+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| September 26th, 2003 Volume 4, Number 38a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave@private ben@private
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for vnc, krb5, php4, ipmasq, ssh, ARP,
openssh, wu-ftpd, ipmasq, sendmail, proftpd and perl. The distributors
include Conectiva, Debian, Guardian Digital's EnGarde Secure Linux,
FreeBSD, Gentoo, Red Hat, Slackware, SuSE, and TurboLinux.
>> FREE Apache SSL Guide from Thawte <<
Are you worried about your web server security? Click here to get a FREE
Thawte Apache SSL Guide and find the answers to all your Apache SSL
security needs.
Click Command:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=vertad_thawteapache
Several weeks ago, I wrote that I decided to move to England so that I
could pursue a Master's in Information Security from Royal Holloway,
University of London. Due to the complex bureaucracy, it has taken me a
while to get settled. As soon as my program begins, I will update you on
how my journey is progressing. This week, I thought that it would be best
if write about an "evergreen" topic in security, passwords!
For most, the subject of passwords is novel. However, it is important to
take a step back and analyze their strengths, weaknesses, and
alternatives.
Using only passwords as a method of authentication is often insufficient
for critical data because they fundamentally have weaknesses. Several of
those include: users pick easy to guess words, users often voluntarily
give them away in order to make work easier, and passwords are often
easily intercepted. Many applications/protocols that are still in use
send passwords in cleartext. A weak password is the equivalent of a
faulty lock on a safe. Passwords do not guarantee security, only increase
the time required to access data or information.
System administrators can improve password security for users in several
ways. First, a limit on log-in attempts should be set. For example, user
IDs should be locked after a number of failed login attempts. Next,
passwords should have strength requirements set. For example, passwords
should have a minimum length, special characters and capitalizations
should be required, and they should be checked against a dictionary file.
Password security can also be improved if there are expiration dates set
and passwords are not reused consecutively.
Biometrics and other forms of authentication in addition to passwords can
dramatically increase security. Having a second line of defense is
critical. For example, ssh security can be improved by using
key-authentication and IP based access controls. Passwords are slowly
becoming obsolete with improvements in technology, but will remain in use
for many years. Next week, I'll discuss how using single sign-on
mechanisms can improve password security and management for users.
Until next time, cheers!
Benjamin D. Thomas
ben@private
----
FEATURE: R00ting The Hacker
Dan Verton, the author of The Hacker Diaries: Confessions of Teenage
Hackers is a former intelligence officer in the U.S. Marine Corps who
currently writes for Computerworld and CNN.com, covering national
cyber-security issues and critical infrastructure protection.
http://www.linuxsecurity.com/feature_stories/feature_story-150.html
--------------------------------------------------------------------
CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
thanks to the depth of its security strategy..." Find out what the other
Linux vendors are not telling you.
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
--------------------------------------------------------------------
FEATURE: A Practical Approach of Stealthy Remote Administration This paper
is written for those paranoid administrators who are looking for a
stealthy technique of managing sensitive servers (like your enterprise
firewall console or IDS).
http://www.linuxsecurity.com/feature_stories/feature_story-149.html
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Conectiva | ----------------------------//
+---------------------------------+
9/22/2003 - wu-ftpd Command execution remote vulnerability
This update fixes a vulnerability in the way wu-ftpd uses the
"conversion" feature, which is used mostly to (un)compress files. The
scenario where this vulnerability can be exploited varies depending on
the server configuration.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3670.html
9/23/2003 - vnc
Multiple vulnerabilities
This update fixes two vulnerabilities found in VNC that affect the
versions distributed with Conectiva Linux 7.0 and 8:
http://www.linuxsecurity.com/advisories/connectiva_advisory-3674.html
9/23/2003 - krb5
Multiple kerberos vulnerabilities
This update fixes pricipal name handling, cryptographic weaknesses,
faulty length checks in xdrmem_getbytes, and multiple other
vulnerabilities.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3675.html
9/24/2003 - php4
Multiple vulnerabilities
This new version includes several fixes[3] and improvements, including
fixes for potential integer overflow vulnerabilities.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3684.html
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
9/20/2003 - ipmasq
Insecure packet filtering rules
Due to use of certain improper filtering rules, traffic arriving on the
external interface addressed for an internal host would be forwarded,
regardless of whether it was associated with an established connection.
http://www.linuxsecurity.com/advisories/debian_advisory-3665.html
9/21/2003 - ssh-krb5 Multiple vulnerabilities
Insecure packet filtering rules
This advisory is an addition to the earlier DSA-383-1 advisory: Solar
Designer found four more bugs in OpenSSH that may be exploitable.
http://www.linuxsecurity.com/advisories/debian_advisory-3668.html
9/21/2003 - ssh
Multiple additional vulnerabilities
This advisory is an addition to the earlier DSA-382-1 and DSA-382-3
advisories: Solar Designer found four more bugs in OpenSSH that may be
exploitable.
http://www.linuxsecurity.com/advisories/debian_advisory-3669.html
+---------------------------------+
| Distribution: EnGarde | ----------------------------//
+---------------------------------+
9/24/2003 - 'WebTool-userpass' passphrase disclosure vulnerability.
Multiple additional vulnerabilities
"Shawn" discovered and reported an SSH passphrase disclosure
vulnerability in the WebTool's User Password Changer via the
engarde-users mailing list.
http://www.linuxsecurity.com/advisories/engarde_advisory-3680.html
+---------------------------------+
| Distribution: FreeBSD | ----------------------------//
+---------------------------------+
9/24/2003 - ARP
resource starvation DoS
Under certain circumstances, it is possible for an attacker to flood a
FreeBSD system with spoofed ARP requests, causing resource starvation
which eventually results in a system panic.
http://www.linuxsecurity.com/advisories/freebsd_advisory-3683.html
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
9/23/2003 - openssh
Multiple PAM vulnerabilities
Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs is
remotely exploitable (under a non-standard configuration, with privsep
disabled).
http://www.linuxsecurity.com/advisories/gentoo_advisory-3676.html
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
9/22/2003 - apache/mod_ssl Multiple vulnerabilities
Multiple PAM vulnerabilities
Updated Apache and mod_ssl packages that fix several minor security
issues are now available for Red Hat Linux 7.1, 7.2, and 7.3.
http://www.linuxsecurity.com/advisories/redhat_advisory-3666.html
9/22/2003 - perl
Multiple vulnerabilities
Updated Perl packages that fix a security issue in Safe.pm and a
cross-site scripting (XSS) vulnerability in CGI.pm are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-3667.html
+---------------------------------+
| Distribution: Slackware | ----------------------------//
+---------------------------------+
9/23/2003 - 'wu-ftpd' vulnerability
Multiple vulnerabilities
Upgraded WU-FTPD packages are available for Slackware 9.0 and -current.
These fix a problem where an attacker could use a specially crafted
filename in conjunction with WU-FTPD's conversion feature to execute
arbitrary commands on the server.
http://www.linuxsecurity.com/advisories/slackware_advisory-3677.html
9/23/2003 - 'proftpd' vulnerability
Multiple vulnerabilities
Upgraded ProFTPD packages are available for Slackware 8.1, 9.0 and
-current. These fix a security issue where an attacker could gain a
root shell by downloading a specially crafted file.
http://www.linuxsecurity.com/advisories/slackware_advisory-3678.html
9/23/2003 - 'openssh' PAM vulnerability
Multiple vulnerabilities
Upgraded OpenSSH 3.7.1p2 packages are available for Slackware 8.1, 9.0
and -current. This fixes security problems with PAM authentication.
It also includes several code cleanups from Solar Designer.
http://www.linuxsecurity.com/advisories/slackware_advisory-3679.html
+---------------------------------+
| Distribution: SuSE | ----------------------------//
+---------------------------------+
9/20/2003 - sendmail, sendmail-tls
Multiple vulnerabilities
A remotely exploitable buffer overflow has been found in all versions
of sendmail that come with SuSE products. These versions include
sendmail-8.11 and sendmail-8.12 releases.
http://www.linuxsecurity.com/advisories/suse_advisory-3664.html
+---------------------------------+
| Distribution: TurboLinux | ----------------------------//
+---------------------------------+
9/24/2003 - 'openssh' PAM vulnerabilities
Multiple vulnerabilities
Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code.
http://www.linuxsecurity.com/advisories/turbolinux_advisory-3681.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Sep 29 2003 - 07:59:11 PDT