+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  March 12th, 2004                         Volume 5, Number 11a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx         ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for the Linux kernel, sysstat,
mailman, coreutils, libxml2, mozilla, and kdelibs. The distributors
include Debian, Fedora, Gentoo, Mandrake, OpenBSD, Red Hat, and Trustix.

----

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give
you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital security
engineers implement the most technologically advanced ideas and methods
into their design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

----

Lies, Damn Lies, and Statistics

The recent study released by a British security firm has caused a lot
of controversy. The report concluded that Linux is the "most-breached"
operating system, OS X the least, and Windows floated somewhere in the
middle. Like clockwork, many IT journalists used the report as a basis
for articles. Headlines such as "Apple OS X Server is most secure
system" and "Apple Servers The Most Secure" tend to distort the truth.
Most took the report literally and failed to question the methods used
to gather the statistics. In the meantime, the security firm that
released the report has gained a lot of exposure because of its
controversial findings. I'm not writing this to dispute or agree with
the conclusions.
The debate has been going on for a while and it would be pointless to
rehash the arguments already out there.

My biggest concern is realized when technologically naive management
gets ahold of this information. Rather than fully understanding the
information presented, decisions are made using distorted headlines.
This week, platform X is most secure; next week it will be platform Y.
This type of analysis seems to imply that there is a magic security
silver bullet. Rather than responsible administration, it implies that
security is wholly attributed to choice of software.

Security is extremely hard to measure. Quantifying security in terms of
"most-breached" or "most hacked" is flawed because it does not take
administration faults into account. Some administrators are very
pro-active and can keep a server from being compromised; others are
negligent and leave vulnerabilities open.

As security practitioners or system administrators we should not focus
on flawed reports, but rather concentrate on security best practices.
In the real world, statistics of this sort provide little benefit
because we all have legacy systems to maintain. Appropriate time should
be spent applying security patches and verifying each system is
configured properly. Rather than asking, "Which system is more secure?",
administrators should ask, "Which system will provide the most security
flexibility?" and "Which operating system provides the fastest updates?"

Until next time, cheers!

Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

----

Guardian Digital Introduces Innovative Open Source Approach to
Combating Email Threats

Guardian Digital, the world's premier open source security company, has
introduced Content and Policy Enforcement (CAPE) technology, an
innovative open source software system for securing enterprise email
operations. Unique in its approach, CAPE technology powers the email
security operations of Secure Mail Suite v3.0, the company's enterprise
email and productivity platform.
http://www.guardiandigital.com/company/press/2004/emailthreats.html

--------------------------------------------------------------------

Introduction to Netwox and Interview with Creator Laurent Constantin

In this article Duane Dunston gives a brief introduction to Netwox, a
combination of over 130 network auditing tools. Also, Duane interviews
Laurent Constantin, the creator of Netwox.

http://www.linuxsecurity.com/feature_stories/feature_story-158.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 3/8/2004 - kernel 2.2.19
   Privilege escalation vulnerability

   This is the kernel 2.2.19 backported version of the mremap fix
   that prevents a local root exploit.
   http://www.linuxsecurity.com/advisories/debian_advisory-4113.html

 3/9/2004 - wu-ftpd
   Multiple vulnerabilities

   These vulnerabilities allow a malicious user to bypass directory
   access restrictions and execute arbitrary code.
   http://www.linuxsecurity.com/advisories/debian_advisory-4120.html

 3/10/2004 - python2.2
   Buffer overflow vulnerability

   A crafted IPv6 address can overwrite memory on the stack.
   http://www.linuxsecurity.com/advisories/debian_advisory-4121.html

 3/10/2004 - sysstat
   Insecure temporary file vulnerability

   Crafted symlinks can be used to make sysstat write to or read from
   arbitrary files.
   http://www.linuxsecurity.com/advisories/debian_advisory-4129.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 3/5/2004 - mailman
   Cross-site scripting vulnerability

   A cross-site scripting bug in the 'create' CGI script affects
   versions of Mailman 2.1 before 2.1.3.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4111.html

 3/5/2004 - util-linux
   Information leak vulnerability

   Fixed an information leak in the login program.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4112.html

 3/11/2004 - coreutils
   Integer overflow vulnerability

   An integer overflow in ls in the fileutils or coreutils packages may
   allow local users to cause a denial of service or execute arbitrary
   code.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4130.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 3/8/2004 - libxml2
   Buffer overflow vulnerability

   This bug may be exploited by an attacker to execute arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4114.html

 3/8/2004 - kernel 2.4.x
   Privilege escalation vulnerability

   Exploitation of this bug can allow a local user to run arbitrary
   code as root.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4115.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 3/10/2004 - python2.2
   Buffer overflow vulnerability

   A crafted IPv6 address can overwrite stack memory with executable
   code.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4122.html

 3/10/2004 - gdk-pixbuf
   Denial of service vulnerability

   A malicious BMP file can crash the Evolution mail client.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4123.html

 3/10/2004 - mozilla
   Multiple vulnerabilities

   Various serious vulnerabilities allow remote code execution and the
   reading of authentication information exchanged with one's proxy.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4124.html

 3/10/2004 - kdelibs
   Path restriction escape vulnerability

   Exploitation of this bug allows an attacker to escape the path
   restrictions specified by the cookie originator.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4125.html

+---------------------------------+
|  Distribution: OpenBSD          | ----------------------------//
+---------------------------------+

 3/9/2004 - tcp/ip
   Denial of service vulnerability

   This vulnerability allows a remotely triggered denial of service.
   http://www.linuxsecurity.com/advisories/openbsd_advisory-4119.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 3/9/2004 - wu-ftpd
   Multiple vulnerabilities

   These vulnerabilities allow the escape of home-directory
   restrictions and the execution of arbitrary code.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4118.html

 3/10/2004 - kdelibs
   Path restriction escape vulnerability

   An attacker can escape the path restrictions set by the cookie
   originator.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4126.html

 3/10/2004 - sysstat
   Insecure temporary file vulnerability

   Using symlinks, this bug can be exploited to make sysstat write to
   or read from arbitrary files.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4127.html

 3/10/2004 - gdk-pixbuf
   Denial of service vulnerability

   A malformed BMP file can segfault the mail reader.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4128.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 3/8/2004 - nfs-utils
   Denial of service vulnerability

   Certain incorrect DNS setups would cause rpc.mountd to crash at
   mount time, resulting in a remotely triggered denial of service.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4116.html

 3/8/2004 - libxml2
   Buffer overflow vulnerability

   URLs longer than 4096 bytes would cause an overflow while using
   nanohttp in libxml2.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4117.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
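The sysstat entries above (Debian and Red Hat) describe the classic
insecure-temporary-file bug: a privileged program creates a file under a
predictable name in a shared directory, and a local attacker plants a
symlink at that name first, so the program's own open() writes to
whatever the link points at. The C program below is an added example
written for this issue of the newsletter; it is not sysstat's code and
does not reproduce the sysstat bug itself. It puts the vulnerable open()
pattern next to its hardened form and the mkstemp() alternative, and
builds its own scratch directory, victim file and symlink (the
/tmp/advwatch-* names and the file contents are constructed for the
demo) so that it runs as an unprivileged user on any Linux or BSD box.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (constructed illustration, not sysstat's code):
 * a predictable path opened with O_CREAT but without O_EXCL. If a local
 * attacker has already planted a symlink at `path`, open() follows it
 * and the caller truncates and writes the link target with the caller's
 * privileges. Returns the fd, or -1 with errno set. */
int open_tmp_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: O_EXCL makes creation fail if anything already
 * exists at `path` (a symlink included) and O_NOFOLLOW refuses to
 * follow a symlink in the final component. Returns fd or -1. */
int open_tmp_hardened(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred pattern: let libc pick an unpredictable name and create it
 * atomically with O_CREAT|O_EXCL. `tmpl` must end in "XXXXXX" and is
 * overwritten with the chosen name. Returns fd or -1. */
int create_tmp_unpredictable(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Self-contained demonstration of the attack. Creates a private scratch
 * directory, a "victim" file holding data, and a symlink at a
 * predictable temp name pointing at the victim (the attacker's move),
 * then runs both openers against that name. Returns 1 when the insecure
 * opener followed the link and truncated the victim while the hardened
 * opener refused; 0 otherwise or on setup failure. */
int demo_symlink_attack(void)
{
    char dir[PATH_MAX] = "/tmp/advwatch-demo-XXXXXX";   /* assumed path */
    char victim[PATH_MAX], link[PATH_MAX];
    struct stat st;
    int fd, followed = 0, refused = 0, ok = 0;

    if (mkdtemp(dir) == NULL) {                 /* fall back to cwd */
        strcpy(dir, "advwatch-demo-XXXXXX");
        if (mkdtemp(dir) == NULL)
            return 0;
    }
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);

    /* Victim file with content, standing in for e.g. /etc/passwd. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto cleanup;
    if (write(fd, "important data\n", 15) != 15) {
        close(fd);
        goto cleanup;
    }
    close(fd);

    /* Attacker pre-creates the predictable name as a symlink. */
    if (symlink(victim, link) != 0)
        goto cleanup;

    /* Insecure opener follows the link: the victim ends up truncated. */
    fd = open_tmp_insecure(link);
    followed = (fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0);
    if (fd >= 0)
        close(fd);

    /* Hardened opener fails with EEXIST (O_EXCL); some kernels report
     * ELOOP for O_NOFOLLOW instead. Either way nothing is written. */
    fd = open_tmp_hardened(link);
    refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);

    ok = followed && refused;

cleanup:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return ok;
}

int main(void)
{
    char tmpl[] = "/tmp/advwatch-XXXXXX";        /* assumed path */
    int fd;

    printf("symlink attack demo: %s\n",
           demo_symlink_attack()
               ? "insecure opener followed the link, hardened opener refused"
               : "unexpected result");

    fd = create_tmp_unpredictable(tmpl);
    if (fd >= 0) {
        printf("mkstemp created %s\n", tmpl);
        close(fd);
        unlink(tmpl);
    }
    return 0;
}
```

The check that matters in an audit is the flag set on the open() or
fopen() call: any O_CREAT without O_EXCL (or any fopen("w")) on a name
the attacker can predict in a directory the attacker can write to is
the bug, and O_EXCL alone is enough to close the write side. For files
the program later re-opens by name, prefer mkstemp() so that there is no
predictable name to race at all.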