+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch  |
|  June 13th, 2002                          Volume 4, Number 23a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx         ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for the Linux kernel, eterm, xaos,
ethereal, atftp, gnocatan, nethack, slashem, cupsys, mod_php, zlib,
kon2, gzip, KDE, hanterm, pptpd, cups, and lv. The distributors include
Debian, Gentoo, Immunix, Mandrake, OpenPKG, RedHat, SuSE, Turbolinux,
and Yellow Dog.

Last week, I discussed how HIPAA should be viewed as a step in the right
direction, rather than a burden for U.S. healthcare companies. I received
a lot of positive feedback from readers who are happy that they now have
an adequate budget to address security problems.

This week, I wanted to take a look at BS7799 and ISO17799. BS7799 was
first developed by the UK Department of Trade and Industry's (DTI)
Commercial Computer Security Centre (CCSC) and prepared by the British
Standards Institution with the goal of developing a set of security
management standards that can be used across many industries. Soon after
establishing the BS7799, it was submitted to the International
Organization for Standardization (ISO). After several revisions, BS7799
was accepted and used as a basis for ISO17799.

What is the goal of BS7799 & ISO17799? Each was created with the specific
purpose of providing an established starting point for organizations to
develop an information security program. Similar to HIPAA, the '7799'
standards intend to help an organization maintain strict data
confidentiality, integrity, and availability. The standards and
recommendations are written with upper information security management
as an intended audience.

What makes up the standards? Each standard outlines organizational
security issues, asset classification, personnel security, security
policy, physical and operational security, access control, systems
development, business continuity management, and standards compliance.

Organizations have many reasons for wanting to comply with international
standards. Although one could argue the case that '7799' is incomplete,
it does accomplish its goals. These standards provide the basic building
blocks for constructing an information security program in your
organization.

Until next time,
Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx


>> FREE Apache SSL Guide from Thawte <<

Are you worried about your web server security? Click here to get a FREE
Thawte Apache SSL Guide and find the answers to all your Apache SSL
security needs.

Click Command:
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte23


FEATURE: Real-Time Alerting with Snort

Real-time alerting is a feature of an IDS or any other monitoring
application that notifies a person of an event in an acceptably short
amount of time. The amount of time that is acceptable is different for
every person.

http://www.linuxsecurity.com/feature_stories/feature_story-144.html

--------------------------------------------------------------------

* Comprehensive SPAM Protection! - Guardian Digital's Secure Mail Suite
  is unparalleled in security, ease of management, and features. Open
  source technology constantly adapts to new threats. Email firewall,
  simplified administration, automatically updated.

  --> http://guardiandigital.com/cgi-bin/ad_redirect.pl?id=mailnews2

--------------------------------------------------------------------


LINUXSECURITY.COM FEATURE: Intrusion Detection Systems: An Introduction
By: Alberto Gonzalez

Intrusion Detection is the process and methodology of inspecting data
for malicious, inaccurate or anomalous activity. At the most basic levels
there are two forms of Intrusion Detection Systems that you will
encounter: Host and Network based.

http://www.linuxsecurity.com/feature_stories/feature_story-143.html


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

  6/9/2003 - kernel
    Multiple vulnerabilities

    A number of vulnerabilities have been discovered in the Linux kernel.
    http://www.linuxsecurity.com/advisories/debian_advisory-3340.html

  6/6/2003 - eterm
    Buffer overflow vulnerability

    http://www.linuxsecurity.com/advisories/debian_advisory-3341.html

  6/8/2003 - xaos
    Improper setuid-root execution

    http://www.linuxsecurity.com/advisories/debian_advisory-3342.html

  6/11/2003 - 'ethereal'
    Buffer/integer overflows

    Timo Sirainen discovered several vulnerabilities in ethereal, a
    network traffic analyzer. These include one-byte buffer overflows in
    the AIM, GIOP Gryphon, OSPF, PPTP, Quake, Quake2, Quake3, Rsync, SMB,
    SMPP, and TSP dissectors, and integer overflows in the Mount and PPP
    dissectors.
    http://www.linuxsecurity.com/advisories/debian_advisory-3349.html

  6/11/2003 - 'atftp'
    Buffer overflow

    Rick Patel discovered that atftpd is vulnerable to a buffer overflow
    when a long filename is sent to the server. An attacker could exploit
    this bug remotely to execute arbitrary code on the server.
    http://www.linuxsecurity.com/advisories/debian_advisory-3350.html

  6/11/2003 - 'gnocatan'
    Buffer overflows, DoS

    Bas Wijnen discovered that the gnocatan server is vulnerable to
    several buffer overflows which could be exploited to execute
    arbitrary code on the server system.
    http://www.linuxsecurity.com/advisories/debian_advisory-3351.html

  6/11/2003 - 'nethack'
    Buffer overflow

    The nethack package is vulnerable to a buffer overflow exploited via
    a long '-s' command line option. This vulnerability could be used by
    an attacker to gain gid 'games' on a system where nethack is
    installed.
    http://www.linuxsecurity.com/advisories/debian_advisory-3352.html

  6/12/2003 - 'slashem'
    Buffer overflow

    The slashem package is vulnerable to a buffer overflow exploited via
    a long '-s' command line option. This vulnerability could be used by
    an attacker to gain gid 'games' on a system where slashem is
    installed.
    http://www.linuxsecurity.com/advisories/debian_advisory-3353.html

  6/12/2003 - 'cupsys'
    DoS

    The CUPS print server in Debian is vulnerable to a denial of service
    when an HTTP request is received without being properly terminated.
    http://www.linuxsecurity.com/advisories/debian_advisory-3354.html


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

  6/8/2003 - mod_php
    Integer overflow vulnerability

    Integer overflows have been fixed in several php functions.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-3338.html

  6/8/2003 - atftp
    Buffer overflow vulnerability

    A buffer overflow has been fixed in atftp.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-3339.html


+---------------------------------+
|  Distribution: Immunix          | ----------------------------//
+---------------------------------+

  6/6/2003 - zlib
    Buffer overflow vulnerability

    Richard Kettlewell has discovered a buffer overflow in zlib's
    gzprintf() function, which provides printf(3)-like functionality for
    compressed files. This update, which includes a patch from the
    OpenPKG project, fixes this problem by enabling autoconf tests for
    vsnprintf(3).
    http://www.linuxsecurity.com/advisories/immunix_advisory-3330.html

  6/9/2003 - tetex, psutils, w3c-libwww
    Buffer overflow vulnerability

    Richard Kettlewell has discovered a buffer overflow in zlib's
    gzprintf() function, which provides printf(3)-like functionality for
    compressed files. This update, which includes a patch from the
    OpenPKG project, fixes this problem by enabling autoconf tests for
    vsnprintf(3).
    http://www.linuxsecurity.com/advisories/immunix_advisory-3344.html


+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

  6/6/2003 - kon2
    Buffer overflow vulnerability

    A buffer overflow in the command line parsing can be exploited,
    leading to local users being able to gain root privileges.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3329.html

  6/11/2003 - 'kernel'
    Several vulnerabilities

    Multiple vulnerabilities were discovered and fixed in the Linux
    kernel.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3348.html


+---------------------------------+
|  Distribution: OpenPKG          | ----------------------------//
+---------------------------------+

  6/11/2003 - 'gzip'
    Symlink attack, info leak

    The GNU Bash based znew(1) shell script tried to prevent itself from
    overwriting existing files on shell redirection by using the POSIX
    "noclobber" shell option, but accidentally forgot to check the
    result and, in the case of existing files, stop further processing.
    This allowed a classical "symlink" attack.
    http://www.linuxsecurity.com/advisories/other_advisory-3347.html


+---------------------------------+
|  Distribution: RedHat           | ----------------------------//
+---------------------------------+

  6/6/2003 - KDE
    SSL man-in-the-middle attack

    Updated KDE packages that resolve a vulnerability in KDE's SSL
    implementation are now available.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3331.html

  6/6/2003 - hanterm
    Multiple vulnerabilities

    Updated hanterm packages fix two security issues.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3332.html

  6/6/2003 - kernel
    Advisory updates

    We have retracted two bug fix advisories that affected only the
    S/390 architecture of Red Hat Linux 7.2.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3333.html


+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

  6/6/2003 - pptpd
    Remote buffer overflow vulnerability

    http://www.linuxsecurity.com/advisories/suse_advisory-3334.html

  6/6/2003 - cups
    Remote DoS vulnerability

    http://www.linuxsecurity.com/advisories/suse_advisory-3335.html


+---------------------------------+
|  Distribution: Turbolinux       | ----------------------------//
+---------------------------------+

  6/6/2003 - lv
    Privilege escalation vulnerability

    An attacker may be able to gain the privileges of the user invoking
    lv.
    http://www.linuxsecurity.com/advisories/turbolinux_advisory-3336.html

  6/6/2003 - kdelibs
    Privilege escalation vulnerability

    http://www.linuxsecurity.com/advisories/turbolinux_advisory-3337.html


+---------------------------------+
|  Distribution: Yellow Dog       | ----------------------------//
+---------------------------------+

  6/10/2003 - 'ghostscript'
    Vulnerability

    A flaw in unpatched versions of Ghostscript before 7.07 allows
    malicious postscript files to execute arbitrary commands even with
    -dSAFER enabled.
    http://www.linuxsecurity.com/advisories/yellowdog_advisory-3345.html

  6/10/2003 - 'hanterm-xf'
    Vulnerabilities

    An attacker can craft an escape sequence that sets the window title
    of a victim using Hangul Terminal to an arbitrary command and then
    report it to the command line.
    http://www.linuxsecurity.com/advisories/yellowdog_advisory-3346.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

    To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------