+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| April 29th, 2005 Volume 6, Number 17a |
+---------------------------------------------------------------------+
Editors: Dave Wreski Benjamin D. Thomas
dave@xxxxxxxxxxxxxxxxx ben@xxxxxxxxxxxxxxxxx
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
This week, articles were released for squid, gaim, evolution,
junkbuster, samba, cvs, kdelibs, libtiff, mc, dia, cyrus, ImageMagik,
openMosixview, kimgio, convert-UUlib, kernel, shareutils, and mozilla.
Distributors include Conectiva, Debian, Fedora, Gentoo, Red Hat,
and SuSE.
---
FREE ANTI-SPAM EVALUATION: Roaring Penguin Software
At last! An anti-spam solution that lets you stop spam on YOUR terms
by giving you full control over its setup and administration. CanIt-PRO
provides you with as much (or as little!) administrative and end-user
control as you want. Try a free 20-day evaluation and test it out
yourself.
Download your copy today:
http://www.roaringpenguin.com/promo/freecaniteval.php?id=linuxsecuritywneval0305
---
Sarbanes-Oxley Act, Part I
By: Erica R. Thomas
Looking at the integrity and accountability of financial reporting
has become headline news. Widely publicized financial scandals
have caused damage to investor, employee, and customer confidence.
Government and regulatory agencies have enacted and are starting
to enforce new regulations for corporate governance to restore
confidence and trust. The response from the United States government
regarding the Enron, WorldCom, and Tyco accounting scandals of the
late 1990's was the Sarbanes-Oxley Act (The Act) of 2002. It
establishes standards for maintaining and preserving electronic
and paper records in addition to the accountability of corporate
executives, employees, and auditors. The Act contains11 titles
and also established new standards for corporate accountability
and penalties of fines and imprisonment. Under the act, companies
must validate financial statements, maintain auditing practices,
report on the effectiveness of the internal controls, and assure
integrity and timeliness of data.
The main purpose of the legislation is to make organizations and
their executives be held responsible for the validity of corporate
reporting. The reporting requires all companies with public
interests to require executives to attest to the accuracy of the
financial conditions and disclosure of internal weaknesses. An
article written by Guardian Digital Inc. says that, "As mandated
by SOX (the Sarbanes-Oxley Act), corporations can accommodate these
regulations through the design, implementation, and maintenance of
efficient and effective internal controls."
There are many sections to the SOA that President Bush signed.
According to Mathew Bender in the book, "The Sarbanes Oxley Act of
2002 with Analysis", SOA contains two provisions requiring CEOs
and CFOs to certify certain SEC filings. The first section requires
them to certify that annual and quarterly reports have been reviewed
by themselves, does not contain any untrue statement or omit to
state a material fact, information fairly represents the situation,
and they must disclose any deficiencies or changes to the internal
controls. The second section requires that when a report is filed,
the CEO or CFO must have a written statement saying that fully
complies with the requirements and that it fairly represents the
financial and operational results. If they certify the report knowing
that it is false, they can face criminal penalties.
Part II coming May 6th 2003
----------------------
Measuring Security IT Success
In a time where budgets are constrained and Internet threats are
on the rise, it is important for organizations to invest in network
security applications that will not only provide them with powerful
functionality but also a rapid return on investment.
In most organizations IT success is generally calculated through
effectiveness, resource usage and, most importantly, how quickly the
investment can be returned. To correctly quantify the ROI of
information technology, organizations usually measure cost savings
and increased profits since the initial implementation. Additionally,
ROI can also be affected based on the overall impact the investment
has on employee productivity and overall work environment of the company.
http://www.linuxsecurity.com/content/view/118817/49/
---
Getting to Know Linux Security: File Permissions
Welcome to the first tutorial in the 'Getting to Know Linux Security'
series. The topic explored is Linux file permissions. It offers an
easy to follow explanation of how to read permissions, and how to set
them using chmod. This guide is intended for users new to Linux
security, therefore very simple. If the feedback is good, I'll
consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.
Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/
---
The Tao of Network Security Monitoring: Beyond Intrusion Detection
To be honest, this was one of the best books that I've read on network
security. Others books often dive so deeply into technical discussions,
they fail to provide any relevance to network engineers/administrators
working in a corporate environment. Budgets, deadlines, and flexibility
are issues that we must all address. The Tao of Network Security
Monitoring is presented in such a way that all of these are still
relevant. One of the greatest virtues of this book is that is offers
real-life technical examples, while backing them up with relevant case
studies.
http://www.linuxsecurity.com/content/view/118106/49/
--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Conectiva | ----------------------------//
+---------------------------------+
* Conectiva: squid Fixes for multiple squid vulnerabilities
27th, April, 2005
Squid[1] is a full-featured web proxy cache.
This announcement upgrades Squid from 2.5STABLE5 to 2.5STABLE9 in
order to fix bug #13718[2] and also fixes the two following
vulnerabilities.
http://www.linuxsecurity.com/content/view/118996
* Conectiva: gaim Fixes for gaim's vulnerabilities
27th, April, 2005
Gaim[1] is a multi-protocol instant messaging (IM) client.
This announcement fixes three denial of service vulnerabilities that
were encountered in Gaim.
http://www.linuxsecurity.com/content/view/118997
* Conectiva: evolution Fix for Evolution vulnerability
27th, April, 2005
Evolution[1] is the GNOME mailer, calendar, contact manager and
communications tool. This announcement fixes an issue[2] in
Evolution which caused it to crash when displaying certain message
types.
http://www.linuxsecurity.com/content/view/118999
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
* Debian: New junkbuster packages fix several vulnerabilities
21st, April, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118945
* Debian: New samba packages fix correct sporadic crash
21st, April, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118946
* Debian: New cvs packages fix unauthorised repository access
27th, April, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118987
* Debian: New kdelibs packages fix arbitrary code execution
26th, April, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118979
* Debian: New gaim packages fix denial of service
27th, April, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118988
* Debian: New lsh packages fix several vulnerabilities
27th, April, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118989
+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+
* Fedora Core 3 Update: libtiff-3.6.1-10.fc3
21st, April, 2005
The tools shipped in the libtiff package were missing
the JPEG support, even though the library was compiled
with JPEG support turned on.
http://www.linuxsecurity.com/content/view/118948
* Fedora Core 3 Update: mc-4.6.1-0.14.FC3
22nd, April, 2005
Updated package.
http://www.linuxsecurity.com/content/view/118957
* Fedora Core 3 Update: evolution-2.0.4-4
22nd, April, 2005
Updated packages.
http://www.linuxsecurity.com/content/view/118963
* Fedora Core 3 Update: net-snmp-5.2.1-10.FC3
26th, April, 2005
New upstream version + several 64bit issues fixed
http://www.linuxsecurity.com/content/view/118977
* Fedora Core 3 Update: dia-0.94-5.fc3
26th, April, 2005
rebuild of dia to clear use of incompatible abi
http://www.linuxsecurity.com/content/view/118978
* Fedora Core 3 Update: cyrus-imapd-2.2.12-1.1.fc3
27th, April, 2005
Several buffer overflow bugs were found in cyrus-imapd. It is
possible that an authenticated malicious user could cause the
imap server to crash. Additionally, a peer news admin could
potentially execute arbitrary code on the imap server when news
is received using the fetchnews command.
http://www.linuxsecurity.com/content/view/119000
* Fedora Core 3 Update: ImageMagick-6.2.2.0-1.fc3
27th, April, 2005
The update fixes a possible heap corruption issue in the
pnm decoder. It also includes a number of other bug fixes
and improvements.
http://www.linuxsecurity.com/content/view/119002
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
* Gentoo: openMosixview Insecure temporary file creation
21st, April, 2005
openMosixview and the openMosixcollector daemon are vulnerable to
symlink attacks, potentially allowing a local user to overwrite
arbitrary files.
http://www.linuxsecurity.com/content/view/118944
* Gentoo: CVS Multiple vulnerabilities
22nd, April, 2005
The initial version did not fix several DoS vulnerabilities and one
instance of arbitrary code execution. The arbitrary code execution
was only possible under very specific circumstances. The updated
sections appear below.
http://www.linuxsecurity.com/content/view/118953
* Gentoo: gettext Insecure temporary file handling
22nd, April, 2005
gettext version 0.14.1 reintroduced an old vulnerability by failing
to apply the proper patch. The updated sections appear below.
http://www.linuxsecurity.com/content/view/118954
* Gentoo: RealPlayer, Helix Player Buffer overflow vulnerability
22nd, April, 2005
RealPlayer and Helix Player are vulnerable to a buffer overflow that
could lead to remote execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118955
* Gentoo: KDE kimgio PCX handling buffer overflow
22nd, April, 2005
KDE fails to properly validate input when handling PCX images,
potentially resulting in the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118958
* Gentoo: Kommander Insecure remote script execution
22nd, April, 2005
Kommander executes remote scripts without confirmation, potentially
resulting in the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118959
* Gentoo: eGroupWare XSS and SQL injection vulnerabilities
25th, April, 2005
eGroupWare is affected by several SQL injection and cross-site
scripting (XSS) vulnerabilities.
http://www.linuxsecurity.com/content/view/118971
* Gentoo: Rootkit Hunter Insecure temporary file creation
26th, April, 2005
Rootkit Hunter is vulnerable to symlink attacks, potentially allowing
a local user to overwrite arbitrary files.
http://www.linuxsecurity.com/content/view/118983
* Gentoo: Convert-UUlib Buffer overflow
26th, April, 2005
A buffer overflow has been reported in Convert-UUlib, potentially
resulting in the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118984
* Gentoo: xine-lib Two heap overflow vulnerabilities
26th, April, 2005
Two vulnerabilities have been found in xine-lib which could lead to
the remote execution of arbitrary code.
http://www.linuxsecurity.com/content/view/118985
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
* RedHat: Important: firefox security update
21st, April, 2005
Updated firefox packages that fix various security bugs are now
available. This update has been rated as having Important security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118941
* RedHat: Important: kernel security update
22nd, April, 2005
Updated kernel packages that fix several security issues in the Red
Hat Enterprise Linux 3 kernel are now available. This security
advisory has been rated as having important security impact by
the Red Hat Security Response Team. The Linux kernel handles the
basic functions of the operating system.
http://www.linuxsecurity.com/content/view/118961
* RedHat: Important: openoffice.org security update
26th, April, 2005
Updated openoffice.org packages are now available.
This update has been rated as having important security impact by the
Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118974
* RedHat: Moderate: cvs security update
26th, April, 2005
An updated cvs package that fixes security bugs is now available.
This update has been rated as having moderate security impact by the
Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118975
* RedHat: Low: sharutils security update
26th, April, 2005
An updated sharutils package is now available.
This update has been rated as having low security impact by
the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118981
* RedHat: Important: Mozilla security update
26th, April, 2005
Updated mozilla packages that fix various security bugs are now
available. This update has been rated as having Important security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/118982
+---------------------------------+
| Distribution: SuSE | ----------------------------//
+---------------------------------+
* SuSE: Mozilla Firefox, Mozilla various
27th, April, 2005
Several problems have been fixed with the security update releases
of the Mozilla Firefox 1.0.3 web browser and the Mozilla Suite
1.7.7.
http://www.linuxsecurity.com/content/view/118993
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
