+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| March 18th, 2005 Volume 6, Number 11a |
+---------------------------------------------------------------------+
Editors: Dave Wreski Benjamin D. Thomas
dave@xxxxxxxxxxxxxxxxx ben@xxxxxxxxxxxxxxxxx
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
This week, advisories were released for gaim, kdenetwork, squirrelmail,
luxman, hwbrowser, at, bind, openoffice,ipsec-tools, sylpheed, koffice,
qt, ImageMagick, ethereal, udev, libXpm, Ethereal, rmtree, curl,
cyrus-sasl, gnupg, openslp, tetex, postfix, and squid. The distributors
include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.
---
>> Enterprise Security for the Small Business <<
Never before has a small business productivity solution been designed
with such robust security features. Engineered with security as a main
focus, the Guardian Digital Internet Productivity Suite is the
cost-effective solution small businesses have been waiting for.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07
---
Information Security
In today's business world there is an ever-growing reliance on
information technology. Businesses and organizations rely on IT for
distributed processing, the automation of tasks and electronic
commerce. Processing that would have been done by hand years ago is
now done completely on computers. This has evolved so much that many
tasks are no longer feasible to conduct by hand. In fact, in some
cases it would be impossible. Typical business objects include
maximizing profit, having high sustainable growth, and keeping costs
low. In information security, we are aiming to preserve the
confidentiality, integrity, and availability of information from
disclosure, modification, destruction or misuse. Businesses are
at risk of loss of income, loss of competitive advantage, or
possibly legal penalties if no compliant with regulations.
Why information security? Information is an essential resource
for business today. Have the right information at the right time
in the hands of the right people is often the difference between
profit/loss, and success/failure. We must understand that
information is a key business asset and preserving confidentiality,
integrity, and availability is crucial to the continued success
of the business. Once again, manual processing is no longer a
feasible option. In the event of a failure, the employees would
loose productivity and it would be very costly to the company.
Information security can help protect from confidentiality breaches.
In the event of the unauthorized disclosure of schematics, a
business could loose millions to a competitor and loss of R&D time
and money. Ensuring data integrity is also essential. Information
security is also important to detect any violations that may occur,
or mitigate any consequential damagers that may occur from a breach.
Also, information security practice can aid in the planning and
facilitate a recovery strategy, ensuring that impact and loss in
minimized. In the event of an investigation, having proper
information security procedures in place can assist in the process
of gather evidence.
If managed properly, information security can be a business enabler.
Rather than the 'badge and gun' attitude, information security
professionals should approach it from a business perspective. How
can information security save the organization money? How can it
increase customer loyalty, etc. If information security does not
seem to help an organization, and only restrict, it will not be a
priority for executive management. Gaining top management support
is crucial to creating a security environment.
The recommended approach for information security management includes
setting a security policy, conducting a risk analysis, managing
those risks, setting appropriate policies and procedures, monitoring,
and developing a secure awareness and training program. The traditional
information security mechanisms include: access control, encipherment,
authentication, policies, procedures, and training.
Information security is important, but why management? As security
professionals, we must realize that technology is only part of the
solution. Security is mostly a people problem, and people need
managing. Policies, procedures, and creating an information security
centered culture in an organization can often go much farther than
technology alone can provide. Security is only as strong as the weakest
link in the system. Often, the weakest link is management. Information
security management provides managers with the appropriate information
to make decisions based on knowledge and facts, rather than feelings.
Managers no longer should make decisions based on fear, uncertainty,
and doubt, but make decisions which apply appropriate controls for
the information at risk. Appropriate means a balance between
controls/convinience, and costs of control/potential loss. Information
security should not be only a set of restrictive controls, it should
be a business enabler.
Management activities such as risk analysis, ownership, policy
creation/enforcement, procedures, should all be part of an overall
information security program. Often, the best way to approach management
is using well thought-out standards and methodologies such as ISO-17799
and the ISF Standards. Information security exists in business, only
to support business. We should realize that.
Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx
----------------------
Getting to Know Linux Security: File Permissions
Welcome to the first tutorial in the 'Getting to Know Linux Security'
series. The topic explored is Linux file permissions. It offers an
easy to follow explanation of how to read permissions, and how to set
them using chmod. This guide is intended for users new to Linux
security, therefore very simple. If the feedback is good, I'll
consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.
Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/
---
The Tao of Network Security Monitoring: Beyond Intrusion Detection
To be honest, this was one of the best books that I've read on network
security. Others books often dive so deeply into technical discussions,
they fail to provide any relevance to network engineers/administrators
working in a corporate environment. Budgets, deadlines, and flexibility
are issues that we must all address. The Tao of Network Security
Monitoring is presented in such a way that all of these are still
relevant. One of the greatest virtues of this book is that is offers
real-life technical examples, while backing them up with relevant case
studies.
http://www.linuxsecurity.com/content/view/118106/49/
---
Encrypting Shell Scripts
Do you have scripts that contain sensitive information like
passwords and you pretty much depend on file permissions to keep
it secure? If so, then that type of security is good provided
you keep your system secure and some user doesn't have a "ps -ef"
loop running in an attempt to capture that sensitive info (though
some applications mask passwords in "ps" output).
http://www.linuxsecurity.com/content/view/117920/49/
--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Conectiva | ----------------------------//
+---------------------------------+
* Conectiva: gaim Fixes for gaim's vulnerabilities
14th, March, 2005
Gaim[1] is a multi-protocol instant messaging (IM) client.
This announcement fixes three denial of service vulnerabilities that
were encountered in Gaim.
http://www.linuxsecurity.com/content/view/118571
* Conectiva: kdenetwork Fix for kppp vulnerability
16th, March, 2005
kppp[1] is the KDE[2] internet dialer. This announcement fixes a
privileged file descriptors leak vulnerability[3,4] which could
allow local attackers to hijack a system's domain name
resolution function.
http://www.linuxsecurity.com/content/view/118617
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
* Debian: New squirrelmail package fixes regression
14th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118572
* Debian: New luxman packages fix local root exploit
14th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118574
+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+
* Fedora Core 3 Update: hwbrowser-0.20-0.fc3.1
11th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118553
* Fedora Core 3 Update: at-3.1.8-68_FC3
11th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118554
* Fedora Core 3 Update: bind-9.2.5-1
11th, March, 2005
Upgraded to ISC BIND 9.2.5 (final release) o Added libbind man-pages
(see 'man libbind-resolver', 'man libbind-irs.conf') o Fixed libbind
h_errno handling (bug 150288)
http://www.linuxsecurity.com/content/view/118555
* Fedora Core 2 Update: openoffice.org-1.1.3-9.4.0.fc2
14th, March, 2005
This update makes the Fedora Core 2 version of OpenOffice.org
equivalent to the version in Fedora Core 3.
http://www.linuxsecurity.com/content/view/118575
* Fedora Core 3 Update: openoffice.org-1.1.3-9.5.0.fc3
14th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118576
* Fedora Core 3 Update: NetworkManager-0.3.4-1.1.0.fc3
14th, March, 2005
Many fixes. Check the changelog for details.
http://www.linuxsecurity.com/content/view/118577
* Fedora Core 3 Update: at-3.1.8-68_FC3
14th, March, 2005
Added check in at(1) to verify if atd PAM authentication will
succeed; Job submission will be denied if atd PAM authentication
fails.
http://www.linuxsecurity.com/content/view/118578
* Fedora Core 2 Update: ipsec-tools-0.5-2.fc2
14th, March, 2005
This update fixes a potential DoS in parsing ISAKMP headers in
racoon. (CAN-2005-0398)
http://www.linuxsecurity.com/content/view/118585
* Fedora Core 3 Update: ipsec-tools-0.5-2.fc3
14th, March, 2005
This update fixes a potential DoS in parsing ISAKMP headers in
racoon. (CAN-2005-0398)
http://www.linuxsecurity.com/content/view/118586
* Fedora Core 3 Update: sylpheed-1.0.3-0.FC3
15th, March, 2005
Updated pacakge.
http://www.linuxsecurity.com/content/view/118593
* Fedora Core 3 Update: koffice-1.3.5-0.FC3.2
15th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118594
* Fedora Core 3 Update: qt-3.3.4-0.fc3.0
15th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118595
* Fedora Core 3 Update: ImageMagick-6.0.7.1-5.fc3
15th, March, 2005
The updated packages fix a bug which could cause segfaults when
writing TIFF images to the standard output.
http://www.linuxsecurity.com/content/view/118598
* Fedora Core 3 Update: ethereal-0.10.10-1.FC3.1
16th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118612
* Fedora Core 2 Update: ethereal-0.10.10-1.FC2.1
16th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118613
* Fedora Core 3 Update: system-config-samba-1.2.28-0.fc3.1
16th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118614
* Fedora Core 3 Update: kdenetwork-3.3.1-3
16th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118615
* Fedora Core 3 Update: udev-039-10.FC3.7
16th, March, 2005
Fixed DRI permissions and SCSI hotplug replay in start_udev.
http://www.linuxsecurity.com/content/view/118616
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
* Gentoo: X.org libXpm vulnerability
12th, March, 2005
A new vulnerability has been discovered in libXpm, which is included
in X.org, that can potentially lead to remote code execution.
http://www.linuxsecurity.com/content/view/118556
* Gentoo: Ethereal Multiple vulnerabilities
12th, March, 2005
Multiple vulnerabilities exist in Ethereal, which may allow an
attacker to run arbitrary code or crash the program.
http://www.linuxsecurity.com/content/view/118557
* Gentoo: libexif Buffer overflow vulnerability
12th, March, 2005
libexif fails to validate certain inputs, making it vulnerable to
buffer overflows.
http://www.linuxsecurity.com/content/view/118558
* Gentoo: Ringtone Tools Buffer overflow vulnerability
15th, March, 2005
The Ringtone Tools utilities contain a buffer overflow vulnerability,
potentially leading to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118591
* Gentoo: Perl rmtree and DBI tmpfile vulnerabilities
15th, March, 2005
The rmtree race conditions were only partly fixed in the original
GLSA. New versions of dev-lang/perl have been released to address the
remaining issues (CAN-2005-0448). The updated sections appear below.
http://www.linuxsecurity.com/content/view/118592
* Gentoo: Ringtone Tools Buffer overflow vulnerability
15th, March, 2005
The Ringtone Tools utilities contain a buffer overflow vulnerability,
potentially leading to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118597
* Gentoo: MySQL Multiple vulnerabilities
16th, March, 2005
MySQL contains several vulnerabilities potentially leading to the
overwriting of local files or to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118610
* Gentoo: curl NTLM response buffer overflow
16th, March, 2005
curl is vulnerable to a buffer overflow which could lead to the
execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118611
+---------------------------------+
| Distribution: Mandrake | ----------------------------//
+---------------------------------+
* Mandrake: Updated lvm2 packages fix
14th, March, 2005
A bug in the lvm2 packages caused it to recurse symlinked directories
indefinitely which caused lvm commands to be really slow or timeout.
A patch has been applied to correct this problem.
http://www.linuxsecurity.com/content/view/118587
* Mandrake: Updated cyrus-sasl packages
15th, March, 2005
A buffer overflow was discovered in cyrus-sasl's digestmd5 code.
This could lead to a remote attacker executing code in the context of
the service using SASL authentication. This vulnerability was fixed
upstream in version 2.1.19. The updated packages are patched to deal
with this issue.
http://www.linuxsecurity.com/content/view/118599
* Mandrake: Updated gnupg packages fix
15th, March, 2005
The OpenPGP protocol is vulnerable to a timing-attack in order to
gain plain text from cipher text. The timing difference appears as a
side effect of the so-called "quick scan" and is only exploitable on
systems that accept an arbitrary amount of cipher text for automatic
decryption.
http://www.linuxsecurity.com/content/view/118600
* Mandrake: Updated ethereal packages
15th, March, 2005
A number of issues were discovered in Ethereal versions prior to
0.10.10, which is provided by this update.
http://www.linuxsecurity.com/content/view/118601
* Mandrake: Updated openslp packages fix
15th, March, 2005
An audit by the SUSE Security Team of critical parts of the OpenSLP
package revealed various buffer overflow and out of bounds memory
access issues. These problems can be triggered by remote attackers
by sending malformed SLP packets. The packages have been patched
to prevent these problems.
http://www.linuxsecurity.com/content/view/118602
* Mandrake: Updated evolution packages
16th, March, 2005
It was discovered that certain types of messages could be used to
crash the Evolution mail client. Fixes have been applied to correct
this behaviour.
http://www.linuxsecurity.com/content/view/118618
* Mandrake: Updated kdelibs packages fix
16th, March, 2005
A vulnerability in dcopserver was discovered by Sebastian Krahmer of
the SUSE security team. A local user can lock up the dcopserver of
other users on the same machine by stalling the DCOP authentication
process, causing a local Denial of Service.
http://www.linuxsecurity.com/content/view/118619
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
* RedHat: Important: gaim security update
10th, March, 2005
An updated gaim package that fixes various security issues as well as
a number of bugs is now available. This update has been rated as having
important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118548
* RedHat: Moderate: tetex security update
16th, March, 2005
Updated tetex packages that resolve security issues are now available
for Red Hat Enterprise Linux 4. This update has been rated as
having moderate security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/118607
* RedHat: Low: postfix security update
16th, March, 2005
Updated postfix packages that include a security fix and two other
bug fixes are now available for Red Hat Enterprise Linux 4.
This update has been rated as having low security impact by the
Red Hat Security Response Team
http://www.linuxsecurity.com/content/view/118608
* RedHat: Moderate: squid security update
16th, March, 2005
An updated squid package that fixes a denial of service issue is now
available for Red Hat Enterprise Linux 4. This update has been rated
as having moderate security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/118609
+---------------------------------+
| Distribution: SuSE | ----------------------------//
+---------------------------------+
* SuSE: openslp (SUSE-SA:2005:015)
14th, March, 2005
The SUSE Security Team reviewed critical parts of the OpenSLP
package, an open source implementation of the Service Location
Protocol (SLP).
http://www.linuxsecurity.com/content/view/118573
* SuSE: multiple Mozilla Firefox
16th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118606
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
