+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| December 31st, 2004 Volume 5, Number 52a |
+---------------------------------------------------------------------+
Editors: Dave Wreski Benjamin D. Thomas
dave@xxxxxxxxxxxxxxxxx ben@xxxxxxxxxxxxxxxxx
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
Happy New Year! This week advisories were released for netpbm,
libtiff, imlib, Xpdf,CUPS, and ViewCVS. The distributors include
Conectiva, Debian, Gentoo, and Mandrake.
----
Internet Productivity Suite: Open Source Security
Trust Internet Productivity Suite's open source architecture to give
you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital security
engineers implement the most technologically advanced ideas and
methods into their design.
http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml
---
A 2005 Linux Security Resolution
Year 2000, the coming of the new millennium, brought us great joy
and celebration, but also brought great fear. Some believed it
would result in full-scale computer meltdown, leaving Earth as a
nuclear wasteland. Others predicted minor glitches leading only to
inconvenience. The following years (2001-2004) have been tainted
with the threat of terrorism worldwide. Whether it be physical
terrorism, or malicious acts of information security, we have all
raised our level of awareness. For many across the world, the new
year brings a sense of rebirth and recommitment. All of us take
time to reflect on the past year, reexamine our lives, and focus
on how we can do better the upcoming year. Some have career related
goals, others only wish to make more time for their family because
of the realization that those close to you are in fact the real
and only reason for everything. Personally, I am one who loves
to set goals. Without a mission and plan, very little gets
accomplished. The new year should not only be a time to set
personal goals such as an exercise regiment, but also a time to
focus on security practices and configurations. 2005 will be
hostile, now is the time to prepare.
Reflect on Present
Those of us long-time security gurus always chant the mantra
"security is a process, not a product; repeat." The new year
should be a time to refine that process. Take a moment to analyze
and ask the following questions:
- Are we doing everything the way we should?
- What areas of our operation need to be improved?
- Are we following security best practices?
- Do I feel confident about our security practices?
- Do I have metrics to provide assurance about our security?
- Are we proactive, or do we always seem to be catching up?
Continue to Read Article Here:
http://www.linuxsecurity.com/content/view/117721/49/
---
State of Linux Security 2004
In 2004, security continued to be a major concern. The beginning of the
year was plagued with several kernel flaws and Linux vendor advisories
continue to be released at an ever-increasing rate. This year, we have
seen the reports touting Window's security superiority, only to be
debunked by other security experts immediately after release. Also,
Guardian Digital launched the new LinuxSecurity.com, users continue to
be targeted by automated attacks, and the need for security awareness
and education continues to rise.
http://www.linuxsecurity.com/content/view/117655/49/
-----
Users Respond with Constructive Feedback
When the new version of LinuxSecurity.com was launched on December 1st,
we also asked our readers to " Tell us what you think ." You have spoken,
and we appreciate that! We received hundreds of comments & requests, and
have been addressing a majority of them. We thought it was important to
share some of the comments with you. While some were purely positive
acknowledgements, others were thoughtful criticisms. We take every
critique into account and address each as resources become available
or when the criticism becomes the concern of many.
http://www.linuxsecurity.com/content/view/117614/49/
-----------------------------------------------------------------------
Vincenzo Ciaglia Speaks Security 2004
Vincenzo Ciaglia of Linux Netwosix talks about this year of Linux
Security. A full immersion in the world of Linux Security from many
sides and points of view.
http://www.linuxsecurity.com/content/view/117515/49/
------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Conectiva | ----------------------------//
+---------------------------------+
* Conectiva: netpbm Insecure temporary file creation
29th, December, 2004
Utilities provided by the netpbm package prior to the 9.25 version
contain defects[2] in temporary file handling. They create temporary
files with predictable names without checking if the target file
already exists.
http://www.linuxsecurity.com/content/view/117694
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
* Debian: libtiff arbitrary code execution fix
24th, December, 2004
"infamous41md" discovered a problem in libtiff, the Tag Image File
Format library for processing TIFF graphics files. Upon reading a
TIFF file it is possible to allocate a zero sized buffer and write to
it which would lead to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/117664
* Debian: imlib arbitrary code execution fix
24th, December, 2004
Pavel Kankovsky discovered that several overflows found in the libXpm
library were also present in imlib, an imaging library for X and X11.
An attacker could create a carefully crafted image file in such a way
that it could cause an application linked with imlib to execute
arbitrary code when the file was opened by a victim.
http://www.linuxsecurity.com/content/view/117667
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
* Gentoo: Xpdf, Gpdf New integer overflows
28th, December, 2004
New integer overflows were discovered in Xpdf, potentially resulting
in the execution of arbitrary code. GPdf includes Xpdf code and
therefore is vulnerable to the same issues.
http://www.linuxsecurity.com/content/view/117690
* Gentoo: CUPS Multiple vulnerabilities
28th, December, 2004
Multiple vulnerabilities have been found in CUPS, ranging from local
Denial of Service attacks to the remote execution of arbitrary code.
http://www.linuxsecurity.com/content/view/117691
* Gentoo: ViewCVS Information leak and XSS vulnerabilities
28th, December, 2004
ViewCVS is vulnerable to an information leak and to cross-site
scripting (XSS) issues.
http://www.linuxsecurity.com/content/view/117692
+---------------------------------+
| Distribution: Mandrake | ----------------------------//
+---------------------------------+
* Mandrake: integer overflow vulnerabilities update
27th, December, 2004
Remote exploitation of an integer overflow vulnerability in the smbd
daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to
and including 3.0.9 could allow an attacker to cause controllable
heap corruption, leading to execution of arbitrary commands with root
privileges.
http://www.linuxsecurity.com/content/view/117683
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
