oreilly.comSafari Books Online.Conferences.


Security Alerts Apache Repaired

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a problems with the Apache web server, the Linux kernel, Systrace, ssmtp, exim, SuSE Live CD 9.1, Heimdal k5admind, Kolab, IRIX Networking Security, and NukeJokes.

Apache httpd 1.3.31

Several security problems in the Apache HTTP web server have been repaired in version 1.3.31. These problems include: a format-string-based vulnerability that may, under some conditions, lead to arbitrary code being executed with increased permissions; the Apache module mod_digest was not verifying the return value from clients; an Apache server listening on multiple sockets may be vulnerable, under some conditions, to a race condition that can be used in a denial-of-service attack; and on big-endian 64-bit platforms, some IP-address-based allow/deny rules are not parsed correctly.

It is recommended that all affected users upgrade to version 1.3.31 of the Apache web server as soon as possible.

Linux Kernel

The Linux kernel contains a bug, in kernel versions 2.4.25 and earlier, in the code that handles the SCTP_SOCKOPT_DEBUG_NAME option that may be exploitable by an attacker to execute arbitrary code with root permissions.

Affected users should upgrade to Linux Kernel version 2.4.6 or 2.6 as soon as possible.

Learning Lab TigerLinux/Unix System Administration Certification -- Would you like to polish your system administration skills online and receive credit from the University of Illinois? Learn how to administer Linux/Unix systems and gain real experience with a root access account. The four-course series covers the Unix file system, networking, Unix services, and scripting. It's all at the O'Reilly Learning Lab.


The implementations of Systrace on FreeBSD and NetBSD are reported to be vulnerable to attacks that may, under some circumstances, be used by an attacker to gain root permissions. Access to the /dev/systrace device is required to exploit this vulnerability. Versions of NetBSD prior to April 9, 2004 are reported to be vulnerable, as are versions of FreeBSD with the unofficial port of Systrace done by Vladimir Kotal.

Users of NetBSD 2.0 should obtain a kernel dated after April 17, 2004. FreeBSD users should watch for a port of Systrace that has been repaired.


ssmtp is a simple, send-only mail transport agent (MTA). Bugs in the ssmtp functions die() and log_event() may cause a format-string vulnerability that can be exploited by a remote attacker in a denial-of-service attack and may be exploitable to execute arbitrary code with the permissions of the user under which the ssmtp daemon is running.

Users should watch their vendors for repaired packages. New packages have been released for Gentoo Linux, OpenPKG, and Debian GNU/Linux.


Two buffer-overflow vulnerabilities have been identified in exim, a mail transfer agent developed by the University of Cambridge. The first buffer overflow is exploitable only when sender_verify = true has been set in the exim.conf file, and the second buffer overflow can only be exploited when headers_check_syntax has been enabled.

Repaired packages have been released for Debian GNU/Linux. Users of other systems should watch their vendors for an updated package.

SuSE Live CD 9.1

The SuSE Live CD 9.1 that was distributed with the SuSE Linux 9.1 Personal Edition contains a misconfiguration that will allow a remote attacker to log in with ssh as root without a password if the system is connected to a network. The SuSE Live CD will attempt to connect to any network that it detects during the boot process.

SuSE has released a reconfigured version of the SuSE Live CD 9.1 as an ISO image. The new configuration will not allow a remote logins for accounts that have a zero-length password and does not allow remote root logins.

Also in Security Alerts:

PHP Problems

Ethereal Trouble

KWord Trouble

XFree86 Trouble

MySQL Trouble

Heimdal k5admind

Heimdal provides Kerberos 5 network authentication protocols and the Heimdal k5admind daemon provides an administrative interface for the Kerberos Key Distribution Center. In addition, under some configurations of Heimdal the k5admind daemon also provides Kerberos 4 compatibility. Overflow bugs in the Kerberos 4 support code may be remotely exploitable in a denial-of-service attack or to execute arbitrary code with, in most cases, root permissions. k5admind is not vulnerable unless the Kerberos 4 support has been enabled during its compile. Also, a bug in the code that verifies the transited field can be exploited on sites that have established trust relationships with other realms, and may allow an administrator in a trusted realm to authenticate as any Kerberos principal in any other realm.

Affected users should disable Kerberos 4 support by using the --no-kerberos4 command-line switch and should watch their vendors for a repaired version of Heimdal k5admind.


Kolab is the KDE Groupware server. It provides a web administration interface; a shared address book with provisions for mailbox users, as well as contacts, and POP3, as well as IMAP4 (rev1) access to mail. Kolab has a vulnerability caused by storing store OpenLDAP passwords in plain text.

It is highly recommended that users upgrade to kolab-1.0-1.0.20.src.rpm or newer as soon as possible.

IRIX Networking Security

Several bugs have been identified in IRIX's networking code. These bugs can be used in a denial-of-service-type attack or may, under some conditions, partially compromise the protection of a firewall.

SGI highly recommends affected users apply patches to protect their systems. Users of IRIX through version IRIX 6.5.22m should contact SGI for more information.

Crystal Reports

Business Object's Crystal Reports is a flexible reporting tool designed to access data across an enterprise. Crystal Reports Web Interface is reported to contain several vulnerabilities, but no details were announced.

Users of Crystal Reports should contact their vendors for more details and patch availability.


NukeJokes is an module for PHPNuke that provides for a database of jokes to be created and maintained. NukeJokes is reported to be vulnerable to SQL injection attacks, cross-site scripting attacks, and additional unspecified bugs.

Affected users should consider disabling NukeJokes until it has been repaired.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: