Linux Advisory Watch - June 6th 2003

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  June 6th, 2002                           Volume 4, Number 22a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for maelstrom, apache, tomcat, kernel,
wget, file, lprng, cups, ghostscript, kon2, gnupg, squirrelmail,
xinetd, lv, and httpd. The distributors include Gentoo, Immunix,
Mandrake, OpenPKG, Red Hat, Turbolinux, and Yellow Dog. This week there
were several new advisories. Red Hat and others released several patches
to their 2.4 kernel. For those of you using PPC architecture and running
Yellow Dog Linux, this is your week. Eight new advisories were released,
but most of these were fixes to known problems. Many would argue that late
is better than never. :)

Last week, I wrote about several choices a system administrator can make
to achieve a secure system. However, I did not discuss why someone would
want to pay particular attention to security. Perhaps it is because your
boss demands it, or because you are responsible and take special pride in
maintaining a secure system. Several industries are mandated by the US
federal government to ensure privacy and security. If you are familiar with
the health care industry, you have probably heard about HIPAA (The Health
Insurance Portability and Accountability Act of 1996), or if you work
closely with the financial industry, you've heard of the
Gramm-Leach-Bliley Act.

If you have been to the doctor's office, dentist, or pharmacist in the
last few months, you should have been asked to sign several forms that
inform you of your privacy rights. This is a requirement of the HIPAA
privacy rule. Now, companies are working to achieve compliance with the
second part of HIPAA, the security rule. Compliance must be met by April
21st 2005. You may be asking yourself, "I'm not part of the health care
industry, why should I care?" The HIPAA security rule (164.308-164.312)
provides a high level outline of what it takes to achieve security in an
organization. It outlines administrative, physical, and technical
safeguards to ensure the confidentiality, integrity, and maximum
availability of data.

The Department of Health and Human Services has made a strong effort to
ensure that all mandatory and addressable rules follow industry standards.
The security requirements have been scrutinized and modified at the
request of health care industry leaders. Addressing each of the rules
prescribed by HIPAA should not be viewed as a hindrance, but as good
business practice. Although every organization has an established method
for maintaining security, a lot can be learned from HIPAA. No matter what
industry you're in, you should take a moment to review the requirements
and apply the principles to everyday operation. The final published
security rule can be found in the Federal Register, Volume 68, No. 34.
Some of the major parts of the security standards include the security
management process, incident procedures, contingency planning, workstation
security, audit controls, integrity, authentication, etc. In short, the
point I am trying to make is that the standards proposed by HIPAA can be
applied to almost any organization. Although I believe they are far from
perfect, they can be quite helpful.

If you have any questions on how the HIPAA standards can be applied to
your organization, please feel free to write.

Until next time,
ben@xxxxxxxxxxxxxxxxx


>> Need to Secure Multiple Domain or Host Names? <<

Securing multiple domain or host names need not burden you with unwanted
administrative hassles. Learn more about how the cost-effective Thawte
Starter PKI program can streamline management of your digital
certificates.

 Click here to download our Free guide:
 http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte20


FEATURE: Real-Time Alerting with Snort
Real-time alerting is a feature of an IDS or any other monitoring
application that notifies a person of an event in an acceptably short
amount of time. The amount of time that is acceptable is different
for every person.

http://www.linuxsecurity.com/feature_stories/feature_story-144.html


--------------------------------------------------------------------

* Comprehensive SPAM Protection! - Guardian Digital's Secure Mail
Suite is unparalleled in security, ease of management, and features.
Open source technology constantly adapts to new threats. Email
firewall, simplified administration, automatically updated.

 --> http://guardiandigital.com/cgi-bin/ad_redirect.pl?id=mailnews2

--------------------------------------------------------------------

LINUXSECURITY.COM FEATURE:
Intrusion Detection Systems: An Introduction
By: Alberto Gonzalez

Intrusion Detection is the process and methodology of inspecting data for
malicious, inaccurate or anomalous activity. At the most basic levels
there are two forms of Intrusion Detection Systems that you will
encounter: Host and Network based.

http://www.linuxsecurity.com/feature_stories/feature_story-143.html


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 5/30/2003 - maelstrom
   buffer overflow vulnerability

   A local buffer overflow exists in maelstrom.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3305.html

 6/2/2003 - uw-imapd
   buffer overflow vulnerability

   UW-imapd can also act as an IMAP client, allowing a user to connect to
   a specified server. It is disabled for anonymous users, but allowed
   for everyone else.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3309.html

 6/2/2003 - apache
   2.x denial of service vulnerability

   Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash
   in certain circumstances.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3310.html

 6/2/2003 - tomcat
   file access vulnerability

   Versions prior to tomcat-4.1.24 created /opt/tomcat with a
   directory mode which allowed users to access files containing
   passwords.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3311.html


+---------------------------------+
|  Distribution: Immunix          | ----------------------------//
+---------------------------------+

 5/30/2003 - kernel
   raceguard rules

   Added patch to add raceguard cache clearing across sessions but
   not across process of different privilege levels.
   http://www.linuxsecurity.com/advisories/immunix_advisory-3306.html

 6/4/2003 - wget
   input vulnerability

   Steven M. Christey has discovered wget did not perform sufficient
   input sanitization of ftp server responses.
   http://www.linuxsecurity.com/advisories/immunix_advisory-3318.html

 6/4/2003 - file
   root vulnerability

   An anonymous reporter has reported to iDEFENSE a vulnerability in
   file that could allow for a root compromise, should root run file
   on a specially crafted file.
   http://www.linuxsecurity.com/advisories/immunix_advisory-3319.html

 6/5/2003 - lprng
   insecure tmp file vulnerability

   A vulnerability has been found in psbanner, which creates a
   temporary file with a known filename in an insecure manner.
   http://www.linuxsecurity.com/advisories/immunix_advisory-3328.html


+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 5/30/2003 - cups
   denial of service vulnerability

   A Denial of Service (DoS) vulnerability was discovered in the CUPS
   printing system by Phil D'Amore of Red Hat.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3307.html

 6/2/2003 - apache
   2.x multiple vulnerabilities

   Two vulnerabilities were discovered in the Apache web server that
   affect all 2.x versions prior to 2.0.46.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3312.html


+---------------------------------+
|  Distributor: Apache            | ----------------------------//
+---------------------------------+

 5/30/2003 - apache
   2.0 multiple vulnerabilities

   Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash
   in certain circumstances.
   http://www.linuxsecurity.com/advisories/other_advisory-3304.html


+---------------------------------+
|  Distribution: OpenPKG          | ----------------------------//
+---------------------------------+

 6/3/2003 - ghostscript
   arbitrary command execution

   According to a Red Hat security advisory, a flaw in versions of
   Ghostscript before 7.07 allows malicious Postscript files to
   execute arbitrary commands even with command line option -dSAFER
   enabled.
   http://www.linuxsecurity.com/advisories/other_advisory-3314.html


+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 6/2/2003 - ghostscript
   arbitrary command execution vulnerability

   A flaw in unpatched versions of Ghostscript before 7.07 allows
   malicious postscript files to execute arbitrary commands even with
   -dSAFER enabled.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3313.html

 6/3/2003 - 2.4 kernel multiple vulnerabilities
   privilege escalation vulnerability

   These packages fix a ptrace-related vulnerability that can lead to
   elevated (root) privileges.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3315.html

 6/3/2003 - 2.4 kernel vulnerabilities and driver issues
   multiple vulnerabilities

   Several security issues have been found that affect the Linux
   kernel.  This update also fixes some driver issues.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3316.html

 6/3/2003 - kon2
   buffer overflow vulnerability

   A buffer overflow in kon2 allows local users to obtain root
   privileges.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3317.html


+---------------------------------+
|  Distribution: Turbolinux       | ----------------------------//
+---------------------------------+

 5/30/2003 - gnupg
   key validity bug

   This bug causes keys with more than one user ID to give all user
   IDs on the key the amount of validity given to the most-valid key.
   http://www.linuxsecurity.com/advisories/turbolinux_advisory-3308.html


+---------------------------------+
|  Distribution: YellowDog        | ----------------------------//
+---------------------------------+

 6/4/2003 - squirrelmail
   multiple vulnerabilities

   Cross-site scripting vulnerabilities in SquirrelMail version
   1.2.10 and earlier allow remote attackers to execute script as
   other Web users via mailbox displays, message displays, or search
   results displays.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3320.html

 6/4/2003 - xinetd
   denial of service vulnerability

   Because of a programming error, memory was allocated and never
   freed if a connection was refused for any reason.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3321.html

 6/4/2003 - cups
   denial of service vulnerability

   Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP
   implementation.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3322.html

 6/4/2003 - gnupg
   key validation vulnerability

   When evaluating trust values for different UIDs assigned to a
   given key, GnuPG versions earlier than 1.2.2 would incorrectly
   associate the trust value of the UID with the highest trust value
   with every UID assigned to that key.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3323.html

 6/4/2003 - lprng
   insecure tmp file vulnerability

   A vulnerability has been found in psbanner, which creates a
   temporary file with a known filename in an insecure manner.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3324.html

 6/4/2003 - lv
   arbitrary code execution vulnerability

   A bug has been found in versions of lv that read a .lv file in the
   current directory.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3325.html

 6/4/2003 - compat-gcc missing module
   missing g77 compatibility compiler

   The version of compat-gcc that comes with Yellow Dog Linux 3.0 is
   missing a compatibility version of the g77 fortran compiler.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3326.html

 6/4/2003 - httpd
   multiple vulnerabilities

   A build system problem in Apache 2.0 through 2.0.45 allows remote
   attackers to cause a denial of access to authenticated content
   when a threaded server is used.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3327.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

