[ISN] Linux Advisory Watch - August 22nd 2003

From: InfoSec News (isnat_private)
Date: Mon Aug 25 2003 - 00:37:30 PDT


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  August 22nd, 2003                        Volume 4, Number 33a |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                Benjamin Thomas
                   daveat_private     benat_private
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for openslp, zip, netris, autorespond,
    unzip, eroaster, and GDM.  The distributors include Conectiva, Debian,
    Mandrake, and Red Hat.
    
    The United States National Institute of Standards and Technology recently
    released the second draft of the "Guide for the Security Certification and
    Accreditation of Federal Information System." It is currently in the
    second public comment period, which ends August 31st 2003.  Although the
    document is intended for government agency use, it is easily applicable to
    organizations of other types.  As information security is becoming a more
    important function of conducting business, there is an ever increasing
    need for standards and methodologies.  This document is an excellent
    starting point for those interested in creating an organization wide
    information security program and/or certification and accreditation
    procedures.
    
    The document begins with an introduction to the concept of certification
    and accreditation.  It includes the system development life cycle,
    component evaluation, assessment activities, as well as other important
    information.  Next, the document overviews the fundamentals of C&A
    including roles and responsibilities, information system categories,
    documentation, and monitoring.  Overall, the first two chapters of this
    document provide a good overview of the base knowledge required to set up
    a certification and accreditation program in your organization.
    
    The final chapter of this document walks readers through the entire
    process of C&A.  It covers initiation, certification, accreditation, and
    finally monitoring.  This chapter gives readers a very good indication of
    the work required to implement a C&A program.  In addition, after
    reading this chapter the importance of beginning the C&A process becomes
    apparent.
    
    In addition to clear and informative writing, the document also provides
    many easy-to-read diagrams.  The illustrations provided help readers more
    easily visualize the authors' intentions.  If you haven't had a chance to
    take a look at this document, I highly recommend it.  The information is
    valuable and freely available.  The entire document can be found at the
    following URL:
    
    http://csrc.nist.gov/publications/drafts/sp800-37-Draftver2.pdf
    
    Until next time,
    Benjamin D. Thomas
    benat_private
    
    
    
    Expert vs. Expertise: Computer Forensics and the Alternative OS
    
    No longer a dark and mysterious process, computer forensics has been
    firmly on the scene for more than five years now. Despite this, it has
    only recently gained the recognition it deserves.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-147.html
    
    --------------------------------------------------------------------
    
    >> FREE Apache SSL Guide from Thawte  <<
    
    Are you worried about your web server security?  Click here to get a FREE
    Thawte Apache SSL Guide and find the answers to all your Apache SSL
    security needs.
    
     Click Command:
     http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=vertad_thawteapache
    
    --------------------------------------------------------------------
    
    REVIEW: Linux Security Cookbook
    
    There are rarely straightforward solutions to real world issues,
    especially in the field of security. The Linux Security Cookbook is an
    essential tool to help solve those real world problems. By covering
    situations that apply to everyone from the seasoned Systems Administrator
    to the security curious home user, the Linux Security Cookbook
    distinguishes itself as an indispensable reference for security oriented
    individuals.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-145.html
    
    
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    
    
    +---------------------------------+
    |  Distribution: Conectiva        | ----------------------------//
    +---------------------------------+
    
     8/15/2003 - openslp
       tmp file creation vulnerability
    
       There is a symbolic link vulnerability in the initscript used to
       control the openslp daemon.
       http://www.linuxsecurity.com/advisories/connectiva_advisory-3563.html
    
     8/21/2003 - zip
       directory traversal vulnerability
    
       This is a reedition of the announcement CLSA-2003:672[1].
       http://www.linuxsecurity.com/advisories/connectiva_advisory-3564.html
    
    
    +---------------------------------+
    |  Distribution: Debian           | ----------------------------//
    +---------------------------------+
    
     8/17/2003 - netris
       Buffer overflow vulnerability
    
       A netris client connecting to an untrusted netris server could be
       sent an unusually long data packet, which would be copied into a
       fixed-length buffer without bounds checking.
       http://www.linuxsecurity.com/advisories/debian_advisory-3559.html
    
     8/16/2003 - autorespond
       Buffer overflow vulnerability
    
       This vulnerability could potentially be exploited by a remote
       attacker to gain the privileges of a user who has configured qmail
       to forward messages to autorespond.
       http://www.linuxsecurity.com/advisories/debian_advisory-3560.html
    
     8/18/2003 - man-db
       denial of service (buffer overflow) vulnerability
    
       This update introduced an error in the routine that resolves
       hardlinks: depending on the filenames of hardlinked manpages, that
       routine might itself overrun allocated memory, causing a
       segmentation fault.
       http://www.linuxsecurity.com/advisories/debian_advisory-3565.html
    
    
    +---------------------------------+
    |  Distribution: Mandrake         | ----------------------------//
    +---------------------------------+
    
     8/21/2003 - unzip
       arbitrary file overwrite vulnerability
    
       A vulnerability was discovered in unzip 5.50 and earlier that
       allows attackers to overwrite arbitrary files during archive
       extraction by placing non-printable characters between two "."
       characters.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-3566.html
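   The unzip entry above describes a path check that can be defeated by
   non-printable characters placed between two "." characters. The following
   is an added illustration, not code from unzip or from the advisory: it
   assumes (as a plausible model of the flaw, not a statement about unzip's
   internals) that a weak extractor tests the raw name for ".." and only
   afterwards strips non-printable characters, so the name that reaches the
   filesystem is not the name that was checked. The hardened check normalizes
   first, tests every path component, and confirms the final target stays
   under the extraction directory. All sample entry names are constructed.

```python
import posixpath

DEST = "/extract"  # assumed extraction directory for the worked example


def strip_nonprintable(name: str) -> str:
    """Remove control characters, as an extractor might do when mapping
    archive names to local filenames (assumed post-check cleanup step)."""
    return "".join(ch for ch in name if ch.isprintable())


def weak_is_safe(name: str) -> bool:
    """Weak order of operations: test the raw name, clean it later.
    A name such as '.\\x01./etc/passwd' contains no '..' substring yet
    becomes '../etc/passwd' once the control character is dropped."""
    return not name.startswith("/") and ".." not in name


def effective_target(name: str, dest: str = DEST) -> str:
    """Where the entry would actually land after the cleanup step."""
    return posixpath.normpath(posixpath.join(dest, strip_nonprintable(name)))


def hardened_is_safe(name: str, dest: str = DEST) -> bool:
    """Normalize first, then reject absolute names, any '..' component and
    anything whose resolved target escapes dest."""
    cleaned = strip_nonprintable(name)
    if not cleaned or cleaned.startswith("/"):
        return False
    if any(part == ".." for part in cleaned.split("/")):
        return False
    target = posixpath.normpath(posixpath.join(dest, cleaned))
    return posixpath.commonpath([dest, target]) == dest


# Constructed sample archive entry names.
SAMPLES = [
    "docs/readme.txt",        # benign
    "../etc/passwd",          # plain traversal, both checks reject
    ".\x01./etc/passwd",      # control byte between the dots: weak check passes
    "/etc/passwd",            # absolute name, both checks reject
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(repr(entry).ljust(26),
              "weak=%-5s hardened=%-5s -> %s" % (
                  weak_is_safe(entry), hardened_is_safe(entry),
                  effective_target(entry)))
```

   Running the block shows the third sample passing the weak check while its
   effective target is /etc/passwd, outside the extraction directory; the
   hardened check rejects it because it evaluates the cleaned name.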
    
     8/21/2003 - eroaster
       tmp file creation vulnerability
    
       A vulnerability was discovered in eroaster where it does not take
       any security precautions when creating a temporary file for the
       lockfile.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-3567.html
    
    
    +---------------------------------+
    |  Distribution: RedHat           | ----------------------------//
    +---------------------------------+
    
     8/15/2003 - unzip
       Trojan vulnerability
    
       Updated unzip packages resolving a vulnerability allowing
       arbitrary files to be overwritten are now available.
       http://www.linuxsecurity.com/advisories/redhat_advisory-3561.html
    
     8/21/2003 - GDM
       multiple vulnerabilities
    
       Updated GDM packages are available which correct a bug allowing
       local users to read any text files on the system, and a denial of
       service issue if XDMCP is enabled.
       http://www.linuxsecurity.com/advisories/redhat_advisory-3568.html
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Aug 25 2003 - 03:53:20 PDT