+---------------------------------------------------------------------+
|  LinuxSecurity.com                               Weekly Newsletter  |
|  December 16th, 2005                          Volume 6, Number 51a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                   Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx        ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for courier, osh, curl, ethereal, phpMyAdmin, Openswan, Xmail, Ethereal, perl, openvpn, thunderbird, xmovie, mplayer, and ffmpeg. The distributors include Debian, Gentoo, and Mandriva.

----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

----

SELinux Policy Development: Modifying Policy

Once you have your list of all your allow statements, examine them carefully and try to understand what you are allowing before adding them to policy. One weakness of audit2allow is that it is unaware of macros contained in the policy, so grep through your policy sources for allow statements close to the ones you'd like to add and try to find appropriate macros to use instead.

If you're planning on doing a lot of policy customization, it's a good idea to familiarize yourself with the existing policy sources so you're aware of what macros are available. The $policy/policy/support/obj_perm_sets.spt file is one good place to start; it contains macros that expand to useful permission groupings.
For example, rather than allowing a domain the ioctl, read, getattr, lock, write, and append permissions to a given type, you can simply assign it the rw_file_perms macro instead. This helps keep policy readable later on.

Once you have generated your needed allow statements, add them to the $policy/policy/modules/admin/local.te file and recompile the policy. If your application still won't work in enforcing mode, just repeat the process until you can run it with no SELinux audit errors.

Always keep your policy changes in the $policy/policy/modules/admin/local.* files. These files are included in the package empty and are intended for local policy customization. If you change a file that belongs to a service and already contains rules, your changes will be lost when the policy is upgraded, so keep local changes in the local.te and local.fc files where they belong. If you find a problem in existing policy, add your changes to local.* but provide a patch to the policy maintainers so they can include it in a later build. Most SELinux policies are being constantly developed and revised since the technology is still fairly new, and your upstream maintainers will thank you for your help.

Policy development can be difficult at the beginning, but I think you'll find that as you make progress you'll be learning not only about SELinux but about the details of what your applications are really doing under the hood. You'll not only be making your system more secure, you'll be learning about the low level details of your system and its services. SELinux development has already resulted in upstream patches to many applications that had hidden bugs that were only found because SELinux alerted policy developers to the kernel level actions the applications were attempting.

I hope you enjoyed reading this SELinux series as much as I enjoyed writing it. Until next time, stay secure and keep your policy locked down tight.
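
Added example, not part of the original newsletter or of the SELinux policy tools: a small Python check for the macro step described above, comparing audit2allow-style allow rules against macros parsed from obj_perm_sets.spt. The macro excerpt, the sample rules and the myapp_* type names are constructed for illustration; a macro is substituted only on an exact permission match, and broader macros are reported rather than applied.

```python
import re

# Constructed excerpt in obj_perm_sets.spt style; rw_file_perms is as listed in the article.
SAMPLE_SPT = """
define(`r_file_perms', `{ read getattr lock ioctl }')
define(`rw_file_perms', `{ ioctl read getattr lock write append }')
"""

# Constructed audit2allow-style rules; the myapp_* types are hypothetical.
SAMPLE_RULES = """
allow myapp_t myapp_data_t:file { append getattr ioctl lock read write };
allow myapp_t myapp_conf_t:file { getattr read };
allow myapp_t myapp_log_t:file { append create getattr ioctl lock read write };
"""

MACRO_RE = re.compile(r"define\(`(\w+)',\s*`\{([^}]*)\}'\)")
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def load_macros(spt_text):
    """Map each macro name to the set of permissions it expands to."""
    return {n: frozenset(p.split()) for n, p in MACRO_RE.findall(spt_text)}

def suggest(rule, macros):
    """Return (rule_text, note). A macro replaces the permission list only on an
    exact match, so the rewritten rule grants nothing the original did not."""
    m = ALLOW_RE.fullmatch(rule.strip())
    if not m:
        return rule.strip(), "not an allow rule"
    src, tgt, cls, braced, single = m.groups()
    perms = frozenset((braced or single).split())
    # Only consider macros written for this object class, e.g. *_file_perms.
    fits = {n: s for n, s in macros.items() if n.endswith(f"_{cls}_perms")}
    for name, expansion in fits.items():
        if expansion == perms:
            return f"allow {src} {tgt}:{cls} {name};", "exact match"
    # Broader macros are reported, not applied: they would widen the policy.
    wider = [(len(s - perms), n) for n, s in fits.items() if perms < s]
    if wider:
        _, name = min(wider)
        return rule.strip(), f"{name} would also grant: {' '.join(sorted(fits[name] - perms))}"
    return rule.strip(), "no macro covers this set"

def review(rules_text, spt_text):
    macros = load_macros(spt_text)
    return [suggest(r, macros) for r in rules_text.strip().splitlines()]

if __name__ == "__main__":
    for text, note in review(SAMPLE_RULES, SAMPLE_SPT):
        print(f"{text}  # {note}")
```

Rules that come back unchanged with a "would also grant" note are the ones to read most carefully before adding them to local.te with a macro.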
Read Entire Article:
http://www.linuxsecurity.com/content/view/120837/49/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Patrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New courier packages fix unauthorised access
  8th, December, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/120959

* Debian: New osh packages fix privilege escalation
  9th, December, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/120969

* Debian: New curl packages fix potential security problem
  12th, December, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/120980

* Debian: New ethereal packages fix arbitrary code execution
  13th, December, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/120987

* Debian: New Linux 2.4.27 packages fix several vulnerabilities
  14th, December, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/121004

* Debian: New Linux 2.6.8 packages fix several vulnerabilities
  14th, December, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/121005

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: phpMyAdmin Multiple vulnerabilities
  11th, December, 2005

  Multiple flaws in phpMyAdmin may lead to several XSS issues and local and remote file inclusion vulnerabilities.

  http://www.linuxsecurity.com/content/view/120975

* Gentoo: Openswan, IPsec-Tools Vulnerabilities in ISAKMP
  12th, December, 2005

  Openswan and IPsec-Tools suffer from an implementation flaw which may allow a Denial of Service attack.

  http://www.linuxsecurity.com/content/view/120981

* Gentoo: Xmail Privilege escalation through sendmail
  14th, December, 2005

  The sendmail program in Xmail is vulnerable to a buffer overflow, potentially resulting in local privilege escalation.
  http://www.linuxsecurity.com/content/view/121002

* Gentoo: Ethereal Buffer overflow in OSPF protocol dissector
  14th, December, 2005

  Ethereal is missing bounds checking in the OSPF protocol dissector that could lead to abnormal program termination or the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/121003

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated curl package fixes format string vulnerability
  8th, December, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/120966

* Mandriva: Updated perl package fixes format string vulnerability
  8th, December, 2005

  Jack Louis discovered a new way to exploit format string errors in the Perl programming language that could lead to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/120967

* Mandriva: Updated openvpn packages fix multiple vulnerabilities
  10th, December, 2005

  Two Denial of Service vulnerabilities exist in OpenVPN. The first allows a malicious or compromised server to execute arbitrary code on the client (CVE-2005-3393). The second DoS can occur if, when in TCP server mode, OpenVPN received an error on accept(2) and the resulting exception handler causes a segfault (CVE-2005-3409). The updated packages have been patched to correct these problems.

  http://www.linuxsecurity.com/content/view/120974

* Mandriva: Updated mozilla-thunderbird package fix vulnerability in enigmail
  13th, December, 2005

  A bug in enigmail, the GPG support extension for Mozilla MailNews and Mozilla Thunderbird, was discovered that could lead to the encryption of an email with the wrong public key. This could potentially disclose confidential data to unintended recipients. The updated packages have been patched to prevent this problem.
  http://www.linuxsecurity.com/content/view/120986

* Mandriva: Updated ethereal packages fix vulnerability
  14th, December, 2005

  A stack-based buffer overflow was discovered in the OSPF dissector in Ethereal. This could potentially be abused to allow remote attackers to execute arbitrary code via crafted packets. The updated packages have been patched to prevent this problem.

  http://www.linuxsecurity.com/content/view/121010

* Mandriva: Updated xine-lib packages fix buffer overflow vulnerability
  14th, December, 2005

  Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

  http://www.linuxsecurity.com/content/view/121011

* Mandriva: Updated xmovie packages fix buffer overflow vulnerability
  14th, December, 2005

  Updated package.

  http://www.linuxsecurity.com/content/view/121012

* Mandriva: Updated gstreamer-ffmpeg packages fix buffer overflow vulnerability
  14th, December, 2005

  Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

  http://www.linuxsecurity.com/content/view/121013

* Mandriva: Updated mplayer packages fix buffer overflow vulnerability
  14th, December, 2005

  Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

  http://www.linuxsecurity.com/content/view/121014

* Mandriva: Updated ffmpeg packages fix buffer overflow vulnerability
  14th, December, 2005

  Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
  http://www.linuxsecurity.com/content/view/121015

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------