+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  June 20th, 2002                         Volume 4, Number 24a  |
+----------------------------------------------------------------+

Editors:    Dave Wreski                 Benjamin Thomas
            dave@xxxxxxxxxxxxxxxxx      ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for apache2, webmin, mikmod,
typespeed, noweb, jnethack, ethereal, lprng, gzip, man, kon2,
ghostscript, cups, gzip, BitchX, Xpdf, kernel, and mgetty. The
distributors include Conectiva, Debian, Gentoo, Mandrake, Red Hat,
Slackware, SuSe, and TurboLinux. Like last week, many of the advisories
are fixes to older issues and minor problems. The Gentoo and Debian
security teams were most active.

Recently, there has been a lot of noise in the community about
Gartner's latest report (Information Security Hype Cycle) suggesting
that IDS technology fails to provide value relative to its costs and
"will be obsolete by 2005." The report indicates that IDSs do not add
an extra layer of security and that they are a product of vendor
puffery. Gartner's recommendation is to direct any budgeted IDS funds
into better firewalls. "Functionality is moving into firewalls, which
will perform deep packet inspection for content and malicious traffic
blocking, as well as antivirus activities." According to the research,
IDS technology fails because the typical IT department does not have
the resources to sift through all of the false positives and false
negatives generated by normal traffic. If you've ever administered an
IDS, I'm sure that you would agree with that. One conclusion that I
have made over the past few years is that an IDS is not for the faint
of heart.
To reap the benefit, a very skilled administrator is required, and one
that has the ability to write custom signatures and configure the
system in such a way that false positives/negatives can be minimized.
Although this may be considered my <SOAPBOX> topic, I feel compelled
to mention it.

<SOAPBOX>
No matter how many intrusion detection/prevention systems, firewalls,
scanners, and applications are installed to improve security, systems
will ultimately remain insecure until sysadmins start regularly
patching vulnerabilities in a timely manner. I find it appalling that
script kiddies are able to find an insecure application fingerprint,
search on Google to find vulnerable hosts, then exploit it.
Negligence is the greatest cause of problems today.
</SOAPBOX>

I apologize for lecturing; it is the "don't care" mindset that
frustrates me. The ironic part about all of this is that if you're
reading this, you probably agree with me and your systems are
up-to-date. Education and awareness are very important. One must
realize that there is no magic bullet.

Until next time,
Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

FEATURE: Real-Time Alerting with Snort

Real-time alerting is a feature of an IDS or any other monitoring
application that notifies a person of an event in an acceptably short
amount of time. The amount of time that is acceptable is different for
every person.

http://www.linuxsecurity.com/feature_stories/feature_story-144.html

LINUXSECURITY.COM FEATURE: Intrusion Detection Systems: An Introduction
By: Alberto Gonzalez

Intrusion Detection is the process and methodology of inspecting data
for malicious, inaccurate or anomalous activity. At the most basic
level there are two forms of Intrusion Detection Systems that you will
encounter: host-based and network-based.

http://www.linuxsecurity.com/feature_stories/feature_story-143.html

+---------------------------------+
| Distribution: Conectiva         | ----------------------------//
+---------------------------------+

6/17/2003 - apache2 arbitrary command execution vulnerability

The APR library contains a vulnerability in the apr_psprintf()
function which could be used to make apache reference invalid memory.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3366.html

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

6/16/2003 - lyskom-server denial of service vulnerability

Calle Dybedahl discovered a bug in lyskom-server which could result
in a denial of service where an unauthenticated user could cause the
server to become unresponsive as it processes a large query.
http://www.linuxsecurity.com/advisories/debian_advisory-3360.html

6/16/2003 - webmin session ID spoofing vulnerability

miniserv.pl in the webmin package does not properly handle
metacharacters, such as line feeds and carriage returns, in
Base64-encoded strings used in Basic authentication.
http://www.linuxsecurity.com/advisories/debian_advisory-3361.html

6/16/2003 - mikmod buffer overflow vulnerability

Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.
http://www.linuxsecurity.com/advisories/debian_advisory-3362.html

6/16/2003 - radiusd-cistron buffer overflow vulnerability

radiusd-cistron contains a bug allowing a buffer overflow when a long
NAS-Port attribute is received.
http://www.linuxsecurity.com/advisories/debian_advisory-3363.html

6/17/2003 - typespeed buffer overflow vulnerability

http://www.linuxsecurity.com/advisories/debian_advisory-3367.html

6/17/2003 - noweb insecure tmp file vulnerability

Jakob Lell discovered a bug in the 'noroff' script included in noweb
whereby a temporary file was created insecurely.
http://www.linuxsecurity.com/advisories/debian_advisory-3368.html

6/18/2003 - jnethack Multiple vulnerabilities

Multiple vulnerabilities including a buffer overflow and potential
malicious code execution vulnerabilities have been fixed.
http://www.linuxsecurity.com/advisories/debian_advisory-3376.html

6/18/2003 - ethereal Multiple remote vulnerabilities

Multiple vulnerabilities including a buffer overflow and potential
malicious code execution vulnerabilities have been fixed.
http://www.linuxsecurity.com/advisories/debian_advisory-3377.html

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

6/14/2003 - lprng Symlink attack

http://www.linuxsecurity.com/advisories/gentoo_advisory-3355.html

6/14/2003 - gzip Insecure temp files

http://www.linuxsecurity.com/advisories/gentoo_advisory-3356.html

6/14/2003 - man Format string vulnerability

http://www.linuxsecurity.com/advisories/gentoo_advisory-3357.html

6/14/2003 - kon2 Buffer overflow vulnerability

http://www.linuxsecurity.com/advisories/gentoo_advisory-3358.html

6/14/2003 - ghostscript Insecure temp file

http://www.linuxsecurity.com/advisories/gentoo_advisory-3359.html

6/16/2003 - cups denial of service vulnerability

CUPS allows remote attackers to cause a denial of service via a
partial printing request to the IPP port (631), which does not time
out.
http://www.linuxsecurity.com/advisories/gentoo_advisory-3364.html

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

6/17/2003 - ethereal multiple vulnerabilities

Several vulnerabilities in ethereal were discovered by Timo Sirainen.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3369.html

6/17/2003 - gzip insecure tmp file vulnerability

A vulnerability exists in znew, a script included with gzip, that
would create temporary files without taking precautions to avoid a
symlink attack.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3370.html

6/17/2003 - BitchX Denial of Service Vulnerability

http://www.linuxsecurity.com/advisories/mandrake_advisory-3373.html

+---------------------------------+
| Distribution: RedHat            | ----------------------------//
+---------------------------------+

6/18/2003 - Xpdf Arbitrary code execution vulnerability

http://www.linuxsecurity.com/advisories/redhat_advisory-3374.html

+---------------------------------+
| Distribution: Slackware         | ----------------------------//
+---------------------------------+

6/18/2003 - kernel Multiple vulnerabilities

http://www.linuxsecurity.com/advisories/slackware_advisory-3375.html

+---------------------------------+
| Distribution: SuSe              | ----------------------------//
+---------------------------------+

6/16/2003 - radiusd-cistron denial of service vulnerability

radiusd-cistron contains a bug allowing a buffer overflow when a long
NAS-Port attribute is received.
http://www.linuxsecurity.com/advisories/suse_advisory-3365.html

+---------------------------------+
| Distribution: TurboLinux        | ----------------------------//
+---------------------------------+

6/17/2003 - mgetty multiple vulnerabilities

These vulnerabilities allow remote attackers to cause a denial of
service and possibly execute arbitrary code via a Caller ID string
with a long CallerName argument, as well as allow local users to
modify fax transmission privileges.
http://www.linuxsecurity.com/advisories/turbolinux_advisory-3371.html

6/17/2003 - gzip insecure tmp file vulnerability

A vulnerability exists in znew in the gzip package that could allow
local users to overwrite arbitrary files via a symlink attack on
temporary files.
http://www.linuxsecurity.com/advisories/turbolinux_advisory-3372.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------
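The gzip (znew), noweb (noroff) and ghostscript entries above all describe the same class of bug: a script creating a temporary file at a guessable path in a shared directory, which a local user can pre-empt with a symlink. The shell example below is added here and is not code from any of the advisories or packages; it contrasts that pattern with mktemp(1) inside a private scratch directory it creates itself, and includes a check a script can run before trusting a temp path (the function names and the znew.tmp name are assumptions for illustration; stat -c is GNU coreutils).

```shell
# Added example (not from the advisories): the predictable-temp-file bug
# behind the znew/noroff reports, beside the mktemp(1) pattern that fixes it.

# Unsafe pattern: fixed, guessable name in a shared directory. If a local
# user has already placed a symlink there, the '>' redirect follows it and
# the write lands on whatever the link points to, with this user's rights.
unsafe_tmp_write() {             # $1 = shared dir, $2 = data to store
    tmp="$1/znew.tmp"
    echo "$2" > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Safe pattern: mktemp creates a brand-new file (O_EXCL) with a random
# suffix and mode 0600, so a pre-placed link at any guessed name is never
# opened and other users cannot read or replace the file.
safe_tmp_write() {               # $1 = shared dir, $2 = data to store
    tmp=$(mktemp "$1/znew.XXXXXX") || return 1
    echo "$2" > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Check a script can run before trusting a temp path: regular file, not a
# symlink, owned by the caller, mode 0600 (stat -c is GNU coreutils).
tmp_is_safe() {
    [ ! -L "$1" ] && [ -f "$1" ] &&
    [ "$(stat -c %u "$1")" = "$(id -u)" ] &&
    [ "$(stat -c %a "$1")" = 600 ]
}

# Demonstration in a private scratch directory (constructed, not /tmp):
# a link planted at the guessable name is followed by the unsafe version
# only; the mktemp version and the check both reject it.
demo() {
    dir=$(mktemp -d) || return 1
    echo "original" > "$dir/victim"
    ln -s "$dir/victim" "$dir/znew.tmp"   # stands in for a planted link
    unsafe_tmp_write "$dir" "clobbered" >/dev/null
    echo "unsafe: victim now reads '$(cat "$dir/victim")'"
    p=$(safe_tmp_write "$dir" "data")
    tmp_is_safe "$p" && echo "safe: $p passes tmp_is_safe"
    tmp_is_safe "$dir/znew.tmp" || echo "planted link fails tmp_is_safe"
    rm -rf "$dir"
}
demo
```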