Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Linux 2.4 kernels, Apache, VMware, BRU, Oracle, mpg123, and phpGroupWare.
Problems have been reported in the Linux 2.4 kernel that include: a problem in the serial device that can be used by an attacker to gather information (such as possible password lengths or keystroke times); bugs in the execve() function call that can lead to a system crash, or to a user being able to read a restricted file; a problem that may be exploitable by a normal user to bind to UDP ports (such as the ports used by the NFS server); a vulnerability in the /proc file system that may be exploited by local users to gain access to restricted data; a security problem in the STP protocol; a potential denial-of-service attack against the STP protocol; and a vulnerability in the forwarding of packets.
Linux users should watch their vendor for upgraded kernel packages that repair these problems. Red Hat has released kernel packages for Red Hat Linux versions 7.1, 7.2, 7.3, 8.0, and 9. EnGarde Secure Linux has released upgraded packages for EnGarde Secure Community 2 and EnGarde Secure Professional v1.5.
The Apache web server has a security problem and is vulnerable to several denial-of-service attacks. The security problem is a result of weak encryption being selected instead of the stronger encryption, under some conditions. The denial-of-service vulnerabilities include: a bug in the pre-fork MPM that can cause a temporary denial-of-service condition, under some circumstances; a problem in the FTP proxy code when the remote host uses IPv6 but the proxy server cannot open an IPv6 socket; and a problem with nested redirects and sub-requests that has been worked around by creating a LimitInternalRecursion configuration directive.
These bugs and problems have been repaired in Apache 2.0.47, and users are encouraged to upgrade as soon as possible.
A vulnerability has been discovered, in VMware GSX Server for Linux and VMware Workstation for Linux, that can be exploited by an attacker to execute an arbitrary program with root permissions on the server. This vulnerability is reported to affect VMware GSX Server 2.5.1 for Linux (build 4968), VMware Workstation 4.0 for Linux, and all earlier releases of these two products.
VMware recommends that affected users upgrade VMware Workstation to version 4.0.1, and that VMware GSX Server be upgraded to version 2.5.1 patch 1.
BRU, the Backup and Restore Utility for Unix, is vulnerable to a buffer overflow that can be exploited by a local attacker to execute arbitrary code with root permissions, if the set user id bit has been set on BRU.
The Tolisgroup recommends that users remove the set user id bit from BRU if it has been set, and upgrade to the latest version from the Tolisgroup.
A buffer overflow in the Extproc utility of Oracle has been reported that can be used by a remote attacker to execute arbitrary code with the permissions of the user running Oracle (normally the "oracle" user). Also, a buffer overflow has been reported in the Oracle Applications Web Report Review (FNDWRR) program that comes with the Oracle E-Business Suite. The buffer overflow in FNDWRR can be used to execute arbitrary code with the permissions of the user running the web server.
Oracle has released patches to repair these buffer overflows. Affected users should contact Oracle for details and instructions.
fdclone, a small file manager written for the Linux console, is vulnerable to a symbolic-link race condition attack on its temporary files that can be exploited by a local attacker to overwrite arbitrary files on the server with the permissions of the user running fdclone, and to view or alter files that fdclone is being used to view.
Users should watch for a repaired version of fdclone and should consider not using it until it has been updated.
simi is a MIME library used by the
emacs mail client
a fork of the
wimi have bugs, in the way they handle temporary files, that can be exploited by a local attacker to overwrite arbitrary files on the server with the permissions of the user reading mail with wl mail. The bugs are reported to affect semi version 1.14.3.
It is recommended that users watch for versions of wimi that have these bugs repaired.
Version 2.5.2 of the database administration tool phpMyAdmin has been released. This new version repairs problems that include a bug that can be used to display a listing of the phpMyAdmin directory, and path disclosure and XSS problems. In addition, the password is now encrypted using the Blowfish algorithm.
Users are encouraged to upgrade to this new version.
A buffer overflow has been found in the nfs-utils package that may be exploitable by a remote attacker to execute arbitrary code with root permissions. This buffer overflow is reported to affect versions of nfs-utils earlier than 1.0.4.
It is recommended that users upgrade to nfs-utils 1.0.4 or newer or watch their vendors for an upgraded or repaired package.
The audio playback tool mpg123 is vulnerable to an attack that uses a carefully crafted .mp3 file that has a zero bit rate.
Users should watch for a repaired version.
A flaw in phpGroupWare can be exploited to execute arbitrary PHP code (which can be located on a remote server) on the server, with the permissions of the user running the web server.
All users of phpGroupWare should upgrade to version 0.9.14.006 as soon as possible.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.