Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at denial-of-service attacks against Apache, OpenSSL, and FreeBSD, and problems in Perl,
lsh, Teapop, ProFTPD, TclHttpd, MPlayer, Node,
mpg123, and Freesweep.
A bug in Apache can be used by an attacker who can execute custom CGI scripts to cause a denial of service in the
httpd server. When a CGI script writes more than 4k of data to
STDERR, the script and the Apache instance will hang. When all available Apache instances are hung, Apache will stop responding to additional requests.
Users can upgrade to the latest
mod_cgi.c from Apache 2.1's CVS tree or watch their vendors for an updated package. Mandrake has released an updated package for Mandrake Linux 9.1.
A problem in
safe.pm can be used by an attacker to break out of secure compartments and bypass
safe.pm's protections. In addition, the
start_form() function of
CGI.pm is vulnerable to a cross-site
scripting attack that can be used by an attacker, under some
circumstances, to execute arbitrary code in other users' browsers.
Affected users should upgrade to repaired Perl packages. Red Hat has released packages for Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9.
OpenSSL provides version 2 and 3 of the Secure Sockets Layer and
version 1 Transport Layer Security protocols, as well as full-strength
cryptography functions. OpenSSL has several vulnerabilities in the
code that handles
ASN.1 tags that may result in a denial-of-service condition or in the attacker being able to exploit arbitrary code.
It is recommended that users upgrade their OpenSSL libraries and that any applications statically linked against OpenSSL libraries be recompiled against a repaired library.
lsh, the GNU implementation of OpenSSH or SSH, is reported to be vulnerable to several remotely exploitable buffer overflows that may be usable by a remote attacker to execute arbitrary code as the root user.
Users who have installed
lsh should watch their vendors for a repaired version. SuSE has released updated and repaired packages for SuSE Linux 8.0, 8.1, and 8.2.
Teapop is a POP 3 email server that can authenticate using normal
password authentication, MySQL, Apache
htpasswd, or PostgreSQL. Teapop can be used in an SQL injection attack when it is configured to authenticate using PostgreSQL or MySQL.
It is recommended that affected users upgrade as soon as possible to a repaired version of Teapop.
ProFTPD, an FTP daemon, has a flaw that may be exploitable by any remote attacker that can upload a file in ASCII mode. Successfully exploiting the flaw will allow the attacker to execute arbitrary code with root permissions. This vulnerability is reported to affect version 1.2.7 and earlier versions of ProFTPD.
Users should watch for a repaired version of ProFTPD, and should consider disabling it until it has been updated.
TclHttpd is a web server, written in Tcl, that can be used as a base to build a web-server-based applications or as a general-purpose web server. Versions 3.4.2 and earlier of TclHttpd are reported to be vulnerable to many cross-site scripting attacks and a flaw that can be used to view arbitrary directories on the server.
A patch has been released for the directory-viewing problem. Users should watch for a new release that deals with the cross-site scripting problems.
MPlayer, a movie player for Linux and other Unixes that supports many movie formats, is vulnerable to a buffer overflow in the code that handles ASX headers. This vulnerability can be exploited by a remote attacker if the user reads remote ASX streaming content, and may result in arbitrary code being executed with the permissions MPlayer is running under. This vulnerability is reported to affect MPlayer versions from 0.90pre1 through 0.91 and version 1.0pre1.
It is recommended that users of 0.91 and earlier versions of MPlayer upgrade to MPlayer 0.92 and that users of 1.0pre1 upgrade using CVS.
Also in Security Alerts:
A flaw in the
arplookup() function of the FreeBSD kernel can be exploited, under some conditions, by a remote attacker to cause a denial-of-service condition that can cause the server to crash or become unresponsive. The attacker must be able to send spoofed ARP packets to the local network the server is on, and in many cases, that will prevent an attack from being viable. The flaw is reported to be in all versions of FreeBSD before the fix date.
Affected users should apply the appropriate patch or upgrade to a repaired version of the kernel.
The Amateur Packet Radio program Node is vulnerable to a format-string vulnerability that may be exploitable to execute arbitrary code with the permissions of the user running Node.
Affected users should watch for a repaired version. A new package for SuSE Linux has been reported to be available.
mpg123 command-line MPG music player is reported to be vulnerable to a buffer overflow that under some conditions may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user running
It is recommended that users use
mpg123 versions 0.59r-r3 or 0.59s-r1.
The game Freesweep is reported to be vulnerable to a buffer overflow while dealing with some environmental variables that can be exploited to execute arbitrary code. On systems where Freesweep is installed set group ID games, exploiting this vulnerability can gain the attacker access to the games group.
Users should upgrade to a repaired version from their vendors when it becomes available.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.