Linux Advisory Watch – August 22nd 2003

– by Benjamin D. Thomas –
This week, advisories were released for openslp, zip, netris, autorespond, unzip,
eroaster, and GDM. The distributors include Conectiva, Debian, Mandrake, and Red
Hat.

The United States National Institute of Standards and Technology recently released
the second draft of the “Guide
for the Security Certification and Accreditation of Federal Information System.”
It is currently in the second public comment period, which ends August 31st
2003. Although the document is intended for government agency use, it is easily
applicable to organizations of other types. As information security is becoming
a more important function of conducting business, there is an ever increasing
need for standards and methodologies. This document is an excellent starting
point for those interested in creating an organization wide information security
program and/or certification and accreditation procedures.

The document begins with an introduction to the concept of certification and
accreditation. It includes the system development life cycle, component evaluation,
assessment activities, as well as other important information. Next, the document
overviews the fundamentals of C&A including roles and responsibilities, information
system categories, documentation, and monitoring. Overall, the first two chapters
of this document provide a very overview of the base knowledge required to setup
a certification and accreditation program in your organization.

The final chapter of this document walks readers through the entire process
of C&A. It covers initiation, certification, accreditation, and finally monitoring.
This chapter gives readers a very good indication of the work required to implement
and C&A program. In addition, after reading this chapter the importance of beginning
the C&A process becomes apparent.

In addition to clear and informative writing, the document also provides many
easy to read diagrams. The illustrations provided help readers more easily visualize
the authors intentions. If you haven’t had a chance to take a look at this document,
I highly recommend it. The information is valuable and freely available. The
entire document can be found at the following URL:

http://csrc.nist.gov/publications/drafts/sp800-37-Draftver2.pdf

Until next time,
Benjamin D. Thomas

 

LinuxSecurity Feature
Extras:

Expert
vs. Expertise: Computer Forensics and the Alternative OS – No longer
a dark and mysterious process, computer forensics have been significantly
on the scene for more than five years now. Despite this, they have only recently
gained the notoriety they deserve.

REVIEW:
Linux Security Cookbook – There are rarely straightforward solutions
to real world issues, especially in the field of security. The Linux Security
Cookbook is an essential tool to help solve those real world problems. By
covering situations that apply to everyone from the seasoned Systems Administrator
to the security curious home user, the Linux Security Cookbook distinguishes
itself as an indispensible reference for security oriented individuals.

[ Linux
Advisory Watch ] – [ Linux
Security Week ] – [ PacketStorm
Archive ] – [ Linux Security
Documentation ]

 

Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
[ Subscribe
]

 

Distribution:			Conectiva
	8/15/2003	openslp
		tmp file creation vulnerability There is a symbolic link vulnerability in the initscript used to control the openslp daemon. http://www.linuxsecurity.com/advisories/connectiva_advisory-3563.html
	8/21/2003	zip
		directory traversal vulnerability This is a reedition of the announcement CLSA-2003:672[1]. http://www.linuxsecurity.com/advisories/connectiva_advisory-3564.html
Distribution:			Debian
	8/17/2003	netris
		Buffer overflow vulnerability A netris client connectingto an untrusted netris server could be sent an unusually long datapacket, which would be copied into a fixed-length buffer withoutbounds checking. http://www.linuxsecurity.com/advisories/debian_advisory-3559.html
	8/16/2003	autorespond
		Buffer overflow vulnerability This vulnerability could potentiallybe exploited by a remote attacker to gain the privileges of a user whohas configured qmail to forward messages to autorespond. http://www.linuxsecurity.com/advisories/debian_advisory-3560.html
	8/18/2003	man-db denial of service vulnerability
		Buffer overflow vulnerability This update introduced an error in the routinethat resolves hardlinks: depending on the filenames of hardlinked manpages, that routine might itself overrun allocated memory, causing asegmentation fault. http://www.linuxsecurity.com/advisories/debian_advisory-3565.html
Distribution:			Mandrake
	8/21/2003	unzip
		arbitrary file overwrite vulnerability A vulnerability was discovered in unzip 5.50 and earlier that allows attackers to overwrite arbitrary files during archive extraction by placing non-printable characters between two “.” characters. http://www.linuxsecurity.com/advisories/mandrake_advisory-3566.html
	8/21/2003	eroaster
		tmp file creation vulnerability A vulnerability was discovered in eroaster where it does not take any security precautions when creating a temporary file for the lockfile. http://www.linuxsecurity.com/advisories/mandrake_advisory-3567.html
Distribution:			Red Hat
	8/15/2003	unzip
		Trojan vulnerability Updated unzip packages resolving a vulnerability allowing arbitrary filesto be overwritten are now available. http://www.linuxsecurity.com/advisories/redhat_advisory-3561.html
	8/21/2003	GDM
		multiple vulnerabilities Updated GDM packages are available which correct a bug allowing local usersto read any text files on the system, and a denial of service issue ifXDMCP is enabled. http://www.linuxsecurity.com/advisories/redhat_advisory-3568.html