+----------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | April 23rd, 2004 Volume 5, Number 17a | +----------------------------------------------------------------+ Editors: Dave Wreski Benjamin Thomas dave@private ben@private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for cvs, neon, perl, logcheck, kernel, iproute, xchat, ident2, utempter, cadaver, libneon, MySQL, samba, utempter, OpenSSL, tcp, IA64, XFree86, tcpdump, and xine. The distributors include Debian, Fedora, Gentoo, Mandrake, NetBSD, Red Hat, Slackware, and Trustix. ---- >> Free Trial SSL Certificate from Thawte << Take your first step towards giving your online business a competitive advantage. Test-drive a Thawte SSL certificate 02 our easy online guide will show you how. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten04 ---- Data Classification One of the biggest problems in security today is that business managers and security administrators do not have a good idea of how much their organization's proprietary data is worth. Consider the example of a company's client details or schematics for a new product. How much money should be spent to protect it? Who should access it? If this information is leaked to competitors, how much impact would if have on the business? If you aren't asking these types of questions, you should be. One of the first steps in risk management in any organization is determining the assets. Later, a value is assigned to each asset and known risks are either accepted, transferred, or mitigated. When determining the value of an organization's information, it can very easily become infinitely complex. A technique commonly used to assist with the valuation of information is data classification. The concept involves assigning a label and in some cases a classification to a piece of information, or a document. For example, documents in any government agency will be assigned labels such as unclassified, classified, secret, or top secret. Sometimes labeling is more granular including labels such as unclassified but sensitive, or internal. Most governments implement this in slightly different ways. A security classification describes who the information is intended for. For example, a budgeting document could be labeled classified and only intended for the finance and accounting departments. This means that the document's label is classified and the classification is finance and accounting. In theory, only those individuals in the finance and accounting departments with classified clearance should be able to access that particular document. Assigning labels to information gives security administrators a logical way to create a protection strategy. Appropriately applying security controls can be easier if similar data is held in similar places. Back to the budgeting document example, because it is classified and intended only for finance or accounting, it should only be stored on a confidential, accounting or finance data-store/server. It is not always necessary to have separate servers for each label. Segmentation can be done just as easily by assigning group permissions to specific directories on a single server. Data classification allows managers to more easily determine the type and quantity of information used by an organization. Also, it can simplify the security administrator's role of providing consistent access control across all information used. Until next time, cheers! Benjamin D. Thomas ben@private ---- Guardian Digital Launches Next Generation Internet Defense & Detection System Guardian Digital has announced the first fully open source system designed to provide both intrusion detection and prevention functions. Guardian Digital Internet Defense & Detection System (IDDS) leverages best-in-class open source applications to protect networks and hosts using a unique multi-layered approach coupled with the security expertise and ongoing security vigilance provided by Guardian Digital. http://www.linuxsecurity.com/feature_stories/feature_story-163.html -------------------------------------------------------------------- Interview with Siem Korteweg: System Configuration Collector In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments. http://www.linuxsecurity.com/feature_stories/feature_story-162.html -------------------------------------------------------------------- >> Internet Productivity Suite: Open Source Security << Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10 --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ 4/17/2004 - cvs Multiple vulnerabilities Patch fixes bugs for both server and client which allows the creation of arbitrary files. http://www.linuxsecurity.com/advisories/debian_advisory-4243.html 4/17/2004 - neon Format string vulnerability These vulnerabilities could exploited by a malicious WebDAV server to execute arbitrary code with libneon's privileges. http://www.linuxsecurity.com/advisories/debian_advisory-4244.html 4/19/2004 - perl Information leak vulnerabilities DSA 431-1 incorporated a partial fix for this problem. This advisory includes a more complete fix which corrects some additional cases. http://www.linuxsecurity.com/advisories/debian_advisory-4245.html 4/19/2004 - logcheck Insecure temporary directory This bug may be exploited to write or read arbitrary directories to which the user has access. http://www.linuxsecurity.com/advisories/debian_advisory-4246.html 4/19/2004 - kernel 2.4.17 Multiple vulnerabilities This patch takes care of multiple kernel vulnerabilities, specifially for kernal 2.4.17 on the PowerPC/apus and S/390 architectures. http://www.linuxsecurity.com/advisories/debian_advisory-4247.html 4/19/2004 - kernel 2.4.19 Multiple vulnerabilities Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.17 for the MIPS architecture. http://www.linuxsecurity.com/advisories/debian_advisory-4248.html 4/19/2004 - zope Arbitrary code execution vulnerability A flaw in the security settings of ZCatalog allows anonymous users to call arbitrary methods of catalog indexes. The vulnerability also allows untrusted code to do the same. http://www.linuxsecurity.com/advisories/debian_advisory-4249.html 4/19/2004 - iproute Denial of service vulnerability Herbert Xu reported that local users could cause a denial of service against iproute, a set of tools for controlling networking in Linux kernels. http://www.linuxsecurity.com/advisories/debian_advisory-4250.html 4/21/2004 - xchat Buffer overflow vulnerability This bug allows an attacker to execute arbitrary code on the users' machine. http://www.linuxsecurity.com/advisories/debian_advisory-4263.html 4/22/2004 - ident2 Buffer overflow vulnerability This vulnerability could be exploited by a remote attacker to execute arbitrary code with the privileges of the ident2 daemon (by default, the "identd" user). http://www.linuxsecurity.com/advisories/debian_advisory-4269.html +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ 4/21/2004 - utempter Improper directory traversal vulnerability An updated utempter package that fixes a potential symlink vulnerability is now available. http://www.linuxsecurity.com/advisories/fedora_advisory-4265.html +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ 4/19/2004 - cadaver Multiple format string vulnerabilities There are multiple format string vulnerabilities in the neon library used in cadaver, possibly leading to execution of arbitrary code. http://www.linuxsecurity.com/advisories/gentoo_advisory-4251.html 4/19/2004 - XChat Stack overflow vulnerability XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. http://www.linuxsecurity.com/advisories/gentoo_advisory-4252.html 4/19/2004 - monit Multiple vulnerabilities Two new vulnerabilities have been found in the HTTP interface of monit, possibly leading to denial of service or execution of arbitrary code. http://www.linuxsecurity.com/advisories/gentoo_advisory-4253.html +---------------------------------+ | Distribution: Mandrake | ----------------------------// +---------------------------------+ 4/19/2004 - utempter Multiple vulnerabilities Incorrect path validation and denial of service vulnerabilities are patched here. http://www.linuxsecurity.com/advisories/mandrake_advisory-4257.html 4/20/2004 - libneon Format string vulnerabilities A number of various format string vulnerabilities were discovered in the error output handling of Neon. http://www.linuxsecurity.com/advisories/mandrake_advisory-4259.html 4/20/2004 - xine-ui Temporary file vulnerability Format string vulnerabilities This problem could allow local attackers to overwrite arbitrary files with the privileges of the user invoking the script. http://www.linuxsecurity.com/advisories/mandrake_advisory-4260.html 4/20/2004 - MySQL Temporary file vulnerabilities An attacker could create symbolic links in /tmp that could allow for overwriting of files with the privileges of the user running the scripts. http://www.linuxsecurity.com/advisories/mandrake_advisory-4261.html 4/20/2004 - samba Privilege escalation vulnerability A user can use smbmnt along with a remote suid program to gain root privileges remotely. http://www.linuxsecurity.com/advisories/mandrake_advisory-4262.html 4/22/2004 - utempter Update to patch MDKSA-2004:031 This patch corrects some small problems with the original utempter patch, released April 19th. http://www.linuxsecurity.com/advisories/mandrake_advisory-4270.html 4/22/2004 - xchat Improper execution vulnerability Successful exploitation could lead to arbitrary code execution as the user running XChat. http://www.linuxsecurity.com/advisories/mandrake_advisory-4271.html +---------------------------------+ | Distribution: NetBSD | ----------------------------// +---------------------------------+ 4/21/2004 - OpenSSL Denial of service vulnerabilities This patch fixes two seperate Denial of Service vulnerabilities. http://www.linuxsecurity.com/advisories/netbsd_advisory-4267.html 4/21/2004 - tcp Denial of service vulnerability Patch modifies the TCP/IP stack to minimize the probability of a disconnection or data injection attack, even without using IPSec. http://www.linuxsecurity.com/advisories/netbsd_advisory-4268.html +---------------------------------+ | Distribution: Openwall | ----------------------------// +---------------------------------+ 4/19/2004 - kernel Multiple vulnerabiltiies Descriptions and links for the newest kernel patches. http://www.linuxsecurity.com/advisories/openwall_advisory-4256.html +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ 4/21/2004 - kernel Multiple vulnerabilities Updated kernel packages that fix several minor security vulnerabilities are now available. http://www.linuxsecurity.com/advisories/redhat_advisory-4266.html 4/22/2004 - kernel Buffer overflow vulnerability Updated kernel packages that fix a security vulnerability which may allow local users to gain root privileges are now available. http://www.linuxsecurity.com/advisories/redhat_advisory-4272.html 4/22/2004 - IA64 kernel Multiple vulnerabilities Updated IA64 kernel packages fix a variety of security vulnerabilities. http://www.linuxsecurity.com/advisories/redhat_advisory-4273.html 4/22/2004 - XFree86 Denial of service vulnerability Flaws in XFree86 4.1.0 allows local or remote attackers who are able to connect to the X server to cause a denial of service. http://www.linuxsecurity.com/advisories/redhat_advisory-4274.html +---------------------------------+ | Distribution: Slackware | ----------------------------// +---------------------------------+ 4/19/2004 - tcpdump Denial of service vulnerability Upgraded tcpdump packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix denial-of-service issues. http://www.linuxsecurity.com/advisories/slackware_advisory-4254.html 4/19/2004 - cvs Arbitrary file creation vulnerabilities Two seperate cvs vulnerabilities, one for the client and one for the server, allow the creation of files at arbitrary paths. http://www.linuxsecurity.com/advisories/slackware_advisory-4255.html 4/20/2004 - utempter Insecure symlink vulnerability Steve Grubb has identified an issue with utempter-0.5.2 where under certain circumstances an attacker could cause it to overwrite files through a symlink. http://www.linuxsecurity.com/advisories/slackware_advisory-4258.html 4/21/2004 - xine Insecure temporary file vulnerability This release fixes a security problem where opening a malicious MRL could write to system (or other) files. http://www.linuxsecurity.com/advisories/slackware_advisory-4264.html +---------------------------------+ | Distribution: Trustix | ----------------------------// +---------------------------------+ 4/16/2004 - ppp/squid ACL escape vulnerability Insecure temporary file vulnerability The PPP fix is a simple bugfix. The Squid fix involves the ability to craft a URL to be ignored by Squid's ACLs. http://www.linuxsecurity.com/advisories/trustix_advisory-4241.html 4/16/2004 - kernel Multiple vulnerabilities This patch fixes a variety of kernel sercurity holes, some filesystem related. http://www.linuxsecurity.com/advisories/trustix_advisory-4242.html 4/22/2004 - kernel Integer overflow vulnerability A successful exploit could lead to full superuser privileges. http://www.linuxsecurity.com/advisories/trustix_advisory-4275.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ _________________________________________ ISN mailing list Sponsored by: OSVDB.org
This archive was generated by hypermail 2b30 : Mon Apr 26 2004 - 02:21:54 PDT