+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  April 23rd, 2004                         Volume 5, Number 17a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx       ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for cvs, neon, perl, logcheck,
kernel, iproute, xchat, ident2, utempter, cadaver, libneon, MySQL,
samba, utempter, OpenSSL, tcp, IA64, XFree86, tcpdump, and xine. The
distributors include Debian, Fedora, Gentoo, Mandrake, NetBSD, Red Hat,
Slackware, and Trustix.

----

Data Classification

One of the biggest problems in security today is that business
managers and security administrators do not have a good idea of how
much their organization's proprietary data is worth. Consider the
example of a company's client details or schematics for a new product.
How much money should be spent to protect it? Who should access it? If
this information is leaked to competitors, how much impact would it
have on the business? If you aren't asking these types of questions,
you should be. One of the first steps in risk management in any
organization is determining the assets. Later, a value is assigned to
each asset and known risks are either accepted, transferred, or
mitigated. When determining the value of an organization's information,
it can very easily become infinitely complex.
A technique commonly used to assist with the valuation of information
is data classification. The concept involves assigning a label and in
some cases a classification to a piece of information, or a document.
For example, documents in any government agency will be assigned labels
such as unclassified, classified, secret, or top secret. Sometimes
labeling is more granular, including labels such as unclassified but
sensitive, or internal. Most governments implement this in slightly
different ways.

A security classification describes who the information is intended
for. For example, a budgeting document could be labeled classified and
only intended for the finance and accounting departments. This means
that the document's label is classified and the classification is
finance and accounting. In theory, only those individuals in the
finance and accounting departments with classified clearance should be
able to access that particular document.

Assigning labels to information gives security administrators a logical
way to create a protection strategy. Appropriately applying security
controls can be easier if similar data is held in similar places. Back
to the budgeting document example: because it is classified and
intended only for finance or accounting, it should only be stored on a
confidential, accounting or finance data-store/server. It is not always
necessary to have separate servers for each label. Segmentation can be
done just as easily by assigning group permissions to specific
directories on a single server.

Data classification allows managers to more easily determine the type
and quantity of information used by an organization. Also, it can
simplify the security administrator's role of providing consistent
access control across all information used.

Until next time, cheers!

Benjamin D.
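The column's two-part rule (a sensitivity label the reader's clearance must meet, plus a department classification the reader must belong to) and its group-per-directory segmentation, as an added Python example that is not part of the newsletter. The level names are the column's; the readers, the budgeting document and the /srv/data layout are constructed here.

```python
"""Label + classification access check from the column above.
Added example, not newsletter code; sample readers and the /srv/data layout
are constructed here."""
from typing import NamedTuple, FrozenSet

# Sensitivity labels, least to most sensitive (the column's government example).
LEVELS = ("unclassified", "classified", "secret", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


class Document(NamedTuple):
    name: str
    label: str                       # sensitivity label, e.g. "classified"
    classification: FrozenSet[str]   # intended departments, e.g. finance


class Subject(NamedTuple):
    name: str
    clearance: str                   # highest label the person may read
    departments: FrozenSet[str]      # departments the person belongs to


def may_read(subject: Subject, doc: Document) -> bool:
    """Grant only when BOTH of the column's conditions hold: clearance at or
    above the document's label, and membership in a department the document
    is intended for. Unknown labels are refused, not ranked lowest."""
    if subject.clearance not in RANK or doc.label not in RANK:
        return False
    if RANK[subject.clearance] < RANK[doc.label]:
        return False
    if not doc.classification:       # label only, no audience restriction
        return True
    return bool(subject.departments & doc.classification)


def storage_location(doc: Document) -> tuple:
    """Directory, Unix group and mode that segment the document on a single
    server (the column's alternative to a server per label). Mode 0o2770
    shuts out non-members and is setgid so new files inherit the group."""
    audience = "-".join(sorted(doc.classification)) or "all"
    label = doc.label.replace(" ", "-")
    return (f"/srv/data/{label}/{audience}", f"{label}-{audience}", 0o2770)


# Constructed sample data: the column's budgeting document and two readers.
BUDGET = Document("fy2004-budget.ods", "classified", frozenset({"finance", "accounting"}))
ALICE = Subject("alice", "classified", frozenset({"accounting"}))
BOB = Subject("bob", "secret", frozenset({"engineering"}))  # cleared, wrong dept
```

Bob is refused despite his higher clearance because the classification (need-to-know) half of the rule fails independently of the label half.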
Thomas
ben@xxxxxxxxxxxxxxxxx

----

Guardian Digital Launches Next Generation Internet Defense & Detection
System

Guardian Digital has announced the first fully open source system
designed to provide both intrusion detection and prevention functions.
Guardian Digital Internet Defense & Detection System (IDDS) leverages
best-in-class open source applications to protect networks and hosts
using a unique multi-layered approach coupled with the security
expertise and ongoing security vigilance provided by Guardian Digital.

http://www.linuxsecurity.com/feature_stories/feature_story-163.html

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC)
project began, how the software works, why Siem chose to make it open
source, and information on future developments.

http://www.linuxsecurity.com/feature_stories/feature_story-162.html

--------------------------------------------------------------------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 4/17/2004 - cvs
   Multiple vulnerabilities

   Patch fixes bugs for both server and client which allow the creation
   of arbitrary files.
   http://www.linuxsecurity.com/advisories/debian_advisory-4243.html

 4/17/2004 - neon
   Format string vulnerability

   These vulnerabilities could be exploited by a malicious WebDAV server
   to execute arbitrary code with libneon's privileges.

   http://www.linuxsecurity.com/advisories/debian_advisory-4244.html

 4/19/2004 - perl
   Information leak vulnerabilities

   DSA 431-1 incorporated a partial fix for this problem. This advisory
   includes a more complete fix which corrects some additional cases.

   http://www.linuxsecurity.com/advisories/debian_advisory-4245.html

 4/19/2004 - logcheck
   Insecure temporary directory

   This bug may be exploited to write or read arbitrary directories to
   which the user has access.

   http://www.linuxsecurity.com/advisories/debian_advisory-4246.html

 4/19/2004 - kernel 2.4.17
   Multiple vulnerabilities

   This patch takes care of multiple kernel vulnerabilities,
   specifically for kernel 2.4.17 on the PowerPC/apus and S/390
   architectures.

   http://www.linuxsecurity.com/advisories/debian_advisory-4247.html

 4/19/2004 - kernel 2.4.19
   Multiple vulnerabilities

   Several serious problems have been discovered in the Linux kernel.
   This update takes care of Linux 2.4.17 for the MIPS architecture.

   http://www.linuxsecurity.com/advisories/debian_advisory-4248.html

 4/19/2004 - zope
   Arbitrary code execution vulnerability

   A flaw in the security settings of ZCatalog allows anonymous users
   to call arbitrary methods of catalog indexes. The vulnerability also
   allows untrusted code to do the same.

   http://www.linuxsecurity.com/advisories/debian_advisory-4249.html

 4/19/2004 - iproute
   Denial of service vulnerability

   Herbert Xu reported that local users could cause a denial of service
   against iproute, a set of tools for controlling networking in Linux
   kernels.

   http://www.linuxsecurity.com/advisories/debian_advisory-4250.html

 4/21/2004 - xchat
   Buffer overflow vulnerability

   This bug allows an attacker to execute arbitrary code on the user's
   machine.
   http://www.linuxsecurity.com/advisories/debian_advisory-4263.html

 4/22/2004 - ident2
   Buffer overflow vulnerability

   This vulnerability could be exploited by a remote attacker to execute
   arbitrary code with the privileges of the ident2 daemon (by default,
   the "identd" user).

   http://www.linuxsecurity.com/advisories/debian_advisory-4269.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 4/21/2004 - utempter
   Improper directory traversal vulnerability

   An updated utempter package that fixes a potential symlink
   vulnerability is now available.

   http://www.linuxsecurity.com/advisories/fedora_advisory-4265.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 4/19/2004 - cadaver
   Multiple format string vulnerabilities

   There are multiple format string vulnerabilities in the neon library
   used in cadaver, possibly leading to execution of arbitrary code.

   http://www.linuxsecurity.com/advisories/gentoo_advisory-4251.html

 4/19/2004 - XChat
   Stack overflow vulnerability

   XChat is vulnerable to a stack overflow that may allow a remote
   attacker to run arbitrary code.

   http://www.linuxsecurity.com/advisories/gentoo_advisory-4252.html

 4/19/2004 - monit
   Multiple vulnerabilities

   Two new vulnerabilities have been found in the HTTP interface of
   monit, possibly leading to denial of service or execution of
   arbitrary code.

   http://www.linuxsecurity.com/advisories/gentoo_advisory-4253.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 4/19/2004 - utempter
   Multiple vulnerabilities

   Incorrect path validation and denial of service vulnerabilities are
   patched here.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4257.html

 4/20/2004 - libneon
   Format string vulnerabilities

   A number of format string vulnerabilities were discovered in the
   error output handling of Neon.

   http://www.linuxsecurity.com/advisories/mandrake_advisory-4259.html

 4/20/2004 - xine-ui
   Temporary file vulnerability
   Format string vulnerabilities

   This problem could allow local attackers to overwrite arbitrary files
   with the privileges of the user invoking the script.

   http://www.linuxsecurity.com/advisories/mandrake_advisory-4260.html

 4/20/2004 - MySQL
   Temporary file vulnerabilities

   An attacker could create symbolic links in /tmp that could allow for
   overwriting of files with the privileges of the user running the
   scripts.

   http://www.linuxsecurity.com/advisories/mandrake_advisory-4261.html

 4/20/2004 - samba
   Privilege escalation vulnerability

   A user can use smbmnt along with a remote suid program to gain root
   privileges remotely.

   http://www.linuxsecurity.com/advisories/mandrake_advisory-4262.html

 4/22/2004 - utempter
   Update to patch MDKSA-2004:031

   This patch corrects some small problems with the original utempter
   patch, released April 19th.

   http://www.linuxsecurity.com/advisories/mandrake_advisory-4270.html

 4/22/2004 - xchat
   Improper execution vulnerability

   Successful exploitation could lead to arbitrary code execution as
   the user running XChat.

   http://www.linuxsecurity.com/advisories/mandrake_advisory-4271.html

+---------------------------------+
|  Distribution: NetBSD           | ----------------------------//
+---------------------------------+

 4/21/2004 - OpenSSL
   Denial of service vulnerabilities

   This patch fixes two separate Denial of Service vulnerabilities.

   http://www.linuxsecurity.com/advisories/netbsd_advisory-4267.html

 4/21/2004 - tcp
   Denial of service vulnerability

   Patch modifies the TCP/IP stack to minimize the probability of a
   disconnection or data injection attack, even without using IPSec.
   http://www.linuxsecurity.com/advisories/netbsd_advisory-4268.html

+---------------------------------+
|  Distribution: Openwall         | ----------------------------//
+---------------------------------+

 4/19/2004 - kernel
   Multiple vulnerabilities

   Descriptions and links for the newest kernel patches.

   http://www.linuxsecurity.com/advisories/openwall_advisory-4256.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 4/21/2004 - kernel
   Multiple vulnerabilities

   Updated kernel packages that fix several minor security
   vulnerabilities are now available.

   http://www.linuxsecurity.com/advisories/redhat_advisory-4266.html

 4/22/2004 - kernel
   Buffer overflow vulnerability

   Updated kernel packages that fix a security vulnerability which may
   allow local users to gain root privileges are now available.

   http://www.linuxsecurity.com/advisories/redhat_advisory-4272.html

 4/22/2004 - IA64 kernel
   Multiple vulnerabilities

   Updated IA64 kernel packages fix a variety of security
   vulnerabilities.

   http://www.linuxsecurity.com/advisories/redhat_advisory-4273.html

 4/22/2004 - XFree86
   Denial of service vulnerability

   Flaws in XFree86 4.1.0 allow local or remote attackers who are able
   to connect to the X server to cause a denial of service.

   http://www.linuxsecurity.com/advisories/redhat_advisory-4274.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 4/19/2004 - tcpdump
   Denial of service vulnerability

   Upgraded tcpdump packages are available for Slackware 8.1, 9.0, 9.1,
   and -current to fix denial-of-service issues.

   http://www.linuxsecurity.com/advisories/slackware_advisory-4254.html

 4/19/2004 - cvs
   Arbitrary file creation vulnerabilities

   Two separate cvs vulnerabilities, one for the client and one for the
   server, allow the creation of files at arbitrary paths.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4255.html

 4/20/2004 - utempter
   Insecure symlink vulnerability

   Steve Grubb has identified an issue with utempter-0.5.2 where under
   certain circumstances an attacker could cause it to overwrite files
   through a symlink.

   http://www.linuxsecurity.com/advisories/slackware_advisory-4258.html

 4/21/2004 - xine
   Insecure temporary file vulnerability

   This release fixes a security problem where opening a malicious MRL
   could write to system (or other) files.

   http://www.linuxsecurity.com/advisories/slackware_advisory-4264.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 4/16/2004 - ppp/squid
   ACL escape vulnerability
   Insecure temporary file vulnerability

   The PPP fix is a simple bugfix. The Squid fix involves the ability to
   craft a URL to be ignored by Squid's ACLs.

   http://www.linuxsecurity.com/advisories/trustix_advisory-4241.html

 4/16/2004 - kernel
   Multiple vulnerabilities

   This patch fixes a variety of kernel security holes, some filesystem
   related.

   http://www.linuxsecurity.com/advisories/trustix_advisory-4242.html

 4/22/2004 - kernel
   Integer overflow vulnerability

   A successful exploit could lead to full superuser privileges.

   http://www.linuxsecurity.com/advisories/trustix_advisory-4275.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------