Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Subversion, Apache's mod_ssl, Squid, MIT's krb5, RealOne, RealPlayer, Jail(), Aspell, Tripwire, and
Subversion is an open source version control system designed to be usable as a CVS replacement. Versions of Subversion through 1.0.4 are reported to be vulnerable, under some conditions, to a buffer overflow that can be used in a denial-of-service attack and may be exploitable to execute arbitrary code with the permissions of the user running the svnserve daemon or other software using the related tunneled svn+:// protocols.
The Subversion project recommends that users upgrade to Subversion version 1.0.5 or newer as soon as possible. As a possible workaround for users who cannot upgrade, it suggests that svnserve be turned off and replaced with http:// access (DAV).
The mod_proxy module distributed with Apache 1.3.31 or earlier contains a buffer overflow that may, under some circumstances, be exploitable by a remote attacker to execute code with the permissions of the user running Apache.
Affected users should consider disabling mod_proxy until a repaired version of Apache has been installed.
mod_ssl contains a bug that can be remotely exploited as a denial-of-service attack or that could possibly result in code execution as the user the web server is running under. Only installations of Apache that have FakeBasicAuth enabled and trust client certificates with an unusually long subject DN are vulnerable. The bug is reported to affect versions of mod_ssl earlier than 2.8.18, and Apache 2.0.49-r2 and earlier.
Affected users should upgrade to a repaired version of mod_ssl or Apache 2.*.
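The failure mode behind this advisory, as an added illustration and not mod_ssl's own code: FakeBasicAuth turns the client certificate's subject DN into a Basic-auth credential, so the DN's length is remote input headed for a fixed-size buffer. The helper names and the 512-byte scratch size are assumptions; the code rejects an over-long DN instead of truncating or overflowing.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helpers, not mod_ssl code. Base64 output size incl. NUL. */
static size_t b64_size(size_t n) { return 4 * ((n + 2) / 3) + 1; }

/* Encode n bytes of src into dst; dst must hold b64_size(n) bytes. */
static void b64_encode(const unsigned char *src, size_t n, char *dst)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i;
    for (i = 0; i + 2 < n; i += 3) {
        *dst++ = tbl[src[i] >> 2];
        *dst++ = tbl[((src[i] & 3) << 4) | (src[i + 1] >> 4)];
        *dst++ = tbl[((src[i + 1] & 15) << 2) | (src[i + 2] >> 6)];
        *dst++ = tbl[src[i + 2] & 63];
    }
    if (i < n) {                         /* 1 or 2 trailing bytes: pad */
        unsigned b1 = (i + 1 < n) ? src[i + 1] : 0;
        *dst++ = tbl[src[i] >> 2];
        *dst++ = tbl[((src[i] & 3) << 4) | (b1 >> 4)];
        *dst++ = (i + 1 < n) ? tbl[(b1 & 15) << 2] : '=';
        *dst++ = '=';
    }
    *dst = '\0';
}

/* Build "Basic base64(<dn>:password)" in out. Returns 0 on success, or
 * -1 (writing nothing) if the DN does not fit the scratch or output buffer. */
int fake_basic_auth(const char *subject_dn, char *out, size_t outlen)
{
    char cred[512];                      /* scratch for "<dn>:password" */
    static const char suffix[] = ":password";
    static const char prefix[] = "Basic ";
    size_t dn_len = strlen(subject_dn), cred_len;

    if (dn_len > sizeof(cred) - sizeof(suffix))   /* keeps room for NUL */
        return -1;
    cred_len = dn_len + sizeof(suffix) - 1;
    /* Base64 grows data by 4/3, so check the encoded size, not the raw one. */
    if (sizeof(prefix) - 1 + b64_size(cred_len) > outlen)
        return -1;
    memcpy(cred, subject_dn, dn_len);
    memcpy(cred + dn_len, suffix, sizeof(suffix));
    memcpy(out, prefix, sizeof(prefix) - 1);
    b64_encode((const unsigned char *)cred, cred_len, out + sizeof(prefix) - 1);
    return 0;
}
```

Both checks matter: the first bounds the raw credential, the second bounds its larger encoded form.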
Squid is a free, open source Web proxy cache server designed for Unix systems with many features, including: proxying and caching of HTTP, FTP, and other URL types; proxying for SSL; transparent caching; extensive access controls; HTTP server acceleration; SNMP; and caching of DNS queries. A buffer overflow in the NTLM authentication function ntlm_check_auth() can be used by a remote attacker to execute arbitrary code with the permissions of the user Squid is running under. Only Squid installations that are using the NTLM authentication helper are vulnerable to this buffer overflow.
Affected users should recompile Squid without the NTLM authentication helper support, watch for a new Squid release, or wait for a vendor-supplied package.
krb5 is an implementation of Kerberos, a network authentication protocol designed to provide strong cryptographic, secret-key-based authentication for client/server applications. Under some non-default configurations, a remote attacker can exploit multiple buffer overflows in the function krb5_aname_to_localname() and cause arbitrary code to be executed with (in most cases) root permissions. Versions of krb5-1.3.3 are reported to be vulnerable, but only in non-default configurations.
krb5 maintainers recommend upgrading to version krb5, disabling the vulnerable functionality (explicit mapping or rules-based mapping), or applying an available patch.
The media players RealOne and RealPlayer are reported to be vulnerable to a buffer-overflow-based attack that can result in arbitrary code being executed as the user running the player. The attack uses a carefully crafted .RA file to cause the buffer overflow.
RealNetworks has released upgrade information for Windows users, but it is not clear if RealOne and RealPlayer users on other platforms are affected. Users should contact RealNetworks for upgrade details. In all cases, users should exercise care in viewing content from untrusted sources.
The ksymoops-gznm script distributed with Mandrake Linux 10.0, 9.1, 9.2, and Corporate Server 2.1 is vulnerable to a temporary-file, symbolic-link-based attack that can, under some conditions, result in an attacker overwriting an arbitrary file with root's permissions.
Mandrake has released updated packages for all affected releases.
The email application gateway smtp.proxy is reported to have a remotely exploitable format-string bug that may result in code being executed on the server with the permissions smtp.proxy is running under (which may be root).
Version 1.3.3 of smtp.proxy is reported to be repaired.
icecast is reported to be vulnerable to a remotely exploitable denial-of-service attack.
Users of icecast should watch their vendors for a repaired version.
The Aspell utility was written by the GNU project as an accurate and better replacement for the popular ispell spell-checking utility. The word-list-compress utility is distributed with Aspell and is used to compress and decompress word lists for use by Aspell. If by some method (perhaps a social engineering attack) an attacker could introduce arbitrary words into another user's word list, a buffer overflow in the word-list-compress utility could be exploited, and arbitrary code executed with the victim's permissions.
Concerned users should watch their vendors for a repaired version of Aspell and should not let strangers put words into their wordlists.
The Jail() function call is used to confine a process and all of its descendants in a virtual "jail" that restricts access to the real system, even for root-owned processes. A bug in the FreeBSD Jail() function can be abused by root-owned processes in a jail to manipulate the host's route tables.
It is recommended that affected users upgrade to FreeBSD 4.10-RELEASE or a repaired version of RELENG_4_8 or RELENG_4_9, or apply an available patch.
Tripwire is a utility used to make a cryptographic snapshot or fingerprint of the state of a machine so that changes to files on the machine can be recognized. The email functionality of Tripwire is vulnerable to a format-string-based attack that may be exploitable to execute arbitrary code (most often as root). Versions 2.4 and earlier of the commercial version of Tripwire and version 2.3.1 and earlier of the open source version of Tripwire are reported to be vulnerable.
Affected users should stop using the email functionality until they have upgraded to a repaired version of Tripwire.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.