[SECWS] Bul - 1556 - 08/30/2005


The SECURITY WATCH                                    APOGÉE-Communications
Edition of Tuesday, August 30 2005                      All rights reserved
___________________________________________________________________________

 SUMMARY OF THIS BULLETIN
 ------------------------

* ALERTS (4)
 - COURIER        - Cross-Site Scripting in 'SqWebMail'
 - PHPLDAPADMIN   - Information disclosure via 'phpLDAPadmin'
 - MICROSOFT      - Arbitrary code execution via 'Internet Explorer'
 - COURIER        - Local privilege escalation in 'maildrop'

* INFORMATION (7)
 - LINUX DEBIAN   - Patches for 'Kismet'
 - SUN            - Revision of the bulletin 101677 (formerly 57769)
 - LINUX DEBIAN   - Patches for 'php4'
 - LINUX DEBIAN   - Patches for 'phpLDAPadmin'
 - SUN            - Revision of the bulletin 101810
 - LINUX REDHAT   - Patches for 'Evolution'
 - LINUX FEDORA   - Patches for 'dbus'

* REISSUES OF ALERTS (1)
 - CIAC           - Reissue of the HP HPSBMA01224 alert
___________________________________________________________________________

ALERTS
___________________________________________________________________________

* COURIER        - Cross-Site Scripting in 'SqWebMail'

A flaw in 'SqWebMail' allows a remote attacker to conduct Cross-Site
Scripting attacks.

 - Date:        August 29 2005
 - Platform:    Courier 'SqWebMail' version 5.0.4 and prior
 - Severity:    High
 - Origin:      Processing of HTML emails
 - Problem:     Insufficient validation of input data
 - Damage:      Cross-Site Scripting
 - CVE names:   No CVE name assigned at the present time
 - Description: A flaw has been discovered in the processing of HTML emails
                by 'SqWebMail'. It allows a remote attacker to conduct
                Cross-Site Scripting attacks by sending a crafted email.
 - References:  Secunia [2005-39/advisory]
                 http://secunia.com/secunia_research/2005-39/advisory
                Courier [sqwebmail-latest / 2005-08-26]
                 http://cvs.sourceforge.net/viewcvs.py/*checkout*/courier/courier/webmail/ChangeLog?content-type=text/plain&rev=sqwebmail-latest
 - Solution:    An official patch has been merged in the latest development
                snapshot.
                 http://www.courier-mta.org/?download.php
___________________________________________________________________________

* PHPLDAPADMIN   - Information disclosure via 'phpLDAPadmin'

A coding error in 'phpLDAPadmin', an LDAP directory administration tool,
can cause an information disclosure.

 - Date:        August 30 2005
 - Platform:    phpLDAPadmin 'phpLDAPadmin' version not available
 - Severity:    High
 - Origin:      Handling of the 'disable_anon_bind' parameter
 - Problem:     Coding error
 - Damage:      Information disclosure
 - CVE names:   CAN-2005-2654
 - Description: A coding error affects the 'phpLDAPadmin' tool. A remote
                user can anonymously access an LDAP directory, even if the
                'disable_anon_bind' parameter is configured to prevent
                this.
 - References:  Debian Security Announce
                [debian-security-announce-2005/msg00178]
                 http://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00178.html
 - Solution:    There is no official patch currently available to our
                knowledge.
                Apply the fixed packages for your system when they are made
                available.
___________________________________________________________________________

* MICROSOFT      - Arbitrary code execution via 'Internet Explorer'

An undocumented flaw in the 'Internet Explorer' browser can cause a denial
of service and potentially the execution of arbitrary code.

 - Date:        August 29 2005
 - Platform:    Microsoft 'Internet Explorer' version 6.0 (Windows XP SP2)
                Other versions may be vulnerable.
 - Severity:    High
 - Origin:      Not available
 - Problem:     Not available
 - Damage:      Denial of service
                Arbitrary code execution
 - CVE names:   No CVE name assigned at the present time
 - Description: An undocumented flaw affects the 'Internet Explorer'
                Microsoft browser. This issue can be triggered by a crafted
                HTML page that will cause a denial of service of a
                vulnerable browser. This issue can also be exploited to
                potentially cause an arbitrary code execution.
 - References:  SecurityTracker [1014809]
                 http://securitytracker.com/id?1014809
 - Solution:    There is no official patch currently available.
___________________________________________________________________________

* COURIER        - Local privilege escalation in 'maildrop'

A flaw in 'maildrop' allows a local user to obtain the privileges of the
"mail" group.

 - Date:        August 30 2005
 - Platform:    Courier 'maildrop' version unavailable
 - Severity:    High
 - Origin:      'lockmail' program
 - Problem:     Coding error
 - Damage:      Local privilege escalation
 - CVE names:   CAN-2005-2655
 - Description: The 'lockmail' program, which is part of 'maildrop', does
                not drop the privileges of the "mail" group before
                executing the commands provided as parameters. A malicious
                local user can exploit this to execute arbitrary commands
                with the privileges of this group.
 - References:  Debian [DSA-791]
                 http://www.debian.org/security/2005/dsa-791
 - Solution:    There is no official patch currently available.
                Install the patches provided by the vendor of your Linux
                distribution if they are available.
                Debian
                 http://security.debian.org/pool/updates/main/m/maildrop
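
Added example, not part of the original bulletin and not Courier's code:
the group-privilege drop that the description above says 'lockmail' omits,
shown for a hypothetical setgid helper. The names drop_group_privilege()
and run_user_command() are assumptions made for this illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up a setgid group (e.g. "mail"). 0 = dropped. */
int drop_group_privilege(void)
{
    gid_t rgid = getgid();      /* group of the invoking user */
    gid_t old_egid = getegid(); /* group granted by the setgid bit */

    /* On Linux, setting real and effective gid together also resets
     * the saved gid, so the old group cannot be restored later. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    /* Verify: an attempt to regain the old group must fail. */
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return (getgid() == rgid && getegid() == rgid) ? 0 : -1;
}

/* Hypothetical helper: run argv in a child that has dropped the group.
 * Returns the command's exit status, 126 if the drop failed, 127 if
 * the exec failed, -1 on fork/wait errors. */
int run_user_command(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_group_privilege() != 0)
            _exit(126);         /* fail closed: never exec privileged */
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    return run_user_command(&argv[1]);
}
```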
___________________________________________________________________________

INFORMATION
___________________________________________________________________________

* LINUX DEBIAN   - Patches for 'Kismet'

Debian has announced, in the bulletin DSA-788, the availability of patches
for 'Kismet' on Debian GNU/Linux version 3.1 (sarge).
They fix several flaws that could be exploited to corrupt information and
execute arbitrary code.
CAN-2005-2626, CAN-2005-2627
KISMET 'Kismet' [SA16447] (bulletin 1549 dated 08/19/2005)

http://www.debian.org/security/2005/dsa-788
___________________________________________________________________________

* SUN            - Revision of the bulletin 101677 (formerly 57769)

Sun has revised the bulletin 101677 (formerly 57769) about multiple
vulnerabilities in the 'libtiff' library that could be exploited to trigger
denials of service and execute arbitrary code. This revision adds new
information to the "Contributing Factors" and "Resolution" sections.
CAN-2004-0803, CAN-2004-0804, CAN-2004-0886, CAN-2004-1308
UNIX, LIBTIFF, SUN 'tif_next.c', 'tif_thunder.c', 'tif_luv.c',
'tif_dirread.c' [CESA-2004-006], [DSA-567-1], [174] (bulletins 1335 dated
10/15/2004, 1336 dated 10/18/2004, 1381 dated 12/22/2004 and 1469 dated
04/26/2005)

http://sunsolve.sun.com/search/document.do?assetkey=1-26-101677-1
___________________________________________________________________________

* LINUX DEBIAN   - Patches for 'php4'

Debian has announced, in the bulletin DSA-789, the availability of patches
for the 'php4' packages on Debian GNU/Linux versions 3.0 (woody) and 3.1
(sarge). They fix several flaws that could be exploited to corrupt
arbitrary files and execute arbitrary code.
CAN-2005-1751, CAN-2005-1921, CAN-2005-2498
GNU, PHP 'Shtool', 'XML_RPC' [shtool-05252005], [SA15861], [SA16429]
(bulletins 1491 dated 05/27/2005, 1515 dated 06/30/2005 and 1546 dated
08/16/2005)

http://www.debian.org/security/2005/dsa-789
___________________________________________________________________________

* LINUX DEBIAN   - Patches for 'phpLDAPadmin'

Debian has announced, in the bulletin DSA-790, the availability of patches
for the 'phpLDAPadmin' package on Debian GNU/Linux version 3.1 (sarge).
They fix a coding error that allowed a remote user to anonymously access an
LDAP directory and thus obtain information.
CAN-2005-2654
PHPLDAPADMIN 'disable_anon_bind' [debian-security-announce-2005/msg00178]
(bulletin 1556 dated 08/30/2005)

http://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00178.html
___________________________________________________________________________

* SUN            - Revision of the bulletin 101810

Sun has revised the bulletin 101810 regarding a vulnerability in the
'krb5_recvauth()' function of Kerberos 5 that could lead to the execution
of arbitrary code. This revision updates the "Contributing Factors" and
"Resolution" sections.
KERBEROS 'krb5_recvauth()', 'kpropd', 'klogind', 'krshd'
[MITKRB5-SA-2005-003-recvauth], [101810] (bulletin 1524 dated 07/13/2005)

http://sunsolve.sun.com/search/document.do?assetkey=1-26-101810-1
___________________________________________________________________________

* LINUX REDHAT   - Patches for 'Evolution'

Red Hat has announced, in the bulletin RHSA-2005:267, the availability of
patches for the 'Evolution' package on Red Hat Desktop versions 3 and 4,
and Red Hat Enterprise Linux AS, ES and WS versions 3 and 4. They fix
multiple format string errors that could be exploited to trigger a denial
of service and execute arbitrary code.
CAN-2005-2549, CAN-2005-2550
NOVELL/XIMIAN 'Evolution', 'vCard' [112370355819832] (bulletin 1544 dated
08/11/2005)

https://rhn.redhat.com/errata/RHSA-2005-267.html
___________________________________________________________________________

* LINUX FEDORA   - Patches for 'dbus'

Red Hat has announced, in the bulletin FEDORA-2005-822, the availability of
patches for the 'dbus' packages on Linux Fedora Core 4. They fix a flaw
that allowed hijacking a session.
CAN-2005-0201
FREEDESKTOP 'D-BUS' [2436], [FEDORA-2005-111] (bulletin 1413 dated
02/04/2005)

http://www.redhat.com/archives/fedora-announce-list/2005-August/msg00131.html
___________________________________________________________________________

REISSUES OF ALERTS
___________________________________________________________________________

* CIAC           - Reissue of the HP HPSBMA01224 alert

The CIAC has reissued, under the P-293 reference, the HP advisory
HPSBMA01224 (SSRT051023) about a lack of validation in the
'connectedNodes.ovpl' script from HP 'OV NNM'. This flaw can allow a remote
attacker to obtain unauthorized access to a vulnerable system.
HP 'OV NNM', 'connectedNodes.ovpl' [HPSBMA01224] (bulletin 1555 dated
08/29/2005)

http://www.ciac.org/ciac/bulletins/p-293.shtml
___________________________________________________________________________

Yours sincerely,

The Security Watch Team



--
Security Watch Service
mailto:veille-sec@veille.apogee-com.fr
APOGEE Communications
15, Avenue du Cap Horn
ZA de Courtaboeuf 
91940 LES ULIS
Tel : + 33 1 69 85 78 00
Fax : + 33 1 69 85 78 51

Technical support : + 33 1 73 23 17 00

Note: Trademarks and products appearing in this bulletin are the property
      of their respective owners.