+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | March 18th, 2005 Volume 6, Number 11a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@private ben@private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for gaim, kdenetwork, squirrelmail, luxman, hwbrowser, at, bind, openoffice,ipsec-tools, sylpheed, koffice, qt, ImageMagick, ethereal, udev, libXpm, Ethereal, rmtree, curl, cyrus-sasl, gnupg, openslp, tetex, postfix, and squid. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE. --- >> Enterprise Security for the Small Business << Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07 --- Information Security In today's business world there is an ever-growing reliance on information technology. Businesses and organizations rely on IT for distributed processing, the automation of tasks and electronic commerce. Processing that would have been done by hand years ago is now done completely on computers. This has evolved so much that many tasks are no longer feasible to conduct by hand. In fact, in some cases it would be impossible. Typical business objects include maximizing profit, having high sustainable growth, and keeping costs low. In information security, we are aiming to preserve the confidentiality, integrity, and availability of information from disclosure, modification, destruction or misuse. Businesses are at risk of loss of income, loss of competitive advantage, or possibly legal penalties if no compliant with regulations. Why information security? Information is an essential resource for business today. Have the right information at the right time in the hands of the right people is often the difference between profit/loss, and success/failure. We must understand that information is a key business asset and preserving confidentiality, integrity, and availability is crucial to the continued success of the business. Once again, manual processing is no longer a feasible option. In the event of a failure, the employees would loose productivity and it would be very costly to the company. Information security can help protect from confidentiality breaches. In the event of the unauthorized disclosure of schematics, a business could loose millions to a competitor and loss of R&D time and money. Ensuring data integrity is also essential. Information security is also important to detect any violations that may occur, or mitigate any consequential damagers that may occur from a breach. Also, information security practice can aid in the planning and facilitate a recovery strategy, ensuring that impact and loss in minimized. In the event of an investigation, having proper information security procedures in place can assist in the process of gather evidence. If managed properly, information security can be a business enabler. Rather than the 'badge and gun' attitude, information security professionals should approach it from a business perspective. How can information security save the organization money? How can it increase customer loyalty, etc. If information security does not seem to help an organization, and only restrict, it will not be a priority for executive management. Gaining top management support is crucial to creating a security environment. The recommended approach for information security management includes setting a security policy, conducting a risk analysis, managing those risks, setting appropriate policies and procedures, monitoring, and developing a secure awareness and training program. The traditional information security mechanisms include: access control, encipherment, authentication, policies, procedures, and training. Information security is important, but why management? As security professionals, we must realize that technology is only part of the solution. Security is mostly a people problem, and people need managing. Policies, procedures, and creating an information security centered culture in an organization can often go much farther than technology alone can provide. Security is only as strong as the weakest link in the system. Often, the weakest link is management. Information security management provides managers with the appropriate information to make decisions based on knowledge and facts, rather than feelings. Managers no longer should make decisions based on fear, uncertainty, and doubt, but make decisions which apply appropriate controls for the information at risk. Appropriate means a balance between controls/convinience, and costs of control/potential loss. Information security should not be only a set of restrictive controls, it should be a business enabler. Management activities such as risk analysis, ownership, policy creation/enforcement, procedures, should all be part of an overall information security program. Often, the best way to approach management is using well thought-out standards and methodologies such as ISO-17799 and the ISF Standards. Information security exists in business, only to support business. We should realize that. Benjamin D. Thomas ben@private ---------------------- Getting to Know Linux Security: File Permissions Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved. Click to view video demo: http://www.linuxsecurity.com/content/view/118181/49/ --- The Tao of Network Security Monitoring: Beyond Intrusion Detection To be honest, this was one of the best books that I've read on network security. Others books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that is offers real-life technical examples, while backing them up with relevant case studies. http://www.linuxsecurity.com/content/view/118106/49/ --- Encrypting Shell Scripts Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output). http://www.linuxsecurity.com/content/view/117920/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Conectiva | ----------------------------// +---------------------------------+ * Conectiva: gaim Fixes for gaim's vulnerabilities 14th, March, 2005 Gaim[1] is a multi-protocol instant messaging (IM) client. This announcement fixes three denial of service vulnerabilities that were encountered in Gaim. http://www.linuxsecurity.com/content/view/118571 * Conectiva: kdenetwork Fix for kppp vulnerability 16th, March, 2005 kppp[1] is the KDE[2] internet dialer. This announcement fixes a privileged file descriptors leak vulnerability[3,4] which could allow local attackers to hijack a system's domain name resolution function. http://www.linuxsecurity.com/content/view/118617 +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New squirrelmail package fixes regression 14th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118572 * Debian: New luxman packages fix local root exploit 14th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118574 +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ * Fedora Core 3 Update: hwbrowser-0.20-0.fc3.1 11th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118553 * Fedora Core 3 Update: at-3.1.8-68_FC3 11th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118554 * Fedora Core 3 Update: bind-9.2.5-1 11th, March, 2005 Upgraded to ISC BIND 9.2.5 (final release) o Added libbind man-pages (see 'man libbind-resolver', 'man libbind-irs.conf') o Fixed libbind h_errno handling (bug 150288) http://www.linuxsecurity.com/content/view/118555 * Fedora Core 2 Update: openoffice.org-1.1.3-9.4.0.fc2 14th, March, 2005 This update makes the Fedora Core 2 version of OpenOffice.org equivalent to the version in Fedora Core 3. http://www.linuxsecurity.com/content/view/118575 * Fedora Core 3 Update: openoffice.org-1.1.3-9.5.0.fc3 14th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118576 * Fedora Core 3 Update: NetworkManager-0.3.4-1.1.0.fc3 14th, March, 2005 Many fixes. Check the changelog for details. http://www.linuxsecurity.com/content/view/118577 * Fedora Core 3 Update: at-3.1.8-68_FC3 14th, March, 2005 Added check in at(1) to verify if atd PAM authentication will succeed; Job submission will be denied if atd PAM authentication fails. http://www.linuxsecurity.com/content/view/118578 * Fedora Core 2 Update: ipsec-tools-0.5-2.fc2 14th, March, 2005 This update fixes a potential DoS in parsing ISAKMP headers in racoon. (CAN-2005-0398) http://www.linuxsecurity.com/content/view/118585 * Fedora Core 3 Update: ipsec-tools-0.5-2.fc3 14th, March, 2005 This update fixes a potential DoS in parsing ISAKMP headers in racoon. (CAN-2005-0398) http://www.linuxsecurity.com/content/view/118586 * Fedora Core 3 Update: sylpheed-1.0.3-0.FC3 15th, March, 2005 Updated pacakge. http://www.linuxsecurity.com/content/view/118593 * Fedora Core 3 Update: koffice-1.3.5-0.FC3.2 15th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118594 * Fedora Core 3 Update: qt-3.3.4-0.fc3.0 15th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118595 * Fedora Core 3 Update: ImageMagick-6.0.7.1-5.fc3 15th, March, 2005 The updated packages fix a bug which could cause segfaults when writing TIFF images to the standard output. http://www.linuxsecurity.com/content/view/118598 * Fedora Core 3 Update: ethereal-0.10.10-1.FC3.1 16th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118612 * Fedora Core 2 Update: ethereal-0.10.10-1.FC2.1 16th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118613 * Fedora Core 3 Update: system-config-samba-1.2.28-0.fc3.1 16th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118614 * Fedora Core 3 Update: kdenetwork-3.3.1-3 16th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118615 * Fedora Core 3 Update: udev-039-10.FC3.7 16th, March, 2005 Fixed DRI permissions and SCSI hotplug replay in start_udev. http://www.linuxsecurity.com/content/view/118616 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: X.org libXpm vulnerability 12th, March, 2005 A new vulnerability has been discovered in libXpm, which is included in X.org, that can potentially lead to remote code execution. http://www.linuxsecurity.com/content/view/118556 * Gentoo: Ethereal Multiple vulnerabilities 12th, March, 2005 Multiple vulnerabilities exist in Ethereal, which may allow an attacker to run arbitrary code or crash the program. http://www.linuxsecurity.com/content/view/118557 * Gentoo: libexif Buffer overflow vulnerability 12th, March, 2005 libexif fails to validate certain inputs, making it vulnerable to buffer overflows. http://www.linuxsecurity.com/content/view/118558 * Gentoo: Ringtone Tools Buffer overflow vulnerability 15th, March, 2005 The Ringtone Tools utilities contain a buffer overflow vulnerability, potentially leading to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/118591 * Gentoo: Perl rmtree and DBI tmpfile vulnerabilities 15th, March, 2005 The rmtree race conditions were only partly fixed in the original GLSA. New versions of dev-lang/perl have been released to address the remaining issues (CAN-2005-0448). The updated sections appear below. http://www.linuxsecurity.com/content/view/118592 * Gentoo: Ringtone Tools Buffer overflow vulnerability 15th, March, 2005 The Ringtone Tools utilities contain a buffer overflow vulnerability, potentially leading to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/118597 * Gentoo: MySQL Multiple vulnerabilities 16th, March, 2005 MySQL contains several vulnerabilities potentially leading to the overwriting of local files or to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/118610 * Gentoo: curl NTLM response buffer overflow 16th, March, 2005 curl is vulnerable to a buffer overflow which could lead to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/118611 +---------------------------------+ | Distribution: Mandrake | ----------------------------// +---------------------------------+ * Mandrake: Updated lvm2 packages fix 14th, March, 2005 A bug in the lvm2 packages caused it to recurse symlinked directories indefinitely which caused lvm commands to be really slow or timeout. A patch has been applied to correct this problem. http://www.linuxsecurity.com/content/view/118587 * Mandrake: Updated cyrus-sasl packages 15th, March, 2005 A buffer overflow was discovered in cyrus-sasl's digestmd5 code. This could lead to a remote attacker executing code in the context of the service using SASL authentication. This vulnerability was fixed upstream in version 2.1.19. The updated packages are patched to deal with this issue. http://www.linuxsecurity.com/content/view/118599 * Mandrake: Updated gnupg packages fix 15th, March, 2005 The OpenPGP protocol is vulnerable to a timing-attack in order to gain plain text from cipher text. The timing difference appears as a side effect of the so-called "quick scan" and is only exploitable on systems that accept an arbitrary amount of cipher text for automatic decryption. http://www.linuxsecurity.com/content/view/118600 * Mandrake: Updated ethereal packages 15th, March, 2005 A number of issues were discovered in Ethereal versions prior to 0.10.10, which is provided by this update. http://www.linuxsecurity.com/content/view/118601 * Mandrake: Updated openslp packages fix 15th, March, 2005 An audit by the SUSE Security Team of critical parts of the OpenSLP package revealed various buffer overflow and out of bounds memory access issues. These problems can be triggered by remote attackers by sending malformed SLP packets. The packages have been patched to prevent these problems. http://www.linuxsecurity.com/content/view/118602 * Mandrake: Updated evolution packages 16th, March, 2005 It was discovered that certain types of messages could be used to crash the Evolution mail client. Fixes have been applied to correct this behaviour. http://www.linuxsecurity.com/content/view/118618 * Mandrake: Updated kdelibs packages fix 16th, March, 2005 A vulnerability in dcopserver was discovered by Sebastian Krahmer of the SUSE security team. A local user can lock up the dcopserver of other users on the same machine by stalling the DCOP authentication process, causing a local Denial of Service. http://www.linuxsecurity.com/content/view/118619 +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ * RedHat: Important: gaim security update 10th, March, 2005 An updated gaim package that fixes various security issues as well as a number of bugs is now available. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118548 * RedHat: Moderate: tetex security update 16th, March, 2005 Updated tetex packages that resolve security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118607 * RedHat: Low: postfix security update 16th, March, 2005 Updated postfix packages that include a security fix and two other bug fixes are now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team http://www.linuxsecurity.com/content/view/118608 * RedHat: Moderate: squid security update 16th, March, 2005 An updated squid package that fixes a denial of service issue is now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118609 +---------------------------------+ | Distribution: SuSE | ----------------------------// +---------------------------------+ * SuSE: openslp (SUSE-SA:2005:015) 14th, March, 2005 The SUSE Security Team reviewed critical parts of the OpenSLP package, an open source implementation of the Service Location Protocol (SLP). http://www.linuxsecurity.com/content/view/118573 * SuSE: multiple Mozilla Firefox 16th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118606 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ _________________________________________ Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Sat Mar 19 2005 - 00:31:57 PST