+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  August 27th, 2004                            Volume 5, Number 34a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for ruby, rsync, kdelibs, mysql,
acroread, Tomcat, glibc, xine-lib, courier-imap, spamassassin, qt3, ftpd,
Netscape, and the Linux kernel. The distributors include Debian, Fedora,
Gentoo, Mandrake, NetBSD, Red Hat, SuSE, and Trustix.

-----

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you
the best security and productivity applications available. Collaborating
with thousands of developers, Guardian Digital security engineers
implement the most technologically advanced ideas and methods into their
design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

-----

Using swatch for log analysis

With most services, when anything slightly significant happens, a message
about it is reported to syslogd. The sooner the administrator is aware of
the message, the sooner they can act on it if action is needed. With log
files thousands of lines long, a log checker is needed both to save time
and to make sure an indication of trouble is not missed.

Swatch stands for Simple WATCHer. Other log analysis software scans the
logs periodically, so it can tell you what HAS happened. Swatch can do
this too, but it can also scan log entries as syslogd writes them and tell
you what IS happening. Beyond reporting, swatch can take actions when it
encounters certain log messages.

Installation:

First, download the newest version of swatch.
Then run:

    perl Makefile.PL
    make
    make test
    make install
    make realclean

After swatch is installed, Perl modules that swatch depends on may also
have to be downloaded (perl Makefile.PL reports any prerequisites that
are missing).

Configuration:

Swatch uses regular expressions to find lines of interest. Once swatch
finds a line that matches a pattern, it takes an action, such as printing
the line to the screen, emailing it, or running a user-defined command.

    watchfor   /[dD]enied|DEN.*ED/
        echo bold
        bell 3
        mail
        exec "/etc/call_pager 5551234 08"

This is an example of a section of a swatch configuration file. First,
swatch looks for a line that contains "denied", "Denied", or "DEN"
followed later on the same line by "ED" (the | in the pattern separates
the alternatives). Once it finds a line that contains one of these, it
echoes the line in bold on the terminal and sounds the bell (^G) 3 times.
Then swatch mails the line to the user running swatch (usually root) and
executes /etc/call_pager with the given arguments. Note that exec runs a
command for every matching line, so a noisy pattern can trigger it very
often.

    ignore /sendmail/,/fax/,/unimportant stuff/

In this example, lines containing sendmail, fax, or unimportant stuff are
ignored, even if they would otherwise match one of the watchfor patterns.
Swatch checks rules in the order they appear in the file and stops at the
first one that matches, so an ignore rule must be placed before the
watchfor rules it is meant to override.

Use:

Using swatch is very simple. To check an existing log file once, run:

    swatch --config-file=/home/chris/swatch.conf --examine=/var/log/messages

This assumes that the configuration file for swatch is located at
/home/chris/swatch.conf and that the file to be checked is called
/var/log/messages.
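The rule semantics described above, as an added example that is not swatch's own code and not part of the original tip: a small Python watcher that parses a swatch-like configuration (watchfor and ignore rules with echo, bell, mail and exec actions), applies it to log lines top-down with first-match-wins semantics, and reports the actions it would take. The configuration text, the sample syslog lines and the command /usr/local/bin/block-ip are constructed for this example; /etc/call_pager is the pager script from the tip above and is not actually executed.

```python
"""Swatch-style log watcher (added example, not swatch itself).

Parses watchfor/ignore rules, applies them to log lines in order with
first-match-wins semantics, and describes the actions that would run.
CONFIG, LOG_LINES and /usr/local/bin/block-ip are constructed for this
example; /etc/call_pager comes from the tip and is never run here.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed configuration in the style of the tip; the ignore rule is
# first so that it wins over the watchfor rules that follow it.
CONFIG = r"""
ignore /sendmail/,/fax/,/unimportant stuff/
watchfor /[dD]enied|DEN.*ED/
    echo bold
    bell 3
    mail
    exec "/etc/call_pager 5551234 08"
watchfor /Failed password for/
    echo
    exec "/usr/local/bin/block-ip $0"
"""

# Constructed sample syslog lines; the last one carries shell
# metacharacters inside an attacker-supplied user name.
LOG_LINES = [
    "Aug 27 10:01:02 host sshd[123]: Failed password for mallory from 10.0.0.7",
    "Aug 27 10:01:03 host kernel: ACCESS DENIED for 10.0.0.7 port 23",
    "Aug 27 10:01:04 host sendmail[44]: relay denied from 10.0.0.9",
    "Aug 27 10:01:05 host cron[9]: job finished",
    "Aug 27 10:01:06 host sshd[124]: Failed password for 'x; rm -rf /' from 10.0.0.8",
]


@dataclass
class Rule:
    kind: str                      # "watchfor" or "ignore"
    patterns: List["re.Pattern"]
    actions: List[Tuple[str, str]] = field(default_factory=list)


def _patterns(spec: str) -> List["re.Pattern"]:
    """'/a/,/b c/' -> compiled regexes for a and 'b c' (a body may escape /)."""
    return [re.compile(body) for body in re.findall(r"/((?:[^/\\]|\\.)*)/", spec)]


def load_rules(text: str) -> List[Rule]:
    """Parse rules; indented action lines belong to the preceding watchfor."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, _, rest = line.partition(" ")
        if head in ("watchfor", "ignore"):
            rules.append(Rule(head, _patterns(rest.strip())))
        elif rules and rules[-1].kind == "watchfor":
            rules[-1].actions.append((head, rest.strip()))
        else:
            raise ValueError(f"action outside a watchfor block: {line!r}")
    return rules


def exec_argv(command: str, line: str) -> List[str]:
    """Build the argv for an exec action.

    swatch substitutes $0/$* (whole line) and $N (Nth whitespace field)
    into the command string before running it, so if that string reaches a
    shell, metacharacters in the log line become shell syntax.  Here the
    command is split first and substitution happens inside each argument,
    so a hostile log line can only ever be a single argument.
    """
    if len(command) >= 2 and command[0] == command[-1] and command[0] in "\"'":
        command = command[1:-1]        # strip the quotes around exec "..."
    fields = line.split()

    def substitute(m: "re.Match") -> str:
        token = m.group(1)
        if token in ("0", "*"):
            return line
        n = int(token)
        return fields[n - 1] if 0 < n <= len(fields) else ""

    return [re.sub(r"\$(\d+|\*)", substitute, arg) for arg in shlex.split(command)]


def plan_actions(rule: Rule, line: str) -> List[tuple]:
    """Describe what a matched watchfor rule would do with the line."""
    planned: List[tuple] = []
    for name, arg in rule.actions:
        if name == "echo":
            planned.append(("echo", arg or "normal", line))
        elif name == "bell":
            planned.append(("bell", int(arg or "1")))
        elif name == "mail":
            planned.append(("mail", arg or "<invoking user>"))
        elif name == "exec":
            planned.append(("exec", exec_argv(arg, line)))
        else:
            raise ValueError(f"unsupported action {name!r}")
    return planned


def scan(rules: List[Rule], lines: List[str]) -> List[Tuple[str, List[tuple]]]:
    """Apply rules top-down; the first rule matching a line decides its fate."""
    hits: List[Tuple[str, List[tuple]]] = []
    for line in lines:
        for rule in rules:
            if any(p.search(line) for p in rule.patterns):
                if rule.kind == "watchfor":
                    hits.append((line, plan_actions(rule, line)))
                break          # ignore matched, or watchfor without 'continue'
    return hits


if __name__ == "__main__":
    for matched, actions in scan(load_rules(CONFIG), LOG_LINES):
        print(matched)
        for action in actions:
            print("   ", action)
```

Running the file prints three hits: the two failed-password lines and the ACCESS DENIED line; the sendmail line is dropped by the ignore rule even though it contains "denied". The point of exec_argv is the last sample line: in real swatch, $0 is interpolated into the exec string before it runs, so log content that an attacker controls (a user name, a URL, a hostname) should never be passed through $0 or $N into anything a shell interprets without strict quoting.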
To use swatch as a constantly running service that scans lines of a log
file as they come in, run:

    swatch --config-file=/home/chris/swatch.conf --tail-file=/var/log/messages

Security Tip Written by Chris Parker (news@xxxxxxxxxxxxxxxxx)

Additional tips are available at the following URL:
http://www.linuxsecurity.com/tips/

----

An Interview with Gary McGraw, Co-author of Exploiting Software: How to
Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing
software, having co-authored the classic Building Secure Software
(Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund
a companion volume, Exploiting Software, which details software security
from the vantage point of the other side, the attacker. He has graciously
agreed to share some of his insights with all of us at LinuxSecurity.com.

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

---------------------------------------------------------------------

Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian
Digital, Inc. and respected author of various hardened security and Linux
publications, to talk about how Guardian Digital is changing the face of
IT security today. Guardian Digital is perhaps best known for their
hardened Linux solution EnGarde Secure Linux, touted as the premier
secure, open-source platform for its comprehensive array of general
purpose services, such as web, FTP, email, DNS, IDS, routing, VPN,
firewalling, and much more.

http://www.linuxsecurity.com/feature_stories/feature_story-170.html

------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 8/20/2004 - ruby
   Insecure file permissions

   This can allow an attacker who also has shell access to the webserver
   to take over a session.
   http://www.linuxsecurity.com/advisories/debian_advisory-4689.html

 8/20/2004 - rsync
   Insufficient path sanitation

   The rsync developers have discovered a security related problem in
   rsync which allows an attacker to access files outside of the defined
   directory.
   http://www.linuxsecurity.com/advisories/debian_advisory-4690.html

 8/20/2004 - kdelibs
   Insecure temporary file vulnerability

   This can be abused by a local attacker to create or truncate arbitrary
   files or to prevent KDE applications from functioning correctly.
   http://www.linuxsecurity.com/advisories/debian_advisory-4691.html

 8/20/2004 - mysql
   Insecure temporary file vulnerability

   Jeroen van Wolffelaar discovered an insecure temporary file
   vulnerability in the mysqlhotcopy script when using the scp method,
   which is part of the mysql-server package.
   http://www.linuxsecurity.com/advisories/debian_advisory-4692.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 8/20/2004 - rsync
   Insufficient path sanitization

   This update backports a security fix for a path-sanitizing flaw that
   affects rsync when it is used in daemon mode without also using chroot.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4688.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 8/20/2004 - acroread
   Buffer overflow vulnerabilities

   Acroread contains two errors in the handling of UUEncoded filenames
   that may lead to execution of arbitrary code or programs.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4682.html

 8/20/2004 - Tomcat
   Insecure installation

   Improper file ownership may allow a member of the tomcat group to
   execute scripts as root.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4683.html

 8/20/2004 - glibc
   Information leak vulnerability

   glibc contains an information leak vulnerability allowing the
   debugging of SUID binaries.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4684.html

 8/20/2004 - rsync
   Insufficient path sanitation

   This vulnerability could allow the listing of arbitrary files, and
   allow file overwriting outside the module's path on rsync server
   configurations that allow uploading.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4685.html

 8/20/2004 - xine-lib
   Buffer overflow vulnerability

   An attacker may construct a carefully-crafted playlist file which will
   cause xine-lib to execute arbitrary code with the permissions of the
   user.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4686.html

 8/20/2004 - courier-imap
   Format string vulnerability

   An attacker may be able to execute arbitrary code as the user running
   courier-imapd (oftentimes root).
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4687.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 8/20/2004 - rsync
   Insufficient path sanitation

   If rsync is running in daemon mode, and not in a chrooted environment,
   it is possible for a remote attacker to trick rsyncd into creating an
   absolute pathname while sanitizing it.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4679.html

 8/20/2004 - spamassassin
   Denial of service vulnerability

   Security fix prevents a denial of service attack triggered by certain
   malformed messages.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4680.html

 8/20/2004 - qt3
   Heap overflow vulnerability

   This vulnerability could allow for the compromise of the account used
   to view or browse malicious graphic files.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4681.html

+---------------------------------+
|  Distribution: NetBSD           | ----------------------------//
+---------------------------------+

 8/20/2004 - ftpd
   Privilege escalation vulnerability

   A set of flaws in the ftpd source code can be used together to achieve
   root access within an ftp session.
   http://www.linuxsecurity.com/advisories/netbsd_advisory-4678.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 8/20/2004 - Netscape
   Multiple vulnerabilities

   Netscape Navigator and Netscape Communicator have been removed from
   the Red Hat Enterprise Linux 2.1 CD-ROM distribution as part of
   Update 5. These packages were based on Netscape 4.8, which is known to
   be vulnerable to recent critical security issues, such as
   CAN-2004-0597, CAN-2004-0598, and CAN-2004-0599.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4673.html

 8/20/2004 - kernel
   Denial of service vulnerability

   A bug in the SoundBlaster 16 code which did not properly handle
   certain sample sizes has been fixed. This flaw could be used by local
   users to crash a system.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4674.html

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

 8/20/2004 - rsync
   Insufficient pathname sanitizing

   If rsync is running in daemon mode and without a chroot environment,
   it is possible for a remote attacker to trick rsyncd into creating an
   absolute pathname while sanitizing it.
   http://www.linuxsecurity.com/advisories/suse_advisory-4676.html

 8/20/2004 - qt3
   Buffer overflow vulnerability

   Chris Evans found a heap overflow in the BMP image format parser which
   can probably be abused by remote attackers to execute arbitrary code.
   http://www.linuxsecurity.com/advisories/suse_advisory-4677.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 8/20/2004 - rsync
   Path escape vulnerability

   Please either enable chroot or upgrade to 2.6.1. People not running a
   daemon, running a read-only daemon, or running a chrooted daemon are
   totally unaffected.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4675.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------