+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | March 25th, 2005 Volume 6, Number 12a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@private ben@private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for cyrus-imapd, curl, xloadimage, xli, PERL, slypheed, libgal2, libsoup, evolution, gimp, procps, lsof, lockdev, xloadimage, mailman, boost, kdelibs, firefox, thunderbird, mozilla, devhelp, epiphany, rxvt, LTris, MySQL, ethereal, ipsec-tools, and ImageMagick. The distributors include Conectiva, Debian, Fedora, Genotoo, Mandrake, Red Hat, and SuSE. --- >> Enterprise Security for the Small Business << Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07 --- Authentication: Passwords For most, the subject of passwords is novel. However, it is important to take a step back and analyze their strengths, weaknesses, and alternatives. Using only passwords as a method of authentication is often insufficient for critical data because they fundamentally have weaknesses. Several of those include: users pick easy to guess words, users often voluntarily give them away in order to make work easier, and passwords are often easily intercepted. Many applications/protocols that are still in use send passwords in cleartext. A weak password is the equivalent of a faulty lock on a safe. Passwords do not guarantee security, only increase the time required to access data or information. System administrators can improve password security for users in several ways. First, a limit on log-in attempts should be set. For example, user ids should be locked after a number of failed login attempts. Next, passwords should have strength requirements set. For example, passwords should have a minimum length, special characters and capitalizations should be required, and they should be checked against a dictionary file. Password security can also be improved if there are expiration dates set and passwords are not reused consecutively. Biometrics and other forms of authentication in addition to passwords can dramatically increase security. Having a second line of defense is critical. For example, ssh security can be improved by using key-authentication and IP based access controls. Passwords are slowly becoming obsolete with improvements in technology, but will remain in use for many years. Next week, I'll discuss how using single sign-on mechanisms can improve password security and management for users. Until next time, cheers! Benjamin D. Thomas ---------------------- Getting to Know Linux Security: File Permissions Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved. Click to view video demo: http://www.linuxsecurity.com/content/view/118181/49/ --- The Tao of Network Security Monitoring: Beyond Intrusion Detection To be honest, this was one of the best books that I've read on network security. Others books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that is offers real-life technical examples, while backing them up with relevant case studies. http://www.linuxsecurity.com/content/view/118106/49/ --- Encrypting Shell Scripts Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output). http://www.linuxsecurity.com/content/view/117920/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Conectiva | ----------------------------// +---------------------------------+ * Conectiva: cyrus-imapd Fix for multiple cyrus-imapd 17th, March, 2005 cyrus-imapd[1] is an IMAP and POP3 mail server with several advanced features such as SASL authentication, server-side mail filtering, mailbox ACLs and others. http://www.linuxsecurity.com/content/view/118624 * Conectiva: curl Fix for cURL vulnerability 21st, March, 2005 cURL[1] is a client to get/put files from/to servers, using any of the supported protocols. http://www.linuxsecurity.com/content/view/118655 +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New xloadimage packages fix several vulnerabilities 21st, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118650 * Debian: New xli packages fix several vulnerabilities 21st, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118656 * Debian: New perl packages fix privilege escalation 22nd, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118663 +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ * Fedora Core 2 Update: sylpheed-1.0.3-0.FC2 17th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118626 * Fedora Core 3 Update: libgal2-2.2.5-1 17th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118627 * Fedora Core 3 Update: libsoup-2.2.2-1.FC3 17th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118628 * Fedora Core 3 Update: evolution-data-server-1.0.4-3 17th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118629 * Fedora Core 3 Update: evolution-2.0.4-1 17th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118630 * Fedora Core 3 Update: evolution-connector-2.0.4-1 17th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118631 * Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.89 17th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118632 * Fedora Core 3 Update: policycoreutils-1.18.1-2.10 17th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118633 * Fedora Core 3 Update: gimp-2.2.4-0.fc3.3 18th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118640 * Fedora Core 3 Update: procps-3.2.3-5.2 18th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118641 * Fedora Core 3 Update: lsof-4.72-2.1 18th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118642 * Fedora Core 3 Update: lockdev-1.0.1-4.1 18th, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118643 * Fedora Core 2 Update: xloadimage-4.1-34.FC2 18th, March, 2005 This update fixes CAN-2005-0638, a problem in the parsing of shell metacharacters in filenames. It also fixes bugs in handling of malformed TIFF and PBM/PNM/PPM issues. http://www.linuxsecurity.com/content/view/118644 * Fedora Core 3 Update: xloadimage-4.1-34.FC3 18th, March, 2005 This update fixes CAN-2005-0638, a problem in the parsing of shell metacharacters in filenames. It also fixes bugs in handling of malformed TIFF and PBM/PNM/PPM issues. http://www.linuxsecurity.com/content/view/118645 * Fedora Core 2 Update: mailman-2.1.5-10.fc2 22nd, March, 2005 A cross-site scripting (XSS) flaw in the driver script of mailman prior to version 2.1.5 could allow remote attackers to execute scripts as other web users. http://www.linuxsecurity.com/content/view/118667 * Fedora Core 3 Update: mailman-2.1.5-32.fc3 22nd, March, 2005 A cross-site scripting (XSS) flaw in the driver script of mailman prior to version 2.1.5 could allow remote attackers to execute scripts as other web users. The Common Vulnerabilities. http://www.linuxsecurity.com/content/view/118668 * Fedora Core 3 Update: boost-1.32.0-5.fc3 22nd, March, 2005 This is a bugfix release. http://www.linuxsecurity.com/content/view/118669 * Fedora Core 2 Update: kdelibs-3.2.2-14.FC2 23rd, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118683 * Fedora Core 3 Update: firefox-1.0.2-1.3.1 23rd, March, 2005 A buffer overflow bug was found in the way Firefox processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. http://www.linuxsecurity.com/content/view/118684 * Fedora Core 3 Update: kdelibs-3.3.1-2.9.FC3 23rd, March, 2005 Updated package. http://www.linuxsecurity.com/content/view/118685 * Fedora Core 3 Update: thunderbird-1.0.2-1.3.1 23rd, March, 2005 A buffer overflow bug was found in the way Thunderbird processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. http://www.linuxsecurity.com/content/view/118686 * Fedora Core 3 Update: mozilla-1.7.6-1.3.2 23rd, March, 2005 A buffer overflow bug was found in the way Mozilla processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. http://www.linuxsecurity.com/content/view/118687 * Fedora Core 3 Update: devhelp-0.9.2-2.3.1 23rd, March, 2005 There were several security flaws found in the mozilla package, which devhelp depends on. Users of devhelp are advised to upgrade to this updated package which has been rebuilt against a later version of mozilla which is not vulnerable to these flaws. http://www.linuxsecurity.com/content/view/118688 * Fedora Core 3 Update: epiphany-1.4.4-4.3.1 23rd, March, 2005 There were several security flaws found in the mozilla package, which epiphany depends on. Users of epiphany are advised to upgrade to this updated package which has been rebuilt against a later version of mozilla which is not vulnerable to these flaws. http://www.linuxsecurity.com/content/view/118689 * Fedora Core 3 Update: evolution-2.0.4-2 23rd, March, 2005 There were several security flaws found in the mozilla package, which evolution depends on. Users of evolution are advised to upgrade to this updated package which has been rebuilt against a later version of mozilla which is not vulnerable to these flaws. http://www.linuxsecurity.com/content/view/118690 * Gentoo: Grip CDDB response overflow 17th, March, 2005 Grip contains a buffer overflow that can be triggered by a large CDDB response, potentially allowing the execution of arbitrary code. http://www.linuxsecurity.com/content/view/118625 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: KDE Local Denial of Service 19th, March, 2005 KDE is vulnerable to a local Denial of Service attack. http://www.linuxsecurity.com/content/view/118646 * Gentoo: rxvt-unicode Buffer overflow 20th, March, 2005 rxvt-unicode is vulnerable to a buffer overflow that could lead to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/118647 * Gentoo: LTris Buffer overflow 20th, March, 2005 LTris is vulnerable to a buffer overflow which could lead to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/118648 * Gentoo: Sylpheed, Sylpheed-claws Message reply overflow 20th, March, 2005 Sylpheed and Sylpheed-claws contain a vulnerability that can be triggered when replying to specially crafted messages. http://www.linuxsecurity.com/content/view/118649 +---------------------------------+ | Distribution: Mandrake | ----------------------------// +---------------------------------+ * Mandrake: Updated KDE packages address 21st, March, 2005 New KDE packages are available to address various bugs. The details are as follows. http://www.linuxsecurity.com/content/view/118661 * Mandrake: Updated MySQL packages fix 21st, March, 2005 If an authenticated user had INSERT privileges on the 'mysql' database, the CREATE FUNCTION command allowed that user to use libc functions to execute arbitrary code with the privileges of the user running the database server (mysql) (CAN-2005-0709). http://www.linuxsecurity.com/content/view/118662 +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ * RedHat: Moderate: ethereal security update 18th, March, 2005 Updated Ethereal packages that fix various security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118636 * RedHat: Important: sylpheed security update 18th, March, 2005 An updated sylpheed package that fixes a buffer overflow issue is now available. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118635 * RedHat: Important: mailman security update 21st, March, 2005 An updated mailman package that corrects a cross-site scripting flaw is now available. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118658 * RedHat: Important: realplayer security update 21st, March, 2005 Updated realplayer packages that fix a number of security issues are now available for Red Hat Enterprise Linux 3 Extras. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118659 * RedHat: Low: libexif security update 21st, March, 2005 Updated libexif packages that fix a buffer overflow issue are now available. This update has been rated as having low security impact by the RedHat Security Response Team. http://www.linuxsecurity.com/content/view/118660 * RedHat: Moderate: ImageMagick security update 23rd, March, 2005 Updated ImageMagick packages that fix a heap based buffer overflow are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118670 * RedHat: Moderate: ipsec-tools security update 23rd, March, 2005 An updated ipsec-tools package that fixes a bug in parsing of ISAKMP headers is now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118671 * RedHat: Moderate: ImageMagick security update 23rd, March, 2005 Updated ImageMagick packages that fix a format string bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118672 * RedHat: Important: kdelibs security update 23rd, March, 2005 Updated kdelibs packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118673 * RedHat: Critical: mozilla security update 23rd, March, 2005 Updated mozilla packages that fix various bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118679 * RedHat: Critical: mozilla security update 23rd, March, 2005 Updated mozilla packages that fix various bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118680 * RedHat: Critical: firefox security update 23rd, March, 2005 Updated firefox packages that fix various bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118681 * RedHat: Critical: thunderbird security update 23rd, March, 2005 Updated thunderbird packages that fix various bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118682 +---------------------------------+ | Distribution: SuSE | ----------------------------// +---------------------------------+ * SuSE: ImageMagick problems 23rd, March, 2005 A format string vulnerability was found in the display program which could lead to a remote attacker being to able to execute code as the user running display by providing handcrafted filenames of images. This is tracked by the Mitre CVE ID CAN-2005-0397. http://www.linuxsecurity.com/content/view/118678 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ _________________________________________ Network Security -http://www.auditmypc.com Free vulnerability test - How secure is your computer?
This archive was generated by hypermail 2.1.3 : Mon Mar 28 2005 - 05:27:00 PST