Author: Benjamin D. Thomas
released for lha, rsync, film, exim, mc, OpenSSL, heimdal, libneon, clamav,
utempter, propftd, apache2, systrace, cvs, procfs, libpng, openoffice, kernel,
sysklogd, and live. The distributors include Conectiva, Debian, Fedora, FreeBSD,
Gentoo, Mandrake, NetBSD, OpenBSD, Red Hat, Slackware, and SuSE.
Why Security
As security professionals and systems
administrators we often forget exactly why we’re adding additional security.
In the daily grime of configuring firewalls, intrusion detection systems, and
other controls, we tend to loose sight of the real objective. In any organization
the purpose of information security is to support long-term growth and stability,
and ensuring confidentiality, integrity, and availability. In a business environment,
information security is critical.
A typical business objective is
to maximize profit, while having a high and sustainable rate of growth. Today,
businesses are increasingly dependent on IT to support the automation of tasks,
and e-Business functions. Email and Web access are no longer just a ‘nice thing
to have,’ they are a necessity. With this, comes increased risks.
Information is an essential resource
for all businesses, and is often a key factor for achieving business goals.
Having the right information in the hands of the right people, at the right
time is a critical success factor. It could be the difference between success
and failure. Today, businesses are so dependent on IT that if any event interrupted
service, productivity would grind to a halt. In many cases, doing a task manually
is no longer an option or even possible.
We have information security initiatives
in business to help prevent those catastrophic occurrences. We must also realize
it is impossible to prevent every incident. With that in mind, it is important
to have a plan to appropriately deal with situations as they occur, possibly
limiting any consequential damage. Information security is about maintaining
confidentiality, integrity, and availability with appropriate controls. It is
not about having the latest-and-greatest experimental technology. Although fun
to play with, it is important to keep the real objectives in mind.
Until next time, cheers!
Benjamin D. Thomas
LinuxSecurity
Feature Extras:
Guardian
Digital Security Solutions Win Out At Real World Linux
– Enterprise Email and Small Business Solutions Impres at Linux Exposition.
Internet and network security was a consistent theme and Guardian Digital
was on hand with innovative solutions to the most common security issues.
Attending to the growing concern for cost-effective security, Guardian Digital’s
enterprise and small business applications were stand-out successes.Interview
with Siem Korteweg: System Configuration Collector
– In this interview we learn how the System Configuration Collector (SCC)
project began, how the software works, why Siem chose to make it open source,
and information on future developments.Security:
MySQL and PHP
– This is the second installation of a 3 part article on LAMP (Linux Apache
MySQL PHP). In order to safeguard a MySQL server to the basic level, one has
to abide by the following guidelines.[ Linux
Advisory Watch ] – [ Linux
Security Week ] – [ PacketStorm
Archive ] – [ Linux Security
Documentation ]
Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
[ Subscribe
]
| Distribution: | Conectiva | ||
| 5/10/2004 | lha | ||
| Multiple vulnerabilities Specially crafted LHarc archives, when processed by lha, may execute arbitrary |
|||
| Distribution: | Debian | ||
| 5/10/2004 | rsync | ||
| Directory traversal vulneraiblity Patch fixes issue where a remote user could cause an rsync daemon to write |
|||
| 5/10/2004 | flim | ||
| Insecure temporary file vulnerability This vulnerability could be exploited by a local user to overwrite files |
|||
| 5/10/2004 | exim | ||
| Buffer overflow vulnerabilities Neither of these stack-based buffer overflows is exploitable with the default |
|||
| 5/12/2004 | exim-tls Buffer overflow vulnerabilities |
||
| Buffer overflow vulnerabilities These can not be exploited with the default configuration from the Debian |
|||
| 5/13/2004 | mah-jong Denial of service vulnerability |
||
| Buffer overflow vulnerabilities A problem has been discovered in mah-jong that can be utilised to crash |
|||
| Distribution: | Fedora | ||
| 5/10/2004 | mc | ||
| Multiple vulnerabilities Several buffer overflows, several temporary file creation vulnerabilities, |
|||
| 5/10/2004 | OpenSSL | ||
| Denial of service vulnerability Testing uncovered a bug in older versions of OpenSSL 0.9.6 prior to 0.9.6d |
|||
| Distribution: | FreeBSD | ||
| 5/10/2004 | heimdal | ||
| Cross-realm trust vulnerability It is possible for the Key Distribution Center (KDC) of a realm to forge |
|||
| 5/10/2004 | crypto_heimdal | ||
| Heap overflow vulnerability A remote attacker may send a specially formatted message to k5admind, causing |
|||
| Distribution: | Gentoo | ||
| 5/10/2004 | LHa | ||
| Multiple vulnerabilities Patch corrects two stack-based buffer overflows and two directory traversal |
|||
| 5/10/2004 | libneon | ||
| Format string vulnerabilities Allows malicious WebDAV server to execute arbitrary code. |
|||
| 5/12/2004 | ClamAV | ||
| Privilege escalation vulnerability With a specific configuration Clam AntiVirus is vulnerable to an attack |
|||
| 5/12/2004 | OpenOffice.org Format string vulnerabilities |
||
| Privilege escalation vulnerability Several format string vulnerabilities are present in the Neon library allowing |
|||
| 5/13/2004 | utempter | ||
| Insecure temporary file vulnerability Utempter contains a vulnerability that may allow local users to overwrite |
|||
| Distribution: | Mandrake | ||
| 5/10/2004 | proftpd | ||
| Access control escape vulnerability CIDR ACLs in version 1.2.9 allow access even to files and directories that |
|||
| 5/12/2004 | rsync | ||
| Directory traversal vulnerability Rsync before 2.6.1 does not properly sanitize paths when running a read/write |
|||
| 5/12/2004 | apache2 | ||
| Denial of service vulnerability A memory leak in mod_ssl in the Apache HTTP Server prior to version 2.0.49 |
|||
| Distribution: | NetBSD | ||
| 5/13/2004 | systrace | ||
| Privilege escalation vulnerability A local user that is allowed to use /dev/systrace can obtain root access. |
|||
| Distribution: | OpenBSD | ||
| 5/10/2004 | cvs | ||
| Pathname validation vulnerabilities Patches for both client and server prevent file creation and modification |
|||
| 5/13/2004 | procfs | ||
| Incorrect bounds checking vulnerability Incorrect bounds checking in several procfs functions could allow an unprivileged |
|||
| Distribution: | Red Hat |
||
| 5/10/2004 | utempter | ||
| Temporary file vulnerability Utemper can be userd to overwrite privileged files with symlink. |
|||
| 5/10/2004 | libpng | ||
| Denial of service vulnerability An attacker could carefully craft a PNG file in such a way that it would |
|||
| 5/10/2004 | OpenOffice | ||
| Format string vulnerability An attacker could create a malicious WebDAV server in such a way as to allow |
|||
| 5/10/2004 | mc | ||
| Multiple vulnerabilities This patch corrects many vulnerabilities of Midnight Commander. |
|||
| 5/12/2004 | kernel | ||
| Multiple vulnerabilities This patches the 2.4.x kernel for a wide variety of platforms to fix a large |
|||
| 5/12/2004 | ipsec-tools Multiple vulnerabilities |
||
| Multiple vulnerabilities This patch fixes three seperate vulnerabilities in IPSec under Red Hat. |
|||
| Distribution: | Slackware | ||
| 5/10/2004 | rsync | ||
| Improper write access vulnerability When running an rsync server without the chroot option it is possible for |
|||
| 5/10/2004 | sysklogd | ||
| Denial of service vulnerability New sysklogd packages are available for Slackware 8.1, 9.0, 9.1, and -current |
|||
| 5/10/2004 | xine-lib Arbitrary code execution vulnerability |
||
| Denial of service vulnerability Playing a specially crafted Real RTSP stream could run malicious code as |
|||
| 5/10/2004 | libpng | ||
| Denial of service vulnerability libpng could be caused to crash, creating a denial of service issue if network |
|||
| 5/10/2004 | lha | ||
| Multiple vulneraiblities Fixes buffer overflows and directory traversal vulnerabilities. |
|||
| 5/13/2004 | apache | ||
| Multiple vulnerabilities Patch corrects denial of service and shell escape vulnerabilities. |
|||
| Distribution: | Suse | ||
| 5/10/2004 | kernel | ||
| Multiple vulnerabilities This patch fixes a large number of minor vulnerabilities and bugs related |
|||
| 5/10/2004 | Live | ||
| CD 9.1 Passwordless superuser A configuration error on the Live CD allows for a passwordless, remote root |
|||
