January 2007
Three Mandriva Linux Security Advisories: 1. MDKSA-2006:217-2 - Updated proftpd packages fix vulnerabilities 2. MDKSA-2007:025 - Updated kernel packages fix multiple vulnerabilities and bugs 3. MDKSA-2007:026 - Updated squid packages fix vulnerabilities
ID: 00048
Ref: 45/2007
Date: 25 January 2007:14:05:55
Version: 1
Title: Three Mandriva Linux Security Advisories: 1. MDKSA-2006:217-2 - Updated proftpd packages fix vulnerabilities 2. MDKSA-2007:025 - Updated kernel packages fix multiple vulnerabilities and bugs 3. MDKSA-2007:026 - Updated squid packages fix vulnerabilities
Abstract:
Vendors affected: Mandriva
Operating systems affected: Mandriva
Applications affected: Mandriva
Title
=====
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Three Mandriva Linux Security Advisories:
1. MDKSA-2006:217-2 - Updated proftpd packages fix vulnerabilities
2. MDKSA-2007:025 - Updated kernel packages fix multiple vulnerabilities and bugs
3. MDKSA-2007:026 - Updated squid packages fix vulnerabilities
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBRbi4U2l7oeQsXfKvEQIItgCcC7OFU7EEy5RxHzLzprnlsonfzz4AoPBl
fIOpRbjs+y/3V5AqDAPGv7hG
=mvIj
-----END PGP SIGNATURE-----
Detail
======
1. A stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers to cause a denial of service, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."
2. Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel.
3. A vulnerability in squid was discovered that could be remotely exploited by using a special ftp:// URL. Another Denial of Service vulnerability was discovered in squid 2.6 that allows remote attackers to crash the server by causing an external_acl_queue overload.
1.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:217-2
http://www.mandriva.com/security/
_______________________________________________________________________
Package : proftpd
Date : January 23, 2007
Affected: Corporate 3.0
_______________________________________________________________________
Problem Description:
A stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0 and earlier allows remote attackers to cause a denial of service, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."
(CVE-2006-5815)
Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1.3.0a and earlier, and possibly other products, allows remote attackers to execute arbitrary code via a large data length argument, a different vulnerability than CVE-2006-5815.
(CVE-2006-6170)
ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when CommandBufferSize is specified in the configuration file, which leads to an off-by-two buffer underflow. NOTE: in November 2006, the role of CommandBufferSize was originally associated with CVE-2006-5815, but this was an error stemming from an initial vague disclosure. NOTE: ProFTPD developers dispute this issue, saying that the relevant memory location is overwritten by assignment before further use within the affected function, so this is not a vulnerability. (CVE-2006-6171)
Packages have been patched to correct these issues.
Update:
The update for the Corporate 3.0 platforms had a bad patch for CVE-2006-5815, which prevented some clients from being able to use the server. This update corrects this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6171
_______________________________________________________________________
Updated Packages:
Corporate 3.0:
98a60448e690842a0afe6cb50925ceeb corporate/3.0/i586/proftpd-1.2.9-3.7.C30mdk.i586.rpm
9aee57777e7d355fa8b730a79f4a58df corporate/3.0/i586/proftpd-anonymous-1.2.9-3.7.C30mdk.i586.rpm
1cf5d2e63700ee924b0346bdd72505d9 corporate/3.0/SRPMS/proftpd-1.2.9-3.7.C30mdk.src.rpm
Corporate 3.0/X86_64:
a3baa6cdea37f84a99c24b4c3c681ca6 corporate/3.0/x86_64/proftpd-1.2.9-3.7.C30mdk.x86_64.rpm
de981e7a4a3eec5371a31079c50d5c17 corporate/3.0/x86_64/proftpd-anonymous-1.2.9-3.7.C30mdk.x86_64.rpm
1cf5d2e63700ee924b0346bdd72505d9 corporate/3.0/SRPMS/proftpd-1.2.9-3.7.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFFtmozmqjQ0CJFipgRAhtpAKCWjInDTsN+klJssg25l46lYy3TGwCgrFLL
eC5oR5Z7A0UFcICGSPfmnJo=
=/+m9
-----END PGP SIGNATURE-----
2.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2007:025
http://www.mandriva.com/security/
_______________________________________________________________________
Package : kernel
Date : January 23, 2007
Affected: Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel:
The 2.6 kernel prior to 2.6.12 allows remote attackers to poison the bridge forwarding table using frames that have already been dropped by filtering, which can cause the bridge to forward spoofed packets (CVE-2005-3272).
Prior to 2.6.15.5, the kernel allows local users to cause a DoS ("endless recursive fault") via unknown attack vectors related to a "bad elf entry address" on Intel processors (CVE-2006-0741).
A race condition in the socket buffer handling in the 2.6.9 kernel and earlier versions could allow a remote attacker to cause a DoS (crash) (CVE-2006-2446).
Stephane Eranian discovered an issue with perfmon2.0 where, under certain circumstances, the perfmonctl() system call may not correctly manage the file descriptor reference count, resulting in the system possibly running out of file structure (CVE-2006-3741).
Prior to and including 2.6.17, the Universal Disk Format (UDF) filesystem driver allowed local users to cause a DoS (hang and crash) via certain operations involving truncated files (CVE-2006-4145).
Various versions of the Linux kernel allowed local users to cause a DoS (crash) via an SCTP socket with a certain SO_LINGER value, which is possibly related to the patch used to correct CVE-2006-3745 (CVE-2006-4535).
The __block_prepare_write function in the 2.6 kernel before 2.6.13 does not properly clear buffers during certain error conditions, which allows users to read portions of files that have been unlinked (CVE-2006-4813).
The clip_mkip function of the ATM subsystem in the 2.6 kernel allows remote attackers to cause a DoS (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed (CVE-2006-4997).
The seqfile handling in the 2.6 kernel up to 2.6.18 allows local users to cause a DoS (hang or oops) via unspecified manipulations that trigger an infinite loop while searching for flowlabels (CVE-2006-5619).
A missing call to init_timer() in the isdn_ppp code of the Linux kernel can allow remote attackers to send a special kind of PPP packet which may trigger a kernel oops (CVE-2006-5749).
The aio_setup_ring() function initializes a variable incorrectly which can be used in error path to free allocated resources which could allow a local user to crash the node (CVE-2006-5754).
A vulnerability in the bluetooth support could allow for overwriting internal CMTP and CAPI data structures via malformed packets (CVE-2006-6106).
The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes.
To update your kernel, please follow the directions located at:
http://www.mandriva.com/en/security/kernelupdate
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4813
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4997
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5749
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6106
_______________________________________________________________________
Updated Packages:
Corporate 3.0:
c807857c820dae84bad9beac5ff132c2 corporate/3.0/i586/kernel-2.6.3.36mdk-1-1mdk.i586.rpm
9502a05c5049f394b50a4f2128ca7311 corporate/3.0/i586/kernel-BOOT-2.6.3.36mdk-1-1mdk.i586.rpm
26b4a92d5ed2c1953fb88fd304584281 corporate/3.0/i586/kernel-doc-2.6.3-36mdk.i586.rpm
c2f4619bf4b4d9d3952ccad7eb4be16d corporate/3.0/i586/kernel-enterprise-2.6.3.36mdk-1-1mdk.i586.rpm
20970c40ded39599c4ad6bc976447c8c corporate/3.0/i586/kernel-i686-up-4GB-2.6.3.36mdk-1-1mdk.i586.rpm
5856cd990d971667d673216603cc9b1f corporate/3.0/i586/kernel-p3-smp-64GB-2.6.3.36mdk-1-1mdk.i586.rpm
0e978fa73922d870b487c2f8d14eaff3 corporate/3.0/i586/kernel-secure-2.6.3.36mdk-1-1mdk.i586.rpm
fa9f0cdd42385ec68aa79198d2615617 corporate/3.0/i586/kernel-smp-2.6.3.36mdk-1-1mdk.i586.rpm
8f9766f48b56d6a56333dcec3cfa611d corporate/3.0/i586/kernel-source-2.6.3-36mdk.i586.rpm
841863d5446060606da060acf72afce0 corporate/3.0/i586/kernel-source-stripped-2.6.3-36mdk.i586.rpm
15c7992f878a9ebcf38694d5700d90af corporate/3.0/SRPMS/kernel-2.6.3.36mdk-1-1mdk.src.rpm
Corporate 3.0/X86_64:
9f3bb7174878cc5044386356e1c4bc57 corporate/3.0/x86_64/kernel-2.6.3.36mdk-1-1mdk.x86_64.rpm
613608913f5dcb696b26e31ce5c01828 corporate/3.0/x86_64/kernel-BOOT-2.6.3.36mdk-1-1mdk.x86_64.rpm
b6daad6d8d1c8bb7b8053935434ccd4b corporate/3.0/x86_64/kernel-doc-2.6.3-36mdk.x86_64.rpm
19857cc0134d55a81cfecf099b5f1715 corporate/3.0/x86_64/kernel-secure-2.6.3.36mdk-1-1mdk.x86_64.rpm
b0cc99ea1220b2e3bd7922be994b3aef corporate/3.0/x86_64/kernel-smp-2.6.3.36mdk-1-1mdk.x86_64.rpm
8044690dcbf0a3a0c7b2e09bcc76a8d6 corporate/3.0/x86_64/kernel-source-2.6.3-36mdk.x86_64.rpm
b67484105e125306b4dd5fdb5b84d67d corporate/3.0/x86_64/kernel-source-stripped-2.6.3-36mdk.x86_64.rpm
15c7992f878a9ebcf38694d5700d90af corporate/3.0/SRPMS/kernel-2.6.3.36mdk-1-1mdk.src.rpm
Multi Network Firewall 2.0:
c807857c820dae84bad9beac5ff132c2 mnf/2.0/i586/kernel-2.6.3.36mdk-1-1mdk.i586.rpm
20970c40ded39599c4ad6bc976447c8c mnf/2.0/i586/kernel-i686-up-4GB-2.6.3.36mdk-1-1mdk.i586.rpm
5856cd990d971667d673216603cc9b1f mnf/2.0/i586/kernel-p3-smp-64GB-2.6.3.36mdk-1-1mdk.i586.rpm
0e978fa73922d870b487c2f8d14eaff3 mnf/2.0/i586/kernel-secure-2.6.3.36mdk-1-1mdk.i586.rpm
fa9f0cdd42385ec68aa79198d2615617 mnf/2.0/i586/kernel-smp-2.6.3.36mdk-1-1mdk.i586.rpm
15c7992f878a9ebcf38694d5700d90af mnf/2.0/SRPMS/kernel-2.6.3.36mdk-1-1mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFFtjLVmqjQ0CJFipgRAh4NAJ9mBphKCqAcJJxFx+Pu93PWLFj2QgCfTU9W
Pjt+NcjswOJYQvr5JIMDWzg=
=Vm8v
-----END PGP SIGNATURE-----
3.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2007:026
http://www.mandriva.com/security/
_______________________________________________________________________
Package : squid
Date : January 23, 2007
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
A vulnerability in squid was discovered that could be remotely exploited by using a special ftp:// URL (CVE-2007-0247).
Another Denial of Service vulnerability was discovered in squid 2.6 that allows remote attackers to crash the server by causing an external_acl_queue overload (CVE-2007-0248).
Additionally, a bug in squid 2.6 for max_user_ip handling in ntlm_auth has been corrected.
The updated packages have been patched to correct this problem.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0247
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0248
http://www.squid-cache.org/bugs/show_bug.cgi?id=1792
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
08e2ff96f1951e61a976ef60bbf6bea5 2006.0/i586/squid-2.5.STABLE10-10.3.20060mdk.i586.rpm
59613107122da1dd6c0ce6724f563fed 2006.0/i586/squid-cachemgr-2.5.STABLE10-10.3.20060mdk.i586.rpm
96bdafa2207c70e46e2c6b958748b884 2006.0/SRPMS/squid-2.5.STABLE10-10.3.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
60c1f397b2ce5b283757b76da8c70df1 2006.0/x86_64/squid-2.5.STABLE10-10.3.20060mdk.x86_64.rpm
b0ec419dcae41638d2f628f013c0e050 2006.0/x86_64/squid-cachemgr-2.5.STABLE10-10.3.20060mdk.x86_64.rpm
96bdafa2207c70e46e2c6b958748b884 2006.0/SRPMS/squid-2.5.STABLE10-10.3.20060mdk.src.rpm
Mandriva Linux 2007.0:
21dd893ce118c427d7b34656e41939ec 2007.0/i586/squid-2.6.STABLE1-4.2mdv2007.0.i586.rpm
4021d4e323f1fc695aa956832ede5dbd 2007.0/i586/squid-cachemgr-2.6.STABLE1-4.2mdv2007.0.i586.rpm
6800d5a945187fca10197220d3068e01 2007.0/SRPMS/squid-2.6.STABLE1-4.2mdv2007.0.src.rpm
Mandriva Linux 2007.0/X86_64:
dd5ac455b5f94d7b5589d1ff80972dc3 2007.0/x86_64/squid-2.6.STABLE1-4.2mdv2007.0.x86_64.rpm
e9968cd35f6c21988691982ab3d6c9dc 2007.0/x86_64/squid-cachemgr-2.6.STABLE1-4.2mdv2007.0.x86_64.rpm
6800d5a945187fca10197220d3068e01 2007.0/SRPMS/squid-2.6.STABLE1-4.2mdv2007.0.src.rpm
Corporate 3.0:
95c1ca980282b1c49b50a8507c7fd82d corporate/3.0/i586/squid-2.5.STABLE9-1.6.C30mdk.i586.rpm
7a65ca526a37b6850f4b33f1959d8595 corporate/3.0/SRPMS/squid-2.5.STABLE9-1.6.C30mdk.src.rpm
Corporate 3.0/X86_64:
5c575f5fb19da84a3c0f3ee92429c65c corporate/3.0/x86_64/squid-2.5.STABLE9-1.6.C30mdk.x86_64.rpm
7a65ca526a37b6850f4b33f1959d8595 corporate/3.0/SRPMS/squid-2.5.STABLE9-1.6.C30mdk.src.rpm
Corporate 4.0:
db2095e0e73bb231ffe40897b1666fbf corporate/4.0/i586/squid-2.6.STABLE1-4.2.20060mlcs4.i586.rpm
7fff9071842f6d87f10643a66d858373 corporate/4.0/i586/squid-cachemgr-2.6.STABLE1-4.2.20060mlcs4.i586.rpm
46198dfe46b61033924be7a1050bf1d7 corporate/4.0/SRPMS/squid-2.6.STABLE1-4.2.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
a3431be4855f377ae0efaf7bf60c845f corporate/4.0/x86_64/squid-2.6.STABLE1-4.2.20060mlcs4.x86_64.rpm
7953d0208a17451f1465c69d244736fd corporate/4.0/x86_64/squid-cachemgr-2.6.STABLE1-4.2.20060mlcs4.x86_64.rpm
46198dfe46b61033924be7a1050bf1d7 corporate/4.0/SRPMS/squid-2.6.STABLE1-4.2.20060mlcs4.src.rpm
Multi Network Firewall 2.0:
6df4b826639660123bd8cbaf045b3efd mnf/2.0/i586/squid-2.5.STABLE9-1.6.M20mdk.i586.rpm
0c6029fd8710939fa1e187acbf2e1c70 mnf/2.0/SRPMS/squid-2.5.STABLE9-1.6.M20mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFFtnD3mqjQ0CJFipgRAhh/AKDeZDFmAclCBbLZnW8QhNUqNX3ywACeLpcn
KBexN76SNlVNaZ98ZFcqRyU=
=FiiN
-----END PGP SIGNATURE-----
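
Added example (not part of the Mandriva advisories): a manual check of downloaded RPMs against the "Updated Packages" lists above, for cases where packages are fetched by hand rather than through MandrivaUpdate or urpmi. The function names, the platform name "Example Platform 1.0" and the example-*.rpm files are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# One package entry: 32 hex digits of MD5, then the mirror-relative .rpm path.
ENTRY = re.compile(r"^([0-9a-f]{32})\s+(\S+\.rpm)$")

def parse_packages(advisory_text):
    """Return {platform: {rpm_basename: md5}} from the "Updated Packages" list."""
    platforms, current = {}, None
    for raw in advisory_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m and current is not None:
            platforms.setdefault(current, {})[os.path.basename(m.group(2))] = m.group(1)
        elif line.endswith(":"):
            current = line[:-1]  # heading such as "Corporate 3.0/X86_64"
    return platforms

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(advisory_text, platform, directory):
    """Classify every package listed for `platform` as ok / mismatch / missing."""
    report = {}
    for name, expected in parse_packages(advisory_text).get(platform, {}).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        else:
            report[name] = "ok" if md5_of(path) == expected else "mismatch"
    return report

def demo():
    """Constructed files checked against a constructed advisory excerpt."""
    good, other = b"constructed package A", b"constructed package B"
    advisory = "\n".join([
        "Example Platform 1.0:",
        hashlib.md5(good).hexdigest() + " example/1.0/i586/example-1.0-1.i586.rpm",
        hashlib.md5(other).hexdigest() + " example/1.0/i586/example-doc-1.0-1.i586.rpm",
        hashlib.md5(b"src").hexdigest() + " example/1.0/SRPMS/example-1.0-1.src.rpm",
    ])
    with tempfile.TemporaryDirectory() as d:
        files = {"example-1.0-1.i586.rpm": good,
                 "example-doc-1.0-1.i586.rpm": other + b" (altered after listing)"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return verify(advisory, "Example Platform 1.0", d)
```

Call demo() to see one package of each status. An MD5 match only shows that a file is the one the advisory lists; authenticity still depends on checking the GPG signature on the advisory and on the packages.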