+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  August 13, 2004                              Volume 5, Number 32a  |
+---------------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

This week, advisories were released for apache, Cfengine, Courier,
Ethereal, Gaim, glibc, gnome-vfs, gv, imagemagick, kernel, libpng,
libpng10, mozilla, MPlayer, Nessus, Opera, PuTTY, Roundup, sox,
SpamAssassin, squirrelmail, and shorewall. The distributors include
Conectiva, Debian, Fedora, Gentoo, Mandrake, Openwall, Red Hat,
Slackware, Suse, Trustix, and Turbolinux.

-----

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give
you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital security
engineers implement the most technologically advanced ideas and methods
into their design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

-----

Root Security

Keeping the superuser account secure should be a top priority for any
system. The most sought-after account on your machine is the superuser
account. This account has authority over the entire machine, which may
also include authority over other machines on the network.

Remember that you should only use the root account for very short,
specific tasks and should mostly run as a normal user. Running as root
all the time is a very very very bad idea.

Several tricks to avoid messing up your own box as root:

 - When doing some complex command, try running it first in a
   non-destructive way, especially commands that use globbing: e.g.,
   if you are going to do rm foo*.bak, first do ls foo*.bak and make
   sure you are going to delete the files you think you are. Using
   echo in place of destructive commands also works.
 - Provide your users with a default alias to the /bin/rm command to
   ask for confirmation for deletion of files.

 - Only become root to do single specific tasks. If you find yourself
   trying to figure out how to do something, go back to a normal user
   shell until you are sure what needs to be done by root.

 - The command path for the root user is very important. The command
   path, or the PATH environment variable, defines the locations the
   shell searches for programs. Try to limit the command path for the
   root user as much as possible, and never use '.', meaning 'the
   current directory', in your PATH statement. Additionally, never
   have writable directories in your search path, as this can allow
   attackers to modify or place new binaries in your search path,
   allowing them to run as root the next time you run that command.

 - Never use the rlogin/rsh/rexec (called the "r-utilities") suite of
   tools as root. They are subject to many sorts of attacks, and are
   downright dangerous when run as root. Never create a .rhosts file
   for root.

 - The /etc/securetty file contains a list of terminals that root can
   log in from. By default (on Red Hat Linux) this is set to only the
   local virtual consoles (vtys). Be very careful of adding anything
   else to this file. You should be able to log in remotely as your
   regular user account and then use su if you need to (hopefully over
   ssh or another encrypted channel), so there is no need to be able
   to log in directly as root.

 - Always be slow and deliberate running as root. Your actions could
   affect a lot of things. Think before you type!

Security Tip Written by Dave Wreski (dave@xxxxxxxxxxxxxxxxxxx)
Additional tips are available at the following URL:
http://www.linuxsecurity.com/tips/

----

An Interview with Gary McGraw, Co-author of Exploiting Software:
How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on
securing software, having co-authored the classic Building Secure
Software (Addison-Wesley, 2002).
More recently, he has co-written with Greg Hoglund a companion volume,
Exploiting Software, which details software security from the vantage
point of the other side, the attacker. He has graciously agreed to
share some of his insights with all of us at LinuxSecurity.com.

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

---------------------------------------------------------------------

Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian
Digital, Inc. and respected author of various hardened security and
Linux publications, to talk about how Guardian Digital is changing the
face of IT security today. Guardian Digital is perhaps best known for
their hardened Linux solution EnGarde Secure Linux, touted as the
premier secure, open-source platform for its comprehensive array of
general purpose services, such as web, FTP, email, DNS, IDS, routing,
VPN, firewalling, and much more.

http://www.linuxsecurity.com/feature_stories/feature_story-170.html

------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

 8/11/2004 - libpng Multiple vulnerabilities

   Chris Evans found several vulnerabilities in unpatched libpng
   versions prior to 1.0.16rc1 and 1.2.6rc1.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-4655.html

 8/11/2004 - apache Format string vulnerability

   Ralf S. Engelschall found[1] a dangerous call[2] to the ssl_log
   function in ssl_engine_log.c that could allow remote attackers to
   execute arbitrary messages.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-4656.html

 8/13/2004 - squirrelmail Multiple vulnerabilities

   This patch addresses four vulnerabilities in SquirrelMail,
   including XSS and SQL injection attacks.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-4669.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 8/11/2004 - squirrelmail Multiple vulnerabilities

   This patch addresses multiple Cross Site Scripting and SQL
   Injection vulnerabilities.
   http://www.linuxsecurity.com/advisories/debian_advisory-4653.html

 8/11/2004 - libpng Multiple vulnerabilities

   This patch addresses a large number of vulnerabilities in libpng.
   http://www.linuxsecurity.com/advisories/debian_advisory-4654.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 8/11/2004 - kernel Multiple vulnerabilities

   This updated kernel for Fedora Core 2 contains the security fixes
   as found by Paul Starzetz from isec.pl.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4657.html

 8/11/2004 - libpng10 Multiple vulnerabilities

   Multiple libpng vulnerabilities are backpatched to the old 1.0.x
   libpng libraries.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4658.html

 8/11/2004 - libpng Multiple vulnerabilities

   This patch fixes numerous buffer overflow and pointer dereference
   vulnerabilities that a security audit turned up in libpng 1.2.x.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4659.html

 8/11/2004 - kernel Unsafe pointer vulnerabilities

   A local unprivileged user could make use of these flaws to access
   large portions of kernel memory.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4660.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 8/11/2004 - MPlayer Buffer overflow vulnerability

   When compiled with GUI support MPlayer is vulnerable to a remotely
   exploitable buffer overflow attack.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4645.html

 8/11/2004 - Courier Cross-site scripting vulnerability

   The SqWebMail web application, included in the Courier suite, is
   vulnerable to cross-site scripting attacks.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4646.html

 8/11/2004 - libpng Multiple vulnerabilities

   libpng contains numerous vulnerabilities potentially allowing an
   attacker to perform a Denial of Service attack or even execute
   arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4647.html

 8/11/2004 - PuTTY Buffer overflow vulnerability

   PuTTY contains a vulnerability allowing an SSH server to execute
   arbitrary code on the connecting client.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4648.html

 8/11/2004 - Opera Multiple vulnerabilities

   Several new vulnerabilities were found and fixed in Opera,
   including one allowing an attacker to read the local filesystem
   remotely.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4649.html

 8/11/2004 - SpamAssassin Denial of service vulnerability

   SpamAssassin is vulnerable to a Denial of Service attack when
   handling certain malformed messages.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4650.html

 8/11/2004 - Horde-IMP Input validation vulnerability Denial of service vulnerability

   Horde-IMP fails to properly sanitize email messages that contain
   malicious HTML or script code so that it is not safe for users of
   Internet Explorer when using the inline MIME viewer for HTML
   messages.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4651.html

 8/11/2004 - Cfengine Heap corruption vulnerability

   Cfengine is vulnerable to a remote root exploit from clients in
   AllowConnectionsFrom.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4652.html

 8/13/2004 - Roundup Filesystem access vulnerability

   Roundup will make files owned by the user that it's running as
   accessible to a remote attacker.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4664.html

 8/13/2004 - gv Buffer overflow vulnerability

   gv contains an exploitable buffer overflow that allows an attacker
   to execute arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4665.html

 8/13/2004 - Nessus Race condition vulnerability

   Nessus contains a vulnerability allowing a user to perform a
   privilege escalation attack using "adduser".
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4666.html

 8/13/2004 - Gaim Buffer overflow vulnerability

   Gaim contains a remotely exploitable buffer overflow vulnerability
   in the MSN-protocol parsing code that may allow remote execution of
   arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4667.html

 8/13/2004 - kdebase,kdelibs Multiple vulnerabilities Buffer overflow vulnerability

   KDE contains three security issues that can allow an attacker to
   compromise system accounts, cause a Denial of Service, or spoof
   websites via frame injection.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4668.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 8/11/2004 - libpng Buffer overflow vulnerabilities

   Chris Evans discovered numerous vulnerabilities in the libpng
   graphics library.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4643.html

 8/11/2004 - shorewall Insecure temporary file vulnerability

   The shorewall package has a vulnerability when creating temporary
   files and directories, which could allow non-root users to
   overwrite arbitrary files on the system.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4644.html

 8/13/2004 - gaim Buffer overflow vulnerabilities

   Sebastian Krahmer discovered two remotely exploitable buffer
   overflow vulnerabilities in the gaim instant messenger.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4662.html

 8/13/2004 - mozilla Multiple vulnerabilities

   A large number of Mozilla vulnerabilities is addressed by this
   update.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4663.html

+---------------------------------+
|  Distribution: Openwall         | ----------------------------//
+---------------------------------+

 8/11/2004 - kernel Multiple vulnerabilities

   This corrects the access control check in the Linux kernel which
   previously wrongly allowed any local user to change the group
   ownership of arbitrary NFS-exported/imported files.
   http://www.linuxsecurity.com/advisories/openwall_advisory-4642.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 8/11/2004 - kernel Multiple vulnerabilities

   Updated kernel packages that fix potential information leaks and an
   incorrect driver permission for Red Hat Enterprise Linux 2.1 are
   now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4635.html

 8/11/2004 - kernel Multiple vulnerabilities

   Updated kernel packages that fix several security issues in Red Hat
   Enterprise Linux 3 are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4636.html

 8/11/2004 - libpng Buffer overflow vulnerabilities

   An attacker could create a carefully crafted PNG file in such a way
   that it would cause an application linked with libpng to execute
   arbitrary code when the file was opened by a victim.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4637.html

 8/11/2004 - gnome-vfs VFS Multiple vulnerabilities

   An attacker who is able to influence a user to open a
   specially-crafted URI using gnome-vfs could perform actions as that
   user.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4638.html

 8/11/2004 - glibc Multiple vulnerabilities

   Updated glibc packages that fix a security flaw in the resolver as
   well as dlclose handling are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4639.html

 8/11/2004 - mozilla Multiple vulnerabilities

   Updated mozilla packages based on version 1.4.3 that fix a number
   of security issues for Red Hat Enterprise Linux are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4640.html

 8/11/2004 - Ethereal Multiple vulnerabilities

   Updated Ethereal packages that fix various security vulnerabilities
   are now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4641.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 8/11/2004 - libpng Buffer overflow vulnerabilities

   Exploitation could cause program crashes, or possibly allow
   arbitrary code embedded in a malicious PNG image to execute.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4631.html

 8/11/2004 - mozilla Multiple vulnerabilities

   This is a full upgrade of Mozilla, put in place to remove security
   vulnerabilities whose fixes were not backported.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4632.html

 8/11/2004 - imagemagick Buffer overflow vulnerabilities

   This imagemagick patch fixes issues with PNG images.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4633.html

 8/11/2004 - sox Buffer overflow vulnerabilities

   Fixes buffer overflow security issues that could allow a malicious
   WAV file to execute arbitrary code.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4634.html

+---------------------------------+
|  Distribution: Suse             | ----------------------------//
+---------------------------------+

 8/6/2004 - libpng Multiple vulnerabilities

   Several different security vulnerabilities were found in the PNG
   library which is used by applications to support the PNG image
   format.
   http://www.linuxsecurity.com/advisories/suse_advisory-4626.html

 8/11/2004 - kernel Multiple vulnerabilities

   This patch fixes a large number of kernel vulnerabilities,
   including a recently discovered race condition that can be
   exploited for access to kernel memory.
   http://www.linuxsecurity.com/advisories/suse_advisory-4630.html

 8/12/2004 - gaim Buffer overflow vulnerabilities

   Remote attackers can execute arbitrary code as the user running the
   gaim client.
   http://www.linuxsecurity.com/advisories/suse_advisory-4661.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 8/6/2004 - libpng Multiple vulnerabilities

   This is a roundup patch that fixes all known vulnerabilities with
   respect to libpng.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4627.html

 8/11/2004 - kernel Multiple vulnerabilities

   This roundup patch fixes a large number of kernel vulnerabilities.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4629.html

+---------------------------------+
|  Distribution: Turbolinux       | ----------------------------//
+---------------------------------+

 8/11/2004 - libpng Multiple vulnerabilities

   Multiple buffer overflows and a potential NULL pointer dereference
   in libpng allow remote attackers to execute arbitrary code via
   malformed PNG images.
   http://www.linuxsecurity.com/advisories/turbolinux_advisory-4628.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
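
Added example for the Root Security tip earlier in this issue (not part
of the original newsletter): a POSIX shell function that checks a PATH
string for the problems the tip names, that is '.' or other relative
entries, empty entries (which the shell also searches as the current
directory), and directories writable by group or others. The name
audit_path and its output wording are this example's own.

```sh
#!/bin/sh
# Added example: audit a PATH string against the root PATH rules in the tip.
# audit_path is a hypothetical helper name, not a standard tool.
# Prints one line per finding; exit status 0 if clean, 1 otherwise.
# The body runs in a subshell, so IFS and 'set -f' do not leak to the caller.
audit_path() (
    path_value=$1
    bad=0

    # An empty entry (leading, trailing or doubled ':') is searched as the
    # current directory, exactly like a literal '.'.
    case ":$path_value:" in
        *::*) echo "empty entry: treated as the current directory"; bad=1 ;;
    esac

    IFS=:
    set -f                       # no globbing while splitting on ':'
    for dir in $path_value; do
        case $dir in
            "") continue ;;      # already reported above
            /*) ;;               # absolute: check permissions below
            *)  echo "relative entry: $dir"; bad=1; continue ;;
        esac
        [ -d "$dir" ] || continue
        # Mode string of the directory itself (-d), following symlinks (-L).
        # Character 6 is group write, character 9 is write for others.
        mode=$(ls -ldL "$dir" | cut -c1-10)
        case $mode in
            ?????w*|????????w*)
                echo "group/world-writable: $dir ($mode)"; bad=1 ;;
        esac
    done
    exit "$bad"
)
```

Run it from root's own shell as audit_path "$PATH". A directory owned by
a non-root account is writable by that account too, so ownership is
worth checking separately.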