[ISN] Linux Advisory Watch - June 18, 2004

From: InfoSec News (isn@private)
Date: Sun Jun 20 2004 - 23:20:16 PDT

  • Next message: Yves.Roudier@private: "[ISN] ESORICS 2004 - Call for Participation"

    |  LinuxSecurity.com                    Linux Advisory Watch    |
    |  June 18, 2004                        Volume 5, Number 25a    |
      Editors:      Dave Wreski               Benjamin Thomas
                    dave@private    ben@private
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes point
    This week, advisories were released for cvs, krb5, kernel, subversion,
    ethereal, squirrelmail, gallery, Webmin, squid, aspell and tripwire The
    distributors include Debian, Fedora, Gentoo, Red Hat, Slackware, Suse, and
    >> Internet Productivity Suite:  Open Source Security <<
    Trust Internet Productivity Suite's open source architecture to give you
    the best security and productivity applications available.  Collaborating
    with thousands of developers, Guardian Digital security engineers
    implement the most technologically advanced ideas and methods into their
    Open Source Vulnerability Database
    The open source community has long been fueled by the drive and
    inspiration of those wishing to produce software for the good of everyone.
    Open source allows its users to achieve things that would have otherwise
    not been possible. Often, proprietary software is too expensive, not
    flexible, and full of bugs. Users of proprietary software work at the
    mercy of their vendors with little to no influence on features or
    functionality. Those organizations who demand security often have trouble
    getting proprietary software vendors to comply. Open source is a great
    solution for those wishing to have complete control including over
    security, flexibility, and functionality.
    Open source thrives on those wishing to share their work for the benefit
    of the community. To have a successful open source project, it must be
    backed by individuals who are ultimately committed to the project.
    Contributors must be willing donate time and money for the advancement of
    the cause. Often, open source projects are not properly funded until they
    are already well established.
    Recently, I have had the great pleasure of talking with Tyler Owen, a
    contributor to the Open Source Vulnerability Database project. He, and
    others associated with the project have shown a lot of initiative.
    Although it has been slow getting off the ground, there has been a renewed
    commitment to provide the open source community with a database that
    indexes security vulnerabilities. Rather than individual open source users
    being burdened with keep track of them, OSVDB is striving for it to be a
    more collaborative process so that work is not duplicated and everyone can
    Full Interview Text Available:
    Until next time, cheers!
    Benjamin D. Thomas
    Interview with Brian Wotring, Lead Developer for the Osiris Project
    Brian Wotring is currently the lead developer for the Osiris project and
    president of Host Integrity, Inc.=C3=8AHe is also the founder of
    knowngoods.org, an online database of known good file signatures.=C3=8A Bri=
    is the co-author of Mac OS X Security and a long-standing member of the
    Shmoo Group, an organization of security and cryptography professionals.
    Guardian Digital Launches Next Generation Secure Mail Suite
    Guardian Digital, the premier open source security company, announced the
    availability of the next generation Secure Mail Suite, the industry's most
    secure open source corporate email system. This latest edition has been
    optimized to support the changing needs of enterprise and small business
    customers while continually providing protection from the latest in email
    security threats.
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    |  Distribution: Debian           | ----------------------------//
     6/17/2004 - cvs
       Multiple vulnerabilities
       Sebastian Krahmer and Stefan Esser discovered several
       vulnerabilities in the CVS server during a code audit.
     6/17/2004 - krb5
       Buffer overflow vulnerability
       This overflow only applies if aname_to_localname is enabled in the
       configuration (not default).
    |  Distribution: Fedora           | ----------------------------//
     6/17/2004 - kernel
       2.6.6 Security enchancement
       This upgrade is not specifically secuity; it fixes many kernel
       bugs and adds support for stack non-execution on some systems,
       which is important in guarding against buffer overflows.
     6/17/2004 - cvs
       Multiple vulnerabilities
       Many vulnerabilities, discovered in a recent audit of cvs, are
     6/17/2004 - subversion
       Heap overflow vulnerability
       If using the svnserve daemon, an unauthenticated client may be
       able execute arbitrary code as the daemon's user.
     6/17/2004 - kernel
       2.6.6 Denial of service vulnerability
       This update includes a fix for the local denial of service as
       described in linuxreviews.org.
     6/17/2004 - ethereal
       Security patch correction
       These new packages fix a bug in the last errata where the actual
       security patch didn't get applied.
    |  Distribution: Gentoo           | ----------------------------//
     6/17/2004 - subversion
       Heap overflow vulnerability
       Subversion is vulnerable to a remote Denial of Service that may be
       exploitable to execute arbitrary code
     6/17/2004 - squirrelmail
       Cross site scripting vulnerability
       Squirrelmail fails to properly sanitize user input, which could
       lead to a compromise of webmail accounts.
     6/17/2004 - Horde-Chora Code injection vulnerability
       Cross site scripting vulnerability
       A vulnerability in Chora allows remote code execution and file
     6/17/2004 - gallery
       Privilege escalation vulnerability
       Vulnerability may allow an attacker to gain administrator
       privileges within Gallery.
     6/17/2004 - Horde-IMP Input validation vulnerability
       Privilege escalation vulnerability
       Horde-IMP fails to properly sanitize email messages that contain
       malicious HTML or script code.
     6/17/2004 - Webmin
       Multiple vulnerabilities
       Webmin contains two security vulnerabilities which could lead to a
       denial of service attack and information disclosure.
     6/17/2004 - squid
       Buffer overflow vulnerability
       Squid contains a bug where it fails to properly check bounds of
       the 'pass' variable.
     6/17/2004 - aspell
       Buffer overflow vulnerability
       A bug in the aspell utility word-list-compress can allow an
       attacker to execute arbitrary code.
    |  Distribution: Red Hat          | ----------------------------//
     6/17/2004 - squirrelmail
       Multiple vulnerabilities
       This patch resolves cross-site scripting and SQL injection
     6/17/2004 - tripwire
       Format string vulnerability
       If Tripwire is configured to send reports via email, a local user
       could gain privileges by creating a carefully crafted file.
     6/17/2004 - httpd,mod_ssl Buffer overflow vulnerability
       Format string vulnerability
       Updated httpd and mod_ssl packages that fix minor security issues
       in the Apache Web server are now available for Red Hat Enterprise
       Linux 2.1.
    |  Distribution: Slackware        | ----------------------------//
     6/15/2004 - kernel
       2.4.26 Denial of service vulnerability
       Patch resolves ability of local user to crash the kernel.
    |  Distribution: Suse             | ----------------------------//
     6/17/2004 - kernel
       Denial of service vulnerability
       The Linux kernel is vulnerable to a local denial-of-service attack
       by non-privileged users.
     6/17/2004 - subversion
       Heap overflow vulnerability
       This heap overflow is exploitable even before authentication of
    |  Distribution: Trustix          | ----------------------------//
     6/17/2004 - kernel
       Denial of service vulnerability
       Stian Skjelstad discovered a bug whereby a non-privileged user can
       crash the kernel.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email vuln-newsletter-request@private
             with "unsubscribe" in the subject of the message.
    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
    (Broke? Spend 15 minutes a day on the project!)

    This archive was generated by hypermail 2b30 : Mon Jun 21 2004 - 02:54:55 PDT