New Apache
by Noel Davis
Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in Apache 2.x, GNU Radius,
cdrtools, SUS, and Webmin.
Apache 2.0.51
Version 2.0.51 of the Apache web server has been released. This new version of Apache fixes the following security-related bugs: a minor denial-of-service vulnerability in the code that handles IPv6 URI parsing, which can result in a single child instance of the web server crashing; a buffer overflow in the code that parses configuration files, which may be exploitable by a local attacker using a .htaccess file to trigger the overflow and execute code with the permissions of the web server; a denial-of-service vulnerability when proxying to a remote SSL server, where the remote SSL server can, under some conditions, crash a child instance of the web server; and a bug in WebDAV authoring that can be exploited using LOCK requests to crash a child instance of the web server. In all of the listed denial-of-service attacks, other instances of Apache will continue to handle web page requests. It is recommended that all users of the version 2.x series of the Apache web server upgrade to version 2.0.51.
GNU Radius
The GNU version of the remote user authentication and accounting daemon Radius is vulnerable to a buffer overflow that is reported to be exploitable in a denial-of-service attack that crashes the Radius daemon and denies service to users attempting to authenticate. The buffer overflow is in code located in the asn_decode_string() function and is reported to only be vulnerable when Radius is compiled with the --enable-snmp option. Versions 1.1 and 1.2 of GNU Radius are reported to be vulnerable. Users affected by this vulnerability should upgrade to version 1.2.94 of GNU Radius or recompile Radius without the
libXpm library contains multiple buffer overflows that may, under some conditions, lead to arbitrary code being executed with the permissions of a victim who uses an application linked against the libXpm library to view a carefully crafted XPM file. Users should watch their vendors for updated packages that repair the buffer overflows and replace any affected applications.
CUPS
CUPS, the Common Unix Printing System, is vulnerable to a denial-of-service attack that, when executed by a remote attacker, will disable browsing and prevent the CUPS server from seeing remote printer changes. This attack is conducted by sending an empty UDP packet to port 631 on the victim's machine. In addition, a bug in the foomatic-rip filter (which allows the use of a printer and driver database) can, under some conditions, be exploitable by a remote attacker to execute arbitrary code. The denial-of-service vulnerability has been repaired in CUPS version 1.1.21rc2 and in the CUPS CVS repository. Users of the foomatic-rip filter package should watch their vendors for updated packages or upgrade to
gdk-pixbuf is reported to contain several buffer overflow bugs that may be exploitable under some conditions to execute arbitrary code with the permissions of the user, or used as part of a denial-of-service-type attack. These buffer overflows are in the code that loads BMP, ICO, and XPM files. Users should watch their vendors for a repaired version of
Some versions of the cdrecord utility supplied with cdrtools are vulnerable to an attack if the package is installed set user id root. cdrecord does not drop any root permissions before executing the command pointed to by the $RSH environment variable. A script to automate the exploitation of this problem has been released to the public. Some vendors have patched cdrecord to prevent this problem. Affected users should upgrade cdrtools to a repaired version and remove the set user id bit from cdrecord or restrict who can execute it using a group.
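The two mitigations recommended above for cdrecord, written out as an added shell example (not part of the original column or of cdrtools). The helper names audit_cdrecord and harden_cdrecord are hypothetical, and the group passed to harden_cdrecord is assumed to already exist and to contain only the users trusted to burn discs.

```shell
#!/bin/sh
# Added example: audit a cdrecord binary for the set-user-id bit and apply
# one of the two mitigations the column recommends. Helper names are
# hypothetical; run the hardening step as root on a real installation.

# audit_cdrecord FILE
# Prints one of: missing | setuid-root | setuid | ok
audit_cdrecord() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "missing"
        return 0
    fi
    # Third field of `ls -ln` is the numeric owner id.
    uid=$(ls -ln "$file" | awk '{print $3}')
    if [ -u "$file" ] && [ "$uid" = "0" ]; then
        echo "setuid-root"      # the configuration the advisory warns about
    elif [ -u "$file" ]; then
        echo "setuid"
    else
        echo "ok"
    fi
}

# harden_cdrecord FILE [GROUP]
# Without GROUP: remove the set-user-id bit entirely.
# With GROUP:    keep the bit but let only the owner and GROUP execute
#                the binary (mode 4750), closing it to all other users.
harden_cdrecord() {
    file=$1
    group=${2:-}
    [ -f "$file" ] || { echo "not found: $file" >&2; return 2; }
    if [ -z "$group" ]; then
        chmod u-s "$file"
    else
        # chgrp may clear the setuid bit, so set the mode afterwards.
        chgrp "$group" "$file" && chmod 4750 "$file"
    fi
}

# Typical use (path lookup is an assumption about the local install):
#   audit_cdrecord "$(command -v cdrecord)"
#   harden_cdrecord "$(command -v cdrecord)"           # drop setuid
#   harden_cdrecord "$(command -v cdrecord)" cdburners  # or restrict by group
```

Restricting by group narrows who can reach the setuid binary but leaves the $RSH behaviour in place for members of that group, so upgrading to a repaired cdrtools is still required.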
SUS
SUS, a utility that allows specified users to execute certain commands with root permissions, is reported to be vulnerable to a format-string-related bug that may, under some conditions, be exploitable by a local attacker to execute any and all commands with root permissions. SUS is also vulnerable to a format-string-bug-based vulnerability that may be exploitable by a local attacker to execute arbitrary code with root permissions. Users of tools such as SUS or Sudo should keep in mind that this is an expected vulnerability of utilities that allow users to perform a limited number of commands with root permissions, and if they still must use the tool, they should watch carefully for vulnerabilities in it. The format-string bug is reported to be repaired in SUS version 2.0.6. For the present time, users of SUS should install the latest available release.
Webmin
Webmin is a web-based toolkit for Unix systems that can administer user accounts, control Apache, DNS, file sharing, and more. It is reported that, under some conditions, Webmin may be vulnerable to a symbolic-link race condition due to an insecure temporary directory. This can result in arbitrary files being written with the permissions of the web server. There is also a vulnerability in the web mail functionality of Webmin that may be exploitable by a remote attacker to execute arbitrary shell commands as the user running the web server. Affected users should upgrade to version 1.090 or newer of Webmin and should consider disabling Webmin until it can be upgraded.