Apache Trouble
Security Alerts

by Noel Davis
08/11/2005

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Apache, bzip2, Cisco devices, fetchmail, Netpbm, Ethereal, Proftpd, pstotext, apt-cacher, Compress::Zlib, Gopher, nbSMTP, and PowerDNS.

  • Apache
  • bzip2
  • Cisco DoS
  • fetchmail
  • Netpbm
  • Ethereal
  • Proftpd
  • pstotext
  • apt-cacher
  • Compress::Zlib
  • Debian Gopher
  • nbSMTP
  • PowerDNS

Apache

The Apache web server is vulnerable to an attack when it is configured as an HTTP proxy. This attack uses the Transfer-Encoding: chunked and Content-Length headers and can result in traffic bypassing a firewall, cross-site scripting attacks, and web cache "poisoning" attacks. Both versions 2.0.45 and 1.3.29 have been reported to be vulnerable to this attack.

Affected users should watch their vendors for a repaired version of Apache.

bzip2

bzip2 is a file compression utility. The utility bzgrep, included with bzip2, does not properly handle shell meta-characters in input file names.

It is recommended that users exercise great care in using bzgrep until the bzip2 package has been repaired.

Cisco DoS

Cisco has announced that any Cisco devices that are running Cisco IOS or Cisco IOS XR and have at least one interface configured for IPv6 are vulnerable to a denial-of-service (DoS) attack that may also lead to arbitrary code being executed on the machine.

Affected users should contact Cisco for updated software. A possible workaround, if IPv6 is not needed, is to disable IPv6 on all interfaces.

fetchmail

fetchmail, a tool used to retrieve email from POP, IMAP, ETRN, and ODMR mail servers, is reported to be vulnerable to a denial-of-service attack that may, under some conditions, also cause arbitrary code to be executed with the permissions of the user account running fetchmail. The attack is conducted by using a carefully constructed email message to crash fetchmail when the email is retrieved.

Version 6.2.5.2 is available to repair this vulnerability. Fetchmail's home page now seems to be fetchmail.berlios.de. It also seems that Eric Raymond no longer maintains it; the new maintainers are Matthias Andree and Rob Funk.

Netpbm

Netpbm is a collection of graphics utilities and libraries. The pstopnm utility included with Netpbm converts files in PostScript format to PNM images. A problem in pstopnm may be exploited by a remote attacker who creates a carefully crafted PostScript file that, when converted with pstopnm by the victim, could result in arbitrary code being executed.

It has been reported that this problem is repaired in Netpbm version 10.28.

Ethereal

Ethereal, an open source network sniffer, contains several format-string-based vulnerabilities in various dissectors. These vulnerabilities can be exploited by a remote attacker by sending carefully crafted packets that are dissected by Ethereal directly from the network or from a file containing recorded network traffic.

All users should upgrade to Ethereal 0.10.12 as soon as possible.

Proftpd

The FTP daemon Proftpd is reported to be vulnerable to several format-string-based bugs that may be exploitable by a remote user to cause a denial-of-service attack or execute arbitrary code with root permissions.

All affected users should watch their vendors for a repaired version of Proftpd. A possible workaround is to avoid using %C, %R, or %U in the shutdown message and to not set SQLShowInfo.

pstotext

pstotext is a utility that converts PostScript and PDF files into text. A remote attacker can create a PostScript file that, when converted with pstotext, will execute arbitrary commands with the victim's permissions.

Users should watch for their vendors to release a repaired version of pstotext and should not use it to convert files from untrusted sources until it has been repaired.

apt-cacher

apt-cacher provides caching of Debian packages. An unspecified bug may be exploitable by a remote attacker and allow the execution of arbitrary commands with the permissions of the www-data user account. The woody distribution of Debian does not include this package.

Users of the sarge or sid distributions of Debian should upgrade apt-cacher as soon as possible.

Compress::Zlib

Compress::Zlib is a Perl module that contains a local copy of the zlib compression library. That copy is vulnerable to a buffer overflow that an attacker can exploit to execute arbitrary code with the victim's permissions.

It is recommended that Compress::Zlib not be used until it has been upgraded to a version that has a repaired copy of the zlib compression library.

Debian Gopher

Gopher is a client for the Gopher Distributed Hypertext protocol. The version distributed with Debian Linux is reported to be vulnerable to a temporary-file, symbolic-link race condition that could result in local files being overwritten with the victim's permissions. It is not known if other versions are vulnerable.

If you are still using Gopher, and are using it on a multiuser machine, then you should upgrade as soon as possible.

nbSMTP

nbSMTP is a small SMTP (email) client designed to be run inside of chroot jails and other small environments, such as embedded systems, laptops, or workstations. nbSMTP is vulnerable to a format-string-based vulnerability that may be exploitable by a remote attacker to execute arbitrary code with the permissions of the user account running nbSMTP.

All users of nbSMTP are encouraged to upgrade to version 1.0 as soon as possible.

PowerDNS

PowerDNS, or pdns, is a name server that can use DNS configuration information from Bind zone files, relational databases, and LDAP directories. pdns has been reported to be vulnerable to several denial-of-service attacks.

It is recommended that users upgrade to version 2.9.18 of PowerDNS or watch their vendors for an updated version.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
