+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | June 25, 2004 Volume 5, Number 26a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin Thomas dave@xxxxxxxxxxxxxxxxx ben@xxxxxxxxxxxxxxxxx Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. This week, advisories were released for sup, super, rlpr, Multiple, kernel, libpng and Usermin. The distributors include Debian, EnGarde, Fedora, Gentoo, Openwall, Red Hat, Trustix, and Turbolinux. ----- >> Internet Productivity Suite: Open Source Security << Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10 ----- Tripwire Monitoring Tripwire is a program that monitors file integrity by maintainig a database of cryptographic signature for programs and configuration files installed on the system, and reports changes in any of these files. A database of checksums and other characteristics for the files listed in the configuration file is created. Each subsequent run compares any differences to the reference database, and the administrator is notified. The greatest level of assurance that can be provided occurs if Tripwire is run immediately after Linux has been installed and security updates applied, and before it is connected to a network. A text configuration file, called a policy file, is used to define the characteristics for each file that are tracked. Your level of paranoid determines the frequency in which the intergrity of the files are checked. Administration requries constant a ttention to the system changes, and can be time-consuming if used for many systems. Tripwire is available in unsupported commercial binary for Red Hat and similar distributions. Here are several examples: # Create policy file from text file /usr/TSS/bin/twadmin -m P policy.txt # Initialize database according to policy file /usr/TSS/bin/tripwire --init # Print database /usr/TSS/bin/twprint -m d # Generate daily report file /usr/TSS/bin/tripwire -m c -t 1 -M # Update database according to policy file and report file /usr/TSS/bin/tripwire --update --polfile policy/tw.pol --twrfile report/-.twr Security Tip Written by Ryan Maple (ryan@xxxxxxxxxxxxxxxxxxx) Additional tips are available at the following URL: http://www.linuxsecurity.com/tips/tip-25.html Until next time, cheers! Benjamin D. Thomas ben@xxxxxxxxxxxxxxxxx ----- Open Source Leaving Microsoft Sitting on the Fence? The open source model, with special regard to Linux, has no doubt become a formidable competitor to the once sole giant of the software industry, Microsoft. It is expected when the market share of an industry leader becomes threatened, retaliation with new product or service offerings and marketing campaigns refuting the claims of the new found competition are inevitable. However, in the case of Microsoft, it seems they have not taken a solid or plausible position on the use of open source applications as an alternative to Windows. http://www.linuxsecurity.com/feature_stories/feature_story-168.html ------------------------------------------------------------------- Interview with Brian Wotring, Lead Developer for the Osiris Project Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc. He is also the founder of knowngoods.org, an online database of known good file signatures. Brian is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals. http://www.linuxsecurity.com/feature_stories/feature_story-164.html -------------------------------------------------------------------- Guardian Digital Launches Next Generation Secure Mail Suite Guardian Digital, the premier open source security company, announced the availability of the next generation Secure Mail Suite, the industry's most secure open source corporate email system. This latest edition has been optimized to support the changing needs of enterprise and small business customers while continually providing protection from the latest in email security threats. http://www.linuxsecurity.com/feature_stories/feature_story-166.html -------------------------------------------------------------------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ 6/19/2004 - sup Format string vulnerability By explointing this, a remote attacker could potentially cause arbitrary code to be executed with the privileges of the supfilesrv process http://www.linuxsecurity.com/advisories/debian_advisory-4494.html 6/19/2004 - super Format string vulnerability This vulnerability could potentially be exploited by a local user to execute arbitrary code with root privileges. http://www.linuxsecurity.com/advisories/debian_advisory-4500.html 6/19/2004 - www-sql Buffer overflow vulnerability Format string vulnerability Exploiting this vulnerability, a local user could cause the execution of arbitrary code by creating a web page and processing it with www-sql. http://www.linuxsecurity.com/advisories/debian_advisory-4501.html 6/21/2004 - rlpr Format string vulnerabilities By exploiting one of these vulnerabilities, a local or remote user could potentially cause arbitrary code to be executed with the privileges of 1) the rlprd process (remote), or 2) root (local). http://www.linuxsecurity.com/advisories/debian_advisory-4508.html +---------------------------------+ | Distribution: EnGarde | ----------------------------// +---------------------------------+ 6/21/2004 - Multiple 'kernel' vulnerabilities This update fixes several security vulnerabilities in the Linux Kernel shipped with EnGarde Secure Linux. http://www.linuxsecurity.com/advisories/engarde_advisory-4509.html 6/21/2004 - kernel 2.4 Multiple vulnerabilities This update fixes several security vulnerabilities, including the famous "fsave/frstor" vulnerability and an information leak in the e1000 driver. http://www.linuxsecurity.com/advisories/engarde_advisory-4510.html +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ 6/21/2004 - libpng 1.2 Denial of service vulnerability An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash or potentially execute arbitrary code. http://www.linuxsecurity.com/advisories/fedora_advisory-4506.html 6/21/2004 - libpng 1.0 Denial of service vulnerability An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash or potentially execute arbitrary code when opened by a victim. http://www.linuxsecurity.com/advisories/fedora_advisory-4507.html +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ 6/18/2004 - Usermin Multiple vulnerabilities Usermin contains two security vulnerabilities which could lead to a Denial of Service attack and information disclosure. http://www.linuxsecurity.com/advisories/gentoo_advisory-4485.html +---------------------------------+ | Distribution: Openwall | ----------------------------// +---------------------------------+ 6/21/2004 - kernel Multiple vulnerabilities This update fixes multiple security-related bugs in the Linux kernel as well as two non-security bugs in the patch itself. This includes the now-famous DoS bug. http://www.linuxsecurity.com/advisories/openwall_advisory-4504.html +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ 6/18/2004 - libpng Buffer overflow vulnerability Updated libpng packages that fix a possible buffer overflow are now available. http://www.linuxsecurity.com/advisories/redhat_advisory-4486.html 6/21/2004 - kernel Multiple vulnerabilities This contains two similar advisories, once set fixing RHEE 3, and the other RHEE 2.1. Patch addresses two DoS attacks and several vulnerable drivers. http://www.linuxsecurity.com/advisories/redhat_advisory-4503.html +---------------------------------+ | Distribution: Trustix | ----------------------------// +---------------------------------+ 6/21/2004 - kernel Multiple vulnerabilities During checks of the Linux 2.6 source using an automated tool called sparse, several issues were discovered. Some of these were discovered to also apply to the 2.4 series of the Linux kernel. http://www.linuxsecurity.com/advisories/trustix_advisory-4502.html +---------------------------------+ | Distribution: Turbolinux | ----------------------------// +---------------------------------+ 6/19/2004 - kernel Denial of service vulnerability The vulnerability allows an attacker to make the cause of the denial of service of the kernel. http://www.linuxsecurity.com/advisories/turbolinux_advisory-4493.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------
