amdphr3@kXP Posted June 10, 2003

In this post, I will post information on the latest exploits. This will (hopefully) be useful for everyone to help keep their PCs and servers secure.
amdphr3@kXP Posted June 10, 2003 (Author)

[SmartFTP] Two Buffer Overflow Vulnerabilities

PRODUCT  : SmartFTP
VERSIONS : 1.0.973
VENDOR   : SmartFTP (http://www.smartftp.com/)
SEVERITY : Critical. Code Execution.

SmartFTP has the following two buffer overflow vulnerabilities:

1. The buffer overflow vulnerability in the reply for the PWD command.

If a reply that contains a long address is returned from a server for a "PWD" command request, a buffer overflow occurs on the stack area. By exploiting this vulnerability, an attacker can execute arbitrary code on the user's system if the user connects to the malicious server.

2. The heap buffer overrun vulnerability in the File List.

If a File List that contains a line of long string is returned from a server, a buffer overrun occurs on the heap area. By exploiting this vulnerability, an attacker possibly could execute arbitrary code on the user's system if the user connects to the malicious server.

With these vulnerabilities, there could be the following risks:
* Infection with virus or Trojan, etc.
* Destruction of the system.
* Leak or alteration of the local data.
amdphr3@kXP Posted June 10, 2003 (Author)

[LeapFTP] "PASV" Reply Buffer Overflow Vulnerability

PRODUCT  : LeapFTP
VERSIONS : 2.7.3.600
VENDOR   : LeapWare (http://www.leapware.com/)
SEVERITY : Critical. Code Execution.

A buffer overflow occurs on the stack area if a reply that contains a long string is returned from a server for the "PASV" command request. By exploiting this vulnerability, an attacker can execute arbitrary code on the user's system if the user connects to the malicious server.

With this vulnerability, there could be the following risks:
* Infection with virus or Trojan, etc.
* Destruction of the system.
* Leak or alteration of the local data.

SYSTEMS AFFECTED
LeapFTP 2.7.3.600
Previous versions may have the same vulnerability.
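Both the SmartFTP and the LeapFTP advisories above come down to a client copying a server-controlled reply line into a fixed-size buffer. As an added example (not SmartFTP or LeapFTP code; PATH_BUF and the sample replies are constructed), the C below parses the 257 PWD reply and the 227 PASV reply with explicit bounds and range checks, refusing an over-long path and an out-of-range port field instead of overflowing.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256   /* constructed: size of the client's fixed on-stack path buffer */

struct pasv_addr { unsigned char ip[4]; unsigned short port; };

/* Copy the quoted pathname of a 257 PWD reply into out[outsz]. A quote inside the
   path arrives doubled ("") and decodes to one quote (RFC 959). Returns 0 on success,
   -1 for a malformed reply, -2 if the path would not fit: that length check is what a
   strcpy()-into-fixed-buffer parser lacks. */
int parse_pwd_reply(const char *reply, char *out, size_t outsz) {
    if (outsz == 0 || strncmp(reply, "257 ", 4) != 0) return -1;
    const char *p = strchr(reply + 4, '"');
    if (p == NULL) return -1;
    size_t n = 0;
    for (p++;;) {
        char c = *p;
        if (c == '\0' || c == '\r' || c == '\n') return -1;  /* no closing quote */
        if (c == '"') {
            if (p[1] != '"') break;                           /* closing quote */
            p += 2;                                           /* "" -> literal " */
        } else {
            p++;
        }
        if (n + 1 >= outsz) return -2;   /* would overflow: refuse rather than truncate */
        out[n++] = c;
    }
    out[n] = '\0';
    return 0;
}

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)". Each field is read as a
   bounded integer (0..255, at most 3 digits), so no reply length ever reaches a buffer.
   Returns 0 on success, -1 for any malformed or out-of-range field. */
int parse_pasv_reply(const char *reply, struct pasv_addr *a) {
    if (strncmp(reply, "227 ", 4) != 0) return -1;
    const char *p = strchr(reply + 4, '(');
    if (p == NULL) return -1;
    unsigned v[6];
    for (int i = 0; i < 6; i++) {
        p++;                                    /* step over '(' or ',' */
        if (!isdigit((unsigned char)*p)) return -1;
        unsigned x = 0, digits = 0;
        while (isdigit((unsigned char)*p)) {
            x = x * 10 + (unsigned)(*p++ - '0');
            if (x > 255 || ++digits > 3) return -1;
        }
        v[i] = x;
        if (*p != (i < 5 ? ',' : ')')) return -1;
    }
    for (int i = 0; i < 4; i++) a->ip[i] = (unsigned char)v[i];
    a->port = (unsigned short)((v[4] << 8) | v[5]);
    return 0;
}
/* Constructed sample replies, not captured from a real server. */
static const char SAMPLE_PWD[]  = "257 \"/home/\"\"quoted\"\" dir\" is current directory.";
static const char SAMPLE_PASV[] = "227 Entering Passive Mode (192,168,1,20,195,80)";

int demo_long_pwd_reply(void) {          /* 2000-byte path vs. 256-byte buffer: -2 */
    char reply[2048], path[PATH_BUF];
    memcpy(reply, "257 \"", 5);
    memset(reply + 5, 'A', 2000);
    memcpy(reply + 2005, "\" x", 4);     /* closing quote, comment, NUL */
    return parse_pwd_reply(reply, path, sizeof path);
}
int demo_pwd_quoted_len(void) {          /* decoded /home/"quoted" dir -> 18 */
    char path[PATH_BUF];
    return parse_pwd_reply(SAMPLE_PWD, path, sizeof path) == 0 ? (int)strlen(path) : -1;
}
int demo_pasv_port(void) {               /* 195*256 + 80 -> 50000 */
    struct pasv_addr a;
    return parse_pasv_reply(SAMPLE_PASV, &a) == 0 ? (int)a.port : -1;
}
int demo_pasv_oversized(void) {          /* field 99999 is rejected: -1 */
    struct pasv_addr a;
    return parse_pasv_reply("227 Entering Passive Mode (192,168,1,20,99999,80)", &a);
}
int main(void) {
    printf("long PWD: %d  quoted len: %d  PASV port: %d  oversized: %d\n",
           demo_long_pwd_reply(), demo_pwd_quoted_len(), demo_pasv_port(), demo_pasv_oversized());
    return 0;
}
```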
amdphr3@kXP Posted June 10, 2003 (Author)

Nokia GGSN (IP650 Based) DoS

Application: Nokia GGSN (IP650 Based)
Platform: Nokia GGSN (IP650 Based)
Severity: An attacker is able to cause the GGSN to kernel panic

Overview:
Nokia's (http://www.nokia.com) GGSN (Gateway GPRS Support Node) is the platform that exists between the Gn and Gi networks within a GPRS network. There exists a vulnerability in the TCP stack that allows an attacker to cause the GGSN to kernel panic and shut down. This potentially allows an attacker to crash all data connectivity within a GPRS-based network.

This is a good example of why network elements which introduce IP functionality to legacy networks should have their functionality verified in terms of impact on security before deployment in a production environment.

This vulnerability is exploited by sending a malformed IP packet with a TCP option of 0xFF over a cellphone to the affected network.
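The crash above is attributed to a single unexpected TCP option kind. As an added example (not Nokia's code; the option byte strings are constructed), the C below walks a TCP options area the defensive way: unknown kinds such as 0xFF are skipped by their length field and never interpreted, and a length that is zero or runs past the option area is rejected rather than followed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of walking the TCP options area that follows the 20-byte fixed header. */
enum { TCP_OPT_OK = 0, TCP_OPT_MALFORMED = -1 };

/* Walk len bytes of TCP options, counting them. Kinds 0 (End of Option List) and
   1 (No-Operation) are single bytes; every other kind is kind, length, data, where
   length counts itself and the kind byte, so it must be at least 2. An unknown kind
   such as 0xFF is skipped by its length and never interpreted; a length that is too
   small (which would make a naive loop spin forever) or that runs past the end of
   the option area is rejected instead of trusted. */
int walk_tcp_options(const uint8_t *opts, size_t len, unsigned *count_out) {
    size_t i = 0;
    unsigned count = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == 0) break;                         /* EOL: remaining bytes are padding */
        if (kind == 1) { i++; count++; continue; }    /* NOP has no length byte */
        if (i + 1 >= len) return TCP_OPT_MALFORMED;   /* kind present, length byte missing */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return TCP_OPT_MALFORMED;
        if (kind == 2 && olen != 4) return TCP_OPT_MALFORMED;   /* MSS is fixed at 4 bytes */
        i += olen;
        count++;
    }
    if (count_out) *count_out = count;
    return TCP_OPT_OK;
}

/* Constructed option byte strings, not captured traffic. */
static const uint8_t GOOD_OPTS[] = {
    2, 4, 0x05, 0xb4,        /* MSS 1460 */
    1,                       /* NOP */
    3, 3, 7,                 /* window scale 7 */
    0xff, 6, 1, 2, 3, 4,     /* unknown kind 0xFF, length 6: skipped, not parsed */
    0                        /* EOL */
};
static const uint8_t BAD_LEN0[] = { 0xff, 0, 1, 1 };   /* kind 0xFF with length 0 */
static const uint8_t BAD_OVER[] = { 0xff, 40, 1, 1 };  /* length runs past the 4-byte area */

int demo_good_count(void) {   /* 4 options walked */
    unsigned n = 0;
    return walk_tcp_options(GOOD_OPTS, sizeof GOOD_OPTS, &n) == TCP_OPT_OK ? (int)n : -1;
}
int demo_zero_length(void) { return walk_tcp_options(BAD_LEN0, sizeof BAD_LEN0, NULL); }   /* -1 */
int demo_overrun(void)     { return walk_tcp_options(BAD_OVER, sizeof BAD_OVER, NULL); }   /* -1 */

int main(void) {
    printf("good: %d  zero-length: %d  overrun: %d\n",
           demo_good_count(), demo_zero_length(), demo_overrun());
    return 0;
}
```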
amdphr3@kXP Posted June 10, 2003 (Author)

[LSD] HP-UX security vulnerabilities

1. /usr/sbin/lanadmin
   /usr/sbin/landiag

The vulnerability in the lanadmin and landiag programs is caused by improper handling of the TERM environment variable in the setupterm() function - it copies this variable without any size checking into the stack buffer with the use of the strcpy function. This bug can be triggered by invoking the lanadmin or landiag program with the TERM environment variable set to a long string value. When appropriately exploited it can lead to a local root compromise of a vulnerable system.

2. /opt/sharedprint/bin/pcltotiff

There exists a buffer overflow vulnerability in the command line parsing code portion of the pcltotiff program. This bug can be triggered by invoking the pcltotiff program with a long string argument passed with the -t command line option. During program execution, this argument is further insecurely copied into the stack buffer with the use of the strcpy() function and without any size checking. When appropriately exploited this bug can lead to a privilege elevation attack, as the group id of bin can be gained on a vulnerable system.

3. rpc.yppasswdd

The rpc.yppasswdd service is typically installed with the NIS (Network Information Service) subsystem. The purpose of this service is to handle password change requests from the yppasswd program. In the HP-UX operating system, rpc.yppasswdd is installed as RPC service number 100009.

We have found that there exists the same security vulnerability in HP-UX rpc.yppasswdd as in the Solaris operating system (Bulletin Number #00209). This vulnerability can be remotely exploited to gain unauthorised access to the target HP-UX system with administrative (root user) privileges.

The vulnerability can be triggered by sending a carefully crafted string argument to the YPPASSWDPROC_UPDATE function. This function has two arguments: a character string and a passwd struct (in our proof of concept code we only send a string instead of the whole structure), which stand respectively for the oldpass and the passwd struct (in our case the pw_name string). In the changepasswd() function the pw_name field of the passwd structure is copied to a fixed buffer with the use of a strcpy() function call. As this call is done without any checking of the string length and boundaries, the program stack can be overwritten as a result of a buffer overflow condition.

Below you can see a detailed trace log from our bptrace tool, which clearly illustrates the rpc.yppasswdd execution path that leads to the overflow condition.

[21110] 0x00012a98 1 changepasswd()
[21110] 0x00025480 1 memset(0xffbefa30,0,40)
[21110] 0x00014448 1 xdr_yppasswd()
[21110] 0x00025738 1 xdr_wrapstring()
[21110] 0x00014374 1 xdr_passwd()
[21110] 0x00025744 1 xdr_uid_t()
[21110] 0x00025750 1 xdr_gid_t()
[21110] 0x000126b4 1 validstr()
[21110] 0x0002545c 1 strlen("")
[21110] 0x000255b8 1 strchr("",':')
[21110] 0x000126b4 2 validstr()
[21110] 0x000126b4 3 validstr()
[21110] 0x00025474 1 strcmp("udp","ticlts")
....
[21110] 0x00025438 1 strcpy(0xffbef9d8,"overlfow string with shellcode")

4. /usr/lib/X11/Xserver/ucode/screens/hp/rs.F3000

This vulnerability results from bad coding practices, specifically the way the system() function call is used throughout the code of the rs.F30002 program. This function call is used by rs.F30002 for invoking external programs (like rm) without specifying their absolute path. If the PATH environment variable is appropriately set prior to such an unsafe system() call invocation, user programs can be executed at elevated privileges (user=daemon).

5. /usr/bin/stmkfont

A simple buffer overflow vulnerability exists in the command line parsing code portion of the stmkfont program. This bug can be triggered by invoking the stmkfont program with a long string argument. When appropriately exploited it can lead to a privilege elevation attack, as the group id of bin can be gained on a vulnerable system.

6. /usr/bin/uucp

A buffer overflow vulnerability exists in the command line parsing code portion of the uucp program. This bug can be triggered by invoking the uucp program with a long string argument as an option. When appropriately exploited it can lead to a privilege elevation attack, as the user id of uucp can be gained on a vulnerable system.

7. /usr/bin/uusub

A buffer overflow vulnerability exists in the command line parsing code portion of the uusub program. This bug can be triggered by invoking the uusub program with a long string argument passed with the -a command line option. When appropriately exploited it can lead to a privilege elevation attack, as the user id of uucp can be gained on a vulnerable system.
amdphr3@kXP Posted June 10, 2003 (Author)

GNU gzexe Temporary File Vulnerability

It has been reported that gzexe uses temporary files insecurely. During execution, an instance of gzexe creates a symbolic link in /tmp with a filename based on its process ID. This creates a race condition that may be exploited by local users to corrupt files writeable by target users.

SYSTEMS AFFECTED

GNU gzip 1.2.4 a
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Linux Mandrake 7.0
+ MandrakeSoft Linux Mandrake 7.1
+ MandrakeSoft Linux Mandrake 7.2
+ MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 8.0 ppc
+ MandrakeSoft Linux Mandrake 8.1
+ MandrakeSoft Linux Mandrake 8.1 ia64
+ MandrakeSoft Single Network Firewall 7.2
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 sparc
+ SGI IRIX 6.5
+ SGI IRIX 6.5.1
+ SGI IRIX 6.5.2
+ SGI IRIX 6.5.3
+ SGI IRIX 6.5.4
+ SGI IRIX 6.5.5
+ SGI IRIX 6.5.6
+ SGI IRIX 6.5.7
+ SGI IRIX 6.5.8
+ SGI IRIX 6.5.9
+ SGI IRIX 6.5.10
+ SGI IRIX 6.5.11 f
+ SGI IRIX 6.5.11 m
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.15 f
+ SGI IRIX 6.5.15 m
+ Trustix Secure Linux 1.1
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.5

GNU gzip 1.2.4
+ Debian Linux 2.2 68k
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 sparc
+ RedHat Linux 5.2 alpha
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 sparc
+ RedHat Linux 6.0
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 sparc
+ Slackware Linux 7.0
+ Slackware Linux 7.1
+ Slackware Linux 8.0
+ Sun Solaris 8.0
+ Sun Solaris 8.0 _x86

GNU gzip 1.3
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.2 i386

GNU gzip 1.3.2
+ Debian Linux 3.0
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 sparc

SOLUTION
Debian has issued upgrades that will eliminate the vulnerability in Debian packages. See DSA-308-1 (in the reference section) for URLs.

TECHNICAL DETAILS
It has been discovered that znew, a script included in the gzip package, creates its temporary files without taking precautions to avoid a symlink attack (CAN-2003-0367).

The gzexe script has a similar vulnerability which was patched in an earlier release but inadvertently reverted.

For the stable distribution (woody) both problems have been fixed in version 1.3.2-3woody1.

For the old stable distribution (potato) CAN-2003-0367 has been fixed in version 1.2.4-33.2. This version is not vulnerable to CVE-1999-1332 due to an earlier patch.

For the unstable distribution (sid) this problem will be fixed soon.
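The gzexe and znew issue is a temporary name that a local user can predict and pre-create as a symlink. As an added example (not gzip's own code; the file names and scratch directory are constructed), the C below contrasts the PID-based name with an exclusive open and with mkstemp(), and verifies in a private scratch directory that a planted symlink is refused and the link target is never created.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a /tmp name derived from the PID. PIDs are
   small and guessable, so another local user can place a symlink at that name
   first, and a careless open() through it writes wherever the link points. */
void predictable_tmp_name(char *out, size_t n, const char *dir) {
    snprintf(out, n, "%s/gzexe%ld", dir, (long)getpid());
}

/* Minimal hardening for a fixed name: O_EXCL makes creation fail if anything,
   including a symlink, already exists at path (EEXIST; some systems report ELOOP
   for the symlink via O_NOFOLLOW). It never opens through a planted link. */
int open_fresh_file(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred fix: mkstemp chooses an unpredictable suffix and creates the file
   atomically with O_EXCL; fstat on the descriptor then confirms we hold a fresh,
   private regular file rather than something that was substituted. */
int create_private_tmp(char *name, size_t n, const char *dir) {
    if (snprintf(name, n, "%s/gzexe.XXXXXX", dir) >= (int)n) return -1;
    int fd = mkstemp(name);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd);
        unlink(name);
        return -1;
    }
    return fd;
}

/* Self-check in a private scratch directory: a symlink is planted at the
   predictable name (standing in for the hostile local user), then we verify
   the exclusive open refuses it, the link target was never created, and
   mkstemp still yields a usable file. Returns 1 when all three hold. */
int demo_exclusive_open_refuses_planted_link(void) {
    char dir[] = "/tmp/gzexe-demo.XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char target[PATH_MAX], planted[PATH_MAX], fresh[PATH_MAX];
    snprintf(target, sizeof target, "%s/victim-file", dir);
    predictable_tmp_name(planted, sizeof planted, dir);
    int pass = 0;
    if (symlink(target, planted) == 0) {
        int fd = open_fresh_file(planted);
        int refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
        if (fd >= 0) close(fd);
        struct stat st;
        int untouched = (lstat(target, &st) != 0 && errno == ENOENT);
        int fd2 = create_private_tmp(fresh, sizeof fresh, dir);
        pass = refused && untouched && fd2 >= 0;
        if (fd2 >= 0) { close(fd2); unlink(fresh); }
        unlink(planted);
    }
    rmdir(dir);
    return pass;
}

int main(void) {
    printf("exclusive open refuses planted symlink: %s\n",
           demo_exclusive_open_refuses_planted_link() ? "yes" : "no");
    return 0;
}
```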
XPerties Posted June 10, 2003

Apparently 2.8.12 is vuln to some type of exploit.

You are running an insecure apache setup. You should run /scripts/easyapache and upgrade to a newer version as soon as possible to avoid your system being compromised.

Update mod_ssl to 2.8.14
vcant Posted June 10, 2003

Wow, didn't know that about SmartFTP, thanks for the info. I think I need to run and inform one of the clients.
MSNwar Posted June 10, 2003

Good stuff Rufo.

Let's move this to: Networks, Internet and Security

Moved
amdphr3@kXP Posted June 10, 2003 (Author)

Debian Security Advisory
Affected Packages: kernel

A number of vulnerabilities have been discovered in the Linux kernel.

CVE-2002-0429: The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall).

CAN-2003-0001: Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets.

CAN-2003-0127: The kernel module loader allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.

CAN-2003-0244: The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain.

CAN-2003-0246: The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.

CAN-2003-0247: Vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops").

CAN-2003-0248: The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address.

CAN-2003-0364: The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions.

This advisory covers only the i386 (Intel IA32) architectures. Other architectures will be covered by separate advisories.

For the stable distribution (woody) on the i386 architecture, these problems have been fixed in kernel-source-2.4.18 version 2.4.18-9, kernel-image-2.4.18-1-i386 version 2.4.18-8, and kernel-image-2.4.18-i386bf version 2.4.18-5woody1.

For the unstable distribution (sid) these problems are fixed in the 2.4.20 series kernels based on Debian sources.

It is recommended that you upgrade your kernel packages.

If you are using the kernel installed by the installation system when the "bf24" option is selected (for a 2.4.x kernel), you should install the kernel-image-2.4.18-bf2.4 package. If you installed a different kernel-image package after installation, you should install the corresponding 2.4.18-1 kernel. You may use the table below as a guide.

| If "uname -r" shows: | Install this package:         |
| 2.4.18-bf2.4         | kernel-image-2.4.18-bf2.4     |
| 2.4.18-386           | kernel-image-2.4.18-1-386     |
| 2.4.18-586tsc        | kernel-image-2.4.18-1-586tsc  |
| 2.4.18-686           | kernel-image-2.4.18-1-686     |
| 2.4.18-686-smp       | kernel-image-2.4.18-1-686-smp |
| 2.4.18-k6            | kernel-image-2.4.18-1-k6      |
| 2.4.18-k7            | kernel-image-2.4.18-1-k7      |

NOTE: this kernel is not binary compatible with the previous version. For this reason, the kernel has a different version number and will not be installed automatically as part of the normal upgrade process. Any custom modules will need to be rebuilt in order to work with the new kernel.
Flash Posted June 11, 2003

Notice a lot of the 'affectants' are on Linux operating systems.
vcant Posted June 11, 2003

> Notice a lot of the 'affectants' are on Linux operating systems.

I installed RedHat 9.0 on one of the computers, and they have something similar to Windows Update now. It has the icon that checks for updates, and besides that, it sends the notification to the email, so I'm getting notified by email about different critical updates almost every day!!! And people say they are sick of Windows Update.
amdphr3@kXP Posted June 11, 2003 (Author)

From my experience, I have found Windows and Linux just as exploitable as each other. A mate had a WinXP box and a Linux box, and I was able to exploit one of these as easily as the other. They aren't very secure; as long as an attacker knows what he/she is doing, they can exploit either Linux or Windows with ease.
amdphr3@kXP Posted June 14, 2003 (Author)

Sphera Hosting Director Control Panel Multiple Vulnerabilities: XSS - Session Hijacking - DoS/Buffer Overflow - Another User Accounts access

Versions:
VULNERABLE
- 3.x
- 2.x
- 1.x

HostingDirector comprises three fundamental components that are integrated to provide rich offerings, maximum control for resellers and site owners, and easy, centralized administration of shared and dedicated environments running on Linux and Microsoft Windows®.

SECURITY HOLES FOUND and PROOFS OF CONCEPT:

| XSS in LOGIN |

I encountered XSS (Cross Site Scripting) vulnerabilities in SPHERA's product called Hosting Director, located in the vds (user of hosting plans) control panel. The problems, I think, are related to form tag closing by URL code injection and the input validation system (there isn't any). In addition the success_msg variable (in internal scripts) is vulnerable to XSS too. With this you can insert HTML and script code by URL command passing like this:

XSS IN THE LOGIN FORM:

http://[TARGET]/[iNSTALLATION PATH]/login/sm_login_screen.php?uid=">[XSS ATTACK CODE]

http://[TARGET]/[iNSTALLATION PATH]/login/sm_login_screen.php?error=">[XSS ATTACK CODE]

http://[TARGET]/[iNSTALLATION PATH]/login/sm_login_screen.php?error=[XSS ATTACK CODE COMBINED WITH OTHER VARIABLE TO EMULATE A REAL ERROR LIKE "EITHER PASSWORD OR USER ARE INCORRECT, RE-FILL IN" TO STEAL THE USER DATA]

http://[TARGET]/[iNSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS DOMAIN OR IP]&uid=">[XSS ATTACK CODE]&tz=[TIMEZONE CODE, TRY CEST]&vds_server_ip=">[XSS ATTACK CODE]

| SAMPLES |

https://[TARGET]/[iNSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS DOMAIN OR IP]&uid=">here%20comes%20your%20attack&tz=CEST&vds_server_ip=">Here%20comes%20your%20XSS%20Attack&error=Either+user+or+password+are+incorrect+,+please+re-fill+in+.

https://[TARGET]/[iNSTALLATION PATH]/login/sm_login_screen.php?uid=">XSS%20!

| COMMUNICATIONS ENCRYPTION |

Sphera uses an "insecure" communications data encryption (DES (16)). DES is a not very secure algorithm (I think). In addition the control panel scripts don't check if you are using the https protocol and allow you to use plain http connections on port 80 (without SSL).

| SESSION HIJACKING |

This is a very interesting thing in the Sphera Hosting Director VDS Control Panel: if you don't close a session in the control panel, the session is saved all the time that you use the cookie, and the system doesn't close the session if you don't close it with the control panel! This can be a big security problem if an attacker generates a session id randomizing control. I explain it: if the first session id that you received is this:

xx01xx01xxX

and the next session id is:

xx01xx02Xxx

The first session id only differs in two parts from the second session; this indicates poor session id randomizing. The attacker can generate a profile analyzing the random session generating and make an algorithm or script to make valid sessions. This can be used to enter the system only changing the USER ID value, and you have access to the system with the USER ID permissions! ;-)

I think of another possibility generating session id randomizing profiles, like monitoring the use of resources and the stack blocks, but this is very difficult for remote users. The remote method is not very easy but very possible.

| BUFFER OVERFLOW AND DoS |

I found some possible buffer overflows and Denial of Service attacks. Some PHP files used by the vds control panel environment can conduct denial of service attacks to the installation server. Other PHP files can conduct stack attacks by URL-based variable hacking and command injection. You can enter some crafted URLs spoofing the variables and your referer to make actions in other user accounts.

Some Proofs of Concept:

http://[TARGET]/[iNSTALLATION PATH]/dev/VDS/submitted.php

Sphera Control Panel globally used PHP file, and this file can be used to conduct DoS and Buffer Overflow attacks to the [TARGET] server with Sphera VDS Control Panel installed in [iNSTALLATION PATH]. I tell you some samples: make a connection in POST mode and request this:

http://[TARGET]/[iNSTALLATION PATH]/dev/VDS/submitted.php?[TARGET USER]\activeservices\http||watchdog_running=[false]&restart_vds=on&success_msg=Remote USER VDS restarted through this kind of attack

I think that the system checks your referer to authenticate the request, but you can spoof it easily. With this kind of attack you can make actions in other users' hosting accounts like password changing, virtual server restarting, watchdog deactivating and other features ;-)
amdphr3@kXP Posted June 14, 2003 (Author)

SuSE Security Announcement: radiusd-cistron (SuSE-SA:2003:030)

Package: radiusd-cistron
Announcement-ID: SuSE-SA:2003:030
Date: Friday, Jun 13th 2003 09:32 MET
Affected products: 7.2, 7.3, 8.0
Vulnerability Type: possible remote system compromise
SuSE default package: no
Cross References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196063

Content of this advisory:
1) security vulnerability resolved: handling too large NAS numbers
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
   - lprng
   - frox
   - poster
   - ghostscript-library
3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

The package radiusd-cistron is an implementation of the RADIUS protocol. Unfortunately the RADIUS server does not handle too large NAS numbers correctly. This leads to overwriting internal memory of the server process and may be abused to gain remote access to the system the RADIUS server is running on.

There is no temporary workaround known.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

Please note, missing packages will be published as soon as possible.

______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

- lprng
  A race condition in psbanner was fixed that can be abused by local users to overwrite files owned by daemon:lp. New packages are available on our FTP servers.

- frox
  The init script of frox handled tmp files in an insecure manner. This behavior can be exploited by local users. New packages are available on our FTP servers.

- poster
  A possible buffer overflow due to usage of gets() was fixed which could have been exploited by malicious input data to execute code under the user id of the user running poster. New packages are available on our FTP servers.

- ghostscript-library
  Malicious PostScript[tm] files could execute shell commands even if the ghostscript interpreter was invoked with the -dSAFER flag.

______________________________________________________________________________

3) standard appendix: authenticity verification, additional information

- Package authenticity verification:

SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:

1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.

1) execute the command

   md5sum

   after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package.

   We do not recommend subscribing to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software.

   Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.

2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command

   rpm -v --checksig

   to verify the signature of the package, where is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file.

   Prerequisites:
   a) gpg is installed
   b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root):

      gpg --batch; gpg

      SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

- SuSE runs two security mailing lists to which any interested party may subscribe:

  suse-security@suse.com
  - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to.

  suse-security-announce@suse.com
  - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list. To subscribe, send an email to