[ISN] Linux Advisory Watch - September 26th 2003

From: InfoSec News (isn@private)
Date: Mon Sep 29 2003 - 04:06:15 PDT

    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  September 26th, 2003                     Volume 4, Number 38a |
      Editors:     Dave Wreski                Benjamin Thomas
                   dave@private     ben@private
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes pointers to updated packages and descriptions of each
    This week, advisories were released for vnc, krb5, php4, ipmasq, ssh, ARP,
    openssh, wu-ftpd, ipmasq, sendmail, proftpd and perl.  The distributors
    include Conectiva, Debian, Guardian Digital's EnGarde Secure Linux,
    FreeBSD, Gentoo, Red Hat, Slackware, SuSE, and TurboLinux.
    Several weeks ago, I wrote that I decided to move to England so that I
    could pursue a Master's in Information Security from Royal Holloway,
    University of London.  Due to the complex bureaucracy, it has taken me a
    while to get settled. As soon as my program begins, I will update you on
    how my journey is progressing.  This week, I thought that it would be best
    if I write about an "evergreen" topic in security, passwords!
    For most, the subject of passwords is novel.  However, it is important to
    take a step back and analyze their strengths, weaknesses, and
    Using only passwords as a method of authentication is often insufficient
    for critical data because they fundamentally have weaknesses.  Several of
    those include: users pick easy to guess words, users often voluntarily
    give them away in order to make work easier, and passwords are often
    easily intercepted.  Many applications/protocols that are still in use
    send passwords in cleartext.  A weak password is the equivalent of a
    faulty lock on a safe.  Passwords do not guarantee security, only increase
    the time required to access data or information.
    System administrators can improve password security for users in several
    ways.  First, a limit on log-in attempts should be set.  For example, user
    IDs should be locked after a number of failed login attempts.  Next,
    passwords should have strength requirements set.  For example, passwords
    should have a minimum length, special characters and capitalizations
    should be required, and they should be checked against a dictionary file.
    Password security can also be improved if there are expiration dates set
    and passwords are not reused consecutively.
    Biometrics and other forms of authentication in addition to passwords can
    dramatically increase security.  Having a second line of defense is
    critical.  For example, ssh security can be improved by using
    key-authentication and IP based access controls.  Passwords are slowly
    becoming obsolete with improvements in technology, but will remain in use
    for many years. Next week, I'll discuss how using single sign-on
    mechanisms can improve password security and management for users.
    Until next time, cheers!
    Benjamin D. Thomas
    FEATURE: R00ting The Hacker
    Dan Verton, the author of The Hacker Diaries: Confessions of Teenage
    Hackers is a former intelligence officer in the U.S. Marine Corps who
    currently writes for Computerworld and CNN.com, covering national
    cyber-security issues and critical infrastructure protection.
    FEATURE: A Practical Approach of Stealthy Remote Administration
    This paper is written for those paranoid administrators who are looking
    for a stealthy technique of managing sensitive servers (like your
    enterprise firewall console or IDS).
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    |  Distribution: Conectiva        | ----------------------------//
     9/22/2003 - wu-ftpd
       Command execution remote vulnerability
       This update fixes a vulnerability in the way wu-ftpd uses the
       "conversion" feature, which is used mostly to (un)compress files. The
       scenario where this vulnerability can be exploited varies depending on
       the server configuration.
     9/23/2003 - vnc
       Multiple vulnerabilities
       This update fixes two vulnerabilities found in VNC that affect the
       versions distributed with Conectiva Linux 7.0 and 8:
     9/23/2003 - krb5
       Multiple kerberos vulnerabilities
       This update fixes principal name handling, cryptographic weaknesses,
       faulty length checks in xdrmem_getbytes, and multiple other
     9/24/2003 - php4
       Multiple vulnerabilities
       This new version includes several fixes[3] and improvements, including
       fixes for potential integer overflow vulnerabilities.
    |  Distribution: Debian           | ----------------------------//
     9/20/2003 - ipmasq
       Insecure packet filtering rules
       Due to use of certain improper filtering rules, traffic arriving on the
       external interface addressed for an internal host would be forwarded,
       regardless of whether it was associated with an established connection.
     9/21/2003 - ssh-krb5
       Multiple vulnerabilities
       This advisory is an addition to the earlier DSA-383-1 advisory: Solar
       Designer found four more bugs in OpenSSH that may be exploitable.
     9/21/2003 - ssh
       Multiple additional vulnerabilities
       This advisory is an addition to the earlier DSA-382-1 and DSA-382-3
       advisories: Solar Designer found four more bugs in OpenSSH that may be
    |  Distribution: EnGarde          | ----------------------------//
     9/24/2003 - 'WebTool-userpass' passphrase disclosure vulnerability.
       "Shawn"  discovered and reported an SSH passphrase disclosure
       vulnerability in the WebTool's User Password Changer via the
       engarde-users mailing list.
    |  Distribution: FreeBSD          | ----------------------------//
     9/24/2003 - ARP
       resource starvation DoS
       Under certain circumstances, it is possible for an attacker to flood a
       FreeBSD system with spoofed ARP requests, causing resource starvation
       which eventually results in a system panic.
    |  Distribution: Gentoo           | ----------------------------//
     9/23/2003 - openssh
       Multiple PAM vulnerabilities
       Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
       vulnerabilities in the new PAM code. At least one of these bugs is
       remotely exploitable (under a non-standard configuration, with privsep
    |  Distribution: Red Hat          | ----------------------------//
     9/22/2003 - apache/mod_ssl
       Multiple vulnerabilities
       Updated Apache and mod_ssl packages that fix several minor security
       issues are now available for Red Hat Linux 7.1, 7.2, and 7.3.
     9/22/2003 - perl
       Multiple vulnerabilities
       Updated Perl packages that fix a security issue in Safe.pm and a
       cross-site scripting (XSS) vulnerability in CGI.pm are now available.
    |  Distribution: Slackware        | ----------------------------//
     9/23/2003 - 'wu-ftpd' vulnerability
       Multiple vulnerabilities
       Upgraded WU-FTPD packages are available for Slackware 9.0 and -current.
       These fix a problem where an attacker could use a specially crafted
       filename in conjunction with WU-FTPD's conversion feature to execute
       arbitrary commands on the server.
     9/23/2003 - 'proftpd' vulnerability
       Multiple vulnerabilities
       Upgraded ProFTPD packages are available for Slackware 8.1, 9.0 and
       -current.  These fix a security issue where an attacker could gain a
       root shell by downloading a specially crafted file.
     9/23/2003 - 'openssh' PAM vulnerability
       Multiple vulnerabilities
       Upgraded OpenSSH 3.7.1p2 packages are available for Slackware 8.1, 9.0
       and -current.  This fixes security problems with PAM authentication.
       It also includes several code cleanups from Solar Designer.
    |  Distribution: SuSE             | ----------------------------//
     9/20/2003 - sendmail, sendmail-tls
       Multiple vulnerabilities
       A remotely exploitable buffer overflow has been found in all versions
       of sendmail that come with SuSE products. These versions include
       sendmail-8.11 and sendmail-8.12 releases.
    |  Distribution: TurboLinux       | ----------------------------//
     9/24/2003 - 'openssh' PAM vulnerabilities
       Multiple vulnerabilities
       Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
       vulnerabilities in the new PAM code.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    ISN is currently hosted by Attrition.org
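
The administrator-side controls listed in the editorial above (lockout after failed logins, strength requirements, a dictionary check, expiration, no consecutive reuse) can be sketched as follows. This is an added example, not part of the original newsletter; every name, threshold and the word list are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Assumed policy values; the newsletter names the controls, not the numbers.
MIN_LENGTH = 10
MAX_FAILED_LOGINS = 5
MAX_AGE = timedelta(days=90)
DICTIONARY = {"password", "letmein", "linux", "welcome"}  # constructed sample word list
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")

def digest(password):
    # Sketch only: production systems store salted, slow hashes (bcrypt, scrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()

def strength_problems(password, previous_digest=None):
    """Return the list of policy rules the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    # Dictionary check: drop digits and specials so "Linux2003!" still matches "linux".
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in DICTIONARY:
        problems.append("dictionary word")
    if previous_digest and hmac.compare_digest(digest(password), previous_digest):
        problems.append("reuses previous password")
    return problems

class Account:
    def __init__(self, password, today):
        self.digest, self.changed, self.failures = digest(password), today, 0

    def login(self, password, today):
        """Return 'locked', 'denied', 'expired' or 'ok'."""
        if self.failures >= MAX_FAILED_LOGINS:
            return "locked"  # stays locked until an administrator resets the counter
        if not hmac.compare_digest(digest(password), self.digest):
            self.failures += 1
            return "denied"
        self.failures = 0
        return "expired" if today - self.changed > MAX_AGE else "ok"
```

Note that the lockout is checked before the password, so a correct guess made after the limit is reached is still refused.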