+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | October 14th, 2005 Volume 6, Number 42a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@private ben@private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for mason, cpio, dia, masqmail, shorewall, tcpdump, openvpn, up-imapproxy, ethereal, weex, py2play, graphviz, xloadimage, xli, xine-lib, hylafax, Ruby, SVG, hexlix player, uw-imap, openssl, thunderbird, binutils, and libuser. The distributors include Debian, Gentoo, and Red Hat. --- System Accounting By: Dave Wreski It is very important that the information that comes from syslog not be compromised. Making the files in /var/log readable and writable by only a limited number of users is a good start. Be sure to keep an eye on what gets written there, especially under the auth facility. Multiple login failures, for example, can indicate an attempted break-in. Where to look for your log file will depend on your distribution. In a Linux system that conforms to the "Linux Filesystem Standard", such as Red Hat, you will want to look in /var/log and check messages, mail.log, and others. You can find out where your distribution is logging to by looking at your /etc/syslog.conf file. This is the file that tells syslogd (the system logging daemon) where to log various messages. You might also want to configure your log-rotating script or daemon to keep logs around longer so you have time to examine them. Take a look at the logrotate package on recent Red Hat distributions. Other distributions likely have a similar process. If your log files have been tampered with, see if you can determine when the tampering started, and what sort of things appeared to be tampered with. Are there large periods of time that cannot be accounted for? Checking backup tapes (if you have any) for untampered log files is a good idea. Intruders typically modify log files in order to cover their tracks, but they should still be checked for strange happenings. You may notice the intruder attempting to gain entrance, or exploit a program in order to obtain the root account. You might see log entries before the intruder has time to modify them. You should also be sure to separate the auth facility from other log data, including attempts to switch users using su, login attempts, and other user accounting information. If possible, configure syslog to send a copy of the most important data to a secure system. This will prevent an intruder from covering his tracks by deleting his login/su/ftp/etc attempts. See the syslog.conf man page, and refer to the @ option. Finally, log files are much less useful when no one is reading them. Take some time out every once in a while to look over your log files, and get a feeling for what they look like on a normal day. Knowing this can help make unusual things stand out. Read more from the Linux Security Howto: http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/ ---------------------- Linux File & Directory Permissions Mistakes One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com. http://www.linuxsecurity.com/content/view/119415/49/ --- Buffer Overflow Basics A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. http://www.linuxsecurity.com/content/view/119087/49/ --- Review: The Book of Postfix: State-of-the-Art Message Transport I was very impressed with "The Book of Postfix" by authors Ralf Hildebrandt and Pattrick Koetter and feel that it is an incredible Postfix reference. It gives a great overall view of the operation and management of Postfix in an extremely systematic and practical format. It flows in a logical manner, is easy to follow and the authors did a great job of explaining topics with attention paid to real world applications and how to avoid many of the associated pitfalls. I am happy to have this reference in my collection. http://www.linuxsecurity.com/content/view/119027/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New mason packages fix missing init script 6th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120537 * Debian: New cpio packages fix several vulnerabilities 7th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120548 * Debian: New dia packages fix arbitrary code execution 8th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120550 * Debian: New masqmail packages fix several vulnerabilities 8th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120551 * Debian: New shorewall packages fix firewall bypass 8th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120552 * Debian: New tcpdump packages fix denial of service 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120555 * Debian: New openvpn packages fix denial of service 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120556 * Debian: New up-imapproxy packages fix arbitrary code execution 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120557 * Debian: New ethereal packages fix several vulnerabilities 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120558 * Debian: New tcpdump packages fix denial of service 9th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120559 * Debian: New weex packages fix arbitrary code execution 10th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120561 * Debian: New py2play packages fix arbitrary code execution 10th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120562 * Debian: New graphviz packages fix insecure temporary file 10th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120563 * Debian: New xloadimage packages fix arbitrary code execution 10th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120568 * Debian: New xli packages fix arbitrary code execution 10th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120570 * Debian: New Ruby packages fix safety bypass 11th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120571 * Debian: New uw-imap packages fix arbitrary code execution 11th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120572 * Debian: New Ruby 1.6 packages fix safety bypass 11th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120573 * Debian: New xine-lib packages fix arbitrary code execution 12th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120583 * Debian: New Ruby 1.8 packages fix safety bypass 13th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120589 * Debian: New hylafax packages fix insecure temporary files 13th, October, 2005 Updated package. http://www.linuxsecurity.com/content/view/120590 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: Ruby Security bypass vulnerability 6th, October, 2005 Ruby is vulnerable to a security bypass of the safe level mechanism. http://www.linuxsecurity.com/content/view/120539 * Gentoo: Dia Arbitrary code execution through SVG import 6th, October, 2005 Improperly sanitised data in Dia allows remote attackers to execute arbitrary code. http://www.linuxsecurity.com/content/view/120540 * Gentoo: RealPlayer, Helix Player Format string vulnerability 7th, October, 2005 RealPlayer and Helix Player are vulnerable to a format string vulnerability resulting in the execution of arbitrary code. http://www.linuxsecurity.com/content/view/120549 * Gentoo: xine-lib Format string vulnerability 8th, October, 2005 xine-lib contains a format string error in CDDB response handling that may be exploited to execute arbitrary code. http://www.linuxsecurity.com/content/view/120553 * Gentoo: Weex Format string vulnerability 8th, October, 2005 Weex contains a format string error that may be exploited by malicious servers to execute arbitrary code. http://www.linuxsecurity.com/content/view/120554 * Gentoo: uw-imap Remote buffer overflow 11th, October, 2005 uw-imap is vulnerable to remote overflow of a buffer in the IMAP server leading to execution of arbitrary code. http://www.linuxsecurity.com/content/view/120575 * Gentoo: OpenSSL SSL 2.0 protocol rollback 12th, October, 2005 When using a specific option, OpenSSL can be forced to fallback to the less secure SSL 2.0 protocol. http://www.linuxsecurity.com/content/view/120586 * RedHat: Important: thunderbird security update 6th, October, 2005 An updated thunderbird package that fixes various bugs is now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/120541 +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ * RedHat: Low: binutils security update 11th, October, 2005 An updated binutils package that fixes minor security issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/120578 * RedHat: Low: libuser security update 11th, October, 2005 Updated libuser packages that fix various security issues are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/120579 * RedHat: Moderate: util-linux and mount security update 11th, October, 2005 Updated util-linux and mount packages that fix two security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/120580 * RedHat: Moderate: ruby security update 11th, October, 2005 Updated ruby packages that fix an arbitrary command execution issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/120581 * RedHat: Moderate: openssl security update 11th, October, 2005 Updated OpenSSL packages that fix various security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/120582 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ _________________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Sun Oct 16 2005 - 21:36:42 PDT