+----------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | August 22nd, 2003 Volume 4, Number 33a | +----------------------------------------------------------------+ Editors: Dave Wreski Benjamin Thomas daveat_private benat_private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilitiaes that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for openslp, zip, netris, autorespond, unzip, eroaster, and GDM. The distributors include Conectiva, Debian, Mandrake, and Red Hat. The United States National Institute of Standards and Technology recently released the second draft of the "Guide for the Security Certification and Accreditation of Federal Information System." It is currently in the second public comment period, which ends August 31st 2003. Although the document is intended for government agency use, it is easily applicable to organizations of other types. As information security is becoming a more important function of conducting business, there is an ever increasing need for standards and methodologies. This document is an excellent starting point for those interested in creating an organization wide information security program and/or certification and accreditation procedures. The document begins with an introduction to the concept of certification and accreditation. It includes the system development life cycle, component evaluation, assessment activities, as well as other important information. Next, the document overviews the fundamentals of C&A including roles and responsibilities, information system categories, documentation, and monitoring. Overall, the first two chapters of this document provide a very overview of the base knowledge required to setup a certification and accreditation program in your organization. The final chapter of this document walks readers through the entire process of C&A. It covers initiation, certification, accreditation, and finally monitoring. This chapter gives readers a very good indication of the work required to implement and C&A program. In addition, after reading this chapter the importance of beginning the C&A process becomes apparent. In addition to clear and informative writing, the document also provides many easy to read diagrams. The illustrations provided help readers more easily visualize the authors intentions. If you haven't had a chance to take a look at this document, I highly recommend it. The information is valuable and freely available. The entire document can be found at the following URL: http://csrc.nist.gov/publications/drafts/sp800-37-Draftver2.pdf Until next time, Benjamin D. Thomas benat_private Expert vs. Expertise: Computer Forensics and the Alternative OS No longer a dark and mysterious process, computer forensics have been significantly on the scene for more than five years now. Despite this, they have only recently gained the notoriety they deserve. http://www.linuxsecurity.com/feature_stories/feature_story-147.html -------------------------------------------------------------------- >> FREE Apache SSL Guide from Thawte << Are you worried about your web server security? Click here to get a FREE Thawte Apache SSL Guide and find the answers to all your Apache SSL security needs. Click Command: http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=vertad_thawteapache -------------------------------------------------------------------- REVIEW: Linux Security Cookbook There are rarely straightforward solutions to real world issues, especially in the field of security. The Linux Security Cookbook is an essential tool to help solve those real world problems. By covering situations that apply to everyone from the seasoned Systems Administrator to the security curious home user, the Linux Security Cookbook distinguishes itself as an indispensible reference for security oriented individuals. http://www.linuxsecurity.com/feature_stories/feature_story-145.html --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Conectiva | ----------------------------// +---------------------------------+ 8/15/2003 - openslp tmp file creation vulnerability There is a symbolic link vulnerability in the initscript used to control the openslp daemon. http://www.linuxsecurity.com/advisories/connectiva_advisory-3563.html 8/21/2003 - zip directory traversal vulnerability This is a reedition of the announcement CLSA-2003:672[1]. http://www.linuxsecurity.com/advisories/connectiva_advisory-3564.html +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ 8/17/2003 - netris Buffer overflow vulnerability A netris client connectingto an untrusted netris server could be sent an unusually long datapacket, which would be copied into a fixed-length buffer withoutbounds checking. http://www.linuxsecurity.com/advisories/debian_advisory-3559.html 8/16/2003 - autorespond Buffer overflow vulnerability This vulnerability could potentiallybe exploited by a remote attacker to gain the privileges of a user whohas configured qmail to forward messages to autorespond. http://www.linuxsecurity.com/advisories/debian_advisory-3560.html 8/18/2003 - man-db denial of service vulnerability Buffer overflow vulnerability This update introduced an error in the routinethat resolves hardlinks: depending on the filenames of hardlinked manpages, that routine might itself overrun allocated memory, causing asegmentation fault. http://www.linuxsecurity.com/advisories/debian_advisory-3565.html +---------------------------------+ | Distribution: Mandrake | ----------------------------// +---------------------------------+ 8/21/2003 - unzip arbitrary file overwrite vulnerability A vulnerability was discovered in unzip 5.50 and earlier that allows attackers to overwrite arbitrary files during archive extraction by placing non-printable characters between two "." characters. http://www.linuxsecurity.com/advisories/mandrake_advisory-3566.html 8/21/2003 - eroaster tmp file creation vulnerability A vulnerability was discovered in eroaster where it does not take any security precautions when creating a temporary file for the lockfile. http://www.linuxsecurity.com/advisories/mandrake_advisory-3567.html +---------------------------------+ | Distribution: RedHat | ----------------------------// +---------------------------------+ 8/15/2003 - unzip Trojan vulnerability Updated unzip packages resolving a vulnerability allowing arbitrary filesto be overwritten are now available. http://www.linuxsecurity.com/advisories/redhat_advisory-3561.html 8/21/2003 - GDM multiple vulnerabilities Updated GDM packages are available which correct a bug allowing local usersto read any text files on the system, and a denial of service issue ifXDMCP is enabled. http://www.linuxsecurity.com/advisories/redhat_advisory-3568.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-requestat_private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Aug 25 2003 - 03:53:20 PDT