[ISN] Linux Advisory Watch - March 18th 2005

From: InfoSec News (isn@private)
Date: Fri Mar 18 2005 - 23:17:00 PST

|  LinuxSecurity.com                             Weekly Newsletter    |
|  March 18th, 2005                           Volume 6, Number 11a    |

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@private          ben@private

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for gaim, kdenetwork, squirrelmail,
luxman, hwbrowser, at, bind, openoffice, ipsec-tools, sylpheed, koffice,
qt, ImageMagick, ethereal, udev, libXpm, Ethereal, rmtree, curl,
cyrus-sasl, gnupg, openslp, tetex, postfix, and squid. The distributors
include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.




Information Security

In today's business world there is an ever-growing reliance on
information technology. Businesses and organizations rely on IT for
distributed processing, the automation of tasks and electronic
commerce. Processing that would have been done by hand years ago is
now done completely on computers. This has evolved so much that many
tasks are no longer feasible to conduct by hand. In fact, in some
cases it would be impossible. Typical business objectives include
maximizing profit, having high sustainable growth, and keeping costs
low. In information security, we are aiming to preserve the
confidentiality, integrity, and availability of information from
disclosure, modification, destruction or misuse. Businesses are
at risk of loss of income, loss of competitive advantage, or
possibly legal penalties if not compliant with regulations.

Why information security? Information is an essential resource
for business today. Having the right information at the right time
in the hands of the right people is often the difference between
profit/loss, and success/failure. We must understand that
information is a key business asset and preserving confidentiality,
integrity, and availability is crucial to the continued success
of the business. Once again, manual processing is no longer a
feasible option. In the event of a failure, the employees would
lose productivity and it would be very costly to the company.
Information security can help protect from confidentiality breaches.
In the event of the unauthorized disclosure of schematics, a
business could lose millions to a competitor and loss of R&D time
and money. Ensuring data integrity is also essential. Information
security is also important to detect any violations that may occur,
or mitigate any consequential damages that may occur from a breach.
Also, information security practice can aid in the planning and
facilitate a recovery strategy, ensuring that impact and loss is
minimized. In the event of an investigation, having proper
information security procedures in place can assist in the process
of gathering evidence.

If managed properly, information security can be a business enabler.
Rather than the 'badge and gun' attitude, information security
professionals should approach it from a business perspective. How
can information security save the organization money? How can it
increase customer loyalty, etc.? If information security does not
seem to help an organization, and only restricts, it will not be a
priority for executive management. Gaining top management support
is crucial to creating a security environment.

The recommended approach for information security management includes
setting a security policy, conducting a risk analysis, managing
those risks, setting appropriate policies and procedures, monitoring,
and developing a security awareness and training program. The traditional
information security mechanisms include: access control, encipherment,
authentication, policies, procedures, and training.

Information security is important, but why management? As security
professionals, we must realize that technology is only part of the
solution. Security is mostly a people problem, and people need
managing. Policies, procedures, and creating an information security
centered culture in an organization can often go much farther than
technology alone can provide. Security is only as strong as the weakest
link in the system. Often, the weakest link is management. Information
security management provides managers with the appropriate information
to make decisions based on knowledge and facts, rather than feelings.
Managers no longer should make decisions based on fear, uncertainty,
and doubt, but make decisions which apply appropriate controls for
the information at risk. Appropriate means a balance between
controls/convenience, and costs of control/potential loss. Information
security should not be only a set of restrictive controls, it should
be a business enabler.

Management activities such as risk analysis, ownership, policy
creation/enforcement, procedures, should all be part of an overall
information security program. Often, the best way to approach management
is using well thought-out standards and methodologies such as ISO-17799
and the ISF Standards. Information security exists in business, only
to support business. We should realize that.

Benjamin D. Thomas


Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security'
series.  The topic explored is Linux file permissions.  It offers an
easy to follow explanation of how to read permissions, and how to set
them using chmod.  This guide is intended for users new to Linux
security, therefore very simple.  If the feedback is good, I'll
consider creating more complex guides for advanced users.  Please
let us know what you think and how these can be improved.


The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network
security. Other books often dive so deeply into technical discussions,
they fail to provide any relevance to network engineers/administrators
working in a corporate environment. Budgets, deadlines, and flexibility
are issues that we must all address. The Tao of Network Security
Monitoring is presented in such a way that all of these are still
relevant. One of the greatest virtues of this book is that it offers
real-life technical examples, while backing them up with relevant case



Encrypting Shell Scripts

Do you have scripts that contain sensitive information like
passwords and you pretty much depend on file permissions to keep
it secure?  If so, then that type of security is good provided
you keep your system secure and some user doesn't have a "ps -ef"
loop running in an attempt to capture that sensitive info (though
some applications mask passwords in "ps" output).



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Conectiva        | ----------------------------//

* Conectiva: gaim Fixes for gaim's vulnerabilities
  14th, March, 2005

Gaim[1] is a multi-protocol instant messaging (IM) client.
This announcement fixes three denial of service vulnerabilities that
were encountered in Gaim.


* Conectiva: kdenetwork Fix for kppp vulnerability
  16th, March, 2005

kppp[1] is the KDE[2] internet dialer. This announcement fixes a
privileged file descriptors leak vulnerability[3,4] which could
allow local attackers to hijack a system's domain name
resolution function.


|  Distribution: Debian           | ----------------------------//

* Debian: New squirrelmail package fixes regression
  14th, March, 2005

Updated package.


* Debian: New luxman packages fix local root exploit
  14th, March, 2005

Updated package.


|  Distribution: Fedora           | ----------------------------//

* Fedora Core 3 Update: hwbrowser-0.20-0.fc3.1
  11th, March, 2005

Updated package.


* Fedora Core 3 Update: at-3.1.8-68_FC3
  11th, March, 2005

Updated package.


* Fedora Core 3 Update: bind-9.2.5-1
  11th, March, 2005

Upgraded to ISC BIND 9.2.5 (final release)
  o Added libbind man-pages (see 'man libbind-resolver',
    'man libbind-irs.conf')
  o Fixed libbind h_errno handling (bug 150288)


* Fedora Core 2 Update: openoffice.org-1.1.3-9.4.0.fc2
  14th, March, 2005

This update makes the Fedora Core 2 version of OpenOffice.org
equivalent to the version in Fedora Core 3.


* Fedora Core 3 Update: openoffice.org-1.1.3-9.5.0.fc3
  14th, March, 2005

Updated package.


* Fedora Core 3 Update: NetworkManager-0.3.4-1.1.0.fc3
  14th, March, 2005

Many fixes.  Check the changelog for details.


* Fedora Core 3 Update: at-3.1.8-68_FC3
  14th, March, 2005

Added check in at(1) to verify if atd PAM authentication will
succeed; Job submission will be denied if atd PAM authentication


* Fedora Core 2 Update: ipsec-tools-0.5-2.fc2
  14th, March, 2005

This update fixes a potential DoS in parsing ISAKMP headers in
racoon. (CAN-2005-0398)


* Fedora Core 3 Update: ipsec-tools-0.5-2.fc3
  14th, March, 2005

This update fixes a potential DoS in parsing ISAKMP headers in
racoon. (CAN-2005-0398)


* Fedora Core 3 Update: sylpheed-1.0.3-0.FC3
  15th, March, 2005

Updated package.


* Fedora Core 3 Update: koffice-1.3.5-0.FC3.2
  15th, March, 2005

Updated package.


* Fedora Core 3 Update: qt-3.3.4-0.fc3.0
  15th, March, 2005

Updated package.


* Fedora Core 3 Update: ImageMagick-
  15th, March, 2005

The updated packages fix a bug which could cause segfaults when
writing TIFF images to the standard output.


* Fedora Core 3 Update: ethereal-0.10.10-1.FC3.1
  16th, March, 2005

Updated package.


* Fedora Core 2 Update: ethereal-0.10.10-1.FC2.1
  16th, March, 2005

Updated package.


* Fedora Core 3 Update: system-config-samba-1.2.28-0.fc3.1
  16th, March, 2005

Updated package.


* Fedora Core 3 Update: kdenetwork-3.3.1-3
  16th, March, 2005

Updated package.


* Fedora Core 3 Update: udev-039-10.FC3.7
  16th, March, 2005

Fixed DRI permissions and SCSI hotplug replay in start_udev.


|  Distribution: Gentoo           | ----------------------------//

* Gentoo: X.org libXpm vulnerability
  12th, March, 2005

A new vulnerability has been discovered in libXpm, which is included
in X.org, that can potentially lead to remote code execution.


* Gentoo: Ethereal Multiple vulnerabilities
  12th, March, 2005

Multiple vulnerabilities exist in Ethereal, which may allow an
attacker to run arbitrary code or crash the program.


* Gentoo: libexif Buffer overflow vulnerability
  12th, March, 2005

libexif fails to validate certain inputs, making it vulnerable to
buffer overflows.


* Gentoo: Ringtone Tools Buffer overflow vulnerability
  15th, March, 2005

The Ringtone Tools utilities contain a buffer overflow vulnerability,
potentially leading to the execution of arbitrary code.


* Gentoo: Perl rmtree and DBI tmpfile vulnerabilities
  15th, March, 2005

The rmtree race conditions were only partly fixed in the original
GLSA. New versions of dev-lang/perl have been released to address the
remaining issues (CAN-2005-0448). The updated sections appear below.


* Gentoo: MySQL Multiple vulnerabilities
  16th, March, 2005

MySQL contains several vulnerabilities potentially leading to the
overwriting of local files or to the execution of arbitrary code.


* Gentoo: curl NTLM response buffer overflow
  16th, March, 2005

curl is vulnerable to a buffer overflow which could lead to the
execution of arbitrary code.


|  Distribution: Mandrake         | ----------------------------//

* Mandrake: Updated lvm2 packages fix
  14th, March, 2005

A bug in the lvm2 packages caused it to recurse symlinked directories
indefinitely which caused lvm commands to be really slow or timeout.
A patch has been applied to correct this problem.


* Mandrake: Updated cyrus-sasl packages
  15th, March, 2005

A buffer overflow was discovered in cyrus-sasl's digestmd5 code.
This could lead to a remote attacker executing code in the context of
the service using SASL authentication.  This vulnerability was fixed
upstream in version 2.1.19. The updated packages are patched to deal
with this issue.


* Mandrake: Updated gnupg packages fix
  15th, March, 2005

The OpenPGP protocol is vulnerable to a timing-attack in order to
gain plain text from cipher text.  The timing difference appears as a
side effect of the so-called "quick scan" and is only exploitable on
systems that accept an arbitrary amount of cipher text for automatic


* Mandrake: Updated ethereal packages
  15th, March, 2005

A number of issues were discovered in Ethereal versions prior to
0.10.10, which is provided by this update.


* Mandrake: Updated openslp packages fix
  15th, March, 2005

An audit by the SUSE Security Team of critical parts of the OpenSLP
package revealed various buffer overflow and out of bounds memory
access issues.  These problems can be triggered by remote attackers
by sending malformed SLP packets.  The packages have been patched
to prevent these problems.


* Mandrake: Updated evolution packages
  16th, March, 2005

It was discovered that certain types of messages could be used to
crash the Evolution mail client.  Fixes have been applied to correct
this behaviour.


* Mandrake: Updated kdelibs packages fix
  16th, March, 2005

A vulnerability in dcopserver was discovered by Sebastian Krahmer of
the SUSE security team.  A local user can lock up the dcopserver of
other users on the same machine by stalling the DCOP authentication
process, causing a local Denial of Service.


|  Distribution: Red Hat          | ----------------------------//

* RedHat: Important: gaim security update
  10th, March, 2005

An updated gaim package that fixes various security issues as well as
a number of bugs is now available. This update has been rated as having
important security impact by the Red Hat Security Response Team.


* RedHat: Moderate: tetex security update
  16th, March, 2005

Updated tetex packages that resolve security issues are now available
for Red Hat Enterprise Linux 4. This update has been rated as
having moderate security impact by the Red Hat Security Response


* RedHat: Low: postfix security update
  16th, March, 2005

Updated postfix packages that include a security fix and two other
bug fixes are now available for Red Hat Enterprise Linux 4.
This update has been rated as having low security impact by the
Red Hat Security Response Team.


* RedHat: Moderate: squid security update
  16th, March, 2005

An updated squid package that fixes a denial of service issue is now
available for Red Hat Enterprise Linux 4. This update has been rated
as having moderate security impact by the Red Hat Security Response


|  Distribution: SuSE             | ----------------------------//

* SuSE: openslp (SUSE-SA:2005:015)
  14th, March, 2005

The SUSE Security Team reviewed critical parts of the OpenSLP
package, an open source implementation of the Service Location
Protocol (SLP).


* SuSE: multiple Mozilla Firefox
  16th, March, 2005

Updated package.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@private
         with "unsubscribe" in the subject of the message.

This archive was generated by hypermail 2.1.3 : Sat Mar 19 2005 - 00:31:57 PST