+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  June 6th, 2002                           Volume 4, Number 22a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx         ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for maelstrom, apache, tomcat,
kernel, wget, file, lprng, cups, ghostscript, kon2, gnupg, squirrelmail,
xinetd, lprng, lv, and httpd. The distributors include Gentoo, Immunix,
Mandrake, OpenPKG, Red Hat, Turbolinux, and Yellow Dog.

This week there were several new advisories. Red Hat and others released
several patches to their 2.4 kernel. For those of you using PPC
architecture and running Yellow Dog Linux, this is your week. Eight new
advisories were released, but most of these were fixes to known
problems. Many would argue that late is better than never. :)

Last week, I wrote about several choices a system administrator can make
to achieve a secure system. However, I did not discuss why someone would
want to pay particular attention to security. Perhaps it is because your
boss demands it, or because you are responsible and take special pride
in maintaining a secure system. Several industries are mandated by the
US federal government to ensure privacy and security. If you are
familiar with the health care industry, you have probably heard about
HIPAA (The Health Insurance Portability and Accountability Act of 1996),
or if you work closely with the financial industry, you've heard of the
Gramm-Leach-Bliley Act. If you have been to the doctor's office,
dentist, or pharmacist in the last few months, you should have been
asked to sign several forms that inform you of your privacy rights.
This is a requirement of the HIPAA privacy rule. Now, companies are
working to achieve compliance with the second part of HIPAA, the
security rule. Compliance must be met by April 21st 2005.

You may be asking yourself, "I'm not part of the health care industry,
why should I care?" The HIPAA security rule (164.308-164.312) provides a
high level outline of what it takes to achieve security in an
organization. It outlines administrative, physical, and technical
safeguards to ensure the confidentiality, integrity, and maximum
availability of data. The Department of Health and Human Services has
made a strong effort to ensure that all mandatory and addressable rules
follow industry standards. The security requirements have been
scrutinized and modified at the request of health care industry leaders.

Addressing each of the rules prescribed by HIPAA should not be viewed as
a hindrance, but as good business practice. Although every organization
has an established method for maintaining security, a lot can be learned
from HIPAA. No matter what industry you're in, you should take a moment
to review the requirements and apply the principles to everyday
operation. The final published security rule can be found in the Federal
Register, Volume 68, No. 34. Some of the major parts of the security
standards include the security management process, incident procedures,
contingency planning, workstation security, audit controls, integrity,
authentication, etc.

In short, the point I am trying to make is that the standards proposed
by HIPAA can be applied to almost any organization. Although I believe
they are far from perfect, they can be quite helpful. If you have any
questions on how the HIPAA standards can be applied to your
organizations, please feel free to write.

Until next time,
ben@xxxxxxxxxxxxxxxxx

>> Need to Secure Multiple Domain or Host Names? <<

Securing multiple domain or host names need not burden you with unwanted
administrative hassles.
Learn more about how the cost-effective Thawte Starter PKI program can
streamline management of your digital certificates. Click here to
download our Free guide:
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte20

FEATURE: Real-Time Alerting with Snort

Real-time alerting is a feature of an IDS or any other monitoring
application that notifies a person of an event in an acceptably short
amount of time. The amount of time that is acceptable is different for
every person.
http://www.linuxsecurity.com/feature_stories/feature_story-144.html

--------------------------------------------------------------------
* Comprehensive SPAM Protection! - Guardian Digital's Secure Mail Suite
is unparalleled in security, ease of management, and features. Open
source technology constantly adapts to new threats. Email firewall,
simplified administration, automatically updated.
--> http://guardiandigital.com/cgi-bin/ad_redirect.pl?id=mailnews2
--------------------------------------------------------------------

LINUXSECURITY.COM FEATURE: Intrusion Detection Systems: An Introduction
By: Alberto Gonzalez

Intrusion Detection is the process and methodology of inspecting data
for malicious, inaccurate or anomalous activity. At the most basic
levels there are two forms of Intrusion Detection Systems that you will
encounter: Host and Network based.
http://www.linuxsecurity.com/feature_stories/feature_story-143.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 5/30/2003 - maelstrom buffer overflow vulnerability
   A local buffer overflow exists in maelstrom.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3305.html

 6/2/2003 - uw-imapd buffer overflow vulnerability
   UW-imapd can also act as IMAP client, allowing user to connect to
   specified server. It is disabled for anonymous users, but allowed for
   everyone else.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3309.html

 6/2/2003 - apache 2.x denial of service vulnerability
   Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
   certain circumstances.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3310.html

 6/2/2003 - tomcat file access vulnerability
   Versions prior to tomcat-4.1.24 created /opt/tomcat with a directory
   mode which allowed users to access files containing passwords.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3311.html

+---------------------------------+
|  Distribution: Immunix          | ----------------------------//
+---------------------------------+

 5/30/2003 - kernel raceguard rules
   Added patch to add raceguard cache clearing across sessions but not
   across process of different privilege levels.
   http://www.linuxsecurity.com/advisories/immunix_advisory-3306.html

 6/4/2003 - wget input vulnerability
   Steven M. Christey has discovered wget did not perform sufficient
   input sanitization of ftp server responses.
   http://www.linuxsecurity.com/advisories/immunix_advisory-3318.html

 6/4/2003 - file root vulnerability
   An anonymous reporter has reported to iDEFENSE a vulnerability in
   file that could allow for a root compromise, should root run file on
   a specially crafted file.
   http://www.linuxsecurity.com/advisories/immunix_advisory-3319.html

 6/5/2003 - lprng insecure tmp file vulnerability
   A vulnerability has been found in psbanner, which creates a temporary
   file with a known filename in an insecure manner.
   http://www.linuxsecurity.com/advisories/immunix_advisory-3328.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 5/30/2003 - cups denial of service vulnerability
   A Denial of Service (DoS) vulnerability was discovered in the CUPS
   printing system by Phil D'Amore of Red Hat.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3307.html

 6/2/2003 - apache 2.x multiple vulnerabilities
   Two vulnerabilities were discovered in the Apache web server that
   affect all 2.x versions prior to 2.0.46.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3312.html

+---------------------------------+
|  Distributor: Apache            | ----------------------------//
+---------------------------------+

 5/30/2003 - 2.0 multiple vulnerabilities
   2.x multiple vulnerabilities
   Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
   certain circumstances.
   http://www.linuxsecurity.com/advisories/other_advisory-3304.html

+---------------------------------+
|  Distribution: OpenPKG          | ----------------------------//
+---------------------------------+

 6/3/2003 - ghostscript arbitrary command execution
   According to a Red Hat security advisory, a flaw in versions of
   Ghostscript before 7.07 allows malicious Postscript files to execute
   arbitrary commands even with command line option -dSAFER enabled.
   http://www.linuxsecurity.com/advisories/other_advisory-3314.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 6/2/2003 - ghostscript arbitrary command execution vulnerability
   A flaw in unpatched versions of Ghostscript before 7.07 allows
   malicious postscript files to execute arbitrary commands even with
   -dSAFER enabled.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3313.html

 6/3/2003 - 2.4 kernel multiple vulnerabilities
   arbitrary command execution vulnerability
   These packages fix a ptrace-related vulnerability that can lead to
   elevated (root) privileges.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3315.html

 6/3/2003 - 2.4 kernel vulnerabilities and driver issues
   arbitrary command execution vulnerability
   Several security issues have been found that affect the Linux kernel.
   This update also fixes some driver issues.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3316.html

 6/3/2003 - kon2 buffer overflow vulnerability
   A buffer overflow in kon2 allows local users to obtain root
   privileges.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3317.html

+---------------------------------+
|  Distribution: Turbolinux       | ----------------------------//
+---------------------------------+

 5/30/2003 - gnupg key validity bug
   This bug causes keys with more than one user ID to give all user IDs
   on the key the amount of validity given to the most-valid key.
   http://www.linuxsecurity.com/advisories/turbolinux_advisory-3308.html

+---------------------------------+
|  Distribution: YellowDog        | ----------------------------//
+---------------------------------+

 6/4/2003 - squirrelmail multiple vulnerabilities
   Cross-site scripting vulnerabilities in SquirrelMail version 1.2.10
   and earlier allow remote attackers to execute script as other Web
   users via mailbox displays, message displays, or search results
   displays.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3320.html

 6/4/2003 - xinetd denial of service vulnerability
   Because of a programming error, memory was allocated and never freed
   if a connection was refused for any reason.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3321.html

 6/4/2003 - cups denial of service vulnerability
   Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP
   implementation.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3322.html

 6/4/2003 - gnupg key validation vulnerability
   When evaluating trust values for different UIDs assigned to a given
   key, GnuPG versions earlier than 1.2.2 would incorrectly associate
   the trust value of the UID with the highest trust value with every
   UID assigned to that key.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3323.html

 6/4/2003 - lprng insecure tmp file vulnerability
   A vulnerability has been found in psbanner, which creates a temporary
   file with a known filename in an insecure manner.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3324.html

 6/4/2003 - lv arbitrary code execution vulnerability
   A bug has been found in versions of lv that read a .lv file in the
   current directory.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3325.html

 6/4/2003 - compat-gcc missing module
   arbitrary code execution vulnerability
   The version of compat-gcc that comes with Yellow Dog Linux 3.0 is
   missing a compatibility version of the g77 fortran compiler.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3326.html

 6/4/2003 - httpd multiple vulnerabilities
   A build system problem in Apache 2.0 through 2.0.45 allows remote
   attackers to cause a denial of access to authenticated content when a
   threaded server is used.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3327.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------