[ISN] Linux Advisory Watch - December 26th 2003

From: InfoSec News (isn@private)
Date: Mon Dec 29 2003 - 02:09:22 PST
    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  December 26th, 2003                      Volume 4, Number 51a |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                Benjamin Thomas
                   dave@private     ben@private
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for ethereal, XFree86, BIND, and
    apache.  The distributors include Fedora, Mandrake, NetBSD, and Red Hat.
    
    ---
    
    >> Get Thawte's NEW Step-by-Step SSL Guide for Apache <<
    
    In this guide you will find out how to test, purchase, install and use a
    Thawte Digital Certificate on your Apache web server. Throughout, best
    practices for set-up are highlighted to help you ensure efficient ongoing
    management of your encryption keys and digital certificates.
    
    Get your copy of this new guide now:
    http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte29
    
    ---
    
    As expected, this has been a slow week for advisories.  Were there fewer
    vulnerabilities this week, or did people just decide to take time off?
    Probably the latter.  One observation that I made yesterday is that the
    amount of spam in my junk box was extremely low.  What could it be?  Are
    the new US spam laws starting to make a difference, or do spammers
    celebrate Christmas too?  Again, probably the latter.
    
    Face it, the amount of spam that you received in 2003 is almost at an
    unbearable point.  It is only going to get worse in 2004.  It's now time to
    do something about it, rather than just perpetually holding down the
    delete key.  Spam is costing you time, and your organization money.
    Luckily (or unluckily), the rest of the Linux community is in the same
    boat as you.  There are many open source solutions available to address
    the problem.
    
    When thinking in terms of security, spam can affect a network's
    availability.  Having a considerable amount of spam traffic can slow down
    or in fact prevent legitimate traffic from reaching the intended
    destination.  Like all security problems, it is important to address the
    problem at multiple levels.  One of the best places to confront spam is at
    the client level.  Today, many mail clients available for the Linux
    operating system have sophisticated spam filtering abilities.  Most
    notably, the mail client included with Mozilla does an excellent job.
    
    Spam should also be taken on at the server level.  One of the most
    widely used spam management packages is SpamAssassin.  It is highly
    flexible software that uses several techniques for identifying
    illegitimate messages. Because it is such a widely used set of software,
    there are many guides and much configuration documentation available.  More
    information on SpamAssassin can be found at: http://spamassassin.org/
    
    For those of you who do not have the time and resources to properly
    configure a mail server with spam protection but need to address the
    problem, there are several solutions available. Guardian Digital offers a
    mail server and spam/virus protection package that can be set up in
    literally minutes.  Rather than spending endless hours in vi editing .conf
    files, the Guardian Digital Secure Mail suite will allow you to set up a
    mail server, set spam filtering options, and enable virus protection with
    several clicks of a mouse in your browser.  To find out more about
    Guardian Digital's solution, visit the following website:
    
    http://store.guardiandigital.com/html/eng/products/software/mail_overview.shtml
    
    Until next time, cheers!
    Benjamin D. Thomas
    ben@private
    
    ---
    
    FEATURE: OSVDB: An Independent and Open Source Vulnerability Database
    
    This article outlines the origins, purpose, and future of the Open Source
    Vulnerability Database project. Also, we talk with Tyler Owen, a major
    contributor.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-156.html
    
    --------------------------------------------------------------------
    
    CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
    
    Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
    Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
    thanks to the depth of its security strategy..." Find out what the other
    Linux vendors are not telling you.
    
    http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
    
    --------------------------------------------------------------------
    
    Guardian Digital Customers Protected From Linux Kernel Vulnerability
    
    As a result of the planning and secure design of EnGarde Secure Linux, the
    company's flagship product, Guardian Digital customers are securely
    protected from a vulnerability that led to the complete compromise of
    several high-profile open source projects, including those belonging to
    the Debian Project.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-155.html
    
    
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    
    +---------------------------------+
    |  Distribution: Fedora           | ----------------------------//
    +---------------------------------+
    
     12/19/2003 - ethereal
       Multiple malformed packet vulnerabilities
    
       Both vulnerabilities will make the Ethereal application crash. The
       Q.931 vulnerability also affects Tethereal. It is not known if either
       vulnerability can be used to make Ethereal or Tethereal run arbitrary
       code. http://www.linuxsecurity.com/advisories/fedora_advisory-3897.html
    
    
    +---------------------------------+
    |  Distribution: Mandrake         | ----------------------------//
    +---------------------------------+
    
     12/19/2003 - XFree86
       Unchecked authentication vulnerability
    
       A vulnerability was discovered in the XDM display manager that ships
       with XFree86.  XDM does not check for successful completion of the
       pam_setcred() call and in the case of error conditions in the installed
       PAM modules, XDM may grant local root access to any user with valid
       login credentials.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-3899.html
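
    As an added illustration of the unchecked pam_setcred() pattern described in the advisory above (example code, not XFree86's or the advisory's own): a simplified login-manager model in C, with the vulnerable and the hardened pattern side by side. The PAM handle, the return codes and sim_pam_setcred() are constructed stand-ins rather than libpam, and the uid bookkeeping is a simplified model of credential establishment.

```c
#include <stdio.h>

/* Constructed stand-ins for the PAM pieces (not libpam; the real codes and
 * calls live in <security/pam_appl.h>). */
#define PAM_SUCCESS  0
#define PAM_CRED_ERR 1    /* placeholder error code for a failing module */
#define ROOT_UID     0

/* Simulated PAM handle: the uid the module chain would establish for the
 * user, and whether one of the installed modules is in an error state. */
typedef struct { int user_uid; int module_error; } sim_pam_handle;
/* Simulated pam_setcred(): on success hands back the user's uid through
 * *session_uid; on module error reports failure and leaves it untouched. */
static int sim_pam_setcred(const sim_pam_handle *h, int *session_uid) {
    if (h->module_error)
        return PAM_CRED_ERR;
    *session_uid = h->user_uid;
    return PAM_SUCCESS;
}

/* Vulnerable pattern: the display manager runs as root, calls pam_setcred()
 * and never inspects the return code.  When the module chain fails,
 * session_uid keeps the daemon's identity and the session runs as root.
 * Returns the uid the session would run as. */
int start_session_unchecked(const sim_pam_handle *h) {
    int session_uid = ROOT_UID;          /* the daemon's own identity */
    sim_pam_setcred(h, &session_uid);    /* return value discarded */
    return session_uid;
}

/* Hardened pattern: any result other than PAM_SUCCESS aborts the login.
 * Returns the session uid, or -1 when the login is refused. */
int start_session_checked(const sim_pam_handle *h) {
    int session_uid = ROOT_UID;
    int rc = sim_pam_setcred(h, &session_uid);
    if (rc != PAM_SUCCESS) {
        fprintf(stderr, "pam_setcred failed (rc=%d); refusing session\n", rc);
        return -1;
    }
    return session_uid;
}

int main(void) {
    sim_pam_handle ok  = { 1000, 0 };    /* healthy module chain */
    sim_pam_handle bad = { 1000, 1 };    /* a module in an error state */
    printf("unchecked, modules ok:   uid %d\n", start_session_unchecked(&ok));
    printf("unchecked, module error: uid %d\n", start_session_unchecked(&bad));
    printf("checked,   module error: uid %d\n", start_session_checked(&bad));
    return 0;
}
```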
    
    
    +---------------------------------+
    |  Distribution: NetBSD           | ----------------------------//
    +---------------------------------+
    
     12/22/2003 - BIND
       Followup on negative cache poisoning vulnerability
    
       The following excerpts show that include/arpa/inet.h must be updated
       from rev 1.12 that ships with 1.6.1 to rev 1.12.2.1 which is the
       current candidate for 1.6.2.
       http://www.linuxsecurity.com/advisories/netbsd_advisory-3900.html
    
    
    +---------------------------------+
    |  Distribution: Red Hat          | ----------------------------//
    +---------------------------------+
    
     12/19/2003 - apache
       Creatable buffer overflow vulnerability
    
       A carefully-crafted configuration file can cause an exploitable buffer
       overflow and would allow the attacker to execute arbitrary code in the
       context of the server (in default configurations as the 'apache' user).
       http://www.linuxsecurity.com/advisories/redhat_advisory-3898.html
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-request@private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Dec 29 2003 - 04:54:35 PST