
Fixed patch was Re: Web Pages TODO List - Security



On Tue, Sep 02, 2003 at 06:10:40AM -0600, doug jensen wrote:
> On Tue, Sep 02, 2003 at 12:27:49PM +0200, Gerfried Fuchs wrote:
> > * Peter Karlsson <peter@softwolves.pp.se> [2003-09-02 12:10]:
> > > but it is a lot more work to figure out what word was changed in a
> > > re-justified paragraph.
> > 
> >  I don't think that we can't overemphasis on this. Don't do it...
> > 
> 
> Sorry, I will redo the patch and send in a new one.
> 
Should I ask, "Please find errors in these patches." instead of "If this
is ok could someone please commit?"

Fixed patches?  Attached.

Doug Jensen

ssh - http://www.debian.org/security/1999/19991215a
    * NOTE: Changed formatting back to original.
    - Fixed link to CoreLabs advisory.
    - Added three database references (BID843, CVE-1999-0834, CA-1999-15).

qpopper - http://www.debian.org/security/1999/19991215
    - Added two database references (bid133, CVE-1999-0006).
    - Removed two entries added above BID133, CVE-1999-0006 (wrong bug).
    - Added paragraph containing links to Stuttgart and SecurityFocus.

sendmail - http://www.debian.org/security/1999/19991207
    * NOTE: Changed formatting back to original.
    - Added BugTraq list link.

proftpd - http://www.debian.org/security/1999/19991111a
    - Added BugTraq database reference, BID650.
    - Added links to SUSE Security and BugTraq list.

lpr - http://www.debian.org/security/1999/19991030
    * NOTE: Changed formatting back to original.
    - Added the BugTraq link.
    - Added the text from the 20000109 DSA page.

amd - http://www.debian.org/security/1999/19991018a
    - Added database references BID614 and CA-1999-12.
    - Added exploit description text from DSA page 19990924.

amd - http://www.debian.org/security/1999/19990924
    - Added database references BID614 and CA-1999-12.
    - Changed text in the "update" paragraph.

termcap-compat - http://www.debian.org/security/1999/19990823a
    - Added database references BID588.
    - Added link to Debian Bug#43141

rsync - http://www.debian.org/security/1999/19990823
    * NOTE:  Changed the next item to _excerpts_ from Andrew's message.
    - Added Andrew Tridgell's message. 
    - Added LWN and Stuttgart links.

cfingerd - http://www.debian.org/security/1999/19990814
    * NOTE:  Changed the next item back to the original format.
    - Changed "You should still" to "However, you should still".
    - Added link to PacketStorm - cfingerd.txt.
    - Changed "cfingerd prior from 1.2.0 to" to "cfingerd from 1.2.0, prior to".

isdnutils - http://www.debian.org/security/1999/19990807
    - Changed "However is that while" to "However, while"

cfingerd - http://www.debian.org/security/1999/19990806
    - Added database reference BID512.
    - Added original bug report links.
    - Removed broken link referencing SecurityFocus id 512.
    - Added Stuttgart BugTraq archive link.

samba - http://www.debian.org/security/1999/19990804
    * NOTE:  Changed the next item back to the original format.
    - Changed "was flawed which allowed" to "was flawed.  Which allowed"
    - Changed "arbitraty mountpoints in the filesystem" to "arbitrary
      mount points in the file system."

mailman (bad python.org link) - http://www.debian.org/security/1999/19990623
    - Added database reference BID480.
    - Fixed python.org link (the link worked, but the data was unrelated). 
    * NOTE:  The next three items were changed back to the original format.
    - Changed webpages to web pages.
    - Changed "version mailman" to "version of mailman,"
    - Added a comma after "Debian GNU/Linux 2.1"

xfs - http://www.debian.org/security/1999/19990331a
    - Added database references BID359 and CAN-1999-0434.
    - Added X-Force alerts link.
    - Added InDenial and Neohapsis, BugTraq archive links.

XFree86 - http://www.debian.org/security/1999/19990331
    - Added database references BID326 and CVE-1999-0433.
    - Added Packetstorm and BugTraq links.

lsof - http://www.debian.org/security/1999/19990220a
    - Added database references CVE-1999-0405.
    - Added Securityfocus link to hert.org posting.

super - http://www.debian.org/security/1999/19990215a
    - Added database references BID342, BID397, CAN-1999-0373, and 
      CAN-1999-0381.
    - Added Securityfocus archive link.

cfengine - http://www.debian.org/security/1999/19990215
    - Changed "homedirectories" to "home directories".

FTP packages(bad link) - http://www.debian.org/security/1999/19990210
    * NOTE:  Changed formatting back to original.
    - Reformatted paragraph that begins with "If you are using Debian"
      The text of that paragraph was not changed.
    - Added database reference CA-1999-03
    - Removed broken link to Netect (appears to be included in
      CA-1999-03).
    - Added reference about access with root privilege.

diff -u orig/1999/19990210.data new/1999/19990210.data
--- orig/1999/19990210.data	Sat Jan 18 07:52:15 2003
+++ new/1999/19990210.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>Debian FTP packages</define-tag>
 <define-tag report_date>1999-02-10</define-tag>
+<define-tag secrefs>CA-1999-03</define-tag>
 <define-tag packages>proftpd, wu-ftpd-academ</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
diff -u orig/1999/19990210.wml new/1999/19990210.wml
--- orig/1999/19990210.wml	Fri Apr 27 08:03:17 2001
+++ new/1999/19990210.wml	Tue Sep  2 07:12:13 2003
@@ -3,6 +3,10 @@
 (hamm) are vulnerable to a buffer overflow. It is possible to gain shell
 access to the machine, and we recommend upgrading these packages immediately.
 
+<p>Extract from the Netect report in CA-1999-03:<br>
+Intruders who are able to exploit this vulnerability can ultimately gain
+interactive access to the remote ftp server with root privilege.
+
 <p>If you are using Debian GNU/Linux 2.1 (slink) you should download
 a new version. Note that wu-ftpd
 will install in a disabled state on some configurations; you can enable wu-ftpd
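Review bot: The extract added after "upgrading these packages immediately."
is not set off as a quotation, so nothing shows where the CA-1999-03 wording
ends and Debian's own text resumes. Put the quoted sentence in <blockquote>
or quotation marks; the body text also gives the reader no link to
CA-1999-03 itself.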
@@ -10,7 +14,6 @@
 <code>/etc/init.d/netbase reload</code>. The line for /usr/sbin/in.ftpd should
 remain disabled.
 
-<p>See also <fileurl http://www.netect.com/advisory_0209.html>
 </define-tag>
 <define-tag description>Buffer overflow in some FTP servers</define-tag>
 
diff -u orig/1999/19990215.wml new/1999/19990215.wml
--- orig/1999/19990215.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990215.wml	Mon Sep  1 20:53:27 2003
@@ -1,6 +1,6 @@
 <define-tag moreinfo>The maintainer of Debian GNU/Linux cfengine package found
 a error in the way cfengine handles temporary files when it runs the tidy
-action on homedirectories, which makes it susceptible to a symlink
+action on home directories, which makes it susceptible to a symlink
 attack. The author has been notified of the problem but has not
 released a fix yet.</define-tag>
 <define-tag description>Security problem with temp file handling.</define-tag>
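Review bot: The context line just above the change still reads "found
a error"; since this hunk already corrects wording in the same sentence,
change it to "found an error" in the same edit.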
diff -u orig/1999/19990215a.data new/1999/19990215a.data
--- orig/1999/19990215a.data	Sat Jan 18 07:59:08 2003
+++ new/1999/19990215a.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>super</define-tag>
 <define-tag report_date>1999-02-15</define-tag>
+<define-tag secrefs>CAN-1999-0373 CAN-1999-0381 BID342 BID397</define-tag>
 <define-tag packages>super</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
diff -u orig/1999/19990215a.wml new/1999/19990215a.wml
--- orig/1999/19990215a.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990215a.wml	Mon Sep  1 20:53:27 2003
@@ -3,7 +3,12 @@
 per-user .supertab files super didn't check for a buffer overflow when creating
 the path to the user's .supertab file.  Secondly another buffer overflow did
 allow ordinary users to overflow super by creating a nasty personal .supertab
-file.  We recommend you upgrade your super packages immediately.</define-tag>
+file.  We recommend you upgrade your super packages immediately.
+
+<p>An analysis of the super vulnerability is available at this 
+<a href="http://www.securityfocus.com/archive/1/12713";>Securityfocus archive </a>page.
+
+</define-tag>
 <define-tag description>Buffer overflow in super.</define-tag>
 
 # do not modify the following line
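Review bot: In the added link the anchor text is "Securityfocus archive "
with a trailing space inside <a>, and the name is spelled "SecurityFocus"
in the 19991215.wml hunk; move the space outside </a> and use one spelling
throughout. If the ";" between the closing quote of the href and ">" is in
the file rather than an artifact of the list archive, remove it here and in
the other added links.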
diff -u orig/1999/19990220a.data new/1999/19990220a.data
--- orig/1999/19990220a.data	Sat Jan 18 08:01:48 2003
+++ new/1999/19990220a.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>lsof</define-tag>
 <define-tag report_date>1999-02-20</define-tag>
+<define-tag secrefs>CVE-1999-0405</define-tag>
 <define-tag packages>lsof</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
diff -u orig/1999/19990220a.wml new/1999/19990220a.wml
--- orig/1999/19990220a.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990220a.wml	Tue Sep  2 12:41:33 2003
@@ -1,7 +1,11 @@
 <define-tag moreinfo>When lsof is setuid-root or setgid kmem, it is vulnerable
 to a buffer overflow that could lead to direct root compromise or root
-compromise thru live kernel patching.</define-tag>
-<define-tag description>Buffer overflow in lsof</define-tag>
+compromise thru live kernel patching.
+
+<p>This <a href="http://www.securityfocus.com/archive/1/12566/2003-04-12/2003-04-18/2";>Securityfocus archive </a>posting
+from hert.org, emphasizes that lsof should not be setuid-root or setgid.
 
+</define-tag>
+<define-tag description>Buffer overflow in lsof</define-tag>
 # do not modify the following line
 #include '$(ENGLISHDIR)/security/1999/19990220a.data'
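Review bot: The added href ends in "/2003-04-12/2003-04-18/2", which looks
like a date-range view of the archive rather than a stable address for a
1999 posting; check whether the message resolves without that suffix and
link that form. The new sentence also says "setuid-root or setgid" where the
first paragraph says "setgid kmem", and has a stray comma after "hert.org".
Moving the description tag below the blank context line drops the blank
line before "# do not modify the following line"; keeping the original
layout would leave only the added paragraph in the diff.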
diff -u orig/1999/19990331.data new/1999/19990331.data
--- orig/1999/19990331.data	Thu Apr 19 09:52:08 2001
+++ new/1999/19990331.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>XFree86</define-tag>
 <define-tag report_date>1999-03-31</define-tag>
+<define-tag secrefs>CVE-1999-0433 BID326</define-tag>
 <define-tag packages>none</define-tag>
 <define-tag isvulnerable>no</define-tag>
 <define-tag fixed>yes</define-tag>
diff -u orig/1999/19990331.wml new/1999/19990331.wml
--- orig/1999/19990331.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990331.wml	Mon Sep  1 20:53:27 2003
@@ -1,7 +1,15 @@
 <define-tag moreinfo>Some versions of the X windowing system will make
 /tmp/.X11-unix world readable, even if that location is a symbolic link to
 another file on the system. Debian 2.1 (slink) is <em>not</em> affected by this
-problem.</define-tag>
+problem.
+
+<p>It appears that the bug was originally reported for a NetBSD system
+on <a href="http://packetstorm.icx.fr/9903-exploits/X11R6.txt";>Packetstorm - March 1999 exploits</a>,
+the page has a reference showing that Linux is also vulnerable.  Additionally, 
+SUSE Security Alert for this vulnerability is available on this
+<a href="http://lists.insecure.org/lists/bugtraq/1999/Mar/0216.html";>BugTraq list - 1999 Mar (0216) </a>page.
+
+</define-tag>
 <define-tag description>symbolic link can be used to make any file world readable</define-tag>
 
 # do not modify the following line
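Review bot: The added paragraph says "Linux is also vulnerable" directly
under the statement that Debian 2.1 (slink) is not affected, which readers
can take as a contradiction; state which systems the reference covers.
"on <a ...>Packetstorm - March 1999 exploits</a>, the page has" is a comma
splice, "SUSE Security Alert" needs an article, and the name is spelled
"PacketStorm" in the 19990814.wml hunk.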
diff -u orig/1999/19990331a.data new/1999/19990331a.data
--- orig/1999/19990331a.data	Thu Apr 19 09:52:08 2001
+++ new/1999/19990331a.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>xfs</define-tag>
 <define-tag report_date>1999-03-31</define-tag>
+<define-tag secrefs>CAN-1999-0434 BID359</define-tag>
 <define-tag packages>xfs</define-tag>
 <define-tag isvulnerable>no</define-tag>
 <define-tag fixed>yes</define-tag>
diff -u orig/1999/19990331a.wml new/1999/19990331a.wml
--- orig/1999/19990331a.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990331a.wml	Mon Sep  1 20:53:27 2003
@@ -1,7 +1,18 @@
 <define-tag moreinfo>Some implementations of xfs incorrectly set the
 permissions of /tmp/.font-unix even if that location is a symbolic link to
 another file. Debian 2.1 (slink) is <em>not</em> vulnerable to this
-problem.</define-tag>
+problem.
+
+<p>This <a href="http://xforce.iss.net/static/3502.php";>IIS Security - X-Force Alerts - xfree86-xfs-symlink-dos </a>page
+provides a good summary of the xfs vulnerability.
+
+<p>The vulnerability can be used to change the permissions of the /etc/shadow
+file, as shown in 
+<a href="http://archives.neohapsis.com/archives/bugtraq/1999_1/1166.html";>Neohapsis Archives (BugTraq) 1999 "bugs in xfs"</a>.
+The <a href="http://archives.indenial.com/hypermail/bugtraq/1999/March1999/index.html#241";>InDenial BugTraq Archives - 1999 Mar "bugs in xfs" </a>shows
+the thread.  
+
+</define-tag>
 <define-tag description>symbolic link can be used to change file permissions</define-tag>
 
 # do not modify the following line
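Review bot: The link text in the first added paragraph reads "IIS Security"
but the href points to xforce.iss.net, so this should be "ISS". The second
added paragraph gives /etc/shadow as the example target while the unchanged
text says Debian 2.1 (slink) is not vulnerable; a few words making clear
that the example applies to affected implementations would help. The
trailing spaces inside the anchors ("xfree86-xfs-symlink-dos </a>") should
move outside.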
diff -u orig/1999/19990623.data new/1999/19990623.data
--- orig/1999/19990623.data	Fri Jan 10 17:13:50 2003
+++ new/1999/19990623.data	Mon Sep  1 20:53:18 2003
@@ -1,7 +1,7 @@
 <define-tag pagetitle>mailman</define-tag>
 <define-tag report_date>1999-06-23</define-tag>
 <define-tag packages>mailman</define-tag>
-<define-tag secrefs>CVE-1999-0742</define-tag>
+<define-tag secrefs>CVE-1999-0742 BID480</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
 
diff -u orig/1999/19990623.wml new/1999/19990623.wml
--- orig/1999/19990623.wml	Wed Mar 20 08:07:18 2002
+++ new/1999/19990623.wml	Tue Sep  2 08:34:56 2003
@@ -4,7 +4,8 @@
 using forged authentication cookies it was possible to access the list
 administration webpages without knowing the proper password.  More
 information about this vulnerability can be found at
-<fileurl http://mail.python.org/pipermail/mailman-developers/1999-June/001128.html>
+python.org mailman-developers list for 1999-June, in the 
+<a href="http://mail.python.org/pipermail/mailman-developers/1999-June/thread.html#5689";>"Cookie security hole in admin interface" </a>thread.
 This has been fixed in version 1.0rc2-5.</define-tag>
 <define-tag description>weak administrator authentication</define-tag>
 
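Review bot: The replacement link targets an anchor on the month's thread
index ("thread.html#5689") rather than a message page, so it depends on the
index numbering staying as it is; naming the thread title in the text, as
done here, at least lets a reader find it again. The sentence needs "the"
before "python.org mailman-developers list", and the line ending "in the "
has a trailing space.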
diff -u orig/1999/19990804.wml new/1999/19990804.wml
--- orig/1999/19990804.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990804.wml	Tue Sep  2 09:00:01 2003
@@ -5,7 +5,7 @@
 <li>it was possible to exploit smbd if you had a message command defined which
 used the %f or %M formatter.
 <li>smbmnt's check to see if a user is allowed to create a mount was flawed
-which allowed users to mount at arbitraty mountpoints in the filesystem
+which allowed users to mount at arbitrary mount points in the file system.
 </ul>
 
 <p>These problems have been fixed in version 2.0.5a-1. We recommend you upgrade
diff -u orig/1999/19990806.data new/1999/19990806.data
--- orig/1999/19990806.data	Thu Apr 19 09:52:08 2001
+++ new/1999/19990806.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>cfingerd</define-tag>
 <define-tag report_date>1999-08-06</define-tag>
+<define-tag secrefs>BID512</define-tag>
 <define-tag packages>cfingerd</define-tag>
 <define-tag isvulnerable>no</define-tag>
 <define-tag fixed>yes</define-tag>
diff -u orig/1999/19990806.wml new/1999/19990806.wml
--- orig/1999/19990806.wml	Fri Apr 27 08:03:17 2001
+++ new/1999/19990806.wml	Mon Sep  1 20:53:27 2003
@@ -3,10 +3,17 @@
 using versions of Debian prior to 2.0 or cfingerd versions prior to 1.3.2-9
 should upgrade to the latest version of cfingerd.
 
+<p>The <a href="http://lists.insecure.org/lists/bugtraq/1999/Jul/0002.html";>original bug report</a>, 
+referred to in the "credit" section of BugTraq ID 512, has additional
+information.
+
+<p>An email in the <a href="http://cert.uni-stuttgart.de/archive/bugtraq/1999/07/msg00009.html";>Stuttgart BugTraq archive 1999/07 (00009) </a>suggests 
+using other variants of fingerd, instead of the patch referred to in the 
+"solution" section of BugTraq ID 512.
+
 <p><strong>Update:</strong> Another cfingerd exploit is covered in a later
 advisory, available <a href="19990814">here</a>.
 
-<p>See also <a href="http://www.securityfocus.com/vdb/bottom.html?section=discussion&amp;vid=512";>http://www.securityfocus.com/vdb/bottom.html?section=discussion&amp;vid=512</a>
 </define-tag>
 <define-tag description>Buffer overflow in older versions of cfingerd.</define-tag>
 
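Review bot: The two added paragraphs refer to the "credit" and "solution"
sections of BugTraq ID 512, but this hunk also deletes the only link to that
entry in the body text, leaving those references with nothing to follow.
Link BugTraq ID 512 where it is first mentioned, or confirm that the new
BID512 secrefs tag renders a link on the page.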
diff -u orig/1999/19990807.wml new/1999/19990807.wml
--- orig/1999/19990807.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990807.wml	Mon Sep  1 20:53:27 2003
@@ -1,7 +1,7 @@
 <define-tag moreinfo>Xmonisdn is an X applet that shows the status of the ISDN
 links. You can configure it to run two scripts when the left or right mouse
 button are clicked on it. Xmonisdn was installed setuid root so that the
-scripts could do things like add and delete the default route. However is that
+scripts could do things like add and delete the default route. However, 
 while the scripts were checked for owner root and not writeable by group or
 others the scripts are run via the system() library function, which spawns a
 shell to run it. This means that the scripts are open to attack via IFS and/or
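Review bot: The changed line "scripts could do things like add and delete
the default route. However, " ends in a trailing space, and the sentence
still lacks a comma after "others" ("not writeable by group or others the
scripts are run"); fix both in this hunk.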
diff -u orig/1999/19990814.wml new/1999/19990814.wml
--- orig/1999/19990814.wml	Fri Apr 27 08:03:17 2001
+++ new/1999/19990814.wml	Tue Sep  2 09:22:47 2003
@@ -11,9 +11,12 @@
 cfingerd.conf file as shipped with the distribution you are safe.  You should
 still upgrade.
 
-<p>All versions of cfingerd prior from 1.2.0 to 1.4.0 were vulnerable to this
+<p>All versions of cfingerd from 1.2.0, prior to 1.4.0 were vulnerable to this
 exploit. The fix from 1.4.0 has been added to cfingerd 1.3.2-18.1 for slink,
 which is available at the location below.
+
+<p>More information about this bug can be found at 
+<a href="http://packetstorm.icx.fr/new-exploits/cfingerd.txt";>PacketStorm - cfingerd.txt</a>
 
 <p>N.B.: Fixed packages are available below for Debian 2.1 (slink). cfingerd
 1.4.0 is included in Debian 2.2 (potato).
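Review bot: The reworded sentence "All versions of cfingerd from 1.2.0,
prior to 1.4.0" still leaves the affected range unclear; "from 1.2.0 up to,
but not including, 1.4.0" states it outright. The added PacketStorm
paragraph has no final period and a trailing space after "found at".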
diff -u orig/1999/19990823.wml new/1999/19990823.wml
--- orig/1999/19990823.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990823.wml	Tue Sep  2 10:02:42 2003
@@ -3,8 +3,27 @@
 transferring an empty directory into a non-existent directory on a remote host,
 permissions on the remote host may be mangled.  This bug may only happen in
 very rare cases.  It's not likely that you have experienced this, but you'd
-better check the permissions of your home directories.</define-tag>
-<define-tag description>Rare problem with corrupted file permissions</define-tag>
+better check the permissions of your home directories.
+
+<p>Andrew Tridgell's message is available at <a href="http://lwn.net/1999/0408/a/rsync.html";>LWN - rsync (1999) </a>and
+<a href="http://cert.uni-stuttgart.de/archive/bugtraq/1999/04/msg00051.html";>Stuttgart BUGTRAQ - 1999.</a>
+
+<p>Here are some excerts from Andrew's message to BUGTRAQ:
+<p>... released rsync 2.3.1 to fix [the security hole].
+
+<p>A user can't exploit this hole deliberately to gain privileges (ie. this
+is not an "active" security hole) but a system administrator could ...
+inadvertently compromise the security of their system.
 
+<p>The fix is to chmod your home directory back to the correct permissions
+ and upgrade to rsync 2.3.1. The bug is in the receiving side of rsync,
+ so it is quite safe to continue to use older anonymous rsync servers as
+ long as you upgrade your client.
+
+<p>This bug has been present in all versions of rsync. I apologize for any
+ inconvenience.
+
+</define-tag>
+<define-tag description>Rare problem with corrupted file permissions</define-tag>
 # do not modify the following line
 #include '$(ENGLISHDIR)/security/1999/19990823.data'
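Review bot: "excerts" in the added line "<p>Here are some excerts from
Andrew's message to BUGTRAQ:" should be "excerpts", and the four quoted
paragraphs that follow are not marked as a quotation, so "I apologize for
any inconvenience" reads as Debian's own statement; wrap them in
<blockquote>. Several added lines begin with a stray space, and the
description tag has been moved below the blank context line, which removes
the blank line before "# do not modify the following line".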
diff -u orig/1999/19990823a.data new/1999/19990823a.data
--- orig/1999/19990823a.data	Thu Apr 19 09:52:08 2001
+++ new/1999/19990823a.data	Mon Sep  1 20:53:18 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>termcap-compat</define-tag>
 <define-tag report_date>1999-08-18</define-tag>
+<define-tag secrefs>BID588</define-tag>
 <define-tag packages>termcap-compat</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
diff -u orig/1999/19990823a.wml new/1999/19990823a.wml
--- orig/1999/19990823a.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990823a.wml	Mon Sep  1 20:53:27 2003
@@ -3,7 +3,12 @@
 exploitable by this bug since termcap was abandoned in favour of terminfo long
 ago.  However, if you have compiled your own programs using termcap or have
 installed third party programs that depend on libtermcap and run as root they
-are exploitable.</define-tag>
+are exploitable.
+
+<p>See <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=43141";>Debian Bug#43141 </a>for additional information.
+
+
+</define-tag>
 <define-tag description>Buffer overflow</define-tag>
 
 # do not modify the following line
diff -u orig/1999/19990924.data new/1999/19990924.data
--- orig/1999/19990924.data	Fri Jan 10 17:13:50 2003
+++ new/1999/19990924.data	Mon Sep  1 20:53:18 2003
@@ -1,7 +1,7 @@
 <define-tag pagetitle>amd</define-tag>
 <define-tag report_date>1999-09-24</define-tag>
 <define-tag packages>amd</define-tag>
-<define-tag secrefs>CVE-1999-0704</define-tag>
+<define-tag secrefs>CVE-1999-0704 BID614 CA-1999-12</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
 
diff -u orig/1999/19990924.wml new/1999/19990924.wml
--- orig/1999/19990924.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19990924.wml	Mon Sep  1 20:53:27 2003
@@ -2,8 +2,11 @@
 GNU/Linux 2.1 is vulnerable to a remote exploit. Passing a big directory name
 to amd's logging code would overflow a buffer which could be exploited.  This
 has been fixed in version 23.0slink1.
-<p>Note: This alert has been <a href=19991018a>updated,</a> please refer to the
-latest alert for details on correcting this problem.
+
+<p><em>Update:  </em>This fix caused an error that has been corrected in
+version upl102-23.slink2.  Please refer to the <a href=19991018a>updated
+DSA page for amd</a>, for information on correcting this problem.
+
 </define-tag>
 <define-tag description>Buffer overflow in amd</define-tag>
 
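Review bot: The new marker "<em>Update:  </em>" differs from
"<strong>Update:</strong>" in 19990806.wml and "<b>Update</b>:" in
19991030.wml, both visible in this patch; pick one form. The href=19991018a
is unquoted while the links added elsewhere in this patch are quoted, and
the comma after "DSA page for amd</a>" should go.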
diff -u orig/1999/19991018a.data new/1999/19991018a.data
--- orig/1999/19991018a.data	Fri Jan 10 17:13:50 2003
+++ new/1999/19991018a.data	Mon Sep  1 20:53:18 2003
@@ -1,7 +1,7 @@
 <define-tag pagetitle>amd</define-tag>
 <define-tag report_date>1999-10-18</define-tag>
 <define-tag packages>amd</define-tag>
-<define-tag secrefs>CVE-1999-0704</define-tag>
+<define-tag secrefs>CVE-1999-0704 BID614 CA-1999-12</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
 
diff -u orig/1999/19991018a.wml new/1999/19991018a.wml
--- orig/1999/19991018a.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19991018a.wml	Mon Sep  1 20:53:27 2003
@@ -1,7 +1,12 @@
 <define-tag moreinfo>The version of amd that was distributed with Debian
-GNU/Linux 2.1 is vulnerable to a remote exploit. <a href=19990924>This was
-fixed in version 23.0slink1</a>.  However that fix contained an error which has
-been corrected in version upl102-23.slink2.</define-tag>
+GNU/Linux 2.1 is vulnerable to a remote exploit. Passing a big directory
+name to amd's logging code would overflow a buffer which could be
+exploited. That vulnerability was fixed in version 23.0slink1, see the
+<a href=19990924>DSA page on 24 Sep 1999 for amd</a>.  However, that fix
+contained an error which has been corrected in version upl102-23.slink2.
+Use the information below to get corrected packages.
+
+</define-tag>
 <define-tag description>Buffer overflow in amd -- update</define-tag>
 
 # do not modify the following line
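Review bot: The sentence added here, "Passing a big directory name to amd's
logging code would overflow a buffer which could be exploited.", repeats
19990924.wml word for word, so the two pages now have to be kept in step;
consider leaving the description on the 19990924 page and linking to it.
"fixed in version 23.0slink1, see the" is a comma splice, and href=19990924
is unquoted.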
diff -u orig/1999/19991030.wml new/1999/19991030.wml
--- orig/1999/19991030.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19991030.wml	Tue Sep  2 11:22:52 2003
@@ -6,9 +6,25 @@
 <li>lpd did not check permissions of queue-files. As a result by using the -s
 flag it could be tricked into printing files a user can otherwise not read
 </ul>
+
 <p><b>Update</b>: Additional vulnerabilities have been discovered in lpr. See
 <a href=../2000/20000109>http://www.debian.org/security/2000/20000109</a> for
-more information.
+more information, including the following:
+
+<p>The version of lpr that was distributed with Debian GNU/Linux 2.1 and the
+updated version released in 2.1r4 have two security problems:
+<ul>
+<li>the client hostname wasn't verified properly, so if someone is able to
+control the DNS entry for their IP he could fool lpr into granting access.
+<li>it was possible to specify extra options to sendmail which could be used
+to specify another configuration file.  This can be used to gain root access.
+</ul>
+<p>Both problems have been fixed in 0.48-0.slink1.  We recommend you upgrade
+your lpr package immediately.
+
+<p>See <a href="http://lists.insecure.org/lists/bugtraq/1999/Oct/0176.html";>
+BugTraq list (1999 Oct 0176) </a>for more information.
+
 </define-tag>
 <define-tag description>users can see files they shouldn't</define-tag>
 
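Review bot: The text copied in from the 20000109 page says "Both problems
have been fixed in 0.48-0.slink1", which on this page follows a different
list of two lpr problems and can be read as applying to those; introduce
the copied block explicitly as a quotation from the later advisory, or keep
only the link. In the last added paragraph the anchor text starts on a new
line after the ">", which puts leading whitespace inside the link.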
diff -u orig/1999/19991111a.data new/1999/19991111a.data
--- orig/1999/19991111a.data	Thu Apr 19 09:52:08 2001
+++ new/1999/19991111a.data	Mon Sep  1 20:53:18 2003
@@ -1,6 +1,7 @@
 <define-tag pagetitle>proftpd</define-tag>
 <define-tag report_date>1999-11-11</define-tag>
 <define-tag packages>proftpd</define-tag>
+<define-tag secrefs>BID650</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>yes</define-tag>
 
diff -u orig/1999/19991111a.wml new/1999/19991111a.wml
--- orig/1999/19991111a.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19991111a.wml	Mon Sep  1 20:53:27 2003
@@ -8,8 +8,13 @@
 </ul>
 <p>Please note that this is not meant to be an exhaustive list.
 <p>In addition to the security fixes a couple of Y2K problems were also fixed.
+
+<p>See this <a href="http://lists.suse.com/archive/suse-security/1999-Sep/0052.html";>SUSE Security (1999 Sep 0052) </a>Announcement
+and <a href="http://lists.insecure.org/lists/bugtraq/1999/Sep/0337.html";>BugTraq lists (1999 Sep 0337)</a>, for additional information. 
+
 <p>We have made a new package with version 1.2.0pre9-4 to address these
 issues, and we recommend to upgrade your proftpd package immediately.
+
 </define-tag>
 <define-tag description>buffer overflows in proftpd</define-tag>
 
diff -u orig/1999/19991207.wml new/1999/19991207.wml
--- orig/1999/19991207.wml	Thu Apr 19 09:52:08 2001
+++ new/1999/19991207.wml	Tue Sep  2 11:33:13 2003
@@ -7,7 +7,11 @@
 <p>This has been fixed by only allowing root and trusted users to regenerate
 the aliases database.
 
-<p>We recommend you upgrade your sendmail package to new version.</define-tag>
+<p>We recommend you upgrade your sendmail package to new version.
+
+<p>See the <a href="http://lists.insecure.org/lists/bugtraq/1999/Nov/0313.html";>BugTraq list (1999/Nov/0313)</a> for more information.
+
+</define-tag>
 <define-tag description>Denial of Service in Sendmail</define-tag>
 
 # do not modify the following line
diff -u orig/1999/19991215.wml new/1999/19991215.wml
--- orig/1999/19991215.wml	Wed Jul 18 06:00:39 2001
+++ new/1999/19991215.wml	Mon Sep  1 20:53:27 2003
@@ -3,6 +3,14 @@
 This version of qpopper is not included in Debian; the version of qpopper
 shipped with Debian GNU/Linux 2.1 (qpopper 2.3-4) is <em>not</em> vulnerable
 to the overflow.
+
+<p>The vulnerability is caused by not bounds checking the input buffers, when
+using vsprintf or sprintf.  For details see the 
+<a href="http://cert.uni-stuttgart.de/archive/bugtraq/1999/12/msg00009.html";>Stuttgart BugTraq archive </a>or
+the <a href="http://www.securityfocus.com/archive/1/36847/1999-11-27/1999-12-03/2";>SecurityFocus archive.  </a>Both 
+links refer to the same email from  Qpopper Support at Qualcomm and include
+the original bug report from Mixter.
+
 </define-tag>
 <define-tag description>buffer overflow in qpopper</define-tag>
 
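Review bot: The added paragraph puts the sentence-ending period and two
spaces inside the link ("SecurityFocus archive.  </a>Both") and has a
double space in "from  Qpopper"; move the punctuation outside the anchor.
The SecurityFocus href carries a date range ("/1999-11-27/1999-12-03/2")
that looks like an archive view rather than a stable message address, and
the comma before "when using vsprintf or sprintf" should go.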
diff -u orig/1999/19991215a.data new/1999/19991215a.data
--- orig/1999/19991215a.data	Thu Apr 19 09:52:08 2001
+++ new/1999/19991215a.data	Mon Sep  1 20:53:18 2003
@@ -1,6 +1,7 @@
 <define-tag pagetitle>ssh</define-tag>
 <define-tag report_date>1999-12-15</define-tag>
 <define-tag packages>ssh</define-tag>
+<define-tag secrefs>BID843 CA-1999-15 CVE-1999-0834</define-tag>
 <define-tag isvulnerable>no</define-tag>
 <define-tag fixed>no</define-tag>
 
diff -u orig/1999/19991215a.wml new/1999/19991215a.wml
--- orig/1999/19991215a.wml	Wed Jul 18 05:52:19 2001
+++ new/1999/19991215a.wml	Tue Sep  2 11:49:23 2003
@@ -5,8 +5,11 @@
 Debian is <em>not</em> linked against rsaref2, and is <em>not</em> vulnerable
 as shipped. Note that if you compile a local copy of ssh with the rsaref2
 library, your local copy may be vulnerable. See the advisory at <a
-href=http://www.core-sdi.com/advisories/buffer_over_ing.htm>http://www.core-sdi.com/advisories/buffer_over_ing.htm</a>
+href="http://www1.corest.com/common/showdoc.php?idx=130&amp;idxseccion=10&amp;CORE=17f28e005bf48e41503333f6d8aa3d15";>CoreLabs Advisories - CORE-1201999 </a>
 for more information.
+
+<p>Any software that uses the rsaref2 library could be vulnerable.
+
 </define-tag>
 <define-tag description>remote exploit in ssh</define-tag>
 
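Review bot: The replacement href carries a
"CORE=17f28e005bf48e41503333f6d8aa3d15" parameter that looks like a
per-session value rather than part of the document address, so the link may
stop resolving; check whether the page loads with only idx=130 and
idxseccion=10 and commit that form. The anchor text "CoreLabs Advisories -
CORE-1201999 " has a trailing space before </a>.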
Only in new/1999/: index.wml
