Message-ID: <16666406.1075863406803.JavaMail.evans@thyme>
Date: Mon, 22 Oct 2001 17:00:00 -0700 (PDT)
From: security-bugpatch@bdcimail.com
To: vkamins@enron.com
Subject: Linux kernel vulnerability
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-From: NW Security and Bug Patch Alert @ENRON
X-To: vkamins@enron.com
X-cc:
X-bcc:
X-Folder: \VKAMINS (Non-Privileged)\Kaminski, Vince J\Deleted Items
X-Origin: Kaminski-V
X-FileName: VKAMINS (Non-Privileged).pst

NETWORK WORLD NEWSLETTER: JASON MESERVE on
SECURITY AND BUG PATCH ALERT
10/22/01 - Today's focus: Linux kernel vulnerability

Dear Wincenty Kaminski,

In this issue:

* Patches and alerts for Linux ptrace, Microsoft, Apache, others
* Viruses, including a Red Cross-disguised Trojan horse that steals credit card data
* Users put early anti-DDoS tools to the test, plus other interesting reading

_______________________________________________________________
Today's focus: Linux kernel vulnerability

By Jason Meserve

Today's bug patches and security alerts:

* Ptrace flaw in Linux kernel

A flaw in the ptrace command, which allows Linux users to debug code, could be used by a malicious local user to gain root privileges. Download the proper fix from:

Red Hat (Kernel 2.4):
http://www.redhat.com/support/errata/RHSA-2001-129.html

Red Hat (Kernel 2.2):
http://www.redhat.com/support/errata/RHSA-2001-130.html

Caldera:
http://www.caldera.com/support/security/advisories/CSSA-2001-036.0.txt

Engarde:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/

Immunix:
http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-035-01

Trustix:
http://www.trustix.net/pub/Trustix/updates/
ftp://ftp.trustix.net/pub/Trustix/updates/

* Microsoft withdraws faulty server patch

A patch released by Microsoft Thursday to protect Windows 2000 and Windows NT servers against a denial-of-service vulnerability has been withdrawn after users who installed it complained that it caused their systems to malfunction.
http://www.nwfusion.com/news/2001/1019microsoftpatch.html
Computerworld, 10/19/01

Microsoft alert:
http://www.microsoft.com/technet/security/bulletin/ms01-052.asp

* IE screen spoofing possible

Georgi Guninski has discovered a flaw in the way Internet Explorer uses JavaScript that could be used to trick an unsuspecting user into executing malicious code. Using JavaScript, it is possible to have IE take over the whole screen. A user box could be popped up with an innocuous message that can be redirected to a malicious site. For more on this, go to:
http://www.guninski.com/popspoof.html

* Conectiva, Engarde update Apache

Two vulnerabilities have been discovered in Apache, the open source Web server software.
The flaws could be exploited to view information that is normally not accessible to general Web users. Download the appropriate update from:

Engarde:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/

Conectiva:
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000430

* DoS vulnerability in Oracle Web Cache

DefCom Labs is reporting a denial-of-service vulnerability in Oracle9iAS Web Cache Version 2.0.0.1.0. Attackers can exploit a buffer overflow that occurs when long URL requests are sent to the affected server. Patches can be downloaded from Oracle's site at:
http://metalink.oracle.com

* New openssh packages available

A couple of security flaws have been discovered in the openssh packages for Linux. These flaws could be exploited to bypass openssh's key-based security system. Download the appropriate update from:

Red Hat:
http://www.redhat.com/support/errata/RHSA-2001-114.html

Immunix:
http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-034-01

Trustix:
http://www.trustix.net/pub/Trustix/updates/
ftp://ftp.trustix.net/pub/Trustix/updates/

* Red Hat releases new util-linux packages

According to a Red Hat alert, new util-linux packages are available that fix a problem with /bin/login's PAM implementation. This could, in some non-default setups, cause users to receive credentials of other users. It is recommended that all users update to the fixed packages.
http://www.redhat.com/support/errata/RHSA-2001-132.html

* New Red Hat squid packages available

A denial-of-service vulnerability has been discovered in squid's FTP handling code. Red Hat users can download an updated version from:
http://www.redhat.com/support/errata/RHSA-2001-113.html

* Red Hat: Updated diffutils packages available

The diffutils sdiff command creates insecure temporary files.
Download the appropriate update from:

Red Hat Linux 5.2:
alpha: ftp://updates.redhat.com/5.2/en/os/alpha/diffutils-2.7-22.5x.alpha.rpm
i386: ftp://updates.redhat.com/5.2/en/os/i386/diffutils-2.7-22.5x.i386.rpm
sparc: ftp://updates.redhat.com/5.2/en/os/sparc/diffutils-2.7-22.5x.sparc.rpm

Red Hat Linux 6.2:
alpha: ftp://updates.redhat.com/6.2/en/os/alpha/diffutils-2.7-22.6x.alpha.rpm
i386: ftp://updates.redhat.com/6.2/en/os/i386/diffutils-2.7-22.6x.i386.rpm
sparc: ftp://updates.redhat.com/6.2/en/os/sparc/diffutils-2.7-22.6x.sparc.rpm

Red Hat Linux 7.0:
alpha: ftp://updates.redhat.com/7.0/en/os/alpha/diffutils-2.7-22.70.alpha.rpm
i386: ftp://updates.redhat.com/7.0/en/os/i386/diffutils-2.7-22.70.i386.rpm

Red Hat Linux 7.1:
alpha: ftp://updates.redhat.com/7.1/en/os/alpha/diffutils-2.7-23.alpha.rpm
i386: ftp://updates.redhat.com/7.1/en/os/i386/diffutils-2.7-23.i386.rpm
ia64: ftp://updates.redhat.com/7.1/en/os/ia64/diffutils-2.7-23.ia64.rpm

* Vulnerability found in nvi and nvi-m17n

According to an alert from Caldera, a "very stupid" format string vulnerability has been found in nvi and nvi-m17n. Debian users can get more information from:
http://www.debian.org/security/2001/dsa-085

* Engarde patches xinetd

An audit of the xinetd code turned up a number of potential security weaknesses. Engarde users can get updated versions of the package from:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/

* Debian patches w3m

A problem with the way certain MIME headers are returned to the Web server could result in a buffer overflow. This flaw could be exploited to execute arbitrary commands on the affected system. For more information and links to the appropriate patch, go to:
http://www.debian.org/security/2001/dsa-081

* Htdig flaw patched

Htdig, an indexing and search program for Linux, contains a vulnerability in its configuration file.
This could be exploited by a malicious user to put the server in an endless loop or retrieve and read any file on the affected system. For more information, go to:
http://www.debian.org/security/2001/dsa-080

* New procmail packages available

A flaw in procmail could be exploited to crash the affected system. In some cases, malicious users could obtain unauthorized privileges. Download the appropriate patch from:
http://www.debian.org/security/2001/dsa-083

* Root vulnerability in XVT

Debian is reporting a possible root vulnerability in XVT. A buffer overflow exists in the program's argument handling code. It could be exploited by a user to gain root privileges. For more information and links to patches, go to:
http://www.debian.org/security/2001/dsa-082

Today's roundup of virus alerts:

* Red Cross warns of Trojan horse that steals credit card data

The American Red Cross is warning people of a credit card-stealing Trojan horse program sent via e-mail that looks like it comes from the disaster-relief organization.
http://www.nwfusion.com/news/2001/1019redcross.html
Computerworld, 10/19/01

* W32/Redesi-A - A Windows virus that comes with different subject lines and one of the following attachments: redo.exe, si.exe, common.exe, userconf.exe or disk.exe. It spreads via Outlook and displays an error message when it executes. (Sophos)

* W32/Redesi-B - Similar to its cousin noted above, this Outlook-borne message spreads via e-mails with different subjects but a body that looks like a Microsoft security alert forwarded by friends. On Nov. 11, the virus adds a line to the autoexec.bat file that attempts to format the hard drive when the infected machine is rebooted. (Sophos)

* WM97/Myna-AY - A Word macro virus with no malicious payload. (Sophos)

* WM97/Myna-BA - Another Word macro virus with no malicious payload. (Sophos)

* W32/Hai - This network-aware virus spreads to any attached drive and places itself in the \Windows directory with a random name.
It then sets itself to run in the win.ini file each time the infected machine is started. (Sophos)

* Worm/Dnet_Winit - A virus that spreads by searching random TCP/IP addresses looking for a potential host. When it finds one, it places a file called WININIT.EXE in the Windows\System directory. (Panda Software)

* Backdoor/SecretService - A type of Trojan horse program that comes in two pieces, a client and server. The infected machine can be shut down or rebooted remotely or used to send messages, and passwords can be stolen. (Panda Software)

* Keyboard_Bug Family - An MS-DOS virus that infects the keyboard buffer, adding junk characters to text. (Panda Software)

From the interesting reading department:

* Users put early anti-DDoS tools to test

Mazu Networks, one of several young companies with products designed to combat distributed denial-of-service attacks, this week will make its new traffic-filtering appliance generally available. Even more impressive, the company is touting the first two enterprise network customers to publicly declare their willingness to spend money on such a product.
http://www.nwfusion.com/archive/2001/126594_10-22-2001.html
Network World, 10/22/01

* Certicom VPN software bolsters 802.11b security

Certicom announced Tuesday that it has upgraded its VPN software for handheld devices to make it compatible with 802.11b wireless LANs.
http://www.nwfusion.com/news/2001/1018certicom.html
Network World Fusion, 10/18/01

* Archives online

Every newsletter I've written is stored online in HTML format. Visit this body of work at:
http://www.nwfusion.com/newsletters/bug/index.html

_______________________________________________________________
To contact Jason Meserve:

Jason Meserve is the Multimedia Editor of Network World Fusion and writes about streaming media, search engines and IP Multicast. Jason can be reached at mailto:jmeserve@nww.com.
_______________________________________________________________
Copyright Network World, Inc., 2001