Linux Advisory Watch - June 13th 2003

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  June 13th, 2002                          Volume 4, Number 23a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for the Linux kernel, eterm, xaos,
ethereal, atftp, gnocatan, nethack, slashem, cupsys, mod_php, zlib, kon2,
gzip, KDE, hanterm, pptpd, cups, and lv. The distributors include Debian,
Gentoo, Immunix, Mandrake, OpenPKG, RedHat, SuSE, Turbolinux, and Yellow
Dog.

Last week, I discussed how HIPAA should be viewed as a step in the right
direction, rather than a burden for U.S. healthcare companies. I received
a lot of positive feedback from readers who are happy that they now have
an adequate budget to address security problems. This week, I wanted to
take a look at BS7799 and ISO17799. BS7799 was first developed by the UK
Department of Trade and Industry's (DTI) Commercial Computer Security
Centre (CCSC) and prepared by the British Standards Institution with the
goal of developing a set of security management standards that can be used
across many industries. Soon after establishing the BS7799, it was
submitted to the International Organization for Standardization (ISO).
After several revisions, BS7799 was accepted and used as a basis for
ISO17799.

What is the goal of BS7799 & ISO17799? Each was created with the specific
purpose of providing an established starting point for organizations to
develop an information security program. Similar to HIPAA, the '7799'
standards intend to help an organization maintain strict data
confidentiality, integrity, and availability. The standards and
recommendations are written with upper information security management as
an intended audience. What makes up the standards? Each standard outlines
organizational security issues, asset classification, personnel security,
security policy, physical and operational security, access control,
systems development, business continuity management, and standards
compliance.

Organizations have many reasons for wanting to comply with international
standards. Although one could argue the case that '7799' is incomplete, it
does accomplish its goals. These standards provide the basic building
blocks for constructing an information security program in your
organization.

Until next time,

Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx



>> FREE Apache SSL Guide from Thawte <<

Are you worried about your web server security?  Click here to get a FREE
Thawte Apache SSL Guide and find the answers to all your Apache SSL
security needs.

 Click Command:
 http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte23

FEATURE: Real-Time Alerting with Snort
Real-time alerting is a feature of an IDS or any other monitoring
application that notifies a person of an event in an acceptably short
amount of time. The amount of time that is acceptable is different
for every person.

http://www.linuxsecurity.com/feature_stories/feature_story-144.html


--------------------------------------------------------------------

* Comprehensive SPAM Protection! - Guardian Digital's Secure Mail Suite is
unparalleled in security, ease of management, and features. Open source
technology constantly adapts to new threats. Email firewall, simplified
administration, automatically updated.

 --> http://guardiandigital.com/cgi-bin/ad_redirect.pl?id=mailnews2

--------------------------------------------------------------------

LINUXSECURITY.COM FEATURE:
Intrusion Detection Systems: An Introduction
By: Alberto Gonzalez

Intrusion Detection is the process and methodology of inspecting data for
malicious, inaccurate or anomalous activity. At the most basic levels
there are two forms of Intrusion Detection Systems that you will
encounter: Host and Network based.

http://www.linuxsecurity.com/feature_stories/feature_story-143.html




+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 6/9/2003 - kernel
   Multiple vulnerabilities

   A number of vulnerabilities have been discovered in the Linux
   kernel.
   http://www.linuxsecurity.com/advisories/debian_advisory-3340.html

 6/6/2003 - eterm
   Buffer overflow vulnerability

   A buffer overflow vulnerability has been discovered in eterm.
   http://www.linuxsecurity.com/advisories/debian_advisory-3341.html

 6/8/2003 - xaos
   Improper setuid-root execution

   xaos is vulnerable to improper setuid-root execution.
   http://www.linuxsecurity.com/advisories/debian_advisory-3342.html

 6/11/2003 - ethereal
   Buffer and integer overflow vulnerabilities

   Timo Sirainen discovered several vulnerabilities in ethereal, a
   network traffic analyzer.  These include one-byte buffer overflows
   in the AIM, GIOP Gryphon, OSPF, PPTP, Quake, Quake2, Quake3,
   Rsync, SMB, SMPP, and TSP dissectors, and integer overflows in the
   Mount and PPP dissectors.
   http://www.linuxsecurity.com/advisories/debian_advisory-3349.html

 6/11/2003 - atftp
   Buffer overflow vulnerability

   Rick Patel discovered that atftpd is vulnerable to a buffer
   overflow when a long filename is sent to the server.  An attacker
   could exploit this bug remotely to execute arbitrary code on the
   server.
   http://www.linuxsecurity.com/advisories/debian_advisory-3350.html

 6/11/2003 - gnocatan
   Buffer overflow and DoS vulnerabilities

   Bas Wijnen discovered that the gnocatan server is vulnerable to
   several buffer overflows which could be exploited to execute
   arbitrary code on the server system.
   http://www.linuxsecurity.com/advisories/debian_advisory-3351.html

 6/11/2003 - nethack
   Buffer overflow vulnerability

   The nethack package is vulnerable to a buffer overflow exploited
   via a long '-s' command line option.  This vulnerability could be
   used by an attacker to gain gid 'games' on a system where nethack
   is installed.
   http://www.linuxsecurity.com/advisories/debian_advisory-3352.html

 6/12/2003 - slashem
   Buffer overflow vulnerability

   The slashem package is vulnerable to a buffer overflow exploited
   via a long '-s' command line option.  This vulnerability could be
   used by an attacker to gain gid 'games' on a system where slashem
   is installed.
   http://www.linuxsecurity.com/advisories/debian_advisory-3353.html

 6/12/2003 - cupsys
   Denial of service vulnerability

   The CUPS print server in Debian is vulnerable to a denial of
   service when an HTTP request is received without being properly
   terminated.
   http://www.linuxsecurity.com/advisories/debian_advisory-3354.html


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 6/8/2003 - mod_php
   Integer overflow vulnerability

   Integer overflows have been fixed in several php functions.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3338.html

 6/8/2003 - atftp
   Buffer overflow vulnerability

   A buffer overflow has been fixed in atftp.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3339.html


+---------------------------------+
|  Distribution: Immunix          | ----------------------------//
+---------------------------------+

 6/6/2003 - zlib
   buffer overflow vulnerability

   Richard Kettlewell has discovered a buffer overflow in zlib's
   gzprintf() function, which provides printf(3)-like functionality
   for compressed files. This update, which includes a patch from the
   OpenPKG project, fixes this problem by enabling autoconf tests for
   vsnprintf(3).
   http://www.linuxsecurity.com/advisories/immunix_advisory-3330.html

 6/9/2003 - tetex, psutils, w3c-libwww
   buffer overflow vulnerability

   Buffer overflow vulnerabilities have been fixed in tetex, psutils,
   and w3c-libwww.
   http://www.linuxsecurity.com/advisories/immunix_advisory-3344.html


+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 6/6/2003 - kon2
   buffer overflow vulnerability

   A buffer overflow in the command line parsing can be exploited,
   leading to local users being able to gain root privileges.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3329.html

 6/11/2003 - kernel
   Multiple vulnerabilities

   Multiple vulnerabilities were discovered and fixed in the Linux
   kernel.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3348.html


+---------------------------------+
|  Distribution: OpenPKG          | ----------------------------//
+---------------------------------+

 6/11/2003 - gzip
   Symlink attack vulnerability

   The GNU Bash based znew(1) shell script tried to prevent itself
   from overwriting existing files on shell redirection by using the
   POSIX "noclobber" shell option, but forgot to check the result of
   the redirection and, in the case of existing files, to stop further
   processing. This allowed a classical "symlink" attack.
   http://www.linuxsecurity.com/advisories/other_advisory-3347.html
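   The noclobber pattern described above, written the way znew should
   have used it: an added shell example (not code from the advisory or
   from gzip) in which the redirection failure is checked and processing
   stops instead of continuing onto a pre-planted symlink. The function
   and file names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the gzip project: with the POSIX noclobber
# option (set -C), "> file" fails when the path already exists, so a
# symlink planted at the output name is never followed. The flaw in
# znew(1) was ignoring that failure; here it is checked and honoured.

# safe_create TARGET: create TARGET under noclobber. Returns 0 when a
# fresh file was created, 1 when TARGET already exists (file or symlink).
safe_create() {
    target=$1
    # Run the redirection in a subshell so noclobber does not leak into
    # the caller and the subshell's exit status is the redirection's.
    if ( set -C; : > "$target" ) 2>/dev/null; then
        return 0
    fi
    return 1
}

# demo: constructed scenario in a temporary directory. A victim file
# exists and a symlink to it sits where the output file would be
# written. Returns 0 if safe_create refused to write, 1 if it did not.
demo() {
    dir=$(mktemp -d) || return 2
    : > "$dir/victim"                    # file an attacker wants clobbered
    ln -s "$dir/victim" "$dir/out.gz"    # symlink planted at the output name
    if safe_create "$dir/out.gz"; then
        rc=1                             # followed the symlink: unsafe
    else
        rc=0                             # refused and stopped: safe
    fi
    rm -rf "$dir"
    return $rc
}
```

   The test of the subshell's exit status is the whole fix: a script
   that keeps going after a failed redirection gains nothing from
   noclobber.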


+---------------------------------+
|  Distribution: RedHat           | ----------------------------//
+---------------------------------+

 6/6/2003 - KDE
   ssl man-in-the-middle attack

   Updated KDE packages that resolve a vulnerability in KDE's SSL
   implementation are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3331.html

 6/6/2003 - hanterm
   multiple vulnerabilities

   Updated hanterm packages fix two security issues.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3332.html

 6/6/2003 - kernel
   advisory updates

   We have retracted two bug fix advisories that affected only the
   S/390 architecture of Red Hat Linux 7.2.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3333.html


+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

 6/6/2003 - pptpd
   Remote buffer overflow vulnerability

   Updated pptpd packages fix a remote buffer overflow vulnerability.
   http://www.linuxsecurity.com/advisories/suse_advisory-3334.html

 6/6/2003 - cups
   Remote DoS vulnerability

   Updated cups packages fix a remote denial of service vulnerability.
   http://www.linuxsecurity.com/advisories/suse_advisory-3335.html


+---------------------------------+
|  Distribution: Turbolinux       | ----------------------------//
+---------------------------------+

 6/6/2003 - lv
   Privilege escalation vulnerability

   An attacker may be able to gain the privileges of the user
   invoking lv.
   http://www.linuxsecurity.com/advisories/turbolinux_advisory-3336.html

 6/6/2003 - kdelibs
   Privilege escalation vulnerability

   Updated kdelibs packages fix a privilege escalation vulnerability.
   http://www.linuxsecurity.com/advisories/turbolinux_advisory-3337.html


+---------------------------------+
|  Distribution: Yellow Dog       | ----------------------------//
+---------------------------------+

 6/10/2003 - ghostscript
   Arbitrary command execution vulnerability

   A flaw in unpatched versions of Ghostscript before 7.07 allows
   malicious postscript files to execute arbitrary commands even with
   -dSAFER enabled.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3345.html

 6/10/2003 - hanterm-xf
   Escape sequence vulnerabilities

   An attacker can craft an escape sequence that sets the window
   title of a victim using Hangul Terminal to an arbitrary command
   and then report it to the command line.
   http://www.linuxsecurity.com/advisories/yellowdog_advisory-3346.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

