+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  October 29th, 2004                        Volume 5, Number 43a     |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for mozilla, zlib, kernel, glib2,
MySQL, Gaim, MIT, Netatalk, socat, mpg123, rssh, xpdf, gpdf, cups,
kdegraphics, squid, and libtiff. The distributors include Conectiva,
Fedora, Gentoo, Mandrake, Red Hat, Slackware, and SuSE.

-----

Developing A Security Policy

Create a simple, generic policy for your system that your users can
readily understand and follow. It should protect the data you're
safeguarding, as well as the privacy of the users. Some things to
consider adding are who has access to the system (Can my friend use my
account?), who's allowed to install software on the system, who owns
what data, disaster recovery, and appropriate use of the system.

A generally accepted security policy starts with the phrase:

    "That which is not expressly permitted is prohibited"

This means that unless you grant access to a service for a user, that
user shouldn't be using that service until you do grant access.

Make sure the policies work on your regular user account. Saying, "Ah,
I can't figure this permissions problem out, I'll just do it as root"
can lead to security holes that are very obvious, and even ones that
haven't been exploited yet.

Additionally, there are several questions you will need to answer to
successfully develop a security policy:

    What level of security do your users expect?
    How much is there to protect, and what is it worth?
    Can you afford the down-time of an intrusion?
    Should there be different levels of security for different groups?
    Do you trust your internal users?
    Have you found the balance between acceptable risk and secure?

You should develop a plan on who to contact when there is a security
problem that needs attention. There are quite a few documents available
on developing a Site Security Policy. You can start with the SANS
Security Policy Project.

  http://www.sans.org/resources/policies/

Excerpt from the LinuxSecurity Administrator's Guide:
  http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html

Written by: Dave Wreski (dave@xxxxxxxxxxxxxxxxxxx)

------

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

10/22/2004 - mozilla upstream fix
  This announcement updates mozilla packages for Conectiva Linux 9 and
  10 to mozilla version 1.7.3. This update fixes many vulnerabilities.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-5004.html

10/25/2004 - zlib denial of service vulnerabilities fix
  Due to a Debian bug report[3], a denial of service vulnerability[4]
  was discovered in the zlib compression library versions 1.2.x, in the
  inflate() and inflateBack() functions.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-5020.html

10/26/2004 - kernel vulnerabilities fix
  This announcement fixes a vulnerability in the Linux kernel which
  could allow a local attacker to obtain sensitive information due to an
  issue when handling 64-bit file offset pointers.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-5024.html

10/27/2004 - foomatic-filters vulnerability fix
  The foomatic-rip filter in foomatic-filters contains a
  vulnerability[2][3] caused by insufficient checking of command-line
  parameters and environment variables which may allow arbitrary remote
  command execution on the print server with the permissions of the
  spooler user ("lp").
  http://www.linuxsecurity.com/advisories/conectiva_advisory-5029.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

10/26/2004 - cups-1.1.20-11.6 update vulnerabilities fix
  A problem with PDF handling was discovered by Chris Evans, and has
  been fixed. The Common Vulnerabilities and Exposures project
  (www.mitre.org) has assigned the name CAN-2004-0888 to this issue.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5023.html

10/27/2004 - glib2 and gtk2 md5sums update
  The md5sums of the glib2-2.4.7-1.1 and gtk2-2.4.13-2.1 updates don't
  match the ones in the announcements I sent out.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5026.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

10/24/2004 - MySQL Multiple vulnerabilities
  Several vulnerabilities including privilege abuse, Denial of Service,
  and potentially remote arbitrary code execution have been discovered
  in MySQL.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5013.html

10/24/2004 - Gaim Multiple vulnerabilities
  Multiple vulnerabilities have been found in Gaim which could allow a
  remote attacker to crash the application, or possibly execute
  arbitrary code.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5014.html

10/25/2004 - MIT krb5 Insecure temporary file use in send-pr.sh
  The send-pr.sh script, included in the mit-krb5 package, is vulnerable
  to symlink attacks, potentially allowing a local user to overwrite
  arbitrary files with the rights of the user running the utility.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5016.html

10/25/2004 - Netatalk Insecure tempfile handling in etc2ps.sh
  The etc2ps.sh script, included in the Netatalk package, is vulnerable
  to symlink attacks, potentially allowing a local user to overwrite
  arbitrary files with the rights of the user running the utility.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5017.html

10/25/2004 - socat Format string vulnerability
  socat contains a format string vulnerability that can potentially lead
  to remote or local execution of arbitrary code with the privileges of
  the socat process.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5018.html

10/27/2004 - mpg123 Buffer overflow vulnerabilities
  Buffer overflow vulnerabilities have been found in mpg123 which could
  lead to execution of arbitrary code.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5025.html

10/27/2004 - rssh Format string vulnerability
  rssh is vulnerable to a format string vulnerability that allows
  arbitrary execution of code with the rights of the connected user,
  thereby bypassing rssh restrictions.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5027.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

10/22/2004 - xpdf vulnerabilities fix
  Chris Evans discovered numerous vulnerabilities in the xpdf package
  which can result in DoS or possibly arbitrary code execution.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5000.html

10/22/2004 - gpdf DoS vulnerability fix
  Chris Evans discovered numerous vulnerabilities in the xpdf package,
  which also affect software using embedded xpdf code, such as gpdf.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5001.html

10/22/2004 - cups DoS vulnerabilities fix
  Chris Evans discovered numerous vulnerabilities in the xpdf package,
  which also affect software using embedded xpdf code.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5002.html

10/22/2004 - kdegraphics DoS vulnerability fix
  Chris Evans discovered numerous vulnerabilities in the xpdf package,
  which also affect software using embedded xpdf code, such as kpdf.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5003.html

10/22/2004 - squid SNMP processing vulnerability fix
  iDEFENSE discovered a Denial of Service vulnerability in squid version
  2.5.STABLE6 and previous. The problem is due to an ASN1 parsing error
  where certain header length combinations can slip through the
  validations performed by the ASN1 parser, leading to the server
  assuming there is heap corruption or some other exceptional condition,
  and closing all current connections then restarting.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5007.html

10/22/2004 - gpdf DoS vulnerability fix
  Chris Evans discovered numerous vulnerabilities in the xpdf package,
  which also affect software using embedded xpdf code.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5008.html

10/22/2004 - kdegraphics DoS vulnerability fix
  Chris Evans discovered numerous vulnerabilities in the xpdf package,
  which also affect software using embedded xpdf code.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5009.html

10/22/2004 - CUPS DoS vulnerabilities fix
  Chris Evans discovered numerous vulnerabilities in the xpdf package,
  which also affect software using embedded xpdf code.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5010.html

10/22/2004 - xpdf vulnerabilities fix
  Multiple integer overflow issues affect xpdf-2.0 and xpdf-3.0, as well
  as programs like cups which have embedded versions of xpdf. These can
  result in writing an arbitrary byte to an attacker-controlled location
  which probably could lead to arbitrary code execution.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5011.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

10/22/2004 - CUPS security issues fix
  Updated cups packages that fix denial of service issues, a security
  information leak, as well as other various bugs are now available.
  http://www.linuxsecurity.com/advisories/redhat_advisory-5005.html

10/22/2004 - libtiff update
  Updated libtiff packages that fix various buffer and integer overflows
  are now available.
  http://www.linuxsecurity.com/advisories/redhat_advisory-5006.html

10/27/2004 - mysql-server update
  An updated mysql-server package that fixes various security issues is
  now available in the Red Hat Enterprise Linux 3 Extras channel of Red
  Hat Network.
  http://www.linuxsecurity.com/advisories/redhat_advisory-5030.html

10/27/2004 - xchat SOCKSv5 proxy security issue fix
  An updated xchat package that fixes a stack buffer overflow in the
  SOCKSv5 proxy code.
  http://www.linuxsecurity.com/advisories/redhat_advisory-5031.html

10/27/2004 - xpdf security flaws fix
  An updated xpdf package that fixes a number of integer overflow
  security flaws is now available.
  http://www.linuxsecurity.com/advisories/redhat_advisory-5032.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

10/22/2004 - Gaim buffer overflow
  A buffer overflow in the MSN protocol handler for GAIM 0.79 to 1.0.1
  allows remote attackers to cause a denial of service (application
  crash) and may allow the execution of arbitrary code.
  http://www.linuxsecurity.com/advisories/slackware_advisory-5015.html

10/26/2004 - apache, mod_ssl, php security issues fix buffer overflow
  New apache and mod_ssl packages are available for Slackware 8.1, 9.0,
  9.1, 10.0, and -current to fix security issues.
  http://www.linuxsecurity.com/advisories/slackware_advisory-5021.html

+---------------------------------+
|  Distribution: Suse             | ----------------------------//
+---------------------------------+

10/22/2004 - libtiff security vulnerability fix
  Chris Evans found several security related problems during an audit of
  the image handling library libtiff, some related to buffer overflows,
  some related to integer overflows and similar.
  http://www.linuxsecurity.com/advisories/suse_advisory-5012.html

10/26/2004 - xpdf, gpdf, kdegraphics3-pdf, pdftohtml, cups security vulnerability fix
  Chris Evans found several integer overflows and arithmetic errors.
  Additionally Sebastian Krahmer from the SuSE Security-Team found
  similar bugs in xpdf 3.
  http://www.linuxsecurity.com/advisories/suse_advisory-5019.html

10/26/2004 - xpdf, gpdf, kdegraphics3-pdf, pdftohtml, cups remote system compromise security vulnerability fix
  Chris Evans found several integer overflows and arithmetic errors.
  Additionally Sebastian Krahmer from the SuSE Security-Team found
  similar bugs in xpdf 3.
  http://www.linuxsecurity.com/advisories/suse_advisory-5022.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------