+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  March 19th, 2004                         Volume 5, Number 12a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx         ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for xitalk, calife, samba, OpenSSL,
the Linux kernel, httpd, isakmpd, and Mozilla. The distributors include
Debian, EnGarde, FreeBSD, Gentoo, Mandrake, OpenBSD, Red Hat, Slackware,
and SuSE.

----
>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you
the best security and productivity applications available. Collaborating
with thousands of developers, Guardian Digital security engineers
implement the most technologically advanced ideas and methods into their
design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10
----

Programming Faults

Vulnerabilities in CGI scripts and Web applications have been a long-time
problem on the Internet. In my opinion, much of this stems from the fact
that most Web programmers are self-taught, or the university classes they
took did not sufficiently focus on security. Years ago, when I was a kid
first trying to teach myself programming, I was more concerned with making
the programs work than with coding properly. Years later, when I was a
student in computer science courses, I learned many formal aspects of
coding, but not security. The attitude was, and in many cases still is,
"security is something that can be added later, once the application is
fully up and running." The reality is that in many cases it is never
added later, or the security improvements that are made are not
sufficient.
Budgets run out and new projects take priority. Software will never be
secure unless it is a development priority from the beginning.

In the last few years, the landscape has changed. Developers are realizing
that input should never be trusted and should be assumed to be malicious.
Books and online guides are now available to help those wanting to learn
more secure coding techniques. If you are a developer wanting to learn
more, or have developers in your IT department who should be concerned
about security, a great place to start is David Wheeler's Secure
Programming for Linux and Unix HOWTO. It is available at the following
URL:

http://www.linuxsecurity.com/docs/LDP/Secure-Programs-HOWTO/

Simply understanding secure programming techniques is often not enough.
To have a full understanding of the risks involved, exploiting poorly
written code is sometimes necessary. Rather than specifically writing
code to exploit, the WebGoat project can be helpful. It is a project
designed to teach secure programming techniques and demonstrate how the
vulnerabilities can be exploited in the real world. The WebGoat project
is available at the following URL:

http://www.owasp.org/development/webgoat/

Until next time, cheers!

Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

----

Security: MySQL and PHP

This is the second installment of a three-part article on LAMP (Linux,
Apache, MySQL, PHP). In order to safeguard a MySQL server to a basic
level, one has to abide by the following guidelines.

http://www.linuxsecurity.com/feature_stories/feature_story-130.html

--------------------------------------------------------------------

Configure Web/DNS/Mail Securely in 5 Minutes with EnGarde

Web, DNS, and Mail are the building block services of the Internet. In
this article, I show how to set up a Web, DNS, and Mail server with a few
clicks of the mouse using EnGarde Secure Linux.
http://www.linuxsecurity.com/feature_stories/feature_story-161.html

--------------------------------------------------------------------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 3/12/2004 - xitalk
   Missing privilege release
   A local user can exploit this problem and execute arbitrary commands
   under the GID utmp.
   http://www.linuxsecurity.com/advisories/debian_advisory-4131.html

 3/12/2004 - calife
   Buffer overflow vulnerability
   The overflow allows users with any specific superuser privileges in
   /etc/calife.auth to gain general superuser privileges.
   http://www.linuxsecurity.com/advisories/debian_advisory-4132.html

 3/15/2004 - samba
   Privilege escalation vulnerability
   Remote user-owned setuid programs can be accessed via "smbmnt" and
   used to gain local root privileges.
   http://www.linuxsecurity.com/advisories/debian_advisory-4133.html

 3/17/2004 - gdk-pixbuf
   Denial of service vulnerability
   Privilege escalation vulnerability
   A malformed BMP file can remotely crash programs using this library,
   such as Evolution.
   http://www.linuxsecurity.com/advisories/debian_advisory-4137.html

 3/17/2004 - OpenSSL
   Denial of service vulnerabilities
   Resolves two vulnerabilities explained in
   http://www.uniras.gov.uk/vuls/2004/224012/index.htm
   http://www.linuxsecurity.com/advisories/debian_advisory-4143.html

 3/18/2004 - kernel 2.2.x
   Privilege escalation vulnerability
   This patch corrects a root exploit specifically for the 2.2.x kernel
   on the PowerPC platform.
   http://www.linuxsecurity.com/advisories/debian_advisory-4147.html

+---------------------------------+
|  Distribution: EnGarde          | ----------------------------//
+---------------------------------+

 3/17/2004 - OpenSSL
   Denial of service vulnerabilities
   EnGarde Secure Linux is vulnerable to two of three recently discovered
   Denial of Service attacks against OpenSSL.
   http://www.linuxsecurity.com/advisories/engarde_advisory-4136.html

+---------------------------------+
|  Distribution: FreeBSD          | ----------------------------//
+---------------------------------+

 3/17/2004 - OpenSSL
   Denial of service vulnerabilities
   A remote attacker can crash OpenSSL by triggering a null pointer
   dereference.
   http://www.linuxsecurity.com/advisories/freebsd_advisory-4144.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 3/18/2004 - OpenSSL
   Denial of service vulnerabilities
   Three vulnerabilities have been found in OpenSSL via a commercial test
   suite for the TLS protocol developed by Codenomicon Ltd.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4149.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 3/17/2004 - OpenSSL
   Denial of service vulnerabilities
   This update resolves two vulnerabilities in OpenSSL that can remotely
   trigger a crash.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4146.html

+---------------------------------+
|  Distribution: OpenBSD          | ----------------------------//
+---------------------------------+

 3/15/2004 - httpd
   Improper rule non-match
   Using IP addresses without a netmask on big endian 64-bit platforms
   causes the rules to fail to match.
   http://www.linuxsecurity.com/advisories/openbsd_advisory-4134.html

 3/17/2004 - isakmpd
   Denial of service vulnerability
   An attacker can craft malformed payloads that can cause the isakmpd(8)
   process to stop processing requests.
   http://www.linuxsecurity.com/advisories/openbsd_advisory-4141.html

 3/17/2004 - OpenSSL
   Denial of service vulnerability
   A remote attacker can trigger a null-pointer dereference, crashing
   OpenSSL.
   http://www.linuxsecurity.com/advisories/openbsd_advisory-4145.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 3/17/2004 - OpenSSL
   Denial of service vulnerabilities
   Updated OpenSSL packages that fix a remote denial of service
   vulnerability are now available for Red Hat Enterprise Linux 2.1.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4138.html

 3/17/2004 - OpenSSL
   Denial of service vulnerabilities
   Updated OpenSSL packages that fix several remote denial of service
   vulnerabilities are available for Red Hat Enterprise Linux 3.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4139.html

 3/17/2004 - OpenSSL
   Denial of service vulnerabilities
   Updated OpenSSL packages that fix several remote denial of service
   vulnerabilities are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4142.html

 3/18/2004 - Mozilla
   Multiple vulnerabilities
   This patch resolves a DoS attack, a cross-site scripting vulnerability,
   and a cookie path escape vulnerability.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4148.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 3/18/2004 - OpenSSL
   Denial of service vulnerability
   Fixes are available for two potential denial-of-service issues in
   earlier versions of OpenSSL.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4150.html

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

 3/17/2004 - OpenSSL
   Denial of service vulnerabilities
   Resolves a null pointer assignment during the handshake and a crash
   with Kerberos cipher-suite support.
   http://www.linuxsecurity.com/advisories/suse_advisory-4140.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
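The "Programming Faults" editorial above makes the point that a Web application must treat every request parameter as untrusted. The following is an added example, not part of this newsletter or of any project it mentions, showing that point for a CGI-style handler that passes one parameter on to a system command. The unsafe form interpolates the raw value into a shell command line; the hardened form validates it against a strict allowlist grammar (a hostname is assumed here as the expected input type) and passes it to the program as a separate argument with no shell involved. The function names and the sample inputs are constructed for illustration.

```python
import re
import subprocess

# Constructed sample request parameters: one benign value and several of
# the kinds a CGI handler must be prepared to reject.
SAMPLE_INPUTS = [
    "www.example.com",      # well-formed hostname
    "example.com; id",      # shell metacharacters appended to the value
    "-c 100 example.com",   # leading dash: ping would parse it as an option
    "a..b",                 # empty label between the dots
    "",                     # parameter missing entirely
]

# Allowlist grammar for one DNS label (RFC 1123 letters-digits-hyphen):
# 1 to 63 characters, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_hostname(value: str) -> str:
    """Return value unchanged if it is a syntactically valid hostname.

    Raises ValueError otherwise. Validation is by allowlist (what is
    permitted), never by stripping characters believed to be dangerous.
    """
    if not value or len(value) > 253:
        raise ValueError("hostname missing or too long")
    labels = value.rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"invalid hostname: {value!r}")
    return value


def unsafe_command(host: str) -> str:
    """Vulnerable form: the raw parameter is interpolated into a command
    line a caller would hand to the shell (os.system or shell=True).
    Anything the shell treats specially in `host` changes the command."""
    return f"ping -c 1 {host}"


def safe_command(host: str) -> list[str]:
    """Hardened form: validate first, then build an argv list. Passing a
    list with shell=False means no shell ever parses the value, and the
    allowlist already guarantees it cannot start with '-'."""
    return ["ping", "-c", "1", validate_hostname(host)]


def classify(inputs=SAMPLE_INPUTS) -> dict[str, str]:
    """Run each sample through the hardened path and record the verdict."""
    results = {}
    for value in inputs:
        try:
            safe_command(value)
            results[value] = "accepted"
        except ValueError:
            results[value] = "rejected"
    return results


def run_safely(host: str) -> int:
    """Execute the hardened command without a shell; return the exit status."""
    completed = subprocess.run(safe_command(host), shell=False, check=False)
    return completed.returncode


if __name__ == "__main__":
    for value, verdict in classify().items():
        print(f"{value!r:24} -> {verdict}")
    print("unsafe form would run:", unsafe_command("example.com; id"))
```

The two defences are independent and both matter: the argv list removes the shell from the picture, and the allowlist rejects values that are well-formed for the shell but still wrong for the program, such as one beginning with a dash that the called program would read as an option.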