[Full-disclosure] [USN-185-1] CUPS vulnerability
Ubuntu Security Notice USN-185-1
September 20, 2005
cupsys vulnerability
CAN-2004-2154

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

cupsys

The problem can be corrected by upgrading the affected package to version 1.1.20final+cvs20040330-4ubuntu16.5. In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

A flaw was detected in the printer access control list checking in the CUPS server. Printer names were compared in a case sensitive manner; by modifying the capitalization of printer names, a remote attacker could circumvent ACLs and print to printers he should not have access to.

The Ubuntu 5.04 version of cupsys is not vulnerable against this.
[Full-disclosure] bacula insecure temporary file creation
bacula insecure temporary file creation

Vendor: http://www.bacula.org/
Advisory: http://www.zataz.net/adviso/bacula-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact: low
Exploitation: low

The vulnerabilities are due to insecure temporary file creation. They are symlink attacks to create arbitrary files with the privileges of the user running the affected script, sensitive information disclosure, possible arbitrary command execution.

Versions:

bacula = 1.36.3

Solution:

Update to version 1.37.39 (sep 19 2005)

Timeline:

Discovered: 2005-09-06
Vendor notified: 2005-09-19
Vendor response: 2005-09-19
Vendor fix: 2005-09-20
Vendor Sec report ([EMAIL PROTECTED]): no need
Disclosure: 2005-09-20

Technical details:

Vulnerable code:

* Take a look at: autoconf/randpass

This file is used by configure and autoconf/configure.in to generate a random password.

    # predictable scratch file name in a world-writable directory
    tmp=/tmp/p.tmp.$$
    cp autoconf/randpass.bc $tmp
    ps | sum | tr -d ':[:alpha:] ' | sed 's/^/k=/' >>$tmp
    date | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
    ls -l /tmp | sum | tr -d ':[:alpha:] ' | sed 's/^/k=k*/' >>$tmp
    echo "j=s(k); for (i = 0; i < $PWL; i++) r()" >>$tmp
    echo "quit" >>$tmp
    bc $tmp | awk -f autoconf/randpass.awk
    rm $tmp

There are 2 troubles, symlink attack (race condition) and password revelation to untrusted users (race condition).

This vulnerability is exploitable on systems that don't have the openssl command.
* Take a look at: rescue/linux/getdiskinfo

Create bootstrap information files -- prelude to creating a Bacula Rescue Disk

    cat >mount_drives <<END_OF_DATA
    #!/bin/sh
    #
    # Mount disk drives -- created by getdiskinfo
    #
    END_OF_DATA
    sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p' $di/mount.ext2.bsi >>mount_drives
    sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mkdir -p \/mnt\/disk\2/p' $di/mount.ext3.bsi >>mount_drives
    echo "#" >>mount_drives
    sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p' $di/mount.ext2.bsi >/tmp/1$$
    sed -n 's/\(^.*\)\ on\ \(.*\)\ type.*$/mount \1 \/mnt\/disk\2/p' $di/mount.ext3.bsi >>/tmp/1$$
    # sort so that root is mounted first
    sort -k 3 </tmp/1$$ >>mount_drives
    rm -f /tmp/1$$

    chmod 755 mount_drives

    # copy sfdisk so we will have it
    cp -f /sbin/sfdisk .
    echo "Done building scripts."
    echo
    echo "You might want to do a:"
    echo
    echo "chown -R : *"
    echo
    echo "where is your userid and is your group"
    echo "so that you can access all the files as non-root"
    echo

There are two troubles, symlink attack (race condition) and possible arbitrary command execution with the user's privileges (race condition).

This file doesn't seem to be installed, we can consider this bug as invalid.

* Take a look at: scripts/mtx-changer.in

Bacula interface to mtx autoloader

    loaded)
       ${MTX} -f $ctl status >/tmp/mtx.$$
       rtn=$?
       cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Full" | awk "{print \$7}"
       cat /tmp/mtx.$$ | grep "^Data Transfer Element $drive:Empty" | awk "{print 0}"
       rm -f /tmp/mtx.$$
       exit $rtn
       ;;

symlink attack (race condition) possible

* Also we got this variable in a lot of scripts:

    working_directory = /tmp;

Upstream should check the usage of this variable.
Related:

Bug report: http://bugs.gentoo.org/show_bug.cgi?id=104986
Bug report: http://bugs.bacula.org/bug_view_advanced_page.php?bug_id=422
CVE:

Credits:

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit) - Gentoo Security Scout
Thanks to the Gentoo Security Team.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
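The two randpass problems named in the advisory above (a predictable name that is written through if a link already sits there, and a scratch file other users can read), shown next to a hardened form. This is an added example, not code from the advisory or from Bacula; the function names and the sandbox directory that stands in for /tmp are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Bacula's code). A constructed sandbox directory stands in
# for /tmp, so nothing outside that directory is ever touched.

# The advisory's idiom: predictable name, file created by plain redirection.
# Whatever already exists at that path, a symlink included, is written through.
write_predictable() {
    tmp="$1/p.tmp.$$"
    printf 'k=%s\n' "$2" >>"$tmp"
    printf '%s\n' "$tmp"
}

# Hardened form: mktemp(1) picks an unpredictable name and creates the file
# exclusively, so an existing file or link is never reused. The file is
# created owner-only; umask 077 is kept as a second guard.
write_private() {
    tmp=$(umask 077 && mktemp "$1/p.tmp.XXXXXXXXXX") || return 1
    printf 'k=%s\n' "$2" >>"$tmp"
    printf '%s\n' "$tmp"
}

# Permission string of a file, e.g. -rw-------
mode_of() { ls -ld "$1" | cut -c1-10; }

# check_symlink WRITER: the predictable name already exists as a link to a
# file the writer was never meant to touch. Prints "followed" if that file
# was modified, "not-followed" otherwise.
check_symlink() {
    box=$(mktemp -d "${TMPDIR:-/tmp}/tmpcheck.XXXXXXXXXX") || return 1
    printf 'original\n' >"$box/protected"
    ln -s "$box/protected" "$box/p.tmp.$$"    # constructed pre-existing link
    "$1" "$box" 12345 >/dev/null
    if [ "$(cat "$box/protected")" = "original" ]; then
        echo not-followed
    else
        echo followed
    fi
    rm -rf "$box"
}

# check_mode WRITER: permissions of the scratch file when the caller runs
# with a common default umask of 022.
check_mode() {
    box=$(mktemp -d "${TMPDIR:-/tmp}/tmpcheck.XXXXXXXXXX") || return 1
    scratch=$(umask 022; "$1" "$box" 12345)
    mode_of "$scratch"
    rm -rf "$box"
}

for w in write_predictable write_private; do
    printf '%-18s symlink: %-13s mode: %s\n' \
        "$w" "$(check_symlink "$w")" "$(check_mode "$w")"
done
```

In a real script the hardened writer is paired with `trap 'rm -f "$tmp"' EXIT` so the scratch file is removed on every exit path.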
[Full-disclosure] Secunia Research: Opera Mail Client Attachment Spoofing and Script Insertion
Secunia Research 20/09/2005

- Opera Mail Client Attachment Spoofing and Script Insertion -

Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

1) Affected Software

Opera 8.02

Prior versions may also be affected.

2) Severity

Rating: Moderately Critical
Impact: Script Insertion, Spoofing
Where: From Remote

3) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in the Opera Mail client, which can be exploited by a malicious person to conduct script insertion attacks and to spoof the name of attached files.

1. Attached files are opened without any warnings directly from the user's cache directory. This can be exploited to execute arbitrary JavaScript in context of "file://".

2. Normally, filename extensions are determined by the "Content-Type" in Opera Mail. However, by appending an additional '.' to the end of a filename, an HTML file could be spoofed to be e.g. "image.jpg.".

The two vulnerabilities combined may be exploited to conduct script insertion attacks if the user chooses to view an attachment named e.g. "image.jpg." e.g. resulting in disclosure of local files.

4) Solution

Update to version 8.50.
http://www.opera.com/download/

5) Time Table

01/09/2005 - Initial vendor notification.
20/09/2005 - Public disclosure.

6) Credits

Discovered by Jakob Balle, Secunia Research.

7) References

No references available.

8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-42/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
[Full-disclosure] [ GLSA 200509-14 ] Zebedee: Denial of Service vulnerability
Gentoo Linux Security Advisory GLSA 200509-14
http://security.gentoo.org/

Severity: Normal
Title: Zebedee: Denial of Service vulnerability
Date: September 20, 2005
Bugs: #105115
ID: 200509-14

Synopsis
========

A bug in Zebedee allows a remote attacker to perform a Denial of Service attack.

Background
==========

Zebedee is an application that establishes an encrypted, compressed tunnel for TCP/IP or UDP data transfer between two systems.

Affected packages
=================

    Package             /  Vulnerable  /  Unaffected
    ------------------------------------------------
 1  net-misc/zebedee       2.5.3          *= 2.4.1-r1
                                          = 2.5.3

Description
===========

Shiraishi.M reported that Zebedee crashes when "0" is received as the port number in the protocol option header.

Impact
======

By performing malformed requests a remote attacker could cause Zebedee to crash.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Zebedee users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose net-misc/zebedee

References
==========

[ 1 ] BugTraq ID 14796
      http://www.securityfocus.com/bid/14796

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200509-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
[Full-disclosure] [ GLSA 200509-15 ] util-linux: umount command validation error
Gentoo Linux Security Advisory GLSA 200509-15
http://security.gentoo.org/

Severity: High
Title: util-linux: umount command validation error
Date: September 20, 2005
Bugs: #105805
ID: 200509-15

Synopsis
========

A command validation error in umount can lead to an escalation of privileges.

Background
==========

util-linux is a suite of useful Linux programs including umount, a program used to unmount filesystems.

Affected packages
=================

    Package               /  Vulnerable  /  Unaffected
    --------------------------------------------------
 1  sys-apps/util-linux      2.12q-r3       = 2.12q-r3

Description
===========

When a regular user mounts a filesystem, they are subject to restrictions in the /etc/fstab configuration file. David Watson discovered that when unmounting a filesystem with the '-r' option, the read-only bit is set, while other bits, such as nosuid or nodev, are not set, even if they were previously.

Impact
======

An unprivileged user facing nosuid or nodev restrictions can umount -r a filesystem clearing those bits, allowing applications to be executed suid, or have device nodes interpreted. In the case where the user can freely modify the contents of the filesystem, privilege escalation may occur as a custom program may execute with suid permissions.

Workaround
==========

Two workarounds exist, first, the suid bit can be removed from the umount utility, or users can be restricted from mounting and unmounting filesystems in /etc/fstab.

Resolution
==========

All util-linux users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =sys-apps/util-linux-2.12q-r3

References
==========

[ 1 ] CAN-2005-2876
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2876

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200509-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
Re: [Full-disclosure] Re: Cisco IOS hacked?
This may be a little off topic, but does anyone know where I can find technical details and solutions for Michael Lynne's IOS vulnerability? I am concerned that my systems aren't patched and ever since Ciscogate, K-otik, Secunia, Security-Focus have all removed their original vulnerability advisories.

On 9/19/05, Kirill Bolshakov [EMAIL PROTECTED] wrote:
> No, this is not true. Just some old hacks for old stolen xxx sources. No POCs, nothing. Just some flame to support the book, which that guy is a co-author of. Seek a Russian-speaking neighbor ;) the automatic translation is inferior.
>
> Regards,
> Kirill
>
> ciscoioshehehe wrote:
>> today news on SecurityLab.ru (only in russian): http://www.securitylab.ru/news/240415.php
>> * break CRC on CISCO IOS
>> * Design Mechanism of cross-platform worm for IOS device.
>> * Run IRC server on 2600 CISCO.
>> * Found more vulnerabilities in EIGRP protocol.
>> and some more...
>> Online translate from Russian: http://www.translate.ru/url/tran_url.asp?lang=ruurl=""
Re: [Full-disclosure] Cisco IOS hacked? (-CAN-2005-2451)
> This may be a little off topic, but does anyone know where I can find technical details and solutions for Michael Lynne's IOS vulnerability? I am concerned that my systems aren't patched and ever since Ciscogate, K-otik, Secunia, Security-Focus have all removed their original vulnerability advisories.

These advisories you mentioned are alive:

http://www.frsirt.com/english/advisories/2005/1264
http://secunia.com/advisories/16272/
http://www.securityfocus.com/bid/14414

Cisco reference http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml last updated on 11th August, 2005 is available (exact software versions listed) as well.

CVE entry is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2451

- Juha-Matti
[Full-disclosure] MDKSA-2005:165 - Updated cups packages fix vulnerability
Mandriva Linux Security Update Advisory

Package name: cups
Advisory ID: MDKSA-2005:165
Date: September 15th, 2005
Affected versions: 10.0, Corporate 3.0, Corporate Server 2.1

Problem Description:

A vulnerability in CUPS would treat a Location directive in cupsd.conf as case-sensitive, allowing attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from that which was specified in the Location directive.

This issue only affects versions of CUPS prior to 1.1.21rc1.

The updated packages have been patched to correct this problem.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2154

To upgrade automatically use MandrakeUpdate or urpmi. The
[Full-disclosure] Debian Security Host Bandwidth Saturation
The Debian Project
http://www.debian.org/
Security Host Bandwidth Saturation
[EMAIL PROTECTED]
September 20th, 2005
http://www.debian.org/News/2005/20050920

Debian Security Host Bandwidth Saturation

The recently released security update of XFree86 in DSA 816 for sarge and woody has caused the host security.debian.org to saturate its 100MBit/s network connection entirely. Due to the large number of X packages, the gross size of these packages and the high number of users who need to install the update, the server is busy sending out updates which exhaust its total outgoing bandwidth.

This incident happens before a new security infrastructure is in place which would have avoided this. At the moment we ask our users to accept delays in their update until the situation is relaxed again.

Yesterday morning, at about 11 o'clock (CEST, i.e. UCT +0200) the files for the security update DSA 816 (XFree86) were installed on the public security server. The result was similar to a distributed denial of service since literally thousands of users tried to fetch the updates. Since then the host saturates its network connection entirely.

Independent of this there have been discussions about restructuring the security infrastructure in order to provide a more failsafe solution, that can also deal with high bandwidth peaks better than a single machine.
[Full-disclosure] Re: arc insecure temporary file creation
ZATAZ Audits wrote: The vulnerability is caused due to temporary file being created insecurely. The temporary file used for archive creation could be read by untrusted users. This is not just an information leak, but also a symlink vulnerability since the temporary file is created without ensuring that either it does not exist before or is owned by the same user, while it is placed in a usually publically writable directory. The following patch should fix both issues. --- arcsvc.c~ 2005-03-13 16:48:09.0 +0100 +++ arcsvc.c2005-09-17 09:41:51.0 +0200 @@ -17,6 +17,9 @@ Computer Innovations Optimizing C86 */ #include stdio.h +#include sys/types.h +#include sys/stat.h +#include fcntl.h #include arc.h #if_MTS #include mts.h @@ -52,7 +55,12 @@ openarc(chg) /* open archive */ } #endif if (chg) { /* if opening for changes */ - if (!(new = fopen(newname, OPEN_W))) + int fd; + + if ((fd = open(newname, O_CREAT|O_EXCL|O_RDWR, S_IREAD|S_IWRITE)) == -1) + arcdie(Cannot create archive copy: %s, newname); + + if (!(new = fdopen(fd, OPEN_W))) arcdie(Cannot create archive copy: %s, newname); changing = chg; /* note if open for changes */ Regards, Joey -- Linux - the choice of a GNU generation. Please always Cc to me when replying to me on the lists. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
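Review bot: In the first hunk (arcsvc.c, @@ -17,6 +17,9 @@) the three new includes, sys/types.h, sys/stat.h and fcntl.h, are added unconditionally, while the context line right below them shows that this file guards platform headers with #if _MTS. On a target that lacks those headers, or lacks open() with O_EXCL, the file stops compiling. Put the includes and the open() path behind a platform conditional of the same kind and state in a comment which targets still take the old fopen() path, so the remaining exposure is documented.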
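Review bot: In the openarc() hunk (@@ -52,7 +55,12 @@) both failure branches call arcdie with the identical text "Cannot create archive copy: %s", so the user cannot tell that open() refused because newname already exists (the O_EXCL case this patch introduces, which also triggers on a leftover copy from an interrupted run) from a permission error or an fdopen() failure. Include strerror(errno) in the open() branch and give the fdopen() branch its own message, closing fd there before dying. The mode is also better written with the POSIX names S_IRUSR|S_IWUSR than with S_IREAD|S_IWRITE.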
Re: [Full-disclosure] phpBB 2.0.17 remote avatar size bug
SmOk3 wrote:
> I don't want to criticize the phpBB coders, but why is it difficult to check out the size of a image and telling the user that that size of image it's not possible, or even block the size on the viewtopic table, something like that.

Having phpbb check the image size would add no security whatsoever. The malicious user could place the image on a server that uses mod_rewrite or PHP (or whatever...) to send a nice 100 x 75 image of a kitty cat when the phpbb server requests the image, and a 4000x3000 gaping goatse to everyone else.

There is absolutely no way for phpbb to be able to enforce the size of images hosted on remote machines. All it can do is specify the width and height attributes of the IMG tag when it displays the image.

Brian
[Full-disclosure] UnixWare 7.1.4 : LibTIFF 3.72 malformed data code exec
SCO Security Advisory

Subject: UnixWare 7.1.4 : LibTIFF 3.72 malformed data code exec
Advisory number: SCOSA-2005.34
Issue date: 2005 September 20
Cross reference: sr894564 fz532775 erg712889 CAN-2005-1544

1. Problem Description

Tavis Ormandy has reported a vulnerability in libTIFF, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error and can be exploited to cause a buffer overflow via a specially crafted TIFF image containing a malformed BitsPerSample tag.

Successful exploitation may allow execution of arbitrary code, if a malicious TIFF image is opened in an application linked against the vulnerable library.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following name CAN-2005-1544 to this issue.

2. Vulnerable Supported Versions

    System            Binaries
    ----------------------------------------
    UnixWare 7.1.4    Libtiff distribution

3. Solution

The proper solution is to install the latest packages.

4. UnixWare 7.1.4

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.34

4.2 Verification

MD5 (tiff.pkg) = b084c16db5ab1c70d1a3d461cfe09665

md5 is available for download from ftp://ftp.sco.com/pub/security/tools

4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download tiff.pkg to the /var/spool/pkg directory

    # pkgadd -d /var/spool/pkg/tiff.pkg

5. References

Specific references for this advisory:

http://bugzilla.remotesensing.org/show_bug.cgi?id=843
http://xforce.iss.net/xforce/xfdb/20533
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1544
http://secunia.com/advisories/15320

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents sr894564 fz532775 erg712889.

6. Disclaimer

SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products.

7. Acknowledgments

The SCO Group would like to thank Travis Ormandy
Re: [Full-disclosure] UnixWare 7.1.4 : LibTIFF 3.72 malformed data code exec
Wow!! Are they still around??

xyberpix
RE: [Full-disclosure] phpBB 2.0.17 remote avatar size bug
I agree. This is not a security issue. If you can get that same image to install a virus on the server, then make a deal out of it. Until then, don't waste our time.

Paul
Greyhats Security
http://greyhatsecurity.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Dessent
Sent: Tuesday, September 20, 2005 4:12 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] phpBB 2.0.17 remote avatar size bug

SmOk3 wrote:

I don't want to criticize the phpBB coders, but why is it difficult to check out the size of an image and telling the user that that size of image it's not possible, or even block the size on the viewtopic table, something like that.

Having phpbb check the image size would add no security whatsoever. The malicious user could place the image on a server that uses mod_rewrite or PHP (or whatever...) to send a nice 100 x 75 image of a kitty cat when the phpbb server requests the image, and a 4000x3000 gaping goatse to everyone else.

There is absolutely no way for phpbb to be able to enforce the size of images hosted on remote machines. All it can do is specify the width and height attributes of the IMG tag when it displays the image.

Brian
Re: [Full-disclosure] UnixWare 7.1.4 : LibTIFF 3.72 malformed data code exec
Wow!! Are they still around??

Yeah, comical isn't it? They frequently release patches for 4-6 month old holes. They are kinda like the Microsoft[1] of the Unix/Linux world.

tim

1. http://www.eeye.com/html/research/upcoming/index.html
Re: [Full-disclosure] UnixWare 7.1.4 : LibTIFF 3.72 malformed data code exec
Even more comical is how they STILL can't patch that old ftp server of theirs. SITE EXEC loves SCO. Honeypot or stupidity, you decide...

[EMAIL PROTECTED]:~$ ftp ftpput.sco.com
Connected to ftpput.sco.com.
220 artemis FTP server (Version 2.1WU(1)) ready.
Name (ftpput.sco.com:kfinisterre): anonymous
331 Guest login ok, send e-mail address as password.

-KF

Tim wrote:

Wow!! Are they still around??

Yeah, comical isn't it? They frequently release patches for 4-6 month old holes. They are kinda like the Microsoft[1] of the Unix/Linux world.

tim

1. http://www.eeye.com/html/research/upcoming/index.html
[Full-disclosure] perldiver
EXPL-A-2005-014 exploitlabs.com Advisory 043

- perldiver -

AFFECTED PRODUCTS
=================
Perldiver v1.x and 2.x
http://scriptsolutions.com/

OVERVIEW
========
Perl Diver digs into your server's perl installation and gives you the information you need in a quick and easy to find manner.

DETAILS
=======
1. XSS

Perldiver does not properly filter malicious script content. XSS may be inserted in the module parameter ( v2.x ) or as a GET request in the main script ( v1.x ). The malicious script is then rendered and is executed in the context of the user's browser.

POC
===
1.x
--
http://[host]/[path]/perldiver.pl?testhereSCRIPTalert(document.domain);/SCRIPT

2.x
--
http://[host]/[path]/perldiver.cgi?action=2020module=scriptdocument.write(document.domain)/script

bonus vendor site vuln:
http://www.scriptsolutions.com/programs/free/perldiver/perldiver.cgi?action=2020module=scriptdocument.write(document.domain)/script

SOLUTION:
=========
vendor contact: Sept 14, 2005
http://www.scriptsolutions.com/support/postlist.pl?Cat=Board=DDBugs

response Sept 15, 2005

If you are a current PerlDiver user, you can either download the updated version, or insert the following line after

my $module = param( 'module' );

in the module_detail subroutine:

$module =~ s/^([A-Za-z0-9]|:)//g;

updated version:
http://www.scriptsolutions.com/support/showflat.pl?Board=DLPerlDiverNumber=446
http://www.scriptsolutions.com/support/files/4-446-perldiver.zip

Credits
=======
This vulnerability was discovered and researched by Donnie Werner of exploitlabs

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

orig advisory:
http://exploitlabs.com/files/advisories/EXPL-A-2005-014-perldiver.txt
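Added example, not part of the exploitlabs advisory and not Perl Diver's own code: the substitution exactly as it is printed in the archived text above removes at most one leading letter, digit or colon, so it is shown here beside an allow-list check for Perl module names plus HTML output encoding. The function names and the sample inputs are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The substitution as printed in the archived advisory text. The ^ anchor
# means it can only match at the start of the string, so it strips one
# leading character at most and leaves markup characters untouched.
sub filter_as_printed {
    my ($module) = @_;
    $module =~ s/^([A-Za-z0-9]|:)//g;
    return $module;
}

# Allow-list check (hypothetical helper): accept only a syntactically valid
# Perl package name, i.e. identifiers joined by "::", and reject the rest.
sub valid_module_name {
    my ($module) = @_;
    return 0 unless defined $module && length($module) <= 128;
    return $module =~ /\A[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*\z/
        ? 1 : 0;
}

# Output encoding (hypothetical helper) for any value echoed into HTML,
# applied even to values that already passed validation.
sub html_escape {
    my ($text) = @_;
    my %entity = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Constructed sample values for the "module" parameter.
my @samples = ('File::Spec', 'CGI', '<b>markup</b>', 'CGI"x', '::bad');

for my $input (@samples) {
    printf "%-16s as_printed=%-16s valid=%d escaped=%s\n",
        $input,
        filter_as_printed($input),
        valid_module_name($input),
        html_escape($input);
}
```

A handler would refuse the request when valid_module_name() returns 0 and would pass every echoed value through html_escape() regardless.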
[Full-disclosure] MDKSA-2005:166 - Updated clamav packages fix vulnerabilities
Mandriva Linux Security Update Advisory

Package name:       clamav
Advisory ID:        MDKSA-2005:166
Date:               September 20th, 2005
Affected versions:  10.1, 10.2, Corporate 3.0

Problem Description:

A vulnerability was discovered in ClamAV versions prior to 0.87. A buffer overflow could occur when processing malformed UPX-packed executables. As well, it could be sent into an infinite loop when processing specially-crafted FSG-packed executables.

ClamAV version 0.87 is provided with this update which isn't vulnerable to these issues.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2919
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2920

Updated Packages:
[Full-disclosure] MDKSA-2005:167 - Updated util-linux packages fix umount vulnerability
Mandriva Linux Security Update Advisory

Package name:       util-linux
Advisory ID:        MDKSA-2005:167
Date:               September 20th, 2005
Affected versions:  10.0, 10.1, 10.2, Corporate 3.0, Corporate Server 2.1, Multi Network Firewall 2.0

Problem Description:

David Watson discovered that the umount utility, when using the -r command, could remove some restrictive mount options such as nosuid. If /etc/fstab contained user-mountable removable devices that specified nosuid, a local attacker could exploit this flaw to execute arbitrary programs with root privileges by calling umount -r on a removable device.

The updated packages have been patched to ensure that -r can only be called by the root user.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2876

Updated Packages:
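Added example, not part of the Mandriva advisory: a small audit that lists the /etc/fstab entries matching the precondition described above, that is, entries ordinary users may mount and that rely on nosuid. It assumes the mount(8) rule that user, users, owner and group imply nosuid unless a later suid overrides it; the function name and the sample fstab are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the fstab entries that are user-mountable and depend on nosuid.
# Options are evaluated left to right, as mount(8) does, so a later option
# overrides an earlier one.
sub exposed_entries {
    my ($fstab_text) = @_;
    my @hits;
    for my $line (split /\n/, $fstab_text) {
        next if $line =~ /^\s*(?:#|$)/;          # skip comments and blanks
        my ($dev, $mnt, $type, $opts) = split ' ', $line;
        next unless defined $opts;               # skip malformed lines
        my ($user_mountable, $nosuid) = (0, 0);
        for my $opt (split /,/, $opts) {
            if ($opt =~ /^(?:user|users|owner|group)$/) {
                $user_mountable = 1;
                $nosuid         = 1;             # implied by these options
            }
            elsif ($opt eq 'nouser')   { $user_mountable = 0; }
            elsif ($opt eq 'defaults') { $user_mountable = 0; $nosuid = 0; }
            elsif ($opt eq 'nosuid')   { $nosuid = 1; }
            elsif ($opt eq 'suid')     { $nosuid = 0; }
        }
        push @hits, { device => $dev, mountpoint => $mnt, options => $opts }
            if $user_mountable && $nosuid;
    }
    return @hits;
}

# Constructed sample; on a real host read /etc/fstab instead.
my $sample = <<'END';
# <device>  <mountpoint>  <type>   <options>              <dump> <pass>
/dev/hda1   /             ext3     defaults               1 1
/dev/cdrom  /mnt/cdrom    iso9660  ro,user,noauto,nosuid  0 0
/dev/fd0    /mnt/floppy   auto     noauto,owner           0 0
/dev/sdb1   /mnt/usb      vfat     noauto,user,suid       0 0
END

printf "%s on %s (options: %s)\n", @{$_}{qw(device mountpoint options)}
    for exposed_entries($sample);
```

Hosts that report any entry are the ones where installing the patched util-linux packages matters most.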
[Full-disclosure] MDKSA-2005:168 - Updated masqmail packages fix vulnerabilities
Mandriva Linux Security Update Advisory

Package name:       masqmail
Advisory ID:        MDKSA-2005:168
Date:               September 20th, 2005
Affected versions:  Multi Network Firewall 2.0

Problem Description:

Jens Steube discovered two vulnerabilities in masqmail:

When sending failed mail messages, the address was not properly sanitized which could allow a local attacker to execute arbitrary commands as the mail user (CAN-2005-2662).

When opening the log file, masqmail did not relinquish privileges, which could allow a local attacker to overwrite arbitrary files via a symlink attack (CAN-2005-2663).

The updated packages have been patched to address these issues.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2663

Updated Packages:

Multi Network Firewall 2.0:
368d7259f0d1663f24ab0d96ef316520 mnf/2.0/RPMS/masqmail-0.2.18-3.1.M20mdk.i586.rpm
53c6095a108ea52147909091b262517f mnf/2.0/SRPMS/masqmail-0.2.18-3.1.M20mdk.src.rpm

To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com