Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at a new release of
Apache, and problems in fileutils, coreutils, anonftp, Kpopup, CUPS,
Libnids, PostgreSQL, thttpd, mod_security, and the Linux Java Installer.

New Apache

A new version of Apache has been released that fixes two security
problems. The mod_cgid module can, when threaded MPM is being used,
send the output of a CGI application to the wrong client. The
mod_alias and mod_rewrite modules contain buffer overflows that may
be exploitable by a local user when a regular expression is configured that contains more than nine captures.
It is recommended that users upgrade to Apache 2.0.48.
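Until the upgrade is in place, an administrator will want to know whether any configured pattern actually uses more than nine captures. The following script is an added example, not code from the column or from the Apache project; it scans an httpd.conf fragment for the mod_alias and mod_rewrite directives that take a regular expression (RewriteRule, AliasMatch, ScriptAliasMatch, RedirectMatch), counts the capturing groups with Python's own regex parser, and reports any pattern over the limit. The sample configuration is constructed for the demonstration.

```python
import re

# Added example (not from the column): find mod_alias / mod_rewrite patterns
# with more than nine captures, the configuration the column describes as
# reachable by the buffer overflow.
REGEX_DIRECTIVES = ("RewriteRule", "AliasMatch", "ScriptAliasMatch", "RedirectMatch")
REDIRECT_STATUS_WORDS = {"permanent", "temp", "seeother", "gone"}
MAX_SAFE_CAPTURES = 9

# Constructed sample configuration; the RewriteRule on line 4 has ten captures.
SAMPLE_CONFIG = r"""# constructed httpd.conf fragment
RewriteEngine On
RewriteRule ^/a/(.*)$ /b/$1 [L]
RewriteRule ^/(\w+)/(\w+)/(\w+)/(\w+)/(\w+)/(\w+)/(\w+)/(\w+)/(\w+)/(\w+)$ /flat [L]
AliasMatch ^/icons/(.*) /usr/share/apache2/icons/$1
RedirectMatch permanent ^/old/(.*)$ http://www.example.com/new/$1
"""


def count_captures(pattern):
    """Return the number of capturing groups in a regular expression.

    Python's re module counts plain '(...)' groups the way PCRE does and
    correctly ignores '(?:...)' and lookaround groups, so the parser does the
    bookkeeping instead of a hand-written bracket counter.
    """
    return re.compile(pattern).groups


def split_directive(line):
    """Return (directive, pattern) for a config line, or None if it carries none."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    if len(tokens) < 2 or tokens[0] not in REGEX_DIRECTIVES:
        return None
    args = tokens[1:]
    # RedirectMatch may carry an optional status argument before the pattern.
    if tokens[0] == "RedirectMatch" and (args[0] in REDIRECT_STATUS_WORDS or args[0].isdigit()):
        args = args[1:]
    if not args:
        return None
    return tokens[0], args[0].strip('"')


def find_risky_patterns(config_text):
    """Return (line_no, directive, pattern, captures) for every pattern over the limit.

    A pattern Python cannot parse is reported with captures=None so that it is
    reviewed by hand rather than silently skipped.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        parsed = split_directive(line)
        if parsed is None:
            continue
        directive, pattern = parsed
        try:
            captures = count_captures(pattern)
        except re.error:
            findings.append((line_no, directive, pattern, None))
            continue
        if captures > MAX_SAFE_CAPTURES:
            findings.append((line_no, directive, pattern, captures))
    return findings


if __name__ == "__main__":
    for line_no, directive, pattern, captures in find_risky_patterns(SAMPLE_CONFIG):
        print("line %d: %s has %s captures: %s" % (line_no, directive, captures, pattern))
```

Run it against a real configuration with `find_risky_patterns(open("/etc/httpd/conf/httpd.conf").read())`; patterns pulled in from .htaccess files are not covered by this scan and need the same check.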
fileutils and coreutils

The ls command distributed with the fileutils and coreutils packages can be used in a denial-of-service attack when it is used with certain command-line parameters. It also has a buffer overflow bug in the code that handles its command-line parameters, which is reported to not be exploitable. Both of these problems can be exploited remotely through applications such as wu-ftp.
Users should watch their vendor for updated fileutils and coreutils
packages. Updated packages have been released for Red Hat Linux 7.1,
7.2, 7.3, and 8.0, and Conectiva Linux versions 7.0, 8, and 9.
anonftp

The anonftp packages contain a version of the ls command that has the same problems as the ls command in the fileutils and coreutils packages.
All users of anonftp should watch their vendor for an updated version. Updated anonftp packages have been released for Conectiva Linux versions 7.0, 8, and 9.
Kpopup, an application used to send and receive Microsoft Windows
WinPopup Messages, can be exploited by a local attacker to gain a
root shell. Kpopup is reported to be installed set user id root and
uses the system() function to call the killall command. By creating
an exploit script named killall, and by manipulating the path prior
to executing Kpopup, the attacker can cause Kpopup to execute the
exploit script with root permissions. A script to automate the
exploitation of this vulnerability has been released.
Anyone not using the functionality of Kpopup should remove any set user id or set group id permissions from it until it has been patched or upgraded. Users should watch their vendors for a repaired version.
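The Kpopup problem is the classic set-user-id mistake: calling system() hands the command name to /bin/sh, which looks it up along whatever PATH the caller supplied. The following Python is an added example, not Kpopup's code, showing how a privileged helper should invoke an external program instead: resolve the bare name only within a fixed list of trusted directories (the TRUSTED_DIRS list is an assumption for a typical Linux layout), reject candidates that are not root-owned regular files or that are group- or world-writable, run it without a shell, and pass a minimal environment whose PATH is fixed rather than inherited. The demonstrate() function builds a constructed scenario in scratch directories to show that a directory prepended to PATH by the caller is never consulted.

```python
import os
import stat
import subprocess
import tempfile

# Added example (not Kpopup's code). Assumed trusted directories for a
# typical Linux system; the caller's PATH plays no part in the lookup.
TRUSTED_DIRS = ("/usr/sbin", "/sbin", "/usr/bin", "/bin")


def safe_environment():
    """Minimal environment for a privileged child; PATH is fixed, not inherited."""
    return {"PATH": ":".join(TRUSTED_DIRS), "LANG": "C"}


def find_trusted_binary(name, trusted_dirs=TRUSTED_DIRS, require_root_owner=True):
    """Locate a bare command name only within trusted_dirs.

    Returns the absolute path, or None when no candidate passes the checks.
    """
    if not name or "/" in name or name in (".", ".."):
        raise ValueError("bare command name expected, got %r" % name)
    for directory in trusted_dirs:
        candidate = os.path.join(directory, name)
        try:
            st = os.lstat(candidate)  # lstat: a symlink planted here is not followed
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        if require_root_owner and st.st_uid != 0:
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            continue  # writable by group or world: could have been replaced
        if not st.st_mode & stat.S_IXUSR:
            continue
        return candidate
    return None


def run_privileged_helper(name, args, trusted_dirs=TRUSTED_DIRS, require_root_owner=True):
    """Run the trusted binary with no shell and a sanitized environment."""
    path = find_trusted_binary(name, trusted_dirs, require_root_owner)
    if path is None:
        raise FileNotFoundError("%s not found in trusted directories" % name)
    # List form means no /bin/sh: no word splitting and no PATH search.
    return subprocess.run([path] + list(args), env=safe_environment(), check=False)


def demonstrate():
    """Constructed scenario: a stand-in 'killall' in a directory prepended to PATH.

    Returns (found_in_trusted_dir, resolved_from_callers_path).
    """
    saved_path = os.environ.get("PATH", "")
    with tempfile.TemporaryDirectory() as caller_dir, tempfile.TemporaryDirectory() as trusted_dir:
        for directory in (caller_dir, trusted_dir):
            stand_in = os.path.join(directory, "killall")
            with open(stand_in, "w") as fh:
                fh.write("#!/bin/sh\necho stand-in\n")
            os.chmod(stand_in, 0o755)
        try:
            os.environ["PATH"] = caller_dir + ":" + saved_path
            # require_root_owner=False because the scratch files belong to us.
            resolved = find_trusted_binary("killall", (trusted_dir,), require_root_owner=False)
        finally:
            os.environ["PATH"] = saved_path
        found_in_trusted = resolved == os.path.join(trusted_dir, "killall")
        from_callers_path = resolved is not None and os.path.dirname(resolved) == caller_dir
        return found_in_trusted, from_callers_path


if __name__ == "__main__":
    print(demonstrate())  # (True, False)
```

The same checks apply to any set-user-id or set-group-id program: the lookup, the ownership and permission test, and the fixed environment all happen before the child is started, so a directory placed at the front of PATH before launching the program changes nothing.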
The printing system CUPS has a bug in the IPP (Internet Printing Protocol) code that can be used by a remote attacker to cause a denial-of-service in the printer daemon. The attacker must be able to connect to the IPP port (631 in a default installation) to execute this attack.
Users of CUPS should upgrade to a repaired version or watch their vendors for updated packages. Red Hat has released updated packages for Red Hat Linux 8.0 and 9. If CUPS is not being used on a system, then disabling it or removing it should be considered.
Libnids is a component of a network intrusion detection system that emulates the IP stack of Linux 2.0.x and provides IP defragmentation, TCP stream assembly, and TCP port scan detection. Libnids contains a buffer overflow in the code that handles packet reassembly that, under some conditions, may be exploitable to execute code with root permissions.
It is recommended that all users of Libnids upgrade to version 1.18 or newer as soon as possible. Packages containing Libnids version 1.18 have been released for Conectiva Linux 7.0, 8, and 9.
The PostgreSQL database is vulnerable to a buffer overflow in the code
contained in the to_ascii() set of function calls that may be used by
a remote attacker to execute arbitrary code with the permissions the
database is running under.
Affected users should upgrade to PostgreSQL version 7.3.4 or a repaired package from their vendors as soon as possible. The OpenPKG project and Conectiva Linux have released repaired packages.
thttpd

A buffer overflow and an information disclosure vulnerability have
been found in thttpd. thttpd is a small web server that is designed to be fast and secure. The buffer overflow can be remotely triggered but is not thought to be exploitable. The information disclosure bug is in the code that handles virtual hosting. When exploited, this bug will allow a remote attacker to read any file on the system that the user account that thttpd is running under can read.
Users should watch their vendor for an updated version that repairs these problems. SuSE has released a repaired package for SuSE Linux 7.3, 8.0, 8.1, 8.2, and 9.0.
mod_security

The mod_security module for Apache 2 is reported to be vulnerable to a buffer
overflow in the sec_filter_out() function that can, under some
conditions, be exploited by a remote attacker to execute code with the
permissions of the user running Apache. The remote attacker must have some method of uploading a script onto the server before this attack
can be successful.
Users should upgrade to version 1.7.2 of mod_security as soon as
possible.
The install program used to install Sun's JRE/JDK under Linux is vulnerable to several symbolic-link race conditions that can be used by a local attacker to overwrite arbitrary files on the system with, in most cases, root permissions. This problem is reported to affect both the binary installer and the RPM-based install.
On multiuser machines, it may be wise to bring the machine to single-user mode and check the contents of the /tmp directory for the files /tmp/.mailcap1, /tmp/.mime.types1, and /tmp/unpack.log before doing the install.
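The check the column recommends can be scripted, and the same script shows the file-creation pattern that closes this class of race. The following Python is an added example, not part of the Sun installer or of the column; the three file names come from the column, the directory is a parameter so the check can be run against a scratch directory, and demonstrate() builds a constructed scenario in which a symbolic link has been planted at one of the names. inspect_temp_names() looks at each name with lstat so a link is reported as a link, and create_private_file() opens with O_CREAT|O_EXCL|O_NOFOLLOW, which fails if anything is already at that name, including a dangling symlink, instead of writing through it.

```python
import os
import stat
import tempfile

# Added example (not the installer's code). The names are the ones the column
# says the installer writes under /tmp.
INSTALLER_TEMP_NAMES = (".mailcap1", ".mime.types1", "unpack.log")


def inspect_temp_names(tmp_dir="/tmp", names=INSTALLER_TEMP_NAMES, my_uid=None):
    """Report pre-existing entries a privileged installer would blindly write to.

    Returns a list of (path, reason) tuples; an empty list means the names are free.
    """
    if my_uid is None:
        my_uid = os.getuid()
    problems = []
    for name in names:
        path = os.path.join(tmp_dir, name)
        try:
            st = os.lstat(path)  # lstat: see a symlink as a symlink, do not follow it
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            problems.append((path, "symbolic link to %s" % os.readlink(path)))
        elif st.st_uid != my_uid:
            problems.append((path, "owned by uid %d, not the installing user" % st.st_uid))
        else:
            problems.append((path, "already exists; remove it before installing"))
    return problems


def create_private_file(path):
    """Create path only if nothing is there; never follow a planted symlink.

    O_EXCL with O_CREAT makes open(2) fail with EEXIST when the name exists,
    even as a dangling symlink, and O_NOFOLLOW refuses to traverse a symlink at
    the final component. The file is created mode 0600.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w")


def demonstrate():
    """Constructed scenario: a symlink planted at .mailcap1 pointing at another file.

    Returns (number_of_findings, first_is_symlink, creation_refused, target_untouched).
    """
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "victim-file")
        with open(target, "w") as fh:
            fh.write("original\n")
        planted = os.path.join(scratch, ".mailcap1")
        os.symlink(target, planted)
        findings = inspect_temp_names(scratch)
        try:
            with create_private_file(planted) as fh:
                fh.write("installer output\n")
            refused = False
        except FileExistsError:
            refused = True
        with open(target) as fh:
            untouched = fh.read() == "original\n"
        return len(findings), findings[0][1].startswith("symbolic link"), refused, untouched


if __name__ == "__main__":
    for path, reason in inspect_temp_names():
        print("%s: %s" % (path, reason))
    print(demonstrate())  # (1, True, True, True)
```

Running inspect_temp_names() with no arguments checks the real /tmp; doing so from single-user mode, as the column suggests, closes the window between the check and the install during which another user could create the names.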
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.