+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  November 7th, 2003                       Volume 4, Number 44a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for bugzilla, fileutils, postgresql,
apache, CUPS, and thttpd. The distributors include Conectiva, Guardian
Digital's EnGarde Linux, Gentoo, Immunix, Mandrake, RedHat, Slackware,
and SuSE.

>> Get Thawte's NEW Step-by-Step SSL Guide for Apache <<

In this guide you will find out how to test, purchase, install and use
a Thawte Digital Certificate on your Apache web server. Throughout,
best practices for set-up are highlighted to help you ensure efficient
ongoing management of your encryption keys and digital certificates.

Get your copy of this new guide now:
Click Command: http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte26

Although the update has been out for several weeks, the SANS Top20 list
still remains important. For administrators and management, it is a good
way to get an idea of some of the most vulnerable services. Although
best practice should dictate that these services have already been
eliminated or secured, this is often not the case. The SANS Top20 should
be an eye-opener to those who do not regularly patch and update systems.

Both the problem and beauty of the Top20 list is its length. For those
of us with only Unix and/or Linux based servers, the list is cut down to
10. Some of the vulnerabilities listed are related to BIND, RPC, Apache,
passwords, and clear text services. The list is very useful because its
length gives people a quick idea of some of the biggest problems.
My concern is that diligence will stop after number 10. After each of
the 10 Unix system vulnerabilities is addressed, administrators may have
a false sense of security. It is equally important to ensure that all
other services have been patched. One of the most common-sense ways to
reduce this workload is simply not to start services, or install
software, that may be a potential problem in the future. Living with
only the minimum necessary requirements is often difficult. For example,
when installing a particular flavor of Linux, it takes much more time to
individually choose the packages you require than to simply install a
pre-configured server configuration.

The Top20 list should only be a starting point for those wishing to
maintain a secure network. After each item on the list has been
addressed, security staff should then strive to achieve compliance with
standards such as BS-7799/ISO-17799, NIST security standards, the ISF's
Standard of Good Practice, and others. Once again, the recurring theme
in information security is process and standardization. The absolute
best way to achieve a secure operating environment is the continual
re-evaluation of policies, procedures, and practices.

Until next time, cheers!

Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

---

CONCERNED ABOUT THE NEXT THREAT?
EnGarde is the undisputed winner!

Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what
the other Linux vendors are not telling you.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

--------------------------------------------------------------------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

 11/6/2003 - bugzilla
   multiple vulnerabilities

   Several vulnerabilities have been announced and are being fixed in
   this update.
   http://www.linuxsecurity.com/advisories/connectiva_advisory-3760.html

 11/6/2003 - apache
   multiple vulnerabilities

   New versions of the Apache web server have been made available with
   the following security fixes.
   http://www.linuxsecurity.com/advisories/connectiva_advisory-3761.html

+---------------------------------+
|  Distribution: EnGarde          | ----------------------------//
+---------------------------------+

 11/4/2003 - 'openssl' ASN.1 parsing DoS
   multiple vulnerabilities

   This vulnerability (triggered by certain ASN.1 sequences which cause
   a large recursion) is only believed to be exploitable as a denial of
   service on the Windows platform at this time.
   http://www.linuxsecurity.com/advisories/engarde_advisory-3757.html

 11/5/2003 - 'apache' mod_alias and mod_rewrite buffer overflow
   multiple vulnerabilities

   A buffer overflow in mod_alias and mod_rewrite was discovered in the
   Apache web server. This vulnerability may be exploited when a regular
   expression with more than nine captures is defined in either the
   httpd.conf or an .htaccess file.
   http://www.linuxsecurity.com/advisories/engarde_advisory-3759.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 10/31/2003 - net-www/apache Buffer overflow vulnerability
   multiple vulnerabilities

   A buffer overflow could occur in mod_alias and mod_rewrite when a
   regular expression with more than 9 captures is configured.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3753.html

+---------------------------------+
|  Distribution: Immunix          | ----------------------------//
+---------------------------------+

 10/31/2003 - fileutils
   Memory exhaustion vulnerability

   An off-by-one attack that may lead to a memory exhaustion
   vulnerability has been fixed.
   http://www.linuxsecurity.com/advisories/immunix_advisory-3749.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 11/3/2003 - postgresql
   Buffer overflow vulnerability

   Two bugs were discovered that lead to a buffer overflow in PostgreSQL
   versions 7.2.x and 7.3.x prior to 7.3.4, in the abstract data type
   (ADT) to ASCII conversion functions.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3755.html

 11/3/2003 - apache
   Buffer overflow vulnerability

   A buffer overflow in mod_alias and mod_rewrite was discovered in
   Apache versions 1.3.19 and earlier as well as Apache 2.0.47 and
   earlier.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3756.html

 11/6/2003 - CUPS
   denial of service vulnerability

   A bug in the Internet Printing Protocol (IPP) implementation of CUPS
   versions prior to 1.1.19 would cause CUPS to enter a busy loop, which
   could result in a Denial of Service (DoS) condition.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3762.html

+---------------------------------+
|  Distribution: RedHat           | ----------------------------//
+---------------------------------+

 11/3/2003 - CUPS
   Denial of Service vulnerability

   Updated CUPS packages that fix a problem where CUPS can hang are now
   available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3754.html

 11/6/2003 - fileutils
   denial of service vulnerability

   Georgi Guninski discovered a memory starvation denial of service
   vulnerability in the ls program.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3763.html

 11/6/2003 - CUPS
   denial of service vulnerability

   Paul Mitcheson reported a situation where the CUPS Internet Printing
   Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would
   get into a busy loop.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3764.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 11/4/2003 - apache
   multiple vulnerabilities

   These updates fix local vulnerabilities that could allow users who
   can create or edit Apache config files to gain additional privileges.
   http://www.linuxsecurity.com/advisories/slackware_advisory-3758.html

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

 11/1/2003 - thttpd
   Remote privilege escalation vulnerability

   A buffer overflow and a privilege escalation vulnerability have been
   fixed.
   http://www.linuxsecurity.com/advisories/suse_advisory-3752.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
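Added example (not code from LinuxSecurity.com, any of the distributors,
or the Apache project): the mod_alias / mod_rewrite entries above for
EnGarde, Gentoo, Mandrake and Slackware all give the same trigger, a
regular expression with more than nine captures in httpd.conf or an
.htaccess file, so a quick way to triage a server before the updated
packages are installed is to look for exactly that in the configuration.
The Python script below does so over a constructed sample configuration.
The nine-capture threshold is the one the advisories state; which
directives take a regular expression, and in which argument position,
is this example's reading of the Apache mod_alias and mod_rewrite
documentation and is not something the advisories spell out. It is a
triage aid, not a fix; the fix is the updated package from your
distributor.

```python
"""Flag Apache regex directives with more than nine capture groups.

Added example for the advisories above; not from LinuxSecurity.com, the
distributors, or the Apache project. Directive list and regex argument
positions are assumptions taken from the mod_alias / mod_rewrite docs.
"""
from typing import List, NamedTuple

# Largest number of capture groups the advisories treat as safe.
MAX_SAFE_CAPTURES = 9

# directive (lower-cased) -> index of its regex argument after splitting.
# RedirectMatch takes an optional status first, so its regex is always the
# second-to-last argument; RewriteCond's regex follows the TestString.
PATTERN_ARG_INDEX = {
    "aliasmatch": 1,
    "scriptaliasmatch": 1,
    "redirectmatch": -2,
    "rewriterule": 1,
    "rewritecond": 2,
}


class Hit(NamedTuple):
    line_no: int
    directive: str
    pattern: str
    captures: int


def count_captures(pattern: str) -> int:
    """Count capturing groups: a '(' that is not backslash-escaped, not
    inside a bracket expression, and not a '(?...' group (PCRE syntax,
    Apache 2.0 only; Apache 1.3's regex engine has no such groups)."""
    count, i, in_class, n = 0, 0, False, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                 # escaped char: skip it and its escape
            i += 2
            continue
        if in_class:
            if c == "]":
                in_class = False
        elif c == "[":
            in_class = True
            # ']' directly after '[' or '[^' is a literal, not the closer
            if i + 1 < n and pattern[i + 1] == "^":
                i += 1
            if i + 1 < n and pattern[i + 1] == "]":
                i += 1
        elif c == "(" and not (i + 1 < n and pattern[i + 1] == "?"):
            count += 1
        i += 1
    return count


def split_args(line: str) -> List[str]:
    """Split a directive line on whitespace, honouring double quotes and
    keeping backslashes (shlex would strip the regex escapes)."""
    args, cur, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def find_risky_directives(config_text: str) -> List[Hit]:
    """Return every regex directive whose pattern has more than
    MAX_SAFE_CAPTURES capture groups, with its 1-based line number."""
    hits = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        args = split_args(line)
        if len(args) < 3:             # not "directive regex target"
            continue
        idx = PATTERN_ARG_INDEX.get(args[0].lower())
        if idx is None:               # not a regex-taking directive
            continue
        pattern = args[idx]
        n = count_captures(pattern)
        if n > MAX_SAFE_CAPTURES:
            hits.append(Hit(line_no, args[0], pattern, n))
    return hits


# Constructed sample configuration for this example, not a real server's.
SAMPLE_CONFIG = r"""# constructed sample; mixes safe and risky directives
ServerName www.example.com
Alias /icons/ "/var/www/icons/"
AliasMatch ^/img/(.*)\.(gif|jpe?g|png)$ /var/www/images/$1.$2
RewriteEngine on
RewriteRule ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)$ /x?$1$2$3$4$5$6$7$8$9 [L]
RedirectMatch permanent ^/old/(\d+)/(\d+)$ http://www.example.com/new/$1/$2
RewriteCond %{REQUEST_URI} ^/(1)(2)(3)(4)(5)(6)(7)(8)(9)(10)(11)/
ScriptAliasMatch "^/cgi/([^/]+)/(.*)" "/var/www/cgi-bin/$1/$2"
"""

if __name__ == "__main__":
    for hit in find_risky_directives(SAMPLE_CONFIG):
        print(f"line {hit.line_no}: {hit.directive} has {hit.captures} "
              f"captures (> {MAX_SAFE_CAPTURES}): {hit.pattern}")
```

Run it over httpd.conf and over every .htaccess under the document
root, not just the main file: as the Slackware entry notes, the
realistic attacker is a local user who can write an Apache config file,
and .htaccess is the one such users commonly control. Continuation
lines and Include directives are not followed, so feed each file in
separately.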