileges. Due to a lack of details, further information cannot be provided at the moment. This BID will be updated as more information becomes available. This issue has been identified in kernel version 2.4.22.

Linux kernel framebuffer Code Unspecified Vulnerability
BugTraq ID: 10211
Remote: No
Date Published: Apr 22 2004
Relevant URL: http://www.securityfocus.com/bid/10211
Summary:
An unspecified vulnerability has been identified in the Linux kernel. This vulnerability was reported in a security advisory (FEDORA-2004-111) issued by RedHat for the Fedora operating system. It has been reported that the issue exists in the framebuffer code accessing userspace directly instead of using the correct interfaces. The impact of this issue cannot be confirmed at the moment due to a lack of information. This issue has been identified in kernel version 2.4.22.

Apache mod_auth Malformed Password Potential Memory Corrupti...
BugTraq ID: 10212
Remote: Yes
Date Published: Apr 24 2004
Relevant URL: http://www.securityfocus.com/bid/10212
Summary:
It has been reported that Apache may be prone to a memory corruption vulnerability when parsing malformed password values during authentication. The issue is reported to exist in the authentication modules (mod_auth, mod_auth3, mod_auth4) employed by Apache. All versions of Apache running on 16-bit and 64-bit systems could potentially be vulnerable to this issue.

[ Not clear at all; the demonstration was discussed on Bugtraq and was not convincing. ]

Samsung SmartEther Switch Firmware Authentication Bypass Vul...
BugTraq ID: 10219
Remote: Yes
Date Published: Apr 26 2004
Relevant URL: http://www.securityfocus.com/bid/10219
Summary:
When accessing a Samsung SmartEther switch via the telnet service or a serial connection, authentication is required and the user is presented with a logon screen. It has been reported that it is possible to bypass this authentication procedure. An attacker may potentially exploit this condition to, for example, modify static MAC address mappings and perhaps enable man-in-the-middle style attacks. Other attacks are certainly possible.

[ firmware ]

Linux kernel do_fork() Memory Leakage Vulnerability
BugTraq ID: 10221
Remote: No
Date Published: Apr 26 2004
Relevant URL: http://www.securityfocus.com/bid/10221
Summary:
It has been reported that the Linux kernel may be prone to a memory leakage vulnerability. The issue exists because memory is allocated for child processes but never freed. This issue has been identified in kernel versions 2.4 and 2.6.

Zonet Wireless Router NAT Implementation Design Flaw Vulnera...
BugTraq ID: 10225
Remote: Yes
Date Published: Apr 23 2004
Relevant URL: http://www.securityfocus.com/bid/10225
Summary:
A vulnerability has been reported to affect the implementation of NAT for the ZSR1104WE model Zonet Wireless Router. NAT for the wireless interface on the ZSR1104WE appliance is reported to modify IP data so that, on the internal network, the origin address of forwarded traffic is that of the affected appliance. This issue may render the implementation of access controls on an internal host impossible.

[ firmware ]

Siemens S55 Cellular Telephone SMS Confirmation Message Bypa...
BugTraq ID: 10227
Remote: Yes
Date Published: Apr 27 2004
Relevant URL: http://www.securityfocus.com/bid/10227
Summary:
Reportedly the Siemens S55 is affected by an SMS confirmation message bypass vulnerability. This issue is due to a race condition that allows a malicious programmer to send SMS messages from an unsuspecting cellular telephone user's telephone while obscuring the confirmation request. This issue may allow a malicious programmer to develop an application that can send SMS messages without the cellular telephone user's knowledge.

[ firmware ]

Linux Kernel Panic Function Call Undisclosed Buffer Overflow...
BugTraq ID: 10233
Remote: No
Date Published: Apr 29 2004
Relevant URL: http://www.securityfocus.com/bid/10233
Summary:
The panic() function call of the Linux kernel has been reported prone to a buffer overflow vulnerability. The exact details of the overflow are currently unspecified; however, it has been reported that this issue cannot be exploited. Other reports suggest that the issue may be exploited to reveal portions of kernel memory space.
[ well ]

From schaefer at alphanet.ch Tue May 11 10:11:01 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Tue May 11 10:11:01 2004
Subject: [gull-annonces] Summary of SecurityFocus Newsletter #248
Message-ID: <20040511075946.GA1833@defian.alphanet.ch>

sysklogd Crunch_List Buffer Overrun Vulnerability
BugTraq ID: 10238
Remote: No
Date Published: Apr 29 2004
Relevant URL: http://www.securityfocus.com/bid/10238
Summary:
sysklogd has been reported to be prone to a buffer overrun vulnerability. This condition may theoretically permit a local attacker to crash the server. It is not believed that this condition may be exploited to execute arbitrary code with elevated privileges, since the syslogd component may not be installed with setuid/setgid permissions, though this has not been confirmed.

Sesame Unauthorized Repository Access Vulnerability
BugTraq ID: 10239
Remote: Yes
Date Published: Apr 29 2004
Relevant URL: http://www.securityfocus.com/bid/10239
Summary:
It has been reported that the Sesame RDF repository application is prone to an unauthorized repository access vulnerability. This issue is due to a failure of the application to properly secure repository contents in memory once they have been accessed. This issue might allow an attacker to gain access to other users' repositories, potentially leading to the disclosure of sensitive information.

3Com SuperStack 3 NBX Netset Application Port Scan Denial of...
BugTraq ID: 10240
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10240
Summary:
A vulnerability has been discovered in 3Com SuperStack 3 NBX IP telephones. This issue occurs when an affected port is scanned with the Nessus security audit tool, configured in safeChecks mode. This will effectively cause the NBX Netset application to crash. It is reported that a hard reboot is required to restore normal functionality.

[ firmware. Yes, telephones have buffer overflows ]

Midnight Commander Multiple Unspecified Vulnerabilities
BugTraq ID: 10242
Remote: Unknown
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10242
Summary:
It has been reported that Midnight Commander is prone to multiple, unspecified vulnerabilities. These issues are due to various design and boundary condition errors. These issues could be leveraged by an attacker to execute arbitrary code on an affected system, which may facilitate unauthorized access. It is also possible for an attacker to carry out symbolic link attacks against an affected system, potentially facilitating a system-wide denial of service.

Multiple LHA Buffer Overflow/Directory Traversal Vulnerabili...
BugTraq ID: 10243
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10243
Summary:
LHA has been reported prone to multiple vulnerabilities that may allow a malicious archive to execute arbitrary code or corrupt arbitrary files when the archive is operated on. The first issues reported have been assigned the CVE candidate identifier CAN-2004-0234. It is reported that LHA is prone to two stack-based buffer overflow vulnerabilities. These vulnerabilities may be exploited to execute supplied instructions with the privileges of the user who invoked the affected LHA utility. The second set of issues has been assigned the CVE candidate identifier CAN-2004-0235. In addition to the buffer overflow vulnerabilities that were reported, LHA has been reported prone to several directory traversal issues. These directory traversal vulnerabilities may likely be exploited to corrupt/overwrite files in the context of the user who is running the affected LHA utility.

libpng Broken PNG Out Of Bounds Access Denial Of Service Vul...
BugTraq ID: 10244
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10244
Summary:
The libpng graphics library is reported to be prone to a denial of service vulnerability when handling certain types of broken images. It is conjectured that this issue will cause an access violation on certain systems if software that is linked to the vulnerable library is used to handle a malicious broken PNG image that is sufficient to trigger the vulnerability.

SquirrelMail Folder Name Cross-Site Scripting Vulnerability
BugTraq ID: 10246
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10246
Summary:
It has been reported that SquirrelMail is affected by a cross-site scripting vulnerability in the handling of folder name displays. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamic web content. This issue may allow for theft of cookie-based authentication credentials. Other attacks are also possible.

ReciPants SQL Injection and Cross-Site Scripting Vulnerabili...
BugTraq ID: 10250
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10250
Summary:
It has been reported that ReciPants is vulnerable to SQL injection and cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied input prior to using the input in database queries. When a query fails, the error message, including the malicious content, is displayed in the victim's browser. These issues may allow an attacker to gain access to sensitive information, corrupt database contents, and steal authentication credentials. Other attacks are also possible.

ProFTPD CIDR Access Control Rule Bypass Vulnerability
BugTraq ID: 10252
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10252
Summary:
ProFTPD has been reported prone to an access control rule bypass vulnerability. The issue was reportedly introduced when a "portability workaround" was applied to ProFTPD version 1.2.9. This vulnerability may lead a system administrator into a false sense of security, where it is believed that access to the ProFTPD server is restricted by access control rules. In reality the access control restriction will not be enforced at all.

Emacs flim Library Insecure Temporary File Creation Vulnerab...
BugTraq ID: 10259
Remote: No
Date Published: May 02 2004
Relevant URL: http://www.securityfocus.com/bid/10259
Summary:
The Emacs flim library is prone to a symlink vulnerability. This could allow files to be overwritten with the privileges of the user running Emacs.

[ A library providing basic message features for Emacsen; incompatible with Gnus ]

PaX 2.6 Kernel Patch Denial Of Service Vulnerability
BugTraq ID: 10264
Remote: No
Date Published: May 03 2004
Relevant URL: http://www.securityfocus.com/bid/10264
Summary:
PaX for 2.6 series Linux kernels has been reported prone to a local denial of service vulnerability. The issue is reported to present itself when PaX Address Space Layout Randomization (ASLR) is enabled. The vulnerability may be exploited by a local attacker to influence the kernel into an infinite loop.

[ PaX is a patch for the Linux 2.6 kernel that increases security. Or should, anyway. Not to be confused with the pax tools, which are eventually meant to replace tar and cpio. ]

SmartPeer Undisclosed Local Vulnerability
BugTraq ID: 10265
Remote: No
Date Published: May 03 2004
Relevant URL: http://www.securityfocus.com/bid/10265
Summary:
SmartPeer has been reported prone to an undisclosed vulnerability. The issue is reported to present itself when the "smartpeer -p mynewpassword" command is invoked.

[ SmartPeer is a load balancer for HTTP servers, if we are talking about the same one. SecurityFocus seems to be removing more and more of the important information from its reports. ]

SmartPeer version 0.1 is reported prone to this vulnerability; previous versions might also be affected.

APSIS Pound Remote Format String Vulnerability
BugTraq ID: 10267
Remote: Yes
Date Published: May 03 2004
Relevant URL: http://www.securityfocus.com/bid/10267
Summary:
APSIS Pound has been found to be prone to a remote format string vulnerability. The problem presents itself when Pound handles certain requests containing embedded format string specifiers. Ultimately this vulnerability could allow for execution of arbitrary code on the system running the affected software, which would occur in the security context of the server process.

[ http://www.apsis.ch/pound/, also a load balancer. Is there a shared code base? ]

IPMenu Log File Symbolic Link Vulnerability
BugTraq ID: 10269
Remote: No
Date Published: May 04 2004
Relevant URL: http://www.securityfocus.com/bid/10269
Summary:
It has been reported that ipmenu is affected by a symbolic link vulnerability. This issue is due to a design error that allows for the creation of temporary files in an insecure fashion, facilitating symbolic link attacks. This issue may be leveraged to create a system-wide denial of service condition. This issue may also be leveraged to escalate privileges on the affected system, although this is currently unverified.

[ An editor for netfilter firewall rules: http://users.pandora.be/stes/ipmenu.html ]

Kolab Groupware Server OpenLDAP Plaintext Password Storage V...
BugTraq ID: 10277
Remote: No
Date Published: May 05 2004
Relevant URL: http://www.securityfocus.com/bid/10277
Summary:
It has been reported that Kolab groupware server is prone to a plaintext password storage vulnerability that may allow an attacker to disclose OpenLDAP passwords that are stored in plaintext format. Kolab Server versions 1.0.8 and prior may be prone to this issue.

[ GPL licence. http://kroupware.org/. A groupware project supported by the German government and a company. ]

SuSE Linux Kernel HbaApiNode Improper File Permissions Denia...
BugTraq ID: 10279
Remote: No
Date Published: May 03 2004
Relevant URL: http://www.securityfocus.com/bid/10279
Summary:
A vulnerability has been identified in the SuSE Linux kernel that may allow a local attacker to cause a denial of service condition on a vulnerable system. The issue is reported to be caused by improper file permissions on the '/proc/scsi/qla2300/HbaApiNode' file. SuSE Linux Enterprise Server 8.0, SuSE Linux 8.1 and 9.0 are reported to be affected by this issue. Due to a lack of details, further information cannot be provided at the moment. This BID will be updated as more information becomes available.

[ The QLA2300 is a QLogic Fibre Channel adapter, so I would be surprised if this concerns many people, unless the base kernel includes this driver. ]

FreeBSD Kernel VM_Map Local Denial Of Service Vulnerability
BugTraq ID: 10285
Remote: No
Date Published: May 05 2004
Relevant URL: http://www.securityfocus.com/bid/10285
Summary:
The virtual memory mapping module of the FreeBSD kernel has been reported prone to a local denial of service vulnerability. A local user may exploit this issue to influence the virtual memory mapping module of the FreeBSD kernel into allocating arbitrary amounts of memory. This may potentially exhaust system resources. Once memory resources are exhausted, a kernel panic will likely occur, effectively denying service to legitimate users. It is not currently known if other BSD derivatives are affected by this issue.

P4DB Multiple Input Validation Vulnerabilities
BugTraq ID: 10286
Remote: Yes
Date Published: May 05 2004
Relevant URL: http://www.securityfocus.com/bid/10286
Summary:
It has been reported that P4DB is affected by multiple input validation vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied URI input. Both cross-site scripting and remote, arbitrary command execution vulnerabilities have been reported. The cross-site scripting issues could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks. Exploitation of the command execution vulnerabilities could allow a remote, unauthenticated user to execute arbitrary commands on the underlying system with the privileges of the web server that is hosting the vulnerable application. Currently the information available is not sufficient to provide more information; this BID will be updated as new details are released.

[ A Perl tool for browsing problem/defect databases ]

Heimdal K5AdminD Remote Heap Buffer Overflow
BugTraq ID: 10288
Remote: Yes
Date Published: May 05 2004
Relevant URL: http://www.securityfocus.com/bid/10288
Summary:
It has been reported that a remote heap overflow vulnerability exists in the k5admind daemon. This issue is due to an input validation error: the daemon fails to validate the length given in the framing of Kerberos 4 network communication packets. It has been reported that this issue will only affect versions of the daemon that include Kerberos 4 support; if the daemon does not include this compatibility then it is not vulnerable. The immediate consequence of an attack will be a denial of service condition in the affected server. It might also be possible that this issue could facilitate remote code execution that would take place with the privileges of the affected daemon.

Exim Sender Verification Remote Stack Buffer Overrun Vulnera...
BugTraq ID: 10290
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10290
Summary:
Exim has been reported prone to a remotely exploitable stack-based buffer overrun vulnerability. This is exposed if sender verification has been enabled in the agent and may be triggered by a malicious e-mail. Exploitation may permit execution of arbitrary code in the context of the mail transfer agent. This issue is reported to exist in Exim 3.35. Earlier versions may also be affected. It should be noted that the vulnerable functionality is not enabled in the default install, though some Linux/Unix distributions that ship the software may enable it.

Exim Header Syntax Checking Remote Stack Buffer Overrun Vuln...
BugTraq ID: 10291
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10291
Summary:
Exim is reportedly prone to a remotely exploitable stack-based buffer overrun vulnerability. This issue is exposed if header syntax checking has been enabled in the agent and may be triggered by a malicious e-mail. Though not confirmed to be exploitable, if this condition were to be exploited, it would result in execution of arbitrary code in the context of the mail transfer agent. Otherwise, the agent would crash when handling malformed syntax in an e-mail message. The issue is reported to exist in both Exim 3.35 and 4.32, though the vulnerable code exists in different source files in each of these versions. It should be noted that the vulnerable functionality is not enabled in the default install, though some Linux/Unix distributions that ship the software may enable it.

DeleGate SSLway Filter Remote Stack Based Buffer Overflow Vu...
BugTraq ID: 10295
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10295
Summary:
A remote buffer overflow vulnerability has been reported to affect the DeleGate SSLway filter. This filter is employed when DeleGate is applying SSL to arbitrary protocols. The issue presents itself due to a lack of sufficient boundary checks performed when copying user-supplied certificate field contents. A remote attacker may potentially exploit this issue to overwrite the return address of the static ssl_prcert() function. The attacker may corrupt any other saved value that is within 768 bytes from the end of the affected buffers. It has been reported that the X509_NAME_oneline() function will perform character conversion on characters below 0x20 or above 0x7e; this may hinder exploitation of this issue.

KAME Racoon Remote IKE Message Denial Of Service Vulnerabili...
BugTraq ID: 10296
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10296
Summary:
It has been reported that KAME is affected by a remote denial of service vulnerability when processing malformed IKE messages. This issue is due to a failure of the daemon to properly handle malformed messages. This issue can be leveraged to cause the affected daemon to enter an infinite loop, effectively denying service to legitimate users.

SuSE LINUX 9.1 Personal Edition Live CD-ROM SSH Server Defau...
BugTraq ID: 10297
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10297
Summary:
It has been reported that the SuSE LINUX 9.1 Personal Edition Live CD-ROM can allow an attacker to gain full access to a vulnerable system. The issue presents itself when a user boots the machine with the affected CD-ROM. It has been reported that, due to a configuration error, the system configures an SSH server on the host with a default root account.

[ Knoppix showed the way: no root password, sudo. Or was it Apple? PS: is there still a completely free version of SuSE? ]
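The Heimdal k5admind entry above describes a length taken from the Kerberos 4 packet framing that is never checked against the data actually received. The C program below is an added example written for this summary, not Heimdal code, and does not reproduce the Kerberos 4 wire format: it assumes a hypothetical framing of a 4-byte big-endian length followed by the payload, a made-up FRAME_MAX_PAYLOAD limit, and constructed sample frames. It places the unchecked pattern beside a parser that bounds the length against both the protocol limit and the bytes that arrived, and it compares "len > remaining" rather than "len + 4 > buflen", because the latter wraps for lengths near 2^32.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Frame layout assumed for this example: a 4-byte big-endian length,
 * then that many payload bytes. FRAME_MAX_PAYLOAD is a hypothetical
 * protocol limit chosen here, not a Kerberos value. */
#define FRAME_HDR_LEN     4u
#define FRAME_MAX_PAYLOAD 4096u

struct frame {
    uint32_t       len;
    unsigned char *payload;     /* heap copy, freed by the caller */
};

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the length from the wire is trusted. A peer that
 * declares more bytes than it sent makes memcpy read past buf, and a
 * length near 2^32 makes malloc fail or return a tiny block. Kept here
 * for contrast; only call it on input that was already validated. */
int parse_frame_unchecked(const unsigned char *buf, size_t buflen,
                          struct frame *out)
{
    if (buflen < FRAME_HDR_LEN)
        return -1;
    uint32_t len = read_be32(buf);
    out->payload = malloc(len ? len : 1);
    if (out->payload == NULL)
        return -1;
    memcpy(out->payload, buf + FRAME_HDR_LEN, len);   /* no bound against buflen */
    out->len = len;
    return 0;
}

/* Hardened parser: 0 on success (fills *out and *consumed), -1 when the
 * header is truncated, the length exceeds the protocol limit, or the
 * length exceeds the bytes that actually arrived. */
int parse_frame_checked(const unsigned char *buf, size_t buflen,
                        struct frame *out, size_t *consumed)
{
    if (buflen < FRAME_HDR_LEN)
        return -1;                          /* not even a full header */
    uint32_t len = read_be32(buf);
    if (len > FRAME_MAX_PAYLOAD)
        return -1;                          /* protocol bound: no huge allocations */
    /* Compare against the remaining bytes; never write "len + 4 > buflen":
     * len = 0xfffffffc wraps len + 4 to 0 and that test would pass. */
    if (len > buflen - FRAME_HDR_LEN)
        return -1;                          /* declared more than arrived */
    out->payload = malloc(len ? len : 1);   /* sidestep malloc(0) */
    if (out->payload == NULL)
        return -1;
    memcpy(out->payload, buf + FRAME_HDR_LEN, len);
    out->len = len;
    *consumed = FRAME_HDR_LEN + len;        /* len <= buflen - 4, so no overflow */
    return 0;
}

/* Walk a receive buffer holding several frames back to back. Returns the
 * number of well-formed frames, or -1 at the first malformed one. */
int count_frames(const unsigned char *buf, size_t buflen)
{
    int n = 0;
    while (buflen > 0) {
        struct frame f;
        size_t used;
        if (parse_frame_checked(buf, buflen, &f, &used) != 0)
            return -1;
        free(f.payload);
        buf += used;
        buflen -= used;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input: one valid frame, then a header claiming nine
     * bytes while only five follow it. */
    static const unsigned char rx[] = {
        0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o',
        0, 0, 0, 9, 'w', 'o', 'r', 'l', 'd'
    };
    printf("frames parsed: %d\n", count_frames(rx, sizeof rx));
    return 0;
}
```

The protocol bound matters as much as the received-bytes bound: without it, a peer can still make the server allocate 4 GB per connection, which is the denial-of-service half of the advisory even when no overflow is reachable.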
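The LHA entry (CAN-2004-0234 and CAN-2004-0235) combines two classic archive-extractor bugs: header fields copied into fixed stack buffers, and member names that climb out of the extraction directory. The following C code is an added example for this summary, not LHA's own code: it shows the check an extractor needs before touching the filesystem, and a path builder that refuses a name rather than truncating it when it does not fit. Treating both '/' and '\\' as separators and rejecting DOS drive letters are assumptions about the inputs, made because LHA archives come from DOS as well as Unix; the destination directory and member names are constructed.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* True if an archive member name may be extracted under a destination
 * directory: relative, no drive letter, and no ".." component anywhere.
 * '/' and '\\' are both separators here (assumption about the inputs,
 * not a description of LHA's own parser). */
bool archive_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/' || name[0] == '\\')
        return false;                            /* absolute path */
    if (((name[0] >= 'A' && name[0] <= 'Z') ||
         (name[0] >= 'a' && name[0] <= 'z')) && name[1] == ':')
        return false;                            /* DOS drive letter */

    const char *p = name;
    while (*p != '\0') {
        size_t n = 0;                            /* length of one component */
        while (p[n] != '\0' && p[n] != '/' && p[n] != '\\')
            n++;
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return false;                        /* ".." anywhere climbs out */
        p += n;
        if (*p != '\0')
            p++;                                 /* skip the separator */
    }
    return true;
}

/* Build "<dest>/<name>" into out. Returns 0 on success, -1 if the name
 * is unsafe or the result would not fit: a long header field is refused
 * instead of being allowed to run past a fixed-size buffer. */
int extraction_path(const char *dest, const char *name, char *out, size_t outlen)
{
    if (!archive_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", dest, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                               /* would truncate: refuse */
    return 0;
}

int main(void)
{
    /* Constructed member names, as an extractor would read them from headers. */
    const char *names[] = { "docs/readme.txt", "../etc/passwd", "/etc/passwd",
                            "a/../../b", "a/./b", "..hidden/x", "C:\\boot.ini" };
    char path[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = extraction_path("/tmp/out", names[i], path, sizeof path);
        printf("%-16s -> %s\n", names[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```

The component walk is deliberately literal: it does not normalise "a/./b" away, and it accepts "..hidden" because only an exact ".." component changes directory. Symlinks inside the destination are a separate problem that this check does not address.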
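The ProFTPD entry above is an access control list that silently stopped matching, so the administrator's CIDR rules were never enforced. As an added example, not ProFTPD code and not its <Limit> semantics, the C program below implements the check such a rule list is supposed to perform: parsing "a.b.c.d/n", building the mask without the undefined "0xffffffff << 32" that turns a /0 into nonsense, normalising the network, and evaluating an ordered allow/deny list with first match wins and default deny. The rule list, the client addresses and the first-match policy are this example's own assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct cidr { uint32_t net; uint32_t mask; };
struct rule { bool allow; struct cidr net; };

/* Accept only ASCII digits (and dots when dots_ok). This rejects signs,
 * spaces and trailing junk that sscanf's %u would silently tolerate. */
static bool digits_only(const char *s, bool dots_ok)
{
    if (*s == '\0')
        return false;
    for (; *s != '\0'; s++)
        if (!((*s >= '0' && *s <= '9') || (dots_ok && *s == '.')))
            return false;
    return true;
}

/* "a.b.c.d" -> host-order address. false on anything else. */
bool parse_ipv4(const char *s, uint32_t *addr)
{
    unsigned o[4];
    char extra;
    if (!digits_only(s, true))
        return false;
    if (sscanf(s, "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &extra) != 4)
        return false;                        /* too few octets, or a fifth one */
    for (int i = 0; i < 4; i++)
        if (o[i] > 255)
            return false;
    *addr = ((uint32_t)o[0] << 24) | ((uint32_t)o[1] << 16) |
            ((uint32_t)o[2] << 8)  |  (uint32_t)o[3];
    return true;
}

/* "a.b.c.d/n" -> network and mask. The prefix is mandatory and 0..32.
 * The /0 case is special-cased because shifting a 32-bit value by 32
 * is undefined in C and on x86 typically yields an all-ones mask. */
bool parse_cidr(const char *s, struct cidr *c)
{
    char ip[16];                             /* "255.255.255.255" + NUL */
    unsigned prefix;
    uint32_t addr;
    const char *slash = strchr(s, '/');
    if (slash == NULL || (size_t)(slash - s) >= sizeof ip)
        return false;
    memcpy(ip, s, (size_t)(slash - s));
    ip[slash - s] = '\0';
    if (!digits_only(slash + 1, false) || sscanf(slash + 1, "%u", &prefix) != 1)
        return false;
    if (prefix > 32 || !parse_ipv4(ip, &addr))
        return false;
    c->mask = (prefix == 0) ? 0u : (0xffffffffu << (32 - prefix));
    c->net  = addr & c->mask;                /* normalise 10.1.2.3/8 to 10.0.0.0/8 */
    return true;
}

bool cidr_match(const struct cidr *c, uint32_t addr)
{
    return (addr & c->mask) == c->net;
}

/* Ordered rule list: first match wins, default deny when nothing
 * matches. These semantics are this example's own, not ProFTPD's. */
bool access_allowed(const struct rule *rules, size_t nrules, uint32_t addr)
{
    for (size_t i = 0; i < nrules; i++)
        if (cidr_match(&rules[i].net, addr))
            return rules[i].allow;
    return false;
}

/* One-off check: 1 match, 0 no match, -1 parse error. */
int cidr_check(const char *cidr_text, const char *ip_text)
{
    struct cidr c;
    uint32_t a;
    if (!parse_cidr(cidr_text, &c) || !parse_ipv4(ip_text, &a))
        return -1;
    return cidr_match(&c, a) ? 1 : 0;
}

int main(void)
{
    /* Constructed policy: the LAN is allowed, everything else is denied. */
    struct rule rules[2];
    rules[0].allow = true;
    rules[1].allow = false;
    if (!parse_cidr("192.168.1.0/24", &rules[0].net) ||
        !parse_cidr("0.0.0.0/0", &rules[1].net))
        return 1;
    const char *clients[] = { "192.168.1.77", "192.168.2.1", "8.8.8.8" };
    for (size_t i = 0; i < 3; i++) {
        uint32_t a;
        if (parse_ipv4(clients[i], &a))
            printf("%-14s %s\n", clients[i],
                   access_allowed(rules, 2, a) ? "allow" : "deny");
    }
    return 0;
}
```

A parse failure returns false rather than a permissive default, which is the point of the advisory: a rule that cannot be evaluated must fail closed, and a regression test that feeds an out-of-range address through the final list catches a matcher that has quietly stopped working.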
From schaefer at alphanet.ch Thu May 13 11:11:02 2004 From: schaefer at alphanet.ch (Marc SCHAEFER) Date: Thu May 13 11:11:02 2004 Subject: [gull-annonces] /ch/open: 2004-06-08: Geographische Informationssysteme (GIS) Message-ID: <20040512130147.GB579@defian.alphanet.ch> Un `event' /ch/open, en allemand, sur le th?me des syst?mes d'information g?ographiques (GIS), qui se donnera ? Z?rich. Technopark Zuerich, Raum Pascal 17.30 - ca. 18.30 Uhr: Vortrag Anschliessend an den Vortrag sind Sie zu einem Ap?ro eingeladen. Wo? Geographische Informationssysteme (GIS) auf Open-Source Basis ================================================================= Referent: --------- Pirmin Kalberer, Sourcepole Abstract: --------- Es gibt wenige Anwendungen, die ohne geographischen Bezug, also der Einordnung in die r?umliche Welt auskommen. Kartendarstellungen f?r die Lokalisierung von Adressen und Objekten, die geographische Verteilung von Kunden oder die Abdeckung mit Natel-Antennen und Flugschneisen - die Beispiele k?nnten endlos weitergef?hrt werden. Trotzdem ist das Know-How ?ber dieses Teilgebiet der Informatik sehr sp?rlich verbreitet. Das ist mit ein Grund f?r die seltene Integration geographischer Darstellungen in Applikationen, obwohl diese einen grossen Zusatznutzen f?r den Kunden bedeuten w?rde. Neben kommerzieller Software existiert eine grosse Zahl an Open Source Projekten, welche praktisch alle Anwendungsgebiete abdecken. Event-Ziel: Die Event-Teilnehmer erhalten einen ?berblick ?ber die verf?gbare OSS GIS-Software und deren Anwendungsgebiet. Sie k?nnen f?r konkret anstehende Projekte beurteilen, auf welche Weise geographische Bez?ge integrierbar sind. Themen: * Typische Anwendungen (Desktop-GIS, Web-Mapping, Viewer, usw.) * Datenformate und Datenbanken * Standards (WMS, GML, Interlis) * Von den Daten zur Karte im Browser * Vorstellung der wichtigsten OSS GIS-Applikationen Links: * www.freegis.org/ * www.sourcepole.ch/gis-knoppix/ Bio: ---- Pirmin Kalberer ist dipl. El. 
Ing. ETH und seit 10 Jahren in der Software-Entwicklung und Projektleitung t?tig. Er ist Mitinhaber der Sourcepole AG, welche Linux- und Open-Source L?sungen mit den Spezialgebieten GIS und Automatisierung plant und realisiert. Wir freuen uns ?ber Ihre Anmeldung unter . From schaefer at alphanet.ch Tue May 18 19:01:03 2004 From: schaefer at alphanet.ch (Marc SCHAEFER) Date: Tue May 18 19:01:03 2004 Subject: [gull-annonces] =?iso-8859-1?Q?R=E9sum?= =?iso-8859-1?Q?=E9?= SecurityFocus Newsletter #249 Message-ID: <20040518162109.GA1088@defian.alphanet.ch> Linux Kernel Local IO Access Inheritance Vulnerability BugTraq ID: 10302 Remote: No Date Published: May 07 2004 Relevant URL: http://www.securityfocus.com/bid/10302 Summary: It has been reported that the Linux Kernel is affected by an IO access inheritance vulnerability. This issue is due to an access validation error that fails to invalidate all io_bitmap pointers before a process exits. This issue could allow local users to lock up the affected system, denying service to legitimate users. This issue might also allow an attacker to gain escalated privileges. Icecast Server Base64 Authorization Request Remote Buffer Ov... BugTraq ID: 10311 Remote: Yes Date Published: May 10 2004 Relevant URL: http://www.securityfocus.com/bid/10311 Summary: It has been reported that Icecast server may be prone to a remote buffer overflow vulnerability when processing an excessively long base64 authentication request. A remote attacker could execute arbitrary code in the context of the server leading to unauthorized access. This issue is reported to exist in Icecast 2.0.0, however, it is possible that previous versions are affected as well. [ http://www.icecast.org/, un serveur de streaming MP3/Ogg ] Squid Proxy BugTraq ID: 10315 Remote: Yes Date Published: May 10 2004 Relevant URL: http://www.securityfocus.com/bid/10315 Summary: Squid proxy has been reported to be affected by an Internet access control bypass vulnerability. 
This issue is caused by a failure of the application to properly handle access controls when evaluating malformed URI requests. This issue is reported to affect version 2.3.STABLE5 of the software, it is likely however that other versions are also affected. This issue would allow users that are restricted from accessing Internet-based resources to access arbitrary web sites. Open Webmail Remote Command Execution Variant Vulnerability BugTraq ID: 10316 Remote: Yes Date Published: May 10 2004 Relevant URL: http://www.securityfocus.com/bid/10316 Summary: A vulnerability has been reported in Open Webmail that allows a remote attacker to execute arbitrary commands on a vulnerable host. The problem is due to insufficient sanitization of shell metacharacters that are passed to the vulnerable software through URI parameters. Exploitation of the vulnerability could allow a non-privileged user to remotely execute arbitrary commands in the context of the web server that is hosting the vulnerable application. [ http://www.openwebmail.org, bas? sur Neomail ] eMule Web Control Panel Denial Of Service Vulnerability BugTraq ID: 10317 Remote: Yes Date Published: May 10 2004 Relevant URL: http://www.securityfocus.com/bid/10317 Summary: It has been reported that eMule's Web Control Panel is susceptible to a remote denial of service vulnerability. This issue is reportedly triggered by sending malformed requests to the web interface. Upon processing malformed requests, the affected application will crash, denying service to legitimate users. [ un client pour r?seau P2P http://www.emule-project.net/ ] NetBSD/FreeBSD Port Systrace Exit Routine Access Validation ... BugTraq ID: 10320 Remote: No Date Published: May 11 2004 Relevant URL: http://www.securityfocus.com/bid/10320 Summary: A vulnerability has been reported that affects Systrace on NetBSD, as well as the FreeBSD port by Vladimir Kotal. 
The source of the issue is insufficient access validation when a systraced process is restoring privileges. This issue can be exploited by a local attacker to gain root privileges on a vulnerable system. Linux Kernel SCTP_SetSockOpt Integer Overflow Vulnerability BugTraq ID: 10326 Remote: No Date Published: May 11 2004 Relevant URL: http://www.securityfocus.com/bid/10326 Summary: An integer overflow vulnerability has been reported in the sctp_setsockopt() system call of the Linux kernel. This issue is related to the code for handling the SCTP_SOCKOPT_DEBUG_NAME socket option. The issue presents itself in the sctp_setsockopt() function of the net/sctp/socket.c source file, due to a lack of sufficient validation performed on user supplied integer values. This vulnerbaility may result in the allocation of a zero byte chunk in kernel memory space. Likely resulting in a kernel panic. The issue may also potentially be exploited however to compromise the system. This vulnerability is reported to affect Linux kernel versions up to and including version 2.4.25. [ apparemment une attaque sur l'impl?mentation du nouveau protocole SCTP, ajout?e tr?s r?cemment, voir http://www.sctp.org/ pour les d?tails sur le Stream Control Transmission Protocol, un protocole similaire ? TCP pr?vu pour les applications QoS ] Multiple Linksys Devices DHCP Information Disclosure and Den... BugTraq ID: 10329 Remote: Yes Date Published: May 13 2004 Relevant URL: http://www.securityfocus.com/bid/10329 Summary: It has been reported that the built-in DHCP server on these devices are prone to an information disclosure vulnerability. When attempting to exploit this issue, it has been reported that a denial of service condition may occur, stopping legitimate users from using the device. The DHCP server application on the device reportedly does not handle BOOTP packets properly, and can disclose the contents of the devices memory to an attacker. 
It may be possible for an attacker to use this vulnerability to watch traffic on an affected device. It may also be possible for an attacker to crash the device and deny service to legitimate users. [ firmware ] Linux Kernel Serial Driver Proc File Information Disclosure ... BugTraq ID: 10330 Remote: No Date Published: May 12 2004 Relevant URL: http://www.securityfocus.com/bid/10330 Summary: It has been reported that the Linux kernel is prone to a serial driver proc file information disclosure vulnerability. This issue is due to a design error that allows unprivileged access to potentially sensitive information. This issue might allow an attacker to gain access to sensitive information such as user password lengths. Linux Kernel strncpy() Information Leak Vulnerability BugTraq ID: 10331 Remote: No Date Published: May 12 2004 Relevant URL: http://www.securityfocus.com/bid/10331 Summary: This issue is reported to affect the vulnerable kernel only on platforms other than x86. It has been reported that the Linux kernel is prone to a 'strncpy()' information leak vulnerability. This issue is due to a failure of the libc code to properly implement the offending function on platforms other than x86. This issue might lead to information leakage, potentially facilitating further attacks against an affected system or process. Sweex Wireless Broadband Router/Access Point Unauthorized Ac... BugTraq ID: 10339 Remote: Yes Date Published: May 13 2004 Relevant URL: http://www.securityfocus.com/bid/10339 Summary: It has been reported that Sweex Wireless Broadband Router/Access Point is prone to a vulnerability that may allow a remote attacker to gain unauthorized access to a vulnerable access point. It has been reported that the access point has a TFTP service running that is enabled by default. Successful exploitation of this issue may allow a remote attacker to gain access to sensitive information that could eventually allow an attacker to completely compromise the access point. 
Sweex Wireless Broadband Router/Access Point 11g is reported to be prone to this issue.

[ firmware ]

Multiple Vendor IEEE 802.11 Protocol Remote Denial Of Servic...
BugTraq ID: 10342
Remote: Yes
Date Published: May 13 2004
Relevant URL: http://www.securityfocus.com/bid/10342
Summary:
It has been reported that the IEEE 802.11 wireless network protocol is affected by a remote denial of service vulnerability. This issue is due to a design error that might cause an affected device to stop transmitting network data through wireless media. This issue is reported to affect only wireless hardware devices that implement IEEE 802.11 using a DSSS physical layer. This issue might allow an attacker to cause all nodes on a wireless network, both access points and hosts, to stop transmitting network data; this would effectively cause a network-wide denial of service condition.

[ unless I am mistaken, this involves taking the MAC address of the Access Point so as to set up a DoS ]

From schaefer at alphanet.ch Mon May 24 10:11:05 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Mon May 24 10:11:05 2004
Subject: [gull-annonces] Events supported by /ch/open
Message-ID: <20040524075814.GA2919@defian.alphanet.ch>

More information at http://www.ch-open.ch/events/ (most of these talks are in the Zürich area and in German)

25.5.: LogOn Info Day: Open Source & Linux at work
===============================================

Peter Stevens gives a talk titled "Linux in der Praxis: Das strategische Argument für Linux und Open Source Software" (Linux in practice: the strategic argument for Linux and open source software) at the free event of the company Logon Technology Transfer.

4.6.: Migros Klubschule Rapperswil - Linux im Trend
===================================================

On Friday 4 June the Linux event takes place at the Klubschule Rapperswil. In various workshops, interested people can gain their first experience with Linux. The speaker is Remo Pini.
8.6.: Open Source - Chance oder Gefahr (Open Source - Opportunity or Threat)
======================================

Peter Stevens and Marcel Bernet give an introduction to open source at the event of the SwissICT association. The event is aimed at software developers who do not yet have any experience with open source.

From schaefer at alphanet.ch Mon May 24 10:41:01 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Mon May 24 10:41:01 2004
Subject: [gull-annonces] /ch/open-Workshop-Tage: Call for Papers
Message-ID: <20040524080343.GB2919@defian.alphanet.ch>

As every year, /ch/open is organising its workshops, from 5 to 7 October at the Technikum in Rapperswil. This is a call for contributions for the following programme:

1. Java - talks proposed by the JUGS
   * OSS Dev Environment for Java Projects
2. Project management, leadership, marketing
   * Rolf Nievergelt and Walter Jenni
   * /ch/open Process (Marcel Bernet, Thomas Fehlmann)
3. Current OSS
   * Voice over IP (Asterisk)
   * Integration Linux/Exchange (Novell)
   * KDE Programming (using KParts)
4. OSS databases
   * PostgreSQL with Bruce Momjian
   * MySQL, latest features

Deadline: 17.7.2004
Duration per workshop: half a day or one day
Content/form: a good balance between theory and practice, exercises, discussions and group work.
Languages: German, French, English
Registration form

From schaefer at alphanet.ch Wed May 26 12:01:02 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Wed May 26 12:01:02 2004
Subject: [gull-annonces] Summary of SecurityFocus Newsletter #250
Message-ID: <20040526093210.GA2626@defian.alphanet.ch>

Reminder of the rules:
- free software only (in the DFSG sense)
- IRC clients, chat, file-sharing networks, PHP, etc. excluded
- hardware is generally covered
  (firmware) even if proprietary

SecurityFocus is making my work more and more difficult by no longer giving the approximate licences of the software, nor their platform, and very often an incomplete or even wrong description of the software concerned.

Apache mod_ssl Stack Buffer Overflow
BugTraq ID: 10355
Remote: Yes
Date Published: May 17 2004
Relevant URL: http://www.securityfocus.com/bid/10355
Summary:
A stack-based buffer overflow has been reported in the Apache mod_ssl module. This issue is exposed in utility code for uuencoding binary data. This issue would most likely result in a denial of service if triggered, but could theoretically allow for execution of arbitrary code. The issue is not believed to be exploitable to execute arbitrary code on x86 architectures, though this may not be the case with other architectures.

KDE Multiple URI Handler Vulnerabilities
BugTraq ID: 10358
Remote: Yes
Date Published: May 17 2004
Relevant URL: http://www.securityfocus.com/bid/10358
Summary:
It has been reported that KDE is prone to multiple input validation vulnerabilities in various URI handlers. The issues are reported to exist due to insufficient sanitization of user-supplied input by the telnet, rlogin, ssh and mailto URI handlers. Specifically, if a '-' character is present at the beginning of a host name, options may be passed to the programs to carry out an attack.

GNU libtasn1 Undisclosed Vulnerability
BugTraq ID: 10360
Remote: Yes
Date Published: May 17 2004
Relevant URL: http://www.securityfocus.com/bid/10360
Summary:
GNU libtasn1 has been reported prone to an undisclosed vulnerability. The issue is reported to present itself in the DER parsing functions of libtasn1. This BID will be updated as soon as further information regarding this vulnerability becomes available. Libtasn1 versions prior to 0.1.2 and 0.2.7 are reported prone to this vulnerability.

[ ASN.1 parsing is used notably in everything related to ISO protocols such as SNMP, etc.
]

wget Insecure File Creation Race Condition Vulnerability
BugTraq ID: 10361
Remote: No
Date Published: May 17 2004
Relevant URL: http://www.securityfocus.com/bid/10361
Summary:
wget has been reported prone to a race condition vulnerability. The issue exists because wget does not lock files that it creates and writes to during file downloads. A local attacker may exploit this condition to corrupt files with the privileges of the victim who is running the vulnerable version of wget.

[ In fact, this is not a vulnerability in the usual sense. wget includes a mechanism which, if the file already exists, allows either resuming (-c) or creating a new file (.1, .2, .3, etc.). But of course, if a file or directory with that name is created between the test and the transfer, there will be an overwrite or an error. Under /tmp one can imagine an exploit based on symlinks, but the problem of shared directories is not new. In short, if you write scripts that use wget, transfer the data under ~ (or better, under a special chmod 700 ~/tmp directory, or create a directory under /tmp, along the lines of umask 077 && mkdir /tmp/blabla_$$ && cd /tmp/blabla_$$ || fail "error") ]

libuser Multiple Unspecified Vulnerabilities
BugTraq ID: 10368
Remote: Yes
Date Published: May 17 2004
Relevant URL: http://www.securityfocus.com/bid/10368
Summary:
libuser implements a standardized interface for manipulating and administering user and group accounts on Unix systems. It has been reported that several vulnerabilities exist in this library. Attackers could possibly crash applications that are linked to this library, or possibly cause the applications to write 4GB files containing garbage to disk. These issues could possibly lead to a denial of service condition, causing legitimate users to be unable to access resources.
Mandrake Linux passwd Potential Vulnerabilities
BugTraq ID: 10370
Remote: Unknown
Date Published: May 17 2004
Relevant URL: http://www.securityfocus.com/bid/10370
Summary:
Two potential security issues reportedly affect the implementation of passwd included with Mandrake Linux, according to Mandrake advisory MDKSA-2004:045. According to the report, passwords supplied to passwd via stdin are incorrectly one character shorter than they should be. It is not known whether this behavior occurs at the interactive prompt or if the implementation allows for passwords to be "piped" to passwd through stdin. This may or may not have security implications, as the user's password will not be stored correctly and the user will not be able to log in. It is conceivable that this could result in a less secure password. The second issue reported by Mandrake is that PAM may not be initialized correctly and "safe and proper" operation may not be ensured. Further technical details are not known.

Blue Coat Systems SGOS Private Key Disclosure Vulnerability
BugTraq ID: 10371
Remote: Yes
Date Published: May 18 2004
Relevant URL: http://www.securityfocus.com/bid/10371
Summary:
Blue Coat Systems Security Gateway OS (SGOS) 3.x devices are prone to a vulnerability that could cause the private encryption key to be disclosed to unauthorized parties. The issue reportedly occurs when the private key is imported through the web-based administrative interface. This will cause the private key and passphrase to be logged in plaintext, potentially exposing them to other local users. It is also reported that certain administrative actions or configurations could also expose this information to other unauthorized parties, though specific details have not been publicized at this time.

[ hardware/firmware ]

Secure Computing Sidewinder G2 Multiple Unspecified Denial O...
BugTraq ID: 10373
Remote: Yes
Date Published: May 18 2004
Relevant URL: http://www.securityfocus.com/bid/10373
Summary:
It has been reported that the Sidewinder G2 is prone to multiple unspecified denial of service vulnerabilities. The T.120, RTSP and SMTP proxies, and the mail filter, have all been reported to contain denial of service vulnerabilities. These vulnerabilities could be exploited by a remote attacker to deny service to legitimate users.

[ hardware/firmware ]

Multiple Perl Implementation System Function Call Buffer Ove...
BugTraq ID: 10375
Remote: Yes
Date Published: May 18 2004
Relevant URL: http://www.securityfocus.com/bid/10375
Summary:
ActiveState Perl and Perl for cygwin are both reported to be prone to a buffer overflow vulnerability. The issue is reported to exist due to a lack of sufficient bounds checking performed on data that is passed to a Perl system() function call. This vulnerability may permit an attacker to influence the execution flow of a vulnerable Perl script and ultimately execute arbitrary code. Arbitrary code execution will occur in the context of the user who is running the malicious Perl script.

[ does not affect POSIX; moreover, it is certain that the parameters of system() should not be controllable by anything other than the script itself. ]

Multiple Perl Implementation Duplication Operator Integer Ov...
BugTraq ID: 10380
Remote: Yes
Date Published: May 18 2004
Relevant URL: http://www.securityfocus.com/bid/10380
Summary:
ActiveState Perl is reported to be prone to an integer overflow vulnerability. It is revealed through testing that other implementations are also vulnerable. The issue is reported to exist due to a lack of sufficient bounds checking performed on multiplier data that is passed to a Perl duplication statement. This vulnerability may permit an attacker to influence the execution flow of a vulnerable Perl script and ultimately execute arbitrary code.
Failed exploit attempts will result in a denial of service.

[ non-POSIX only ]

KDE Konqueror Embedded Image URI Obfuscation Weakness
BugTraq ID: 10383
Remote: Yes
Date Published: May 18 2004
Relevant URL: http://www.securityfocus.com/bid/10383
Summary:
It is reported that KDE Konqueror is prone to a URI obfuscation weakness that may hide the true contents of a URI link. The issue occurs when an image is contained within a properly formatted HREF tag. This weakness could be employed to trick a user into following a malicious link. An attacker can exploit this issue by supplying a malicious image that appears to be a URI link pointing to a page designed to mimic that of a trusted site. If an unsuspecting victim mouses over the link in an attempt to verify the authenticity of where it references, they may be deceived into believing that the link references the actual trusted site.

CVS Malformed Entry Modified and Unchanged Flag Insertion He...
BugTraq ID: 10384
Remote: Yes
Date Published: May 19 2004
Relevant URL: http://www.securityfocus.com/bid/10384
Summary:
CVS is prone to a remote heap overflow vulnerability. This issue presents itself during the handling of user-supplied input for entry lines with 'modified' and 'unchanged' flags. This vulnerability can allow an attacker to overflow a vulnerable buffer on the heap, possibly leading to arbitrary code execution. CVS versions 1.11.15 and prior and CVS feature versions 1.12.7 and prior are prone to this issue.

[ a serious attack, in particular if the pserver is active, although write access to the CVS may perhaps be needed; not very clear ]

Neon WebDAV Client Library ne_rfc1036_parse Function Heap Ov...
BugTraq ID: 10385
Remote: Yes
Date Published: May 19 2004
Relevant URL: http://www.securityfocus.com/bid/10385
Summary:
The Neon WebDAV client library is prone to a heap overflow vulnerability. This issue exists due to improper boundary checks performed on user-supplied data.
Reportedly a malformed string value may cause an sscanf() string overflow into static heap variables. Neon 0.24.5 and prior are prone to this issue.

Subversion Date Parsing Function Buffer Overflow Vulnerabili...
BugTraq ID: 10386
Remote: Yes
Date Published: May 19 2004
Relevant URL: http://www.securityfocus.com/bid/10386
Summary:
Subversion is prone to a buffer overflow vulnerability. This issue exists in one of the data parsing functions of the application. Specifically, Subversion calls an sscanf() function when converting data strings to different formats. This causes user-supplied data to be copied into an unspecified buffer without proper boundary checks performed by the application. Subversion versions 1.0.2 and prior are prone to this issue.

F5 BIG-IP Syncookie Denial Of Service Vulnerability
BugTraq ID: 10388
Remote: Yes
Date Published: May 19 2004
Relevant URL: http://www.securityfocus.com/bid/10388
Summary:
It has been reported that the switch is susceptible to a denial of service condition, whereby a remote attacker is able to panic the kernel. Once the kernel is in a panic condition, the switch is rendered completely incapacitated, denying access to legitimate users. The fault lies in a race condition in the syncookie evaluation code. A remote attacker could exploit this vulnerability by simply SYN flooding an affected switch. Since these switches are designed to add reliability to network applications, this could be a significant denial of service. The vulnerable functionality was introduced in version 4.5. Versions prior to 4.5 are not vulnerable to the issue.

[ firmware ]

vsftpd Listener Denial of Service Vulnerability
BugTraq ID: 10394
Remote: Yes
Date Published: May 21 2004
Relevant URL: http://www.securityfocus.com/bid/10394
Summary:
According to the vendor, vsftpd is prone to a denial of service condition in the connection handling code. vsftpd's listener process can become unstable under extreme loads, denying service to legitimate users.
The issue apparently arises from re-entering malloc and free, possibly corrupting memory. vsftpd calls non-reentrant functions inappropriately, thus leading to a denial of service vulnerability.

[ a problem perhaps due to multithreading, a programming method that increases complexity and inter-vulnerability ]

UCD-SNMPD Command Line Parsing Local Buffer Overflow Vulnera...
BugTraq ID: 10396
Remote: No
Date Published: May 21 2004
Relevant URL: http://www.securityfocus.com/bid/10396
Summary:
It is reported that the UCD-SNMP 'snmpd' daemon is prone to a command line parsing buffer overflow vulnerability. This issue is due to a failure of the application to properly validate the size of user-supplied argument strings before copying them into a finite buffer. This issue may permit a local attacker to influence the execution flow of the affected snmpd daemon, and ultimately execute arbitrary instructions in the context of the process. This vulnerability is reported to affect UCD-SNMP versions up to and including version 4.2.6.
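The SCTP entry (BID 10326) in the earlier newsletter summary describes an allocation of a zero-byte chunk caused by an unchecked user-supplied integer. The following is an added illustration of that bug class, not the kernel's net/sctp/socket.c code: the struct opt_hdr header, the OPT_MAX_LEN bound and the opt_set() handler are hypothetical. It shows how a 32-bit length from userspace wraps the allocation size to zero when it is added to a header size before being range-checked, and how bounding the value first makes the later arithmetic safe.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical option record header; not the kernel's SCTP structures. */
struct opt_hdr {
    uint32_t tag;
    uint32_t len;
};

#define OPT_MAX_LEN 256u  /* hypothetical upper bound for one option body */

/* Vulnerable pattern: the allocation size is derived from a user-controlled
 * 32-bit length with no range check. With optlen = 0xFFFFFFF8 the addition
 * wraps to 0, so the caller gets a zero-byte buffer and then copies optlen
 * bytes into it (the failure mode BID 10326 describes). Returns the size
 * that would be handed to the allocator. */
uint32_t alloc_size_unsafe(uint32_t optlen)
{
    return (uint32_t)(sizeof(struct opt_hdr) + optlen);
}

/* Hardened pattern: bound the untrusted value before any arithmetic on it.
 * Because OPT_MAX_LEN is far below UINT32_MAX, the later addition cannot
 * wrap. Returns 0 for a rejected length, otherwise the exact byte count. */
size_t alloc_size_checked(uint32_t optlen)
{
    if (optlen > OPT_MAX_LEN)
        return 0;
    return sizeof(struct opt_hdr) + (size_t)optlen;
}

/* A setsockopt()-style handler built on the checked size: copies the option
 * body into a newly allocated header+body record. Returns NULL on any bad
 * length or allocation failure; the caller owns the result. */
struct opt_hdr *opt_set(uint32_t tag, const void *body, uint32_t optlen)
{
    size_t sz = alloc_size_checked(optlen);
    if (sz == 0)
        return NULL;
    struct opt_hdr *rec = malloc(sz);
    if (rec == NULL)
        return NULL;
    rec->tag = tag;
    rec->len = optlen;
    memcpy(rec + 1, body, optlen);   /* the body follows the header */
    return rec;
}

/* Convenience for exercising opt_set(): 1 if the option was accepted. */
int opt_set_accepts(const void *body, uint32_t optlen)
{
    struct opt_hdr *rec = opt_set(1, body, optlen);
    if (rec == NULL)
        return 0;
    free(rec);
    return 1;
}

int main(void)
{
    printf("unsafe size for 0xFFFFFFF8:  %u\n", alloc_size_unsafe(0xFFFFFFF8u));
    printf("checked size for 0xFFFFFFF8: %zu\n", alloc_size_checked(0xFFFFFFF8u));
    printf("checked size for 16:         %zu\n", alloc_size_checked(16));
    return 0;
}
```

The order of operations is the whole point: the check must be on the raw value received from the user, not on a sum or difference computed from it, because the wrapped result can look perfectly reasonable.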
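The KDE URI handler entry (BID 10358) above comes down to a host name beginning with '-' being handed to telnet, rlogin or ssh as an argument, where it is parsed as an option. The following is an added example, not KDE's code, of the two defences a handler can apply before spawning the client: validate the host name against the RFC 1123 syntax (which never allows a label to start with '-'), and, where the client's option parser honours it, place "--" before the host. OpenSSH parses its options with getopt(), which stops at "--"; for other clients check the manual rather than assume it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if h is a plausible DNS host name, 0 otherwise. Rules follow the
 * RFC 1123 host name syntax: labels of letters, digits and '-', 1 to 63
 * characters each, not beginning or ending with '-', separated by single
 * dots, 253 characters at most. A trailing dot is also refused. A leading
 * '-' is the case BID 10358 is about: telnet, rlogin or ssh would parse it
 * as an option. Characters such as ' ', '=' or '/' are refused as well. */
int hostname_is_safe(const char *h)
{
    size_t len = strlen(h);
    size_t label = 0;   /* characters seen in the current label */

    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i <= len; i++) {
        char c = h[i];
        if (c == '.' || c == '\0') {
            if (label == 0)            /* leading dot, ".." or trailing dot */
                return 0;
            if (h[i - 1] == '-')       /* label ending in '-' */
                return 0;
            label = 0;
            continue;
        }
        if (label == 0 && c == '-')    /* label (or whole name) starting with '-' */
            return 0;
        if (!isalnum((unsigned char)c) && c != '-')
            return 0;
        if (++label > 63)
            return 0;
    }
    return 1;
}

/* Builds the argv for the external client only after validation, with "--"
 * as a second line of defence: a getopt()-based parser stops option
 * processing there, so even a host that slipped through could not become an
 * option. Returns the argument count, or -1 if the host is rejected.
 * argv must have room for 4 pointers. */
int build_ssh_argv(const char *host, const char *argv[])
{
    if (!hostname_is_safe(host))
        return -1;
    argv[0] = "ssh";
    argv[1] = "--";
    argv[2] = host;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample inputs: one legitimate host and three hostile ones. */
    const char *samples[] = { "example.org", "-oProxyCommand=id", "a..b", "bad-.org" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               hostname_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Validation is the primary control and "--" the backstop, not the other way round: "--" only helps with clients that implement it, while the whitelist also stops the other characters (spaces, '=', '/') that would never appear in a real host name.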
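The wget entry (BID 10361) and the comment following it describe a time-of-check/time-of-use race in a shared directory: between "does index.html exist?" and "write index.html", a local attacker plants a symlink under that name. The following is an added example, not wget's code, of the two remedies in C: creating the output file with O_EXCL|O_NOFOLLOW, which fails instead of following a planted symlink, and the private 0700 working directory the comment recommends, created atomically with mkdtemp(). The demo function replays the planted-symlink scenario inside such a directory and reports whether the exclusive create refused it; the file names are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp(), O_NOFOLLOW, symlink() */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a download target so that a name planted between the existence
 * check and the write cannot be followed or overwritten: O_EXCL makes open()
 * fail with EEXIST if any entry (file, directory or symlink, even a dangling
 * one) already has that name, and O_NOFOLLOW refuses a symlink as the final
 * path component. Returns a file descriptor, or -1 with errno set. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* The approach recommended in the comment above, for scripts: a private
 * working directory created atomically with mode 0700 by mkdtemp() under
 * $TMPDIR or /tmp, so that nothing in a shared directory is ever raced
 * against. Writes the path into buf; returns 0 on success, -1 on failure. */
int make_private_workdir(char *buf, size_t n)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    if (snprintf(buf, n, "%s/dl_XXXXXX", base) >= (int)n)
        return -1;
    return mkdtemp(buf) == NULL ? -1 : 0;
}

/* Replays the advisory's scenario inside a private directory: the attacker
 * pre-plants a symlink under the name the downloader is about to use.
 * Returns 1 if create_exclusive() refused the planted name with EEXIST and
 * still created a fresh name normally, 0 otherwise. Cleans up after itself. */
int demo_planted_symlink(void)
{
    char dir[PATH_MAX], planted[PATH_MAX], fresh[PATH_MAX], target[PATH_MAX];
    int fd, refused = 0, created = 0;

    if (make_private_workdir(dir, sizeof dir) != 0)
        return 0;
    snprintf(planted, sizeof planted, "%s/index.html", dir);    /* constructed names */
    snprintf(fresh, sizeof fresh, "%s/index.html.1", dir);
    snprintf(target, sizeof target, "%s/victim-file", dir);

    if (symlink(target, planted) == 0) {          /* attacker's move */
        fd = create_exclusive(planted);           /* downloader's move */
        refused = (fd == -1 && errno == EEXIST);
        if (fd != -1)
            close(fd);
        fd = create_exclusive(fresh);             /* a name nobody planted */
        created = (fd != -1);
        if (fd != -1)
            close(fd);
    }
    unlink(planted);
    unlink(fresh);
    rmdir(dir);
    return refused && created;
}

int main(void)
{
    printf("planted symlink refused, fresh name created: %s\n",
           demo_planted_symlink() ? "yes" : "no");
    return 0;
}
```

Note what O_EXCL does not do: it does not choose a new name for you, so a program that wants wget's ".1, .2, ..." behaviour has to loop, trying each candidate with O_EXCL until one succeeds, rather than testing for existence first and then opening.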
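The Neon (BID 10385) and Subversion (BID 10386) entries above describe the same bug class: sscanf() string conversions with no maximum field width, so that a token longer than its destination overruns it. The following is an added example, not Neon's ne_rfc1036_parse() or Subversion's code. It parses the RFC 1036 date layout that HTTP/1.1 (RFC 2616, section 3.3.1) accepts, for example "Sunday, 06-Nov-94 08:49:37 GMT", first in the vulnerable style for contrast and then hardened: every string conversion carries a width one less than its buffer, the scansets admit only the characters the grammar allows, "%n" catches trailing junk, and the numeric fields are range-checked afterwards. The field sizes in struct rfc1036_date are my own choice.

```c
#include <stdio.h>
#include <string.h>

/* Parsed form of an RFC 1036 date such as "Sunday, 06-Nov-94 08:49:37 GMT".
 * The buffer sizes here are what the width specifiers below derive from. */
struct rfc1036_date {
    char wkday[16];
    int  day;
    char mon[4];
    int  year;          /* two digits, as written */
    int  hour, min, sec;
    char zone[8];
};

/* Vulnerable pattern, kept only for contrast; never call it on untrusted
 * input. "%s" has no maximum width, so a weekday or zone token longer than
 * its destination overruns it. When the struct lives in a heap block, as in
 * the Neon and Subversion reports, that is a heap overflow. */
int parse_rfc1036_unsafe(const char *s, struct rfc1036_date *d)
{
    return sscanf(s, "%s %d-%3s-%d %d:%d:%d %s",
                  d->wkday, &d->day, d->mon, &d->year,
                  &d->hour, &d->min, &d->sec, d->zone) == 8;
}

/* Hardened pattern: widths of 15, 3 and 7 match wkday[16], mon[4] and
 * zone[8]; the scansets accept letters only; "%n" records how much of the
 * input was consumed so leftovers can be rejected; the numbers are then
 * range-checked. Returns 0 on success, -1 on malformed or oversized input. */
int parse_rfc1036(const char *s, struct rfc1036_date *d)
{
    int consumed = 0;

    memset(d, 0, sizeof *d);
    if (sscanf(s, "%15[A-Za-z], %2d-%3[A-Za-z]-%2d %2d:%2d:%2d %7[A-Z]%n",
               d->wkday, &d->day, d->mon, &d->year,
               &d->hour, &d->min, &d->sec, d->zone, &consumed) != 8)
        return -1;
    if (s[consumed] != '\0')            /* anything left over is not a date */
        return -1;
    if (d->day < 1 || d->day > 31 || d->year < 0)
        return -1;
    if (d->hour < 0 || d->hour > 23 || d->min < 0 || d->min > 59 ||
        d->sec < 0 || d->sec > 60)      /* 60 allows a leap second */
        return -1;
    return 0;
}

/* Seconds since midnight for a valid date string, -1 if it is rejected:
 * a single value that is convenient for exercising the parser. */
int rfc1036_seconds_of_day(const char *s)
{
    struct rfc1036_date d;
    if (parse_rfc1036(s, &d) != 0)
        return -1;
    return d.hour * 3600 + d.min * 60 + d.sec;
}

int main(void)
{
    /* Constructed inputs: one valid date, one with an oversized weekday. */
    const char *good = "Sunday, 06-Nov-94 08:49:37 GMT";
    const char *bad  = "Sundaymondaytuesdayw, 06-Nov-94 08:49:37 GMT";
    printf("%s -> %d\n", good, rfc1036_seconds_of_day(good));
    printf("%s -> %d\n", bad, rfc1036_seconds_of_day(bad));
    return 0;
}
```

With the width in place an oversized token is a matching failure (the literal ',' no longer lines up), so sscanf() returns fewer than 8 conversions and the caller rejects the line instead of having its heap corrupted. The same discipline applies to any "%s" that reads network data, including the CVS entry-line parsing mentioned in BID 10384.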