Brought to you by our friends at the SANS Institute.



-- Security Alert Consensus --
Number 042 (02.42)
Thursday, October 24, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis

----------------------------------------------------------------------

Welcome to SANS' distribution of the Security Alert Consensus.



If you're not running on the latest Linux kernel, you should definitely
consider it. Both the 2.4 and 2.2 series kernels have fixes for local
security problems. We've reported these issues as items {02.42.001}
and {02.42.002}.

Microsoft also released a patch for the MS Word field code problem
we discussed in an earlier SAC editorial. You can read about MS02-059
in item {02.42.009}.

And, if you haven't heard, the Internet root name servers went under
DDoS attack earlier this week; nine of the 13 fell prey. You can read
more about it at:
http://www.washingtonpost.com/wp-dyn...2002Oct22.html

Until next week,
--Security Alert Consensus Team

************************************************************************



TABLE OF CONTENTS:

{02.42.009} Win - MS02-059: MS Word/Excel field codes may leak
information
{02.42.010} Win - MS02-060: Windows XP Help and Support Center control
file deletion
{02.42.011} Win - MS02-061: SQL Server Web tasks command execution
{02.42.024} Win - CoolSoft Personal FTP Server ftproot escaping
{02.42.001} Linux - Linux kernel 2.4 driver vulnerabilities
{02.42.002} Linux - Linux kernel 2.2 vulnerabilities
{02.42.003} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities
{02.42.004} Linux - Update {02.32.017}: xinetd signal pipe descriptor
DoS
{02.42.005} Linux - Update {02.38.003}: xfree86 libX11.so LD_PRELOAD
vulnerability
{02.42.006} Linux - Update {02.39.006}: Fetchmail multiple
vulnerabilities
{02.42.007} Linux - Update {02.40.024}: Sendmail smrsh execution
restriction bypass
{02.42.014} Linux - Update {02.39.013}: gv sscanf() overflow
{02.42.015} Linux - Update {02.37.002}: Multiple Postgres function
buffer overflows
{02.42.016} Linux - Update {02.41.012}: syslog-ng macro expansion
overflow
{02.42.018} Linux - Update {02.38.013}: Multiple Mozilla 1.0
vulnerabilities
{02.42.021} Linux - Update {02.39.003}: GNU tar file extraction
directory traversal
{02.42.008} BSD - Short ESP packet IPSEC DoS
{02.42.025} NApps - Cisco Catalyst CatOS HTTP service DoS
{02.42.012} Other - Update {02.06.011}: Multiple vendor SNMP problems
{02.42.013} Cross - Apache mod_ssl host name CSS
{02.42.017} Cross - PAM treats disabled passwords as empty
{02.42.020} Cross - Heimdal kadmind multiple vulnerabilities
{02.42.022} Cross - Ximian Evolution SSL certificate validation
{02.42.023} Cross - VBZoom forum CGI multiple vulnerabilities


--- Windows News
-------------------------------------------------------

*** {02.42.009} Win - MS02-059: MS Word/Excel field codes may leak
information

Microsoft released MS02-059 ("MS Word/Excel field codes may leak
information"). Various versions of MS Word and Excel support 'field
codes,' which allow a document to pull in the contents of other files.
If a user receives a (malicious) document, edits it and sends it back,
a field code can silently import files from the user's system during
the edit/save process, thereby exposing that data to whoever receives
the returned document.

FAQ and patch:
http://www.microsoft.com/technet/sec...n/MS02-059.asp

Source: Microsoft
http://archives.neohapsis.com/archiv...2-q4/0006.html

*** {02.42.010} Win - MS02-060: Windows XP Help and Support Center
control file deletion

Microsoft released MS02-060 ("Windows XP Help and Support Center
control file deletion"). The Help and Support Center ActiveX control
included with Windows XP allows a malicious Web site to delete
arbitrary files on the user's system.

FAQ and patch:
http://www.microsoft.com/technet/sec...n/MS02-060.asp

Source: Microsoft
http://archives.neohapsis.com/archiv...2-q4/0005.html

*** {02.42.011} Win - MS02-061: SQL Server Web tasks command execution

Microsoft released MS02-061 ("SQL Server Web tasks command
execution"). SQL Server allows a nonprivileged user to modify and
submit new scheduled Web tasks, thereby allowing arbitrary commands
to be executed under the elevated privileges of the SQL Agent
account. This is also a cumulative patch, which fixes all prior SQL
Server and MSDE vulnerabilities.

FAQ and patch:
http://www.microsoft.com/technet/sec...n/MS02-061.asp

Source: Microsoft
http://archives.neohapsis.com/archiv...2-q4/0007.html

*** {02.42.024} Win - CoolSoft Personal FTP Server ftproot escaping

CoolSoft's Personal FTP Server version 2.24 reportedly contains
vulnerabilities in the handling of various FTP commands that would
allow an attacker to manipulate and read files outside the allowed
ftproot directory. Login credentials (user names and passwords)
are also stored in plain text in the ftpserver.ini file.

These vulnerabilities are not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-10/0142.html


--- Linux News
---------------------------------------------------------

*** {02.42.001} Linux - Linux kernel 2.4 driver vulnerabilities

The ixj telephony card driver, pcilynx FireWire driver and bttv
video capture card driver included with the Linux 2.4 series kernel
contain security vulnerabilities that allow a local attacker to gain
root privileges.

These vulnerabilities are confirmed.

Updated Red Hat RPMs:
http://archives.neohapsis.com/archiv...2-q4/0026.html
http://archives.neohapsis.com/archiv...2-q4/0025.html

Source: Red Hat
http://archives.neohapsis.com/archiv...2-q4/0026.html
http://archives.neohapsis.com/archiv...2-q4/0025.html

*** {02.42.002} Linux - Linux kernel 2.2 vulnerabilities

Various vulnerabilities have been found in the Linux 2.2 series
kernels prior to version 2.2.22. Many of them stem from signed-comparison
problems in the handlers behind /proc entries.

These vulnerabilities are confirmed.

Updated Red Hat RPMs:
http://archives.neohapsis.com/archiv...2-q4/0027.html

Updated Trustix RPMs:
http://archives.neohapsis.com/archiv...2-10/0250.html

Updated EnGarde RPMs:
http://archives.neohapsis.com/archiv...2-q4/0004.html

Source: Red Hat, Trustix, EnGarde (SF Bugtraq)
http://archives.neohapsis.com/archiv...2-q4/0027.html
http://archives.neohapsis.com/archiv...2-10/0250.html
http://archives.neohapsis.com/archiv...2-q4/0004.html
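The bug class this item describes, as an added illustration in C. This is
not code from the 2.2 kernel or from any of the advisories above; the
buffer, its contents and the function names are invented for the example.
It models only the length computation of a /proc read handler, since that
is where a signed comparison goes wrong: a negative user-supplied count
slips past a check written against a signed limit and then becomes a huge
unsigned copy length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROC_BUF_SIZE 64

/* Constructed stand-in for the kernel-side buffer a /proc entry exports.
 * Invented for this example; it is not taken from the 2.2 kernel. */
static const char proc_data[PROC_BUF_SIZE] = "constructed /proc contents\n";

/* Length of the exported data, bounded by the buffer (avoids strnlen,
 * which is not in C99). */
static size_t proc_data_len(void)
{
    size_t n = 0;
    while (n < PROC_BUF_SIZE && proc_data[n] != '\0')
        n++;
    return n;
}

/* Both functions return the number of bytes a read handler would copy to
 * user space for a caller-supplied 'count'. No copy is performed; only the
 * length computation is modelled, because that is where the bug lives. */

/* Vulnerable pattern: 'count' is a signed int and the bounds check compares
 * it as signed. A negative count passes (-1 > 64 is false) and then turns
 * into SIZE_MAX when converted to size_t for the copy. */
size_t proc_read_len_vulnerable(int count)
{
    if (count > PROC_BUF_SIZE)
        return 0;                   /* refuse over-long reads ... */
    return (size_t)count;           /* ... but -1 wraps to SIZE_MAX here */
}

/* Hardened pattern: reject negative lengths before any conversion, compare
 * in size_t, and clamp to the data actually available. */
size_t proc_read_len_fixed(int count)
{
    if (count < 0)
        return 0;
    size_t want = (size_t)count;
    size_t avail = proc_data_len();
    return want < avail ? want : avail;
}

int main(void)
{
    printf("vulnerable, count=-1:   %zu bytes\n", proc_read_len_vulnerable(-1));
    printf("fixed,      count=-1:   %zu bytes\n", proc_read_len_fixed(-1));
    printf("fixed,      count=8:    %zu bytes\n", proc_read_len_fixed(8));
    printf("fixed,      count=1000: %zu bytes\n", proc_read_len_fixed(1000));
    return 0;
}
```

The same shape appears wherever a length from user space is held in a
signed type and checked only against an upper bound; the fix is the
explicit negative check (or taking the length as size_t in the first
place) plus a clamp to what the buffer really holds.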

*** {02.42.003} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities

Trustix released updated Apache packages, which fix the vulnerability
discussed in {02.40.013} ("Apache host name CSS, ab overflow and
shared memory vulnerabilities").

Updated RPMs are listed at:
http://archives.neohapsis.com/archiv...2-10/0254.html

Source: Trustix (SF Bugtraq)
http://archives.neohapsis.com/archiv...2-10/0254.html


*** {02.42.004} Linux - Update {02.32.017}: xinetd signal pipe
descriptor DoS

Red Hat released updated xinetd packages, which fix the vulnerability
discussed in {02.32.017} ("xinetd signal pipe descriptor DoS").

Updated RPMs are listed at:
http://archives.neohapsis.com/archiv...2-q4/0022.html

Source: Red Hat
http://archives.neohapsis.com/archiv...2-q4/0022.html

*** {02.42.005} Linux - Update {02.38.003}: xfree86 libX11.so
LD_PRELOAD vulnerability

Conectiva released updated xfree86 packages, which fix the
vulnerability discussed in {02.38.003} ("xfree86 libX11.so LD_PRELOAD
vulnerability").

Updated RPMs are listed at the reference URL below.

Source: Conectiva
http://archives.neohapsis.com/archiv...2-q4/0005.html

*** {02.42.006} Linux - Update {02.39.006}: Fetchmail multiple
vulnerabilities

Conectiva released updated Fetchmail packages, which fix the
vulnerability discussed in {02.39.006} ("Fetchmail multiple
vulnerabilities").

Updated RPMs are listed at the reference URL below.

Source: Conectiva
http://archives.neohapsis.com/archiv...2-q4/0003.html

*** {02.42.007} Linux - Update {02.40.024}: Sendmail smrsh execution
restriction bypass

Conectiva released updated Sendmail packages, which fix the
vulnerability discussed in {02.40.024} ("Sendmail smrsh execution
restriction bypass").

Updated RPMs are listed at the reference URL below.

Source: Conectiva
http://archives.neohapsis.com/archiv...2-q4/0004.html

*** {02.42.014} Linux - Update {02.39.013}: gv sscanf() overflow

Mandrake released updated ghostview packages, which fix the
vulnerability discussed in {02.39.013} ("gv sscanf() overflow").

Updated Mandrake RPMs:
http://archives.neohapsis.com/archiv...2-q4/0034.html

Updated Debian DEBs:
http://archives.neohapsis.com/archiv...2-q4/0277.html
http://archives.neohapsis.com/archiv...2-q4/0334.html

Source: Mandrake, Debian
http://archives.neohapsis.com/archiv...2-q4/0034.html
http://archives.neohapsis.com/archiv...2-q4/0277.html
http://archives.neohapsis.com/archiv...2-q4/0334.html

*** {02.42.015} Linux - Update {02.37.002}: Multiple Postgres function
buffer overflows

SuSE released updated postgres packages, which fix the vulnerability
discussed in {02.37.002} ("Multiple Postgres function buffer
overflows").

Updated RPMs are listed at the reference URL below.

Source: SuSE
http://archives.neohapsis.com/archiv...2-q4/0294.html

*** {02.42.016} Linux - Update {02.41.012}: syslog-ng macro expansion
overflow

EnGarde released updated syslog-ng packages, which fix the
vulnerability discussed in {02.41.012} ("syslog-ng macro expansion
overflow").

Updated RPMs are listed at the reference URL below.

Source: EnGarde
http://archives.neohapsis.com/archiv...2-q4/0003.html

*** {02.42.018} Linux - Update {02.38.013}: Multiple Mozilla 1.0
vulnerabilities

Red Hat re-released updated Mozilla packages, which fix the
vulnerability discussed in {02.38.013} ("Multiple Mozilla 1.0
vulnerabilities").

Updated RPMs are listed at the reference URL below.

Source: Red Hat
http://archives.neohapsis.com/archiv...2-q4/0029.html

*** {02.42.021} Linux - Update {02.39.003}: GNU tar file extraction
directory traversal

EnGarde released updated tar packages, which fix the vulnerability
discussed in {02.39.003} ("GNU tar file extraction directory
traversal").

Updated RPMs are listed at the reference URL below.

Source: EnGarde
http://archives.neohapsis.com/archiv...2-10/0032.html


--- BSD News
-----------------------------------------------------------

*** {02.42.008} BSD - Short ESP packet IPSEC DoS

A NetBSD advisory indicates that a bug in the handling of short ESP
IPsec packets causes the system to panic, a remotely triggerable
denial of service.

NetBSD-1.5 as of Sept. 5, 2002, as well as -1.6 and -current as of
Aug. 23, 2002, contain the fix.

Source: NetBSD
http://archives.neohapsis.com/archiv...2-q4/0085.html
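An added example in C of the shape such a bug usually takes and of the
check that prevents it. This is not NetBSD's IPsec code and makes no claim
about which line was wrong there; the IV and ICV sizes, the sample packet
and the function names are this example's assumptions. The point is the
order of operations: subtracting fixed ESP overhead from a packet length
before confirming the packet is at least that long wraps the result, and
the wrapped length then drives pointer arithmetic off the end of the
buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ESP wire layout (RFC 2406): 4-byte SPI, 4-byte sequence number, IV,
 * encrypted payload, trailer (1 byte pad length, 1 byte next header),
 * then an ICV. The IV and ICV sizes are this example's assumptions for a
 * single transform; a real stack takes them from the negotiated SA. */
#define ESP_HDR_LEN      8
#define ESP_IV_LEN       8    /* assumed */
#define ESP_TRAILER_LEN  2
#define ESP_ICV_LEN     12    /* assumed (HMAC truncated to 96 bits) */
#define ESP_OVERHEAD (ESP_HDR_LEN + ESP_IV_LEN + ESP_TRAILER_LEN + ESP_ICV_LEN)

/* Constructed 34-byte packet: SPI 0x100, seq 1, 8-byte IV, 4 bytes of
 * payload, trailer {pad_len=0, next=4}, 12-byte ICV (all placeholders). */
static const uint8_t sample_pkt[] = {
    0x00,0x00,0x01,0x00,  0x00,0x00,0x00,0x01,          /* SPI, seq      */
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,            /* IV            */
    0xde,0xad,0xbe,0xef,                                /* payload       */
    0x00,0x04,                                          /* pad len, next */
    0,0,0,0,0,0,0,0,0,0,0,0                             /* ICV           */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Naive arithmetic: subtracting the fixed overhead from an unchecked packet
 * length wraps for short packets, and the wrapped value then drives pointer
 * arithmetic far outside the packet buffer. */
size_t esp_payload_len_naive(size_t pkt_len)
{
    return pkt_len - ESP_OVERHEAD;
}

/* Hardened parser: check the minimum length before any subtraction, then
 * check the pad-length byte against the payload it claims to pad. The
 * trailer is read as if already decrypted, since the example has no cipher.
 * Returns the payload length (without padding) or -1 on a malformed packet. */
long esp_parse(const uint8_t *pkt, size_t pkt_len, uint32_t *spi, uint32_t *seq)
{
    if (pkt_len < ESP_OVERHEAD)
        return -1;                                  /* too short: drop it */
    size_t payload = pkt_len - ESP_OVERHEAD;        /* cannot wrap now    */
    uint8_t pad_len = pkt[pkt_len - ESP_ICV_LEN - ESP_TRAILER_LEN];
    if (pad_len > payload)
        return -1;                                  /* padding exceeds data */
    if (spi) *spi = be32(pkt);
    if (seq) *seq = be32(pkt + 4);
    return (long)(payload - pad_len);
}

int main(void)
{
    uint32_t spi, seq;
    long n = esp_parse(sample_pkt, sizeof sample_pkt, &spi, &seq);
    printf("sample: spi=%u seq=%u payload=%ld\n", spi, seq, n);
    printf("8-byte packet, naive length: %zu\n", esp_payload_len_naive(8));
    printf("8-byte packet, hardened:     %ld\n",
           esp_parse(sample_pkt, 8, NULL, NULL));
    return 0;
}
```

Every length that is derived by subtraction from a packet size needs the
"at least this long" check first; the second check (pad length against
payload) matters because the trailer is attacker-controlled too.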


--- Network Appliances News
--------------------------------------------

*** {02.42.025} NApps - Cisco Catalyst CatOS HTTP service DoS

A Cisco advisory indicates that CatOS versions 5.4 through 7.3
contain a buffer overflow in the embedded CiscoView HTTP server,
thereby allowing a remote attacker to cause the switch to reset.

Cisco confirmed this problem; a list of updates is available at the
reference URL below.

Source: Cisco
http://archives.neohapsis.com/archiv...2-q4/0001.html


--- Other News
---------------------------------------------------------

*** {02.42.012} Other - Update {02.06.011}: Multiple vendor SNMP
problems

HP released updated SNMP packages for MPE/iX, which fix the
vulnerability discussed in {02.06.011} ("Multiple vendor SNMP
problems").

Update information is listed at the reference URL below.

Source: HP
http://archives.neohapsis.com/archiv...2-q4/0010.html


--- Cross-Platform News
------------------------------------------------

*** {02.42.013} Cross - Apache mod_ssl host name CSS

The mod_ssl module for Apache contains a cross-site scripting
vulnerability: under certain configurations involving wildcard DNS
names, its error messages echo the requested host name without
escaping it.

Debian confirmed this vulnerability and released updated DEBs, which
are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archiv...2-q4/0385.html
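An added example in C of the host-name reflection behind this item and
{02.42.003} above. It is not Apache or mod_ssl code; the page template,
function names and buffer sizes are invented here. The assumption it rests
on is the usual one for this class of bug: when the server does not
canonicalize its own name and wildcard DNS resolves anything, the name
that lands in the error page comes from the client's Host: header, so it
is attacker-controlled and must be treated like any other untrusted input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Accept only the characters a host name (plus optional ":port") may
 * contain. Anything else is not a name the server should echo back. */
int hostname_is_valid(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253)
        return 0;
    int in_port = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (in_port) {
            if (!isdigit(c)) return 0;
        } else if (c == ':') {
            if (i == 0 || i + 1 == n) return 0;
            in_port = 1;
        } else if (!(isalnum(c) || c == '.' || c == '-')) {
            return 0;
        }
    }
    return 1;
}

/* Escape the five characters that matter in HTML text and attribute
 * context. Returns 0 if 'out' is too small (never emits a partial string). */
int html_escape(const char *in, char *out, size_t outsz)
{
    if (outsz == 0)
        return 0;
    size_t o = 0;
    for (; *in; in++) {
        const char *rep;
        char plain[2] = { *in, '\0' };
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = plain;    break;
        }
        size_t r = strlen(rep);
        if (o + r >= outsz)
            return 0;
        memcpy(out + o, rep, r);
        o += r;
    }
    out[o] = '\0';
    return 1;
}

/* Vulnerable shape: the client-supplied name goes straight into markup. */
int error_page_vulnerable(const char *host, char *out, size_t outsz)
{
    int n = snprintf(out, outsz,
                     "<p>The host %s is not configured for SSL.</p>", host);
    return n >= 0 && (size_t)n < outsz;
}

/* Hardened shape: validate the name, then escape it anyway. Either step
 * alone stops a "<script>" tag in the Host: header; both together also
 * cover odd-but-legal names and any later change to the page template. */
int error_page_hardened(const char *host, char *out, size_t outsz)
{
    char esc[1024];
    if (!hostname_is_valid(host))
        host = "(invalid host name)";
    if (!html_escape(host, esc, sizeof esc))
        return 0;
    int n = snprintf(out, outsz,
                     "<p>The host %s is not configured for SSL.</p>", esc);
    return n >= 0 && (size_t)n < outsz;
}

int main(void)
{
    const char *evil = "www.example.com<script>alert(1)</script>";
    char page[1024];
    if (error_page_vulnerable(evil, page, sizeof page)) puts(page);
    if (error_page_hardened(evil, page, sizeof page))   puts(page);
    return 0;
}
```

The validation step is the one most often skipped: a server has no reason
to reflect a Host: value that could not be a DNS name in the first place,
and rejecting it early keeps the escaping from being the only line of
defence.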

*** {02.42.017} Cross - PAM treats disabled passwords as empty

A Debian advisory indicates that some versions of PAM (version 0.76
is mentioned in particular) will treat disabled accounts with an '*'
in the password field as an empty password, thereby allowing login.

Updated Debian DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archiv...2-q4/0304.html
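A quick way to see which accounts on a host would be exposed by the
behaviour this advisory describes: list every entry whose password field is
exactly "*", and, while at it, every entry with no password field at all.
This is an added example in C, not Debian's or PAM's code; the shadow
lines it reads are constructed for the example (the hashes are
placeholders, not valid crypt(3) output), and it deliberately makes no
claim about how PAM treats "!"-locked fields, which the page does not
discuss.

```c
#include <stdio.h>
#include <string.h>

/* Constructed shadow(5)-style lines for the example; not a real file.
 * The hashes are placeholders, not valid crypt(3) output. */
static const char sample_shadow[] =
    "root:$1$saltsalt$PLACEHOLDERHASHROOT000:11984:0:99999:7:::\n"
    "daemon:*:11984:0:99999:7:::\n"
    "backup:!:11984:0:99999:7:::\n"
    "nobody::11984:0:99999:7:::\n"
    "alice:$1$saltsalt$PLACEHOLDERHASHALICE00:11984:0:99999:7:::\n";

/* Classify the password field of one shadow line:
 *   2  field is exactly "*" (the case the advisory describes)
 *   1  field is empty (no password at all)
 *   0  anything else, e.g. a hash or a "!"-locked field (the advisory
 *      says nothing about "!", so it is only reported as 'other' here)
 *  -1  malformed line with no password field */
int shadow_field_class(const char *line)
{
    const char *p = strchr(line, ':');
    if (!p)
        return -1;
    p++;
    const char *q = strchr(p, ':');
    size_t n = q ? (size_t)(q - p) : strlen(p);
    if (n == 0)
        return 1;
    if (n == 1 && p[0] == '*')
        return 2;
    return 0;
}

/* Walk a whole shadow-format buffer, print the accounts that fall in the
 * two risky classes, and return the count of "*" accounts; the count of
 * empty fields goes to *empty_out if non-NULL. */
int audit_shadow(const char *text, int *empty_out)
{
    int star = 0, empty = 0;
    const char *line = text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t full = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        size_t len = full < sizeof buf ? full : sizeof buf - 1;  /* truncate */
        memcpy(buf, line, len);
        buf[len] = '\0';

        int cls = shadow_field_class(buf);
        char *colon = strchr(buf, ':');
        if (colon)
            *colon = '\0';                  /* buf now holds the user name */
        if (cls == 2) { star++;  printf("'*' password (affected): %s\n", buf); }
        if (cls == 1) { empty++; printf("empty password:          %s\n", buf); }

        line = eol ? eol + 1 : line + full;
    }
    if (empty_out)
        *empty_out = empty;
    return star;
}

int main(void)
{
    int empty;
    int star = audit_shadow(sample_shadow, &empty);
    printf("%d account(s) with '*', %d with empty password\n", star, empty);
    return 0;
}
```

On a real system the buffer would come from /etc/shadow (readable only as
root); the output is the list of accounts to worry about until the updated
PAM packages are installed.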

*** {02.42.020} Cross - Heimdal kadmind multiple vulnerabilities

A buffer overflow was found in the kadmind daemon of the Heimdal
Kerberos package. The overflow is in the Kerberos 4 support code;
Heimdal versions prior to 0.5.1 are affected.

Updated Debian DEBs:
http://archives.neohapsis.com/archiv...2-q4/0296.html

NetBSD-1.6 and -current as of Oct. 22, 2002 contain a fix.

Source: Debian, NetBSD
http://archives.neohapsis.com/archiv...2-q4/0296.html
http://archives.neohapsis.com/archiv...2-q4/0083.html

*** {02.42.022} Cross - Ximian Evolution SSL certificate validation

Ximian Evolution versions 1.0.x and prior do not properly validate
SSL certificates, potentially allowing a malicious server (or an
attacker in the path to a legitimate one) to present an invalid SSL
certificate that the mail client will accept.

The vendor confirmed this vulnerability. Versions 1.1.x and 1.2.x
contain fixes.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-10/0045.html

*** {02.42.023} Cross - VBZoom forum CGI multiple vulnerabilities

VBZoom.com's VBZoom forum CGI suite version 1.01 contains two
vulnerabilities: register.php lets an attacker reset arbitrary users'
passwords; and uploaded files are not properly filtered, thereby
allowing the upload of PHP script code.

These vulnerabilities are not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-10/0111.html
http://archives.neohapsis.com/archiv...2-10/0126.html

************************************************************************