
Re: Web Pages TODO List - Security



On Wed, Aug 20, 2003 at 04:22:39AM -0700, Matt Kraai wrote:
> 
> I've committed them (modulo a bunch of typo fixes).  Thanks.
> 

Matt, thanks for making all those corrections and committing the patches
for the undated directory.

This next set of patches is for the webwml/english/security/1999
directory.  There is also a changes file included, that I hope will be
helpful.  If this set of patches is ok, could someone please commit them?

Doug Jensen

ssh - http://www.debian.org/security/1999/19991215a
    - Fixed link to CoreLabs advisory.
    - Added three database references (bid843, CVE-1999-0834, CA-1999-15).

qpopper - http://www.debian.org/security/1999/19991215
    - Added two database references (bid133, CVE-1999-0006).
    - Removed two entries added above bid133, CVE-1999-0006 (wrong bug).
    - Added paragraph containing links to Stuttgart and SecurityFocus.

sendmail - http://www.debian.org/security/1999/19991207
    - Added BugTraq list link.

proftpd - http://www.debian.org/security/1999/19991111a
    - Added BugTraq database reference.
    - Added links to SUSE Security and BugTraq list.

lpr - http://www.debian.org/security/1999/19991030
    - Added the BugTraq link.
    - Added the text from the 20000109 DSA page.

amd - http://www.debian.org/security/1999/19991018a
    - Added database references BID614 and CA-1999-12.
    - Added exploit description text from DSA page 19990924.

amd - http://www.debian.org/security/1999/19990924
    - Added database references BID614 and CA-1999-12.
    - Changed text in the "update" paragraph.

termcap-compat - http://www.debian.org/security/1999/19990823a
    - Added database reference BID588.
    - Added link to Debian Bug#43141.

rsync - http://www.debian.org/security/1999/19990823
    - Added Andrew Tridgell's message.
    - Added LWN and Stuttgart links.

cfingerd - http://www.debian.org/security/1999/19990814
    - Changed "You should still" to "However, you should still".
    - Added link to PacketStorm - cfingerd.txt.
    - Changed "cfingerd prior from 1.2.0 to" to "cfingerd from 1.2.0, and
      prior to".

isdnutils - http://www.debian.org/security/1999/19990807
    - Changed "However is that while" to "However, while".

cfingerd - http://www.debian.org/security/1999/19990806
    - Added database reference BID512.
    - Removed broken link referencing SecurityFocus id 512.
    - Added Stuttgart BugTraq archive link.

samba - http://www.debian.org/security/1999/19990804
    - Changed "was flawed which allowed" to "was flawed.  Which allowed".
    - Changed "arbitraty mountpoints in the filesystem" to "arbitrary
      mount points in the file system."

mailman (bad python.org link) - http://www.debian.org/security/1999/19990623
    - Added database reference BID480.
    - Fixed python.org link (the link worked, but the data was unrelated). 
    - Changed webpages to web pages.
    - Changed "version mailman" to "version of mailman,".
    - Added a comma after "Debian GNU/Linux 2.1".

xfs - http://www.debian.org/security/1999/19990331a
    - Added database references BID359 and CAN-1999-0434.
    - Added X-Force alerts link.
    - Added InDenial and Neohapsis BugTraq archive links.

XFree86 - http://www.debian.org/security/1999/19990331
    - Added database references BID326 and CVE-1999-0433.
    - Added Packetstorm and BugTraq links.

lsof - http://www.debian.org/security/1999/19990220a
    - Added database reference CVE-1999-0405.
    - Added Securityfocus link to hert.org posting.

super - http://www.debian.org/security/1999/19990215a
    - Added database references BID342, BID397, CAN-1999-0373, and 
      CAN-1999-0381.
    - Added Securityfocus archive link.

cfengine - http://www.debian.org/security/1999/19990215a
    - Changed "homedirectories" to "home directories".

FTP packages (bad link) - http://www.debian.org/security/1999/19990210
    - Reformatted the paragraph that begins with "If you are using Debian".
      The text of that paragraph was not changed.
    - Added database reference CA-1999-03.
    - Removed broken link to Netect (appears to be included in
      CA-1999-03).
    - Added reference about access with root privilege.

diff -u orig/1999/19990210.data new/1999/19990210.data
--- orig/1999/19990210.data	Sat Jan 18 07:52:15 2003
+++ new/1999/19990210.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>Debian FTP packages</define-tag>
 <define-tag report_date>1999-02-10</define-tag>
+<define-tag secrefs>CA-1999-03</define-tag>
 <define-tag packages>proftpd, wu-ftpd-academ</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
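Review bot: the new secrefs tag is placed between report_date and packages here, whereas the .data files that already carry one (19990623.data, 19990924.data, 19991018a.data, 19991111a.data and 19991215a.data in this same patch) put it after packages; keep the same position in every file so the tag order is uniform across the directory. The CA-1999-03 reference itself is fine, but the changes file only says the Netect advisory "appears to be" covered by it; confirm that CA-1999-03 does reproduce the Netect report before the netect.com link is dropped from the .wml.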
diff -u orig/1999/19990210.wml new/1999/19990210.wml
--- orig/1999/19990210.wml	Fri Apr 27 08:03:17 2001
+++ new/1999/19990210.wml	Mon Sep  1 20:53:27 2003
@@ -3,14 +3,16 @@
 (hamm) are vulnerable to a buffer overflow. It is possible to gain shell
 access to the machine, and we recommend upgrading these packages immediately.
 
+<p>Extract from the Netect report in CA-1999-03:<br>
+Intruders who are able to exploit this vulnerability can ultimately gain
+interactive access to the remote ftp server with root privilege.
+
 <p>If you are using Debian GNU/Linux 2.1 (slink) you should download
-a new version. Note that wu-ftpd
-will install in a disabled state on some configurations; you can enable wu-ftpd
-by uncommenting the line for /usr/sbin/ftpd in /etc/inetd.conf and running
-<code>/etc/init.d/netbase reload</code>. The line for /usr/sbin/in.ftpd should
-remain disabled.
+a new version. Note that wu-ftpd will install in a disabled state on
+some configurations; you can enable wu-ftpd by uncommenting the line for
+/usr/sbin/ftpd in /etc/inetd.conf and running <code>/etc/init.d/netbase
+reload</code>. The line for /usr/sbin/in.ftpd should remain disabled.
 
-<p>See also <fileurl http://www.netect.com/advisory_0209.html>
 </define-tag>
 <define-tag description>Buffer overflow in some FTP servers</define-tag>
 
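Review bot: the quoted Netect sentence is inserted as ordinary page text after a `<br>`, so nothing marks where the quotation ends and Debian's own text resumes; wrap it in quotation marks or a `<blockquote>` and name the source in full ("Netect report, as quoted in CERT advisory CA-1999-03"). With the `<fileurl>` to netect.com removed, the page body no longer links to anything and the reader has only the secrefs tag to follow; a direct link to the CERT advisory in the new paragraph would preserve the "See also" the page used to have. The reflow of the slink paragraph is whitespace-only and reads correctly.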
diff -u orig/1999/19990215.wml new/1999/19990215.wml
--- orig/1999/19990215.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990215.wml	Mon Sep  1 20:53:27 2003
@@ -1,6 +1,6 @@
 <define-tag moreinfo>The maintainer of Debian GNU/Linux cfengine package found
 a error in the way cfengine handles temporary files when it runs the tidy
-action on homedirectories, which makes it susceptible to a symlink
+action on home directories, which makes it susceptible to a symlink
 attack. The author has been notified of the problem but has not
 released a fix yet.</define-tag>
 <define-tag description>Security problem with temp file handling.</define-tag>
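Review bot: the unchanged context line above the edit reads "found a error in the way cfengine handles temporary files"; since this hunk already touches that sentence, change it to "an error" here rather than leaving a one-word fix for a later patch.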
diff -u orig/1999/19990215a.data new/1999/19990215a.data
--- orig/1999/19990215a.data	Sat Jan 18 07:59:08 2003
+++ new/1999/19990215a.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>super</define-tag>
 <define-tag report_date>1999-02-15</define-tag>
+<define-tag secrefs>CAN-1999-0373 CAN-1999-0381 BID342 BID397</define-tag>
 <define-tag packages>super</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
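Review bot: the two identifiers are written in candidate form (CAN-1999-0373, CAN-1999-0381) while the rest of the patch records accepted entries as CVE-; check the CVE list for whether these candidates have since been accepted and, if so, write them as CVE-1999-0373 and CVE-1999-0381 so that anything matching on the CVE- prefix finds them. The same check applies to CAN-1999-0434 in the xfs .data hunk of this patch.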
diff -u orig/1999/19990215a.wml new/1999/19990215a.wml
--- orig/1999/19990215a.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990215a.wml	Mon Sep  1 20:53:27 2003
@@ -3,7 +3,12 @@
 per-user .supertab files super didn't check for a buffer overflow when creating
 the path to the user's .supertab file.  Secondly another buffer overflow did
 allow ordinary users to overflow super by creating a nasty personal .supertab
-file.  We recommend you upgrade your super packages immediately.</define-tag>
+file.  We recommend you upgrade your super packages immediately.
+
+<p>An analysis of the super vulnerability is available at this 
+<a href="http://www.securityfocus.com/archive/1/12713";>Securityfocus archive </a>page.
+
+</define-tag>
 <define-tag description>Buffer overflow in super.</define-tag>
 
 # do not modify the following line
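Review bot: the added anchor reads `<a href="http://www.securityfocus.com/archive/1/12713";>`, with a stray `";` after the closing quote, and the same pattern appears in every href this patch adds. If that is really how the patch file reads and not an artifact of the list archive, the characters end up inside the tag and every new link is malformed, so check the raw patch before committing. Smaller points in the same hunk: trim the trailing space after "available at this ", move the space inside the link text ("Securityfocus archive </a>page") outside the `</a>`, and write the site name as SecurityFocus.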
diff -u orig/1999/19990220a.data new/1999/19990220a.data
--- orig/1999/19990220a.data	Sat Jan 18 08:01:48 2003
+++ new/1999/19990220a.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>lsof</define-tag>
 <define-tag report_date>1999-02-20</define-tag>
+<define-tag secrefs>CVE-1999-0405</define-tag>
 <define-tag packages>lsof</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
diff -u orig/1999/19990220a.wml new/1999/19990220a.wml
--- orig/1999/19990220a.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990220a.wml	Mon Sep  1 20:53:27 2003
@@ -1,7 +1,11 @@
 <define-tag moreinfo>When lsof is setuid-root or setgid kmem, it is vulnerable
 to a buffer overflow that could lead to direct root compromise or root
-compromise thru live kernel patching.</define-tag>
-<define-tag description>Buffer overflow in lsof</define-tag>
+compromise thru live kernel patching.
+
+<p>This <a href="http://www.securityfocus.com/archive/1/12566/2003-04-12/2003-04-18/2";>Securityfocus archive </a>posting from hert.org, emphasizes that lsof
+should not be setuid-root or setgid.
 
+</define-tag>
+<define-tag description>Buffer overflow in lsof</define-tag>
 # do not modify the following line
 #include '$(ENGLISHDIR)/security/1999/19990220a.data'
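Review bot: the SecurityFocus URL carries a browse date range (`/12566/2003-04-12/2003-04-18/2`) that is archive navigation state rather than part of the message address and is likely to stop resolving; link to the message id path alone. Two smaller points: the blank line that separated `<define-tag description>` from the "# do not modify" comment has been lost in the reshuffle, and "thru" on the unchanged context line could become "through" while that sentence is being re-terminated.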
diff -u orig/1999/19990331.data new/1999/19990331.data
--- orig/1999/19990331.data	Thu Apr 19 09:52:08 2001
+++ new/1999/19990331.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>XFree86</define-tag>
 <define-tag report_date>1999-03-31</define-tag>
+<define-tag secrefs>CVE-1999-0433 BID326</define-tag>
 <define-tag packages>none</define-tag>
 <define-tag isvulnerable>no</define-tag>
 <define-tag fixed>yes</define-tag>
diff -u orig/1999/19990331.wml new/1999/19990331.wml
--- orig/1999/19990331.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990331.wml	Mon Sep  1 20:53:27 2003
@@ -1,7 +1,15 @@
 <define-tag moreinfo>Some versions of the X windowing system will make
 /tmp/.X11-unix world readable, even if that location is a symbolic link to
 another file on the system. Debian 2.1 (slink) is <em>not</em> affected by this
-problem.</define-tag>
+problem.
+
+<p>It appears that the bug was originally reported for a NetBSD system
+on <a href="http://packetstorm.icx.fr/9903-exploits/X11R6.txt";>Packetstorm - March 1999 exploits</a>,
+the page has a reference showing that Linux is also vulnerable.  Additionally, 
+SUSE Security Alert for this vulnerability is available on this
+<a href="http://lists.insecure.org/lists/bugtraq/1999/Mar/0216.html";>BugTraq list - 1999 Mar (0216) </a>page.
+
+</define-tag>
 <define-tag description>symbolic link can be used to make any file world readable</define-tag>
 
 # do not modify the following line
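Review bot: "Packetstorm - March 1999 exploits</a>, the page has a reference showing that Linux is also vulnerable" is a comma splice; end the sentence after the link and continue "That page also notes that Linux is affected." Add "the" before "SUSE Security Alert". The packetstorm.icx.fr host is a mirror rather than the Packet Storm origin, and mirrors of that site have come and gone, so prefer the origin URL for the 9903-exploits/X11R6.txt path. Because the first paragraph states that slink is not affected, say explicitly that "Linux is also vulnerable" refers to the upstream X11R6 code and not to the Debian package.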
diff -u orig/1999/19990331a.data new/1999/19990331a.data
--- orig/1999/19990331a.data	Thu Apr 19 09:52:08 2001
+++ new/1999/19990331a.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>xfs</define-tag>
 <define-tag report_date>1999-03-31</define-tag>
+<define-tag secrefs>CAN-1999-0434 BID359</define-tag>
 <define-tag packages>xfs</define-tag>
 <define-tag isvulnerable>no</define-tag>
 <define-tag fixed>yes</define-tag>
diff -u orig/1999/19990331a.wml new/1999/19990331a.wml
--- orig/1999/19990331a.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990331a.wml	Mon Sep  1 20:53:27 2003
@@ -1,7 +1,18 @@
 <define-tag moreinfo>Some implementations of xfs incorrectly set the
 permissions of /tmp/.font-unix even if that location is a symbolic link to
 another file. Debian 2.1 (slink) is <em>not</em> vulnerable to this
-problem.</define-tag>
+problem.
+
+<p>This <a href="http://xforce.iss.net/static/3502.php";>IIS Security - X-Force Alerts - xfree86-xfs-symlink-dos </a>page
+provides a good summary of the xfs vulnerability.
+
+<p>The vulnerability can be used to change the permissions of the /etc/shadow
+file, as shown in 
+<a href="http://archives.neohapsis.com/archives/bugtraq/1999_1/1166.html";>Neohapsis Archives (BugTraq) 1999 "bugs in xfs"</a>.
+The <a href="http://archives.indenial.com/hypermail/bugtraq/1999/March1999/index.html#241";>InDenial BugTraq Archives - 1999 Mar "bugs in xfs" </a>shows
+the thread.  
+
+</define-tag>
 <define-tag description>symbolic link can be used to change file permissions</define-tag>
 
 # do not modify the following line
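Review bot: the link text says "IIS Security - X-Force Alerts"; X-Force belongs to ISS (Internet Security Systems), not IIS, so correct the acronym. The X-Force entry's own name, xfree86-xfs-symlink-dos, labels the issue a denial of service, while the next paragraph describes changing the permissions of /etc/shadow, which is a privilege problem; a few words noting that the DoS label understates the impact would stop readers from dismissing it. Trailing whitespace on "as shown in " and "the thread.  " should be trimmed.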
diff -u orig/1999/19990623.data new/1999/19990623.data
--- orig/1999/19990623.data	Fri Jan 10 17:13:50 2003
+++ new/1999/19990623.data	Mon Sep  1 20:53:18 2003
@@ -1,7 +1,7 @@
 <define-tag pagetitle>mailman</define-tag>
 <define-tag report_date>1999-06-23</define-tag>
 <define-tag packages>mailman</define-tag>
-<define-tag secrefs>CVE-1999-0742</define-tag>
+<define-tag secrefs>CVE-1999-0742 BID480</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
 
diff -u orig/1999/19990623.wml new/1999/19990623.wml
--- orig/1999/19990623.wml	Wed Mar 20 08:07:18 2002
+++ new/1999/19990623.wml	Tue Sep  2 00:01:52 2003
@@ -1,10 +1,15 @@
-<define-tag moreinfo>We have become aware that the version mailman as supplied
-in Debian GNU/Linux 2.1 has a problem with verifying list administrators.
-The problem is that the cookie value generation used was predictable, so
-using forged authentication cookies it was possible to access the list
-administration webpages without knowing the proper password.  More
-information about this vulnerability can be found at
-<fileurl http://mail.python.org/pipermail/mailman-developers/1999-June/001128.html>
+<define-tag moreinfo>We have become aware that the version of mailman, as
+supplied in Debian GNU/Linux 2.1, has a problem with verifying list
+administrators.  The problem is that the cookie value generation used was
+predictable, so using forged authentication cookies it was possible to access
+the list administration web pages without knowing the proper password.  More
+information about this vulnerability can be found at python.org 
+mailman-developers list for 1999-June, in the 
+<a href="http://mail.python.org/pipermail/mailman-developers/1999-June/thread.html#5689";>"Cookie security hole in admin interface" </a>thread.
+
+# This link, included on the original page is incorrect.  Unfortunately,
+# it also appears in the security-announce archives.
+#<fileurl http://mail.python.org/pipermail/mailman-developers/1999-June/001128.html>
 This has been fixed in version 1.0rc2-5.</define-tag>
 <define-tag description>weak administrator authentication</define-tag>
 
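Review bot: the old URL is kept as a WML `#` comment inside the moreinfo body together with the editor note "This link, included on the original page is incorrect"; a comma is needed after "page", and the note belongs in the commit message or the changes file rather than as commented-out markup in the page source. The new link points at `thread.html#5689`, an anchor generated by pipermail's thread index; the per-message URL of the first post in the "Cookie security hole in admin interface" thread would be stabler. Also "found at python.org mailman-developers list" needs "the", and the `+` lines ending in "python.org " and "in the " carry trailing spaces.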
diff -u orig/1999/19990804.wml new/1999/19990804.wml
--- orig/1999/19990804.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990804.wml	Mon Sep  1 20:53:27 2003
@@ -4,8 +4,8 @@
 <li>a Denial-of-Service attack against nmbd was possible
 <li>it was possible to exploit smbd if you had a message command defined which
 used the %f or %M formatter.
-<li>smbmnt's check to see if a user is allowed to create a mount was flawed
-which allowed users to mount at arbitraty mountpoints in the filesystem
+<li>smbmnt's check to see if a user is allowed to create a mount was flawed.
+Which allowed users to mount at arbitrary mount points in the file system.
 </ul>
 
 <p>These problems have been fixed in version 2.0.5a-1. We recommend you upgrade
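Review bot: the replacement "was flawed. Which allowed users to mount at arbitrary mount points in the file system." turns the relative clause into a sentence fragment; the original run-on wanted a comma, not a full stop: "was flawed, which allowed users to mount at arbitrary mount points in the file system." The "arbitraty" spelling fix is fine.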
diff -u orig/1999/19990806.data new/1999/19990806.data
--- orig/1999/19990806.data	Thu Apr 19 09:52:08 2001
+++ new/1999/19990806.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>cfingerd</define-tag>
 <define-tag report_date>1999-08-06</define-tag>
+<define-tag secrefs>BID512</define-tag>
 <define-tag packages>cfingerd</define-tag>
 <define-tag isvulnerable>no</define-tag>
 <define-tag fixed>yes</define-tag>
diff -u orig/1999/19990806.wml new/1999/19990806.wml
--- orig/1999/19990806.wml	Fri Apr 27 08:03:17 2001
+++ new/1999/19990806.wml	Mon Sep  1 20:53:27 2003
@@ -3,10 +3,17 @@
 using versions of Debian prior to 2.0 or cfingerd versions prior to 1.3.2-9
 should upgrade to the latest version of cfingerd.
 
+<p>The <a href="http://lists.insecure.org/lists/bugtraq/1999/Jul/0002.html";>original bug report</a>, 
+referred to in the "credit" section of BugTraq ID 512, has additional
+information.
+
+<p>An email in the <a href="http://cert.uni-stuttgart.de/archive/bugtraq/1999/07/msg00009.html";>Stuttgart BugTraq archive 1999/07 (00009) </a>suggests 
+using other variants of fingerd, instead of the patch referred to in the 
+"solution" section of BugTraq ID 512.
+
 <p><strong>Update:</strong> Another cfingerd exploit is covered in a later
 advisory, available <a href="19990814">here</a>.
 
-<p>See also <a href="http://www.securityfocus.com/vdb/bottom.html?section=discussion&amp;vid=512";>http://www.securityfocus.com/vdb/bottom.html?section=discussion&amp;vid=512</a>
 </define-tag>
 <define-tag description>Buffer overflow in older versions of cfingerd.</define-tag>
 
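Review bot: the removed "See also" line was the only link to the BugTraq ID 512 entry, and both new paragraphs refer to its "credit" and "solution" sections without linking to it, so readers have nothing to follow but the secrefs tag; keep a link to the BID 512 entry alongside the mailing-list links. The second paragraph passes on a list post suggesting "other variants of fingerd" instead of the patch, right next to Debian's own instruction to upgrade cfingerd; make clear that the Debian recommendation remains the upgrade and that swapping daemons is one poster's opinion. "Stuttgart BugTraq archive 1999/07 (00009) </a>suggests " has a space inside the anchor and trailing whitespace.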
diff -u orig/1999/19990807.wml new/1999/19990807.wml
--- orig/1999/19990807.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990807.wml	Mon Sep  1 20:53:27 2003
@@ -1,7 +1,7 @@
 <define-tag moreinfo>Xmonisdn is an X applet that shows the status of the ISDN
 links. You can configure it to run two scripts when the left or right mouse
 button are clicked on it. Xmonisdn was installed setuid root so that the
-scripts could do things like add and delete the default route. However is that
+scripts could do things like add and delete the default route. However, 
 while the scripts were checked for owner root and not writeable by group or
 others the scripts are run via the system() library function, which spawns a
 shell to run it. This means that the scripts are open to attack via IFS and/or
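Review bot: the rewritten line ends with a trailing space after "However, ", and the sentence continuing on the unchanged lines still lacks the comma that the new "However, while ..." construction needs: "while the scripts were checked for owner root and not writable by group or others, the scripts are run via the system() library function". "writeable" can become "writable" in the same hunk.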
diff -u orig/1999/19990814.wml new/1999/19990814.wml
--- orig/1999/19990814.wml	Fri Apr 27 08:03:17 2001
+++ new/1999/19990814.wml	Mon Sep  1 20:53:27 2003
@@ -8,12 +8,15 @@
 in section "internal_config", i.e. that file contains a line "-ALLOW_EXECUTION"
 
 <p>This is the default configuration of this package.  If you use the default
-cfingerd.conf file as shipped with the distribution you are safe.  You should
-still upgrade.
+cfingerd.conf file as shipped with the distribution you are safe.  However, 
+you should still upgrade.
 
-<p>All versions of cfingerd prior from 1.2.0 to 1.4.0 were vulnerable to this
-exploit. The fix from 1.4.0 has been added to cfingerd 1.3.2-18.1 for slink,
-which is available at the location below.
+<p>More information about this bug can be found at 
+<a href="http://packetstorm.icx.fr/new-exploits/cfingerd.txt";>PacketStorm - cfingerd.txt</a>
+
+<p>All versions of cfingerd from 1.2.0, and prior to 1.4.0 were vulnerable to
+this exploit. The fix from 1.4.0 has been added to cfingerd 1.3.2-18.1 for
+slink, which is available at the location below.
 
 <p>N.B.: Fixed packages are available below for Debian 2.1 (slink). cfingerd
 1.4.0 is included in Debian 2.2 (potato).
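Review bot: "cfingerd from 1.2.0, and prior to 1.4.0" is no clearer than what it replaces; "cfingerd versions from 1.2.0 up to, but not including, 1.4.0" states the range unambiguously. The new reference paragraph is inserted between the "you are safe / you should still upgrade" paragraph and the affected-versions paragraph, separating the advice from the version range it qualifies; place it after the version paragraph. The `new-exploits/cfingerd.txt` path on the packetstorm.icx.fr mirror is a rolling "new" directory, so the file will move; link to the dated archive path on the origin host instead.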
diff -u orig/1999/19990823.wml new/1999/19990823.wml
--- orig/1999/19990823.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990823.wml	Mon Sep  1 20:53:27 2003
@@ -3,8 +3,59 @@
 transferring an empty directory into a non-existent directory on a remote host,
 permissions on the remote host may be mangled.  This bug may only happen in
 very rare cases.  It's not likely that you have experienced this, but you'd
-better check the permissions of your home directories.</define-tag>
-<define-tag description>Rare problem with corrupted file permissions</define-tag>
+better check the permissions of your home directories.
+
+<p>Andrew Tridgell sent a message to BUGTRAQ@NETSPACE.ORG on 7 Apr 1999,
+that is reproduced below.  The message is also available at <a href="http://lwn.net/1999/0408/a/rsync.html";>LWN - rsync (1999) </a>and
+<a href="http://cert.uni-stuttgart.de/archive/bugtraq/1999/04/msg00051.html";>Stuttgart BUGTRAQ - 1999.</a>
+
+<p>Andrew's message to BUGTRAQ:
+<p>I discovered a security hole in rsync yesterday and have released rsync 2.3.1
+to fix it.
+
+<p>The problem happened when all of these conditions held true:<br>
+
+  1) the source file list contains exactly one filename and that is the name
+     of an empty directory<br>
+  2) the source directory name is specified on the command line as "somedir/"
+     or "somedir/." or "." not as "somedir"<br>
+  3) the destination directory doesn't exist<br>
+  4) you have recursion and permission transfer enabled (the -a option
+     will do this)<br>
+  5) the working directory of the receiving process is not the destination
+     directory (this happens when you do remote rsync transfers)<br>
+
+<p>(the short summary is that you need to be transferring an empty directory
+into a non-existent directory)
+
+<p>In that case (which is quite rare) the permissions from the empty
+directory in the source file list were set on the working directory of
+the receiving process. In the case of a remote rsync over rsh or ssh
+this means that the permissions on your home directory are changed to
+those of the empty directory you are transferring.
 
+<p>This is a serious bug (and security hole) as it may change your home
+directory permissions to allow other users access to your files. A
+user can't exploit this hole deliberately to gain privileges (ie. this
+is not an "active" security hole) but a system administrator could
+easily be caught by the bug and inadvertently compromise the security
+of their system.
+
+<p>To see if you have been hit by this bug you should look at the permissions
+ on your home directory. If they are not what you expect then perhaps you
+ have been bitten by this bug.
+
+<p>The fix is to chmod your home directory back to the correct permissions
+ and upgrade to rsync 2.3.1. The bug is in the receiving side of rsync,
+ so it is quite safe to continue to use older anonymous rsync servers as
+ long as you upgrade your client.
+
+<p>This bug has been present in all versions of rsync. I apologize for any
+ inconvenience.
+
+<p>Tridge
+
+</define-tag>
+<define-tag description>Rare problem with corrupted file permissions</define-tag>
 # do not modify the following line
 #include '$(ENGLISHDIR)/security/1999/19990823.data'
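Review bot: the five numbered conditions are laid out as text joined with `<br>` inside a `<p>`, with hand-indented continuation lines; render them as an `<ol>` so the structure survives reflow, as the other advisory pages do with `<ul>` for their lists. Reproducing the whole message also drops the blank line between `<define-tag description>` and the "# do not modify" comment, puts a bare "BUGTRAQ@NETSPACE.ORG" address into the page, and leaves leading spaces on the lines from "on your home directory" through "inconvenience."; "ie." in the quoted text should be "i.e.". Since this is Andrew Tridgell's verbatim announcement, keep it visibly marked as a quotation (a `<blockquote>`, or an opening and a closing line) rather than running it into the advisory's own prose.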
diff -u orig/1999/19990823a.data new/1999/19990823a.data
--- orig/1999/19990823a.data	Thu Apr 19 09:52:08 2001
+++ new/1999/19990823a.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>termcap-compat</define-tag>
 <define-tag report_date>1999-08-18</define-tag>
+<define-tag secrefs>BID588</define-tag>
 <define-tag packages>termcap-compat</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
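Review bot: the unchanged context shows `<define-tag report_date>1999-08-18</define-tag>` in a file named 19990823a.data; every other .data file in this patch has a report_date matching its filename, so either the date or the filename is wrong and is worth verifying against the DSA announcement while the file is being touched.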
diff -u orig/1999/19990823a.wml new/1999/19990823a.wml
--- orig/1999/19990823a.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990823a.wml	Mon Sep  1 20:53:27 2003
@@ -3,7 +3,12 @@
 exploitable by this bug since termcap was abandoned in favour of terminfo long
 ago.  However, if you have compiled your own programs using termcap or have
 installed third party programs that depend on libtermcap and run as root they
-are exploitable.</define-tag>
+are exploitable.
+
+<p>See <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=43141";>Debian Bug#43141 </a>for additional information.
+
+
+</define-tag>
 <define-tag description>Buffer overflow</define-tag>
 
 # do not modify the following line
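Review bot: two blank lines are left before `</define-tag>`, and there is a space inside the anchor text ("Debian Bug#43141 </a>"); drop the extra blank line and move the space after the closing tag, matching the spacing used elsewhere in these pages.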
diff -u orig/1999/19990924.data new/1999/19990924.data
--- orig/1999/19990924.data	Fri Jan 10 17:13:50 2003
+++ new/1999/19990924.data	Mon Sep  1 20:53:18 2003
@@ -1,7 +1,7 @@
 <define-tag pagetitle>amd</define-tag>
 <define-tag report_date>1999-09-24</define-tag>
 <define-tag packages>amd</define-tag>
-<define-tag secrefs>CVE-1999-0704</define-tag>
+<define-tag secrefs>CVE-1999-0704 BID614 CA-1999-12</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
 
diff -u orig/1999/19990924.wml new/1999/19990924.wml
--- orig/1999/19990924.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990924.wml	Mon Sep  1 20:53:27 2003
@@ -2,8 +2,11 @@
 GNU/Linux 2.1 is vulnerable to a remote exploit. Passing a big directory name
 to amd's logging code would overflow a buffer which could be exploited.  This
 has been fixed in version 23.0slink1.
-<p>Note: This alert has been <a href=19991018a>updated,</a> please refer to the
-latest alert for details on correcting this problem.
+
+<p><em>Update:  </em>This fix caused an error that has been corrected in
+version upl102-23.slink2.  Please refer to the <a href=19991018a>updated
+DSA page for amd</a>, for information on correcting this problem.
+
 </define-tag>
 <define-tag description>Buffer overflow in amd</define-tag>
 
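Review bot: "This fix caused an error" disagrees with the companion page's wording, "that fix contained an error which has been corrected in version upl102-23.slink2"; use "contained" in both places so the two amd pages describe the same thing. `<em>Update:  </em>` carries two spaces inside the element; close the `</em>` after the colon and put a single space after it. The unquoted `href=19991018a` is inherited from the original but could be quoted while the line is being rewritten anyway.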
diff -u orig/1999/19991018a.data new/1999/19991018a.data
--- orig/1999/19991018a.data	Fri Jan 10 17:13:50 2003
+++ new/1999/19991018a.data	Mon Sep  1 20:53:18 2003
@@ -1,7 +1,7 @@
 <define-tag pagetitle>amd</define-tag>
 <define-tag report_date>1999-10-18</define-tag>
 <define-tag packages>amd</define-tag>
-<define-tag secrefs>CVE-1999-0704</define-tag>
+<define-tag secrefs>CVE-1999-0704 BID614 CA-1999-12</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
 
diff -u orig/1999/19991018a.wml new/1999/19991018a.wml
--- orig/1999/19991018a.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19991018a.wml	Mon Sep  1 20:53:27 2003
@@ -1,7 +1,12 @@
 <define-tag moreinfo>The version of amd that was distributed with Debian
-GNU/Linux 2.1 is vulnerable to a remote exploit. <a href=19990924>This was
-fixed in version 23.0slink1</a>.  However that fix contained an error which has
-been corrected in version upl102-23.slink2.</define-tag>
+GNU/Linux 2.1 is vulnerable to a remote exploit. Passing a big directory
+name to amd's logging code would overflow a buffer which could be
+exploited. That vulnerability was fixed in version 23.0slink1, see the
+<a href=19990924>DSA page on 24 Sep 1999 for amd</a>.  However, that fix
+contained an error which has been corrected in version upl102-23.slink2.
+Use the information below to get corrected packages.
+
+</define-tag>
 <define-tag description>Buffer overflow in amd -- update</define-tag>
 
 # do not modify the following line
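Review bot: the sentence describing the overflow is now duplicated verbatim from 19990924.wml, so a later correction will have to be made in two places; a one-line summary plus the existing cross-link would keep the update page self-explanatory without the copy. The rest of the rewording is fine.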
diff -u orig/1999/19991030.wml new/1999/19991030.wml
--- orig/1999/19991030.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19991030.wml	Tue Sep  2 00:38:55 2003
@@ -6,9 +6,25 @@
 <li>lpd did not check permissions of queue-files. As a result by using the -s
 flag it could be tricked into printing files a user can otherwise not read
 </ul>
-<p><b>Update</b>: Additional vulnerabilities have been discovered in lpr. See
-<a href=../2000/20000109>http://www.debian.org/security/2000/20000109</a> for
-more information.
+
+<p>See <a href="http://lists.insecure.org/lists/bugtraq/1999/Oct/0176.html";>
+BugTraq list (1999 Oct 0176) </a>for more information.
+
+<p><b>Update</b>:  Additional vulnerabilities have been discovered in lpr. See
+the <a href=../2000/20000109>DSA page on 09 Jan 2000 for lpr</a>, which 
+has links to new packages and the following information:
+
+<p>The version of lpr that was distributed with Debian GNU/Linux 2.1 and the
+updated version released in 2.1r4 have two security problems:
+<ul>
+<li>the client hostname wasn't verified properly, so if someone is able to
+control the DNS entry for their IP he could fool lpr into granting access.
+<li>it was possible to specify extra options to sendmail which could be used
+to specify another configuration file.  This can be used to gain root access.
+</ul>
+<p>Both problems have been fixed in 0.48-0.slink1.  We recommend you upgrade
+your lpr package immediately.
+
 </define-tag>
 <define-tag description>users can see files they shouldn't</define-tag>
 
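Review bot: the full text of the 09 Jan 2000 advisory is copied into the October 1999 page, including its closing recommendation of 0.48-0.slink1, so one moreinfo now names two different fixed versions and a reader skimming for "which version fixes this" may take the later one for the October issue. A one-sentence summary of the two later problems plus the existing cross-link would carry the same information without the duplication. In the copied text, "if someone is able to control the DNS entry for their IP he could fool lpr" mixes "their" and "he"; and the first new anchor opens with a line break inside the link text (`<a href=...>` followed by "BugTraq list" on the next line), which renders as a leading space in the link.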
diff -u orig/1999/19991111a.data new/1999/19991111a.data
--- orig/1999/19991111a.data	Thu Apr 19 09:52:08 2001
+++ new/1999/19991111a.data	Mon Sep  1 20:53:18 2003
@@ -1,6 +1,7 @@
 <define-tag pagetitle>proftpd</define-tag>
 <define-tag report_date>1999-11-11</define-tag>
 <define-tag packages>proftpd</define-tag>
+<define-tag secrefs>BID650</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
 
diff -u orig/1999/19991111a.wml new/1999/19991111a.wml
--- orig/1999/19991111a.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19991111a.wml	Mon Sep  1 20:53:27 2003
@@ -8,8 +8,13 @@
 </ul>
 <p>Please note that this is not meant to be an exhaustive list.
 <p>In addition to the security fixes a couple of Y2K problems were also fixed.
+
+<p>See this <a href="http://lists.suse.com/archive/suse-security/1999-Sep/0052.html";>SUSE Security (1999 Sep 0052) </a>Announcement
+and <a href="http://lists.insecure.org/lists/bugtraq/1999/Sep/0337.html";>BugTraq lists (1999 Sep 0337)</a>, for additional information. 
+
 <p>We have made a new package with version 1.2.0pre9-4 to address these
 issues, and we recommend to upgrade your proftpd package immediately.
+
 </define-tag>
 <define-tag description>buffer overflows in proftpd</define-tag>
 
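Review bot: "See this ... Announcement and ... BugTraq lists (1999 Sep 0337), for additional information." needs "list" in the singular, no capital on "announcement" and no comma before "for"; both lines also end with trailing spaces. The reference paragraph is inserted between the Y2K sentence and the "new package with version 1.2.0pre9-4" sentence, separating the fix statement from the list of issues it refers to; place it after the upgrade recommendation, as the sendmail hunk in this patch does.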
diff -u orig/1999/19991207.wml new/1999/19991207.wml
--- orig/1999/19991207.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19991207.wml	Mon Sep  1 20:53:27 2003
@@ -7,7 +7,11 @@
 <p>This has been fixed by only allowing root and trusted users to regenerate
 the aliases database.
 
-<p>We recommend you upgrade your sendmail package to new version.</define-tag>
+<p>See the <a href="http://lists.insecure.org/lists/bugtraq/1999/Nov/0313.html";>BugTraq list (1999/Nov/0313)</a> for more information.
+
+<p>We recommend you upgrade your sendmail package to the new version.
+
+</define-tag>
 <define-tag description>Denial of Service in Sendmail</define-tag>
 
 # do not modify the following line
diff -u orig/1999/19991215.wml new/1999/19991215.wml
--- orig/1999/19991215.wml	Wed Jul 18 06:00:39 2001
+++ new/1999/19991215.wml	Mon Sep  1 20:53:27 2003
@@ -3,6 +3,14 @@
 This version of qpopper is not included in Debian; the version of qpopper
 shipped with Debian GNU/Linux 2.1 (qpopper 2.3-4) is <em>not</em> vulnerable
 to the overflow.
+
+<p>The vulnerability is caused by not bounds checking the input buffers, when
+using vsprintf or sprintf.  For details see the 
+<a href="http://cert.uni-stuttgart.de/archive/bugtraq/1999/12/msg00009.html";>Stuttgart BugTraq archive </a>or
+the <a href="http://www.securityfocus.com/archive/1/36847/1999-11-27/1999-12-03/2";>SecurityFocus archive.  </a>Both 
+links refer to the same email from  Qpopper Support at Qualcomm and include
+the original bug report from Mixter.
+
 </define-tag>
 <define-tag description>buffer overflow in qpopper</define-tag>
 
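Review bot: "The vulnerability is caused by not bounds checking the input buffers, when using vsprintf or sprintf" adds a root-cause claim to the page whose source is the Qualcomm mail linked right after it, so attribute it ("According to the Qpopper Support message ...") and drop the comma before "when". The SecurityFocus link includes a browse date range (`/36847/1999-11-27/1999-12-03/2`) that is navigation state rather than part of the message address and is likely to stop resolving; use the bare message path. The full stop and double space inside "SecurityFocus archive.  </a>" belong outside the anchor.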
diff -u orig/1999/19991215a.data new/1999/19991215a.data
--- orig/1999/19991215a.data	Thu Apr 19 09:52:08 2001
+++ new/1999/19991215a.data	Mon Sep  1 20:53:18 2003
@@ -1,6 +1,7 @@
 <define-tag pagetitle>ssh</define-tag>
 <define-tag report_date>1999-12-15</define-tag>
 <define-tag packages>ssh</define-tag>
+<define-tag secrefs>BID843 CA-1999-15 CVE-1999-0834</define-tag>
 <define-tag isvulnerable>no</define-tag>
 <define-tag fixed>no</define-tag>
 
diff -u orig/1999/19991215a.wml new/1999/19991215a.wml
--- orig/1999/19991215a.wml	Wed Jul 18 05:52:19 2001
+++ new/1999/19991215a.wml	Mon Sep  1 20:53:27 2003
@@ -4,9 +4,11 @@
 remote access to a host running the vulnerable program. The version of ssh in
 Debian is <em>not</em> linked against rsaref2, and is <em>not</em> vulnerable
 as shipped. Note that if you compile a local copy of ssh with the rsaref2
-library, your local copy may be vulnerable. See the advisory at <a
-href=http://www.core-sdi.com/advisories/buffer_over_ing.htm>http://www.core-sdi.com/advisories/buffer_over_ing.htm</a>
-for more information.
+library, your local copy may be vulnerable.  See 
+<a href="http://www1.corest.com/common/showdoc.php?idx=130&amp;idxseccion=10&amp;CORE=17f28e005bf48e41503333f6d8aa3d15";>CoreLabs Advisories - CORE-1201999 </a>for more information.
+
+<p>Any software that uses the rsaref2 library could be vulnerable.
+
 </define-tag>
 <define-tag description>remote exploit in ssh</define-tag>
 
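Review bot: the new CoreLabs URL embeds `CORE=17f28e005bf48e41503333f6d8aa3d15`, which looks like a per-visit session token rather than a stable document key, so the link will most likely be dead for anyone but the person who copied it; link to the advisory by its showdoc idx alone, and cite it by name (the CORE-1201999 advisory) so it can be found again if the site is reorganised. The added sentence "Any software that uses the rsaref2 library could be vulnerable." is the useful point of this page and is consistent with the surrounding text, which ties the problem to linking against rsaref2; "linked against the rsaref2 library" would match the wording two lines above.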
Only in new/1999/: index.wml
