Bug#343264: [CVE-2004-0564] attackers can overwrite any files when run with setuid root

2005-12-13 Thread FX

package: pppoe
severity: grave
tags: security

Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet 
driver from Roaring Penguin. When the program is running setuid root, an 
attacker could overwrite any file on the file system.


CVE-2004-0564:  Roaring Penguin pppoe (rp-ppoe), if installed or 
configured to run setuid root contrary to its design, allows local users 
to overwrite arbitrary files.
NOTE: the developer has publicly disputed the claim that this is a 
vulnerability because pppoe is NOT designed to run setuid-root. 
Therefore this identifier applies *only* to those configurations and 
installations under which pppoe is run setuid root despite the 
developer's warnings.


This was fixed in Red Hat a month ago despite their default configuration 
not using suid. See [FLSA-2005:152794]


In Debian Sarge, both /usr/sbin/pppd and /usr/sbin/pppoe files are 
-rwsr-xr-- root dip.





--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
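As an added defender-side check (not part of this bug report, and not code from the pppoe package), the script below walks a set of directories, lists every regular file carrying the setuid bit, and marks names that the advisory above says are not designed to run setuid root. The `NOT_DESIGNED_FOR_SETUID` watchlist and the `DEFAULT_DIRS` list are assumptions for this example; on the Debian Sarge layout quoted above it would report /usr/sbin/pppoe with mode `-rwsr-xr--`.

```python
import os
import stat
import sys

# Watchlist of binaries whose upstream says they must not be setuid root.
# Constructed for this example from the advisory text; extend as needed.
NOT_DESIGNED_FOR_SETUID = {"pppoe"}

# Directories a typical audit covers (assumed; adjust for your system).
DEFAULT_DIRS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]


def is_setuid(st):
    """True for a regular file whose mode carries the setuid bit.
    Takes an os.lstat() result so symlinks are judged by their own mode."""
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_setuid_files(dirs, owner_uid=0):
    """Walk dirs and return sorted (path, uid, mode, flagged) tuples for
    setuid files. owner_uid=0 keeps only root-owned files, the ones that
    matter for privilege escalation; pass None to keep every owner."""
    hits = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # unreadable, or gone between walk and stat
                if not is_setuid(st):
                    continue
                if owner_uid is not None and st.st_uid != owner_uid:
                    continue
                flagged = name in NOT_DESIGNED_FOR_SETUID
                hits.append((path, st.st_uid, stat.filemode(st.st_mode), flagged))
    return sorted(hits)


def format_report(hits):
    """Render hits as ls-style lines; watchlisted entries get a marker."""
    lines = []
    for path, uid, mode, flagged in hits:
        note = "  ** not designed for setuid root" if flagged else ""
        lines.append("%s uid=%d %s%s" % (mode, uid, path, note))
    return lines


if __name__ == "__main__":
    # Usage: audit_setuid.py [dir ...]; defaults to DEFAULT_DIRS.
    for line in format_report(find_setuid_files(sys.argv[1:] or DEFAULT_DIRS)):
        print(line)
```

Run it as root so every directory is readable; a non-root run silently skips files it cannot stat rather than aborting, which keeps the report usable but incomplete.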



Bug#340337: CVE-2005-2970 exists in 2.0.54 too -- please fix stable branch

2005-12-11 Thread FX
This problem exists in Debian's stable branch with apache2-mpm-worker 
2.0.54.


It appears to have been fixed already in Ubuntu versions 4.10, 5.4, and 
5.10.


From http://www.ubuntulinux.org/usn/usn-225-1

The problem can be corrected by upgrading the affected package to
version 2.0.50-12ubuntu4.9 (for Ubuntu 4.10), 2.0.53-5ubuntu5.4 (for
Ubuntu 5.04), or 2.0.54-5ubuntu3 (for Ubuntu 5.10). In general, a
standard system upgrade is sufficient to effect the necessary changes.

A remote attacker can repeatedly trigger this memory leak and exhaust 
all the memory.  Please fix and provide an update for the stable 
branch.  Thanks.







Bug#336137: Version 6.4-1.1 (4-Sept-2005) does not exist in stable (CAN-2005-152)

2005-10-27 Thread FX

package: awstats
severity: grave
tags: security

Version 6.4-1.1, which fixed CAN-2005-152 on Sept 4, 2005, is still not 
available in the stable branch as of October 28, 2005.


Running 'apt-get update && apt-get upgrade' on Debian 3.1 does not yet 
fix CAN-2005-152, which was fixed roughly 2 months ago.


The changelog for stable does not even mention CAN-2005-152:

http://packages.debian.org/changelogs/pool/main/a/awstats/awstats_6.4-1/changelog

There is no mention of any package versions being held back for any 
reason at:


http://packages.qa.debian.org/a/awstats.html

Is it normal for a fixed vulnerability to remain in the stable branch 
for 2 months?  Is there something other than 'apt-get update && apt-get 
upgrade' that sysadmins must perform on Debian in order to get security 
updates?  Please advise.  Thanks.






Bug#290245: SECURITY: Five new upstream versions 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9 available

2005-01-12 Thread FX
package: vpopmail-bin
severity: grave
This package still contains an SQL Injection vulnerability that was fixed 
in an upstream version on 30-Jun-04.

In all, five new upstream versions were released after 5.4.4 which 
contain numerous fixes.  Most importantly, upstream version 5.4.6 
released on 30-Jun-04 fixes the SQL Injection security vulnerability 
(Bugtraq ID 10990 http://www.securityfocus.com/bid/10990/info/).

The changelogs for the five new upstream versions are presented here for 
your consideration:
5.4.5 - released 25-Jun-04
5.4.6 - released 30-Jun-04  -- fixes SQL Injection vulnerability
5.4.7 - released 23-Sep-04
5.4.8 - released 12-Nov-04
5.4.9 - released 26-Dec-04

The last entry in the Debian changelog for this package is dated 10-Jun-04.

5.4.9 - released 26-Dec-04
	Jeremy Kister
	- Makefile.am: fix install problem on Solaris.  Some .h files
	  weren't being installed correctly.

	Charles Boening
	- Fix logging in PostgreSQL.
	- Change ENABLE_{MY|PG}SQL_LOGGING to ENABLE_SQL_LOGGING.
	- Replace --enable-{my|pg}sql-logging with --enable-sql-logging
	  in configure options.

	Tom Collins
	- Tweaking of Charles Boening's changes.
	- vchkpw: Fix problem in md5.h causing segfault in SMTP AUTH on
	  amd64. [964843, 958799]
	- vpopmail.h: Add new error and flag defines from 5.5 series.
	- vchkpw: log webmail connections as 'vchkpw-webmail'.
	- vpopmail.c: fix problem related to sending SIGHUP to qmail-send.
	  Original problem could cause Signal 1 caught by ps error.

5.4.8 - released 12-Nov-2004
	Rick Widmer
	- vadddomain: Check for existing domain before prompting for
	  password.
	- vdeldomain: Fix uninitialized variable warning.

	Tom Collins
	- Fix problems with valias code in vmysql.c and vpgsql.c.  Storing
	  aliases in Postgres should work now, and it should fix problems
	  with processing Maildir valias entries in vdelivermail. [985011,
	  1024706, 1033801]
	- Fix bug in vmoddomlimits that wiped out the Domain Quota
	  when editing default limits.
	- Change columns in Postgres valias table to varchar from char.
	  See README.pgsql for instructions on fixing existing tables.
	- vmoduser: update maildirsize instead of just deleting it when
	  modifying quota.
	- vchkpw: classify POP/IMAP connections from select IPs (defaults
	  to 127.0.0.1) as webmail and check NO_WEBMAIL user flag instead
	  of NO_POP and NO_IMAP.
	- Update qmail-smtpd-auth patch in contrib to latest (0.5.6).
	- Update README.quotas with note about domain quotas not working.
	- vpopmail.c: remove unused sys/varargs.h include.
	- vdominfo: fix broken -a option.
	- vdominfo: better display of real name for alias domains. [981335]
	- vpopmail.c: Improved maildir_to_email() function. [953439]

	Gentoo Port
	- Integrate vuserinfo patch to fix the -a option and to display
	  the comment/gecos field (used for real name).

5.4.7 - released 23-Sep-04
	Michael Bowe
	- Mention in README.mysql that it is possible to create mailboxes
	  by inserting entries directly into the MySQL table.

	Tom Collins
	- Don't try to delete dir-control for domain unless users-big-dir
	  is enabled.
	- Verify user exists before trying to set quota in vsetuserquota().
	  [984698]
	- Update cdb/Makefile so you can 'make install' without doing
	  'make' first.
	- Fix size comparisons to MAX_PW_X (should be <, not <=).
	- Fix possible buffer overflows in vsybase.c.
	- Have vconvert reset dir_control and increment it for each user
	  added when converting from cdb to MySQL.
	- If crypt() doesn't support MD5 passwords, fall back to using
	  a valid, non-MD5 salt even if MD5 passwords are enabled.
	- Fix format string vuln. in vactivedir.c (thanks D4rk Eagle).
	- Added comment to vqmaillocal.c mentioning that it isn't
	  maintained and probably doesn't work.  Makefile no longer
	  installs vqmaillocal.

5.4.6 - released 30-Jun-04
	[backport from 5.5.0]
	- Consolidate table creation code in vmysql.c and vpgsql.c.
	- Increase SQL_BUF_SIZE from 600 to 2048 for Oracle, Postgres
	  and Sybase.
	- Multiple fixes to vpgsql.c related to freeing PGresults and
	  attempting to access NULL PGresults when reporting errors.
	* These changes address SQL Injection vulnerability documented in
	* Bugtraq ID 10990 http://www.securityfocus.com/bid/10990/info/
	- Add qnprintf() to vpopmail.c for escaping strings in SQL queries.
	- Use qnprintf() when building queries in vmysql.c, vpgsql.c,
	  voracle.pc, and vsybase.c.

5.4.5 - released 25-Jun-04
	fernando (at) telemacro (dot) com (dot) br
	- Patch for vpgsql.c fixes bug with Postgres and roaming users
	  (POP before SMTP). [895501]

	François Wautier
	- Fix method used to open database in vauth_open_update of
	  vmysql.c. [967994, 946983]

	Pit Palme
	- Show 'delete' as valid option to vdelivermail in docs. [951245]
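Added example, not vpopmail's code: the 5.4.6 entry above fixes the SQL injection by introducing qnprintf() to escape strings before they are formatted into a query. The script below reconstructs that pattern in Python against an in-memory SQLite table: the unescaped query as the pre-fix form, an escaping helper in the spirit of qnprintf() (standard-SQL quote doubling only; MySQL would additionally need backslash handling, which is not done here), and the parameterized query that a practitioner would prefer today. The table name, column names and sample rows are constructed for this example and do not reproduce vpopmail's real schema.

```python
import sqlite3

# Constructed sample data: a two-user authentication table.
SAMPLE_ROWS = [
    ("alice", "example.org", "secret1"),
    ("bob", "example.org", "secret2"),
]


def make_db():
    """Build an in-memory table mimicking a user/domain lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (pw_name TEXT, pw_domain TEXT, pw_passwd TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def escape_sql_string(value):
    """Escape a string for use inside a single-quoted SQL literal.
    Doubling the quote is the standard-SQL rule (SQLite, PostgreSQL);
    a MySQL-targeted helper like qnprintf() must also escape backslashes."""
    return value.replace("'", "''")


def lookup_unsafe(conn, user, domain):
    """Pre-fix pattern: untrusted strings formatted straight into the SQL."""
    sql = ("SELECT pw_name FROM users WHERE pw_name = '%s' AND pw_domain = '%s'"
           % (user, domain))
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, user, domain):
    """Post-fix pattern: escape each string before formatting it in."""
    sql = ("SELECT pw_name FROM users WHERE pw_name = '%s' AND pw_domain = '%s'"
           % (escape_sql_string(user), escape_sql_string(domain)))
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user, domain):
    """Preferred form: values travel separately from the SQL text, so the
    database never parses them as syntax."""
    sql = "SELECT pw_name FROM users WHERE pw_name = ? AND pw_domain = ?"
    return [row[0] for row in conn.execute(sql, (user, domain))]


def demo():
    """Run the same lookups with a benign and a quote-breaking domain value
    and return what each variant matches."""
    conn = make_db()
    normal = ("alice", "example.org")
    # A domain value that closes the quoted literal and appends OR '1'='1'.
    hostile = ("alice", "' OR '1'='1")
    return {
        "unsafe_normal": lookup_unsafe(conn, *normal),
        "unsafe_hostile": lookup_unsafe(conn, *hostile),
        "escaped_hostile": lookup_escaped(conn, *hostile),
        "param_hostile": lookup_param(conn, *hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The unsafe variant returns every user for the hostile input because the WHERE clause degenerates to `... OR '1'='1'`; both the escaped and the parameterized variants return nothing, since the quote never terminates the literal. Escaping is only as good as its coverage of the target dialect, which is why parameterization is the safer default.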