[ISN] Linux Advisory Watch - February 25th 2005

From: InfoSec News (isn@private)
Date: Mon Feb 28 2005 - 02:36:15 PST


+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  February 25th, 2005                         Volume 6, Number 8a    |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@private          ben@private

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for emacs, gftp, bidwatcher,
mailman, squid, mod_python, kdeedu, gamin, pcmcia, openssh,
postgresql, gimp, midnight commander, gproftpd, cyrus imap, cups,
kdelibs, xpdf, uim, cpio, and vim.  The distributors include Debian,
Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

---


VULNERABILITIES IN WEB APPLICATIONS
By Raymond Ankobia

The Internet has made the world smaller. In our routine usage we
tend to overlook that "www" really does mean "world wide web", making
virtually instant global communication possible. It has altered the
rules of marketing and retailing. An imaginative website can give the
small company as much impact and exposure as its much larger competitors.
In the electronics, books, travel and banking sectors, long-established
retail chains are increasingly under pressure from e-retailers. All this,
however, has come at a price: ever more inventive and potentially
damaging cyber crime. This paper aims to raise awareness by discussing
common vulnerabilities and mistakes in web application development. It
also considers mitigating factors, strategies and corrective measures.

The Internet has become part and parcel of the corporate agenda. But
does the risk of exposing information assets get sufficient management
attention? Extension of corporate portals for Business-to-Business (B2B)
or developments of websites for Business-to-Customer (B2C) transactions
have been largely successful. But the task of risk assessing
vulnerabilities and the threats to corporate information assets is still
avoided by many organisations. The desire to stay ahead of the competition
while minimising cost by leveraging technology means the process is driven
by pressure to achieve results. What suffers in the end is the application
development cycle; this is achieved without security in mind. Section 1
of this paper introduces the world of e-business and sets the stage for
further discussions. Section 2 looks at common vulnerabilities inherent
in web application development. Section 3 considers countermeasures and
strategies that will minimise, if not eradicate, some of the
vulnerabilities. Sections 4 and 5 draw conclusions and look at current
trends and future expectations.

The TCP/IP protocol stack, the underlying technology, is known for its lack
of security on many of its layers. Most applications written for use on the
Internet use the application layer, traditionally using HTTP on port 80
on most web servers. The HTTP protocol is stateless and does not provide
freshness mechanisms for a session between a client and server; hence,
many hackers take advantage of these inherent weaknesses. TCP/IP may be
reliable in providing delivery of Internet packets, but it does not
provide any guarantee of confidentiality or integrity, and little
identification. As emphasised in [1], Internet packets may traverse
several hosts between source and destination addresses. During their
journey they can be intercepted by third parties, who may copy, alter or
substitute them before final delivery. Failure to detect and prevent
attacks in web applications is potentially catastrophic. Attacks are
loosely grouped into two types, passive and active. Passive attackers
[6] engage in eavesdropping on, or monitoring of, transmissions. Active
attacks involve some modification of the data stream or creation of
false data streams [6].

Read Entire Article:
http://www.linuxsecurity.com/content/view/118427/49/

----------------------

Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security'
series.  The topic explored is Linux file permissions.  It offers an
easy to follow explanation of how to read permissions, and how to set
them using chmod.  This guide is intended for users new to Linux
security and is therefore very simple.  If the feedback is good, I'll
consider creating more complex guides for advanced users.  Please
let us know what you think and how these can be improved.

Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/

---

The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network
security. Other books often dive so deeply into technical discussions,
they fail to provide any relevance to network engineers/administrators
working in a corporate environment. Budgets, deadlines, and flexibility
are issues that we must all address. The Tao of Network Security
Monitoring is presented in such a way that all of these are still
relevant. One of the greatest virtues of this book is that it offers
real-life technical examples, while backing them up with relevant case
studies.

http://www.linuxsecurity.com/content/view/118106/49/

---

Encrypting Shell Scripts

Do you have scripts that contain sensitive information like
passwords and you pretty much depend on file permissions to keep
it secure?  If so, then that type of security is good provided
you keep your system secure and some user doesn't have a "ps -ef"
loop running in an attempt to capture that sensitive info (though
some applications mask passwords in "ps" output).

http://www.linuxsecurity.com/content/view/117920/49/

--------


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New emacs21 packages fix arbitrary code execution
  17th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118356


* Debian: New gftp packages fix directory traversal vulnerability
  17th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118362


* Debian: New bidwatcher packages fix format string vulnerability
  18th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118384


* Debian: New mailman packages really fix several vulnerabilities
  21st, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118391


* Debian: New squid packages fix denial of service
  23rd, February, 2005

Updated packages.

http://www.linuxsecurity.com/content/view/118411


* Debian: New mod_python packages fix information leak
  23rd, February, 2005

Updated packages.

http://www.linuxsecurity.com/content/view/118416



+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 3 Update: kdeedu-3.3.1-2.3
  17th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118361


* Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.80
  17th, February, 2005

Updated.

http://www.linuxsecurity.com/content/view/118364


* Fedora Core 3 Update: policycoreutils-1.18.1-2.9
  17th, February, 2005

Updated.

http://www.linuxsecurity.com/content/view/118365


* Fedora Core 3 Update: gamin-0.0.24-1.FC3
  18th, February, 2005

This update fixes a number of annoying bugs in gamin especially the
Desktop update problem in the GNOME environment that affected a
number of users.

http://www.linuxsecurity.com/content/view/118386


* Fedora Core 3 Update: pcmcia-cs-3.2.7-2.2
  21st, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118397


* Fedora Core 2 Update: gaim-1.1.3-1.FC2
  22nd, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118404


* Fedora Core 3 Update: gaim-1.1.3-1.FC3
  22nd, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118405


* Fedora Core 3 Update: openssh-3.9p1-8.0.1
  22nd, February, 2005

This update changes default ssh client configuration so the trusted
X11 forwarding is enabled. Untrusted X11 forwarding is not
supported by X11 clients and doesn't work with Xinerama.

http://www.linuxsecurity.com/content/view/118406


* Fedora Core 3 Update: postgresql-7.4.7-3.FC3.1
  22nd, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118407


* Fedora Core 2 Update: postgresql-7.4.7-3.FC2.1
  22nd, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118408


* Fedora Core 2 Update: squid-2.5.STABLE8-1.FC2.1
  22nd, February, 2005

This update fixes
CAN-2005-0446 Squid DoS from bad DNS response

http://www.linuxsecurity.com/content/view/118409


* Fedora Core 3 Update: squid-2.5.STABLE8-1.FC3.1
  22nd, February, 2005

This update fixes
CAN-2005-0446 Squid DoS from bad DNS response

http://www.linuxsecurity.com/content/view/118410


* Fedora Core 3 Update: gimp-help-2-0.1.0.7.0.fc3.1
  24th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118424



+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Midnight Commander Multiple vulnerabilities
  17th, February, 2005

Midnight Commander contains several format string errors, buffer
overflows and one buffer underflow leading to execution of arbitrary
code.

http://www.linuxsecurity.com/content/view/118363


* Gentoo: Squid Denial of Service through DNS responses
  18th, February, 2005

Squid contains a bug in the handling of certain DNS responses
resulting in a Denial of Service.

http://www.linuxsecurity.com/content/view/118382


* Gentoo: GProFTPD gprostats format string vulnerability
  18th, February, 2005

gprostats, distributed with GProFTPD, is vulnerable to a format
string vulnerability, potentially leading to the execution of
arbitrary code.

http://www.linuxsecurity.com/content/view/118383


* Gentoo: gFTP Directory traversal vulnerability
  19th, February, 2005

gFTP is vulnerable to directory traversal attacks, possibly leading
to the creation or overwriting of arbitrary files.

http://www.linuxsecurity.com/content/view/118388


* Gentoo: PuTTY Remote code execution
  21st, February, 2005

PuTTY was found to contain vulnerabilities that can allow a malicious
SFTP server to execute arbitrary code on unsuspecting PSCP and PSFTP
clients.

http://www.linuxsecurity.com/content/view/118395


* Gentoo: Cyrus IMAP Server Multiple overflow vulnerabilities
  23rd, February, 2005

The Cyrus IMAP Server is affected by several overflow vulnerabilities
which could potentially lead to the remote execution of arbitrary
code.

http://www.linuxsecurity.com/content/view/118417


+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

* Mandrake: Updated cups packages fix
  17th, February, 2005

Previous updates to correct integer overflow issues affecting xpdf
overlooked certain conditions when built for a 64-bit platform
(formerly CAN-2004-0888). This also affects applications like cups
that use embedded versions of xpdf. The updated packages are patched
to deal with these issues.

http://www.linuxsecurity.com/content/view/118367


* Mandrake: Updated gpdf packages fix
  17th, February, 2005

Previous updates to correct integer overflow issues affecting xpdf
overlooked certain conditions when built for a 64-bit platform
(formerly CAN-2004-0888). This also affects applications like gpdf
that use embedded versions of xpdf. The updated packages are patched
to deal with these issues.

http://www.linuxsecurity.com/content/view/118368


* Mandrake: Updated kdelibs packages fix
  17th, February, 2005

A bug in the way kioslave handles URL-encoded newline (%0a)
characters before the FTP command was discovered.  Because of this,
it is possible that a specially crafted URL could be used to execute
any ftp command on a remote server, or even send unsolicited email.

http://www.linuxsecurity.com/content/view/118369


* Mandrake: Updated KDE packages address
  17th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118370


* Mandrake: Updated xpdf packages fix
  17th, February, 2005

Previous updates to correct integer overflow issues affecting xpdf
overlooked certain conditions when built for a 64-bit platform
(formerly CAN-2004-0888). This also affects applications that use
embedded versions of xpdf. The updated packages are patched to
deal with these issues.

http://www.linuxsecurity.com/content/view/118371


* Mandrake: Updated PostgreSQL packages
  17th, February, 2005

A number of vulnerabilities were found.

http://www.linuxsecurity.com/content/view/118372


* Mandrake: Updated tetex packages fix
  17th, February, 2005

Previous updates to correct integer overflow issues affecting xpdf
overlooked certain conditions when built for a 64-bit platform
(formerly CAN-2004-0888). This also affects applications like tetex
that use embedded versions of xpdf. The updated packages are patched
to deal with these issues.

http://www.linuxsecurity.com/content/view/118373


* Mandrake: Updated uim packages fix
  24th, February, 2005

Takumi ASAKI discovered that uim always trusts environment variables
which can allow a local attacker to obtain elevated privileges when
libuim is linked against an suid/sgid application.  This problem is
only exploitable in 'immodule for Qt' enabled Qt applications.
The updated packages are patched to fix the problem.

http://www.linuxsecurity.com/content/view/118425


* Mandrake: Updated squid packages fix
  24th, February, 2005

The squid developers discovered that a remote attacker could cause
squid to crash via certain DNS responses. The updated packages are
patched to fix the problem.

http://www.linuxsecurity.com/content/view/118426


+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Low: cpio security update
  18th, February, 2005

An updated cpio package that fixes a umask bug and supports large
files (>2GB) is now available. This update has been rated as having
low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118378


* RedHat: Low: imap security update
  18th, February, 2005

Updated imap packages that fix a security issue are now available for
Red Hat Enterprise Linux 2.1. This update has been rated as having
low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118379


* RedHat: Low: vim security update
  18th, February, 2005

Updated vim packages that fix a security vulnerability are now
available. This update has been rated as having low security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118380


* RedHat: Important: cups security update
  18th, February, 2005

Updated cups packages that fix a security issue are now available.
This update has been rated as having important security impact by the
Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118381


* RedHat: Important: kernel security update
  18th, February, 2005

Updated kernel packages that fix several security issues are now
available for Red Hat Enterprise Linux 4. This update has been rated
as having important security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/118385


* RedHat: Moderate: imap security update
  23rd, February, 2005

Updated imap packages to correct a security vulnerability in CRAM-MD5
authentication are now available for Red Hat Enterprise Linux 3.
This update has been rated as having moderate security impact by the
Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118418


+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: squid remote denial of service
  22nd, February, 2005

Squid is an Open Source web proxy.
A remote attacker was potentially able to crash the Squid web proxy
if the log_fqdn option was set to "on" and the DNS replies were
manipulated.

http://www.linuxsecurity.com/content/view/118403


* SuSE: cyrus-imapd buffer overflows
  24th, February, 2005

This update fixes one-byte buffer overruns in the cyrus-imapd IMAP
server package.

http://www.linuxsecurity.com/content/view/118423


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


