+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | February 11th, 2005 Volume 6, Number 6a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@private ben@private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for python, squid, php, emacs, postgres, evolution, mailman, hztty, hwbrowser, cups, hotplug, xpdf, kdegraphics, gallery, perl, and squirrelmail. The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE. --- >> Enterprise Security for the Small Business << Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07 --- Are Your Servers Secure? By Blessen Cherian In a word, No. No machine connected to the internet is 100% secure. This doesn't mean that you are helpless. You can take measures to avoid hacks, but you cannot avoid them completely. This is like a house when the windows and doors are open then the probability of a thief coming in is high, but if the doors and windows are closed and locked the probability of being robbed is less, but still not nil. What is Information Security? For our purposes, Information Security means the methods we use to protect sensitive data from unauthorized users. Why do we need Information Security? The entire world is rapidly becoming IT enabled. Wherever you look, computer technology has revolutionized the way things operate. Some examples are airports, seaports, telecommunication industries, and TV broadcasting, all of which are thriving as a result of the use of IT. "IT is everywhere." A lot of sensitive information passes through the Internet, such as credit card data, mission critical server passwords, and important files. There is always a chance of some one viewing and/or modifying the data while it is in transmission. There are countless horror stories of what happens when an outsider gets someone's credit card or financial information. He or she can use it in any way they like and could even destroy you and your business by taking or destroying all your assets. As we all know "An ounce of prevention beats a pound of cure," so to avoid such critical situations, it is advisable to have a good security policy and security implementation. Read complete feature story: http://www.linuxsecurity.com/content/view/118211/49/ ---------------------- Getting to Know Linux Security: File Permissions Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved. Click to view video demo: http://www.linuxsecurity.com/content/view/118181/49/ --- The Tao of Network Security Monitoring: Beyond Intrusion Detection To be honest, this was one of the best books that I've read on network security. Others books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that is offers real-life technical examples, while backing them up with relevant case studies. http://www.linuxsecurity.com/content/view/118106/49/ --- Encrypting Shell Scripts Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output). http://www.linuxsecurity.com/content/view/117920/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New Python2.2 packages fix unauthorised XML-RPC access 4th, February, 2005 For the stable distribution (woody) this problem has been fixed in version 2.2.1-4.7. No other version of Python in woody is affected. http://www.linuxsecurity.com/content/view/118182 * Debian: New squid packages fix several vulnerabilities 4th, February, 2005 LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting. http://www.linuxsecurity.com/content/view/118184 * Debian: New php3 packages fix several vulnerabilities 7th, February, 2005 http://www.linuxsecurity.com/content/view/118192 * Debian: New emacs20 packages fix arbitrary code execution 8th, February, 2005 http://www.linuxsecurity.com/content/view/118207 * Debian: New PostgreSQL packages fix arbitrary library loading 4th, February, 2005 http://www.linuxsecurity.com/content/view/118186 * Debian: New xemacs21 packages fix arbitrary code execution 8th, February, 2005 http://www.linuxsecurity.com/content/view/118210 * Debian: New xview packages fix potential arbitrary code execution 9th, February, 2005 http://www.linuxsecurity.com/content/view/118222 * Debian: New evolution packages fix arbitrary code execution as root 10th, February, 2005 Max Vozeler discovered an integer overflow in a helper application inside of Evolution, a free grouware suite. A local attacker could cause the setuid root helper to execute arbitrary code with elevated privileges. http://www.linuxsecurity.com/content/view/118234 * Debian: New mailman packages fix several vulnerabilities 10th, February, 2005 http://www.linuxsecurity.com/content/view/118235 * Debian: New hztty packages fix local utmp exploit 10th, February, 2005 http://www.linuxsecurity.com/content/view/118245 +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ * Fedora Core 3 Update: system-config-printer-0.6.116.1.1-1 4th, February, 2005 http://www.linuxsecurity.com/content/view/118187 * Fedora Core 3 Update: hwbrowser-0.19-0.fc3.2 4th, February, 2005 http://www.linuxsecurity.com/content/view/118188 * Fedora Core 3 Update: python-2.3.4-13.1 4th, February, 2005 An object traversal bug was found in the Python SimpleXMLRPCServer. http://www.linuxsecurity.com/content/view/118190 * Fedora Core 3 Update: postgresql-7.4.7-1.FC3.2 7th, February, 2005 http://www.linuxsecurity.com/content/view/118202 * Fedora Core 2 Update: postgresql-7.4.7-1.FC2.2 7th, February, 2005 http://www.linuxsecurity.com/content/view/118203 * Fedora Core 2 Update: cups-1.1.20-11.11 8th, February, 2005 A problem with PDF handling was discovered by Chris Evans, and has been fixed. The Common Vulnerabilities and Exposures project (www.mitre.org) has assigned the name CAN-2004-0888 to this issue. FEDORA-2004-337 attempted to correct this but the patch was incomplete. http://www.linuxsecurity.com/content/view/118212 * Fedora Core 3 Update: cups-1.1.22-0.rc1.8.5 8th, February, 2005 A problem with PDF handling was discovered by Chris Evans, and has been fixed. The Common Vulnerabilities and Exposures project (www.mitre.org) has assigned the name CAN-2004-0888 to this issue. FEDORA-2004-337 attempted to correct this but the patch was incomplete. http://www.linuxsecurity.com/content/view/118213 * Fedora Core 2 Update: hotplug-2004_04_01-1.1 8th, February, 2005 This update fixes updfstab in the presence of multiple USB plug/unplug events. http://www.linuxsecurity.com/content/view/118214 * Fedora Core 3 Update: emacs-21.3-21.FC3 8th, February, 2005 This update fixes the CAN-2005-0100 movemail vulnerability and backports the latest bug fixes. http://www.linuxsecurity.com/content/view/118219 * Fedora Core 2 Update: xpdf-3.00-3.8 9th, February, 2005 http://www.linuxsecurity.com/content/view/118223 * Fedora Core 3 Update: xpdf-3.00-10.4 9th, February, 2005 http://www.linuxsecurity.com/content/view/118224 * Fedora Core 3 Update: kdegraphics-3.3.1-2.4 9th, February, 2005 http://www.linuxsecurity.com/content/view/118225 * Fedora Core 2 Update: kdegraphics-3.2.2-1.4 9th, February, 2005 http://www.linuxsecurity.com/content/view/118226 * Fedora Core 2 Update: gpdf-2.8.2-4.1 9th, February, 2005 http://www.linuxsecurity.com/content/view/118230 * Fedora Core 3 Update: gpdf-2.8.2-4.2 9th, February, 2005 http://www.linuxsecurity.com/content/view/118231 * Fedora Core 3 Update: mailman-2.1.5-30.fc3 10th, February, 2005 There is a critical security flaw in Mailman 2.1.5 which will allow attackers to read arbitrary files. http://www.linuxsecurity.com/content/view/118243 * Fedora Core 2 Update: mailman-2.1.5-8.fc2 10th, February, 2005 There is a critical security flaw in Mailman 2.1.5 which will allow attackers to read arbitrary files. http://www.linuxsecurity.com/content/view/118244 * Fedora Core 2 Update: mod_python-3.1.3-1.fc2.2 10th, February, 2005 Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL. http://www.linuxsecurity.com/content/view/118252 * Fedora Core 3 Update: mod_python-3.1.3-5.2 10th, February, 2005 Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL. http://www.linuxsecurity.com/content/view/118253 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: pdftohtml Vulnerabilities in included Xpdf 9th, February, 2005 pdftohtml includes vulnerable Xpdf code to handle PDF files, making it vulnerable to execution of arbitrary code upon converting a malicious PDF file. http://www.linuxsecurity.com/content/view/118221 * Gentoo: LessTif Multiple vulnerabilities in libXpm 6th, February, 2005 Multiple vulnerabilities have been discovered in libXpm, which is included in LessTif, that can potentially lead to remote code execution. http://www.linuxsecurity.com/content/view/118191 * Gentoo: PostgreSQL Local privilege escalation 7th, February, 2005 The PostgreSQL server can be tricked by a local attacker to execute arbitrary code. http://www.linuxsecurity.com/content/view/118199 * Gentoo: OpenMotif Multiple vulnerabilities in libXpm 7th, February, 2005 Multiple vulnerabilities have been discovered in libXpm, which is included in OpenMotif, that can potentially lead to remote code execution. http://www.linuxsecurity.com/content/view/118193 * Gentoo: Python Arbitrary code execution through SimpleXMLRPCServer 8th, February, 2005 Python-based XML-RPC servers may be vulnerable to remote execution of arbitrary code. http://www.linuxsecurity.com/content/view/118216 * Gentoo: Python Arbitrary code execution through SimpleXMLRPCServer 10th, February, 2005 Python-based XML-RPC servers may be vulnerable to remote execution of arbitrary code. http://www.linuxsecurity.com/content/view/118240 * Gentoo: Mailman Directory traversal vulnerability 10th, February, 2005 Mailman fails to properly sanitize input, leading to information disclosure. http://www.linuxsecurity.com/content/view/118242 * Gentoo: Gallery Cross-site scripting vulnerability 10th, February, 2005 The cross-site scripting vulnerability that Gallery 1.4.4-pl5 was intended to fix, did not actually resolve the issue. The Gallery Development Team have released version 1.4.4-pl6 to properly solve this problem. http://www.linuxsecurity.com/content/view/118251 +---------------------------------+ | Distribution: Mandrake | ----------------------------// +---------------------------------+ * Mandrake: Updated perl-DBI packages 8th, February, 2005 Javier Fernandez-Sanguino Pena disovered the perl5 DBI library created a temporary PID file in an insecure manner, which could be exploited by a malicious user to overwrite arbitrary files owned by the user executing the parts of the library. The updated packages have been patched to prevent these problems. http://www.linuxsecurity.com/content/view/118217 * Mandrake: Updated perl packages fix 8th, February, 2005 Updated perl package. http://www.linuxsecurity.com/content/view/118218 +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ * RedHat: Updated Perl packages fix security issues 7th, February, 2005 Updated Perl packages that fix several security issues are now available for Red Hat Enterprise Linux 3. http://www.linuxsecurity.com/content/view/118195 * RedHat: Updated mailman packages fix security 10th, February, 2005 Updated mailman packages that correct a mailman security issue are now available. http://www.linuxsecurity.com/content/view/118239 * RedHat: Updated kdelibs and kdebase packages correct 10th, February, 2005 Updated kdelib and kdebase packages that resolve several security issues are now available. http://www.linuxsecurity.com/content/view/118246 * RedHat: Updated mod_python package fixes security issue 10th, February, 2005 An Updated mod_python package that fixes a security issue in the publisher handler is now available. http://www.linuxsecurity.com/content/view/118247 * RedHat: Updated emacs packages fix security issue 10th, February, 2005 Updated Emacs packages that fix a string format issue are now available. http://www.linuxsecurity.com/content/view/118248 * RedHat: Updated xemacs packages fix security issue 10th, February, 2005 Updated XEmacs packages that fix a string format issue are now available. http://www.linuxsecurity.com/content/view/118249 * RedHat: Updated Squirrelmail package fixes security 10th, February, 2005 An updated Squirrelmail package that fixes several security issues is now available for Red Hat Enterprise Linux 3. http://www.linuxsecurity.com/content/view/118250 +---------------------------------+ | Distribution: SuSE | ----------------------------// +---------------------------------+ * SuSE: kernel bugfixes and SP1 merge 4th, February, 2005 Two weeks ago we released the Service Pack 1 for our SUSE Linux Enterprise Server 9 product. Due to the strict code freeze we were not able to merge all the security fixes from the last kernel update on Jan23rd (SUSE-SA:2005:003) into this kernel. http://www.linuxsecurity.com/content/view/118185 * SuSE: squid (SUSE-SA:2005:006) 10th, February, 2005 The last two squid updates from February the 1st and 10th fix several vulnerabilities. The impact of them range from remote denial-of-service over cache poisoning to possible remote command execution. http://www.linuxsecurity.com/content/view/118241 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ _________________________________________ Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Mon Feb 14 2005 - 04:51:53 PST