[ISN] Linux Advisory Watch - July 23rd 2004

From: InfoSec News (isn@private)
Date: Mon Jul 26 2004 - 03:28:53 PDT

|  LinuxSecurity.com                         Weekly Newsletter        |
|  July 23, 2004                           Volume 5, Number 29a       |

  Editors:      Dave Wreski                     Benjamin Thomas
                dave@private          ben@private

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each

This week, advisories were released for MMDF, Mozilla, kernel, php4,
webmin, samba, ethereal, l2tpd, mailman, httpd, libxml2, wv, php, Unreal,
Opera, mod_ssl and freeswan. The distributors include SCO Group,
Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, Slackware and Suse.



Creating New Accounts

Give each user account only the privileges the task actually requires.
If you give your secretary, or another general user, an account, you
may want them to have access only to a word processor or drawing
program, and be unable to delete data that is not theirs.

Several good rules of thumb when allowing other people legitimate access
to your Linux machine:

- Limit the access privileges given to new users.
- Be aware of when and where they log in from, or should be logging
  in from.
- Make sure to remove inactive accounts.
- The use of the same user-ID on all computers and networks is
  advisable to ease account maintenance, as well as permit easier
  analysis of log data (but I'm sure someone will dispute this).
  However, it's practically essential if using NFS. There are several
  other protocols that use UIDs for local and remote access as well.
- The creation of group user-IDs should be absolutely prohibited.
  User accounts also provide accountability, and this is not possible
  with group accounts.
- Be sure shadow passwords are enabled. Shadow passwords are a method
  for storing the users' actual password hashes in a root-owned file
  (/etc/shadow) that is not readable by normal users, unlike the
  world-readable /etc/passwd. This protects the hashes from being read
  and cracked with dictionary attacks. Most (if not all) current
  distributions already use shadow passwords.
- Regularly audit user accounts for invalid or unused accounts,
  expired accounts, etc.
- Check for repeated login failures. The files in /var/log are an
  invaluable resource for tracking potential security problems.
- Be sure to enable quotas on machines with many users, to prevent
  denial of service attacks involving filling disk partitions, or
  appending exploits to group-writable files.
- Disable group accounts, and unused system accounts, such as sys
  or uucp. These accounts should be locked, and given non-functional
- Many local user accounts that are used in security compromises are
  ones that have not been used in months or years. Since no one is
  using them they provide the ideal attack vehicle.
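The checks in the list above can be scripted. The following is an added
example, not part of the original tip, that runs four of them (shared
UIDs, empty password fields, unlocked system accounts with a real shell,
and repeated login failures) against constructed /etc/passwd, /etc/shadow
and sshd log samples so it works offline. The sample contents, the
temporary file names and the failure threshold are assumptions; on a
real host, run it as root against /etc/passwd, /etc/shadow and
/var/log/auth.log (or /var/log/secure).

```shell
#!/bin/sh
# Added example (assumed data, not from a real system): account-hygiene
# checks written as small awk filters over passwd, shadow and auth logs.

WORK=$(mktemp -d)
PASSWD_FILE="$WORK/passwd"
SHADOW_FILE="$WORK/shadow"
AUTH_LOG="$WORK/auth.log"

# Constructed passwd: 'shared' reuses bob's UID 1001, the kind of
# group/shared account the tip says to prohibit.
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sys:x:3:3:sys:/dev:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
shared:x:1001:1001:Shared:/home/shared:/bin/bash
EOF

# Constructed shadow: hashes are placeholders. 'sys' is locked (*),
# 'uucp' still carries a usable hash, 'bob' has an empty password field.
cat > "$SHADOW_FILE" <<'EOF'
root:$6$saltroot$placeholderhash:19500:0:99999:7:::
sys:*:19000:0:99999:7:::
uucp:$6$saltuucp$placeholderhash:18000:0:99999:7:::
alice:$6$saltalice$placeholderhash:19500:0:99999:7:::
bob::19500:0:99999:7:::
shared:$6$saltshared$placeholderhash:19500:0:99999:7:::
EOF

# Constructed sshd lines in syslog format: three failures from 10.0.0.5.
cat > "$AUTH_LOG" <<'EOF'
Jul 23 01:02:03 host sshd[4101]: Failed password for invalid user admin from 10.0.0.5 port 40210 ssh2
Jul 23 01:02:05 host sshd[4101]: Failed password for invalid user admin from 10.0.0.5 port 40210 ssh2
Jul 23 01:02:08 host sshd[4103]: Failed password for root from 10.0.0.5 port 40222 ssh2
Jul 23 01:10:44 host sshd[4190]: Failed password for alice from 192.0.2.7 port 51002 ssh2
Jul 23 01:10:50 host sshd[4190]: Accepted password for alice from 192.0.2.7 port 51002 ssh2
EOF

# UIDs shared by more than one login name (shared/group accounts):
# prints "UID:name1 name2".
duplicate_uids() {
    awk -F: '{ seen[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in seen) if (seen[u] > 1) print u ":" substr(names[u], 2) }' "$1"
}

# Accounts whose shadow password field is empty (login without a password).
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# System accounts (UID < 1000, not root) that still have a usable hash
# and a real shell: candidates for usermod -L plus a nologin shell.
# Arguments: passwd file, shadow file (awk reads shadow first).
unlocked_system_accounts() {
    awk -F: 'NR == FNR { if ($2 != "" && $2 !~ /^[*!]/) usable[$1] = 1; next }
             $3 + 0 < 1000 && $1 != "root" && ($1 in usable) && $7 !~ /(false|nologin)$/ { print $1 }' \
        "$2" "$1"
}

# Source addresses with at least $2 "Failed password" events in log $1:
# prints "address count".
repeated_failures() {
    awk -v limit="$2" '/Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
             fails[src]++ }
         END { for (s in fails) if (fails[s] >= limit) print s, fails[s] }' "$1"
}

duplicate_uids "$PASSWD_FILE"
empty_passwords "$SHADOW_FILE"
unlocked_system_accounts "$PASSWD_FILE" "$SHADOW_FILE"
repeated_failures "$AUTH_LOG" 3
```

On the sample data this reports UID 1001 as shared by bob and shared,
bob as having no password, uucp as an unlocked system account with a
working shell, and 10.0.0.5 as the source of three failed logins. The
inactivity check is deliberately not derived from /etc/shadow, whose
third field is the last password change rather than the last login; use
lastlog -b DAYS for accounts that have not logged in for DAYS days.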

Security Tip Written by Dave Wreski (dave@private)
Additional tips are available at the following URL:


Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian
Digital, Inc. and respected author of various hardened security and Linux
publications, to talk about how Guardian Digital is changing the face of
IT security today. Guardian Digital is perhaps best known for their
hardened Linux solution EnGarde Secure Linux, touted as the premier
secure, open-source platform for its comprehensive array of general
purpose services, such as web, FTP, email, DNS, IDS, routing, VPN,
firewalling, and much more.



Catching up with Wietse Venema, creator of Postfix and TCP Wrapper

Duane Dunston speaks at length with Wietse Venema on his current research
projects at the Thomas J. Watson Research Center, including his forensics
efforts with The Coroner's Toolkit. Wietse Venema is best known for the
software TCP Wrapper, which is still widely used today and is included
with almost all unix systems.  Wietse is also the author of the Postfix
mail system and the co-author of the very cool suite of utilities called
The Coroner's Toolkit or "TCT".



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: SCO Group        | ----------------------------//

 7/22/2004 - MMDF
   Multiple vulnerabilities

   This patch addresses many buffer overflows and cuts down sharply
   on unnecessary privilege.

 7/22/2004 - Mozilla
   Multiple vulnerabilities

   This patch resolves a large number of Mozilla vulnerabilities.

|  Distribution: Conectiva        | ----------------------------//

 7/16/2004 - kernel
   Multiple vulnerabilities

   This patch addresses a large number of kernel vulnerabilities at

 7/16/2004 - php4
   Multiple vulnerabilities

   This patch resolves two vulnerabilities, each of which can cause
   the execution of arbitrary code.

 7/17/2004 - webmin
   ACL bypass vulnerability

   A vulnerability in webmin that would allow unauthenticated users
   to obtain read access to a module's configuration.

 7/22/2004 - samba
   Buffer overflow vulnerabilities

   This patch addresses several buffer overruns within samba.

|  Distribution: Debian           | ----------------------------//

 7/22/2004 - ethereal
   Denial of service vulnerabilities

   Several denial of service vulnerabilities were discovered in
   ethereal, one of which could be exploited by a remote attacker to
   crash ethereal with an invalid SNMP packet.

 7/22/2004 - netkit-telnet-ssl
   Format string vulnerability

   Vulnerability in netkit-telnet-ssl could potentially allow a
   remote attacker to cause the execution of arbitrary code with the
   privileges of the telnet daemon.

 7/22/2004 - l2tpd
   Buffer overflow vulnerability

   By exploting this, a remote attacker could potentially cause
   arbitrary code to be executed by transmitting a specially crafted

 7/22/2004 - php4
   Multiple vulnerabilities

   Patch fixes both a vulnerability to XSS (Cross Site Scripting) and
   execution of arbitrary local code.

 7/22/2004 - mailman
   Password leak vulnerability

   A flaw in Mailman 2.1.* allows a remote attacker to retrieve the
   mailman password of any subscriber by sending a carefully crafted
   email request to the mailman server.

|  Distribution: Fedora           | ----------------------------//

 7/16/2004 - ethereal
   Denial of service vulnerabilities

   Patches resolve three different ways to crash ethereal.

 7/22/2004 - httpd
   Multiple vulnerabilities

   This patch fixes a remotely triggerable memory leak and a buffer
   overflow vulnerability.

 7/22/2004 - libxml2
   Buffer overflow vulnerability

   Updated libxml2 packages that fix an overflow when parsing remote
   resources are now available.

|  Distribution: Gentoo           | ----------------------------//

 7/16/2004 - wv
   Buffer overflow vulnerability

   A buffer overflow vulnerability exists in the wv library that can
   allow an attacker to execute arbitrary code with the user's

 7/16/2004 - kernel
   Denial of service vulnerability

   By sending a malformed TCP packet, an attacker can hang a machine
   running IPTables.

 7/16/2004 - php
   Multiple vulnerabilities

   Multiple security vulnerabilities, potentially allowing remote
   code execution, were found and fixed in PHP.

 7/22/2004 - Unreal Tournament
   Buffer overflow vulnerability

   Game servers based on the Unreal engine are vulnerable to remote
   code execution through malformed 'secure' queries.

 7/22/2004 - Opera
   Multiple spoofing vulnerabilities

   Opera contains three vulnerabilities, allowing an attacker to
   impersonate legitimate websites with URI obfuscation or to spoof
   websites with frame injection.

 7/22/2004 - kernel
   Multiple vulnerabilities

   This patch addresses multiple DoS and permission vulnerabilities

 7/22/2004 - l2tpd
   Buffer overflow vulnerability

   A buffer overflow in l2tpd could potentially lead to remote code
   execution; it is not yet known whether the bug is exploitable.

 7/22/2004 - mod_ssl
   Format string vulnerability

   A bug in mod_ssl may allow a remote attacker to execute arbitrary
   code when Apache is configured to use mod_ssl and mod_proxy.

|  Distribution: Mandrake         | ----------------------------//

 7/16/2004 - php
   Multiple vulnerabilities

   This patch resolves an improper memory_limit trigger as well as a
   possible XSS issue.

 7/16/2004 - ipsec-tools
   Multiple vulnerabilities

   This patch fixes both a Denial of Service attack and an ACL

 7/16/2004 - freeswan
   Multiple vulnerabilities

   This patch resolves a DN impersonation attack as well as a denial
   of service.

|  Distribution: Red Hat          | ----------------------------//

 7/22/2004 - php
   Multiple vulnerabilities

   Patch resolves a memory_limit bug that allows execution of arbitrary
   code and a strip_tags bug that allows XSS (Cross Site Scripting).

 7/22/2004 - samba
   Buffer overflow vulnerabilities

   Updated samba packages that fix buffer overflows, as well as other
   various bugs, are now available.

|  Distribution: Slackware        | ----------------------------//

 7/22/2004 - php
   Multiple vulnerabilities

   This patch resolves two bugs that could potentially allow XSS
   (Cross-Site Scripting) and the execution of arbitrary code.

|  Distribution: Suse             | ----------------------------//

 7/16/2004 - php4/mod_php4
   Multiple vulnerabilities

   Fixes two vulnerabilities, one that leads to direct code
   execution, and the other a possible XSS.

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@private
         with "unsubscribe" in the subject of the message.

Help InfoSec News with a donation: http://www.c4i.org/donation.html

This archive was generated by hypermail 2.1.3 : Mon Jul 26 2004 - 05:33:49 PDT