+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  March 26th, 2004                         Volume 5, Number 13a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx    ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for ecartis, OpenSSL, httpd, and
sysstat. The distributors include Debian, Fedora, Red Hat, and Trustix.

----

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give
you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital security
engineers implement the most technologically advanced ideas and
methods into their design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

----

Security Mindset

Information security is a game that is played by many roles. While it
is not always appropriate to box people in with labels, I think you'll
find that most people fit into one of these categories.

First, the authoritative mindset: This view is primarily held by law
enforcement officials and others who encourage strict laws and
punishment regarding information security. In the example of a system
compromise, the perpetrator should be caught and punished to the
fullest extent of the law. Later, the case should be used as an example
to deter further crime.

Contrastingly, the liberated or 'hacker' mindset: The view is held that
all information should be free and that breaking into a system is not
actually doing any harm. The liberated view sees security controls as
a challenge rather than protection.
By breaking poorly constructed security mechanisms, he/she is actually
doing society a favor by making it public.

Next, the popular mindset: How does the press view the compromise? What
is the general public saying about it? Is anyone concerned? Often,
crackers are immortalized in books, movies, and television, giving the
public the wrong impression. Hyped media can create public hysteria and
panic. In the case of a high-profile compromise, the information
filtered to the public can cause people to make poor decisions when
faced with technology.

Finally, the security professional's view: We know that many
compromises are a direct result of negligence (either programmer or
administrator), and in most cases the cracker(s) involved are much less
skilled than seen in movies. A security professional's primary task is
to secure a system up to the management's accepted level of risk, while
maintaining business objectives. Security is a necessity for conducting
business. After a system is compromised, the security professional is
most concerned with minimizing business impact. Next, it is important
to analyze faults in the system and prevent it from happening again.

At this point, you're probably asking yourself, "What mindset do I fall
under?" My guess is that most of you are technically system
administrators or security practitioners, but slightly fall into all of
them. Security is an issue that has nearly 1024 shades of grey.
Security breaches can be stressful. Having a firm understanding of the
views of those you are working closely with can help the overall
success of the investigation.

Until next time, cheers!
Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

----

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC)
project began, how the software works, why Siem chose to make it open
source, and information on future developments.
http://www.linuxsecurity.com/feature_stories/feature_story-162.html

--------------------------------------------------------------------

Security: MySQL and PHP

This is the second installment of a three-part article on LAMP (Linux,
Apache, MySQL, PHP). In order to safeguard a MySQL server to the basic
level, one has to abide by the following guidelines.

http://www.linuxsecurity.com/feature_stories/feature_story-130.html

--------------------------------------------------------------------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 3/24/2004 - ecartis
   Multiple vulnerabilities

   New version fixes multiple buffer overflows plus a password
   disclosure vulnerability.
   http://www.linuxsecurity.com/advisories/debian_advisory-4155.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 3/23/2004 - OpenSSL
   Denial of service vulnerabilities

   This update includes OpenSSL packages to fix two security issues
   affecting OpenSSL 0.9.7a which allow denial of service attacks.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4154.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 3/23/2004 - httpd
   Denial of service vulnerability

   Updated httpd packages are now available that fix a denial of
   service vulnerability in mod_ssl.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4153.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 3/19/2004 - sysstat
   Insecure temporary file vulnerability

   This patch removes the isag script, which creates insecure
   temporary files.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4151.html

 3/19/2004 - OpenSSL
   Denial of service vulnerability

   Several holes were discovered that could lead to denial of service
   (DoS) attacks on SSL-enabled services.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4152.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------