Linux Advisory Watch – February 11, 2005

23

Author: Benjamin D. Thomas

This week, advisories were released for python, squid, php, emacs,
postgres, evolution, mailman, hztty, hwbrowser, cups, hotplug,
xpdf, kdegraphics, gallery, perl, and squirrelmail. The
distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat,
and SuSE.Are Your Servers Secure?

By Blessen Cherian

In a word, No. No machine connected to the internet is 100% secure.
This doesn’t mean that you are helpless. You can take measures to
avoid hacks, but you cannot avoid them completely. This is like a
house — when the windows and doors are open then the probability of
a thief coming in is high, but if the doors and windows are closed
and locked the probability of being robbed is less, but still not
nil.

What is Information Security?

For our purposes, Information Security means the methods we use
to protect sensitive data from unauthorized users.

Why do we need Information Security?

The entire world is rapidly becoming IT enabled. Wherever you look,
computer technology has revolutionized the way things operate. Some
examples are airports, seaports, telecommunication industries, and
TV broadcasting, all of which are thriving as a result of the use
of IT. “IT is everywhere.”

A lot of sensitive information passes through the Internet, such
as credit card data, mission critical server passwords, and
important files. There is always a chance of some one viewing and/or
modifying the data while it is in transmission. There are countless
horror stories of what happens when an outsider gets someone’s
credit card or financial information. He or she can use it in any
way they like and could even destroy you and your business by
taking or destroying all your assets. As we all know “An ounce of
prevention beats a pound of cure,” so to avoid such critical
situations, it is advisable to have a good security policy and
security implementation.

Read complete feature story:
http://www.linuxsecurity.com/content/view/118211/49/

 

LinuxSecurity.com
Feature Extras:

Getting
to Know Linux Security: File Permissions
– Welcome to the first
tutorial in the ‘Getting to Know Linux Security’ series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple. If the feedback is
good, I’ll consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.

The
Tao of Network Security Monitoring: Beyond Intrusion Detection

– To be honest, this was one of the best books that I’ve read on network security.
Others books often dive so deeply into technical discussions, they fail to
provide any relevance to network engineers/administrators working in a corporate
environment. Budgets, deadlines, and flexibility are issues that we must all
address. The Tao of Network Security Monitoring is presented in such a way
that all of these are still relevant.

Encrypting
Shell Scripts
– Do you have scripts that contain sensitive information
like passwords and you pretty much depend on file permissions to keep it secure?
If so, then that type of security is good provided you keep your system secure
and some user doesn’t have a “ps -ef” loop running in an attempt to capture
that sensitive info (though some applications mask passwords in “ps” output).

 

Take advantage of our Linux Security discussion
list!
This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with “subscribe” as the subject.

Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week’s most relevant Linux security headline
.


   Debian
  Debian: New Python2.2 packages fix unauthorised
XML-RPC internals access
  4th, February, 2005

For the stable distribution (woody) this problem has been fixed
in version 2.2.1-4.7. No other version of Python in woody is affected.

http://www.linuxsecurity.com/content/view/118182

 
  Debian: New squid packages fix several
vulnerabilities
  4th, February, 2005

LDAP is very forgiving about spaces in search filters and this
could be abused to log in using several variants of the login name, possibly
bypassing explicit access controls or confusing accounting.

http://www.linuxsecurity.com/content/view/118184

 
  Debian: New php3 packages fix several
vulnerabilities
  7th, February, 2005

Updated packages.

http://www.linuxsecurity.com/content/view/118192

 
  Debian: New emacs20 packages fix arbitrary
code execution
  8th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118207

 
  Debian: New PostgreSQL packages fix arbitrary
library loading
  4th, February, 2005

Upgrade

http://www.linuxsecurity.com/content/view/118186

 
  Debian: New xemacs21 packages fix arbitrary
code execution
  8th, February, 2005

Updated xemacs package.

http://www.linuxsecurity.com/content/view/118210

 
  Debian: New xview packages fix potential
arbitrary code execution
  9th, February, 2005

Updated Package

http://www.linuxsecurity.com/content/view/118222

 
  Debian: New evolution packages fix arbitrary
code execution as root
  10th, February, 2005

Max Vozeler discovered an integer overflow in a helper application
inside of Evolution, a free grouware suite. A local attacker could cause
the setuid root helper to execute arbitrary code with elevated privileges.

http://www.linuxsecurity.com/content/view/118234

 
  Debian: New mailman packages fix several
vulnerabilities
  10th, February, 2005

Updated

http://www.linuxsecurity.com/content/view/118235

 
  Debian: New hztty packages fix local
utmp exploit
  10th, February, 2005

Updated package

http://www.linuxsecurity.com/content/view/118245

 
   Fedora
  Fedora Core 3 Update: system-config-printer-0.6.116.1.1-1
  4th, February, 2005

Bug-fix update.

http://www.linuxsecurity.com/content/view/118187

 
  Fedora Core 3 Update: hwbrowser-0.19-0.fc3.2
  4th, February, 2005

Upgrade

http://www.linuxsecurity.com/content/view/118188

 
  Fedora Core 3 Update: python-2.3.4-13.1
  4th, February, 2005

n object traversal bug was found in the Python SimpleXMLRPCServer.

http://www.linuxsecurity.com/content/view/118190

 
  Fedora Core 3 Update: postgresql-7.4.7-1.FC3.2
  7th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118202

 
  Fedora Core 2 Update: postgresql-7.4.7-1.FC2.2
  7th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118203

 
  Fedora Core 2 Update: cups-1.1.20-11.11
  8th, February, 2005

A problem with PDF handling was discovered by Chris Evans, and
has been fixed. The Common Vulnerabilities and Exposures project (www.mitre.org)
has assigned the name CAN-2004-0888 to this issue. FEDORA-2004-337 attempted
to correct this but the patch was incomplete.

http://www.linuxsecurity.com/content/view/118212

 
  Fedora Core 3 Update: cups-1.1.22-0.rc1.8.5
  8th, February, 2005

A problem with PDF handling was discovered by Chris Evans, and
has been fixed. The Common Vulnerabilities and Exposures project (www.mitre.org)
has assigned the name CAN-2004-0888 to this issue. FEDORA-2004-337 attempted
to correct this but the patch was incomplete.

http://www.linuxsecurity.com/content/view/118213

 
  Fedora Core 2 Update: hotplug-2004_04_01-1.1
  8th, February, 2005

This update fixes updfstab in the presence of multiple USB plug/unplug
events.

http://www.linuxsecurity.com/content/view/118214

 
  Fedora Core 3 Update: emacs-21.3-21.FC3
  8th, February, 2005

This update fixes the CAN-2005-0100 movemail vulnerability and
backports the latest bug fixes.

http://www.linuxsecurity.com/content/view/118219

 
  Fedora Core 2 Update: xpdf-3.00-3.8
  9th, February, 2005

Updated XPDF

http://www.linuxsecurity.com/content/view/118223

 
  Fedora Core 3 Update: xpdf-3.00-10.4
  9th, February, 2005

Updated XPDF

http://www.linuxsecurity.com/content/view/118224

 
  Fedora Core 3 Update: kdegraphics-3.3.1-2.4
  9th, February, 2005

Updated KDEGraphics

http://www.linuxsecurity.com/content/view/118225

 
  Fedora Core 2 Update: kdegraphics-3.2.2-1.4
  9th, February, 2005

Updated kdegraphics

http://www.linuxsecurity.com/content/view/118226

 
  Fedora Core 2 Update: gpdf-2.8.2-4.1
  9th, February, 2005

Updated

http://www.linuxsecurity.com/content/view/118230

 
  Fedora Core 3 Update: gpdf-2.8.2-4.2
  9th, February, 2005

Updated

http://www.linuxsecurity.com/content/view/118231

 
  Fedora Core 3 Update: mailman-2.1.5-30.fc3
  10th, February, 2005

There is a critical security flaw in Mailman 2.1.5 which will
allow attackers to read arbitrary files.

http://www.linuxsecurity.com/content/view/118243

 
  Fedora Core 2 Update: mailman-2.1.5-8.fc2
  10th, February, 2005

There is a critical security flaw in Mailman 2.1.5 which will
allow attackers to read arbitrary files.

http://www.linuxsecurity.com/content/view/118244

 
  Fedora Core 2 Update: mod_python-3.1.3-1.fc2.2
  10th, February, 2005

Graham Dumpleton discovered a flaw affecting the publisher handler
of mod_python, used to make objects inside modules callable via URL.

http://www.linuxsecurity.com/content/view/118252

 
  Fedora Core 3 Update: mod_python-3.1.3-5.2
  10th, February, 2005

Graham Dumpleton discovered a flaw affecting the publisher handler
of mod_python, used to make objects inside modules callable via URL.

http://www.linuxsecurity.com/content/view/118253

 
   Gentoo
  Gentoo: pdftohtml Vulnerabilities in
included Xpdf
  9th, February, 2005

pdftohtml includes vulnerable Xpdf code to handle PDF files,
making it vulnerable to execution of arbitrary code upon converting a
malicious PDF file.

http://www.linuxsecurity.com/content/view/118221

 
  Gentoo: LessTif Multiple vulnerabilities
in libXpm
  6th, February, 2005

Multiple vulnerabilities have been discovered in libXpm, which
is included in LessTif, that can potentially lead to remote code execution.

http://www.linuxsecurity.com/content/view/118191

 
  Gentoo: PostgreSQL Local privilege escalation
  7th, February, 2005

The PostgreSQL server can be tricked by a local attacker to
execute arbitrary code.

http://www.linuxsecurity.com/content/view/118199

 
  Gentoo: OpenMotif Multiple vulnerabilities
in libXpm
  7th, February, 2005

Multiple vulnerabilities have been discovered in libXpm, which
is included in OpenMotif, that can potentially lead to remote code execution.

http://www.linuxsecurity.com/content/view/118193

 
  Gentoo: Python Arbitrary code execution
through SimpleXMLRPCServer
  8th, February, 2005

Python-based XML-RPC servers may be vulnerable to remote execution
of arbitrary code.

http://www.linuxsecurity.com/content/view/118216

 
  Gentoo: Python Arbitrary code execution
through SimpleXMLRPCServer
  10th, February, 2005

Python-based XML-RPC servers may be vulnerable to remote execution
of arbitrary code.

http://www.linuxsecurity.com/content/view/118240

 
  Gentoo: Mailman Directory traversal vulnerability
  10th, February, 2005

Mailman fails to properly sanitize input, leading to information
disclosure.

http://www.linuxsecurity.com/content/view/118242

 
  Gentoo: Gallery Cross-site scripting
vulnerability
  10th, February, 2005

The cross-site scripting vulnerability that Gallery 1.4.4-pl5
was intended to fix, did not actually resolve the issue. The Gallery Development
Team have released version 1.4.4-pl6 to properly solve this problem.

http://www.linuxsecurity.com/content/view/118251

 
  Mandrake: Updated perl-DBI packages
  8th, February, 2005

Javier Fernandez-Sanguino Pena disovered the perl5 DBI library
created a temporary PID file in an insecure manner, which could be exploited
by a malicious user to overwrite arbitrary files owned by the user executing
the parts of the library. The updated packages have been patched to prevent
these problems.

http://www.linuxsecurity.com/content/view/118217

 
   Mandrake
  Mandrake: Updated perl packages fix
  8th, February, 2005

Updated perl package.

http://www.linuxsecurity.com/content/view/118218

 
   Red
Hat
  RedHat: Updated Perl packages fix security
issues
  7th, February, 2005

Updated Perl packages that fix several security issues are now
available for Red Hat Enterprise Linux 3.

http://www.linuxsecurity.com/content/view/118195

 
  RedHat: Updated mailman packages fix
security
  10th, February, 2005

Updated mailman packages that correct a mailman security issue
are now available.

http://www.linuxsecurity.com/content/view/118239

 
  RedHat: Updated kdelibs and kdebase packages
correct
  10th, February, 2005

Updated kdelib and kdebase packages that resolve several security
issues are now available.

http://www.linuxsecurity.com/content/view/118246

 
  RedHat: Updated mod_python package fixes
security issue
  10th, February, 2005

An Updated mod_python package that fixes a security issue in
the publisher handler is now available.

http://www.linuxsecurity.com/content/view/118247

 
  RedHat: Updated emacs packages fix security
issue
  10th, February, 2005

Updated Emacs packages that fix a string format issue are now
available.

http://www.linuxsecurity.com/content/view/118248

 
  RedHat: Updated xemacs packages fix security
issue
  10th, February, 2005

Updated XEmacs packages that fix a string format issue are now
available.

http://www.linuxsecurity.com/content/view/118249

 
  RedHat: Updated Squirrelmail package
fixes security
  10th, February, 2005

An updated Squirrelmail package that fixes several security
issues is now available for Red Hat Enterprise Linux 3.

http://www.linuxsecurity.com/content/view/118250

 
   SuSE
  SuSE: kernel bugfixes and SP1 merge
  4th, February, 2005

Two weeks ago we released the Service Pack 1 for our SUSE Linux
Enterprise Server 9 product. Due to the strict code freeze we were not
able to merge all the security fixes from the last kernel update on Jan23rd
(SUSE-SA:2005:003) into this kernel.

http://www.linuxsecurity.com/content/view/118185

 
  SuSE: squid (SUSE-SA:2005:006)
  10th, February, 2005

The last two squid updates from February the 1st and 10th fix
several vulnerabilities. The impact of them range from remote denial-of-service
over cache poisoning to possible remote command execution.

http://www.linuxsecurity.com/content/view/118241