+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  February 25th, 2005                          Volume 6, Number 8a   |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for emacs, gftp, bidwatcher,
mailman, squid, mod_python, kdeedu, gamin, pcmcia, openssh, postgresql,
gimp, midnight commander, gproftpd, cyrus imap, cups, kdelibs, xpdf,
uim, cpio, and vim. The distributors include Debian, Fedora, Gentoo,
Mandrake, Red Hat, and SuSE.

---

>> Enterprise Security for the Small Business <<

Never before has a small business productivity solution been designed
with such robust security features. Engineered with security as a main
focus, the Guardian Digital Internet Productivity Suite is the
cost-effective solution small businesses have been waiting for.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

---

VULNERABILITIES IN WEB APPLICATIONS
By Raymond Ankobia

The Internet has made the world smaller. In our routine usage we tend
to overlook that "www" really does mean "world wide web", making
virtually instant global communication possible. It has altered the
rules of marketing and retailing. An imaginative website can give the
small company as much impact and exposure as its much larger
competitors. In the electronics, books, travel and banking sectors,
long-established retail chains are increasingly under pressure from
e-retailers. All this, however, has come at a price: ever more
inventive and potentially damaging cyber crime. This paper aims to
raise awareness by discussing common vulnerabilities and mistakes in
web application development.
It also considers mitigating factors, strategies and corrective
measures.

The Internet has become part and parcel of the corporate agenda. But
does the risk of exposing information assets get sufficient management
attention? Extension of corporate portals for Business-to-Business
(B2B) or development of websites for Business-to-Customer (B2C)
transactions have been largely successful. But the task of assessing
the risk posed by vulnerabilities and threats to corporate information
assets is still avoided by many organisations. The desire to stay ahead
of the competition while minimising cost by leveraging technology means
the process is driven by pressure to achieve results. What suffers in
the end is the application development cycle, which proceeds without
security in mind.

Section 1 of this paper introduces the world of e-business and sets the
stage for further discussions. Section 2 looks at common
vulnerabilities inherent in web application development. Section 3
considers countermeasures and strategies that will minimise, if not
eradicate, some of the vulnerabilities. Sections 4 and 5 draw
conclusions and look at current trends and future expectations.

The TCP/IP protocol stack, the underlying technology, is known for its
lack of security at many of its layers. Most applications written for
use on the Internet use the application layer, traditionally using HTTP
on port 80 on most web servers. The HTTP protocol is stateless and does
not provide freshness mechanisms for a session between a client and
server; hence, many hackers take advantage of these inherent
weaknesses. TCP/IP may be reliable in providing delivery of Internet
packets, but it provides no guarantee of confidentiality or integrity,
and little in the way of identification. As emphasised in [1],
Internet packets may traverse several hosts between source and
destination addresses. During their journey they can be intercepted by
third parties, who may copy, alter or substitute them before final
delivery.
Failure to detect and prevent attacks in web applications is
potentially catastrophic. Attacks are loosely grouped into two types:
passive and active. Passive attackers [6] engage in eavesdropping on,
or monitoring of, transmissions. Active attacks involve some
modification of the data stream or creation of false data streams [6].

Read Entire Article:
http://www.linuxsecurity.com/content/view/118427/49/

----------------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security'
series. The topic explored is Linux file permissions. It offers an
easy to follow explanation of how to read permissions, and how to set
them using chmod. This guide is intended for users new to Linux
security and is therefore very simple. If the feedback is good, I'll
consider creating more complex guides for advanced users. Please let
us know what you think and how these can be improved.

Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network
security. Other books often dive so deeply into technical discussions,
they fail to provide any relevance to network engineers/administrators
working in a corporate environment. Budgets, deadlines, and
flexibility are issues that we must all address. The Tao of Network
Security Monitoring is presented in such a way that all of these are
still relevant. One of the greatest virtues of this book is that it
offers real-life technical examples, while backing them up with
relevant case studies.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like passwords
and you pretty much depend on file permissions to keep it secure?
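The 'File Permissions' item above covers reading a mode string and
setting it with chmod, and the 'Encrypting Shell Scripts' item asks
whether file permissions are all that stands between a stored password
and other users. The following is an added example, written for this
newsletter and not taken from LinuxSecurity.com or the linked tutorial:
in POSIX sh it parses the symbolic mode that "ls -l" prints into the
octal form chmod accepts, reports a file's current mode, and refuses a
secrets file unless only its owner can read it. The function names, the
600 lock-down mode and the scratch file are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the LinuxSecurity tutorial): turn the symbolic
# mode "ls -l" prints (e.g. "-rwxr-x---") into the octal mode chmod takes,
# and check whether a file holding a secret is readable by anyone but its
# owner. Only the standard r/w/x letters plus s/S and t/T are handled.

# Map one rwx triplet ("rwx", "r-x", "---", "rws", ...) to a digit 0-7.
triplet_to_digit() {
  v=0
  case $1 in r??) v=$((v + 4)) ;; esac
  case $1 in ?w?) v=$((v + 2)) ;; esac
  case $1 in ??[xst]) v=$((v + 1)) ;; esac   # lowercase s/t imply x
  echo "$v"
}

# Convert a 9- or 10-character symbolic mode to octal. A leading file
# type column ("-", "d", "l", ...) is dropped; setuid, setgid and sticky
# bits become a leading 4/2/1 digit, as chmod and stat print them.
# perm_to_octal "-rwxr-x---" -> 750     perm_to_octal "-rwsr-xr-x" -> 4755
perm_to_octal() {
  s=$1
  [ ${#s} -eq 10 ] && s=${s#?}
  [ ${#s} -eq 9 ] || return 1
  special=0
  case $s in ??[sS]??????) special=$((special + 4)) ;; esac
  case $s in ?????[sS]???) special=$((special + 2)) ;; esac
  case $s in ????????[tT]) special=$((special + 1)) ;; esac
  u=$(triplet_to_digit "$(printf '%s' "$s" | cut -c1-3)")
  g=$(triplet_to_digit "$(printf '%s' "$s" | cut -c4-6)")
  o=$(triplet_to_digit "$(printf '%s' "$s" | cut -c7-9)")
  [ "$special" -ne 0 ] && printf '%s' "$special"
  printf '%s%s%s\n' "$u" "$g" "$o"
}

# Report a file's current mode in octal using only ls and the parser
# above (sidesteps the GNU/BSD differences in stat's option flags).
file_mode() {
  perm_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# A secrets file is acceptable only when the group and other digits are
# both 0, i.e. only its owner can read it (the same rule sshd applies to
# private keys). Returns 0 when the file is ok, 1 when it is too open.
secret_file_ok() {
  m=$(file_mode "$1") || return 1
  case $m in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Restrict a secrets file to its owner and return the resulting mode.
lock_down() {
  chmod 600 "$1"
  file_mode "$1"
}

# Demonstration on a constructed scratch file (created here, not real data).
demo=$(mktemp)
chmod 644 "$demo"
printf 'mode before: %s\n' "$(file_mode "$demo")"
if secret_file_ok "$demo"; then
  echo "readable only by owner"
else
  echo "too open; locking down"
fi
printf 'mode after:  %s\n' "$(lock_down "$demo")"
rm -f "$demo"
```

A 600 mode protects the script at rest, which is the protection the
teaser is asking about; it does not hide a password that the script
then passes on a command line, since any local user can read process
arguments through "ps", so a secret is better read from the locked-down
file or a pipe than placed in an argument.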
If so, then that type of security is good provided you keep your
system secure and some user doesn't have a "ps -ef" loop running in an
attempt to capture that sensitive info (though some applications mask
passwords in "ps" output).

http://www.linuxsecurity.com/content/view/117920/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New emacs21 packages fix arbitrary code execution
  17th, February, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/118356

* Debian: New gftp packages fix directory traversal vulnerability
  17th, February, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/118362

* Debian: New bidwatcher packages fix format string vulnerability
  18th, February, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/118384

* Debian: New mailman packages really fix several vulnerabilities
  21st, February, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/118391

* Debian: New squid packages fix denial of service
  23rd, February, 2005

  Updated packages.

  http://www.linuxsecurity.com/content/view/118411

* Debian: New mod_python packages fix information leak
  23rd, February, 2005

  Updated packages.

  http://www.linuxsecurity.com/content/view/118416

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 3 Update: kdeedu-3.3.1-2.3
  17th, February, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/118361

* Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.80
  17th, February, 2005

  Updated.

  http://www.linuxsecurity.com/content/view/118364

* Fedora Core 3 Update: policycoreutils-1.18.1-2.9
  17th, February, 2005

  Updated.
  http://www.linuxsecurity.com/content/view/118365

* Fedora Core 3 Update: gamin-0.0.24-1.FC3
  18th, February, 2005

  This update fixes a number of annoying bugs in gamin, especially the
  Desktop update problem in the GNOME environment that affected a
  number of users.

  http://www.linuxsecurity.com/content/view/118386

* Fedora Core 3 Update: pcmcia-cs-3.2.7-2.2
  21st, February, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/118397

* Fedora Core 2 Update: gaim-1.1.3-1.FC2
  22nd, February, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/118404

* Fedora Core 3 Update: gaim-1.1.3-1.FC3
  22nd, February, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/118405

* Fedora Core 3 Update: openssh-3.9p1-8.0.1
  22nd, February, 2005

  This update changes the default ssh client configuration so that
  trusted X11 forwarding is enabled. Untrusted X11 forwarding is not
  supported by X11 clients and doesn't work with Xinerama.

  http://www.linuxsecurity.com/content/view/118406

* Fedora Core 3 Update: postgresql-7.4.7-3.FC3.1
  22nd, February, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/118407

* Fedora Core 2 Update: postgresql-7.4.7-3.FC2.1
  22nd, February, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/118408

* Fedora Core 2 Update: squid-2.5.STABLE8-1.FC2.1
  22nd, February, 2005

  This update fixes CAN-2005-0446, Squid DoS from bad DNS response.

  http://www.linuxsecurity.com/content/view/118409

* Fedora Core 3 Update: squid-2.5.STABLE8-1.FC3.1
  22nd, February, 2005

  This update fixes CAN-2005-0446, Squid DoS from bad DNS response.

  http://www.linuxsecurity.com/content/view/118410

* Fedora Core 3 Update: gimp-help-2-0.1.0.7.0.fc3.1
  24th, February, 2005

  Updated package.
  http://www.linuxsecurity.com/content/view/118424

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Midnight Commander Multiple vulnerabilities
  17th, February, 2005

  Midnight Commander contains several format string errors, buffer
  overflows and one buffer underflow leading to execution of arbitrary
  code.

  http://www.linuxsecurity.com/content/view/118363

* Gentoo: Squid Denial of Service through DNS responses
  18th, February, 2005

  Squid contains a bug in the handling of certain DNS responses
  resulting in a Denial of Service.

  http://www.linuxsecurity.com/content/view/118382

* Gentoo: GProFTPD gprostats format string vulnerability
  18th, February, 2005

  gprostats, distributed with GProFTPD, is vulnerable to a format
  string vulnerability, potentially leading to the execution of
  arbitrary code.

  http://www.linuxsecurity.com/content/view/118383

* Gentoo: gFTP Directory traversal vulnerability
  19th, February, 2005

  gFTP is vulnerable to directory traversal attacks, possibly leading
  to the creation or overwriting of arbitrary files.

  http://www.linuxsecurity.com/content/view/118388

* Gentoo: PuTTY Remote code execution
  21st, February, 2005

  PuTTY was found to contain vulnerabilities that can allow a malicious
  SFTP server to execute arbitrary code on unsuspecting PSCP and PSFTP
  clients.

  http://www.linuxsecurity.com/content/view/118395

* Gentoo: Cyrus IMAP Server Multiple overflow vulnerabilities
  23rd, February, 2005

  The Cyrus IMAP Server is affected by several overflow vulnerabilities
  which could potentially lead to the remote execution of arbitrary
  code.
  http://www.linuxsecurity.com/content/view/118417

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

* Mandrake: Updated cups packages fix
  17th, February, 2005

  Previous updates to correct integer overflow issues affecting xpdf
  overlooked certain conditions when built for a 64 bit platform
  (formerly CAN-2004-0888). This also affects applications like cups
  that use embedded versions of xpdf. The updated packages are patched
  to deal with these issues.

  http://www.linuxsecurity.com/content/view/118367

* Mandrake: Updated gpdf packages fix
  17th, February, 2005

  Previous updates to correct integer overflow issues affecting xpdf
  overlooked certain conditions when built for a 64 bit platform
  (formerly CAN-2004-0888). This also affects applications like gpdf
  that use embedded versions of xpdf. The updated packages are patched
  to deal with these issues.

  http://www.linuxsecurity.com/content/view/118368

* Mandrake: Updated kdelibs packages fix
  17th, February, 2005

  A bug in the way kioslave handles URL-encoded newline (%0a)
  characters before the FTP command was discovered. Because of this, it
  is possible that a specially crafted URL could be used to execute any
  ftp command on a remote server, or even send unsolicited email.

  http://www.linuxsecurity.com/content/view/118369

* Mandrake: Updated KDE packages address
  17th, February, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/118370

* Mandrake: Updated xpdf packages fix
  17th, February, 2005

  Previous updates to correct integer overflow issues affecting xpdf
  overlooked certain conditions when built for a 64 bit platform
  (formerly CAN-2004-0888). This also affects applications that use
  embedded versions of xpdf. The updated packages are patched to deal
  with these issues.

  http://www.linuxsecurity.com/content/view/118371

* Mandrake: Updated PostgreSQL packages
  17th, February, 2005

  A number of vulnerabilities were found.
  http://www.linuxsecurity.com/content/view/118372

* Mandrake: Updated tetex packages fix
  17th, February, 2005

  Previous updates to correct integer overflow issues affecting xpdf
  overlooked certain conditions when built for a 64 bit platform
  (formerly CAN-2004-0888). This also affects applications like tetex
  that use embedded versions of xpdf. The updated packages are patched
  to deal with these issues.

  http://www.linuxsecurity.com/content/view/118373

* Mandrake: Updated uim packages fix
  24th, February, 2005

  Takumi ASAKI discovered that uim always trusts environment variables,
  which can allow a local attacker to obtain elevated privileges when
  libuim is linked against an suid/sgid application. This problem is
  only exploitable in 'immodule for Qt' enabled Qt applications. The
  updated packages are patched to fix the problem.

  http://www.linuxsecurity.com/content/view/118425

* Mandrake: Updated squid packages fix
  24th, February, 2005

  The squid developers discovered that a remote attacker could cause
  squid to crash via certain DNS responses. The updated packages are
  patched to fix the problem.

  http://www.linuxsecurity.com/content/view/118426

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Low: cpio security update
  18th, February, 2005

  An updated cpio package that fixes a umask bug and supports large
  files (>2GB) is now available. This update has been rated as having
  low security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/118378

* RedHat: Low: imap security update
  18th, February, 2005

  Updated imap packages that fix a security issue are now available for
  Red Hat Enterprise Linux 2.1. This update has been rated as having
  low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/118379

* RedHat: Low: vim security update
  18th, February, 2005

  Updated vim packages that fix a security vulnerability are now
  available. This update has been rated as having low security impact
  by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/118380

* RedHat: Important: cups security update
  18th, February, 2005

  Updated cups packages that fix a security issue are now available.
  This update has been rated as having important security impact by
  the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/118381

* RedHat: Important: kernel security update
  18th, February, 2005

  Updated kernel packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4. This update has been rated
  as having important security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/118385

* RedHat: Moderate: imap security update
  23rd, February, 2005

  Updated imap packages to correct a security vulnerability in CRAM-MD5
  authentication are now available for Red Hat Enterprise Linux 3. This
  update has been rated as having moderate security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/118418

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: squid remote denial of service
  22nd, February, 2005

  Squid is an Open Source web proxy. A remote attacker was potentially
  able to crash the Squid web proxy if the log_fqdn option was set to
  "on" and the DNS replies were manipulated.

  http://www.linuxsecurity.com/content/view/118403

* SuSE: cyrus-imapd buffer overflows
  24th, February, 2005

  This update fixes one-byte buffer overruns in the cyrus-imapd IMAP
  server package.

  http://www.linuxsecurity.com/content/view/118423

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------