Linux Advisory Watch - November 28th 2003

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  November 28th, 2003                      Volume 4, Number 47a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for BIND, Ethereal, Glibc, Libnids,
phpSysInfo, Stunnel, EPIC, iproute, Pan, and XFree86. The distributors
include Guardian Digital's EnGarde Linux, Gentoo, Mandrake, and Red Hat.

---

>> Free Trial SSL Certificate from Thawte <<

Take your first step towards giving your online business a competitive
advantage. Test-drive a Thawte SSL certificate our easy online guide will
show you how.

Get started now:
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte28

---

Business and IT centers today are controlled by the growth of the
Internet.  Just in ten years, technology has changed so rapidly that the
old rules no longer apply.  Today, businesses are forced to comply with
the momentum of the Internet, or face extinction. Change is always
difficult, but now more than ever it is necessary. With every change in
business, security must constantly be re- evaluated.

In a typical corporate IT environment, new business requirements arise
each day.  The application development team is constantly being asked to
add new features to software, the networking team is increasingly being
asked to provide access at anywhere, anytime and managers have the
opinion, "make it work now, and no you can't have a budget."  Well, it's
usually not that bad, but you get the idea.  Everyone is being stretched
to the limit and it puts a great strain on the organization.  In the
middle of adding more features, access points, and bandwidth, security is
often forgotten.  That's okay, isn't it?  "We'll just add security later
once we get the system working."

That is exactly the problem all of us have today when working in security.
It is typical to receive a memo at the end of the day stating that ten new
servers is going to be deployed tomorrow morning, then at the end it asks,
"Is this ok with security?" Of course not!  The typical problem that we
all face does not have to do with technology, it is simply a people
problem. Unfortunately, attitudes can't be changed over night.
Sometimes, they may not be able to be changed or years.  The only way to
address this is through a security awareness program.  The smaller the
organization, the easier it should be.  People must be reminded daily that
security is important to the organization, and is a high priority.  The
quickest way to get results, is to get top management on board.  If you
see that key management figures are unwilling to comply, and the
organization is large enough, total security awareness may be an
impossible task.

Security is everyone's problem.  One administrator simply patching a
server each week is a good start, but it shouldn't stop there.  Having
adequate business security depends on many.  Often, it is your job to let
those people know.  I realize that this task harder than it sounds, but
hopefully I've given you some inspiration to begin getting others on
board.  Don't face the fire alone!

Until next time, cheers!
Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

---

Guardian Digital Launches First Secure Small Business Internet
Productivity Solution

Building a complete Internet security and productivity system for your
organization just got a whole lot simpler and more secure with Guardian
Digital Internet Productivity Suite. Web-based management, spam and virus
control, groupware, VPN services, and more!

Find out more now:
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=ips01

--------------------------------------------------------------------

OpenVPN: An Introduction and Interview with Founder, James Yonan In this
article, Duane Dunston gives a brief introduction to OpenVPN and
interviews its founder James Yonan.

http://www.linuxsecurity.com/feature_stories/feature_story-152.html



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: EnGarde          | ----------------------------//
+---------------------------------+

 11/26/2003 - BIND
   cache poisoning vulnerability

   A cache poisoning vulnerability exists in the version of BIND shipped
   with all versions of EnGarde Secure Linux.  Successful exploitation of
   this vulnerability may result in a temporary denial of service until
   the bad record expires from the cache.
   http://www.linuxsecurity.com/advisories/engarde_advisory-3816.html


+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 11/25/2003 - Ethereall
   buffer overflow vulnerability

   These updated ethereal packages fix a security problem found in
   versions prior to 0.9.16. It also fixes several other minor bugs and
   problems.
   http://www.linuxsecurity.com/advisories/fedora_advisory-3814.html


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 11/24/2003 - Ethereal
   multiple vulnerabilities

   It may be possible to make Ethereal crash or run arbitrary code by
   injecting a purposefully malformed packet onto the wire, or by
   convincing someone to read a malformed packet trace file.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3808.html

 11/24/2003 - Glibc
   buffer overrun vulnerability

   A bug in the getgrouplist function can cause a buffer overflow if the
   size of the group list is too small to hold all the user's groups. This
   overflow can cause segmentation faults in user applications. This
   vulnerability exists only when an administrator has placed a user in a
   number of groups larger than that expected by an application.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3809.html

 11/24/2003 - Libnids
   remote code execution

   There is a bug in the part of libnids code responsible for TCP
   reassembly. The flaw probably allows remote code execution.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3810.html

 11/24/2003 - phpSysInfo
   directory traversal

   phpSysInfo contains two vulnerabilities which could allow local files
   to be read or arbitrary PHP code to be executed, under the privileges
   of the web server process.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3811.html


+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 11/21/2003 - freeswan
   directory traversal

   The version of freeswan bundled with the latest kernel update did not
   match the freeswan package which essentially rendered it unuseable.
   This update brings the freeswan package up to date with the kernel
   version.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3803.html

 11/26/2003 - Stunnel
   file descriptor leak

   A vulnerability was discovered in stunnel versions 3.24 and earlier, as
   well as 4.00, by Steve Grubb.  It was found that stunnel leaks a
   critical file descriptor that can be used to hijack stunnel's services.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3815.html


+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 11/24/2003 - EPIC
   Buffer overflow vulnerability

   Updated EPIC packages which fix an exploitable buffer overflow
   vulnerability are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3804.html

 11/24/2003 - iproute
   Local denial of service vulnerability

   Updated iproute packages that close a locally-exploitable denial of
   service vulnerability are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3805.html

 11/24/2003 - stunnel
   Signal-handling vulnerability

   Updated stunnel packages are now available for Red Hat Linux 7.1, 7.2,
   7.3, and 8.0 systems.  These updates address problems stemming from
   improper use of non-reentrant functions in signal handlers.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3806.html

 11/24/2003 - Pan
   Denial of service vulnerability

   Updated Pan packages that close a denial of service vulnerability are
   now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3807.html

 11/25/2003 - XFree86
   Multiple vulnerabilities

   Multiple integer overflows in the transfer and enumeration of font
   libraries in XFree86 allow local or remote attackers to cause a denial
   of service or execute arbitrary code via heap-based and stack-based
   buffer overflow attacks.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3812.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux