[gull-annonces] Summary of SecurityFocus Newsletter #248

Marc SCHAEFER schaefer at alphanet.ch
Tue May 11 10:11:01 CEST 2004


sysklogd Crunch_List Buffer Overrun Vulnerability
BugTraq ID: 10238
Remote: No
Date Published: Apr 29 2004
Relevant URL: http://www.securityfocus.com/bid/10238
Summary:
sysklogd has been reported to be prone to a buffer overrun vulnerability.

This condition may theoretically permit a local attacker to crash the
server.  It is not believed that this condition may be exploited to
execute arbitrary code with elevated privileges, since the syslogd
component may not be installed with setuid/setgid permissions, though
this has not been confirmed.

Sesame Unauthorized Repository Access Vulnerability
BugTraq ID: 10239
Remote: Yes
Date Published: Apr 29 2004
Relevant URL: http://www.securityfocus.com/bid/10239
Summary:
It has been reported that the Sesame RDF repository application is
prone to an unauthorized repository access vulnerability.  This issue
is due to a failure of the application to properly secure repository
contents in memory once they have been accessed.

This issue might allow an attacker to gain access to other users
repositories; potentially leading to the disclosure of sensitive
information.

3Com SuperStack 3 NBX Netset Application Port Scan Denial of...
BugTraq ID: 10240
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10240
Summary:
A vulnerability has been discovered in 3Com SuperStack 3 NBX IP telephones. 

This issue occurs when an affected port is scanned with the Nessus
security audit tool, configured in safeChecks mode. This will
effectively cause the NBX Netset application to crash.

It is reported that a hard reboot is required to restore normal functionality.

[ firmware. Yes, telephones have buffer overflows ]

Midnight Commander Multiple Unspecified Vulnerabilities
BugTraq ID: 10242
Remote: Unknown
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10242
Summary:
It has been reported that Midnight Commander is prone to multiple,
unspecified vulnerabilities.  These issues are due to various design
and boundary condition errors.

These issues could be leveraged by an attacker to execute arbitrary
code on an affected system, which may facilitate unauthorized
access. It is also possible for an attacker to carry out symbolic link
attacks against an affected system, potentially facilitating a system
wide denial of service.

Multiple LHA Buffer Overflow/Directory Traversal Vulnerabili...
BugTraq ID: 10243
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10243
Summary:
LHA has been reported prone to multiple vulnerabilities that may allow
a malicious archive to execute arbitrary code or corrupt arbitrary
files when the archive is operated on.

The first issues reported have been assigned the CVE candidate
identifier (CAN-2004-0234). It is reported that LHA is prone to two
stack based buffer overflow vulnerabilities. These vulnerabilities may
be exploited to execute supplied instructions with the privileges of
the user who invoked the affected LHA utility.

The second set of issues has been assigned CVE candidate identifier
(CAN-2004-0235). In addition to the buffer overflow vulnerabilities
that were reported, LHA has been reported prone to several directory
traversal issues. These directory traversal vulnerabilities may likely
be exploited to corrupt/overwrite files in the context of the user who
is running the affected LHA utility.
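The directory traversal half of the LHA advisory comes down to one check the extractor must make before it opens anything: does the member name stay beneath the extraction directory? The following is an added example written in C for this summary, not LHA's code; it assumes that ".." components, absolute paths and DOS drive letters are the vectors (the advisory gives no specifics) and that '\' must be treated as a separator as well as '/'. The member names in main() are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if an archive member name may be extracted beneath the
 * extraction directory, 0 if it must be skipped. Rejects empty names,
 * absolute paths, DOS drive letters, and any ".." path component.
 * Both '/' and '\' count as separators because LHA archives made on
 * DOS/Windows use backslashes. Assumption for this example: the archive
 * format places no other constraint on member names. */
int archive_path_is_safe(const char *name)
{
    const char *p = name;

    if (*p == '\0')
        return 0;
    if (*p == '/' || *p == '\\')            /* absolute path */
        return 0;
    if (p[1] == ':')                        /* DOS drive letter, e.g. C:\ */
        return 0;

    while (*p) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        /* Exactly ".." as a component is traversal; "..." or "..foo" is not. */
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;
        if (*p)
            p++;                            /* skip the separator */
    }
    return 1;
}

/* Build the destination path for a member. Refuses unsafe names and also
 * refuses to truncate: a silently truncated path names a different file. */
int build_dest_path(const char *dir, const char *name, char *out, size_t outlen)
{
    int n;

    if (!archive_path_is_safe(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Screen a whole member list before touching the filesystem. Returns the
 * number of members that were rejected. */
int count_unsafe_members(const char *const *names, size_t n)
{
    int rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (!archive_path_is_safe(names[i]))
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed member names, as a hostile archive might carry them. */
    const char *const members[] = {
        "docs/readme.txt",
        "../../.ssh/authorized_keys",
        "..\\..\\boot.ini",
        "/etc/passwd",
    };
    char dest[256];

    for (size_t i = 0; i < 4; i++) {
        if (build_dest_path("/tmp/extract", members[i], dest, sizeof dest) == 0)
            printf("extract  %s -> %s\n", members[i], dest);
        else
            printf("REJECT   %s\n", members[i]);
    }
    return 0;
}
```

Component checking alone does not defeat a symlink that an earlier member of the same archive created: an extractor also has to refuse to follow symlinks when it creates the destination (lstat() the parent, O_NOFOLLOW on the open) or resolve the parent with realpath() and compare it against the extraction root.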

libpng Broken PNG Out Of Bounds Access Denial Of Service Vul...
BugTraq ID: 10244
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10244
Summary:
The libpng graphics library is reported to be prone to a denial of
service vulnerability when handling certain types of broken images.

It is conjectured that this issue will cause an access violation on
certain systems if software that is linked to the vulnerable library
is used to handle a malicious broken PNG image that is sufficient to
trigger the vulnerability.

SquirrelMail Folder Name Cross-Site Scripting Vulnerability
BugTraq ID: 10246
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10246
Summary:
It has been reported that SquirrelMail is affected by a cross-site
scripting vulnerability in the handling of folder name displays.  This
issue is due to a failure of the application to properly sanitize
user-supplied input prior to including it in dynamic web content.

This issue may allow for theft of cookie-based authentication
credentials.  Other attacks are also possible.

ReciPants SQL Injection and Cross-Site Scripting Vulnerabili...
BugTraq ID: 10250
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10250
Summary:
It has been reported that ReciPants is vulnerable to SQL injection and
cross-site scripting vulnerabilities. These issues are due to a
failure of the application to properly sanitize user-supplied input
prior to using the input in database queries. When a query fails, the
error message, including the malicious content is displayed to the
victim's browser.

These issues may allow an attacker to gain access to sensitive
information, corrupt database contents, and steal authentication
credentials. Other attacks are also possible.

ProFTPD CIDR Access Control Rule Bypass Vulnerability
BugTraq ID: 10252
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10252
Summary:
ProFTPD has been reported prone to an access control rule bypass
vulnerability. The issue was reportedly introduced when a "portability
workaround" was applied to ProFTPD version 1.2.9.

This vulnerability may lead a system administrator into a false sense
of security, where it is believed that access to the ProFTPD server is
restricted by access control rules. In reality the access control
restriction will not be enforced at all.
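The advisory does not say how the workaround broke the check, so the following shows only what a CIDR allow rule has to compute and where such code tends to go wrong: the mask for /0 and /32, and malformed rules that must fail closed rather than match everything. This is an added C example written for this summary, not ProFTPD's code; the rule syntax ("a.b.c.d/n" or a bare host address) and the "Allow from" semantics in allow_from() are assumptions of the example, and the client addresses in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a dotted quad into host byte order. Returns 0 on success, -1 on
 * anything that is not exactly four octets in 0..255. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;

    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* Network mask for a prefix length. Shifting a 32-bit value by 32 bits is
 * undefined in C and gives different results on different compilers, so
 * /0 and /32 are handled explicitly: exactly the kind of edge that a
 * "portability workaround" can turn into a rule matching nothing or everything. */
static uint32_t prefix_mask(int prefix)
{
    if (prefix <= 0)
        return 0;
    if (prefix >= 32)
        return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - prefix);
}

/* 1 if ip falls within cidr ("a.b.c.d/n" or a bare host "a.b.c.d"),
 * 0 if it does not, -1 if either string is malformed. A malformed rule
 * must never be treated as a match. */
int cidr_match(const char *ip, const char *cidr)
{
    char buf[64];
    char *slash, *end;
    uint32_t addr, net, mask;
    int prefix = 32;

    if (strlen(cidr) >= sizeof buf)
        return -1;
    strcpy(buf, cidr);
    slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        prefix = (int)strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || prefix < 0 || prefix > 32)
            return -1;
    }
    if (parse_ipv4(ip, &addr) != 0 || parse_ipv4(buf, &net) != 0)
        return -1;
    mask = prefix_mask(prefix);
    return (addr & mask) == (net & mask);
}

/* Evaluate an allow list the way an "Allow from" directive should:
 * admit the client only if at least one rule parses and matches. */
int allow_from(const char *ip, const char *const *rules, size_t nrules)
{
    for (size_t i = 0; i < nrules; i++)
        if (cidr_match(ip, rules[i]) == 1)
            return 1;
    return 0;
}

int main(void)
{
    const char *const rules[] = { "127.0.0.1", "192.168.0.0/16", "10.1.2.0/24" };
    const char *const clients[] = { "192.168.7.7", "10.1.2.9", "10.1.3.9", "8.8.8.8" };

    for (size_t i = 0; i < 4; i++)
        printf("%-12s %s\n", clients[i],
               allow_from(clients[i], rules, 3) ? "allowed" : "denied");
    return 0;
}
```

A useful check after upgrading any such daemon is a negative test: connect from an address outside every rule and confirm it is actually refused. The bypass described above is invisible to a test that only connects from an allowed address.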

Emacs flim Library Insecure Temporary File Creation Vulnerab...
BugTraq ID: 10259
Remote: No
Date Published: May 02 2004
Relevant URL: http://www.securityfocus.com/bid/10259
Summary:
The Emacs flim library is prone to a symlink vulnerability.  This
could allow files to be overwritten with the privileges of the user
running Emacs.

[ Library to provide basic features about message for Emacsen,
  incompatible with Gnus
]

PaX 2.6 Kernel Patch Denial Of Service Vulnerability
BugTraq ID: 10264
Remote: No
Date Published: May 03 2004
Relevant URL: http://www.securityfocus.com/bid/10264
Summary:
PaX for 2.6 series Linux kernels has been reported prone to a local
denial of service vulnerability. The issue is reported to present
itself when PaX Address Space Layout Randomization (ASLR) is
enabled.

The vulnerability may be exploited by a local attacker to influence the kernel into an infinite loop.

[ PaX is a patch for the Linux 2.6 kernel that increases security. Or
is supposed to, anyway. Not to be confused with the pax tools, which
will eventually replace tar and cpio. ]

SmartPeer Undisclosed Local Vulnerability
BugTraq ID: 10265
Remote: No
Date Published: May 03 2004
Relevant URL: http://www.securityfocus.com/bid/10265
Summary:
SmartPeer has been reported prone to an undisclosed vulnerability. The
issue is reported to present itself when the smartpeer -p
mynewpassword command is invoked.

[ SmartPeer is a load balancer for HTTP servers. Assuming we are
talking about the same one. SecurityFocus seems to be removing more and
more of the important information from its reports. ]

SmartPeer version 0.1 is reported prone to this vulnerability,
previous versions might also be affected.

APSIS Pound Remote Format String Vulnerability
BugTraq ID: 10267
Remote: Yes
Date Published: May 03 2004
Relevant URL: http://www.securityfocus.com/bid/10267
Summary:
APSIS Pound has been found to be prone to a remote format string
vulnerability. The problem presents itself when Pound handles certain
requests containing embedded format string specifiers.

Ultimately this vulnerability could allow for execution of arbitrary
code on the system implementing the affected software, which would
occur in the security context of the server process.

[ http://www.apsis.ch/pound/, also a load balancer. Is there a common
code base? ]

IPMenu Log File Symbolic Link Vulnerability
BugTraq ID: 10269
Remote: No
Date Published: May 04 2004
Relevant URL: http://www.securityfocus.com/bid/10269
Summary:
It has been reported that ipmenu is affected by a symbolic link
vulnerability.  This issue is due to a design error that allows for
the creation of temporary files in an insecure fashion, facilitating
symbolic links attacks.

This issue may be leveraged to create a system wide denial of service
condition.  This issue may also be leveraged to escalate privileges on
the affected system, although this is currently unverified.

[ Rule editor for netfilter firewalls:
http://users.pandora.be/stes/ipmenu.html ]
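The flim entry above and this ipmenu entry are the same bug: a temporary file with a predictable name, created without O_EXCL, so a symlink planted at that name by another local user redirects the write. The C example below is added for this summary and is not code from either project; it reproduces the attack in a scratch directory it creates itself (the file names are made up) and shows the mkstemp()-based alternative. It needs a POSIX system with a writable /tmp.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern behind both advisories: a fixed, guessable name is opened
 * with O_CREAT but without O_EXCL, so if an attacker has already put a
 * symlink there the program writes through it into whatever it points at. */
int open_predictable_tmp(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: mkstemp() picks an unpredictable name and opens it with
 * O_CREAT|O_EXCL, which fails on an existing entry, symlink included,
 * instead of following it. template must end in "XXXXXX" and is rewritten
 * with the chosen name. After opening, verify what we actually hold. */
int open_private_tmp(char *template)
{
    struct stat st;
    int fd = mkstemp(template);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_uid != getuid() || (st.st_mode & 077) != 0) {
        close(fd);
        unlink(template);
        return -1;
    }
    return fd;
}

/* Reproduce the attack in a scratch directory: plant a symlink at the
 * predictable name, then try both opens. Returns 1 when the naive open
 * wrote through the link and the exclusive open refused, 0 otherwise,
 * -1 if the scratch setup itself failed. Cleans up after itself. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/tmpfile-demo.XXXXXX";
    char victim[256], link[256];
    struct stat st;
    int fd, followed, refused;
    ssize_t w;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/ipmenu.log", dir);   /* guessable name */

    fd = open(victim, O_WRONLY | O_CREAT, 0600);        /* the target file */
    if (fd < 0 || symlink(victim, link) != 0) {
        if (fd >= 0)
            close(fd);
        unlink(victim);
        rmdir(dir);
        return -1;
    }
    close(fd);

    /* Naive open follows the symlink and clobbers the victim. */
    fd = open_predictable_tmp(link);
    if (fd >= 0) {
        w = write(fd, "owned\n", 6);
        (void)w;                                         /* verified via stat */
        close(fd);
    }
    followed = (stat(victim, &st) == 0 && st.st_size == 6);

    /* O_EXCL refuses: the name exists (as a link), so open() fails. */
    fd = open(link, O_WRONLY | O_CREAT | O_EXCL, 0600);
    refused = (fd < 0);
    if (fd >= 0)
        close(fd);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return followed && refused;
}

int main(void)
{
    char name[] = "/tmp/tmpfile-demo.XXXXXX";
    int fd = open_private_tmp(name);

    printf("symlink attack: naive open followed link, O_EXCL refused: %s\n",
           demo_symlink_attack() == 1 ? "yes" : "no");
    if (fd >= 0) {
        printf("private temp file: %s\n", name);
        close(fd);
        unlink(name);
    }
    return 0;
}
```

The fstat() after mkstemp() is cheap insurance: it confirms the descriptor refers to a regular file owned by the caller with mode 0600, independent of anything a later check on the path name would say. Removing the file by the name mkstemp() wrote back, while the descriptor is still open, avoids reintroducing a race at cleanup time.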

Kolab Groupware Server OpenLDAP Plaintext Password Storage V...
BugTraq ID: 10277
Remote: No
Date Published: May 05 2004
Relevant URL: http://www.securityfocus.com/bid/10277
Summary:
It has been reported that Kolab groupware server is prone to a
plaintext password storage vulnerability that may allow an attacker to
disclose OpenLDAP passwords that are stored in plaintext format.

Kolab Server versions 1.0.8 and prior may be prone to this issue.

[ GPL licence. http://kroupware.org/. Groupware project backed by the
  German government and a company. ]

SuSE Linux Kernel HbaApiNode Improper File Permissions Denia...
BugTraq ID: 10279
Remote: No
Date Published: May 03 2004
Relevant URL: http://www.securityfocus.com/bid/10279
Summary:
A vulnerability has been identified in the SuSE Linux kernel that may
allow a local attacker to cause a denial of service condition on a
vulnerable system.  The issue is reported to be caused by improper
file permissions on '/proc/scsi/qla2300/HbaApiNode' file.

SuSE Linux Enterprise Server 8.0, SuSE Linux 8.1 and 9.0 are reported
to be affected by this issue.

Due to a lack of details, further information cannot be provided at
the moment.  This BID will be updated as more information becomes
available.

[ The QLA2300 is a QLogic Fibre Channel adapter, so I would be surprised
if this affected very many people, unless the stock kernel includes
this driver. ]

FreeBSD Kernel VM_Map Local Denial Of Service Vulnerability
BugTraq ID: 10285
Remote: No
Date Published: May 05 2004
Relevant URL: http://www.securityfocus.com/bid/10285
Summary:
The virtual memory mapping module for the FreeBSD kernel has been
reported prone to a local denial of service vulnerability.

A local user may exploit this issue to influence the virtual memory
mapping module of the FreeBSD kernel into allocating arbitrary amounts
of memory. This may potentially exhaust system resources. Once memory
resources are exhausted, a kernel panic will likely occur, effectively
denying service to legitimate users.

It is not currently known if other BSD derivatives are affected by this issue.

P4DB Multiple Input Validation Vulnerabilities
BugTraq ID: 10286
Remote: Yes
Date Published: May 05 2004
Relevant URL: http://www.securityfocus.com/bid/10286
Summary:
It has been reported that P4DB is affected by multiple input
validation vulnerabilities.  These issues are due to a failure of the
application to properly sanitize user-supplied URI input.

Both cross-site scripting and remote, arbitrary command execution
vulnerabilities have been reported.

The cross-site scripting issues could permit a remote attacker to
create a malicious URI link that includes hostile HTML and script
code. If this link were followed, the hostile code may be rendered in
the web browser of the victim user. This would occur in the security
context of the affected web site and may allow for theft of
cookie-based authentication credentials or other attacks.

Exploitation of the command execution vulnerabilities could allow a
remote, unauthenticated user to remotely execute arbitrary commands on
the underlying system with the privileges of the web server that is
hosting the vulnerable application.

Currently the information available is not sufficient to provide more
information; this BID will be updated as new details are released.

[ A Perl tool for browsing a problem / defect database ]
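The SquirrelMail, ReciPants and P4DB entries above are the same class of bug: a value from the request, or an error message that echoes it, is placed into HTML without escaping. The example below is added for this summary and is not code from any of those projects (which are PHP and Perl; the logic is that of htmlspecialchars(), written in C here to match the other examples). The folder names used are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Escape a string for insertion into an HTML text node or a double-quoted
 * attribute value. These five characters are the ones that can close a
 * text node, open a tag or break out of a quoted attribute. Returns the
 * output length, or -1 if the result would not fit: refuse rather than
 * truncate, since a cut-off entity is itself a new injection point. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;

    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        size_t rl;

        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        rl = rep ? strlen(rep) : 1;
        if (o + rl >= outlen)
            return -1;
        if (rep)
            memcpy(out + o, rep, rl);
        else
            out[o] = *p;
        o += rl;
    }
    out[o] = '\0';
    return (int)o;
}

/* Vulnerable shape: the folder name goes into the markup as received. */
int render_folder_unsafe(const char *folder, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "<li>%s</li>", folder);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hardened: escape first, then format. */
int render_folder_safe(const char *folder, char *out, size_t outlen)
{
    char esc[512];
    int n;

    if (html_escape(folder, esc, sizeof esc) < 0)
        return -1;
    n = snprintf(out, outlen, "<li>%s</li>", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Crude detector used only to make the difference visible: does the
 * rendered markup contain a tag that the template did not put there? */
int contains_foreign_tag(const char *html)
{
    const char *p = html;

    while ((p = strchr(p, '<')) != NULL) {
        if (strncmp(p, "<li>", 4) != 0 && strncmp(p, "</li>", 5) != 0)
            return 1;
        p++;
    }
    return 0;
}

int main(void)
{
    /* A constructed folder name carrying a script payload. */
    const char *folder = "Inbox<script>alert(document.cookie)</script>";
    char html[256];

    render_folder_unsafe(folder, html, sizeof html);
    printf("unsafe: %s\n", html);
    render_folder_safe(folder, html, sizeof html);
    printf("safe:   %s\n", html);
    return 0;
}
```

html_escape() is correct for text nodes and double-quoted attribute values only. A value that lands inside a URL, a script block or an unquoted attribute needs the encoding for that context; escaping for the wrong context is how many "fixed" XSS bugs come back.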

Heimdal K5AdminD Remote Heap Buffer Overflow
BugTraq ID: 10288
Remote: Yes
Date Published: May 05 2004
Relevant URL: http://www.securityfocus.com/bid/10288
Summary:
It has been reported that a remote heap overflow vulnerability exists
in the k5admind daemon.  This issue is due to an input validation
error: the daemon fails to validate the length given in the framing of
Kerberos 4 network communication packets.

It has been reported that this issue will only affect versions of the
daemon that include Kerberos 4 support; If the daemon does not include
this compatibility then it is not vulnerable.

The immediate consequence of an attack is a denial of service
condition in the affected server.  It might also be possible that this
issue could facilitate remote code execution that would take place
with the privileges of the affected daemon.
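The Heimdal entry describes the classic framing bug: a length field in the packet drives an allocation or copy without being compared to what was actually received. The C parser below is an added example for this summary, not Heimdal's code; it assumes a 4-byte big-endian length prefix and a protocol ceiling of 4096 bytes (MAX_FRAME_BODY), which are stand-ins for the Kerberos 4 framing the advisory refers to. sample_stream is constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed ceiling for one message body; a real implementation takes this
 * from the protocol definition. */
#define MAX_FRAME_BODY 4096

struct frame {
    const uint8_t *body;
    size_t len;
};

/* Read the 4-byte big-endian length that prefixes a frame. */
static uint32_t declared_length(const uint8_t *buf)
{
    return ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
         | ((uint32_t)buf[2] << 8) | buf[3];
}

/* Vulnerable shape: believe the header. Returns whatever the sender
 * claimed, which a following malloc(len)/memcpy(len) pair then trusts.
 * Kept for comparison only; nothing here copies with it. */
size_t frame_len_unchecked(const uint8_t *buf, size_t avail)
{
    (void)avail;                      /* never consulted: that is the bug */
    return declared_length(buf);
}

/* Hardened parser. Fills *out and returns 0, or returns -1 when the header
 * is short, the declared length exceeds the protocol ceiling, or it exceeds
 * what was actually received. `avail - 4` is computed only after the
 * avail < 4 check, so the subtraction cannot wrap. */
int parse_frame(const uint8_t *buf, size_t avail, struct frame *out)
{
    uint32_t declared;

    if (avail < 4)
        return -1;
    declared = declared_length(buf);
    if (declared > MAX_FRAME_BODY)
        return -1;
    if (declared > avail - 4)
        return -1;
    out->body = buf + 4;
    out->len = declared;
    return 0;
}

/* The copy step that overflows when it is driven by the declared length
 * instead of by the size of the destination. */
int copy_frame_body(const struct frame *f, uint8_t *dst, size_t dstlen)
{
    if (f->len > dstlen)
        return -1;
    memcpy(dst, f->body, f->len);
    return (int)f->len;
}

/* Walk a receive buffer holding several frames back to back. Stops at the
 * first malformed frame and returns how many well-formed ones preceded it,
 * so a bad length in frame 3 cannot make the parser read frame 4 out of bounds. */
int count_frames(const uint8_t *buf, size_t avail)
{
    int n = 0;
    struct frame f;

    while (avail > 0 && parse_frame(buf, avail, &f) == 0) {
        n++;
        buf += 4 + f.len;
        avail -= 4 + f.len;
    }
    return n;
}

/* Constructed sample input: two good frames, then one whose header claims
 * far more than was received. */
const uint8_t sample_stream[] = {
    0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0,                           /* legal empty frame */
    0, 0, 0, 9, 'x', 'y',                 /* claims 9, only 2 follow */
};

int main(void)
{
    struct frame f;

    printf("well-formed frames in sample stream: %d\n",
           count_frames(sample_stream, sizeof sample_stream));
    printf("third frame: header claims %zu, checked parser says %s\n",
           frame_len_unchecked(sample_stream + 13, 6),
           parse_frame(sample_stream + 13, 6, &f) == 0 ? "ok" : "malformed");
    return 0;
}
```

Two details matter: the ceiling check runs before the availability check so that a 32-bit length can never be used to size an allocation, and the copy is bounded by the destination, not by the frame, so even a parser mistake upstream cannot turn into a heap overrun.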

Exim Sender Verification Remote Stack Buffer Overrun Vulnera...
BugTraq ID: 10290
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10290
Summary:
Exim has been reported prone to a remotely exploitable stack-based
buffer overrun vulnerability.

This is exposed if sender verification has been enabled in the agent
and may be triggered by a malicious e-mail.  Exploitation may permit
execution of arbitrary code in the context of the mail transfer agent.

This issue is reported to exist in Exim 3.35.  Earlier versions may
also be affected.

It should be noted that the vulnerable functionality is not enabled in
the default install, though some Linux/Unix distributions that ship
the software may enable it.

Exim Header Syntax Checking Remote Stack Buffer Overrun Vuln...
BugTraq ID: 10291
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10291
Summary:
Exim is reportedly prone to a remotely exploitable stack-based buffer
overrun vulnerability.

This issue is exposed if header syntax checking has been enabled in
the agent and may be triggered by a malicious e-mail.  Though not
confirmed to be exploitable, if this condition were to be exploited,
it would result in execution of arbitrary code in the context of the
mail transfer agent.  Otherwise, the agent would crash when handling
malformed syntax in an e-mail message.

The issue is reported to exist in both Exim 3.35 and 4.32, though the
vulnerable code exists in different source files in each of these
versions.

It should be noted that the vulnerable functionality is not enabled in
the default install, though some Linux/Unix distributions that ship
the software may enable it.

DeleGate SSLway Filter Remote Stack Based Buffer Overflow Vu...
BugTraq ID: 10295
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10295
Summary:
A remote buffer overflow vulnerability has been reported to affect the
DeleGate SSLway filter. This filter is employed when DeleGate is
applying SSL to arbitrary protocols.

The issue presents itself due to a lack of sufficient boundary checks
performed, when copying user-supplied certificate field contents.

A remote attacker may potentially exploit this issue, to overwrite the
return address of the static ssl_prcert() function. The attacker may
corrupt any other saved value that is within 768 bytes from the end of
the affected buffers.

It has been reported that the X509_NAME_oneline() function will
perform character conversion on characters below '0x20' or above
'0x7e'; this may hinder exploitation of this issue.
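The DeleGate entry, and the two Exim entries before it, are stack overruns of the same shape: peer-supplied text formatted into a fixed-size buffer on the stack. The C example below is added for this summary and is not code from DeleGate, Exim or OpenSSL. cert_line_unsafe() shows the shape, cert_line() the bounded replacement, and oneline_escape() models the character conversion the advisory credits with hindering exploitation, assuming the \xHH output form that OpenSSL's X509_NAME_oneline() uses for such bytes. The buffer sizes and the sample subject bytes are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: a fixed stack buffer filled by sprintf/strcpy from
 * data whose length the peer controls (a certificate subject here, a
 * sender address or header line in the Exim cases). Kept for comparison;
 * never called with overlong input, which would be undefined behaviour. */
void cert_line_unsafe(const char *subject, char *out)
{
    char line[256];

    sprintf(line, "subject=%s", subject);    /* overruns line past 247 chars */
    strcpy(out, line);
}

/* Hardened: bounded formatting, and truncation treated as an error rather
 * than silently producing a different string. Returns length or -1. */
int cert_line(const char *subject, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "subject=%s", subject);

    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Model of the conversion the advisory mentions: bytes outside 0x20..0x7e
 * come out as \xHH. Every such byte costs four output bytes and can no
 * longer appear raw, which is what shellcode and return addresses usually
 * need. Returns the output length, or -1 if it does not fit. */
int oneline_escape(const unsigned char *in, size_t inlen, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;

    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = in[i];

        if (c < 0x20 || c > 0x7e) {
            if (o + 4 >= outlen)
                return -1;
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* How many bytes of a would-be payload does the conversion refuse to pass
 * through unchanged? Any payload needing a raw byte outside the printable
 * range is blocked at that byte. */
int raw_bytes_blocked(const unsigned char *payload, size_t len)
{
    int blocked = 0;

    for (size_t i = 0; i < len; i++)
        if (payload[i] < 0x20 || payload[i] > 0x7e)
            blocked++;
    return blocked;
}

int main(void)
{
    char out[64], esc[64];
    char longsubj[600];
    const unsigned char raw[] = { 'C', 'N', '=', 0x08, 0xff, 'A' };

    memset(longsubj, 'A', sizeof longsubj - 1);
    longsubj[sizeof longsubj - 1] = '\0';

    printf("short subject: %d\n", cert_line("CN=example", out, sizeof out));
    printf("599-byte subject into 64 bytes: %d (refused)\n",
           cert_line(longsubj, out, sizeof out));
    if (oneline_escape(raw, sizeof raw, esc, sizeof esc) > 0)
        printf("escaped: %s (%d raw bytes blocked)\n", esc,
               raw_bytes_blocked(raw, sizeof raw));
    return 0;
}
```

Note what the conversion does and does not buy: it removes raw bytes outside 0x20..0x7e and quadruples their length, which rules out most return addresses and shellcode in the overflowed data, but it does not shorten the input, so the overrun itself, and the crash, still happen. The fix is the bounded copy, not the escaping.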

KAME Racoon Remote IKE Message Denial Of Service Vulnerabili...
BugTraq ID: 10296
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10296
Summary:
It has been reported that KAME is affected by a remote denial of
service vulnerability when processing malformed IKE messages.  This
issue is due to a failure of the daemon to properly handle malformed
messages.

This issue can be leveraged to cause the affected daemon to enter an
infinite loop; effectively denying service to legitimate users.

SuSE LINUX 9.1 Personal Edition Live CD-ROM SSH Server Defau...
BugTraq ID: 10297
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10297
Summary:
It has been reported that SuSE LINUX 9.1 Personal Edition Live CD-ROM
can allow an attacker to gain full access to a vulnerable system. The
issue presents itself when a user boots the machine with the affected
CD-ROM. It has been reported that due to a configuration error, the
system configures an SSH server on the host with a default root
account.

[ Knoppix showed the way: no root password, sudo. Or was it Apple?
PS: is there still a completely free version of SuSE? ]



