+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter        |
|  September 3rd, 2004                        Volume 5, Number 35a     |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                    Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx         ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for qt, krb5, kdelibs, zlib,
acrobat, gaim, and the Linux kernel. The distributors include Debian,
Fedora, Gentoo, Mandrake, OpenBSD, Red Hat, Slackware, SuSE, Trustix,
and TurboLinux.

-----

Introduction to Cryptography

Implementing any large security project on the Linux operating system
requires the use of cryptography. Several weeks ago, I wrote about a
book by Fred Piper and Sean Murphy titled "Cryptography: A Very Short
Introduction." It offers a very good introduction to the subject, but
those wishing to implement cryptography in an open source project need
a more in-depth understanding of the area.

Another excellent resource is the "Handbook of Applied Cryptography,"
by Menezes, van Oorschot, and Vanstone. It has often been considered
"the bible of cryptography" and offers a detailed and technical view.
The first several chapters of the book focus on the basics.
It gives an overview and history of cryptography and follows with an
explanation of the mathematics necessary to understand the algorithms.
Midway through the book, it gives detailed information to help the
reader understand stream ciphers, block ciphers, and finally public key
encryption. After the reader has an understanding of the algorithms,
the book moves on to explain how they can be used in key establishment
protocols. It also offers chapters on key management and tips for
efficient implementation.

For the long-time manager, this book may be slightly on the technical
side. However, there are clear benefits for management having an
understanding of technical subjects. Cryptography today offers a very
strong level of protection. It only fails in implementation; for
example, when keys are not properly protected or managed.

For those of you wishing to learn a little more about the fascinating
subject of cryptography, I highly recommend this book. Perhaps the
best part is that the book is available fully for free on the Web:

http://www.cacr.math.uwaterloo.ca/hac/

Hard copies of the book can also be purchased through Amazon or any
other large bookseller.

When any company decides to take on an in-house software development
project, it is essential to include cryptographic mechanisms. Books
such as this can give programmers the proper knowledge necessary to
understand how cryptography works and how to avoid problems.

Until next time, cheers!
Benjamin D. Thomas

-----

AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and
home users. The problem can be resolved with an accurate security
analysis. In this article I show how to approach security using aide
and chkrootkit.
http://www.linuxsecurity.com/feature_stories/feature_story-173.html

---------------------------------------------------------------------

An Interview with Gary McGraw, Co-author of Exploiting Software:
How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on
securing software, having co-authored the classic Building Secure
Software (Addison-Wesley, 2002). More recently, he has co-written with
Greg Hoglund a companion volume, Exploiting Software, which details
software security from the vantage point of the other side, the
attacker. He has graciously agreed to share some of his insights with
all of us at LinuxSecurity.com.

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

------

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 8/27/2004 - icecast-server cross site scripting vulnerability
   Markus Wörle discovered a cross site scripting problem in
   status-display (list.cgi) of the icecast internal webserver.
   http://www.linuxsecurity.com/advisories/debian_advisory-4693.html

 8/30/2004 - qt arbitrary code execution and DoS
   Several vulnerabilities were discovered in recent versions of Qt,
   a commonly used graphic widget set.
   http://www.linuxsecurity.com/advisories/debian_advisory-4716.html

 8/31/2004 - python2.2 really fix buffer overflow, arbitrary code
             execution and DoS
   This security advisory corrects DSA 458-1, which caused some
   segmentation faults in gethostbyaddr with non-localhost input.
   This update also disables IPv6 on all architectures.
   http://www.linuxsecurity.com/advisories/debian_advisory-4718.html

 8/31/2004 - krb5 several vulnerabilities
   The MIT Kerberos Development Team has discovered a number of
   vulnerabilities in the MIT Kerberos Version 5 software.
   http://www.linuxsecurity.com/advisories/debian_advisory-4723.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 8/31/2004 - krb5 double-free bugs (Core 1)
   Several double-free bugs were found in the Kerberos 5 KDC and
   libraries.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4724.html

 8/31/2004 - krb5 double-free bugs (Core 2)
   Several double-free bugs were found in the Kerberos 5 KDC and
   libraries.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4725.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 8/27/2004 - Mozilla, Firefox, Thunderbird new releases fix
             vulnerabilities
   New releases of Mozilla, Mozilla Thunderbird, and Mozilla Firefox
   fix several vulnerabilities, including remote DoS and buffer
   overflows.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4708.html

 8/27/2004 - kdelibs cross-domain cookie injection vulnerability
   The cookie manager component in kdelibs contains a vulnerability
   allowing an attacker to potentially gain access to a user's
   session on a legitimate web server.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4711.html

 8/27/2004 - zlib denial of service vulnerability
   The zlib library contains a Denial of Service vulnerability.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4714.html

 8/27/2004 - gaim new vulnerabilities
   Gaim contains several security issues that might allow an attacker
   to execute arbitrary code or commands.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4715.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 8/27/2004 - kernel multiple vulnerabilities
   A race condition was discovered in the 64-bit file offset handling
   by Paul Starzetz from iSEC.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4699.html

 9/1/2004 - krb5 multiple vulnerabilities
   A double-free vulnerability exists in the MIT Kerberos 5 KDC
   program that could potentially allow a remote attacker to execute
   arbitrary code on the KDC host.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4726.html

+---------------------------------+
|  Distribution: OpenBSD          | ----------------------------//
+---------------------------------+

 8/31/2004 - zlib reliability fix
   A bug has been found in the version of zlib included in OpenBSD 3.5
   (and only 3.5) that could allow an attacker to crash programs
   linked with it.
   http://www.linuxsecurity.com/advisories/openbsd_advisory-4727.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 8/27/2004 - acrobat security issues
   An updated Adobe Acrobat Reader package that fixes multiple
   security issues is now available.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4701.html

 8/31/2004 - krb5 security vulnerabilities
   Updated Kerberos (krb5) packages that correct double-free and ASN.1
   parsing bugs are now available for Red Hat Enterprise Linux.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4729.html

 8/31/2004 - krb5 security issues
   Updated krb5 packages that improve client responsiveness and fix
   several security issues are now available for Red Hat Enterprise
   Linux 3.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4730.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 8/27/2004 - gaim updated again
   A couple of bugs were found in the gaim 0.82 release, and
   gaim-0.82.1 was released to fix them.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4717.html

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

 9/1/2004 - kernel vulnerabilities
   Various signedness issues and integer overflows have been fixed
   within kNFSd and the XDR decode functions of kernel 2.6.
   http://www.linuxsecurity.com/advisories/suse_advisory-4728.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 8/27/2004 - courier-imap, samba, zlib multiple vulnerabilities
   Security roll-up.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4705.html

+---------------------------------+
|  Distribution: Turbolinux       | ----------------------------//
+---------------------------------+

 8/31/2004 - rsync, qt vulnerabilities
   Security roll-up for 31/Aug/2004.
   http://www.linuxsecurity.com/advisories/turbolinux_advisory-4719.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------