----- Forwarded message from Roman Drahtmueller <[EMAIL PROTECTED]> -----

> From: Roman Drahtmueller <[EMAIL PROTECTED]>
> Reply-To: Roman Drahtmueller <[EMAIL PROTECTED]>
> Date: Fri, 4 Aug 2000 00:01:07 +0200
> To: [EMAIL PROTECTED]
> Subject: SuSE Security: miscellaneous
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> August 3rd, 2000
>
> This notice addresses the latest security advisories from various
> Linux Vendors as well as private contributors.
>
> The list of packages:
>
> netscape
> knfsd
> system user account nobody
> pam_console
> gpm
> openldap
> mailman
> cvsweb.cgi
> kon2
>
> There will be SuSE Security Announcements for the packages where work is
> in progress as indicated in the respective section below.
>
> * jpeg buffer overflows in netscape:
>
> The latest version of netscape is currently being tested. SuSE netscape
> rpms contain efficient workarounds against some "morbid" properties of
> netscape - it is necessary to provide stable packages. These additions
> are being reworked right now.
> _________________________________________________________________________
>
> * rpc.kstatd
>
> The SuSE package containing rpc.kstatd (other vendors named it
> rpc.statd) is called knfsd.rpm. An updated package is currently
> being tested.
> _________________________________________________________________________
>
> * user `nobody's HOME directory set to / and misconfigured webservers:
>
> SuSE Linux used to have user nobody's HOME directory set to /tmp for
> years. Starting with SuSE-7.0, it will be set to /var/lib/nobody .
> Apache, as distributed with SuSE, is configured `UserDir public_html'
> and is therefore not vulnerable to the http://machine/~nobody/ problem.
> However, we encourage admins to change this user's home using the
> commands
>
> mkdir -p /var/lib/nobody
> chown nobody.nogroup /var/lib/nobody
> usermod -d /var/lib/nobody nobody
>
> Make sure that you move files belonging to user nobody from the former
> location to the new home and that you don't rely on the old absolute
> path in your scripts.
> _________________________________________________________________________
>
> * problems around pam_console:
>
> SuSE Linux does not contain the said pam-module because it isn't
> included in the official pam release. The idea of it is intriguing, but
> we have decided not to include the module in the distribution as a
> consequence of the problems that accompany its use.
> See Linux-Mandrake Security Update Advisory ID MDKSA-2000:029.
> _________________________________________________________________________
>
> * gpm DoS, setgid() return value:
>
> We ship a slightly older version of gpm because of some grief with the
> latest versions. The vulnerabilities in gpm have been addressed to the
> fully necessary extent back on April 5.
> As mentioned above, there is no pam_console module that could change the
> ownerships of the gpm control socket /dev/gpmctl. By consequence, a
> local denial of service attack against gpm is possible. However, we
> believe that the most effective measure against this is userdel(8),
> since hogging disk space/performance, CPU, bandwidth etc. is still
> possible in the wild even with appropriate permissions on the gpm
> socket.
> _________________________________________________________________________
>
> * modes of openldap package files:
>
> The files are installed 755 or 644.
> There is no problem with this package in SuSE-Linux.
> _________________________________________________________________________
>
> * mailman problem
> cvsweb.cgi (TurboLinux Advisory ID#: TLSA2000016-1):
> kon2 (Linux-Mandrake Security Update Advisory ID: MDKSA-2000:028)
>
> SuSE-Linux either does not contain these packages or the files therein
> causing the publicly announced security vulnerabilities.
> _________________________________________________________________________
>
> Regards,
> Roman Drahtmüller.
> - --
> - -
> | Roman Drahtmüller <[EMAIL PROTECTED]>       //  "Caution: Cape does       |
> | SuSE GmbH - Security     Phone:             //   not enable user to fly." |
> | Nürnberg, Germany        +49-911-740530     //  (Batman Costume warning label) |
> - -
> Type Bits/KeyID    Date       User ID
> pub  2048/3D25D3D9 1999/03/06 SuSE Security Team <[EMAIL PROTECTED]>
>
----- End forwarded message -----

--------------------------------------------------------------------------
To unsubscribe, send an email to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list manager can be reached at [EMAIL PROTECTED]
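The home-directory relocation the notice recommends for user nobody, as an added shell example that is not part of Roman's message or of SuSE's packages. It assumes usermod, chown, getent and a find that supports -mindepth/-maxdepth (GNU or BSD); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original notice.  Relocates a system account's
# home and carries its files along, as the notice recommends for user
# nobody (/tmp -> /var/lib/nobody).  Assumes usermod, chown, getent and a
# find that supports -mindepth/-maxdepth (GNU or BSD).  Function names are
# the example's own.

# Count the top-level entries in $2 owned by user $1 (name or numeric UID).
count_owned_entries() {
    find "$2" -mindepth 1 -maxdepth 1 -user "$1" | wc -l | tr -d ' '
}

# Move only the top-level entries owned by $1 from $2 to $3.  A blanket
# "mv /tmp/* ..." would also drag other users' files into nobody's new home,
# so ownership is checked per entry; dotfiles are covered because find
# lists them too.
move_owned_entries() {
    find "$2" -mindepth 1 -maxdepth 1 -user "$1" -exec mv {} "$3"/ \;
}

# The notice's procedure end to end; must run as root.  Creates the new
# home, hands it to the account, repoints the account, then migrates the
# files left in the old location.  Echoes the home now recorded in passwd
# so the caller can confirm usermod took effect.
relocate_home() {
    user=$1; group=$2; oldhome=$3; newhome=$4
    mkdir -p "$newhome"
    chown "$user:$group" "$newhome"
    usermod -d "$newhome" "$user"
    move_owned_entries "$user" "$oldhome" "$newhome"
    getent passwd "$user" | cut -d: -f6
}

# Nothing runs unless explicitly requested, so the file can be sourced for
# its functions.  Usage (as root, file name of your choosing):
#   sh relocate_nobody.sh --apply
if [ "${1:-}" = "--apply" ]; then
    relocate_home nobody nogroup /tmp /var/lib/nobody
fi
```

Scripts that still hard-code /tmp as nobody's home are not found by this; grep your cron jobs and init scripts for the old path afterwards, as the notice advises.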
