Author: Benjamin D. Thomas
LinuxSecurity.com: This week, advisories were released for cvs, krb5, kernel, subversion, ethereal, squirrelmail, gallery, Webmin, squid, aspell and tripwire. The distributors include Debian, Fedora, Gentoo, Red Hat, Slackware, Suse, and Trustix.
Open Source Vulnerability Database
The open source community has long been fueled by the drive and inspiration of those wishing to produce software for the good of everyone. Open source allows its users to achieve things that would otherwise not have been possible. Often, proprietary software is too expensive, not flexible, and full of bugs. Users of proprietary software work at the mercy of their vendors with little to no influence on features or functionality. Those organizations who demand security often have trouble getting proprietary software vendors to comply. Open source is a great solution for those wishing to have complete control, including over security, flexibility, and functionality.

Open source thrives on those wishing to share their work for the benefit of the community. To have a successful open source project, it must be backed by individuals who are ultimately committed to the project. Contributors must be willing to donate time and money for the advancement of the cause. Often, open source projects are not properly funded until they are already well established.
Recently, I have had the great pleasure of talking with Tyler Owen, a contributor to the Open Source Vulnerability Database project. He and others associated with the project have shown a lot of initiative. Although it has been slow getting off the ground, there has been a renewed commitment to provide the open source community with a database that indexes security vulnerabilities. Rather than individual open source users being burdened with keeping track of them, OSVDB is striving for it to be a more collaborative process so that work is not duplicated and everyone can benefit.
Full Interview Text Available: http://www.linuxsecurity.com/feature_stories/feature_story-156.html
Until next time, cheers!

Benjamin D. Thomas
LinuxSecurity
Feature Extras:

Interview with Brian Wotring, Lead Developer for the Osiris Project – Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc. He is also the founder of knowngoods.org, an online database of known good file signatures. Brian is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals.

Guardian Digital Launches Next Generation Secure Mail Suite – Guardian Digital, the premier open source security company, announced the availability of the next generation Secure Mail Suite, the industry's most secure open source corporate email system. This latest edition has been optimized to support the changing needs of enterprise and small business customers while continually providing protection from the latest in email security threats.

Linux and National Security – As the open source industry grows and becomes more widely accepted, the use of Linux as a secure operating system is becoming a prominent choice among corporations, educational institutions and government sectors. With national security concerns at an all time high, the question remains: Is Linux secure enough to successfully operate the government and military's most critical IT applications?
Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
Distribution: Debian

| Date | Package | Title | Description |
|---|---|---|---|
| 6/17/2004 | cvs | Multiple vulnerabilities | Sebastian Krahmer and Stefan Esser discovered several vulnerabilities |
| 6/17/2004 | krb5 | Buffer overflow vulnerability | This overflow only applies if aname_to_localname is enabled in the |

Distribution: Fedora

| Date | Package | Title | Description |
|---|---|---|---|
| 6/17/2004 | kernel 2.6.6 | Security enhancement | This upgrade is not specifically security; it fixes many kernel bugs and |
| 6/17/2004 | cvs | Multiple vulnerabilities | Many vulnerabilities, discovered in a recent audit of cvs, are fixed. |
| 6/17/2004 | subversion | Heap overflow vulnerability | If using the svnserve daemon, an unauthenticated client may be able |
| 6/17/2004 | kernel 2.6.6 | Denial of service vulnerability | This update includes a fix for the local denial of service as described |
| 6/17/2004 | ethereal | Security patch correction | These new packages fix a bug in the last errata where the actual |

Distribution: Gentoo

| Date | Package | Title | Description |
|---|---|---|---|
| 6/17/2004 | subversion | Heap overflow vulnerability | Subversion is vulnerable to a remote Denial of Service that may be |
| 6/17/2004 | squirrelmail | Cross site scripting vulnerability | Squirrelmail fails to properly sanitize user input, which could lead to |
| 6/17/2004 | Horde-Chora | Code injection vulnerability | A vulnerability in Chora allows remote code execution and file upload. |
| 6/17/2004 | gallery | Privilege escalation vulnerability | Vulnerability may allow an attacker to gain administrator privileges |
| 6/17/2004 | Horde-IMP | Input validation vulnerability | Horde-IMP fails to properly sanitize email messages that contain |
| 6/17/2004 | Webmin | Multiple vulnerabilities | Webmin contains two security vulnerabilities which could lead to a |
| 6/17/2004 | squid | Buffer overflow vulnerability | Squid contains a bug where it fails to properly check bounds of the |
| 6/17/2004 | aspell | Buffer overflow vulnerability | A bug in the aspell utility word-list-compress can allow an attacker to |

Distribution: Red Hat

| Date | Package | Title | Description |
|---|---|---|---|
| 6/17/2004 | squirrelmail | Multiple vulnerabilities | This patch resolves cross-site scripting and SQL injection |
| 6/17/2004 | tripwire | Format string vulnerability | If Tripwire is configured to send reports via email, a local user could |
| 6/17/2004 | httpd, mod_ssl | Buffer overflow vulnerability | Updated httpd and mod_ssl packages that fix minor security issues in |

Distribution: Slackware

| Date | Package | Title | Description |
|---|---|---|---|
| 6/15/2004 | kernel 2.4.26 | Denial of service vulnerability | Patch resolves ability of local user to crash the kernel. |

Distribution: Suse

| Date | Package | Title | Description |
|---|---|---|---|
| 6/17/2004 | kernel | Denial of service vulnerability | The Linux kernel is vulnerable to a local denial-of-service attack by |
| 6/17/2004 | subversion | Heap overflow vulnerability | This heap overflow is exploitable even before authentication of users. |

Distribution: Trustix

| Date | Package | Title | Description |
|---|---|---|---|
| 6/17/2004 | kernel | Denial of service vulnerability | Stian Skjelstad discovered a bug whereby a non-privileged user can |