+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  October 24th, 2003                      Volume 4, Number 42a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx       ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for ircd, gdm, fileutils, sane,
and fetchmail. The distributors include Conectiva, Immunix, Mandrake,
and Turbolinux.

---

>> FREE Apache SSL Guide from Thawte <<

Are you worried about your web server security? Click here to get a
FREE Thawte Apache SSL Guide and find the answers to all your Apache
SSL security needs.

Click Command:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=vertad_thawteapache

---

This week, Ballmer's comments comparing Windows and Linux security have
been all over the press. As you might suspect, the GNU/Linux community
instantly fired back rebutting all of his points. Personally, I believe
he was comparing apples and oranges and exploiting the ignorance people
have for security. Fear, uncertainty, and doubt is a common theme that
we should come to expect. Unfortunately, some believe everything they
are being told without any verification of the facts.

The point of this commentary is not to make any arguments for or
against the security of Linux, but to re-emphasize the point that the
ultimate responsibility for security lies with the person(s) who have
chosen to implement a particular piece of software. For instance, by
choosing to set up a Linux-based Web server, you take the
responsibility of ensuring that the bare minimum is installed, access
is strictly controlled, and the system is patched as much as necessary.
Unfortunately, there will always be vulnerabilities in software due to
sloppy programming. I am not trying to discount the responsibility of
software makers; I am merely suggesting that security isn't something
that is controlled at a single point. Security is everyone's
responsibility. When choosing to implement a piece of software, security
should be one of the most significant factors. Does the vendor provide
timely updates? If something goes horribly wrong, can I fix it myself?
What is the security history of this software? All of these questions
are important and should be addressed.

I just wanted to emphasize that security shouldn't be a game of "my OS
has fewer vulnerabilities than yours"; the point should be "how easily
can the problem be fixed, and/or how long do I have to wait for an
update." Security is the responsibility of all at many levels, and we
shouldn't forget that.

Until next time, cheers!

Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

---

EnGarde GDSN Subscription Price Reduction - Guardian Digital, the
world's premier open source security company, announced today that
they will be reducing the annual subscription cost of the Guardian
Digital Secure Network for EnGarde Community users from $229 to $60
for a limited time.

http://www.linuxsecurity.com/feature_stories/feature_story-151.html

--------------------------------------------------------------------

CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!

Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what
the other Linux vendors are not telling you.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

--------------------------------------------------------------------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

10/17/2003 - ircd DoS vulnerability
  A buffer overflow vulnerability has been discovered that may allow
  an attacker to crash the ircd server, thus causing a denial of
  service condition. The package released with this advisory includes
  a patch that fixes the problem.
  http://www.linuxsecurity.com/advisories/connectiva_advisory-3736.html

10/17/2003 - gdm DoS vulnerabilities
  Jarno Gassenbauer found two local denial of service vulnerabilities
  in GDM, both fixed in the versions 2.4.4.4 and 2.4.1.7 and in the
  packages released with this advisory:
  http://www.linuxsecurity.com/advisories/connectiva_advisory-3737.html

10/22/2003 - fileutils denial of service vulnerability
  There is a memory starvation denial of service vulnerability in the
  ls program. It is possible to make ls allocate a huge amount of
  memory by calling it with the parameters "-w X -C" (where X is an
  arbitrarily large number).
  http://www.linuxsecurity.com/advisories/connectiva_advisory-3741.html

10/22/2003 - sane tmp file vulnerabilities
  This update fixes several vulnerabilities in the sane package.
  http://www.linuxsecurity.com/advisories/connectiva_advisory-3742.html

+---------------------------------+
|  Distribution: Immunix          | ----------------------------//
+---------------------------------+

10/20/2003 - fetchmail multiple vulnerabilities
  This update fixes several bugs in fetchmail, including a broken
  boundary condition check in the multidrop code, a header overflow
  that neglected to account for '@' signs in email addresses, a
  header-rewriting bug, and a header-reading bug.
  http://www.linuxsecurity.com/advisories/immunix_advisory-3738.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

10/17/2003 - gdm multiple vulnerabilities
  Two vulnerabilities were discovered in gdm by Jarno Gassenbauer that
  would allow a local attacker to cause gdm to crash or freeze.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-3734.html

10/17/2003 - fetchmail denial of service vulnerability
  A bug was discovered in fetchmail 6.2.4 where a specially crafted
  email message can cause fetchmail to crash.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-3735.html

+---------------------------------+
|  Distribution: Turbolinux       | ----------------------------//
+---------------------------------+

10/20/2003 - kernel/kdebase multiple denial of service vulnerabilities
  Multiple issues in the Linux kernel and KDM have been resolved.
  http://www.linuxsecurity.com/advisories/turbolinux_advisory-3739.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------
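The Conectiva and Mandrake gdm advisories above give two fixed versions, 2.4.4.4 and 2.4.1.7, and an administrator's first question is which installed versions still need the update. The script below is an added example (not code from the newsletter or from any distributor) that reads a constructed inventory of hostname-to-version strings and classifies each as fixed, vulnerable, or unknown. It assumes the two versions correspond to two maintained branches (2.4.1.x fixed at 2.4.1.7, 2.4.4.x fixed at 2.4.4.4); the advisory only lists the versions, so that mapping is an assumption, and any other branch is reported as unknown rather than guessed at.

```python
import re

# Fixed gdm versions named in the advisory. Assumption (the advisory lists
# only the two versions): 2.4.1.7 fixes the 2.4.1.x branch and 2.4.4.4 fixes
# the 2.4.4.x branch. Keyed by the first three components.
GDM_FIXED_BY_BRANCH = {
    (2, 4, 1): (2, 4, 1, 7),
    (2, 4, 4): (2, 4, 4, 4),
}

# Constructed sample inventory (hostname -> gdm version as printed by the
# package manager, including distributor release suffixes); not real hosts.
SAMPLE_INVENTORY = {
    "ws01": "2.4.1.6-2cl",
    "ws02": "2.4.1.7-1cl",
    "ws03": "2.4.4.3mdk",
    "ws04": "2.4.4.4",
    "ws05": "2.2.5.4",
}


def parse_version(text: str) -> tuple:
    """Extract the leading dotted numeric part of a package version string
    ('2.4.4.4-3cl' -> (2, 4, 4, 4), '2.4.4.3mdk' -> (2, 4, 4, 3)) as a tuple
    of ints, so that versions compare component by component rather than as
    strings ('2.4.4.10' must sort above '2.4.4.4')."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if m is None:
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def gdm_status(installed: str) -> str:
    """Classify an installed gdm version against the advisory.

    Returns 'fixed', 'vulnerable' or 'unknown'. 'unknown' means the advisory
    names no fixed version for that branch, so nothing can be concluded from
    the version number alone and the distributor's package list is the
    authority.
    """
    version = parse_version(installed)
    fixed = GDM_FIXED_BY_BRANCH.get(version[:3])
    if fixed is None:
        return "unknown"
    # Tuple comparison treats a shorter prefix as lower, so a bare "2.4.1"
    # correctly ranks below (2, 4, 1, 7).
    return "fixed" if version >= fixed else "vulnerable"


def check_inventory(inventory: dict) -> dict:
    """Map every host to its status; an unparsable entry becomes 'unknown'
    instead of aborting the whole run."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = gdm_status(version)
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    for host, status in sorted(check_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

One caveat a practitioner should keep in mind: distributors frequently backport fixes without bumping the upstream version number (the Conectiva entry says the fix is in "the packages released with this advisory"), so a version-string check like this is a triage aid, and the distributor's package release listed in the advisory itself remains the authoritative test.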