[ISN] Linux Advisory Watch - January 2nd 2004

From: InfoSec News (isn@private)
Date: Mon Jan 05 2004 - 00:27:57 PST


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  January 2nd, 2004                         Volume 5, Number 1a |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                Benjamin Thomas
                   dave@private     ben@private
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for xsok, cvs, and proftpd.  The
    distributors include Debian, Gentoo, and Mandrake.
    
    ---
    
    >> Get Thawte's NEW Step-by-Step SSL Guide for Apache <<
    
    In this guide you will find out how to test, purchase, install and use a
    Thawte Digital Certificate on your Apache web server. Throughout, best
    practices for set-up are highlighted to help you ensure efficient ongoing
    management of your encryption keys and digital certificates.
    
    Get your copy of this new guide now:
    http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte29
    
    ---
    
    One of the best parts of having a profession in information security and
    IT is the opportunity to continue learning.  To survive, one must
    constantly stay on top of changing technology.  The problem with this is
    that most of us do not have time to read books, journals, or simply
    conduct adequate research on the Internet.  We are constantly trying to
    extinguish fires and only gather enough information to do a particular
    job.  Unfortunately, it seems there is never enough time to simply read a
    little deeper, just to satisfy our own curiosities.
    
    Being the new year, many of us have made new year's resolutions. For most
    of us in IT, this involves learning something new. Perhaps you wish to
    learn a new programming language, diagramming technique, or wish to build
    a personal server for a particular function.  Many of us have no trouble
    making personal goals, but following through is a different story.
    Something that has worked well for me in the past is starting small, and
    trying to accomplish the smallest tasks first.  This will give you the
    feeling that progress is being made and the momentum will push you through
    the larger tasks.  For example, if you have seven books you wish to read
    this year, read the smallest one first.
    
    For those of you who wish to have a better understanding of cryptography
    in 2004, I have found the perfect book to get you started.  It is,
    "Cryptography: A Very Short Introduction," by Fred Piper and Sean Murphy.
    This book was published by Oxford Press in 2002.  Rather than give
    specific implementation examples, this book focuses on how several modern
    algorithms work, uses of cryptography, and key management.  This book will
    give the proper foundation of knowledge necessary to evaluate products
    and vendor claims. Also, if you are planning a large crypto software
    development project this year, this book is the perfect primer to other
    more specific cryptography related books.
    
    The book is only 142 pages long and can fit in a shirt pocket. It is well
    written and easy to read.  The book is filled with tables, charts, and
    examples to explain the concepts.  This book should be read by upper
    management and all others down the chain.  It could serve to demystify the
    purpose and uses of cryptography in any organization.
    
    The book can be easily found at Amazon.com for $9.95 USD.
    
    Until next time, cheers!
    Benjamin D. Thomas
    ben@private
    
    ---
    
    FEATURE: OSVDB: An Independent and Open Source Vulnerability Database
    
    This article outlines the origins, purpose, and future of the Open Source
    Vulnerability Database project. Also, we talk with Tyler Owen, a major
    contributor.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-156.html
    
    --------------------------------------------------------------------
    
    CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
    Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
    Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
    thanks to the depth of its security strategy..." Find out what the other
    Linux vendors are not telling you.
    
    http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
    
    --------------------------------------------------------------------
    
    Guardian Digital Customers Protected From Linux Kernel Vulnerability
    
    As a result of the planning and secure design of EnGarde Secure Linux, the
    company's flagship product, Guardian Digital customers are securely
    protected from a vulnerability that led to the complete compromise of
    several high-profile open source projects, including those belonging to
    the Debian Project.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-155.html
    
    
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    
    +---------------------------------+
    |  Distribution: Debian           | ----------------------------//
    +---------------------------------+
    
     12/30/2003 - xsok
       Missing privilege release
    
       Steve Kemp discovered a problem in xsok, a single player strategy game
       for X11, related to the Sokoban game, which allows a user to execute
       arbitrary commands with the GID of games.
       http://www.linuxsecurity.com/advisories/debian_advisory-3902.html
    
    
    +---------------------------------+
    |  Distribution: Gentoo           | ----------------------------//
    +---------------------------------+
    
     12/29/2003 - cvs
       Privilege escalation vulnerability
    
       This release adds code to the CVS server to prevent it from continuing
       as root after a user login, as an extra failsafe against a compromise
       of the CVSROOT/passwd file.
       http://www.linuxsecurity.com/advisories/gentoo_advisory-3901.html
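
    Both the xsok advisory above (a setgid binary that never releases the
    games group) and this CVS fix (a failsafe so the server cannot keep
    running as root after login) come down to the same defensive pattern:
    drop privileges in the right order, then verify the drop is irreversible.
    The example below is an added illustration, not code from either project;
    the function names drop_privileges and privileges_dropped are made up for
    it, and it assumes a POSIX system (setregid/setreuid, setgroups).

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to (uid, gid). Order matters: supplementary groups
 * and the primary group must be released first, because once the process
 * is no longer root it can no longer change its group ids. setregid and
 * setreuid set both real and effective ids, so a setgid-games program (the
 * xsok case) fully sheds the group rather than keeping it as the saved id. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* only root may clear the supplementary group list */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setregid(gid, gid) != 0)
        return -1;
    if (setreuid(uid, uid) != 0)
        return -1;
    return 0;
}

/* The failsafe: confirm every id now matches the target and, if we left
 * root, that root cannot be regained. A server should refuse to continue
 * serving a login when this returns 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0) {
        if (setuid(0) != -1)   /* must fail with EPERM */
            return 0;
        if (setgid(0) != -1)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* stand-alone demo: drop to the caller's own ids and verify the result */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0 || !privileges_dropped(uid, gid)) {
        fprintf(stderr, "privilege drop failed; refusing to continue\n");
        return 1;
    }
    printf("running as uid=%u gid=%u, root not regainable\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```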
    
    
    +---------------------------------+
    |  Distribution: Mandrake         | ----------------------------//
    +---------------------------------+
    
     12/31/2003 - proftpd
       Root access vulnerability
    
       A vulnerability was discovered by X-Force Research at ISS in ProFTPD's
       handling of ASCII translation.  An attacker, by downloading a carefully
       crafted file, can remotely exploit this bug to create a root shell.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-3903.html
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-request@private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Jan 05 2004 - 02:55:49 PST