Linux Advisory Watch – July 9, 2004

Author: Benjamin D. Thomas

This week, advisories were released for webmin, pavuk, kernel, mailman, rsync, Esearch, Apache, Pure-FTPd, XFree86, libpng, Shorewall, tripwire and httpd. The distributors include Debian, Fedora, FreeBSD, Gentoo, Mandrake, Red Hat and Suse.

Kerberos, Part I

Introduction

Kerberos is an authentication system developed by the Athena Project at MIT. When a user logs in, Kerberos authenticates that user (using a password) and provides the user with a way to prove her identity to other servers and hosts scattered around the network.

This authentication is then used by programs such as rlogin to allow the user to log in to other hosts without a password (in place of the .rhosts file). The same authentication can also be used by the mail system to guarantee that mail is delivered to the correct person, and that the sender is who he claims to be.

The overall effect of installing Kerberos and the numerous other programs that go with it is to virtually eliminate the ability of users to “spoof” the system into believing they are someone else. Unfortunately, installing Kerberos is very intrusive, requiring the modification or replacement of numerous standard programs.

Implementation

Implementing Kerberos on the client isn’t too difficult; implementing a server is a different story. The document The Moron’s Guide to Kerberos does a good job of explaining Kerberos in more detail, as well as guiding users and administrators through the process of creating and using the server. It is available at the following URL:

http://www.isi.edu/gost/brian/security/kerberos.html

Most distributions include support for Kerberos. Distributions that use PAM are much easier to configure: applications normally have to be recompiled to use Kerberos as their authentication mechanism, but PAM avoids that by letting you ‘plug in’ a Kerberos authentication module to the existing login stack.
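As an added illustration, not part of the original tip, here is what plugging Kerberos into a PAM-based distribution looks like: a minimal client-side krb5.conf and a PAM stack for login that tries Kerberos first and falls back to the local password database. The realm EXAMPLE.COM, the KDC host kdc.example.com, the file paths and the module options are assumptions for the example; the option names shown (try_first_pass, minimum_uid) are those of the common pam_krb5 modules, but check the manual page of the module your distribution ships.

```text
# --- /etc/krb5.conf (client side) ---
# Realm and host names below are assumptions for this example.
[libdefaults]
    default_realm = EXAMPLE.COM
# Name the KDC explicitly rather than discovering it through DNS.
    dns_lookup_kdc = false
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# --- /etc/pam.d/login (client side) ---
# Try the Kerberos module first; if the KDC rejects the password (or is
# unreachable) fall through to the local shadow database. minimum_uid
# keeps system accounts such as root out of Kerberos entirely.
auth     sufficient  pam_krb5.so try_first_pass minimum_uid=1000
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
session  optional    pam_krb5.so
session  required    pam_unix.so
```

Test the client half with kinit and klist before touching the PAM stack, so a KDC or clock-skew problem (Kerberos tolerates only a few minutes of drift by default) cannot lock you out of the machine. One caveat a password-only setup hides: unless the host has its own key in /etc/krb5.keytab and the module validates the ticket it obtains against that key (the Red Hat pam_krb5 module calls this option validate; other modules do it automatically when a keytab is present), an attacker who can answer for the KDC on the network can hand back a bogus ticket and be accepted for any password.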

Kerberos isn’t for everyone. Install the client support for your distribution if you require it to connect to a Kerberos server on your network. Install the Kerberos server if you have to support a large number of distributed clients and require the extra authentication.

Generally, using the Secure Shell is a fine alternative for authenticating users before logging into remote machines or transferring files.

Next week, we will explore how Kerberos actually works.

Security Tip Written by Dave Wreski (ben@guardiandigital.com)
Additional tips are available at the following URL:
http://www.linuxsecurity.com/tips/

—–

LinuxSecurity Feature Extras:

Open Source Leaving Microsoft Sitting on the Fence?
The open source model, with special regard to Linux, has no doubt become a formidable competitor to the once sole giant of the software industry, Microsoft. It is expected that when the market share of an industry leader becomes threatened, retaliation with new product or service offerings and marketing campaigns refuting the claims of the newfound competition is inevitable. However, in the case of Microsoft, it seems they have not taken a solid or plausible position on the use of open source applications as an alternative to Windows.

Interview with Brian Wotring, Lead Developer for the Osiris Project
Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc. He is also the founder of knowngoods.org, an online database of known good file signatures. Brian is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals.

Guardian Digital Launches Next Generation Secure Mail Suite
Guardian Digital, the premier open source security company, announced the availability of the next generation Secure Mail Suite, the industry’s most secure open source corporate email system. This latest edition has been optimized to support the changing needs of enterprise and small business customers while continually providing protection from the latest in email security threats.



Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

 
Distribution: Debian

7/8/2004 webmin
  Multiple vulnerabilities

This patch addresses an ACL bypass and the ability to use brute force to get IDs and passwords.

Debian 4548

7/8/2004 pavuk
  Buffer overflow vulnerability

An oversized HTTP 305 response sent by a malicious server could cause arbitrary code to be executed with the privileges of the pavuk process.

Debian 4549

Distribution: Fedora

7/2/2004 kernel
  Privilege change vulnerability

During an audit of the Linux kernel, SUSE discovered a flaw in the Linux kernel that inappropriately allows an unprivileged user to change the group ID of a file to his/her own group ID.

Fedora 4532

7/2/2004 mailman
  Password leak vulnerability

Mailman subscriber passwords could be retrieved by a remote attacker.

Fedora 4533

7/2/2004 rsync
  Path escape vulnerability

A write-enabled, non-chrooted rsync daemon could write outside of a module’s path.

Fedora 4534

7/8/2004 kernel
  Corrected md5 sums

This posting gives the correct md5 sums for the previous kernel update.

Fedora 4547

Distribution: FreeBSD

7/2/2004 kernel
  Improper memory access vulnerability

It may be possible for a local attacker to read and/or overwrite portions of kernel memory, resulting in disclosure of sensitive information or potential privilege escalation.

FreeBSD 4531

Distribution: Gentoo

7/2/2004 Esearch
  Insecure temp file vulnerability

A missing symlink check makes it possible for any local user to create arbitrary files.

Gentoo 4530

7/8/2004 kernel
  Multiple vulnerabilities

This patch addresses a large number of kernel vulnerabilities.

Gentoo 4541

7/8/2004 Apache 2
  Denial of service vulnerability

A remote attacker can perform a denial of service attack, with a possible heap-based buffer overflow.

Gentoo 4542

7/8/2004 Pure-FTPd
  Denial of service vulnerability

Pure-FTPd contains a bug potentially allowing a denial of service attack when the maximum number of connections is reached.

Gentoo 4543

7/8/2004 XFree86
  Improper access vulnerability

This bug may allow authorized users to access a machine remotely via X, even if the administrator has configured XDM to refuse such connections.

Gentoo 4544

7/8/2004 libpng
  Buffer overflow vulnerability

The vulnerability allows an attacker to perform a denial of service attack or even execute arbitrary code.

Gentoo 4545

7/8/2004 Shorewall
  Insecure temp file vulnerability

This can allow a non-root user to overwrite arbitrary system files.

Gentoo 4546

Distribution: Mandrake

7/8/2004 tripwire
  Format string vulnerability

A format string vulnerability in tripwire could allow a local user to execute arbitrary code with the rights of the user running tripwire (typically root).

Mandrake 4539

7/8/2004 kernel
  Multiple vulnerabilities

This patch addresses a large number of vulnerabilities, including the ability for a user to set the gid of arbitrary files.

Mandrake 4540

Distribution: Red Hat

7/8/2004 kernel
  (Enterprise Linux 3) File metadata change vulnerability

Using NFS, a user could make unauthorized changes to files’ GID.

Red Hat 4536

7/8/2004 kernel
  (Enterprise Linux 2.1) File metadata change vulnerability

Using NFS, a user could make unauthorized changes to files’ GID.

Red Hat 4537

7/8/2004 httpd
  Multiple vulnerabilities

Updated httpd packages that fix a buffer overflow in mod_ssl and a remotely triggerable memory leak are now available.

Red Hat 4538

Distribution: Suse

7/8/2004 kernel
  Multiple vulnerabilities

Multiple security vulnerabilities are being addressed with this security update of the Linux kernel.

SUSE 4535
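The two Gentoo entries above for Esearch and Shorewall describe the same bug class: a privileged program writes to a predictable file name in a shared directory without guarding against a symlink that a local user planted there first. The script below is an added illustration of that pattern and its fix, written for this newsletter and not taken from either project. It assumes a POSIX sh and a mktemp(1) that accepts a template argument, and it stages the whole demonstration inside a throwaway directory it creates itself instead of the real /tmp.

```shell
#!/bin/sh
# Added example (not Esearch's or Shorewall's code): the insecure temporary
# file pattern behind the two Gentoo advisories, next to the safe version.

# VULNERABLE: a fixed, guessable name in a directory other users can write.
# If a local user has already planted a symlink at that path, the shell
# redirection follows it and truncates whatever the link points at.
vulnerable_write() {   # $1 = scratch dir, $2 = data to stage
    tmp="$1/scratch.tmp"
    printf '%s\n' "$2" > "$tmp"    # follows the planted symlink
    rm -f "$tmp"                   # removes only the link; damage is done
}

# SAFE: mktemp(1) creates the file itself with O_CREAT|O_EXCL and mode 0600
# under an unpredictable name, so nothing can be sitting there in advance.
safe_write() {         # $1 = scratch dir, $2 = data to stage
    tmp=$(mktemp "$1/scratch.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    rm -f "$tmp"
}

# Run one of the two writers against a constructed sandbox in which an
# "attacker" has pre-planted scratch.tmp as a symlink to a victim file.
# Returns 0 if the victim file survived untouched, 1 if it was clobbered.
demo() {               # $1 = vulnerable_write or safe_write
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/race.XXXXXX") || return 2
    victim="$sandbox/victim"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$sandbox/scratch.tmp"      # the attacker's move
    "$1" "$sandbox" "attacker controlled content"
    result=$(cat "$victim")
    rm -rf "$sandbox"
    [ "$result" = "original" ]
}

# Stand-alone run: report both outcomes.
demo vulnerable_write && echo "vulnerable_write: victim intact (unexpected)" \
                      || echo "vulnerable_write: victim clobbered"
demo safe_write       && echo "safe_write: victim intact" \
                      || echo "safe_write: victim clobbered (unexpected)"
```

Run it as sh race.sh: the vulnerable writer reports the victim clobbered, the safe one leaves it intact. The fix works because mktemp opens with O_EXCL, which fails rather than follows a pre-existing link, so the attacker no longer chooses where the privileged write lands. Checking for a symlink and then opening the path would not be enough; the attacker can plant the link between the check and the open.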