Linux Advisory Watch - August 22nd 2003

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  August 22nd, 2003                        Volume 4, Number 33a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for openslp, zip, netris, autorespond,
unzip, eroaster, and GDM.  The distributors include Conectiva, Debian,
Mandrake, and Red Hat.

The United States National Institute of Standards and Technology recently
released the second draft of the "Guide for the Security Certification and
Accreditation of Federal Information System." It is currently in the
second public comment period, which ends August 31st 2003.  Although the
document is intended for government agency use, it is easily applicable to
organizations of other types.  As information security is becoming a more
important function of conducting business, there is an ever-increasing
need for standards and methodologies.  This document is an excellent
starting point for those interested in creating an organization-wide
information security program and/or certification and accreditation
procedures.

The document begins with an introduction to the concept of certification
and accreditation.  It includes the system development life cycle,
component evaluation, assessment activities, as well as other important
information.  Next, the document overviews the fundamentals of C&A
including roles and responsibilities, information system categories,
documentation, and monitoring.  Overall, the first two chapters of this
document provide a very good overview of the base knowledge required to
set up a certification and accreditation program in your organization.

The final chapter of this document walks readers through the entire
process of C&A.  It covers initiation, certification, accreditation, and
finally monitoring.  This chapter gives readers a very good indication of
the work required to implement a C&A program.  In addition, after
reading this chapter the importance of beginning the C&A process becomes
apparent.

In addition to clear and informative writing, the document also provides
many easy-to-read diagrams.  The illustrations provided help readers more
easily visualize the authors' intentions.  If you haven't had a chance to
take a look at this document, I highly recommend it.  The information is
valuable and freely available.  The entire document can be found at the
following URL:

http://csrc.nist.gov/publications/drafts/sp800-37-Draftver2.pdf

Until next time,
Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx



Expert vs. Expertise: Computer Forensics and the Alternative OS

No longer a dark and mysterious process, computer forensics has been a
significant presence for more than five years now. Despite this, it has
only recently gained the recognition it deserves.

http://www.linuxsecurity.com/feature_stories/feature_story-147.html

--------------------------------------------------------------------

>> FREE Apache SSL Guide from Thawte  <<

Are you worried about your web server security?  Click here to get a FREE
Thawte Apache SSL Guide and find the answers to all your Apache SSL
security needs.

 Click Command:
 http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=vertad_thawteapache

--------------------------------------------------------------------

REVIEW: Linux Security Cookbook

There are rarely straightforward solutions to real-world issues,
especially in the field of security. The Linux Security Cookbook is an
essential tool to help solve those real-world problems. By covering
situations that apply to everyone from the seasoned systems administrator
to the security-curious home user, the Linux Security Cookbook
distinguishes itself as an indispensable reference for security-oriented
individuals.

http://www.linuxsecurity.com/feature_stories/feature_story-145.html


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

 8/15/2003 - openslp
   tmp file creation vulnerability

   There is a symbolic link vulnerability in the initscript used to
   control the openslp daemon.
   http://www.linuxsecurity.com/advisories/connectiva_advisory-3563.html

 8/21/2003 - zip
   directory traversal vulnerability

   This is a re-edition of the announcement CLSA-2003:672[1].
   http://www.linuxsecurity.com/advisories/connectiva_advisory-3564.html


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 8/17/2003 - netris
   Buffer overflow vulnerability

   A netris client connecting to an untrusted netris server could be
   sent an unusually long data packet, which would be copied into a
   fixed-length buffer without bounds checking.
   http://www.linuxsecurity.com/advisories/debian_advisory-3559.html

 8/16/2003 - autorespond
   Buffer overflow vulnerability

   This vulnerability could potentially be exploited by a remote
   attacker to gain the privileges of a user who has configured qmail
   to forward messages to autorespond.
   http://www.linuxsecurity.com/advisories/debian_advisory-3560.html

 8/18/2003 - man-db
   denial of service vulnerability

   This update introduced an error in the routine that resolves
   hardlinks: depending on the filenames of hardlinked manpages, that
   routine might itself overrun allocated memory, causing a
   segmentation fault.
   http://www.linuxsecurity.com/advisories/debian_advisory-3565.html


+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 8/21/2003 - unzip
   arbitrary file overwrite vulnerability

   A vulnerability was discovered in unzip 5.50 and earlier that
   allows attackers to overwrite arbitrary files during archive
   extraction by placing non-printable characters between two "."
   characters.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3566.html

 8/21/2003 - eroaster
   tmp file creation vulnerability

   A vulnerability was discovered in eroaster where it does not take
   any security precautions when creating a temporary file for the
   lockfile.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3567.html
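   Both the openslp initscript entry (Conectiva) and the eroaster entry
   above describe the same class of bug: a lock or temporary file created
   at a predictable path with no protection against a symlink planted
   there beforehand. The following Python is an added example, not code
   from either package, that stages that scenario in a private directory
   and contrasts the unsafe open() pattern with one that uses O_EXCL and
   O_NOFOLLOW, plus mkstemp() for files whose name need not be fixed. The
   directory layout, file names and contents are constructed for the
   example.

```python
import os
import tempfile

ORIGINAL = "important data\n"  # constructed content of the file an attacker wants clobbered


def unsafe_create_lock(path: str) -> None:
    """The pattern the advisories warn about: a fixed, predictable name opened
    with O_CREAT but without O_EXCL. If a symlink has been pre-placed at `path`,
    open() follows it and O_TRUNC empties whatever file the link points to."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.write(fd, f"{os.getpid()}\n".encode())
    os.close(fd)


def safe_create_lock(path: str) -> bool:
    """Create `path` only if nothing is there yet. O_EXCL makes open() fail when
    the name already exists (a planted symlink included), and O_NOFOLLOW refuses
    to traverse a symlink at the final component where the platform supports it.
    Returns True on success, False if the name was already taken."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    os.write(fd, f"{os.getpid()}\n".encode())
    os.close(fd)
    return True


def safe_tempfile(directory: str) -> str:
    """For scratch files whose name need not be fixed, mkstemp() picks an
    unpredictable name and opens it with O_EXCL in a single step."""
    fd, path = tempfile.mkstemp(prefix="scratch-", dir=directory)
    os.close(fd)
    return path


def run_demo() -> dict:
    """Stage the race outcome in a throwaway directory: a victim file plus a
    symlink planted exactly where the daemon's lock file will be created."""
    workdir = tempfile.mkdtemp(prefix="lockdemo-")
    victim = os.path.join(workdir, "victim.txt")
    lock = os.path.join(workdir, "app.lock")
    with open(victim, "w") as f:
        f.write(ORIGINAL)
    os.symlink(victim, lock)  # the planted link

    unsafe_create_lock(lock)  # follows the link: victim is truncated and overwritten
    with open(victim) as f:
        unsafe_clobbered = f.read() != ORIGINAL

    with open(victim, "w") as f:  # restore the victim for the second run
        f.write(ORIGINAL)
    safe_refused = not safe_create_lock(lock)  # EEXIST: the link is in the way
    with open(victim) as f:
        victim_intact = f.read() == ORIGINAL

    os.unlink(lock)
    safe_created = safe_create_lock(lock)  # no link now: a fresh regular file
    lock_is_regular = os.path.isfile(lock) and not os.path.islink(lock)

    scratch = safe_tempfile(workdir)
    scratch_ok = os.path.isfile(scratch) and os.path.dirname(scratch) == workdir

    for p in (lock, victim, scratch):
        os.unlink(p)
    os.rmdir(workdir)
    return {
        "unsafe_clobbered": unsafe_clobbered,
        "safe_refused": safe_refused,
        "victim_intact": victim_intact,
        "safe_created": safe_created,
        "lock_is_regular": lock_is_regular,
        "scratch_ok": scratch_ok,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18} {value}")
```

   The same two fixes apply to shell initscripts: use mktemp(1) rather
   than a hand-built /tmp name, and never write to a fixed path with a
   plain redirection when an untrusted user can create files in that
   directory.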


+---------------------------------+
|  Distribution: RedHat           | ----------------------------//
+---------------------------------+

 8/15/2003 - unzip
   Trojan vulnerability

   Updated unzip packages resolving a vulnerability allowing
   arbitrary files to be overwritten are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3561.html

 8/21/2003 - GDM
   multiple vulnerabilities

   Updated GDM packages are available which correct a bug allowing
   local users to read any text files on the system, and a denial of
   service issue if XDMCP is enabled.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3568.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

