[ISN] Linux Advisory Watch - April 23rd 2004

From: InfoSec News (isn@private)
Date: Sun Apr 25 2004 - 23:32:36 PDT

    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  April 23rd, 2004                         Volume 5, Number 17a |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                Benjamin Thomas
                   dave@private     ben@private
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for cvs, neon, perl, logcheck, kernel,
    iproute, xchat, ident2, utempter, cadaver, libneon, MySQL, samba,
    utempter, OpenSSL, tcp, IA64, XFree86, tcpdump, and xine.  The
    distributors include Debian, Fedora, Gentoo, Mandrake, NetBSD, Red Hat,
    Slackware, and Trustix.
    
    ----
    
    >> Free Trial SSL Certificate from Thawte <<
    
    Take your first step towards giving your online business a competitive
    advantage. Test-drive a Thawte SSL certificate; our easy online guide
    will show you how.
    
    http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten04
    
    ----
    
    Data Classification
    
    One of the biggest problems in security today is that business managers
    and security administrators do not have a good idea of how much their
    organization's proprietary data is worth.  Consider the example of a
    company's client details or schematics for a new product.  How much money
    should be spent to protect it?  Who should access it?  If this information
    is leaked to competitors, how much impact would it have on the business?
    If you aren't asking these types of questions, you should be.
    
    One of the first steps in risk management in any organization is
    identifying the assets.  Later, a value is assigned to each asset and
    known risks are either accepted, transferred, or mitigated.  Determining
    the value of an organization's information can very easily become
    infinitely complex.
    
    A technique commonly used to assist with the valuation of information is
    data classification.  The concept involves assigning a label and in some
    cases a classification to a piece of information, or a document.  For
    example, documents in any government agency will be assigned labels such
    as unclassified, classified, secret, or top secret.  Sometimes labeling is
    more granular including labels such as unclassified but sensitive, or
    internal.  Most governments implement this in slightly different ways.  A
    security classification describes who the information is intended for.
    For example, a budgeting document could be labeled classified and only
    intended for the finance and accounting departments.  This means that the
    document's label is classified and the classification is finance and
    accounting.  In theory, only those individuals in the finance and
    accounting departments with classified clearance should be able to access
    that particular document.
    
    Assigning labels to information gives security administrators a logical
    way to create a protection strategy.  Appropriately applying security
    controls is easier if similar data is held in similar places.  Returning
    to the budgeting document example: because it is classified and intended
    only for finance or accounting, it should be stored only on a confidential
    accounting or finance data store/server.  It is not always necessary to
    have separate servers for each label.  Segmentation can be done just as
    easily by assigning group permissions to specific directories on a single
    server.
    
    Data classification allows managers to more easily determine the type and
    quantity of information used by an organization. Also, it can simplify the
    security administrator's role of providing consistent access control
    across all information used.
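The label-plus-classification access rule the column describes, as an added example (not from the newsletter): a subject may read a document only when cleared to its label and belonging to one of its intended departments, and each label/department pair maps to its own group-owned directory on one server. The level ordering, the department names, the sample documents and staff, and the storage_path layout are all assumptions.

```python
from dataclasses import dataclass

# Sensitivity labels, lowest to highest. Names come from the column; placing
# "internal" between unclassified and classified is an assumption.
LEVELS = ("unclassified", "internal", "classified", "secret", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass(frozen=True)
class Label:
    """Label (sensitivity level) plus classification (intended departments)."""
    level: str
    departments: frozenset = frozenset()  # empty: no departmental restriction

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown label {self.level!r}")

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str          # highest label this person is cleared for
    departments: frozenset  # departments the person belongs to

def can_read(subject: Subject, doc: Label) -> bool:
    """Read is allowed only if clearance covers the document's label AND the
    subject is in a department the document is intended for; a document with
    no departmental classification is open to anyone cleared to its level."""
    if RANK[subject.clearance] < RANK[doc.level]:
        return False
    return not doc.departments or bool(subject.departments & doc.departments)

def readable(subject: Subject, docs: dict) -> list:
    """Sorted names of the documents in `docs` the subject may read."""
    return sorted(n for n, label in docs.items() if can_read(subject, label))

def storage_path(doc: Label, root: str = "/srv/data") -> str:
    """Directory for the document when one server is segmented by label and
    department (a subtree per label, a group-owned subdirectory per set)."""
    depts = "-".join(sorted(doc.departments)) or "all"
    return f"{root}/{doc.level.replace(' ', '-')}/{depts}"

# Constructed sample data mirroring the column's budgeting-document example.
DOCS = {
    "budget-2004.xls": Label("classified", frozenset({"finance", "accounting"})),
    "product-schematics.dwg": Label("secret", frozenset({"engineering"})),
    "staff-handbook.pdf": Label("internal"),
    "cafeteria-menu.txt": Label("unclassified"),
}
STAFF = {
    "alice": Subject("alice", "classified", frozenset({"finance"})),
    "bob": Subject("bob", "top secret", frozenset({"engineering"})),
    "carol": Subject("carol", "unclassified", frozenset({"accounting"})),
}
```

Note that bob, although cleared to top secret, cannot read the budget: clearance level alone is not enough without the departmental classification.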
    
    Until next time, cheers!
    Benjamin D. Thomas
    ben@private
    
    ----
    
    Guardian Digital Launches Next Generation Internet
    Defense & Detection System
    
    Guardian Digital has announced the first fully open source system designed
    to provide both intrusion detection and prevention functions. Guardian
    Digital Internet Defense & Detection System (IDDS) leverages best-in-class
    open source applications to protect networks and hosts using a unique
    multi-layered approach coupled with the security expertise and ongoing
    security vigilance provided by Guardian Digital.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-163.html
    
    --------------------------------------------------------------------
    
    Interview with Siem Korteweg: System Configuration Collector
    
    In this interview we learn how the System Configuration Collector (SCC)
    project began, how the software works, why Siem chose to make it open
    source, and information on future developments.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-162.html
    
    --------------------------------------------------------------------
    
    >> Internet Productivity Suite:  Open Source Security <<
    
    Trust Internet Productivity Suite's open source architecture to give you
    the best security and productivity applications available. Collaborating
    with thousands of developers, Guardian Digital security engineers
    implement the most technologically advanced ideas and methods into their
    design.
    
    
    http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10
    
    
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    
    +---------------------------------+
    |  Distribution: Debian           | ----------------------------//
    +---------------------------------+
    
     4/17/2004 - cvs
       Multiple vulnerabilities
    
       Patch fixes bugs in both the server and the client which allow the
       creation of arbitrary files.
       http://www.linuxsecurity.com/advisories/debian_advisory-4243.html
    
     4/17/2004 - neon
       Format string vulnerability
    
       These vulnerabilities could be exploited by a malicious WebDAV server
       to execute arbitrary code with libneon's privileges.
       http://www.linuxsecurity.com/advisories/debian_advisory-4244.html
    
     4/19/2004 - perl
       Information leak vulnerabilities
    
       DSA 431-1 incorporated a partial fix for this problem.  This
       advisory includes a more complete fix which corrects some
       additional cases.
       http://www.linuxsecurity.com/advisories/debian_advisory-4245.html
    
     4/19/2004 - logcheck
       Insecure temporary directory
    
       This bug may be exploited to write or read arbitrary directories
       to which the user has access.
       http://www.linuxsecurity.com/advisories/debian_advisory-4246.html
    
     4/19/2004 - kernel
       2.4.17 Multiple vulnerabilities
    
       This patch takes care of multiple kernel vulnerabilities,
       specifically for kernel 2.4.17 on the PowerPC/apus and S/390
       architectures.
       http://www.linuxsecurity.com/advisories/debian_advisory-4247.html
    
     4/19/2004 - kernel
       2.4.19 Multiple vulnerabilities
    
       Several serious problems have been discovered in the Linux kernel.
       This update takes care of Linux 2.4.17 for the MIPS architecture.
       http://www.linuxsecurity.com/advisories/debian_advisory-4248.html
    
     4/19/2004 - zope
       Arbitrary code execution vulnerability
    
       A flaw in the security settings of ZCatalog allows anonymous users
       to call arbitrary methods of catalog indexes.  The vulnerability
       also allows untrusted code to do the same.
       http://www.linuxsecurity.com/advisories/debian_advisory-4249.html
    
     4/19/2004 - iproute
       Denial of service vulnerability
    
       Herbert Xu reported that local users could cause a denial of
       service against iproute, a set of tools for controlling networking
       in Linux kernels.
       http://www.linuxsecurity.com/advisories/debian_advisory-4250.html
    
     4/21/2004 - xchat
       Buffer overflow vulnerability
    
       This bug allows an attacker to execute arbitrary code on the
       users' machine.
       http://www.linuxsecurity.com/advisories/debian_advisory-4263.html
    
     4/22/2004 - ident2
       Buffer overflow vulnerability
    
       This vulnerability could be exploited by a remote attacker to
       execute arbitrary code with the privileges of the ident2 daemon
       (by default, the "identd" user).
       http://www.linuxsecurity.com/advisories/debian_advisory-4269.html
    
    
    +---------------------------------+
    |  Distribution: Fedora           | ----------------------------//
    +---------------------------------+
    
     4/21/2004 - utempter
       Improper directory traversal vulnerability
    
       An updated utempter package that fixes a potential symlink
       vulnerability is now available.
       http://www.linuxsecurity.com/advisories/fedora_advisory-4265.html
    
    
    +---------------------------------+
    |  Distribution: Gentoo           | ----------------------------//
    +---------------------------------+
    
     4/19/2004 - cadaver
       Multiple format string vulnerabilities
    
       There are multiple format string vulnerabilities in the neon
       library used in cadaver, possibly leading to execution of
       arbitrary code.
       http://www.linuxsecurity.com/advisories/gentoo_advisory-4251.html
    
     4/19/2004 - XChat
       Stack overflow vulnerability
    
       XChat is vulnerable to a stack overflow that may allow a remote
       attacker to run arbitrary code.
       http://www.linuxsecurity.com/advisories/gentoo_advisory-4252.html
    
     4/19/2004 - monit
       Multiple vulnerabilities
    
       Two new vulnerabilities have been found in the HTTP interface of
       monit, possibly leading to denial of service or execution of
       arbitrary code.
       http://www.linuxsecurity.com/advisories/gentoo_advisory-4253.html
    
    
    +---------------------------------+
    |  Distribution: Mandrake         | ----------------------------//
    +---------------------------------+
    
     4/19/2004 - utempter
       Multiple vulnerabilities
    
       Incorrect path validation and denial of service vulnerabilities
       are patched here.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-4257.html
    
     4/20/2004 - libneon
       Format string vulnerabilities
    
       A number of various format string vulnerabilities were discovered
       in the error output handling of Neon.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-4259.html
    
     4/20/2004 - xine-ui
       Temporary file vulnerability

       This problem could allow local attackers to overwrite arbitrary
       files with the privileges of the user invoking the script.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-4260.html
    
     4/20/2004 - MySQL
       Temporary file vulnerabilities
    
       An attacker could create symbolic links in /tmp that could allow
       for overwriting of files with the privileges of the user running
       the scripts.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-4261.html
    
     4/20/2004 - samba
       Privilege escalation vulnerability
    
       A user can use smbmnt along with a remote suid program to gain
       root privileges remotely.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-4262.html
    
    
     4/22/2004 - utempter
       Update to patch MDKSA-2004:031
    
       This patch corrects some small problems with the original utempter
       patch, released April 19th.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-4270.html
    
    
     4/22/2004 - xchat
       Improper execution vulnerability
    
       Successful exploitation could lead to arbitrary code execution as
       the user running XChat.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-4271.html
    
    
    +---------------------------------+
    |  Distribution: NetBSD           | ----------------------------//
    +---------------------------------+
    
     4/21/2004 - OpenSSL
       Denial of service vulnerabilities
    
       This patch fixes two separate Denial of Service vulnerabilities.
       http://www.linuxsecurity.com/advisories/netbsd_advisory-4267.html
    
     4/21/2004 - tcp
       Denial of service vulnerability
    
       Patch modifies the TCP/IP stack to minimize the probability of a
       disconnection or data injection attack, even without using IPSec.
       http://www.linuxsecurity.com/advisories/netbsd_advisory-4268.html
    
    
    +---------------------------------+
    |  Distribution: Openwall         | ----------------------------//
    +---------------------------------+
    
     4/19/2004 - kernel
       Multiple vulnerabilities
    
       Descriptions and links for the newest kernel patches.
       http://www.linuxsecurity.com/advisories/openwall_advisory-4256.html
    
    
    +---------------------------------+
    |  Distribution: Red Hat          | ----------------------------//
    +---------------------------------+
    
     4/21/2004 - kernel
       Multiple vulnerabilities
    
       Updated kernel packages that fix several minor security
       vulnerabilities are now available.
       http://www.linuxsecurity.com/advisories/redhat_advisory-4266.html
    
     4/22/2004 - kernel
       Buffer overflow vulnerability
    
       Updated kernel packages that fix a security vulnerability which
       may allow local users to gain root privileges are now available.
       http://www.linuxsecurity.com/advisories/redhat_advisory-4272.html
    
     4/22/2004 - IA64 kernel
       Multiple vulnerabilities
    
       Updated IA64 kernel packages fix a variety of security
       vulnerabilities.
       http://www.linuxsecurity.com/advisories/redhat_advisory-4273.html
    
     4/22/2004 - XFree86
       Denial of service vulnerability
    
       Flaws in XFree86 4.1.0 allow local or remote attackers who are
       able to connect to the X server to cause a denial of service.
       http://www.linuxsecurity.com/advisories/redhat_advisory-4274.html
    
    
    +---------------------------------+
    |  Distribution: Slackware        | ----------------------------//
    +---------------------------------+
    
     4/19/2004 - tcpdump
       Denial of service vulnerability
    
       Upgraded tcpdump packages are available for Slackware 8.1, 9.0,
       9.1, and -current to fix denial-of-service issues.
       http://www.linuxsecurity.com/advisories/slackware_advisory-4254.html
    
     4/19/2004 - cvs
       Arbitrary file creation vulnerabilities
    
       Two separate cvs vulnerabilities, one for the client and one for
       the server, allow the creation of files at arbitrary paths.
       http://www.linuxsecurity.com/advisories/slackware_advisory-4255.html
    
     4/20/2004 - utempter
       Insecure symlink vulnerability
    
       Steve Grubb has identified an issue with utempter-0.5.2 where
       under certain circumstances an attacker could cause it to
       overwrite files through a symlink.
       http://www.linuxsecurity.com/advisories/slackware_advisory-4258.html
    
     4/21/2004 - xine
       Insecure temporary file vulnerability
    
       This release fixes a security problem where opening a malicious
       MRL could write to system (or other) files.
       http://www.linuxsecurity.com/advisories/slackware_advisory-4264.html
    
    
    +---------------------------------+
    |  Distribution: Trustix          | ----------------------------//
    +---------------------------------+
    
     4/16/2004 - ppp/squid
       ACL escape vulnerability
    
       The PPP fix is a simple bugfix. The Squid fix involves the ability
       to craft a URL to be ignored by Squid's ACLs.
       http://www.linuxsecurity.com/advisories/trustix_advisory-4241.html
    
     4/16/2004 - kernel
       Multiple vulnerabilities
    
       This patch fixes a variety of kernel security holes, some
       filesystem related.
       http://www.linuxsecurity.com/advisories/trustix_advisory-4242.html
    
     4/22/2004 - kernel
       Integer overflow vulnerability
    
       A successful exploit could lead to full superuser privileges.
       http://www.linuxsecurity.com/advisories/trustix_advisory-4275.html
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-request@private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    



    This archive was generated by hypermail 2b30 : Mon Apr 26 2004 - 02:21:54 PDT