+---------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | June 18, 2004 Volume 5, Number 25a | +---------------------------------------------------------------+ Editors: Dave Wreski Benjamin Thomas dave@private ben@private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes point This week, advisories were released for cvs, krb5, kernel, subversion, ethereal, squirrelmail, gallery, Webmin, squid, aspell and tripwire The distributors include Debian, Fedora, Gentoo, Red Hat, Slackware, Suse, and Trustix. ----- >> Internet Productivity Suite: Open Source Security << Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=3Dgdn10 ----- Open Source Vulnerability Database The open source community has long been fueled by the drive and inspiration of those wishing to produce software for the good of everyone. Open source allows its users to achieve things that would have otherwise not been possible. Often, proprietary software is too expensive, not flexible, and full of bugs. Users of proprietary software work at the mercy of their vendors with little to no influence on features or functionality. Those organizations who demand security often have trouble getting proprietary software vendors to comply. Open source is a great solution for those wishing to have complete control including over security, flexibility, and functionality. Open source thrives on those wishing to share their work for the benefit of the community. To have a successful open source project, it must be backed by individuals who are ultimately committed to the project. Contributors must be willing donate time and money for the advancement of the cause. Often, open source projects are not properly funded until they are already well established. Recently, I have had the great pleasure of talking with Tyler Owen, a contributor to the Open Source Vulnerability Database project. He, and others associated with the project have shown a lot of initiative. Although it has been slow getting off the ground, there has been a renewed commitment to provide the open source community with a database that indexes security vulnerabilities. Rather than individual open source users being burdened with keep track of them, OSVDB is striving for it to be a more collaborative process so that work is not duplicated and everyone can benefit. Full Interview Text Available: http://www.linuxsecurity.com/feature_stories/feature_story-156.html Until next time, cheers! Benjamin D. Thomas ben@private ----- Interview with Brian Wotring, Lead Developer for the Osiris Project Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc.=C3=8AHe is also the founder of knowngoods.org, an online database of known good file signatures.=C3=8A Bri= an is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals. http://www.linuxsecurity.com/feature_stories/feature_story-164.html -------------------------------------------------------------------- Guardian Digital Launches Next Generation Secure Mail Suite Guardian Digital, the premier open source security company, announced the availability of the next generation Secure Mail Suite, the industry's most secure open source corporate email system. This latest edition has been optimized to support the changing needs of enterprise and small business customers while continually providing protection from the latest in email security threats. http://www.linuxsecurity.com/feature_stories/feature_story-166.html -------------------------------------------------------------------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ 6/17/2004 - cvs Multiple vulnerabilities Sebastian Krahmer and Stefan Esser discovered several vulnerabilities in the CVS server during a code audit. http://www.linuxsecurity.com/advisories/debian_advisory-4483.html 6/17/2004 - krb5 Buffer overflow vulnerability This overflow only applies if aname_to_localname is enabled in the configuration (not default). http://www.linuxsecurity.com/advisories/debian_advisory-4484.html +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ 6/17/2004 - kernel 2.6.6 Security enchancement This upgrade is not specifically secuity; it fixes many kernel bugs and adds support for stack non-execution on some systems, which is important in guarding against buffer overflows. http://www.linuxsecurity.com/advisories/fedora_advisory-4478.html 6/17/2004 - cvs Multiple vulnerabilities Many vulnerabilities, discovered in a recent audit of cvs, are fixed. http://www.linuxsecurity.com/advisories/fedora_advisory-4479.html 6/17/2004 - subversion Heap overflow vulnerability If using the svnserve daemon, an unauthenticated client may be able execute arbitrary code as the daemon's user. http://www.linuxsecurity.com/advisories/fedora_advisory-4480.html 6/17/2004 - kernel 2.6.6 Denial of service vulnerability This update includes a fix for the local denial of service as described in linuxreviews.org. http://www.linuxsecurity.com/advisories/fedora_advisory-4481.html 6/17/2004 - ethereal Security patch correction These new packages fix a bug in the last errata where the actual security patch didn't get applied. http://www.linuxsecurity.com/advisories/fedora_advisory-4482.html +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ 6/17/2004 - subversion Heap overflow vulnerability Subversion is vulnerable to a remote Denial of Service that may be exploitable to execute arbitrary code http://www.linuxsecurity.com/advisories/gentoo_advisory-4470.html 6/17/2004 - squirrelmail Cross site scripting vulnerability Squirrelmail fails to properly sanitize user input, which could lead to a compromise of webmail accounts. http://www.linuxsecurity.com/advisories/gentoo_advisory-4471.html 6/17/2004 - Horde-Chora Code injection vulnerability Cross site scripting vulnerability A vulnerability in Chora allows remote code execution and file upload. http://www.linuxsecurity.com/advisories/gentoo_advisory-4472.html 6/17/2004 - gallery Privilege escalation vulnerability Vulnerability may allow an attacker to gain administrator privileges within Gallery. http://www.linuxsecurity.com/advisories/gentoo_advisory-4473.html 6/17/2004 - Horde-IMP Input validation vulnerability Privilege escalation vulnerability Horde-IMP fails to properly sanitize email messages that contain malicious HTML or script code. http://www.linuxsecurity.com/advisories/gentoo_advisory-4474.html 6/17/2004 - Webmin Multiple vulnerabilities Webmin contains two security vulnerabilities which could lead to a denial of service attack and information disclosure. http://www.linuxsecurity.com/advisories/gentoo_advisory-4475.html 6/17/2004 - squid Buffer overflow vulnerability Squid contains a bug where it fails to properly check bounds of the 'pass' variable. http://www.linuxsecurity.com/advisories/gentoo_advisory-4476.html 6/17/2004 - aspell Buffer overflow vulnerability A bug in the aspell utility word-list-compress can allow an attacker to execute arbitrary code. http://www.linuxsecurity.com/advisories/gentoo_advisory-4477.html +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ 6/17/2004 - squirrelmail Multiple vulnerabilities This patch resolves cross-site scripting and SQL injection vulnerabilities. http://www.linuxsecurity.com/advisories/redhat_advisory-4467.html 6/17/2004 - tripwire Format string vulnerability If Tripwire is configured to send reports via email, a local user could gain privileges by creating a carefully crafted file. http://www.linuxsecurity.com/advisories/redhat_advisory-4468.html 6/17/2004 - httpd,mod_ssl Buffer overflow vulnerability Format string vulnerability Updated httpd and mod_ssl packages that fix minor security issues in the Apache Web server are now available for Red Hat Enterprise Linux 2.1. http://www.linuxsecurity.com/advisories/redhat_advisory-4469.html +---------------------------------+ | Distribution: Slackware | ----------------------------// +---------------------------------+ 6/15/2004 - kernel 2.4.26 Denial of service vulnerability Patch resolves ability of local user to crash the kernel. http://www.linuxsecurity.com/advisories/slackware_advisory-4463.html +---------------------------------+ | Distribution: Suse | ----------------------------// +---------------------------------+ 6/17/2004 - kernel Denial of service vulnerability The Linux kernel is vulnerable to a local denial-of-service attack by non-privileged users. http://www.linuxsecurity.com/advisories/suse_advisory-4465.html 6/17/2004 - subversion Heap overflow vulnerability This heap overflow is exploitable even before authentication of users. http://www.linuxsecurity.com/advisories/suse_advisory-4466.html +---------------------------------+ | Distribution: Trustix | ----------------------------// +---------------------------------+ 6/17/2004 - kernel Denial of service vulnerability Stian Skjelstad discovered a bug whereby a non-privileged user can crash the kernel. http://www.linuxsecurity.com/advisories/trustix_advisory-4464.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ _________________________________________ ISN mailing list Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie! (Broke? Spend 15 minutes a day on the project!)
This archive was generated by hypermail 2b30 : Mon Jun 21 2004 - 02:54:55 PDT