Copyright © 2002-2008
EscapeBox Germany
Patches for a couple of recently discovered
security holes in the popular PHP-Nuke 6.0 web portal software have been
applied, dealing with illicit code execution and XSS as well as CRLF injection
vulnerabilities. There were no changes in functionality we know of.

There is a newly discovered remotely exploitable
security hole in MySQL prior to revision 3.23.54, which we have now fixed.
Fortunately, in our setup, if MySQL runs at all (it is disabled by default) it does
so on a port number not directly accessible from the Internet (firewalled).
So, as long as there were no untrusted users on a box since this became
public, it is unlikely that there has been any abuse. This is a bug fix
release, and there were no changes in functionality we know of.
For more information please refer to
http://security.e-matters.de/advisories/042002.html

We upgraded Python to revision 2.2.2, which is a
pure bug fix release. There were no changes in functionality we know of.

For the sake of revision number clarity we upgraded
to Bind 8.3.4, which is basically 8.3.3 with the recent security fix
installed. There were no changes in functionality.

In the wake of yesterday's security update of the
Bind resolver libs, a fix of the actual Bind utilities ('named', 'host'
etc.) had to follow suit. There were no changes in functionality.
For more information please refer to
http://www.isc.org/products/BIND/bind-security.html

A new bunch of remotely exploitable buffer overrun
vulnerabilities has been discovered in the ubiquitous Bind package which
is also part of FreeBSD. Since the problem is in the respective libraries,
and various core system utilities are linked statically, we had to recompile
and reinstall the whole base system.
To the user this major update was invisible since we basically replaced
the programs with binaries of exactly the same version, only with the
fix installed. There were no changes in functionality.
Due to the severity of the problem we had to
reboot all of our servers right away once we had the fixed binaries
in place. We apologize for the short service interruption
(less than 5 minutes).
For more information please refer to
http://www.kb.cert.org/vuls/id/738331

There has been a security problem with the 'smrsh'
utility that comes with Sendmail. Although we do not use Sendmail in our
setup, it is installed as part of the FreeBSD base distribution and therefore
needed to be fixed.
For more information please refer to
http://www.idefense.com/advisory/10.01.02.txt

We saw fit to upgrade OpenSSH because there is
a fix available for the new version that solves the problems we
experienced some time ago with the Privilege Separation mechanism.
OpenSSH has had its share of security vulnerabilities in the past,
so this is a feature one should have if at all possible.
Privilege Separation works by letting the process that
deals with the incoming user connection during the login phase
run as an unprivileged user (not 'root'), additionally confined to
an empty chroot() environment. So in case of newly discovered
security vulnerabilities in OpenSSH (buffer overflows etc.) an intruder
cannot break into the system any more. Privilege Separation is
enabled by default now.

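The mechanism described above, as an added Python example written for this page (OpenSSH implements it in C; this is not the project's code): a privileged monitor forks a child, the child moves into an empty chroot and gives up root, verifies that it really cannot get root back, and only then touches untrusted input. The user name 'sshd' and the jail directory '/var/empty' are assumptions; dropping privileges needs root, so the stand-alone demo only runs as root, while unprivileged() can be exercised by any process.

```python
import os
import pwd
import sys

# Added example, not OpenSSH's code. "sshd" and "/var/empty" are assumed to
# exist; the point is the order of operations and the check afterwards.

def running_as_root():
    return os.geteuid() == 0

def unprivileged():
    """True when the process cannot regain root. A privsep child should verify
    this instead of trusting that setuid() did what it was asked to do."""
    if running_as_root():
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False   # setuid(0) succeeded: the saved uid was still 0

def drop_privileges(user="sshd", jail="/var/empty"):
    """Confine the calling process: chroot first, then give up root for good.
    Requires root. chroot() must come before setuid(), because afterwards the
    process is no longer allowed to call it."""
    pw = pwd.getpwnam(user)
    os.chroot(jail)          # empty directory: nothing to read or execute inside
    os.chdir("/")            # do not keep a working directory outside the jail
    os.setgroups([])         # drop supplementary groups before the uid change
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)     # real, effective and saved uid all change: irreversible
    if not unprivileged():
        raise RuntimeError("privilege drop incomplete")

def run_confined(handler, user="sshd", jail="/var/empty"):
    """Monitor side: fork, confine the child, run the handler for untrusted
    input there, and return its exit code. The monitor keeps root and performs
    only the few operations that need it (not shown here)."""
    pid = os.fork()
    if pid == 0:
        try:
            drop_privileges(user, jail)
            handler()
            os._exit(0)
        except Exception as e:
            print("child failed:", e, file=sys.stderr)
            os._exit(1)
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)

if __name__ == "__main__":
    if not running_as_root():
        sys.exit("run as root to watch the confined child")
    rc = run_confined(lambda: print("handling the login phase as uid", os.getuid()))
    print("child exit code:", rc)
```

A memory-corruption bug in the handler now yields code running as an unprivileged user inside an empty directory, which is why the feature is worth the initial teething trouble the entries below describe.
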
Well, the grace period is over. We stayed at mod_php4 revision 4.1.2
for a while to give our users a chance to upgrade their scripts to
versions which are compatible with revision 4.2.x. New security fixes
that are available only for the current version of PHP4 forced us to
upgrade to mod_php4-4.2.3 now.
The change that makes upgrading such a pain
is the variable 'register_globals', whose default switched from 'on' to
'off'. This can break older scripts. Hopefully, by now most script
maintainers should have upgraded their software to deal with this.
We at least made sure that our preinstalled PHP4 packages work with
the current mod_php4 revision.
In case this upgrade really broke some of our
users' scripts, the quick fix would be to put the line
    php_flag register_globals on
into a '.htaccess' file in the respective directory. Note, however, that
this should be only a temporary solution since setting this variable to
'on' poses a security risk in its own right. This is why the default
changed to 'off' in the first place.

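Why 'register_globals' set to 'on' is a risk in its own right, as an added illustration for this page: a small Python model of the PHP behaviour (not PHP code, and not taken from any of the preinstalled packages). With the setting on, every request parameter silently became a script variable, so a flag that a script only set on the success path could be supplied by the client instead. SECRET and the request dictionaries are constructed sample values.

```python
# Added example: a Python model of the PHP register_globals problem, not real
# PHP. SECRET and the requests below are constructed.

SECRET = "correct horse"   # constructed sample credential

def legacy_script(request, register_globals):
    """Models a 4.1-era PHP script:
        if ($user == 'admin' && $pass == SECRET) { $authorized = true; }
        if ($authorized) { ... }
    $authorized is never initialised on the failure path."""
    variables = {}
    if register_globals:
        variables.update(request)   # what PHP did: GET/POST keys became variables
    if request.get("user") == "admin" and request.get("pass") == SECRET:
        variables["authorized"] = True
    # PHP treated an unset variable as false; "1" from a query string is truthy
    return bool(variables.get("authorized", False))

def fixed_script(request):
    """The same script written for register_globals=off: the flag is
    initialised explicitly and input is read only from the request array."""
    authorized = False
    if request.get("user") == "admin" and request.get("pass") == SECRET:
        authorized = True
    return authorized

def demo():
    good = {"user": "admin", "pass": SECRET}
    stray = {"user": "guest", "authorized": "1"}   # parameter the script never expected
    return {
        "legacy, globals on, good credentials": legacy_script(good, True),
        "legacy, globals on, stray flag": legacy_script(stray, True),
        "legacy, globals off, stray flag": legacy_script(stray, False),
        "fixed script, stray flag": fixed_script(stray),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'authorized' if result else 'denied'}")
```

The second case is the whole problem: the legacy script grants access without ever checking a password. Turning the flag back on in '.htaccess' restores exactly that behaviour for every script in the directory, which is why the page calls it a temporary measure; the durable fix is the third function, initialise every variable and read input from the request arrays only.
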
Another couple of buffer overflows and a broken
boundary check have been discovered in the ongoing security audit for
fetchmail. This time we were forced to do a major revision upgrade
(5.9.11 -> 6.1.0) in order to fix the problem. We apologize for any
unexpected functional changes this might have introduced.
For more information please refer to
http://security.e-matters.de/advisories/032002.html

Due to several Cross Site Scripting (XSS)
problems discovered in SquirrelMail 1.2.7 we upgraded to release
1.2.8, which is believed to fix these security holes.
This was a bug fix upgrade, and there were no changes in functionality
we know of.

While we had the security fixes that came out after
OpenSSL 0.9.6e installed already, for the sake of version number clarity
we upgraded to revision 0.9.6g now.
This was a bug fix upgrade, and there were no changes in functionality
we know of.

We just learned that the source code archive of OpenSSH 3.4p1 on its
official FTP server ftp.openbsd.org contains a trojan horse which is
capable of allowing potential intruders shell access to affected
systems. Apparently someone broke into the FTP server and replaced the
archive with a tainted version. This definitely tops it off ...
However, we would like to reassure our users that,
although we installed exactly this release on 2002-06-30, the source
code archive we downloaded is not affected.
We use the FreeBSD Ports system which kind of automagically fetches
all relevant source archives and subsequently builds the respective
package from them. This system is protected with an MD5 verification
mechanism, where the MD5 checksums come from a different place than
the source archives. So an archive file that has been tampered with
gets detected immediately and stops the building process.
For more information please refer to
http://www.cert.org/advisories/CA-2002-24.html

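The verification step the entry above relies on, as an added Python example (not the FreeBSD ports framework's own make logic): the maintainer records checksums from a known-good archive into a 'distinfo' file that lives in the ports tree, and the build compares the freshly fetched archive against that record before unpacking anything. The ports tree of 2002 recorded MD5 only; current trees record SHA256 and SIZE, so this parser accepts all three. The archive bytes, file name and distinfo text are constructed samples.

```python
import hashlib
import re

# Added example, not the ports framework's code. Archive contents and file
# names are constructed samples.

DISTINFO_LINE = re.compile(r"^(MD5|SHA256|SIZE) \((.+)\) = (\S+)$")

def make_distinfo(filename, data):
    """Maintainer side ('make makesum' against a known-good archive); the
    result is committed to the ports tree, separate from the download site."""
    return "\n".join([
        f"SHA256 ({filename}) = {hashlib.sha256(data).hexdigest()}",
        f"SIZE ({filename}) = {len(data)}",
    ]) + "\n"

def parse_distinfo(text):
    """Map filename -> {algorithm: expected value}. Malformed lines raise
    instead of being skipped, so a damaged distinfo cannot quietly weaken the check."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = DISTINFO_LINE.match(line)
        if not m:
            raise ValueError(f"distinfo line {lineno} is malformed: {line!r}")
        algo, fname, value = m.groups()
        expected.setdefault(fname, {})[algo] = value
    return expected

def verify_distfile(distinfo_text, filename, data):
    """Build side: True only if every recorded check for this file matches.
    A file distinfo does not mention fails as well: no checksum, no trust."""
    checks = parse_distinfo(distinfo_text).get(filename)
    if not checks:
        return False
    for algo, want in checks.items():
        if algo == "SIZE":
            got = str(len(data))
        else:
            got = hashlib.new(algo.lower(), data).hexdigest()
        if got != want:
            return False
    return True

# constructed samples: a "genuine" archive and a same-size tampered copy
GENUINE = b"tar archive contents of example-1.0 (constructed sample)\n"
TAMPERED = GENUINE[:-1] + b"!"          # same length, different bytes
DISTINFO = make_distinfo("example-1.0.tar.gz", GENUINE)

def demo():
    return {
        "genuine": verify_distfile(DISTINFO, "example-1.0.tar.gz", GENUINE),
        "tampered": verify_distfile(DISTINFO, "example-1.0.tar.gz", TAMPERED),
        "unlisted": verify_distfile(DISTINFO, "other-2.0.tar.gz", GENUINE),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok, build may proceed' if ok else 'MISMATCH, build stopped'}")
```

The tampered sample keeps the original size on purpose: SIZE alone catches accidental truncation, not a replaced archive, which is why the hash line is the one that matters. The protection also depends on the checksum file reaching the builder by a different path than the archive, as the entry above notes; a checksum fetched from the same compromised server is worthless.
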
OpenSSL is the underlying freeware package (mostly libraries) that enables
our various services to work with SSL encryption. A security alert has
been released pointing out multiple buffer overflow vulnerabilities.
We swiftly upgraded our system to version 0.9.6e and rebooted all
servers in order to ensure that currently running daemon processes
actually start using the fixed libraries. This was a bug fix upgrade,
and there were no changes in functionality we know of.
For more information please refer to
http://www.cert.org/advisories/CA-2002-23.html

We would like to reassure our users that the PHP4 exploit currently in
the news does not apply to the version installed in our base system.
Because of the serious functional changes in the 4.2.x releases we
plan to stick with the latest (bug fix) releases of 4.1.x for a
while in order to give PHP software authors all over the
Internet a chance to adapt their scripts to the semantics of the
new PHP4 version.

Related to the DNS resolver lib fix that forced us to recompile the entire
base system on 2002-06-27 there was also a fix of the resolver libs that
come with Bind 8, the DNS server installed in our boxes.
The new version (bind-8.3.3) we installed today is just a bug fix release
with no changes in functionality we know of.

Due to recently discovered exploitable security bugs in OpenSSH we upgraded
to release 3.4p1 today. In order to keep the functional differences at
a minimum we disabled the new Privilege Separation feature for now. It
apparently needs some additional time to mature enough for production
use. When we tried it that feature actually broke our server health
monitoring. Cause unknown, but probably a bug. We learned that Sun
disabled it on their Solaris OS, too, apparently for the same reasons.

Due to a buffer overflow bug in the DNS resolver lib we had to recompile
and reinstall the whole base system. Since various core system utilities
are linked statically (so they work even when the dynamic libraries are
broken or gone for some reason) just replacing the affected library was
not an option.
To the user this major update was invisible since we basically replaced
the programs with binaries of exactly the same version, only with the
fix installed. There were no changes in functionality.
For more information please refer to
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:28.resolv.asc

As some of our users might know, our boxes use so-called Accept Filters
for web connections. This feature makes the UNIX kernel wake up the web
server, or in our case the web accelerator, only when the complete HTTP
header has arrived. This makes for fewer process context switches and
therefore increases the overall efficiency of our system.
There was a bug discovered that would make this feature vulnerable to
DoS attacks. We would like to reassure our users, however, that we
fixed that problem long before the actual security advisory was published.
We closely monitor all relevant FreeBSD mailing lists in order to learn
about potential problems in time.
For more information please refer to
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:26.accept.asc

Bzip2 is part of the FreeBSD distribution itself, not an add-on port in our
case. By fetching the relevant patches from the FreeBSD CVS repository
we were able to fix the problem some weeks ahead of the official security
advisory released today. So all is well for our users.
For more information please refer to
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:25.bzip2.asc

Due to a buffer overflow in the DNS resolver code we upgraded to
'webalizer-2.1.10' today. This is just a bug fix release, so there are
no changes in functionality we know of.
For more information please refer to
http://online.securityfocus.com/archive/1/267551