Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts: Apache Security Update

by Noel Davis
04/07/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a security update to Apache; a major problem in sendmail; buffer overflows in Balsa, libsmtp, passlogd, lpr-ppd, and Solaris' dtsession; and problems in NetPBM, Eye of GNOME, the Progress database, and Red Hat Linux 9's vsftpd daemon.

Apache 2.0.45

Apache 2.0.45 has been released and is described as "principally a security and bug fix release." This new version of Apache repairs a denial-of-service vulnerability, fixes several leaks of file descriptors to CGI scripts and other child processes, and repairs a collection of other non-security related bugs.

The Apache Software Foundation and The Apache HTTP Server Project encourage users of Apache to upgrade to version 2.0.45.

sendmail

sendmail has a buffer overflow in the code that handles address parsing. The overflow may be remotely exploitable to execute arbitrary code with root permissions.

Sendmail, Inc., and the Sendmail Consortium recommend that all users of sendmail upgrade to version 8.12.9 or apply the appropriate patch as soon as possible.

Balsa

Balsa is an email client for GNOME that supports POP3, IMAP, and local folders. Balsa is vulnerable to a buffer overflow in the code that handles mailbox names returned by an IMAP server. This buffer overflow can be exploited by a remote attacker who controls an IMAP server to which the client connects.

Affected users should upgrade to a repaired version of Balsa as soon as possible.

libsmtp

The library libsmtp contains a buffer overflow that can be exploited by sending the client unusually long responses from an SMTP server under the control of an attacker. Exploiting this buffer overflow can result in a denial of service or in the execution of arbitrary code.

Users should upgrade to version 0.8.11 or newer of libsmtp as soon as possible.

NetPBM

NetPBM is a toolkit for manipulation of graphic images. The NetPBM library contains vulnerabilities that can be exploited by an attacker using a carefully crafted graphics file to execute arbitrary code with the permissions of the user running the application linked to the library. It is reported that under Red Hat Linux, the printing system is vulnerable to an attack using this vulnerability, as it uses the NetPBM utilities to parse image files.

Affected users should watch their vendors for updated packages that fix these vulnerabilities. Red Hat Linux users should consider disabling their printing system until NetPBM has been updated.

Eye of GNOME

Eye of GNOME is an image viewer and cataloging program that is distributed with the GNOME desktop. Version 2.2.0 and earlier of Eye of GNOME contain vulnerabilities that can be exploited to execute arbitrary code with the permissions of the user running Eye of GNOME. It has been reported that this vulnerability can be exploited by sending a carefully crafted email to a user who is reading their email with an email client that views images using Eye of GNOME.

It is recommended that users upgrade to Eye of GNOME version 2.2.2 or newer, or watch their vendors for a repaired package.

passlogd

passlogd, the passive syslog capture daemon, is a custom network sniffer that is designed to capture syslog messages off of the network so that a backup logging machine can be created that does not have any open ports. Versions of passlogd before 0.1e contain vulnerabilities that can be used by a remote attacker to execute arbitrary code on the server running passlogd with, in many cases, root permissions.

Users should upgrade to version 0.1e or newer of passlogd as soon as possible and should disable it until it has been updated. Users should also consider protecting the logging machine from untrusted traffic using a tool such as a firewall.

Progress Database

The Progress database opens its configuration files as the root user. A local attacker can, by setting specific environment variables to the path of protected files (such as /etc/shadow), cause Progress to display content from these files in its error messages.

A reported workaround is to remove the set-user-id bits from all of the Progress database applications. Users should watch for a repair for this problem.

lpr-ppd

A buffer overflow has been reported in lpr-ppd, a line printer daemon distributed with Debian (woody and sid), which can be exploited by a local attacker to gain root permissions. This vulnerability is reported to not affect older potato versions of Debian.

It is recommended that affected users upgrade to version 0.72-2.1 for woody and version 0.72-3 for sid.

Red Hat Linux 9 vsftpd Daemon

The vsftpd daemon distributed with Red Hat Linux 9 is configured to run as a standalone daemon and was not compiled against TCP wrappers. It will therefore not follow the restrictions configured in /etc/hosts.allow and /etc/hosts.deny. This problem only affects boxed sets with the part numbers RHF0120US and RHF0121US.

Affected users should install the updated packages as soon as possible. Users who do not use vsftpd should ensure that it is removed or disabled.

Solaris dtsession

The CDE session manager dtsession distributed with Solaris is vulnerable to a buffer overflow in the code that handles the HOME environment variable. The overflow can be exploited by a local attacker to obtain root permissions.

A suggested temporary workaround is to remove the set-user-id bit from dtsession. Users should watch Sun for a patch for dtsession. If CDE is not being used on the system, users should consider permanently removing the set-user-id bits from dtsession and other CDE utilities.
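
The set-user-id workaround suggested above for the Progress database and for dtsession, as an added example that is not part of the original column: shell functions that list the set-user-id files under one directory, record their original modes so the bits can be restored after patching, and clear the bit. The function names, the log file, and the scratch files in the demo are assumptions made for illustration; the directory to audit is whatever the affected software is installed under.

```shell
#!/bin/sh
# Added example (not from the column): find and clear set-user-id bits under
# one directory, keeping a record so they can be restored after patching.

# list_setuid DIR: print regular files under DIR that have the setuid bit set.
list_setuid() {
    # "-perm -4000" matches when the setuid bit is set, whatever the other
    # permission bits are; -xdev keeps find on a single filesystem.
    find "$1" -xdev -type f -perm -4000 -print
}

# strip_setuid DIR LOG: append each setuid file's original "ls -ld" line to
# LOG, clear the bit with chmod u-s, and print the path of each file changed.
strip_setuid() {
    # The inner sh receives paths as arguments, so unusual file names are safe.
    find "$1" -xdev -type f -perm -4000 -exec sh -c '
        log=$1; shift
        for f do
            ls -ld "$f" >>"$log" && chmod u-s "$f" && printf "%s\n" "$f"
        done' sh "$2" {} +
}

# demo: constructed scratch tree standing in for an application directory.
demo() {
    d=$(mktemp -d) || return 1
    : >"$d/tool_a"; : >"$d/tool_b"; : >"$d/notes.txt"   # hypothetical names
    chmod 4755 "$d/tool_a" "$d/tool_b"                   # setuid executables
    chmod 0644 "$d/notes.txt"                            # ordinary file
    echo "setuid files before: $(list_setuid "$d" | wc -l | tr -d ' ')"
    strip_setuid "$d" "$d/setuid-before.log"
    echo "setuid files after:  $(list_setuid "$d" | wc -l | tr -d ' ')"
    echo "recorded original modes:"
    cat "$d/setuid-before.log"
    rm -rf "$d"
}

demo
```

Run list_setuid on its own first to review what would change; the log written by strip_setuid shows which files need `chmod u+s` again once a fixed version is installed.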

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.