Author: Benjamin D. Thomas
released for gnupg, kernel, mc, mutt, slocate, XFree86, gaim, freeradius, samba,
phpMyAdmin, clamav, mailman, metamail, racoon, shmat, OpenSSL, and PWLib. The
distributors include Debian, Fedora, Gentoo, Immunix, Mandrake, NetBSD, OpenBSD,
Red Hat, Slackware, SuSE, Trustix, and Turbolinux.
Where Does Security Belong?
In most organizations security is
an extension of the IT department. The security staff may be under networking,
system administration, or even the helpdesk. Why not? The security team is responsible
for solving security problems and a large percentage of the controls that are
put in place are technical. Traditionally, security has to do with user accounts,
access control lists, and occasionally a firewall or two. The environment is
changing. Proper information security today requires risk analysis, security
awareness training, and maintenance of the security policy.
Do you really think someone working
as a security analyst, which is an extension of the helpdesk, is going to be
able to influence the decisions of the CIO or Director of Networking? Who will
enforce the security policy? Someone four job-levels away from executive management
cannot be expected to properly enforce a security policy. Interoffice politics
is too much of a problem.
There are several schools of thought
on this subject. Some believe that security should be its own department in
an organization, which is independent of IT. This way of thinking includes merging
both physical and information security. Others believe that information security
should be an extension of a risk management or internal audit group. What advantages
do both of these have? First, the security team may have better access to executive
management. Also, improved access and department segmentation will help the
political situation. To get an IT control implemented, rather than going through
the typical interoffice political channels, a simple directive from a member
of executive management can get the job done.
Information security is much broader
than IT. To properly mitigate or transfer unacceptable business risks, a coordinated
team is required across the organization. It is time that IT, HR, Finance, Audit,
R&D, and others begin working together. What does this have to do with Linux?
Linux administrators should be aware of the changing environment. In the near
future, security will be part of everyone’s job.
Until next time, cheers!
Benjamin D. Thomas
LinuxSecurity
Feature Extras:
Interview with Vincenzo Ciaglia, Founder of Netwosix – In this article, a brief introduction of Netwosix is given and the project founder Vincenzo Ciaglia is interviewed. Netwosix is a light Linux distribution for system administrators and advanced users.
Introduction to Netwox and Interview with Creator Laurent Constantin – In this article Duane Dunston gives a brief introduction to Netwox, a combination of over 130 network auditing tools. Also, Duane interviews Laurent Constantin, the creator of Netwox.
Managing Linux Security Effectively in 2004 – This article examines the process of proper Linux security management in 2004. First, a system should be hardened and patched. Next, a security routine should be established to ensure that all new vulnerabilities are addressed. Linux security should be treated as an evolving process.
Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
Distribution: Debian
2/18/2004 | gnupg | Cryptographic weakness | Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal
2/18/2004 | kernel | Privilege escalation vulnerability | Due to missing function return value check of internal functions a local
2/18/2004 | kernel | Multiple vulnerabilities | This is actually several related advisories, broken down by platform, but
2/19/2004 | kernel | Many patches for s390 | Several security related problems have been fixed in the Linux kernel 2.4.17
Distribution: Fedora
2/18/2004 | mc | Buffer overflow vulnerability | update CAN-2003-1023 fix to still make vfs symlinks relative, but with bounds
2/18/2004 | kernel | Heap overflow vulnerability | R128 DRI limits checking. (CAN-2004-0003)
2/18/2004 | mutt | Denial of service vulnerability | This package fixes CAN-2004-0078, where a specific message could cause mutt
2/18/2004 | slocate | Privilege leak vulnerability | A local user could exploit this vulnerability to gain “slocate” group privileges
2/18/2004 | XFree86 | Privilege escalation vulnerability | Updated XFree86 packages that fix a privilege escalation vulnerability are
2/18/2004 | gaim | Buffer overflow vulnerability | This update fixes recent gaim security problems as discussed on both the
2/18/2004 | freeradius | Denial of service vulnerability | This version corrects a flaw in 0.9.2 (and all earlier versions of the server)
2/18/2004 | samba | Improper account enabling vuln. | Under some circumstances, Samba 3.0.0 and 3.0.1 could overwrite the password
2/18/2004 | kernel | Privilege escalation vulnerability | Paul Starzetz discovered a flaw in return value checking in mremap() in
2/19/2004 | kernel | Bug in previous patch | The previous security errata (2.4.22-1.2173) unfortunately contained a bug
Distribution: Gentoo
2/18/2004 | phpMyAdmin | Directory traversal vulnerability | A vulnerability in phpMyAdmin which was not properly verifying user generated
2/18/2004 | kernel | Privilege escalation vulnerability | A vulnerability has been discovered by in the ptrace emulation code for
2/19/2004 | clamav | Denial of service vulnerability | Exploit by a malformed uuencoded message would cause a denial of service
Distribution: Immunix
2/13/2004 | XFree86 | Multiple buffer overflows | Greg MacManus, of iDEFENSE Labs, reports finding several potentially exploitable
2/18/2004 | XFree86 | Multiple buffer overflows | Greg MacManus, of iDEFENSE Labs, reports finding several potentially exploitable
Distribution: Mandrake
2/18/2004 | XFree86 | Multiple buffer overflows | Two buffer overflow vulnerabilities were found by iDEFENSE in XFree86’s
2/18/2004 | mailman | Cross-site scripting vulnerabilities | A cross-site scripting vulnerability was discovered in mailman’s administration
2/19/2004 | metamail | Multiple vulnerabilities | Two format string and two buffer overflow vulnerabilities were discovered
Distribution: NetBSD
2/19/2004 | racoon | Remote deletion of SA | IPsec SA/ISAKMP SA may be deleted remotely by malicious third party
2/19/2004 | kernel | Denial of service vulnerability | A malicious party can cause a remote kernel panic by using ICMPv6 “too big”
2/19/2004 | shmat | Privilege escalation vulnerability | A programming error in the shmat(2) system call can result in a shared memory
Distribution: OpenBSD
2/19/2004 | OpenSSL | Denial of service vulnerability | OpenSSL 0.9.6k ASN.1 parser had a possible denial-of-service vulnerability.
Distribution: Red Hat
2/13/2004 | XFree86 | Multiple buffer overflows | A local attacker could exploit this vulnerability by creating a carefully-crafted
2/13/2004 | PWLib | Denial of service vulnerability | The effects of such an attack can vary depending on the application, but
2/18/2004 | XFree86 | Multiple buffer overflows | Updated XFree86 packages that fix a privilege escalation vulnerability are now available.
2/18/2004 | samba | Improper account enabling vuln. | If an account for a user is created, but marked as disabled using the mksmbpasswd
2/18/2004 | kernel | Privilege escalation vulnerability | Updated kernel packages that fix security vulnerabilities which may allow
2/18/2004 | metamail | Multiple vulnerabilities | Ulf Harnhammar discovered two integer overflow bugs and two buffer overflow
Distribution: Slackware
2/13/2004 | mutt | Buffer overflow vulnerability | Upgrade to version 1.4.2i to fix a buffer overflow that could lead to a
2/13/2004 | XFree86 | Multiple buffer overflows | These fix overflows which could possibly be exploited to gain unauthorized
2/18/2004 | kernel | Privilege escalation vulnerability | A bounds-checking problem in the kernel’s mremap() call could be used by
2/18/2004 | metamail | Multiple vulnerabilities | These fix two format string bugs and two buffer overflows which could lead
Distribution: SuSE
2/19/2004 | kernel | Privilege escalation vulnerability | Local attacker can gain write access to previous read-only pages in memory,
Distribution: Trustix
2/13/2004 | mutt | Denial of service vulnerability | It was discovered that certain messages would cause mutt to crash. Mutt
2/18/2004 | kernel | Privilege escalation vulnerability | A hole was discovered in the mremap. Through this hole, it is possible for
Distribution: Turbolinux
2/18/2004 | XFree86 and slocate | Multiple vulnerabilities | (1) XFree86 -> Font file buffer overflows (2) slocate -> Buffer overflows