+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| November 11th, 2005 Volume 6, Number 46a |
+---------------------------------------------------------------------+
Editors: Dave Wreski Benjamin D. Thomas
dave@xxxxxxxxxxxxxxxxx ben@xxxxxxxxxxxxxxxxx
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
This week, advisories were released OpenSSL, httpd, Horde3,
OpenVPN, chmlib, ClamAV, libungif4, gpsdrive, awstats, kdelibs,
giflib, fetchmail, ImageMagick, scim-qtimm, e2fsprogs, drakxtools,
emacs, w3c-libwww, libungif, and flash-plugin. The distributors
include Debian, Gentoo, Mandriva, and Red Hat.
----
Earn an NSA recognized IA Masters Online
The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home
life.
http://www.msia.norwich.edu/linsec
----
SELinux Administration
By: Pax Dickinson
Hi, and welcome to the third in a series of articles on Security
Enhanced Linux. My first SELinux article detailed the background
of SELinux, while my second article in the series discussed how
SELinux makes access decisions. This week, I'll talk about how
an SELinux system differs from a standard Linux system in terms
of administration. Most of what you already know about Linux
system administration will still apply to an SELinux system,
but there are some additions and changes that are critical to
understand when using SELinux.
Permissive mode vs. Enforcing mode
There will be times when you have run into difficulty and need
to determine whether your problem stems from SELinux or not.
For just this eventuality, SELinux includes the capability of
setting its mode from enforcing to permissive and back again.
Enforcing mode is just what it sounds like, a mode that allows
SELinux to enforce policy access decisions. This is the
standard operating mode of SELinux. Permissive mode, on the
other hand, is a mode designed for development and
troubleshooting. It will still check the security policy
to see whether an attempted operation should be allowed,
and log denials to the system logs, but it will not actually
deny any operation.
To change into permissive mode, be sure you are logged in
to the sysadm_r role (see my previous article for details).
Issuing a setenforce 0 command will put the system into
permissive mode, while a setenforce 1 command will return
you to enforcing mode. To determine the current SELinux mode,
use the getenforce command.
If you want to completely disable SELinux, you can pass
selinux=0 to the kernel command line at startup, but this
is not advisable since it disables SELinux entirely and any
new files will not be labeled with the correct file context,
forcing you to relabel when you re-enable SELinux. It's
better to use permissive mode, and you can set your system
to always start up in permissive mode by editing your
/etc/selinux/config file.
File Context Labeling
SELinux file types are attched to each file on your SELinux
system using extended file attributes. The use of these
attributes is integral and required by SELinux, and has
some system administration ramifications you should be aware
of.
When formatting a new filesystem for use with SELinux, you
must use a filesystem that supports these extended attributes.
The ext2 and ext3 filesystems support extended attributes,
and the xfs filesystem also is known to work, but reiserfs
does not currently include extended attribute support.
When backing up files on an SELinux system, you need to use
a backup method that is aware of and backs up these extended
attributes. For example, the standard tar command will not
back them up, so you need to use star as a substitute. star
is an extension of the tar command, so you shouldn't run
into serious problems here, but this could have
ramifications with any backup scripts you may have
written that call the tar command.
A common cause of SELinux problems is caused by mislabeled
files. If you run into strange errors or see files that are
mislabeled, the best, most reliable way of fixing them is
to issue a touch /.autorelabel command followed by a
reboot. This will trigger a relabel upon startup of the
system, before files are opened and services are started.
The restorecon command can also be used to restore files
to their proper context, but it won't change the running
context of processes that were launched by a mislabeled
binary, so you may still run into problems.
The chcon command can be used to change the context of
a file, but if the file has a default context set in the
policy it will be reset to that default if the entire
filesystem is relabeled. chcon is most useful for testing
new file contexts before making a change permanent in
the policy, if your system depends on contexts set using
chcon you may run into trouble if you ever need to
perform a global relabeling.
Finally, it is important to be aware of the differences
between copying and moving files using the cp or mv
commands. When moving a file using mv, the destination
file will retain its original context. When copying a
file using cp, the file will inherit a new context based
on the destination directory it was copied to. This is
an important distinction that can result in trouble if
it is overlooked.
Read Entire Article:
http://www.linuxsecurity.com/content/view/120700/49/
----------------------
Linux File & Directory Permissions Mistakes
One common mistake Linux administrators make is having file and directory
permissions that are far too liberal and allow access beyond that which
is needed for proper system operations. A full explanation of unix file
permissions is beyond the scope of this article, so I'll assume you are
familiar with the usage of such tools as chmod, chown, and chgrp. If
you'd like a refresher, one is available right here on linuxsecurity.com.
http://www.linuxsecurity.com/content/view/119415/49/
---
Buffer Overflow Basics
A buffer overflow occurs when a program or process tries to store more
data in a temporary data storage area than it was intended to hold. Since
buffers are created to contain a finite amount of data, the extra
information can overflow into adjacent buffers, corrupting or overwriting
the valid data held in them.
http://www.linuxsecurity.com/content/view/119087/49/
---
Review: The Book of Postfix: State-of-the-Art Message Transport
I was very impressed with "The Book of Postfix" by authors Ralf
Hildebrandt and Pattrick Koetter and feel that it is an incredible
Postfix reference. It gives a great overall view of the operation
and management of Postfix in an extremely systematic and practical
format. It flows in a logical manner, is easy to follow and the
authors did a great job of explaining topics with attention paid
to real world applications and how to avoid many of the associated
pitfalls. I am happy to have this reference in my collection.
http://www.linuxsecurity.com/content/view/119027/49/
--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
* Debian: New OpenSSL 0.9.6 packages fix cryptographic weakness
4th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120726
* Debian: New OpenSSL packages fix cryptographic weakness
4th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120728
* Debian: New thttpd packages fix insecure temporary file
4th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120731
* Debian: New Horde3 packages fix insecure default installation
7th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120741
* Debian: New OpenVPN packages fix several vulnerabilities
7th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120742
* Debian: New squid packages fix regression
7th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120743
* Debian: New chmlib packages fix several vulnerabilities
7th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120746
* Debian: New ClamAV packages fix several vulnerabilities
7th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120747
* Debian: New OpenSSL packages fix cryptographic weakness
7th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120748
* Debian: New enigmail packages fix information disclosure
8th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120751
* Debian: New libungif4 packages fix several vulnerabilities
9th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120761
* Debian: New gpsdrive packages fix arbitrary code execution
9th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120762
* Debian: New awstats packages fix arbitrary command execution
10th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120778
* Debian: New kdelibs packages fix backup file information leak
10th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120779
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
* Gentoo: giflib Multiple vulnerabilities
4th, November, 2005
giflib may dereference NULL or write out of bounds when processing
malformed images, potentially resulting in Denial of Service or
arbitrary code execution.
http://www.linuxsecurity.com/content/view/120727
* Gentoo: ClamAV Multiple vulnerabilities
6th, November, 2005
ClamAV has many security flaws which make it vulnerable to remote
execution of arbitrary code and a Denial of Service.
http://www.linuxsecurity.com/content/view/120732
* Gentoo: GNUMP3d Directory traversal and XSS vulnerabilities
6th, November, 2005
GNUMP3d is vulnerable to directory traversal and cross-site scripting
attacks that may result in information disclosure or the compromise
of a browser.
http://www.linuxsecurity.com/content/view/120733
* Gentoo: fetchmail Password exposure in fetchmailconf
6th, November, 2005
fetchmailconf fails to properly handle file permissions, temporarily
exposing sensitive information to other local users.
http://www.linuxsecurity.com/content/view/120734
* Gentoo: OpenVPN Multiple vulnerabilities
6th, November, 2005
The OpenVPN client is potentially vulnerable to the execution of
arbitrary code and the OpenVPN server is vulnerable to a Denial of
Service issue.
http://www.linuxsecurity.com/content/view/120735
* Gentoo: QDBM, ImageMagick, GDAL RUNPATH issues
8th, November, 2005
Multiple packages suffer from RUNPATH issues that may allow users in
the "portage" group to escalate privileges.
http://www.linuxsecurity.com/content/view/120759
* Gentoo: libgda Format string vulnerabilities
8th, November, 2005
Two format string vulnerabilities in libgda may lead to the execution
of arbitrary code.
http://www.linuxsecurity.com/content/view/120760
+---------------------------------+
| Distribution: Mandriva | ----------------------------//
+---------------------------------+
* Mandriva: Updated mandriva-release packages provide updated
information
7th, November, 2005
The updated mandriva-release packages provides a fixed CREDITS file.
http://www.linuxsecurity.com/content/view/120749
* Mandriva: Updated clamav packages fix multiple vulnerabilities
7th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120750
* Mandriva: Updated openvpn packages fix multiple vulnerabilities
8th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120758
* Mandriva: Updated scim-qtimm packages fix incorrect requires for
x86_64
9th, November, 2005
Due to a bug in the RPM requires for the scim-qtimm package, it was
only installable on i586 platforms, and not on x86_64 due to
differences in the naming for libqt3 (vs. lib64qt3). This update
corrects the requires allowing the package to be installed on
Mandriva Linux 2006/x86_64.
http://www.linuxsecurity.com/content/view/120769
* Mandriva: Updated e2fsprogs packages fix segfault
9th, November, 2005
The mklost+found program was segfaulting on Mandriva Linux 2006. This
update corrects the problem.
http://www.linuxsecurity.com/content/view/120770
* Mandriva: Updated ldetect-lst packages provide updated PCI
information
9th, November, 2005
The updated ldetect-lst packages provide five new PCI modem
definitions in the hardware database.
http://www.linuxsecurity.com/content/view/120771
* Mandriva: Updated drakxtools packages fix various bugs
9th, November, 2005
The updated ldetect-lst packages provide five new PCI modem
definitions in the hardware database.
http://www.linuxsecurity.com/content/view/120772
* Mandriva: Updated libungif packages fix various vulnerabilities
9th, November, 2005
Several bugs have been discovered in the way libungif decodes GIF
images.
http://www.linuxsecurity.com/content/view/120773
* Mandriva: Updated emacs packages fix Lisp vulnerability
9th, November, 2005
Emacs 21.2 does not prompt or warn the user before executing Lisp
code in the local variables section of a text file, which allows
user-complicit attackers to execute arbitrary commands, as
demonstrated using the mode-name variable.
http://www.linuxsecurity.com/content/view/120774
* Mandriva: Updated fetchmail packages fixes fetchmailconf
vulnerability
9th, November, 2005
Thomas Wolff and Miloslav Trmac discovered a race condition in the
fetchmailconf program.
http://www.linuxsecurity.com/content/view/120775
* Mandriva: Updated w3c-libwww packages fixes DoS vulnerability.
9th, November, 2005
Sam Varshavchik discovered the HTBoundary_put_block function in
HTBound.c for W3C libwww (w3c-libwww) allows remote servers to cause
a denial of service (segmentation fault) via a crafted
multipart/byteranges MIME message that triggers an out-of-bounds
read.
http://www.linuxsecurity.com/content/view/120776
* Mandriva: Updated drakxtools packages fix various bugs
9th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120777
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
* RedHat: Important: libungif security update
3rd, November, 2005
Updated libungif packages that fix two security issues are now
available. This update has been rated as having important security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/120721
* RedHat: Critical: flash-plugin security update
9th, November, 2005
Updated Macromedia Flash Player packages that fix a security issue
are now available. This update has been rated as having critical
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/120768
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
