+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| March 25th, 2005 Volume 6, Number 12a |
+---------------------------------------------------------------------+
Editors: Dave Wreski Benjamin D. Thomas
dave@xxxxxxxxxxxxxxxxx ben@xxxxxxxxxxxxxxxxx
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
This week, advisories were released for cyrus-imapd, curl, xloadimage,
xli, PERL, slypheed, libgal2, libsoup, evolution, gimp, procps, lsof,
lockdev, xloadimage, mailman, boost, kdelibs, firefox, thunderbird,
mozilla, devhelp, epiphany, rxvt, LTris, MySQL, ethereal, ipsec-tools,
and ImageMagick. The distributors include Conectiva, Debian, Fedora,
Genotoo, Mandrake, Red Hat, and SuSE.
---
>> Enterprise Security for the Small Business <<
Never before has a small business productivity solution been designed
with such robust security features. Engineered with security as a main
focus, the Guardian Digital Internet Productivity Suite is the
cost-effective solution small businesses have been waiting for.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07
---
Authentication: Passwords
For most, the subject of passwords is novel. However, it is
important to take a step back and analyze their strengths,
weaknesses, and alternatives.
Using only passwords as a method of authentication is often
insufficient for critical data because they fundamentally have
weaknesses. Several of those include: users pick easy to guess
words, users often voluntarily give them away in order to make
work easier, and passwords are often easily intercepted. Many
applications/protocols that are still in use send passwords in
cleartext. A weak password is the equivalent of a faulty lock
on a safe. Passwords do not guarantee security, only increase
the time required to access data or information.
System administrators can improve password security for users
in several ways. First, a limit on log-in attempts should be
set. For example, user ids should be locked after a number of
failed login attempts. Next, passwords should have strength
requirements set. For example, passwords should have a minimum
length, special characters and capitalizations should be
required, and they should be checked against a dictionary
file. Password security can also be improved if there are
expiration dates set and passwords are not reused
consecutively.
Biometrics and other forms of authentication in addition to
passwords can dramatically increase security. Having a
second line of defense is critical. For example, ssh security
can be improved by using key-authentication and IP based
access controls. Passwords are slowly becoming obsolete with
improvements in technology, but will remain in use for many
years. Next week, I'll discuss how using single sign-on
mechanisms can improve password security and management
for users.
Until next time, cheers!
Benjamin D. Thomas
----------------------
Getting to Know Linux Security: File Permissions
Welcome to the first tutorial in the 'Getting to Know Linux Security'
series. The topic explored is Linux file permissions. It offers an
easy to follow explanation of how to read permissions, and how to set
them using chmod. This guide is intended for users new to Linux
security, therefore very simple. If the feedback is good, I'll
consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.
Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/
---
The Tao of Network Security Monitoring: Beyond Intrusion Detection
To be honest, this was one of the best books that I've read on network
security. Others books often dive so deeply into technical discussions,
they fail to provide any relevance to network engineers/administrators
working in a corporate environment. Budgets, deadlines, and flexibility
are issues that we must all address. The Tao of Network Security
Monitoring is presented in such a way that all of these are still
relevant. One of the greatest virtues of this book is that is offers
real-life technical examples, while backing them up with relevant case
studies.
http://www.linuxsecurity.com/content/view/118106/49/
---
Encrypting Shell Scripts
Do you have scripts that contain sensitive information like
passwords and you pretty much depend on file permissions to keep
it secure? If so, then that type of security is good provided
you keep your system secure and some user doesn't have a "ps -ef"
loop running in an attempt to capture that sensitive info (though
some applications mask passwords in "ps" output).
http://www.linuxsecurity.com/content/view/117920/49/
--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Conectiva | ----------------------------//
+---------------------------------+
* Conectiva: cyrus-imapd Fix for multiple cyrus-imapd
17th, March, 2005
cyrus-imapd[1] is an IMAP and POP3 mail server with
several advanced features such as SASL authentication,
server-side mail filtering, mailbox ACLs and others.
http://www.linuxsecurity.com/content/view/118624
* Conectiva: curl Fix for cURL vulnerability
21st, March, 2005
cURL[1] is a client to get/put files from/to servers,
using any of the supported protocols.
http://www.linuxsecurity.com/content/view/118655
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
* Debian: New xloadimage packages fix several vulnerabilities
21st, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118650
* Debian: New xli packages fix several vulnerabilities
21st, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118656
* Debian: New perl packages fix privilege escalation
22nd, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118663
+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+
* Fedora Core 2 Update: sylpheed-1.0.3-0.FC2
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118626
* Fedora Core 3 Update: libgal2-2.2.5-1
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118627
* Fedora Core 3 Update: libsoup-2.2.2-1.FC3
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118628
* Fedora Core 3 Update: evolution-data-server-1.0.4-3
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118629
* Fedora Core 3 Update: evolution-2.0.4-1
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118630
* Fedora Core 3 Update: evolution-connector-2.0.4-1
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118631
* Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.89
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118632
* Fedora Core 3 Update: policycoreutils-1.18.1-2.10
17th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118633
* Fedora Core 3 Update: gimp-2.2.4-0.fc3.3
18th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118640
* Fedora Core 3 Update: procps-3.2.3-5.2
18th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118641
* Fedora Core 3 Update: lsof-4.72-2.1
18th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118642
* Fedora Core 3 Update: lockdev-1.0.1-4.1
18th, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118643
* Fedora Core 2 Update: xloadimage-4.1-34.FC2
18th, March, 2005
This update fixes CAN-2005-0638, a problem in the
parsing of shell metacharacters in filenames. It also
fixes bugs in handling of malformed TIFF and PBM/PNM/PPM
issues.
http://www.linuxsecurity.com/content/view/118644
* Fedora Core 3 Update: xloadimage-4.1-34.FC3
18th, March, 2005
This update fixes CAN-2005-0638, a problem in the
parsing of shell metacharacters in filenames. It also
fixes bugs in handling of malformed TIFF and
PBM/PNM/PPM issues.
http://www.linuxsecurity.com/content/view/118645
* Fedora Core 2 Update: mailman-2.1.5-10.fc2
22nd, March, 2005
A cross-site scripting (XSS) flaw in the driver script
of mailman prior to version 2.1.5 could allow remote
attackers to execute scripts as other web users.
http://www.linuxsecurity.com/content/view/118667
* Fedora Core 3 Update: mailman-2.1.5-32.fc3
22nd, March, 2005
A cross-site scripting (XSS) flaw in the driver
script of mailman prior to version 2.1.5 could allow
remote attackers to execute scripts as other web
users. The Common Vulnerabilities.
http://www.linuxsecurity.com/content/view/118668
* Fedora Core 3 Update: boost-1.32.0-5.fc3
22nd, March, 2005
This is a bugfix release.
http://www.linuxsecurity.com/content/view/118669
* Fedora Core 2 Update: kdelibs-3.2.2-14.FC2
23rd, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118683
* Fedora Core 3 Update: firefox-1.0.2-1.3.1
23rd, March, 2005
A buffer overflow bug was found in the way Firefox
processes GIF images. It is possible for an attacker
to create a specially crafted GIF image, which when
viewed by a victim will execute arbitrary code as
the victim.
http://www.linuxsecurity.com/content/view/118684
* Fedora Core 3 Update: kdelibs-3.3.1-2.9.FC3
23rd, March, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118685
* Fedora Core 3 Update: thunderbird-1.0.2-1.3.1
23rd, March, 2005
A buffer overflow bug was found in the way
Thunderbird processes GIF images. It is possible for
an attacker to create a specially crafted GIF image,
which when viewed by a victim will execute arbitrary
code as the victim.
http://www.linuxsecurity.com/content/view/118686
* Fedora Core 3 Update: mozilla-1.7.6-1.3.2
23rd, March, 2005
A buffer overflow bug was found in the way Mozilla
processes GIF images. It is possible for an attacker
to create a specially crafted GIF image, which when
viewed by a victim will execute arbitrary code
as the victim.
http://www.linuxsecurity.com/content/view/118687
* Fedora Core 3 Update: devhelp-0.9.2-2.3.1
23rd, March, 2005
There were several security flaws found in the
mozilla package, which devhelp depends on. Users of
devhelp are advised to upgrade to this updated package
which has been rebuilt against a later version of
mozilla which is not vulnerable to these flaws.
http://www.linuxsecurity.com/content/view/118688
* Fedora Core 3 Update: epiphany-1.4.4-4.3.1
23rd, March, 2005
There were several security flaws found in the
mozilla package, which epiphany depends on. Users
of epiphany are advised to upgrade to this updated
package which has been rebuilt against a later
version of mozilla which is not vulnerable to these
flaws.
http://www.linuxsecurity.com/content/view/118689
* Fedora Core 3 Update: evolution-2.0.4-2
23rd, March, 2005
There were several security flaws found in the
mozilla package, which evolution depends on. Users
of evolution are advised to upgrade to this updated
package which has been rebuilt against a later
version of mozilla which is not vulnerable to these
flaws.
http://www.linuxsecurity.com/content/view/118690
* Gentoo: Grip CDDB response overflow
17th, March, 2005
Grip contains a buffer overflow that can be triggered
by a large CDDB response, potentially allowing the
execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118625
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
* Gentoo: KDE Local Denial of Service
19th, March, 2005
KDE is vulnerable to a local Denial of Service attack.
http://www.linuxsecurity.com/content/view/118646
* Gentoo: rxvt-unicode Buffer overflow
20th, March, 2005
rxvt-unicode is vulnerable to a buffer overflow that
could lead to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118647
* Gentoo: LTris Buffer overflow
20th, March, 2005
LTris is vulnerable to a buffer overflow which could
lead to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118648
* Gentoo: Sylpheed, Sylpheed-claws Message reply overflow
20th, March, 2005
Sylpheed and Sylpheed-claws contain a vulnerability
that can be triggered when replying to specially
crafted messages.
http://www.linuxsecurity.com/content/view/118649
+---------------------------------+
| Distribution: Mandrake | ----------------------------//
+---------------------------------+
* Mandrake: Updated KDE packages address
21st, March, 2005
New KDE packages are available to address various
bugs. The details are as follows.
http://www.linuxsecurity.com/content/view/118661
* Mandrake: Updated MySQL packages fix
21st, March, 2005
If an authenticated user had INSERT privileges on
the 'mysql' database, the CREATE FUNCTION command
allowed that user to use libc functions to execute
arbitrary code with the privileges of the user running
the database server (mysql) (CAN-2005-0709).
http://www.linuxsecurity.com/content/view/118662
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
* RedHat: Moderate: ethereal security update
18th, March, 2005
Updated Ethereal packages that fix various security
vulnerabilities are now available. This update has been
rated as having moderate security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/118636
* RedHat: Important: sylpheed security update
18th, March, 2005
An updated sylpheed package that fixes a buffer
overflow issue is now available. This update has been
rated as having important security impact by the Red
Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118635
* RedHat: Important: mailman security update
21st, March, 2005
An updated mailman package that corrects a cross-site
scripting flaw is now available. This update has been
rated as having important security impact by the Red
Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118658
* RedHat: Important: realplayer security update
21st, March, 2005
Updated realplayer packages that fix a number of
security issues are now available for Red Hat Enterprise
Linux 3 Extras. This update has been rated as having
important security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/118659
* RedHat: Low: libexif security update
21st, March, 2005
Updated libexif packages that fix a buffer overflow
issue are now available. This update has been rated
as having low security impact by the RedHat Security
Response Team.
http://www.linuxsecurity.com/content/view/118660
* RedHat: Moderate: ImageMagick security update
23rd, March, 2005
Updated ImageMagick packages that fix a heap based
buffer overflow are now available. This update has been
rated as having moderate security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/118670
* RedHat: Moderate: ipsec-tools security update
23rd, March, 2005
An updated ipsec-tools package that fixes a bug in
parsing of ISAKMP headers is now available. This update
has been rated as having moderate security impact by
the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118671
* RedHat: Moderate: ImageMagick security update
23rd, March, 2005
Updated ImageMagick packages that fix a format string
bug are now available for Red Hat Enterprise Linux 4. This
update has been rated as having moderate security impact
by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118672
* RedHat: Important: kdelibs security update
23rd, March, 2005
Updated kdelibs packages that fix several security
issues are now available for Red Hat Enterprise Linux 4.
This update has been rated as having important security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118673
* RedHat: Critical: mozilla security update
23rd, March, 2005
Updated mozilla packages that fix various bugs are now
available. This update has been rated as having critical
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118679
* RedHat: Critical: mozilla security update
23rd, March, 2005
Updated mozilla packages that fix various bugs are
now available. This update has been rated as having
critical security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/118680
* RedHat: Critical: firefox security update
23rd, March, 2005
Updated firefox packages that fix various bugs are
now available. This update has been rated as having
critical security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/118681
* RedHat: Critical: thunderbird security update
23rd, March, 2005
Updated thunderbird packages that fix various bugs
are now available. This update has been rated as having
critical security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/118682
+---------------------------------+
| Distribution: SuSE | ----------------------------//
+---------------------------------+
* SuSE: ImageMagick problems
23rd, March, 2005
A format string vulnerability was found in the
display program which could lead to a remote attacker
being to able to execute code as the user running
display by providing handcrafted filenames of images.
This is tracked by the Mitre CVE ID CAN-2005-0397.
http://www.linuxsecurity.com/content/view/118678
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
