+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  May 7th, 2004                            Volume 5, Number 19a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for mc, libpng, LHA, httpd, and
rsync. The distributors include Debian, Mandrake, Red Hat, and Trustix.

----

>> Certify your Software Integrity <<

As a software developer you know that the product you make available on
the Internet can be tampered with if it is not secured. Our Free Guide
will show you how to securely distribute your code over the Internet
and how these certificates operate with different software platforms.

Download a guide to learn more:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten06

----

Security Benefit

In today's business world, there is an ever-increasing reliance on
information technology. With this, businesses are discovering new ways
to produce products and offer services with greater efficiency. New
business opportunities are created by the production of digital
products and services. However, with every business opportunity comes
increased risk. IT systems are now a huge target. If a business is not
properly prepared, a single system failure could result in a
catastrophic outcome. Security is greatly important and a necessary
part of keeping IT systems in operation.

Traditionally, security has been viewed as a 'badge and gun' operation.
The most important part is protecting the confidentiality, integrity,
and availability of a system. In the process of improvement, security
practitioners increase the number of firewall rules, increase password
complexity, and impose additional limitations on each user's ability to
access the information they need to conduct daily business. How do
non-security types react to this? Of course, they don't like it!
Security is not seen as a business benefit, but as a hindrance. Rather
than supporting business functions, it is making it more difficult to
do even the simplest tasks. Sadly, increasing a security budget may be
viewed as increasing the difficulty of conducting daily business.

Today, security is changing. Managers are starting to realize that
security only exists to support business. If the business did not
exist, the security department protecting it wouldn't exist. As a
security manager, it is important to deliver value to the business.
This can be done in a number of ways. First, create a security
awareness program that educates others on the importance of protecting
information. Next, only choose controls that are in line with and
appropriate for the information they are protecting. For example,
military-grade security may not be appropriate for internal employee
manuals. However, financial documents may require the tightest
security. Secure appropriately! Finally, metrics are important. Report
to superiors the effectiveness of current security controls. Report the
number of incidents and types from least significant to most.
Demonstrate with numbers how the current security is protecting the
information assets. How many times was your network scanned in the last
month? How many connections did the firewall reject/drop? How much spam
did the filters keep out of inboxes? Good security goes unnoticed and
ignored. It is important to remind management how well you are doing!

Until next time, cheers!
Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

----

Guardian Digital Launches Next Generation Internet Defense & Detection
System

Guardian Digital has announced the first fully open source system
designed to provide both intrusion detection and prevention functions.
Guardian Digital Internet Defense & Detection System (IDDS) leverages
best-in-class open source applications to protect networks and hosts
using a unique multi-layered approach coupled with the security
expertise and ongoing security vigilance provided by Guardian Digital.

http://www.linuxsecurity.com/feature_stories/feature_story-163.html

--------------------------------------------------------------------

Interview with Siem Korteweg: System Configuration Collector

In this interview we learn how the System Configuration Collector (SCC)
project began, how the software works, why Siem chose to make it open
source, and information on future developments.

http://www.linuxsecurity.com/feature_stories/feature_story-162.html

--------------------------------------------------------------------

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give
you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital security
engineers implement the most technologically advanced ideas and methods
into their design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 4/30/2004 - libpng, libpng3
   Out of bounds access vulnerability

   This problem could cause the program to crash if a defective or
   intentionally prepared PNG image file is handled by libpng.
   http://www.linuxsecurity.com/advisories/debian_advisory-4292.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 4/30/2004 - mc
   Multiple vulnerabilities

   Several vulnerabilities in Midnight Commander were found by Jakub
   Jelinek.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4296.html

 4/30/2004 - libpng
   Out of bounds access vulnerability

   Bug could potentially lead to a DoS (Denial of Service) condition in
   a daemon that uses libpng to process PNG images.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4297.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 4/30/2004 - X-Chat
   Buffer overflow vulnerability
   Out of bounds access vulnerability

   An updated X-Chat package is now available that fixes a
   vulnerability which could be exploited by a malicious Socks-5 proxy.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4293.html

 4/30/2004 - LHA
   Multiple vulnerabilities

   Ulf Harnhammar discovered two stack buffer overflows and two
   directory traversal flaws in LHA.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4294.html

 4/30/2004 - httpd
   Denial of service vulnerability

   Updated httpd packages are now available that fix a denial of
   service vulnerability in mod_ssl and include various other bug
   fixes.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4295.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 4/30/2004 - rsync
   Path escape vulnerability

   Please either enable chroot or upgrade to 2.6.1.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4298.html

 4/30/2004 - libpng, proftpd
   Multiple vulnerabilities
   Path escape vulnerability

   Patches for a DoS using libpng and an ACL escape for proftpd.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4299.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------