October 1999 - openSUSE Security - openSUSE Mailing Lists

SuSE Security Announcement
by Thomas Biege 20 Oct '99

20 Oct '99

-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: cdwtools < 093 Date: Wed Oct 20 13:04:19 CEST 1999 Affected: all Linux distributions using cdwtools _____________________________________________________________________________ A security hole was discovered in the package mentioned above. Please update as soon as possible or disable the service if you are using this software on your SuSE Linux installation(s). Other Linux distributions or operating systems might be affected as well, please contact your vendor for information about this issue. Please note, that that we provide this information on as "as-is" basis only. There is no warranty whatsoever and no liability for any direct, indirect or incidental damage arising from this information or the installation of the update package. _____________________________________________________________________________ 1. Problem Description The cdwtools package is a frontend for various programs used to create CDs. Several buffer overflows and /tmp vulnerabilities exist in the cdwtools package. Thanks to Brock Tellier bringing this problem to our attention. 2. Impact Everyone having the cdwtools package installed and SuSE configured for "easy" security setting (which is the default) are vulnerable to a local root compromise. 3. Solution Update the cdwtools package. See below. ______________________________________________________________________________ Here are the md5 checksums of the upgrade packages, please verify these before installing the new packages: 1d71866d165c7f5f1b84565313b02ea5 cdwtools-0.93-101.i386.rpm (6.1/x86) 53c3d210034cf8abb140977c8d5deb69 cdwtools-0.93-100.i386.rpm (6.2/x86) 74a493d82128566836cd3953ea23da82 cdwtools-0.93-101.alpha.rpm (6.1/AXP) ______________________________________________________________________________ You will find the update on our ftp-Server: ftp://ftp.suse.com/pub/suse/i386/update/6.1/ap1/cdwtools-0.93-101.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.2/ap1/cdwtools-0.93-100.i386.rpm ftp://ftp.suse.com/pub/suse/axp/update/6.1/ap1/cdwtools-0.93-101.alpha.rpm Webpage for patches: http://www.suse.de/patches/index.html or try the following web pages for a list of mirrors: http://www.suse.de/ftp.html http://www.suse.com/ftp_new.html ______________________________________________________________________________ SuSE has got two free security mailing list services to which any interested party may subscribe: suse-security(a)suse.com - moderated and for general/linux/SuSE security discussions. All SuSE security announcements are send to this list. suse-security-announce(a)suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, just send an emtpy message to suse-security-subscribe(a)suse.com or suse-security-announce-subscribe(a)suse.com like this: echo | mail suse-security-subscribe(a)suse.com or echo | mail suse-security-announce-subscribe(a)suse.com ______________________________________________________________________________ If you want to report *NEW* security bugs in the SuSE Linux Distribution please send an email to security(a)suse.de or call our support line. You may use pgp with the public key below to ensure confidentiality. ______________________________________________________________________________ This information is provided freely to everyone interested and may be redistributed provided that it is not altered in any way. Type Bits/KeyID Date User ID pub 2048/3D25D3D9 1999/03/06 SuSE Security Team <security(a)suse.de> - -------BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12Cg== =pIeS - -------END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBOA2rK3ey5gA9JdPZAQFeBQf8C9ndEbYtOQSJWb6Wzund/U6rHlKUxg0/ edXt/ynK89yt5s3hknBfzrnUjFQCjq/rogd2YTliCbmgpT98xUL3MVX/SO4MpYsb ldCV+MVG8tkS5hnQdkiyGrRHQWYf/qvzcQQMHUHNL+2puZAL9AY53TTyPDwFvR1u FedC1Z+xf4WTgFUCTjcN0FvO1fAlrrt/pZtrdLg64NB2t+tYQsbCAUFFH/Vqc0Kj 0efJ6UGz0MD1HYaRs5R8R6QA3kyVVhyghuH8i87Pk8MLOC5LPYtu1mJxLee+72Pt ELoI3wMAKcTib3SNCYJ01/Wrbenh1DqWHmciERXjVhDfysHzCEf4PA== =2Whc -----END PGP SIGNATURE-----

1 0

Re: [suse-security] Firewall/router - doesn't forward (fwd)
by Mark Lutz 19 Oct '99

19 Oct '99

* romba(a)fem.maschinenbau.uni-dortmund.de writes: > Our setup passes all the tests described except one - it doesn't > forward. Does your "/etc/rc.config" say IP_FORWARD=yes If that's the case, IP forwarding will be activated by "/sbin/init.d/boot" executing echo "1" > /proc/sys/net/ipv4/ip_forward Does your "/usr/src/linux/.config" say CONFIG_IP_MASQUERADE_ICMP=y "This option adds additional support for masquerading ICMP packets, such as ping..."

1 0

Wofür ist scanlogd?
by Heiko Nardmann 19 Oct '99

19 Oct '99

Wofür ist das Executable /usr/sbin/scalogd? In meinem /var/log/messages file tauchen unregelmäßig Meldungen dieses Executables auf. Diese sehen aus wie folgt: Sep 19 00:10:31 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 1083, 1084, 1085, 1086, 1087, 1088, 1089, 1090, 1091, ..., flags ??r??u, TOS 08, TTL 45, started at 00:10:07 Sep 20 00:10:38 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 1141, 1142, 1143, 1144, 1145, 1146, 1147, 1148, 1149, ..., flags ??r??u, TOS 08, TTL 45, started at 00:10:17 Sep 21 00:14:30 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 1319, 1320, 1321, 1322, 1323, 1324, 1325, 1326, 1327, ..., flags ??r??u, TOS 08, TTL 45, started at 00:14:11 Sep 22 00:14:12 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 1478, 1479, 1480, 1481, 1482, 1483, 1484, 1485, 1486, ..., flags ??r??u, TOS 08, TTL 45, started at 00:13:49 Sep 24 00:18:10 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 2105, 2106, 2107, 2108, 2109, 2110, 2111, 2112, 2113, ..., flags ??r??u, TOS 08, TTL 45, started at 00:17:52 Sep 27 00:04:52 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 2467, 2468, 2469, 2470, 2471, 2472, 2473, 2474, 2475, ..., flags ??r??u, TOS 08, TTL 45, started at 00:04:36 Oct 3 00:07:20 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 3805, 3806, 3807, 3808, 3809, 3810, 3811, 3812, 3813, ..., flags ??r??u, TOS 08, TTL 45, started at 00:07:00 Oct 4 00:11:27 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 3852, 3853, 3854, 3855, 3856, 3857, 3858, 3859, 3860, ..., flags ??r??u, TOS 08, TTL 45, started at 00:11:09 Oct 10 00:39:10 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 4527, 4528, 4529, 4530, 4531, 4532, 4533, 4534, 4535, ..., flags ??r??u, TOS 08, TTL 46, started at 00:38:53 Oct 11 00:03:01 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 4591, 4592, 4593, 4594, 4595, 4596, 4597, 4598, 4599, ..., flags ??r??u, TOS 08, TTL 46, started at 00:02:45 Oct 12 00:05:40 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 4931, 4932, 4933, 4934, 4935, 4936, 4937, 4938, 4939, ..., flags ??r??u, TOS 08, TTL 46, started at 00:05:19 Oct 14 00:05:36 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 1476, 1477, 1478, 1479, 1480, 1481, 1482, 1483, 1484, ..., flags ??r??u, TOS 08, TTL 46, started at 00:05:18 Oct 15 00:12:30 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 1799, 1800, 1801, 1802, 1803, 1804, 1805, 1806, 1807, ..., flags ?????u, TOS 08, TTL 46, started at 00:12:11 Oct 17 00:10:26 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 2358, 2359, 2360, 2361, 2362, 2363, 2364, 2365, 2366, ..., flags ??r??u, TOS 08, TTL 46, started at 00:10:08 Oct 18 00:07:05 snsrv053 scanlogd: From 209.144.167.150:20 to 10.151.4.13 ports 2426, 2427, 2428, 2429, 2430, 2431, 2432, 2433, 2434, ..., flags ??r??u, TOS 08, TTL 46, started at 00:06:47 Was bedeuten diese Informationen? Laut nslookup handelt es sich bei dem Rechner 209.144.167.150 um ftp.suse.com. Wie kann dies sein? Mein Rechner steht hinter einer Firewall. Wie kann von ftp.suse.com ein Portscan ausgehen? Ich verwende SuSE Linux 6.1. -- Heiko Nardmann (Dipl.-Ing.), h.nardmann(a)secunet.de, Software Development secunet Security Networks AG - Sicherheit in Netzwerken (www.secunet.de) Weidenauer Str. 223-225, D-57076 Siegen Tel. : +49 271 48950-13, Fax : +49 271 48950-50

5 4

Re: German Mix
by Chrissy LeMaire 19 Oct '99

19 Oct '99

Sorry, I was thinking of suse-linux-e and suse-linux ;) *heads on over to babblefish*

1 0

AW: [suse-security] Firewall with SuSE 6.2]
by Stephan Gerling 19 Oct '99

19 Oct '99

Hi Jochen you can´t do that without subnetting. MFG Stephan Gerling

1 0

AW: Firewall unter SUSE 6.2
by Stephan Gerling 19 Oct '99

19 Oct '99

Hi Jochen Try out www.little-idiot.de/firewall/ There you can find a very good german introduktion about Firewalls, Problems and so on. An other good resource is www.bsi.de The Bundesamt fuer Informationstechnologien. There you can find a studie about Firewalls and Protokolls. MFG Stephan Gerling

1 0

Re: Port 113?
by Jochen Lillich 18 Oct '99

18 Oct '99

Gerhard Sittig <Gerhard.Sittig(a)gmx.net> writes: > This is usually referenced from the remote host back to you when > you relay mail there. Is there smtp traffic in company with these > events? You might want to log them for investigation. It happens when I open a ssh connection to the web server. Then, the server tries to connect back to my workstations port 113. But I guess it's not wise just to open external connects to port 113 of all workstations I do ssh from? Also, another thing: ssh worked not until I permitted connects from the servers ssh port to my workstations. First, I just permitted traffic from my workstations' ssh port to the server (as does the SuSE firewall script), but then it won't connect. Is this normal behaviour? Thanks, Jochen -- *** Linux BBS: Die deutsche Website fuer Linux-News und -Infos *** http://www.linuxbbs.org/

4 3

(fwd) Firewall and masquerading scripts for RedHat 6.0
by Harald Milz 18 Oct '99

18 Oct '99

Ob das auf dem kaputten Teil von Bodo basiert? hm -- forwarded message -- Path: merlin.muc.suse.de!news2.suse.de!suse.de!newsfeed2.ecrc.net!news3-muc.ecrc.net!fu-berlin.de!newsfeed.tli.de!news.algonet.se!newsfeed1.telenordia.se!algonet!newsfeed1.funet.fi!newsfeed2.funet.fi!128.214.205.17.MISMATCH!news.helsinki.fi!not-for-mail From: Mirko Zeibig <mirko(a)picard.inka.de> Newsgroups: comp.os.linux.announce Subject: Firewall and masquerading scripts for RedHat 6.0 Followup-To: comp.os.linux.misc Date: Wed, 13 Oct 1999 21:24:34 GMT Organization: none Lines: 62 Approved: linux-announce(a)news.ornl.gov (Mikko Rauhala) Message-ID: <pycola.939849874.18187(a)revelation.bak.helsinki.fi> Reply-To: mz(a)webideal.de NNTP-Posting-Host: kenraalimajuri.in.helsinki.fi X-Trace: oravannahka.helsinki.fi 939849875 23377 128.214.204.110 (13 Oct 1999 21:24:35 GMT) X-Complaints-To: usenet(a)news.helsinki.fi NNTP-Posting-Date: 13 Oct 1999 21:24:35 GMT Old-Date: Tue, 12 Oct 1999 14:59:54 +0200 X-No-Archive: yes X-Auth: PGPMoose V1.1 PGP comp.os.linux.announce iQCVAgUBOAT4klrUI/eHXJZ5AQE1eQP/e2VCKaBN2cHv0fcTkCzRzz+76XS1WBfc eQMlH+RwTh6+cixOOZylea+Hl4LeJ2SqD7bisfttV94YYUQIWXwqYs1q4kI6CmF3 xBsUcMiNeCRFlwuHI6t/jQT0BZG3Y4vQMv6i8oL7MJ/CGzOqhMz5x2prLxSHUUzR 6KlfEtomRwk= =bJJj Xref: merlin.muc.suse.de comp.os.linux.announce:290 -----BEGIN PGP SIGNED MESSAGE----- Distribution: RedHat 6.0 mailto:mz@webideal.de?Subject=firewall URL: http://www.webideal.de/rh-isdn/downloads/ %description Two scripts to configure your machine as a firewall and/or masquerading router, originally written for SuSE, now adapted to RedHat 6.0 See /usr/doc/firewall-2.2 for more details. Authors: - -------- Bodo Bauer <bb(a)ricochet.net> Volker Graf <volker.graf(a)student.uni-tuebingen.de> (fcii) Name: firewall Release: 2 Copyright: GPL Requires: ipchains bash2 Summary: Firewall and masquerading scripts for RedHat Version: 2.2 %changelog * Tue Sep 21 1999 Mirko Zeibig <mirko.zeibig(a)gmx.de> - - changed the config-file a bit, included Back Orifice and Netbus in locked ports * Wed Jul 28 1999 Mirko Zeibig <mirko.zeibig(a)gmx.de> - - changed the scripts so they do run with RedHat 6.0 - - all rc.config-settings go to /etc/sysconfig/firewall/config - - all other config-files (fw-friends, fw-inout, fw-ssh) do reside in /etc/sysconfig/firewall/ as well - - with RH you will need bash2 as well!! - -- mailto: mirko.zeibig(a)gmx.de privat: http://sites.inka.de/picard commerce: http://www.webideal.de qmail, ldap, serialfax, rh-isdn: http://www.webideal.de/#downloads - -- This article has been digitally signed by the moderator, using PGP. http://www.iki.fi/mjr/cola-public-key.asc has PGP key for validating signature. Send submissions for comp.os.linux.announce to: linux-announce(a)news.ornl.gov PLEASE remember a short description of the software and the LOCATION. This group is archived at http://www.iki.fi/mjr/linux/cola.html -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: latin1 iQCVAgUBOAT4klrUI/eHXJZ5AQHtgAP/Y29n08W52kniSZXxAspHYd8N9G4ysr+3 CmqiY/h8mucJVYfvW8RlshmDv4961G1ZwkMqG1oauEWBNiy/0AKI6kxozzZbRswn Jxt21WoUer4UfhJnvI9gYA6pNFT/Pxez+yGa99pwpqksmsMaO0NMjkCmOcVbgg8n QVGce/p00PQ= =v7HZ -----END PGP SIGNATURE----- -- end of forwarded message -- -- Harald Milz phone +49 (0) 89 42769-0 SuSE Muenchen GmbH fax +49 (0) 89 4201-7701 Stahlgruberring 28, D-81829 Muenchen email hm(a)suse.de http://www.suse.de/ (Deutsch) http://www.suse.com/ (English)

1 0

default suse webserver
by Chris Reeves 18 Oct '99

18 Oct '99

hi all, i'm intending setting up a webserver to run from my computer. i was wondering if there would be any security issues with opening up the server as it is (i have documentation server installed, although only port 80 will be open, and have all the help packages and ht://dig, etc running on the suse html help system). are there holes in ht://dig that will let outsiders search my hard drive? is there any special way i should set this up to stop this happening? basically, if i open the server up now, with all help docs, etc, installed, will i be safe? thanks in advance, Chris -- __ _ -o)/ / (_)__ __ ____ __ Chris Reeves /\\ /__/ / _ \/ // /\ \/ / ICQ# 22219005 _\_v __/_/_//_/\_,_/ /_/\_\

3 3

News through firewall
by Hans Bouwers 18 Oct '99

18 Oct '99

Hi. I want to connect the newsserver from my ISP. I want to connect from a workstation through a firewall to my ISPs newsserver. But I cannot access the server (server not found) . How can I get this work? Greetings Hans Bouwers

3 3