+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  December 19th, 2003                      Volume 4, Number 50a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx         ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for lftp, xchat, irssi, BIND,
apache, and GnuPG. The distributors include Fedora, Gentoo, Immunix,
Mandrake, NetBSD, Red Hat, Slackware, Suse, and Turbolinux.

---

>> Get Thawte's NEW Step-by-Step SSL Guide for Apache <<

In this guide you will find out how to test, purchase, install and use
a Thawte Digital Certificate on your Apache web server. Throughout,
best practices for set-up are highlighted to help you ensure efficient
ongoing management of your encryption keys and digital certificates.

Get your copy of this new guide now:
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte29

---

It's now the holiday season and people all around the world are
preparing to take time off to spend with their families. In between
office parties and visions of LEDs from switches and routers dancing
in your head, it is important to think about the possibility of
something going wrong. I'm not talking about someone leaving the
turkey in the oven too long allowing it to dry out, but one of your
servers getting compromised.

You've just been attacked! Can it get worse? Of course, because the
decision makers in the office have the most seniority, they're all
off. You are stuck trying to sort out what happened, and how to get
the critical server up as soon as possible. Your first instinct is to
start contacting all of the individuals who are ultimately
responsible.
Because it is the holidays, suddenly it is impossible to get in contact
with anyone. People have either turned their phones off, or are taking
a vacation someplace sunny. Because you know that the compromised
server is critical to operation, you must get it patched and back
online as soon as possible. What about preserving forensic evidence?
What if the attacker planted a back door? This obviously puts you in a
very sticky situation. You know that management would want the server
to be back online, but because nothing like this has ever happened,
you're unsure how to appropriately respond.

The situation above could have been less stressful if the organization
had an incident response and/or contingency plan in place. I realize
that many of you are from smaller companies and a 50 page plan is
simply not feasible. However, there are several lessons that can be
learned.

Know where people will be over the holidays! Often, people will not be
staying home and will not be reachable at their regular numbers. It is
important to get the contact information from key individuals to
ensure that in the event of an emergency, decisions are still made at
the appropriate level. No one wants to be bothered during their time
off, but more importantly no manager would want bad decisions being
made on their behalf when they are away. Collecting important phone
numbers, putting them in a single email, and circulating them around
the office can make a world of difference.

It isn't always important to have fancy policies and plans; often a
majority of problems can be minimized by setting up clear
communication channels between employees. Proper communication will
minimize the impact of any incident.

I want to wish everyone a warm and safe holiday season.

Until next time, cheers!

Benjamin D.
Thomas
ben@xxxxxxxxxxxxxxxxx

---

FEATURE: OSVDB: An Independent and Open Source Vulnerability Database

This article outlines the origins, purpose, and future of the Open
Source Vulnerability Database project. Also, we talk with Tyler Owen,
a major contributor.

http://www.linuxsecurity.com/feature_stories/feature_story-156.html

--------------------------------------------------------------------

CONCERNED ABOUT THE NEXT THREAT?
EnGarde is the undisputed winner!

Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what
the other Linux vendors are not telling you.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

--------------------------------------------------------------------

Guardian Digital Customers Protected From Linux Kernel Vulnerability

As a result of the planning and secure design of EnGarde Secure Linux,
the company's flagship product, Guardian Digital customers are securely
protected from a vulnerability that led to the complete compromise of
several high-profile open source projects, including those belonging
to the Debian Project.

http://www.linuxsecurity.com/feature_stories/feature_story-155.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

  12/15/2003 - lftp
    Buffer overflow vulnerability

    An attacker could create a carefully crafted directory on a website
    such that, if a user connects to that directory using the lftp
    client and subsequently issues a 'ls' or 'rels' command, the
    attacker could execute arbitrary code on the user's machine.
    http://www.linuxsecurity.com/advisories/fedora_advisory-3880.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

  12/12/2003 - app-crypt/gnupg
    Multiple vulnerabilities
    Buffer overflow vulnerability

    Two flaws have been found in GnuPG 1.2.3 including a format string
    vulnerability and the compromise of ElGamal signing keys.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-3871.html

  12/15/2003 - xchat
    Denial of service vulnerability

    There is a remotely exploitable bug in xchat 2.0.6 that could lead
    to a denial of service attack. This is caused by sending a
    malformed DCC packet to xchat 2.0.6, causing it to crash.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-3878.html

  12/18/2003 - lftp
    Multiple buffer overflow vulnerabilities

    Two buffer overflow problems have been found in lftp, a
    multithreaded command-line based FTP client.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-3894.html

  12/18/2003 - lftp
    Multiple buffer overflow vulnerabilities

    Two buffer overflow problems have been found in lftp, a
    multithreaded command-line based FTP client.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-3895.html

+---------------------------------+
|  Distribution: Immunix          | ----------------------------//
+---------------------------------+

  12/15/2003 - lftp
    Buffer overflow vulnerability

    Ulf Härnhammar has discovered remotely triggerable buffer overflows
    in lftp; this update fixes both of these problems.
    http://www.linuxsecurity.com/advisories/immunix_advisory-3875.html

  12/16/2003 - lftp
    Multiple vulnerabilities

    Advisory updated Tue Dec 16 2003; an employee at Red Hat found
    another bug in lftp that causes a crash when a response from a
    server is a blank line. Currently, we don't expect this to be
    exploitable beyond a crash.
    http://www.linuxsecurity.com/advisories/immunix_advisory-3884.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

  12/12/2003 - net-snmp
    Improper access vulnerability
    Multiple vulnerabilities

    A vulnerability in Net-SNMP versions prior to 5.0.9 could allow an
    existing user/community to gain access to data in MIB objects that
    were explicitly excluded from their view.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3872.html

  12/15/2003 - lftp
    Buffer overflow vulnerability

    A buffer overflow vulnerability was discovered by Ulf Härnhammar in
    the lftp FTP client when connecting to a web server using HTTP or
    HTTPS and using the "ls" or "rels" command on a specially prepared
    directory.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3882.html

  12/18/2003 - irssi
    Remote crash vulnerability

    A vulnerability in versions of irssi prior to 0.8.9 would allow a
    remote user to crash another user's irssi client.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3896.html

+---------------------------------+
|  Distribution: NetBSD           | ----------------------------//
+---------------------------------+

  12/17/2003 - BIND
    Negative cache poisoning

    Several versions of the BIND 8 name server are vulnerable to cache
    poisoning via negative responses. To exploit this vulnerability, an
    attacker must configure a name server to return authoritative
    negative responses for a given target domain.
    http://www.linuxsecurity.com/advisories/netbsd_advisory-3887.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

  12/16/2003 - lftp
    Buffer overflow vulnerability

    An attacker could create a carefully crafted directory on a website
    such that, if a user connects to that directory using the lftp
    client and subsequently issues a 'ls' or 'rels' command, the
    attacker could execute arbitrary code on the user's machine.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3883.html

  12/16/2003 - apache
    Multiple (minor) vulnerabilities

    Updated httpd packages that fix two minor security issues in the
    Apache Web server are now available for Red Hat Linux 8.0 and 9.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3885.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

  12/12/2003 - lftp
    Code parsing vulnerability

    According to the NEWS file, this includes "security fixes in html
    parsing code" which could cause a compromise when using lftp to
    access an untrusted site.
    http://www.linuxsecurity.com/advisories/slackware_advisory-3874.html

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

  12/15/2003 - lftp
    Buffer overflow vulnerability

    When using lftp via HTTP or HTTPS to execute commands like 'ls' or
    'rels', specially prepared directories on the server can trigger a
    buffer overflow in the HTTP handling functions of lftp to possibly
    execute arbitrary code on the client-side.
    http://www.linuxsecurity.com/advisories/suse_advisory-3876.html

+---------------------------------+
|  Distribution: Turbolinux       | ----------------------------//
+---------------------------------+

  12/17/2003 - GnuPG
    Key compromise vulnerability

    Phong Nguyen identified a severe bug in the way GnuPG creates and
    uses ElGamal keys for signing. This is a significant security
    failure which can lead to a compromise of almost all ElGamal keys
    used for signing. Note that this is a real world vulnerability
    which will reveal your private key within a few seconds.
    http://www.linuxsecurity.com/advisories/turbolinux_advisory-3886.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
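As an added example (not code from this newsletter, from GnuPG, or from any of the advisories above), the following Python check parses a GnuPG `--with-colons` key listing and flags ElGamal sign-capable keys of the kind the Turbolinux GnuPG advisory describes as compromised; the sample listing is constructed, and the `scan_keyring` helper assumes a `gpg` binary on PATH.

```python
"""Flag ElGamal sign-capable keys in a GnuPG colon-format key listing.

Added example, not code from the newsletter or from GnuPG. Given the output
of `gpg --with-colons --list-secret-keys` (or --list-keys), it reports every
key or subkey whose public-key algorithm id is 20 (OpenPGP: ElGamal encrypt
or sign), i.e. the ElGamal signing keys the Turbolinux GnuPG advisory calls
compromised. Id 16 is ElGamal encrypt-only, a different key type, not flagged.
"""
import subprocess
from typing import List, Tuple

ELGAMAL_SIGN = "20"    # OpenPGP public-key algorithm id: ElGamal (encrypt or sign)
KEY_RECORDS = {"pub", "sub", "sec", "ssb"}   # record types that carry an algorithm id


def find_elgamal_signing_keys(colon_output: str) -> List[Tuple[str, str, str]]:
    """Return (record_type, key_id, bits) for each key record using algorithm 20.

    Colon-format fields, 0-based: 0 record type, 2 key length in bits,
    3 public-key algorithm id, 4 key id. uid/fpr/other records are skipped.
    """
    hits = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if len(fields) < 5 or fields[0] not in KEY_RECORDS:
            continue
        if fields[3] == ELGAMAL_SIGN:
            hits.append((fields[0], fields[4], fields[2]))
    return hits


def scan_keyring(secret: bool = True) -> List[Tuple[str, str, str]]:
    """Run gpg (assumed to be on PATH) against the local keyring and scan it."""
    listing = "--list-secret-keys" if secret else "--list-keys"
    out = subprocess.run(["gpg", "--with-colons", listing],
                         capture_output=True, text=True, check=True).stdout
    return find_elgamal_signing_keys(out)


# Constructed sample listing (not real keys): a DSA primary key (17) with an
# ElGamal encrypt-only subkey (16), then an ElGamal sign+encrypt key (20).
SAMPLE_LISTING = """\
sec:u:1024:17:1234567890ABCDEF:2003-01-01::::::scESC:
uid:u::::2003-01-01::0000000000000000000000000000000000000000::Example User <user@example.invalid>:
ssb:u:2048:16:FEDCBA0987654321:2003-01-01::::::e:
sec:u:1024:20:0011223344556677:2002-06-15::::::scESC:
"""

if __name__ == "__main__":
    for rec, key_id, bits in find_elgamal_signing_keys(SAMPLE_LISTING):
        print(f"{rec} {key_id}: {bits}-bit ElGamal sign-capable key, revoke and replace it")
```

Any key this reports should be revoked and replaced rather than kept in use, since the advisory above says the private key of such keys can be revealed within a few seconds.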