Linux Advisory Watch – April 23, 2004


Author: Benjamin D. Thomas

This week, advisories were
released for cvs, neon, perl, logcheck, kernel, iproute, xchat, ident2, utempter,
cadaver, XChat, libneon, MySQL, samba, utempter, OpenSSL, tcp, IA64, XFree86,
tcpdump, and xine. The distributors include Debian, Fedora, Gentoo, Mandrake,
NetBSD, Red Hat, Slackware, and Trustix.

Data Classification

One of the biggest problems in security
today is that business managers and security administrators do not have a good
idea of how much their organization’s proprietary data is worth. Consider the
example of a company’s client details or schematics for a new product. How much
money should be spent to protect it? Who should access it? If this information
is leaked to competitors, how much impact would it have on the business? If
you aren’t asking these types of questions, you should be.

One of the first steps in risk management
in any organization is determining the assets. Later, a value is assigned to
each asset and known risks are either accepted, transferred, or mitigated. When
Determining the value of an organization’s information can very easily become
infinitely complex.

A technique commonly used to assist
with the valuation of information is data classification. The concept involves
assigning a label and in some cases a classification to a piece of information,
or a document. For example, documents in any government agency will be assigned
labels such as unclassified, classified, secret, or top secret. Sometimes labeling
is more granular including labels such as unclassified but sensitive, or internal.
Most governments implement this in slightly different ways. A security classification
describes who the information is intended for. For example, a budgeting document
could be labeled classified and only intended for the finance and accounting
departments. This means that the document’s label is classified and the classification
is finance and accounting. In theory, only those individuals in the finance
and accounting departments with classified clearance should be able to access
that particular document.

Assigning labels to information
gives security administrators a logical way to create a protection strategy.
Appropriately applying security controls can be easier if similar data is held
in similar places. Back to the budgeting document example, because it is classified
and intended only for finance or accounting, it should only be stored on a confidential,
accounting or finance data-store/server. It is not always necessary to have
separate servers for each label. Segmentation can be done just as easily by
assigning group permissions to specific directories on a single server.
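The single-server segmentation described above, together with the label-plus-clearance model from the earlier paragraph, is easy to show in POSIX shell. The following functions are an added example written for this page; they are not code from the newsletter, from LinuxSecurity or from its author. The directory labels (such as finance-classified), the base path and the group names are hypothetical placeholders; mode 2770 (setgid, owner and group only, nothing for "other") is the assumed policy for a labelled directory, and the group-membership test stands in for the "clearance" check.

```shell
#!/bin/sh
# Added example, not from the newsletter: segment a data store by label using
# directories and group permissions on one server. Labels, paths and group
# names are hypothetical placeholders.

# make_classified_dir BASE LABEL GROUP
# Creates BASE/LABEL owned by GROUP with mode 2770: owner and group may read,
# write and traverse; "other" gets nothing; the setgid bit makes files created
# inside inherit GROUP, so the label sticks to new documents automatically.
# Prints the path of the directory it created.
make_classified_dir() {
    base=$1; label=$2; group=$3
    dir="$base/$label"
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2770 "$dir" || return 1
    printf '%s\n' "$dir"
}

# check_classified_dir DIR
# Succeeds only if DIR's permission bits are exactly 2770, i.e. the setgid bit
# is present and nothing is granted to "other". find -perm with an exact octal
# mode is POSIX and behaves the same on GNU and BSD userlands.
check_classified_dir() {
    [ -d "$1" ] && [ -n "$(find "$1" -prune -perm 2770 -print 2>/dev/null)" ]
}

# user_in_group USER GROUP
# The "clearance" check: succeeds if USER is a member of GROUP (primary or
# supplementary). A non-existent user simply fails the check.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# audit_store BASE
# Lists every immediate subdirectory of BASE and flags those whose mode is not
# 2770, which is how permission drift on a labelled directory is spotted later.
# Returns 0 when every label directory is compliant, 1 otherwise.
audit_store() {
    rc=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        if check_classified_dir "$d"; then
            printf 'ok        %s\n' "$d"
        else
            printf 'NONCOMPL  %s\n' "$d"
            rc=1
        fi
    done
    return $rc
}

# Usage (as root, with a real department group):
#   make_classified_dir /srv/data finance-classified finance
#   user_in_group alice finance && echo "alice may enter finance-classified"
#   audit_store /srv/data
```

Run as an unprivileged user, the functions still work as long as the group passed to make_classified_dir is one the caller already belongs to (the kernel clears the setgid bit on a chmod by a non-member). The audit function is the part worth scheduling: a label is only as good as the permissions that enforce it, and a single chmod by a well-meaning admin silently turns a classified directory into an internal one.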

Data classification allows
managers to more easily determine the type and quantity of information used
by an organization. Also, it can simplify the security administrator’s role
of providing consistent access control across all information used.

Until next time, cheers!
Benjamin D. Thomas

LinuxSecurity Feature Extras:

Next Generation Internet Defense & Detection System – Guardian Digital has announced the first fully open source system designed to provide both intrusion detection and prevention functions. Guardian Digital Internet Defense & Detection System (IDDS) leverages best-in-class open source applications to protect networks and hosts using a unique multi-layered approach coupled with the security expertise and ongoing security vigilance provided by Guardian Digital.

Interview with Siem Korteweg: System Configuration Collector – In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.

Security: MySQL and PHP – This is the second installment of a 3-part article on LAMP (Linux Apache MySQL PHP). In order to safeguard a MySQL server to the basic level, one has to abide by the following guidelines.



Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

Distribution: Debian

4/17/2004 cvs: Multiple vulnerabilities
Patch fixes bugs for both server and client which allow the creation of arbitrary files.
Debian advisory 4243

4/17/2004 neon: Format string vulnerability
These vulnerabilities could be exploited by a malicious WebDAV server to execute arbitrary code with libneon’s privileges.
Debian advisory 4244

4/19/2004 perl: Information leak vulnerabilities
DSA 431-1 incorporated a partial fix for this problem. This advisory includes a more complete fix which corrects some additional cases.
Debian advisory 4245

4/19/2004 logcheck: Insecure temporary directory
This bug may be exploited to write or read arbitrary directories to which the user has access.
Debian advisory 4246

4/19/2004 kernel 2.4.17: Multiple vulnerabilities
This patch takes care of multiple kernel vulnerabilities, specifically for kernel 2.4.17 on the PowerPC/apus and S/390 architectures.
Debian advisory 4247

4/19/2004 kernel 2.4.19: Multiple vulnerabilities
Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.17 for the MIPS architecture.
Debian advisory 4248

4/19/2004 zope: Arbitrary code execution vulnerability
A flaw in the security settings of ZCatalog allows anonymous users to call arbitrary methods of catalog indexes. The vulnerability also allows untrusted code to do the same.
Debian advisory 4249

4/19/2004 iproute: Denial of service vulnerability
Herbert Xu reported that local users could cause a denial of service against iproute, a set of tools for controlling networking in Linux kernels.
Debian advisory 4250

4/21/2004 xchat: Buffer overflow vulnerability
This bug allows an attacker to execute arbitrary code on the user’s machine.
Debian advisory 4263

4/22/2004 ident2: Buffer overflow vulnerability
This vulnerability could be exploited by a remote attacker to execute arbitrary code with the privileges of the ident2 daemon (by default, the “identd” user).
Debian advisory 4269

Distribution: Fedora

4/21/2004 utempter: Improper directory traversal vulnerability
An updated utempter package that fixes a potential symlink vulnerability is now available.
Fedora advisory 4265

Distribution: Gentoo

4/19/2004 cadaver: Multiple format string vulnerabilities
There are multiple format string vulnerabilities in the neon library used in cadaver, possibly leading to execution of arbitrary code.
Gentoo advisory 4251

4/19/2004 XChat: Stack overflow vulnerability
XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code.
Gentoo advisory 4252

4/19/2004 monit: Multiple vulnerabilities
Two new vulnerabilities have been found in the HTTP interface of monit, possibly leading to denial of service or execution of arbitrary code.
Gentoo advisory 4253

Distribution: Mandrake

4/19/2004 utempter: Multiple vulnerabilities
Incorrect path validation and denial of service vulnerabilities are patched here.
Mandrake advisory 4257

4/20/2004 libneon: Format string vulnerabilities
A number of various format string vulnerabilities were discovered in the error output handling of Neon.
Mandrake advisory 4259

4/20/2004 xine-ui: Temporary file vulnerability; Format string vulnerabilities
This problem could allow local attackers to overwrite arbitrary files with the privileges of the user invoking the script.
Mandrake advisory 4260

4/20/2004 MySQL: Temporary file vulnerabilities
An attacker could create symbolic links in /tmp that could allow for overwriting of files with the privileges of the user running the scripts.
Mandrake advisory 4261

4/20/2004 samba: Privilege escalation vulnerability
A user can use smbmnt along with a remote suid program to gain root privileges remotely.
Mandrake advisory 4262

4/22/2004 utempter: Update to patch MDKSA-2004:031
This patch corrects some small problems with the original utempter patch, released April 19th.
Mandrake advisory 4270

4/22/2004 xchat: Improper execution vulnerability
Successful exploitation could lead to arbitrary code execution as the user running XChat.
Mandrake advisory 4271

Distribution: NetBSD

4/21/2004 OpenSSL: Denial of service vulnerabilities
This patch fixes two separate denial of service vulnerabilities.
NetBSD advisory 4267

4/21/2004 tcp: Denial of service vulnerability
Patch modifies the TCP/IP stack to minimize the probability of a disconnection or data injection attack, even without using IPSec.
NetBSD advisory 4268

Distribution: Openwall

4/19/2004 kernel: Multiple vulnerabilities
Descriptions and links for the newest kernel patches.
Openwall advisory 4256

Distribution: Red Hat

4/21/2004 kernel: Multiple vulnerabilities
Updated kernel packages that fix several minor security vulnerabilities are now available.
Red Hat advisory 4266

4/22/2004 kernel: Buffer overflow vulnerability
Updated kernel packages that fix a security vulnerability which may allow local users to gain root privileges are now available.
Red Hat advisory 4272

4/22/2004 IA64 kernel: Multiple vulnerabilities
Updated IA64 kernel packages fix a variety of security vulnerabilities.
Red Hat advisory 4273

4/22/2004 XFree86: Denial of service vulnerability
Flaws in XFree86 4.1.0 allow local or remote attackers who are able to connect to the X server to cause a denial of service.
Red Hat advisory 4274

Distribution: Slackware

4/19/2004 tcpdump: Denial of service vulnerability
Upgraded tcpdump packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix denial-of-service issues.
Slackware advisory 4254

4/19/2004 cvs: Arbitrary file creation vulnerabilities
Two separate cvs vulnerabilities, one for the client and one for the server, allow the creation of files at arbitrary paths.
Slackware advisory 4255

4/20/2004 utempter: Insecure symlink vulnerability
Steve Grubb has identified an issue with utempter-0.5.2 where under certain circumstances an attacker could cause it to overwrite files through a symlink.
Slackware advisory 4258

4/21/2004 xine: Insecure temporary file vulnerability
This release fixes a security problem where opening a malicious MRL could write to system (or other) files.
Slackware advisory 4264

Distribution: Trustix

4/16/2004 ppp/squid: ACL escape vulnerability; Insecure temporary file vulnerability
The PPP fix is a simple bugfix. The Squid fix involves the ability to craft a URL to be ignored by Squid’s ACLs.
Trustix advisory 4241

4/16/2004 kernel: Multiple vulnerabilities
This patch fixes a variety of kernel security holes, some filesystem related.
Trustix advisory 4242

4/22/2004 kernel: Integer overflow vulnerability
A successful exploit could lead to full superuser privileges.
Trustix advisory 4275
