[ISN] Linux Advisory Watch - March 12th 2004

From: InfoSec News (isn@private)
Date: Sun Mar 14 2004 - 23:02:00 PST


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  March 12th, 2004                         Volume 5, Number 11a |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                Benjamin Thomas
                   dave@private     ben@private
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for the Linux kernel, sysstat,
    mailman, coreutils, libxml2, mozilla, and kdelibs.  The distributors
    include Debian, Fedora, Gentoo, Mandrake, OpenBSD, Red Hat, and Trustix.
    
    ----
    
    >> Internet Productivity Suite:  Open Source Security <<
    Trust Internet Productivity Suite's open source architecture to give you
    the best security and productivity applications available. Collaborating
    with thousands of developers, Guardian Digital security engineers
    implement the most technologically advanced ideas and methods into their
    design.
    
      http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10
    
    ----
    
    Lies, Damn Lies, and Statistics
    
    The recent study released by a British security firm has caused a lot of
    controversy.  The report concluded that Linux is the "most-breached"
    operating system, OS X was the least, and Windows somewhere floated in the
    middle.  Like clockwork, many IT journalists used the report as a basis
    for articles.  Headlines such as "Apple OS X Server is most secure system"
    and "Apple Servers The Most Secure" tend to distort the truth.  Most took
    the report literally and failed to question the methods used to gather the
    statistics.  In the meantime, the security firm that released the report
    has gained a lot of exposure because of its controversial findings.
    
    I'm not writing this to dispute or agree with the conclusions.  The debate
    has been going on for a while and it would be pointless to rehash the
    arguments already out there.  My biggest concern is realized when
    technologically naive management gets ahold of this information.  Rather
    than fully understanding the information presented, decisions are made
    using distorted headlines.  This week, platform X is most secure, next
    week it will be platform Y.  This type of analysis seems to imply that
    there is a magic security silver bullet.  Rather than responsible
    administration, it implies that security is wholly attributed to choice of
    software.
    
    Security is extremely hard to measure.  Quantifying security in terms of
    'most-breached' or 'most hacked' is flawed because it does not take
    administration faults into account.  Some administrators are very
    pro-active and can keep a server from being compromised, others are
    negligent and leave vulnerabilities open.
    
    As security practitioners or system administrators we should not focus on
    flawed reports, but rather concentrate on security best practices.  In the
    real world, statistics of this sort provide little benefit because we all
    have legacy systems to maintain. Appropriate time should be spent applying
    security patches and verifying each system is configured properly.
    Rather than asking, "Which system is more secure?", administrators should
    ask, "Which system will provide the most security flexibility?" and "Which
    operating system provides the fastest updates?"
    
    Until next time, cheers!
    Benjamin D. Thomas
    ben@private
    
    ----
    
    Guardian Digital Introduces Innovative Open Source
    Approach to Combating Email Threats
    
    Guardian Digital, the world's premier open source security company, has
    introduced Content and Policy Enforcement (CAPE) technology, an innovative
    open source software system for securing enterprise email operations.
    Unique in its approach, CAPE technology powers the email security
    operations of Secure Mail Suite v3.0, the company's enterprise email and
    productivity platform.
    
    http://www.guardiandigital.com/company/press/2004/emailthreats.html
    
    --------------------------------------------------------------------
    
    Introduction to Netwox and Interview with Creator Laurent Constantin
    
    In this article Duane Dunston gives a brief introduction to Netwox, a
    combination of over 130 network auditing tools.  Also, Duane interviews
    Laurent Constantin, the creator of Netwox.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-158.html
    
    
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    
    +---------------------------------+
    |  Distribution: Debian           | ----------------------------//
    +---------------------------------+
    
     3/8/2004 - kernel
       2.2.19 Privilege escalation vulnerability
    
       This is the Kernel 2.2.19 backported version of the mremap fix
       that prevents a local root exploit.
       http://www.linuxsecurity.com/advisories/debian_advisory-4113.html
    
     3/9/2004 - wu-ftpd
       Multiple vulnerabilities
    
       These vulnerabilities allow a malicious user to bypass directory
       access restrictions and execute arbitrary code.
       http://www.linuxsecurity.com/advisories/debian_advisory-4120.html
    
     3/10/2004 - python2.2
       Buffer overflow vulnerability
    
       A crafted IPv6 address can overwrite memory in the stack.
       http://www.linuxsecurity.com/advisories/debian_advisory-4121.html
    
     3/10/2004 - sysstat
       Insecure temporary file vulnerability
    
       Crafted symlinks can be used to make sysstat write to/read from
       arbitrary files.
       http://www.linuxsecurity.com/advisories/debian_advisory-4129.html
    
    
    +---------------------------------+
    |  Distribution: Fedora           | ----------------------------//
    +---------------------------------+
    
     3/5/2004 - mailman
       Cross posting vulnerability
    
       A cross-site scripting bug in the 'create' CGI script affects
       versions of Mailman 2.1 before 2.1.3.
       http://www.linuxsecurity.com/advisories/fedora_advisory-4111.html
    
     3/5/2004 - util-linux
       Information leak vulnerability
    
       Fixed information leak in login program.
       http://www.linuxsecurity.com/advisories/fedora_advisory-4112.html
    
     3/11/2004 - coreutils
       Integer overflow vulnerability
    
       An integer overflow in ls in the fileutils or coreutils packages
       may allow local users to cause a denial of service or execute
       arbitrary code.
       http://www.linuxsecurity.com/advisories/fedora_advisory-4130.html
    
    
    +---------------------------------+
    |  Distribution: Gentoo           | ----------------------------//
    +---------------------------------+
    
     3/8/2004 - libxml2
       Buffer overflow vulnerability
    
       Bug may be exploited by an attacker allowing the execution of
       arbitrary code.
       http://www.linuxsecurity.com/advisories/gentoo_advisory-4114.html
    
     3/8/2004 - kernel
       2.4.x Privilege escalation vulnerability
    
       Exploitation of this bug can allow a local user to run arbitrary
       code as root.
       http://www.linuxsecurity.com/advisories/gentoo_advisory-4115.html
    
    
    +---------------------------------+
    |  Distribution: Mandrake         | ----------------------------//
    +---------------------------------+
    
     3/10/2004 - python2.2
       Buffer overflow vulnerability
    
       A crafted IPv6 address can overwrite stack memory with executable
       code.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-4122.html
    
     3/10/2004 - gdk-pixbuf
       Denial of service vulnerability
    
       A malicious BMP file can crash the Evolution mail client.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-4123.html
    
     3/10/2004 - mozilla
       Multiple vulnerabilities
    
       Various serious vulnerabilities allow remote code execution and
       the reading of authentication information used with one's proxy.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-4124.html
    
     3/10/2004 - kdelibs
       Path restriction escape vulnerability
    
       Exploitation of this bug allows an attacker to escape path
       restrictions specified by the cookie originator.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-4125.html
    
    
    +---------------------------------+
    |  Distribution: OpenBSD          | ----------------------------//
    +---------------------------------+
    
     3/9/2004 - tcp/ip
       Denial of service vulnerability
    
       This vulnerability allows a remotely triggered denial of service.
       http://www.linuxsecurity.com/advisories/openbsd_advisory-4119.html
    
    
    +---------------------------------+
    |  Distribution: Red Hat          | ----------------------------//
    +---------------------------------+
    
     3/9/2004 - wu-ftpd
       Multiple vulnerabilities
    
       These vulnerabilities allow the escape of home-directory
       restrictions and the execution of arbitrary code.
       http://www.linuxsecurity.com/advisories/redhat_advisory-4118.html
    
     3/10/2004 - kdelibs
       Path restriction escape vulnerability
    
       An attacker can escape path restrictions set by the cookie originator.
       http://www.linuxsecurity.com/advisories/redhat_advisory-4126.html
    
     3/10/2004 - Sysstat
       Insecure temporary file vulnerability
    
       Using symlinks, this bug can be exploited to cause Sysstat to
       write to/read from arbitrary files.
       http://www.linuxsecurity.com/advisories/redhat_advisory-4127.html
    
     3/10/2004 - gdk-pixbuf
       Denial of service vulnerability
    
       A malformed BMP file can segfault the mail reader.
       http://www.linuxsecurity.com/advisories/redhat_advisory-4128.html
    
    
    +---------------------------------+
    |  Distribution: Trustix          | ----------------------------//
    +---------------------------------+
    
     3/8/2004 - nfs-utils
       Denial of service vulnerability
    
       Certain incorrect DNS setups would cause rpc.mountd to crash,
       resulting in a remote DoS of the DNS client at mount time.
       http://www.linuxsecurity.com/advisories/trustix_advisory-4116.html
    
     3/8/2004 - libxml2
       Buffer overflow vulnerability
    
       URLs longer than 4096 bytes would cause an overflow while using
       nanohttp in libxml2.
       http://www.linuxsecurity.com/advisories/trustix_advisory-4117.html
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-request@private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Mar 15 2004 - 02:12:10 PST