Linux Advisory Watch - October 24th 2003

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  October 24th, 2003                       Volume 4, Number 42a |
+----------------------------------------------------------------+

   Editors:     Dave Wreski                Benjamin Thomas
                dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for ircd, gdm, fileutils, sane, and
fetchmail.  The distributors include Conectiva, Immunix, Mandrake, and
Turbolinux.

---

 >> FREE Apache SSL Guide from Thawte  <<

Are you worried about your web server security?  Click here to get a FREE
Thawte Apache SSL Guide and find the answers to all your Apache SSL
security needs.

  Click Command:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=vertad_thawteapache

---

This week, Ballmer's comments comparing Windows and Linux Security have
been all over the press.  As you might suspect, the GNU/Linux community
instantly fired back rebutting all of his points. Personally, I believe he
was comparing apples and oranges and exploiting the ignorance people have
for security.  Fear, uncertainty, and doubt is a common theme that we
should come to expect.  Unfortunately, some believe everything they are
being told without any verification of the facts.

The point of this commentary is not to make any arguments for or against
the security of Linux, but to re-emphasize the point that the ultimate
responsibility for security rests with the person(s) who have chosen to
implement a particular piece of software.  For instance, by choosing to
set up a Linux-based web server, you take on the responsibility of
ensuring that the bare minimum is installed, access is strictly
controlled, and the system is patched as much as necessary.
Unfortunately, there will always be vulnerabilities in software due to
sloppy programming.  I am not trying to discount the responsibility of
software makers; I am merely suggesting that security isn't something that
is controlled at a single point.  Security is everyone's responsibility.

When choosing to implement a piece of software, security should be one of
the most significant factors.  Does the vendor provide timely updates?
If something goes horribly wrong, can I fix it myself?  What is the
security history of this software?  All of these questions are important
and should be addressed.  I just wanted to emphasize that security
shouldn't be a game of "my OS has fewer vulnerabilities than yours"; the
point should be "how easily can the problem be fixed, and/or how long do I
have to wait for an update."  Security is the responsibility of all at
many levels and we shouldn't forget that.

Until next time, cheers!
Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

---

EnGarde GDSN Subscription Price Reduction -
Guardian Digital, the world's premier open source security company,
announced today that they will be reducing the annual subscription cost of
the Guardian Digital Secure Network for EnGarde Community users from $229
to $60 for a limited time.

http://www.linuxsecurity.com/feature_stories/feature_story-151.html

--------------------------------------------------------------------

CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
thanks to the depth of its security strategy..." Find out what the other
Linux vendors are not telling you.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

--------------------------------------------------------------------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

  10/17/2003 - ircd
    DoS vulnerability

    A buffer overflow vulnerability has been discovered that may allow an
    attacker to crash the ircd server, thus causing a denial of service
    condition. The package released with this advisory includes a patch
    that fixes the problem.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3736.html

  10/17/2003 - gdm
    DoS Vulnerabilities

    Jarno Gassenbauer found two local denial of service vulnerabilities in
    GDM, both fixed in versions 2.4.4.4 and 2.4.1.7 and in the packages
    released with this advisory:
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3737.html

  10/22/2003 - fileutils
    denial of service vulnerability

    There is a memory starvation denial of service vulnerability in the ls
    program. It is possible to make ls allocate a huge amount of memory by
    calling it with the parameters "-w X -C"  (where X is an arbitrary
    large number).
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3741.html

  10/22/2003 - sane
    tmp file vulnerabilities

    This update fixes several vulnerabilities in the sane package.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3742.html


+---------------------------------+
|  Distribution: Immunix          | ----------------------------//
+---------------------------------+

  10/20/2003 - fetchmail
    Multiple vulnerabilities

    This update fixes several bugs in fetchmail, including a broken
    boundary condition check in the multidrop code, a header overflow that
    neglected to account for '@' signs in email addresses, a
    header-rewriting bug, and a head-reading bug.
    http://www.linuxsecurity.com/advisories/immunix_advisory-3738.html


+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

  10/17/2003 - gdm
    multiple vulnerabilities

    Two vulnerabilities were discovered in gdm by Jarno Gassenbauer that
    would allow a local attacker to cause gdm to crash or freeze.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3734.html

  10/17/2003 - fetchmail
    denial of service vulnerability

    A bug was discovered in fetchmail 6.2.4 where a specially crafted
    email message can cause fetchmail to crash.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3735.html


+---------------------------------+
|  Distribution: Turbolinux       | ----------------------------//
+---------------------------------+

  10/20/2003 - kernel/kdebase Multiple updates
    denial of service vulnerability

    Multiple issues in the Linux kernel and KDM have been resolved.
    http://www.linuxsecurity.com/advisories/turbolinux_advisory-3739.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
