+----------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | September 26th, 2003 Volume 4, Number 38a | +----------------------------------------------------------------+ Editors: Dave Wreski Benjamin Thomas dave@private ben@private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for vnc, krb5, php4, ipmasq, ssh, ARP, openssh, wu-ftpd, ipmasq, sendmail, proftpd and perl. The distributors include Conectiva, Debian, Guardian Digital's EnGarde Secure Linux, FreeBSD, Gentoo, Red Hat, Slackware, SuSE, and TurboLinux. >> FREE Apache SSL Guide from Thawte << Are you worried about your web server security? Click here to get a FREE Thawte Apache SSL Guide and find the answers to all your Apache SSL security needs. Click Command: http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=vertad_thawteapache Several weeks ago, I wrote that I decided to move to England so that I could pursue a Master's in Information Security from Royal Holloway, University of London. Due to the complex bureaucracy, it has taken me a while to get settled. As soon as my program begins, I will update you on how my journey is progressing. This week, I thought that it would be best if write about an "evergreen" topic in security, passwords! For most, the subject of passwords is novel. However, it is important to take a step back and analyze their strengths, weaknesses, and alternatives. Using only passwords as a method of authentication is often insufficient for critical data because they fundamentally have weaknesses. Several of those include: users pick easy to guess words, users often voluntarily give them away in order to make work easier, and passwords are often easily intercepted. Many applications/protocols that are still in use send passwords in cleartext. A weak password is the equivalent of a faulty lock on a safe. Passwords do not guarantee security, only increase the time required to access data or information. System administrators can improve password security for users in several ways. First, a limit on log-in attempts should be set. For example, user IDs should be locked after a number of failed login attempts. Next, passwords should have strength requirements set. For example, passwords should have a minimum length, special characters and capitalizations should be required, and they should be checked against a dictionary file. Password security can also be improved if there are expiration dates set and passwords are not reused consecutively. Biometrics and other forms of authentication in addition to passwords can dramatically increase security. Having a second line of defense is critical. For example, ssh security can be improved by using key-authentication and IP based access controls. Passwords are slowly becoming obsolete with improvements in technology, but will remain in use for many years. Next week, I'll discuss how using single sign-on mechanisms can improve password security and management for users. Until next time, cheers! Benjamin D. Thomas ben@private ---- FEATURE: R00ting The Hacker Dan Verton, the author of The Hacker Diaries: Confessions of Teenage Hackers is a former intelligence officer in the U.S. Marine Corps who currently writes for Computerworld and CNN.com, covering national cyber-security issues and critical infrastructure protection. http://www.linuxsecurity.com/feature_stories/feature_story-150.html -------------------------------------------------------------------- CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner! Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing Editor's Choice Award, EnGarde "walked away with our Editor's Choice award thanks to the depth of its security strategy..." Find out what the other Linux vendors are not telling you. http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2 -------------------------------------------------------------------- FEATURE: A Practical Approach of Stealthy Remote Administration This paper is written for those paranoid administrators who are looking for a stealthy technique of managing sensitive servers (like your enterprise firewall console or IDS). http://www.linuxsecurity.com/feature_stories/feature_story-149.html --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Conectiva | ----------------------------// +---------------------------------+ 9/22/2003 - wu-ftpd Command execution remote vulnerability This update fixes a vulnerability in the way wu-ftpd uses the "conversion" feature, which is used mostly to (un)compress files. The scenario where this vulnerability can be exploited varies depending on the server configuration. http://www.linuxsecurity.com/advisories/connectiva_advisory-3670.html 9/23/2003 - vnc Multiple vulnerabilities This update fixes two vulnerabilities found in VNC that affect the versions distributed with Conectiva Linux 7.0 and 8: http://www.linuxsecurity.com/advisories/connectiva_advisory-3674.html 9/23/2003 - krb5 Multiple kerberos vulnerabilities This update fixes pricipal name handling, cryptographic weaknesses, faulty length checks in xdrmem_getbytes, and multiple other vulnerabilities. http://www.linuxsecurity.com/advisories/connectiva_advisory-3675.html 9/24/2003 - php4 Multiple vulnerabilities This new version includes several fixes[3] and improvements, including fixes for potential integer overflow vulnerabilities. http://www.linuxsecurity.com/advisories/connectiva_advisory-3684.html +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ 9/20/2003 - ipmasq Insecure packet filtering rules Due to use of certain improper filtering rules, traffic arriving on the external interface addressed for an internal host would be forwarded, regardless of whether it was associated with an established connection. http://www.linuxsecurity.com/advisories/debian_advisory-3665.html 9/21/2003 - ssh-krb5 Multiple vulnerabilities Insecure packet filtering rules This advisory is an addition to the earlier DSA-383-1 advisory: Solar Designer found four more bugs in OpenSSH that may be exploitable. http://www.linuxsecurity.com/advisories/debian_advisory-3668.html 9/21/2003 - ssh Multiple additional vulnerabilities This advisory is an addition to the earlier DSA-382-1 and DSA-382-3 advisories: Solar Designer found four more bugs in OpenSSH that may be exploitable. http://www.linuxsecurity.com/advisories/debian_advisory-3669.html +---------------------------------+ | Distribution: EnGarde | ----------------------------// +---------------------------------+ 9/24/2003 - 'WebTool-userpass' passphrase disclosure vulnerability. Multiple additional vulnerabilities "Shawn" discovered and reported an SSH passphrase disclosure vulnerability in the WebTool's User Password Changer via the engarde-users mailing list. http://www.linuxsecurity.com/advisories/engarde_advisory-3680.html +---------------------------------+ | Distribution: FreeBSD | ----------------------------// +---------------------------------+ 9/24/2003 - ARP resource starvation DoS Under certain circumstances, it is possible for an attacker to flood a FreeBSD system with spoofed ARP requests, causing resource starvation which eventually results in a system panic. http://www.linuxsecurity.com/advisories/freebsd_advisory-3683.html +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ 9/23/2003 - openssh Multiple PAM vulnerabilities Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). http://www.linuxsecurity.com/advisories/gentoo_advisory-3676.html +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ 9/22/2003 - apache/mod_ssl Multiple vulnerabilities Multiple PAM vulnerabilities Updated Apache and mod_ssl packages that fix several minor security issues are now available for Red Hat Linux 7.1, 7.2, and 7.3. http://www.linuxsecurity.com/advisories/redhat_advisory-3666.html 9/22/2003 - perl Multiple vulnerabilities Updated Perl packages that fix a security issue in Safe.pm and a cross-site scripting (XSS) vulnerability in CGI.pm are now available. http://www.linuxsecurity.com/advisories/redhat_advisory-3667.html +---------------------------------+ | Distribution: Slackware | ----------------------------// +---------------------------------+ 9/23/2003 - 'wu-ftpd' vulnerability Multiple vulnerabilities Upgraded WU-FTPD packages are available for Slackware 9.0 and -current. These fix a problem where an attacker could use a specially crafted filename in conjunction with WU-FTPD's conversion feature to execute arbitrary commands on the server. http://www.linuxsecurity.com/advisories/slackware_advisory-3677.html 9/23/2003 - 'proftpd' vulnerability Multiple vulnerabilities Upgraded ProFTPD packages are available for Slackware 8.1, 9.0 and -current. These fix a security issue where an attacker could gain a root shell by downloading a specially crafted file. http://www.linuxsecurity.com/advisories/slackware_advisory-3678.html 9/23/2003 - 'openssh' PAM vulnerability Multiple vulnerabilities Upgraded OpenSSH 3.7.1p2 packages are available for Slackware 8.1, 9.0 and -current. This fixes security problems with PAM authentication. It also includes several code cleanups from Solar Designer. http://www.linuxsecurity.com/advisories/slackware_advisory-3679.html +---------------------------------+ | Distribution: SuSE | ----------------------------// +---------------------------------+ 9/20/2003 - sendmail, sendmail-tls Multiple vulnerabilities A remotely exploitable buffer overflow has been found in all versions of sendmail that come with SuSE products. These versions include sendmail-8.11 and sendmail-8.12 releases. http://www.linuxsecurity.com/advisories/suse_advisory-3664.html +---------------------------------+ | Distribution: TurboLinux | ----------------------------// +---------------------------------+ 9/24/2003 - 'openssh' PAM vulnerabilities Multiple vulnerabilities Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. http://www.linuxsecurity.com/advisories/turbolinux_advisory-3681.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Sep 29 2003 - 07:59:11 PDT