+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| June 6th, 2002 Volume 4, Number 22a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave@xxxxxxxxxxxxxxxxx ben@xxxxxxxxxxxxxxxxx
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilitiaes that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for maelstrom, apache, tomcat, kernel,
wget, file, lprng, cups, ghostscript, kon2, gnupg, squirrelmail,
xinetd,lprng, lv, and httpd. The distributors include Gentoo, Immunix,
Mandrake, OpenPKG, Red Hat, Turbolinux, and Yellow Dog. This week there
were several new advisories. Red Hat and others released several patches
to their 2.4 kernel. For those of you using PPC architecture and running
Yellow Dog Linux, this is your week. Eight new advisories were released,
but most of these were fixes to known problems. Many would argue that late
is better than never. :)
Last week, I wrote about several choices a system administrator can make
to achieve a secure system. However, I did not discuss why someone would
want to pay particular attention to security. Perhaps it is because your
boss demands it, or because you are responsible and take special pride in
maintaining a secure system. Several industries are madated by the US
federal government to ensure privacy and security. If you are familiar the
health care industry, you have probably heard about HIPAA (The Health
Insurance Portability and Accountability Act of 1996), or if you you work
closely with the the financial industry, you've heard of the
Graham-Leach-Bliley Act.
If you have been to the doctor's office, dentist, or pharmacist in the
last few months, you should have been asked to sign several forms that
inform you of your privacy rights. This is a requirement of the HIPAA
privacy rule. Now, companies are working achieve compliance with the
second part of HIPAA, the security rule. Compliance must be met by April
21st 2005. You may be asking yourself, "I'm not part of the heath care
industry, why should I care?" The HIPAA security rule (164.308-164.312)
provides a high level outline of what it takes to achieve security in an
organization. It outlines administrative, physical, and technical
safeguards to ensure the confidentiality, integrity, and maximum
availability of data.
The Department of Health and Human Services has made a strong effort to
ensure that all mandatory and addressable rules follow industry standards.
The security requirements have been scrutinized and modified at the
request of health care industry leaders. Addressing each of the rules
prescribed by HIPAA should not be viewed as a hindrance, but as good
business practice. Although every organization has an established method
for maintaining security, a lot can be learned from HIPAA. No matter what
industry you're in, you should take a moment to review the requirements
and apply the principles to everyday operation. The final published
security rule can be found in the Federal Register, Volume 68, No. 34.
Some of the major parts of the security standards include the security
management process, incident procedures, contingency planning, workstation
security, audit controls, integrity, authentication, etc. In short, the
point I am trying to make is that the standards proposed by HIPAA can be
applied to almost any organization. Although I believe they are far from
perfect, they can be quite helpful.
If you have any questions on how the HIPAA standards can be applied to
your organizations, please feel free to write.
Until next time,
ben@xxxxxxxxxxxxxxxxx
>> Need to Secure Multiple Domain or Host Names? <<
Securing multiple domain or host names need not burden you with unwanted
administrative hassles. Learn more about how the cost-effective Thawte
Starter PKI program can streamline management of your digital
certificates.
Click here to download our Free guide:
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte20
FEATURE: Real-Time Alerting with Snort
Real-time alerting is a feature of an IDS or any other monitoring
application that notifies a person of an event in an acceptably short
amount of time. The amount of time that is acceptable is different
for every person.
http://www.linuxsecurity.com/feature_stories/feature_story-144.html
--------------------------------------------------------------------
* Comprehensive SPAM Protection! - Guardian Digital's Secure Mail
Suite is unparalleled in security, ease of management, and features.
Open source technology constantly adapts to new threats. Email
firewall, simplified administration, automatically updated.
--> http://guardiandigital.com/cgi-bin/ad_redirect.pl?id=mailnews2
--------------------------------------------------------------------
LINSECURITY.COM FEATURE:
Intrusion Detection Systems: An Introduction
By: Alberto Gonzalez
Intrusion Detection is the process and methodology of inspecting data for
malicious, inaccurate or anomalous activity. At the most basic levels
there are two forms of Intrusion Detection Systems that you will
encounter: Host and Network based.
http://www.linuxsecurity.com/feature_stories/feature_story-143.html
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
5/30/2003 - maelstrom
buffer overflow vulnerability
A local buffer overflow exists in maelstrom.
http://www.linuxsecurity.com/advisories/gentoo_advisory-3305.html
6/2/2003 - uw-imapd buffer overflow vulnerability
buffer overflow vulnerability
UW-imapd can also act as IMAP client, allowing user to connect to
specified server. It is disabled for anonymous users, but allowed
for everyone else.
http://www.linuxsecurity.com/advisories/gentoo_advisory-3309.html
6/2/2003 - apache
2.x denial of service vulnerability
Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash
in certain circumstances.
http://www.linuxsecurity.com/advisories/gentoo_advisory-3310.html
6/2/2003 - tomcat
file access vulnerability
Versions prior to tomcat-4.1.24 created /opt/tomcat with a
directory mode which allowed users to access files containing
passwords.
http://www.linuxsecurity.com/advisories/gentoo_advisory-3311.html
+---------------------------------+
| Distribution: Immunix | ----------------------------//
+---------------------------------+
5/30/2003 - kernel
raceguard rules
Added patch to add raceguard cache clearing across sessions but
not across process of different privilege levels.
http://www.linuxsecurity.com/advisories/immunix_advisory-3306.html
6/4/2003 - wget
input vulnerability
Steven M. Christey has discovered wget did not perform sufficient
input sanitization of ftp server responses.
http://www.linuxsecurity.com/advisories/immunix_advisory-3318.html
6/4/2003 - file
root vulnerability
An anonymous reporter has reported to iDEFENSE a vulnerability in
file that could allow for a root compromise, should root run file
on a specially crafted file.
http://www.linuxsecurity.com/advisories/immunix_advisory-3319.html
6/5/2003 - lprng
insecure tmp file vulnerability
A vulnerability has been found in psbanner, which creates a
temporary file with a known filename in an insecure manner.
http://www.linuxsecurity.com/advisories/immunix_advisory-3328.html
+---------------------------------+
| Distribution: Mandrake | ----------------------------//
+---------------------------------+
5/30/2003 - cups
denial of service vulnerability
A Denial of Service (DoS) vulnerability was discovered in the CUPS
printing system by Phil D'Amore of Red Hat.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3307.html
6/2/2003 - apache
2.x multiple vulnerabilities
Two vulnerabilities were discovered in the Apache web server that
affect all 2.x versions prior to 2.0.46.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3312.html
+---------------------------------+
| Distributor: Apache | ----------------------------//
+---------------------------------+
5/30/2003 - 2.0 multiple vulnerabilities
2.x multiple vulnerabilities
Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash
in certain circumstances.
http://www.linuxsecurity.com/advisories/other_advisory-3304.html
+---------------------------------+
| Distribution: OpenPKG | ----------------------------//
+---------------------------------+
6/3/2003 - ghostscript
arbitrary command execution
According to a Red Hat security advisory, a flaw in versions of
Ghostscript before 7.07 allows malicious Postscript files to
execute arbitrary commands even with command line option -dSAFER
enabled.
http://www.linuxsecurity.com/advisories/other_advisory-3314.html
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
6/2/2003 - ghostscript
arbitrary command execution vulnerability
A flaw in unpatched versions of Ghostscript before 7.07 allows
malicious postscript files to execute arbitrary commands even with
-dSAFER enabled.
http://www.linuxsecurity.com/advisories/redhat_advisory-3313.html
6/3/2003 - 2.4 kernel multiple vulnerabilities
arbitrary command execution vulnerability
These packages fix a ptrace-related vulnerability that can lead to
elevated (root) privileges.
http://www.linuxsecurity.com/advisories/redhat_advisory-3315.html
6/3/2003 - 2.4 kernel vulnerabilities and driver issues
arbitrary command execution vulnerability
Several security issues have been found that affect the Linux
kernel. This update also fixes some driver issues.
http://www.linuxsecurity.com/advisories/redhat_advisory-3316.html
6/3/2003 - kon2
buffer overflow vulnerability
A buffer overflow in kon2 allows local users to obtain root
privileges.
http://www.linuxsecurity.com/advisories/redhat_advisory-3317.html
+---------------------------------+
| Distribution: Turbolinux | ----------------------------//
+---------------------------------+
5/30/2003 - gnupg
key validity bug
This bug causes keys with more than one user ID to give all user
IDs on the key the amount of validity given to the most-valid key.
http://www.linuxsecurity.com/advisories/turbolinux_advisory-3308.html
+---------------------------------+
| Distribution: YellowDog | ----------------------------//
+---------------------------------+
6/4/2003 - squirrelmail
multiple vulnerabilities
Cross-site scripting vulnerabilities in SquirrelMail version
1.2.10 and earlier allow remote attackers to execute script as
other Web users via mailbox displays, message displays, or search
results displays.
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3320.html
6/4/2003 - xinetd
denial of service vulnerability
Because of a programming error, memory was allocated and never
freed if a connection was refused for any reason.
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3321.html
6/4/2003 - cups
denial of service vulnerability
Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP
implementation.
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3322.html
6/4/2003 - gnupg
key validation vulnerability
When evaluating trust values for different UIDs assigned to a
given key, GnuPG versions earlier than 1.2.2 would incorrectly
associate the trust value of the UID with the highest trust value
with every UID assigned to that key.
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3323.html
6/4/2003 - lprng
insecure tmp file vulnerability
A vulnerability has been found in psbanner, which creates a
temporary file with a known filename in an insecure manner.
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3324.html
6/4/2003 - lv
arbitrary code execution vulnerability
A bug has been found in versions of lv that read a .lv file in the
current directory.
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3325.html
6/4/2003 - compat-gcc missing module
arbitrary code execution vulnerability
The version of compat-gcc that comes with Yellow Dog Linux 3.0 is
missing a compatibility version of the g77 fortran compiler.
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3326.html
6/4/2003 - httpd
multiple vulnerabilities
A build system problem in Apache 2.0 through 2.0.45 allows remote
attackers to cause a denial of access to authenticated content
when a threaded server is used.
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3327.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
