+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| October 24th, 2003 Volume 4, Number 42a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave@private ben@private
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for ircd, gdm, fileutils, sane,
fetchmail, and the kernel/kdebase. The distributors include Conectiva,
Immunix, Mandrake, and Turbolinux.
---
>> FREE Apache SSL Guide from Thawte <<
Are you worried about your web server security? Click here to get a FREE
Thawte Apache SSL Guide and find the answers to all your Apache SSL
security needs.
Click Command:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=vertad_thawteapache
---
This week, Ballmer's comments comparing Windows and Linux Security have
been all over the press. As you might suspect, the GNU/Linux community
instantly fired back rebutting all of his points. Personally, I believe he
was comparing apples and oranges and exploiting the ignorance people have
for security. Fear, uncertainty, and doubt is a common theme that we
should come to expect. Unfortunately, some believe everything they are
being told without any verification of the facts.
The point of this commentary is not to make any arguments for or against
the security of Linux, but to re-emphasize the point that the ultimate
responsibility for security rests with the person(s) who have chosen to
implement a particular piece of software. For instance, by choosing to
set up a Linux based Web server, you take on the responsibility of
ensuring that the bare minimum is installed, access is strictly
controlled, and the system is patched as much as necessary.
Unfortunately, there will always be vulnerabilities in software due to
sloppy programming. I am not trying to discount the responsibility of
software makers; I am merely suggesting that security isn't something that
is controlled at a single point. Security is everyone's responsibility.
When choosing to implement a piece of software, security should be one of
the most significant factors. Does the vendor provide timely updates?
If something goes horribly wrong, can I fix it myself? What is the
security history of this software? All of these questions are important and
should be addressed. I just wanted to emphasize that security shouldn't be
a game of "my OS has fewer vulnerabilities than yours"; the point should be
"how easily can the problem be fixed, and/or how long do I have to wait for
an update." Security is the responsibility of all at many levels and we
shouldn't forget that.
Until next time, cheers!
Benjamin D. Thomas
ben@private
---
EnGarde GDSN Subscription Price Reduction -
Guardian Digital, the world's premier open source security company,
announced today that they will be reducing the annual subscription cost of
the Guardian Digital Secure Network for EnGarde Community users from $229
to $60 for a limited time.
http://www.linuxsecurity.com/feature_stories/feature_story-151.html
--------------------------------------------------------------------
CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
thanks to the depth of its security strategy..." Find out what the other
Linux vendors are not telling you.
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
--------------------------------------------------------------------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Conectiva | ----------------------------//
+---------------------------------+
10/17/2003 - ircd
DoS vulnerability
A buffer overflow vulnerability has been discovered that may allow an
attacker to crash the ircd server, thus causing a denial of service
condition. The package released with this advisory includes a patch
that fixes the problem.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3736.html
10/17/2003 - gdm
DoS Vulnerabilities
Jarno Gassenbauer found two local denial of service vulnerabilities in
GDM, both fixed in versions 2.4.4.4 and 2.4.1.7 and in the packages
released with this advisory:
http://www.linuxsecurity.com/advisories/connectiva_advisory-3737.html
10/22/2003 - fileutils
denial of service vulnerability
There is a memory starvation denial of service vulnerability in the ls
program. It is possible to make ls allocate a huge amount of memory by
calling it with the parameters "-w X -C" (where X is an arbitrarily
large number), so any service that runs ls with a caller-supplied width
can be driven out of memory by a local or remote user.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3741.html
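How a line width turns into a huge allocation, as an added illustration and
not code from the advisory or from fileutils: in the multi-column layout ls
considers every column count from 1 up to line_length/3 (three is the
narrowest column it will print) and keeps a table of column widths for each
candidate, so the scratch memory is quadratic in the -w value. The "capped"
variant, which never considers more columns than there are entries to list,
is my model of the fix rather than the upstream patch; parse_width,
would_starve, the 20-entry directory and the 64 MiB budget are constructed
for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Narrowest column ls will lay out: one character plus two spaces of gap. */
#define MIN_COLUMN_WIDTH 3

/* Parse the argument of -w as an unsigned decimal, rejecting empty strings,
 * negative numbers (strtoul would silently wrap them), trailing garbage and
 * out-of-range values. Returns 0 on success, -1 otherwise. */
int parse_width(const char *arg, unsigned long *out)
{
    char *end;
    if (arg == NULL || *arg == '\0' || *arg == '-')
        return -1;
    errno = 0;
    unsigned long v = strtoul(arg, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

/* Scratch bytes the multi-column layout needs in this model.  For every
 * candidate column count k = 1..max_idx the code keeps a table of k column
 * widths (size_t each), so the total is max_idx*(max_idx+1)/2 cells.
 *   capped == 0 : max_idx comes straight from -w (the vulnerable behaviour)
 *   capped != 0 : max_idx is also limited to n_files, since a listing of n
 *                 names can never use more than n columns (assumed fix)
 * Returns 0 when the size would not fit in size_t at all. */
size_t columns_workspace_bytes(unsigned long line_length, size_t n_files, int capped)
{
    size_t max_idx = (size_t)(line_length / MIN_COLUMN_WIDTH);
    if (capped && max_idx > n_files)
        max_idx = n_files;
    if (max_idx < 1)
        max_idx = 1;
    /* Guard max_idx*(max_idx+1) against wrap-around before computing it. */
    if (max_idx > ((size_t)1 << (sizeof(size_t) * CHAR_BIT / 2 - 1)))
        return 0;
    size_t cells = max_idx * (max_idx + 1) / 2;
    if (cells > SIZE_MAX / sizeof(size_t))
        return 0;
    return cells * sizeof(size_t);
}

/* 1 when the uncapped allocation for this -w would exceed budget_bytes
 * (or cannot even be sized), 0 when it fits. */
int would_starve(unsigned long line_length, size_t n_files, size_t budget_bytes)
{
    size_t need = columns_workspace_bytes(line_length, n_files, 0);
    return need == 0 || need > budget_bytes;
}

int main(void)
{
    /* Constructed inputs: a normal terminal width and the kind of value an
     * attacker passes via "-w X -C", against a constructed 20-entry listing. */
    const char *widths[] = { "80", "1000000000", "-5" };
    size_t n_files = 20;
    size_t budget  = (size_t)64 << 20;   /* 64 MiB we are willing to spend */

    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        unsigned long w;
        if (parse_width(widths[i], &w) != 0) {
            printf("-w %s: rejected\n", widths[i]);
            continue;
        }
        printf("-w %-10s uncapped=%zu bytes  capped=%zu bytes  starve=%d\n",
               widths[i],
               columns_workspace_bytes(w, n_files, 0),
               columns_workspace_bytes(w, n_files, 1),
               would_starve(w, n_files, budget));
    }
    return 0;
}
```

With -w 80 both variants need a few kilobytes; with -w 1000000000 the
uncapped model asks for hundreds of petabytes while the capped one still
needs 1680 bytes, which is the whole difference between the advisory's
denial of service and a harmless option.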
10/22/2003 - sane
tmp file vulnerabilities
This update fixes several vulnerabilities in the sane package.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3742.html
+---------------------------------+
| Distribution: Immunix | ----------------------------//
+---------------------------------+
10/20/2003 - fetchmail
Multiple vulnerabilities
This update fixes several bugs in fetchmail, including a broken
boundary condition check in the multidrop code, a header overflow that
neglected to account for '@' signs in email addresses, a
header-rewriting bug, and a header-reading bug.
http://www.linuxsecurity.com/advisories/immunix_advisory-3738.html
+---------------------------------+
| Distribution: Mandrake | ----------------------------//
+---------------------------------+
10/17/2003 - gdm
multiple vulnerabilities
Two vulnerabilities were discovered in gdm by Jarno Gassenbauer that
would allow a local attacker to cause gdm to crash or freeze.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3734.html
10/17/2003 - fetchmail
denial of service vulnerability
A bug was discovered in fetchmail 6.2.4 where a specially crafted
email message can cause fetchmail to crash.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3735.html
+---------------------------------+
| Distribution: Turbolinux | ----------------------------//
+---------------------------------+
10/20/2003 - kernel/kdebase Multiple updates
denial of service vulnerability
Multiple issues in the Linux kernel and KDM have been resolved.
http://www.linuxsecurity.com/advisories/turbolinux_advisory-3739.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Oct 27 2003 - 03:07:24 PST