+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| November 25th, 2005 Volume 6, Number 48a |
+---------------------------------------------------------------------+
Editors: Dave Wreski Benjamin D. Thomas
dave@private ben@private
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
This week, advisories were released for phpgroupware, egroupware,
fetchmail, gnump3d, common-lisp-controller, xmail, unzip, netpbm,
mantis, fetchmail-ssl, sylpheed, ipmenu, horde3, zope, Smb4k, mtab,
phpSysInfo, eix, php, drakxtools, binutils, and fuse. The
distributors include Debian, Gentoo, Mandriva.
----
Earn an NSA recognized IA Masters Online
The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home
life.
http://www.msia.norwich.edu/linsec
----
Administration Notes
Knowing that your servers are up-to-date is a good way to help
ensure that you will have an uninterrupted holidays. What else can
assure you that operations will run smoothly during time off? There
are many pieces to the equation that are important. One of the most
significant aspects is using servers that are properly configured
and hardened. In addition, proper server administration procedures
must be followed. While many intrusions are a result of vulnerable
packages, a large number of them can also be attributed to improper
software configuration and administration. This burden falls on the
administrator. What can be done to reduce the risk of improper
software configuration?
The easiest way, is to look for a pre configured or specialized
security distribution. Because I am a long time contributor to
EnGarde Secure Linux, I am biased in this recommendation. However,
I personally feel that using a distribution such as EnGarde will
dramatically improve your organization's security stance with very
little time, effort, and money invested. You'll find that with
EnGarde, administration becomes easy. I have used it for years
and now I find myself becoming lazy when it comes to using other
systems. I find myself not wanting to do anything manually.
Administration has become easy and now it is possible to
concentrate on more intellectually stimulating projects. A
specialized distribution is ideal for administrators with
multiple systems to maintain in a critical environment. More
information can be found out about EnGarde at:
www.engardelinux.org
If you've only installed Linux and Apache to host a personal Web
site, or you are just looking to learn the inter workings of
security and administration. I recommend finding a good Linux
security book. An interesting book that I recently had the
pleasure of reading is titled Linux Security Toolkit, by David
Bandel. It covers host security, network security, firewalls &
specialized security software, and Linux security auditing. It
is easy to read and suitable for administrators wishing to
concentrate on security. Like most books published today, it
is not suitable for the seasoned administrator. Although the
book is well written, it is not full of cutting edge knowledge.
If you're looking to learn more about security, I recommend
taking a look. It is available used through Amazon.com at a
very reasonable price.
----------------------
Linux File & Directory Permissions Mistakes
One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access
beyond that which is needed for proper system operations. A full
explanation of unix file permissions is beyond the scope of this
article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one
is available right here on linuxsecurity.com.
http://www.linuxsecurity.com/content/view/119415/49/
---
Buffer Overflow Basics
A buffer overflow occurs when a program or process tries to
store more data in a temporary data storage area than it was
intended to hold. Since buffers are created to contain a finite
amount of data, the extra information can overflow into adjacent
buffers, corrupting or overwriting the valid data held in them.
http://www.linuxsecurity.com/content/view/119087/49/
---
Review: The Book of Postfix: State-of-the-Art Message Transport
I was very impressed with "The Book of Postfix" by authors Ralf
Hildebrandt and Pattrick Koetter and feel that it is an incredible
Postfix reference. It gives a great overall view of the operation
and management of Postfix in an extremely systematic and practical
format. It flows in a logical manner, is easy to follow and the
authors did a great job of explaining topics with attention paid
to real world applications and how to avoid many of the associated
pitfalls. I am happy to have this reference in my collection.
http://www.linuxsecurity.com/content/view/119027/49/
--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
* Debian: New phpgroupware packages fix several vulnerabilities
17th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120833
* Debian: New egroupware packages fix several vulnerabilities
17th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120842
* Debian: New fetchmail packages fix potential information leak
18th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120845
* Debian: New gnump3d packages fix several vulnerabilities
19th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120855
* Debian: New common-lisp-controller packages fix arbitrary code
injection
21st, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120859
* Debian: New xmail packages fix arbitrary code execution
21st, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120860
* Debian: New fetchmail packages fix potential information leak
21st, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120861
* Debian: New unzip packages fix unauthorised permissions
modification
21st, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120862
* Debian: New netpbm packages fix arbitrary code execution
21st, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120865
* Debian: New mantis packages fix several vulnerabilities
22nd, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120866
* Debian: New fetchmail-ssl packages fix potential information leak
22nd, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120870
* Debian: New sylpheed packages fix arbitrary code execution
22nd, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120873
* Debian: New ipmenu packages fix insecure temporary file creation
23rd, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120877
* Debian: New sylpheed-claws packages fix arbitrary code execution
23rd, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120878
* Debian: New horde3 packages fix cross-site scripting
23rd, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120879
* Debian: New zope2.7 packages fix arbitrary file inclusion
24th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120884
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
* Gentoo: Smb4k Local unauthorized file access
18th, November, 2005
A vulnerability has been identified that allows unauthorized access
to the contents of /etc/sudoers and /etc/super.tab files.
http://www.linuxsecurity.com/content/view/120849
* Gentoo: GNUMP3d Directory traversal and insecure temporary
21st, November, 2005
Two vulnerabilities have been identified in GNUMP3d allowing for
limited directory traversal and insecure temporary file creation.
http://www.linuxsecurity.com/content/view/120864
* Gentoo: FUSE mtab corruption through fusermount
22nd, November, 2005
The fusermount utility from FUSE can be abused to corrupt the
/etc/mtab file contents, potentially allowing a local attacker to set
unauthorized mount options.
http://www.linuxsecurity.com/content/view/120872
* Gentoo: phpSysInfo Multiple vulnerabilities
22nd, November, 2005
phpSysInfo is vulnerable to multiple issues, including a local file
inclusion leading to information disclosure and the potential
execution of arbitrary code.
http://www.linuxsecurity.com/content/view/120874
* Gentoo: eix Insecure temporary file creation
22nd, November, 2005
eix has an insecure temporary file creation vulnerability,
potentially allowing a local user to overwrite arbitrary files.
http://www.linuxsecurity.com/content/view/120875
* Gentoo: Horde Application Framework XSS vulnerability
22nd, November, 2005
The Horde Application Framework is vulnerable to a cross-site
scripting vulnerability which could lead to the compromise of the
victim's browser content.
http://www.linuxsecurity.com/content/view/120876
+---------------------------------+
| Distribution: Mandriva | ----------------------------//
+---------------------------------+
* Mandriva: Updated php packages fix multiple vulnerabilities
17th, November, 2005
Updated package.
http://www.linuxsecurity.com/content/view/120832
* Mandriva: Updated file package fixes segfault
18th, November, 2005
A bug in the file program would cause it to segfault on the x86_64
architecture on certain files. This update corrects the problem.
http://www.linuxsecurity.com/content/view/120852
* Mandriva: Updated drakxtools packages fix various bugs
18th, November, 2005
A number of bugs have been fixed in this new drakxtools package.
http://www.linuxsecurity.com/content/view/120853
* Mandriva: Updated gdk-pixbuf/gtk+2.0 packages fix vulnerability
18th, November, 2005
A heap overflow vulnerability in the GTK+ gdk-pixbuf XPM image
rendering library could allow for arbitrary code execution.
http://www.linuxsecurity.com/content/view/120854
* Mandriva: Updated binutils packages fix vulnerabilities
23rd, November, 2005
Integer overflows in various applications in the binutils package
may allow attackers to execute arbitrary code via a carefully crafted
object file. The updated packages have been patched to help address
these problems.
http://www.linuxsecurity.com/content/view/120883
* Mandriva: Updated fuse packages fix vulnerability
24th, November, 2005
Thomas Beige found that fusermount failed to securely handle special
characters specified in mount points, which could allow a local
attacker to corrupt the contents of /etc/mtab by mounting over a
maliciously-named directory using fusermount.
http://www.linuxsecurity.com/content/view/120891
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
_________________________________________
Earn your Master's degree in Information Security ONLINE
www.msia.norwich.edu/csi
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.
This archive was generated by hypermail 2.1.3 : Mon Nov 28 2005 - 01:58:19 PST