Linux Advisory Watch - January 2nd 2004

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  January 2nd, 2004                         Volume 5, Number 1a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for xsok, cvs, and proftpd.  The
distributors include Debian, Gentoo, and Mandrake.

---

>> Get Thawtes NEW Step-by-Step SSL Guide for Apache <<

In this guide you will find out how to test, purchase, install and use a
Thawte Digital Certificate on you Apache web server. Throughout, best
practices for set-up are highlighted to help you ensure efficient ongoing
management of your encryption keys and digital certificates.

Get your copy of this new guide now:
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte29

---

One of the best parts of having a profession in information security and
IT, is the opportunity to continue learning.  To survive, one must
constantly stay on top of changing technology.  The problem with this is
that most of us do not have time to read books, journals, or simply
conduct adequate research on the Internet.  We are constantly trying to
extinguish fires and only gather enough information to do a particular
job.  Unfortunately, it seems there is never enough time to simply read a
little deeper, just to satisfy our own curiosities.

Being the new year, many of us have made new year's resolutions. For most
of us in IT, this involves learning something new. Perhaps you wish to
learn a new programming language, diagramming technique, or wish to build
a personal server for a particular function.  Many of us have no trouble
making personal goals, but following through is a different story.
Something that has worked well for me in the past is starting small, and
trying to accomplish the smallest tasks first.  This will give you the
feeling that progress is being made and the momentum will push you through
the larger tasks.  For example, if you have seven books you wish to read
this year, read the smallest one first.

For those of you who wish to have a better understanding of cryptography
in 2004, I have found the perfect book to get you started.  It is,
"Cryptography: A Very Short Introduction," by Fred Piper and Sean Murphy.
This book was published by Oxford press in 2002.  Rather than give
specific implementation examples, this book focuses on how several modern
algorithms work, uses of cryptography, and key management.  This book will
gives the proper foundation of knowledge necessary to evaluate products
and vendor claims. Also, if you are planning a large crypto software
development project this year, this book is the perfect primer to other
more specific cryptography related books.

The book is only 142 pages long and can fit in a shirt pocket. It is well
written and easy to read.  The book is filled with tables, charts, and
examples to explain the concepts.  This book should be read by upper
management and all others down the chain.  It could serve to demystify the
purpose and uses of cryptography in any organization.

The book can be easily found at Amazon.com for $9.95 USD.

Until next time, cheers!
Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

---

FEATURE: OSVDB: An Independent and Open Source Vulnerability Database This
article outlines the origins, purpose, and future of the Open Source
Vulnerability Database project. Also, we talk to with Tyler Owen, a major
contributor.

http://www.linuxsecurity.com/feature_stories/feature_story-156.html

--------------------------------------------------------------------

CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
thanks to the depth of its security strategy..." Find out what the other
Linux vendors are not telling you.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

--------------------------------------------------------------------

Guardian Digital Customers Protected From Linux Kernel Vulnerability

As a result of the planning and secure design of EnGarde Secure Linux, the
company's flagship product, Guardian Digital customers are securely
protected from a vulnerability that lead to the complete compromise of
several high-profile open source projects, including those belonging to
the Debian Project.

http://www.linuxsecurity.com/feature_stories/feature_story-155.html


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 12/30/2003 - xsok
   Missing privelige release

   Steve Kemp discovered a problem in xsok, a single player strategy game
   for X11, related to the Sokoban game, which leads a user to execute
   arbitrary commands under the GID of games.
   http://www.linuxsecurity.com/advisories/debian_advisory-3902.html


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 12/29/2003 - cvs
   Privilege escalation vulnerability

   This release adds code to the CVS server to prevent it from continuing
   as root after a user login, as an extra failsafe against a compromise
   of the CVSROOT/passwd file.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3901.html


+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 12/31/2003 - proftpd
   Root access vulnerability

   A vulnerability was discovered by X-Force Research at ISS in ProFTPD's
   handling of ASCII translation.  An attacker, by downloading a carefully
   crafted file, can remotely exploit this bug to create a root shell.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3903.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux