Linux Advisory Watch - June 24th 2005

+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  June 24th, 2005                            Volume 6, Number 25a    |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for elinks, mikmod, tcpdump,
parted, system-config-securitylevel, checkpolicy, spamassassin,
gaim, ruby, arts, kde, util-linux, sudo, gawk, mc, pilot-link,
alsa-utils, jpilot, ImageMagick, hwdata, webapp, cpio,
squirrelmail, and bzip2.  The distributors include Fedora,
Gentoo, and Red Hat.

---

## Internet Productivity Suite: Open Source Security ##
Trust Internet Productivity Suite's open source architecture to
give you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital
security engineers implement the most technologically advanced
ideas and methods into their design.

Click to find out more!
http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml

---

SPF: Ready for Prime Time, Part II
By: Pete O'Hara

Spammers are Using SPF

By now it is no secret that spammers publish their own SPF records to
pass the check; once their domains end up on a URI block list, they
discard them and start over with new domains and new SPF records.
Future solutions such as "reputation" schemes (e.g. the Aspen
Framework) that judge a domain's credibility may address this, but
none is in place at this time.
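As an added example (not part of Pete O'Hara's article), a minimal SPF
evaluator over constructed records: a throwaway domain's record passes
SPF exactly as a legitimate one does, so the SPF result has to be
combined with a block-list or reputation lookup. The domains, records
and block list are constructed here, and only ip4/ip6/all mechanisms
are evaluated.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (no real queries are made).
FAKE_TXT = {
    "legit.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "throwaway.example": "v=spf1 ip4:198.51.100.7 -all",
    "nospf.example": None,
}

# Constructed stand-in for the "URI block list" the article mentions.
FAKE_BLOCKLIST = {"throwaway.example"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, txt_lookup=FAKE_TXT.get):
    """Evaluate the ip4/ip6/all mechanisms of a domain's SPF record.

    Returns pass/fail/softfail/neutral/none/permerror. The a, mx, include
    and other mechanisms are deliberately not implemented in this example.
    """
    record = txt_lookup(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


def classify_sender(domain, client_ip, blocklist=FAKE_BLOCKLIST):
    """SPF answers "may this host send for this domain", not "is this
    domain trustworthy"; a block-list hit overrides even an SPF pass."""
    spf = check_spf(domain, client_ip)
    if domain in blocklist:
        return "reject-blocklisted"
    if spf == "fail":
        return "reject-spf-fail"
    return "accept-" + spf
```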

Why isn't there a standard for SPF?

The MARID group (MTA Authorization Records in DNS) was created by
the IETF (The Internet Engineering Task Force) to "produce a standard
in the area of DNS-stored policies related to and accessible by MTAs."
Because the participants could not agree on a solution, the MARID group
was dissolved, as reported in an email from the IESG secretary
(http://www.imc.org/ietf-mxcomp/mail-archive/msg05061.html): "From
the outset, however, the working group participants have had fundamental
disagreements on the nature of the record to be provided and the
mechanism by which it would be checked. Technical discussion of the
merits of these mechanisms has not swayed their proponents, and what
data is available on existing deployments has not made one choice
obviously superior. Each represents trade-offs, and the working group
has not succeeded in establishing which trade-offs are the most
appropriate for this purpose. These assessments have been difficult
in part because they have been moved out of the realm of pure
engineering by the need to evaluate IPR and licensing related to at
least one proposal in the light of a variety of licenses associated
with the deployed base of MTAs."

It seems that the problem came down to the "last call", when a proposed
solution to MARID (Sender ID) included the PRA (Purported Responsible
Address) algorithm, to which Microsoft claimed intellectual property
rights. Microsoft was willing to allow free use, but only in conjunction
with a patent license. Most of the MARID participants objected to this,
and rightfully so; many strongly suspected an intention to gain control
over another piece of the industry.

The Future

The future of email sender verification has several possibilities,
among them Yahoo's "DomainKeys", Cisco's "IIM" (Identified Internet
Mail), a combination of the two referred to as "DKIM", the "Aspen
Framework" (which incorporates second-generation "Unified" SPF) and
CSV (Client SMTP Verification). Here is a brief rundown of these
proposals.

Read Entire Article:
http://infocenter.guardiandigital.com/documentation/spf.html

----------------------

Measuring Security IT Success

In a time where budgets are constrained and Internet threats are
on the rise, it is important for organizations to invest in network
security applications that will not only provide them with powerful
functionality but also a rapid return on investment.

http://www.linuxsecurity.com/content/view/118817/49/

---

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security'
series.  The topic explored is Linux file permissions.  It offers an
easy-to-follow explanation of how to read permissions and how to set
them using chmod.  This guide is intended for users new to Linux
security and is therefore very simple.  If the feedback is good, I'll
consider creating more complex guides for advanced users.  Please
let us know what you think and how these can be improved.

Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network
security. Other books often dive so deeply into technical discussions
that they fail to provide any relevance to network engineers and
administrators working in a corporate environment. Budgets, deadlines,
and flexibility are issues that we must all address. The Tao of Network
Security Monitoring is presented in such a way that all of these are
still relevant. One of the greatest virtues of this book is that it
offers real-life technical examples, while backing them up with
relevant case studies.

http://www.linuxsecurity.com/content/view/118106/49/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: elinks-0.10.3-3.1
  16th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119321


* Fedora Core 4 Update: mikmod-3.1.6-35.FC4
  16th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119322


* Fedora Core 4 Update: tcpdump-3.8.2-13.FC4
  16th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119323


* Fedora Core 4 Update: parted-1.6.22-3.FC4
  16th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119324


* Fedora Core 4 Update: system-config-securitylevel-1.5.8.1-1
  16th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119325


* Fedora Core 3 Update: checkpolicy-1.17.5-1.2
  16th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119327


* Fedora Core 3 Update: selinux-policy-targeted-1.17.30-3.9
  16th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119328


* Fedora Core 3 Update: spamassassin-3.0.4-1.fc3
  16th, June, 2005

Important update for a Denial of Service vulnerability, plus more
bug fixes from upstream.  More details available at:
http://wiki.apache.org/spamassassin/NextRelease

http://www.linuxsecurity.com/content/view/119332


* Fedora Core 4 Update: spamassassin-3.0.4-1.fc4
  16th, June, 2005

Important update for a Denial of Service vulnerability, plus more
bug fixes from upstream.  More details available at:
http://wiki.apache.org/spamassassin/NextRelease

http://www.linuxsecurity.com/content/view/119333


* Fedora Core 3 Update: gaim-1.3.1-0.fc3
  16th, June, 2005

More bug and denial of service fixes.

http://www.linuxsecurity.com/content/view/119334


* Fedora Core 4 Update: gaim-1.3.1-0.fc4
  16th, June, 2005

More bug and denial of service fixes.

http://www.linuxsecurity.com/content/view/119335


* Fedora Core 4 Update: ruby-1.8.2-7.fc4.1
  16th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119338


* Fedora Core 3 Update: ruby-1.8.2-1.fc3.2
  16th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119339


* Fedora Core 4 Update: arts-1.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119342


* Fedora Core 4 Update: kdelibs-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119343


* Fedora Core 4 Update: kdebase-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119344


* Fedora Core 4 Update: kdemultimedia-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119345


* Fedora Core 4 Update: kdesdk-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119346


* Fedora Core 4 Update: kdeaccessibility-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119347


* Fedora Core 4 Update: kdeaddons-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119348


* Fedora Core 4 Update: kdeartwork-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119349


* Fedora Core 4 Update: kdebindings-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119350


* Fedora Core 4 Update: kdeedu-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119351


* Fedora Core 4 Update: kdegames-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119352


* Fedora Core 4 Update: kdegraphics-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119353


* Fedora Core 4 Update: kdenetwork-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119354


* Fedora Core 4 Update: kdepim-3.4.1-0.fc4.2
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119355


* Fedora Core 4 Update: kdeutils-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119356


* Fedora Core 4 Update: kdevelop-3.2.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119357


* Fedora Core 4 Update: kdewebdev-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119358


* Fedora Core 4 Update: kdeadmin-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119359


* Fedora Core 4 Update: kde-i18n-3.4.1-0.fc4.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119360


* Fedora Core 4 Update: util-linux-2.12p-9.5
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119363


* Fedora Core 4 Update: sudo-1.6.8p8-2.1
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119364


* Fedora Core 4 Update: gawk-3.1.4-5.2
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119365


* Fedora Core 3 Update: util-linux-2.12a-24.3
  17th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119366


* Fedora Core 4 Update: mc-4.6.1a-0.10.FC4
  20th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119373


* Fedora Core 4 Update: pilot-link-0.12.0-0.pre3.0.fc4.1
  20th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119374


* Fedora Core 4 Update: selinux-policy-targeted-1.23.18-12
  20th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119375


* Fedora Core 4 Update: alsa-lib-1.0.9rf-2.FC4
  21st, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119377


* Fedora Core 4 Update: alsa-utils-1.0.9rf-2.FC4
  21st, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119378


* Fedora Core 4 Update: system-config-soundcard-1.2.12-2
  21st, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119379


* Fedora Core 4 Update: jpilot-0.99.8-0.pre9.fc4.1
  21st, June, 2005

This is a new upstream version which is compatible with the new fc4
pilot-link version.

http://www.linuxsecurity.com/content/view/119380


* Fedora Core 3 Update: ruby-1.8.2-1.fc3.3
  21st, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119385


* Fedora Core 4 Update: ruby-1.8.2-7.fc4.2
  21st, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119386


* Fedora Core 4 Update: ImageMagick-6.2.2.0-3.fc4.0
  21st, June, 2005

The package version numbers of the ImageMagick package could
cause upgrades from FC3 to FC4 to miss the newer ImageMagick
package in FC4.

http://www.linuxsecurity.com/content/view/119387


* Fedora Core 3 Update: sudo-1.6.7p5-30.3
  21st, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119388


* Fedora Core 4 Update: sudo-1.6.8p8-2.2
  21st, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119389


* Fedora Core 4 Update: hwdata-0.158.1-1
  22nd, June, 2005

This update adds the hisax modules to the hotplug blacklist; this
ensures they aren't loaded at boot, so that the ISDN script can load
them. This works around the problems created by the ISDN module
configuration parameters being written to /etc/sysconfig/isdncard
instead of /etc/modprobe.conf.

http://www.linuxsecurity.com/content/view/119399




+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: webapp-config Insecure temporary file handling
  17th, June, 2005

The webapp-config utility insecurely creates temporary files in a
world writable directory, potentially allowing the execution of
arbitrary commands.

http://www.linuxsecurity.com/content/view/119341


* Gentoo: Sun and Blackdown Java Applet privilege escalation
  19th, June, 2005

Sun's and Blackdown's JDK or JRE may allow untrusted applets to
elevate their privileges.

http://www.linuxsecurity.com/content/view/119367


* Gentoo: PeerCast Format string vulnerability
  19th, June, 2005

PeerCast suffers from a format string vulnerability that could allow
arbitrary code execution.

http://www.linuxsecurity.com/content/view/119368


* Gentoo: cpio Directory traversal vulnerability
  19th, June, 2005

cpio contains a flaw which may allow a specially crafted cpio archive
to extract files to an arbitrary directory.

http://www.linuxsecurity.com/content/view/119370


* Gentoo: SpamAssassin 3, Vipul's Razor Denial of Service vulnerability
  21st, June, 2005

SpamAssassin and Vipul's Razor are vulnerable to a Denial of Service
attack when handling certain malformed messages.

http://www.linuxsecurity.com/content/view/119376


* Gentoo: Tor Information disclosure
  21st, June, 2005

A flaw in Tor may allow the disclosure of arbitrary memory portions.

http://www.linuxsecurity.com/content/view/119390


* Gentoo: SquirrelMail Several XSS vulnerabilities
  21st, June, 2005

Squirrelmail is vulnerable to several cross-site scripting
vulnerabilities which could lead to a compromise of webmail accounts.

http://www.linuxsecurity.com/content/view/119391


* Gentoo: Cacti Several vulnerabilities
  22nd, June, 2005

Cacti is vulnerable to several SQL injection and file inclusion
vulnerabilities.

http://www.linuxsecurity.com/content/view/119396


* Gentoo: Trac File upload vulnerability
  22nd, June, 2005

Trac may allow remote attackers to upload files, possibly leading to
the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/119398


* Gentoo: sudo Arbitrary command execution
  23rd, June, 2005

A vulnerability in sudo may allow local users to elevate privileges.

http://www.linuxsecurity.com/content/view/119400



+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Low: bzip2 security update
  16th, June, 2005

Updated bzip2 packages that fix multiple issues are now available.
This update has been rated as having low security impact by the Red
Hat Security Response Team.

http://www.linuxsecurity.com/content/view/119329


* RedHat: Moderate: mc security update
  16th, June, 2005

Updated mc packages that fix several security issues are now
available for Red Hat Enterprise Linux 2.1.  This update has
been rated as having moderate security impact by the Red Hat
Security Response Team.

http://www.linuxsecurity.com/content/view/119330


* RedHat: Moderate: gaim security update
  16th, June, 2005

An updated gaim package that fixes two denial of service issues is
now available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/119331


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

