[ISN] Linux Advisory Watch - May 7th 2004

From: InfoSec News (isn@private)
Date: Sun May 09 2004 - 23:49:15 PDT

    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  May 7th, 2004                            Volume 5, Number 19a |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                Benjamin Thomas
                   dave@private     ben@private
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for mc, libpng, LHA, httpd, and rsync.
    The distributors include Debian, Mandrake, Red Hat, and Trustix.
    
    ----
    
    >> Certify your Software Integrity <<
    
    As a software developer you know that the product you make available on
    the Internet can be tampered with if it is not secured. Our Free Guide
    will show you how to securely distribute your code over the Internet and
    how these certificates operate with different software platforms:
    
    Download a guide to learn more:
    http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawten06
    
    ----
    
    Security Benefit
    
    In today's business world, there is an ever-increasing reliance on
    information technology.  With this, businesses are discovering new ways to
    produce products and offer services with greater efficiency. New business
    opportunities are created by the production of digital products and
    services.  However, with every business opportunity comes increased risk.
    IT systems are now a huge target.  If a business is not properly prepared,
    a single system failure could result in a catastrophic outcome.  Security
    is greatly important and a necessary part of keeping IT systems in
    operation.
    
    Traditionally, security has been viewed as a 'badge and gun' operation.
    The most important part is protecting the confidentiality, integrity, and
    availability of a system. In the process of improvement, security
    practitioners increase the number of firewall rules, increase password
    complexity, and impose additional limitations on each user's ability to
    access the information they need to conduct daily business.  How do
    non-security types react to this?  Of course, they don't like it!
    Security is not seen as a business benefit, but a hindrance. Rather than
    supporting business functions, it is making it more difficult to do even
    the simplest tasks.  Sadly, increasing a security budget may be viewed as
    increasing the difficulty of conducting daily business.
    
    Today, security is changing.  Managers are starting to realize that
    security only exists to support business.  If the business did not exist,
    the security department protecting it wouldn't exist.  As a security
    manager, it is important to deliver value to the business.  This can be
    done a number of ways.  First, create a security awareness program that
    educates others on the importance of protecting information.  Next,
    choose only controls that are in line with and appropriate for the
    information they protect.  For example, military-grade security may not be appropriate
    for internal employee manuals.  However, financial documents may require
    the tightest security.  Secure appropriately!  Finally, metrics are
    important.  Report to superiors the effectiveness of current security
    controls. Report the number of incidents and types from least significant
    to most.  Demonstrate with numbers how the current security is protecting
    the information assets.  How many times was your network scanned in the
    last month?  How many connections did the firewall reject/drop?  How much
    spam did the filters keep out of inboxes?  Good security goes unnoticed
    and ignored.  It is important to remind management how well you are doing!
    
    Until next time, cheers!
    Benjamin D. Thomas
    ben@private
    
    ----
    
    Guardian Digital Launches Next Generation Internet
    Defense & Detection System
    
    Guardian Digital has announced the first fully open source system designed
    to provide both intrusion detection and prevention functions. Guardian
    Digital Internet Defense & Detection System (IDDS) leverages best-in-class
    open source applications to protect networks and hosts using a unique
    multi-layered approach coupled with the security expertise and ongoing
    security vigilance provided by Guardian Digital.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-163.html
    
    --------------------------------------------------------------------
    
    Interview with Siem Korteweg: System Configuration Collector
    
    In this interview we learn how the System Configuration Collector (SCC)
    project began, how the software works, why Siem chose to make it open
    source, and information on future developments.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-162.html
    
    --------------------------------------------------------------------
    
    >> Internet Productivity Suite:  Open Source Security <<
    Trust Internet Productivity Suite's open source architecture to give you
    the best security and productivity applications available. Collaborating
    with thousands of developers, Guardian Digital security engineers
    implement the most technologically advanced ideas and methods into their
    design.
    
    http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10
    
    
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    
    +---------------------------------+
    |  Distribution: Debian           | ----------------------------//
    +---------------------------------+
    
     4/30/2004 - libpng, libpng3
       Out of bounds access vulnerability
    
       This problem could cause the program to crash if a defective or
       intentionally prepared PNG image file is handled by libpng.
       http://www.linuxsecurity.com/advisories/debian_advisory-4292.html
    
    
    +---------------------------------+
    |  Distribution: Mandrake         | ----------------------------//
    +---------------------------------+
    
     4/30/2004 - mc
       Multiple vulnerabilities
    
       Several vulnerabilities in Midnight Commander were found by Jakub
       Jelinek.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-4296.html
    
     4/30/2004 - libpng
       Out of bounds access vulnerability
    
       This bug could potentially lead to a DoS (Denial of Service)
       condition in a daemon that uses libpng to process PNG images.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-4297.html
    
    
    +---------------------------------+
    |  Distribution: Red Hat          | ----------------------------//
    +---------------------------------+
    
     4/30/2004 - X-Chat
       Buffer overflow vulnerability
    
       An updated X-Chat package that fixes a vulnerability which could be
       exploited by a malicious Socks-5 proxy is now available.
       http://www.linuxsecurity.com/advisories/redhat_advisory-4293.html
    
     4/30/2004 - LHA
       Multiple vulnerabilities
    
       Ulf Harnhammar discovered two stack buffer overflows and two
       directory traversal flaws in LHA.
       http://www.linuxsecurity.com/advisories/redhat_advisory-4294.html
    
     4/30/2004 - httpd
       Denial of service vulnerability
    
       Updated httpd packages are now available that fix a denial of
       service vulnerability in mod_ssl and include various other bug
       fixes.
       http://www.linuxsecurity.com/advisories/redhat_advisory-4295.html
    
    
    +---------------------------------+
    |  Distribution: Trustix          | ----------------------------//
    +---------------------------------+
    
     4/30/2004 - rsync
       Path escape vulnerability
    
       Please either enable chroot or upgrade to 2.6.1.
       http://www.linuxsecurity.com/advisories/trustix_advisory-4298.html
    
     4/30/2004 - libpng, proftpd
       Multiple vulnerabilities
    
       Patches for a DoS using libpng and an ACL escape for proftpd.
       http://www.linuxsecurity.com/advisories/trustix_advisory-4299.html
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-request@private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    



    This archive was generated by hypermail 2b30 : Mon May 10 2004 - 02:17:23 PDT