Insecurity News

Cyrus-imapd

The Cyrus IMAP Server is an efficient, highly-scalable IMAP e-mail server. Multiple vulnerabilities have been discovered in the argument parsers of the partial and fetch commands of the Cyrus IMAP Server (CAN-2004-1012, CAN-2004-1013). There are also buffer overflows in the "imap magic plus" code that are vulnerable to exploitation as well (CAN-2004-1011, CAN-2004-1015).

An attacker can exploit these vulnerabilities to execute arbitrary code with the rights of the user running the Cyrus IMAP Server. There is no known workaround at this time. All Cyrus-IMAP Server users should upgrade to the latest version.

Debian reference: DSA-597-1 cyrus-imapd

Gentoo reference: GLSA 200411-34 / cyrus-imapd

Suse reference: SUSE-SA:2004:043

Ruby

Ruby is an interpreted scripting language for quick and easy object-oriented programming. Ruby's CGI module can be used to build web applications.

Ruby's developers found and fixed an issue in the Ruby CGI module that can be triggered remotely. This vulnerability in the CGI module could potentially cause an infinite loop. A remote attacker could trigger the vulnerability through an exposed Ruby web application and cause the server to use unnecessary CPU resources, potentially resulting in a denial of service attack. This issue has been assigned the Mitre CVE CAN-2004-0983.

There is no known workaround to this problem with Ruby's CGI module. All Ruby 1.6.x users should upgrade to the latest version:

Mandrake reference: MDKSA-2004:128

Kernel

The Linux kernel handles the basic functions of the operating system.

A missing serialization flaw in unix_dgram_recvmsg was discovered that affects kernels prior to 2.4.28. A local user could potentially make use of a race condition in order to gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1068 to this issue.

Paul Starzetz of iSEC discovered various flaws in the ELF binary loader affecting kernels prior to 2.4.28. A local user could use these flaws to gain read access to executable-only binaries or possibly gain privileges. (CAN-2004-1070, CAN-2004-1071, CAN-2004-1072, CAN-2004-1073)

A flaw when setting up TSS limits was discovered that affects AMD AMD64 and Intel EM64T architecture kernels prior to 2.4.23. A local user could use this flaw to cause a denial of service (crash) or possibly gain privileges. (CAN-2004-0812)

An integer overflow flaw was discovered in the ubsec_keysetup function in the Broadcom 5820 cryptonet driver. On systems using this driver, a local user could cause a denial of service (crash) or possibly gain elevated privileges. (CAN-2004-0619)

Stefan Esser discovered various flaws including buffer overflows in the smbfs driver affecting kernels prior to 2.4.28. A local user may be able to cause a denial of service (crash) or possibly gain privileges. In order to exploit these flaws the user would require control of a connected Samba server. (CAN-2004-0883, CAN-2004-0949)

SGI discovered a bug in the ELF loader that affects kernels prior to 2.4.25 and could be triggered by a malformed binary. On architectures other than x86, a local user could create a malicious binary which could cause a denial of service (crash). (CAN-2004-0136)

Conectiva discovered flaws in USB drivers affecting kernels prior to 2.4.27 which used the copy_to_user function on uninitialized structures. These flaws could allow users to read small amounts of kernel memory. (CAN-2004-0685)

Red Hat reference: RHSA-2004:549-10

Suse reference: SUSE-SA:2004:042

SUN Java Plugin

The Java plug-in security in Sun and Blackdown Java environments can be bypassed to access arbitrary packages, allowing untrusted Java applets to perform unrestricted actions on the host system. This issue has been assigned the Mitre CVE CAN-2004-1029.

Sun and Blackdown both provide implementations of Java Development Kits (JDK) and Java Runtime Environments (JRE). All these implementations provide a Java plug-in that can be used to execute Java applets in a restricted environment for web browsers.

All Java plug-ins are subject to a vulnerability allowing unrestricted Java package access.

A remote attacker could embed a malicious Java applet in a web page and entice a victim to view it. This applet can then bypass security restrictions and execute any command or access any file with the rights of the user running the web browser.

As a workaround you could disable Java applets on your web browser. All Sun JDK users should upgrade to the latest version:

Gentoo reference: GLSA 200411-38 / Java

BNC

BNC is an IRC session-bouncing proxy. Leon Juranic discovered that BNC does not always protect buffers from being overwritten. This could be exploited by a malicious IRC server to overflow a buffer of limited size and execute arbitrary code on the client host. This issue has been assigned the Mitre CVE CAN-2004-1052.

Debian reference: DSA-595-1 bnc

Gentoo reference: GLSA 200411-24 / BNC

ez-ipupdate

ez-ipupdate is a utility for updating host name information for a large number of dynamic DNS services. Ulf Harnhammar from the Debian Security Audit Project discovered a format string vulnerability in ez-ipupdate. This issue has been assigned the Mitre CVE CAN-2004-0980.

There is no known workaround at this time. All ez-ipupdate users should upgrade to the latest version.

Debian reference: DSA-592-1 ez-ipupdate

Gentoo reference: GLSA 200411-20 / ez-ipupdate

Samba

Samba is a freely available SMB/CIFS implementation which allows seamless interoperability of file and print services to other SMB/CIFS clients. Several Samba vulnerabilities have been identified recently.

There is a problem in the Samba file sharing service daemon, which allows a remote user to have the service consume lots of computing power and potentially crash the service by querying special wildcarded filenames.

This attack can be successful if the Samba daemon is running and a remote user has access to a share (even read only). This issue has been assigned the Mitre CVE ID CAN-2004-0930.

Stefan Esser found a problem in the Unicode string handling in Samba's file handling code which could lead to a remote heap buffer overflow and might allow remote attackers to inject code into the smbd process. This issue has been assigned the Mitre CVE ID CAN-2004-0882.

Updated packages are not vulnerable to these issues.

All Samba users should upgrade to the latest version.

Gentoo reference: GLSA 200411-21 / samba

Mandrake reference: MDKSA-2004:136

Red Hat reference: RHSA-2004:632-17

Suse reference: SUSE-SA:2004:040

sudo

sudo is a program that provides limited super user privileges to specific users. Liam Helmer noticed that sudo does not clean the environment sufficiently. Bash functions and the CDPATH variable are still passed through to the program running as the privileged user.

This leaves the system open to the possibility that an attacker could find a way to use these to overload system routines.

This issue has been assigned the Mitre CVE CAN-2004-1051.

These vulnerabilities can only be exploited by users who have been granted limited super user privileges. We recommend that you upgrade your sudo package.

Debian reference: DSA-596-2 sudo

Mandrake reference: MDKSA-2004:133

Apache

The Apache HTTP Server is one of the most popular web servers on the Internet.

Chintan Trivedi discovered a vulnerability in Apache httpd 2.0 that is caused by improper enforcement of the field length limit in the header-parsing code. By sending a large number of specially-crafted HTTP GET requests, a remote attacker could cause a denial of service on the targeted system. This issue has been assigned the Mitre CVE CAN-2004-0942.

Crazy Einstein has discovered a vulnerability in the mod_include module, which can cause a buffer to be overflown and could lead to the execution of arbitrary code. This issue has been assigned the Mitre CVE CAN-2004-0940.

Larry Cashdollar has discovered a potential buffer overflow in the htpasswd utility, which could be exploited when user-supplied input is passed to the program via a CGI (or PHP, or ePerl, ...) program.

All Apache users should upgrade to the latest version:

Debian reference: DSA-594-1 apache

Gentoo reference: GLSA 200411-18 / apache

Mandrake reference: MDKSA-2004:134

Red Hat reference: RHSA-2004:562-11

Openssl

OpenSSL is a toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols as well as a general-purpose cryptography library. It includes the der_chop script. Groff (GNU Troff) is a typesetting package that includes the groffer command.

groffer and the der_chop script create temporary files in world-writable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When groffer or der_chop is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user. For more on this problem, see the Mitre CVEs CAN-2004-0969 and CAN-2004-0975.
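The following is an added example, not code from the advisory, groff or OpenSSL: it places the predictable-name pattern described above next to an mktemp(1) based replacement and a pre-write check that refuses symbolic links and files with loose ownership or permissions. The dertmp prefix and the paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: weak versus hardened temporary-file creation in a
# world-writable directory such as /tmp.

# Weak pattern: a guessable path. A symlink placed here beforehand would
# be followed by the redirect, so the link target gets overwritten.
weak_tmpfile() {
    echo "/tmp/dertmp.$$"        # PID-based names are easy to predict
}

# Hardened pattern: mktemp creates the file atomically with a random
# suffix and mode 0600, so a pre-placed name cannot be reused.
safe_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/dertmp.XXXXXX"
}

# Return 0 only if "$1" is a regular file (not a symlink) owned by the
# caller with mode 0600; otherwise return 1.
tmpfile_is_safe() {
    path="$1"
    [ ! -L "$path" ] || return 1    # refuse symbolic links outright
    [ -f "$path" ] || return 1      # must exist as a regular file
    owner=$(ls -ld "$path" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || return 1
    mode=$(ls -ld "$path" | cut -c2-10)
    [ "$mode" = "rw-------" ] || return 1
    return 0
}

# Write "$1" into a freshly created, verified temporary file and print
# its path; remove the file and fail if the check does not pass.
write_tmp() {
    tmp=$(safe_tmpfile) || return 1
    tmpfile_is_safe "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$1" > "$tmp"
    echo "$tmp"
}
```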

Debian reference: DSA-603-1 openssl

Gentoo reference: GLSA 200411-15 / OpenSSL

Mandrake reference: MDKSA-2004:147