Linux Advisory Watch – March 18, 2005

35

Author: Benjamin D. Thomas

This week, advisories were released for gaim, kdenetwork, squirrelmail, luxman,
hwbrowser, at, bind, openoffice,ipsec-tools, sylpheed, koffice, qt, ImageMagick,
ethereal, udev, libXpm, Ethereal, rmtree, curl, cyrus-sasl, gnupg, openslp,
tetex, postfix, and squid. The distributors include Conectiva, Debian, Fedora,
Gentoo, Mandrake, Red Hat, and SuSE.Information Security

In today’s business world there is an ever-growing reliance on information
technology. Businesses and organizations rely on IT for distributed processing,
the automation of tasks and electronic commerce. Processing that would have
been done by hand years ago is now done completely on computers. This has evolved
so much that many tasks are no longer feasible to conduct by hand. In fact,
in some cases it would be impossible. Typical business objects include maximizing
profit, having high sustainable growth, and keeping costs low. In information
security, we are aiming to preserve the confidentiality, integrity, and availability
of information from disclosure, modification, destruction or misuse. Businesses
are at risk of loss of income, loss of competitive advantage, or possibly legal
penalties if no compliant with regulations.

Why information security? Information is an essential resource for business
today. Have the right information at the right time in the hands of the right
people is often the difference between profit/loss, and success/failure. We
must understand that information is a key business asset and preserving confidentiality,
integrity, and availability is crucial to the continued success of the business.
Once again, manual processing is no longer a feasible option. In the event of
a failure, the employees would loose productivity and it would be very costly
to the company. Information security can help protect from confidentiality breaches.
In the event of the unauthorised disclosure of schematics, a business could
loose millions to a competitor and loss of R&D time and money. Ensuring
data integrity is also essential. Information security is also important to
detect any violations that may occur, or mitigate any consequential damages
that may occur from a breach. Also, information security practice can aid in
the planning and facilitate a recovery strategy, ensuring that impact and loss
in minimized. In the event of an investigation, having proper information security
procedures in place can assist in the process of gather evidence.

If managed properly, information security can be a business enabler. Rather
than the ‘badge and gun’ attitude, information security professionals should
approach it from a business perspective. How can information security save the
organization money? How can it increase customer loyalty, etc. If information
security does not seem to help an organization, and only restrict, it will not
be a priority for executive management. Gaining top management support is crucial
to creating a security environment.

The recommended approach for information security management includes setting
a security policy, conducting a risk analysis, managing those risks, setting
appropriate policies and procedures, monitoring, and developing a secure awareness
and training program. The traditional information security mechanisms include:
access control, encipherment, authentication, policies, procedures, and training.

Information security is important, but why management? As security professionals,
we must realize that technology is only part of the solution. Security is mostly
a people problem, and people need managing. Policies, procedures, and creating
an information security centred culture in an organization can often go much
farther than technology alone can provide. Security is only as strong as the
weakest link in the system. Often, the weakest link is management. Information
security management provides managers with the appropriate information to make
decisions based on knowledge and facts, rather than feelings. Managers no longer
should make decisions based on fear, uncertainty, and doubt, but make decisions
which apply appropriate controls for the information at risk. Appropriate means
a balance between controls/convenience, and costs of control/potential loss.
Information security should not be only a set of restrictive controls, it should
be a business enabler.

Management activities such as risk analysis, ownership, policy creation/enforcement,
procedures, should all be part of an overall information security program. Often,
the best way to approach management is using well thought-out standards and
methodologies such as ISO17799 and the ISF Standards. Information security exists
in business, only to support business. We should realize that.

Written by:
Benjamin D. Thomas

 

LinuxSecurity.com
Feature Extras:

Getting
to Know Linux Security: File Permissions
– Welcome to the first
tutorial in the ‘Getting to Know Linux Security’ series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple. If the feedback is
good, I’ll consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.

The
Tao of Network Security Monitoring: Beyond Intrusion Detection

– To be honest, this was one of the best books that I’ve read on network security.
Others books often dive so deeply into technical discussions, they fail to
provide any relevance to network engineers/administrators working in a corporate
environment. Budgets, deadlines, and flexibility are issues that we must all
address. The Tao of Network Security Monitoring is presented in such a way
that all of these are still relevant.

Encrypting
Shell Scripts
– Do you have scripts that contain sensitive information
like passwords and you pretty much depend on file permissions to keep it secure?
If so, then that type of security is good provided you keep your system secure
and some user doesn’t have a “ps -ef” loop running in an attempt to capture
that sensitive info (though some applications mask passwords in “ps” output).

 

Take advantage of our Linux Security discussion
list!
This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with “subscribe” as the subject.

Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week’s most relevant Linux security headline
.


   Conectiva
  Conectiva: gaim Fixes for gaim’s vulnerabilities
  14th, March, 2005

Gaim[1] is a multi-protocol instant messaging (IM) client. This
announcement fixes three denial of service vulnerabilities that were encountered
in Gaim.

http://www.linuxsecurity.com/content/view/118571

 
  Conectiva: kdenetwork Fix for kppp vulnerability
  16th, March, 2005

kppp[1] is the KDE[2] internet dialer. This announcement fixes
a privileged file descriptors leak vulnerability[3,4] which could allow
local attackers to hijack a system’s domain name resolution function.

http://www.linuxsecurity.com/content/view/118617

 
   Debian
  Debian: New squirrelmail package fixes
regression
  14th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118572

 
  Debian: New luxman packages fix local
root exploit
  14th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118574

 
   Fedora
  Fedora Core 3 Update: hwbrowser-0.20-0.fc3.1
  11th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118553

 
  Fedora Core 3 Update: at-3.1.8-68_FC3
  11th, March, 2005

o Added check in at(1) to verify if atd PAM authentication will
succeed; Job submission will be denied if atd PAM authentication fails.
o Fixed PAM authentication in atd (bug 150131).

http://www.linuxsecurity.com/content/view/118554

 
  Fedora Core 3 Update: bind-9.2.5-1
  11th, March, 2005

o Upgraded to ISC BIND 9.2.5 (final release) o Added libbind
man-pages (see ‘man libbind-resolver’, ‘man libbind-irs.conf’) o Fixed
libbind h_errno handling (bug 150288)

http://www.linuxsecurity.com/content/view/118555

 
  Fedora Core 2 Update: openoffice.org-1.1.3-9.4.0.fc2
  14th, March, 2005

This update makes the Fedora Core 2 version of OpenOffice.org
equivalent to the version in Fedora Core 3.

http://www.linuxsecurity.com/content/view/118575

 
  Fedora Core 3 Update: openoffice.org-1.1.3-9.5.0.fc3
  14th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118576

 
  Fedora Core 3 Update: NetworkManager-0.3.4-1.1.0.fc3
  14th, March, 2005

Many fixes. Check the changelog for details.

http://www.linuxsecurity.com/content/view/118577

 
  Fedora Core 3 Update: at-3.1.8-68_FC3
  14th, March, 2005

Added check in at(1) to verify if atd PAM authentication will
succeed; Job submission will be denied if atd PAM authentication fails.

http://www.linuxsecurity.com/content/view/118578

 
  Fedora Core 2 Update: ipsec-tools-0.5-2.fc2
  14th, March, 2005

This update fixes a potential DoS in parsing ISAKMP headers
in racoon. (CAN-2005-0398)

http://www.linuxsecurity.com/content/view/118585

 
  Fedora Core 3 Update: ipsec-tools-0.5-2.fc3
  14th, March, 2005

This update fixes a potential DoS in parsing ISAKMP headers
in racoon. (CAN-2005-0398)

http://www.linuxsecurity.com/content/view/118586

 
  Fedora Core 3 Update: sylpheed-1.0.3-0.FC3
  15th, March, 2005

Updated pacakge.

http://www.linuxsecurity.com/content/view/118593

 
  Fedora Core 3 Update: koffice-1.3.5-0.FC3.2
  15th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118594

 
  Fedora Core 3 Update: qt-3.3.4-0.fc3.0
  15th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118595

 
  Fedora Core 3 Update: ImageMagick-6.0.7.1-5.fc3
  15th, March, 2005

The updated packages fix a bug which could cause segfaults when
writing TIFF images to the standard output.

http://www.linuxsecurity.com/content/view/118598

 
  Fedora Core 3 Update: ethereal-0.10.10-1.FC3.1
  16th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118612

 
  Fedora Core 2 Update: ethereal-0.10.10-1.FC2.1
  16th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118613

 
  Fedora Core 3 Update: system-config-samba-1.2.28-0.fc3.1
  16th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118614

 
  Fedora Core 3 Update: kdenetwork-3.3.1-3
  16th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118615

 
  Fedora Core 3 Update: udev-039-10.FC3.7
  16th, March, 2005

Fixed DRI permissions and SCSI hotplug replay in start_udev.

http://www.linuxsecurity.com/content/view/118616

 
    Gentoo
  Gentoo: X.org libXpm vulnerability
  12th, March, 2005

A new vulnerability has been discovered in libXpm, which is
included in X.org, that can potentially lead to remote code execution.

http://www.linuxsecurity.com/content/view/118556

 
  Gentoo: Ethereal Multiple vulnerabilities
  12th, March, 2005

Multiple vulnerabilities exist in Ethereal, which may allow
an attacker to run arbitrary code or crash the program.

http://www.linuxsecurity.com/content/view/118557

 
  Gentoo: libexif Buffer overflow vulnerability
  12th, March, 2005

libexif fails to validate certain inputs, making it vulnerable
to buffer overflows.

http://www.linuxsecurity.com/content/view/118558

 
  Gentoo: Ringtone Tools Buffer overflow
vulnerability
  15th, March, 2005

The Ringtone Tools utilities contain a buffer overflow vulnerability,
potentially leading to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118591

 
  Gentoo: Perl rmtree and DBI tmpfile vulnerabilities
  15th, March, 2005

The rmtree race conditions were only partly fixed in the original
GLSA. New versions of dev-lang/perl have been released to address the
remaining issues (CAN-2005-0448). The updated sections appear below.

http://www.linuxsecurity.com/content/view/118592

 
  Gentoo: Ringtone Tools Buffer overflow
vulnerability
  15th, March, 2005

The Ringtone Tools utilities contain a buffer overflow vulnerability,
potentially leading to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118597

 
  Gentoo: MySQL Multiple vulnerabilities
  16th, March, 2005

MySQL contains several vulnerabilities potentially leading to
the overwriting of local files or to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118610

 
  Gentoo: curl NTLM response buffer overflow
  16th, March, 2005

curl is vulnerable to a buffer overflow which could lead to
the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118611

 
   Mandrake
  Mandrake: Updated lvm2 packages fix
  14th, March, 2005

A bug in the lvm2 packages caused it to recurse symlinked directories
indefinitely which caused lvm commands to be really slow or timeout. A
patch has been applied to correct this problem.

http://www.linuxsecurity.com/content/view/118587

 
  Mandrake: Updated cyrus-sasl packages
  15th, March, 2005

A buffer overflow was discovered in cyrus-sasl’s digestmd5 code.
This could lead to a remote attacker executing code in the context of
the service using SASL authentication. This vulnerability was fixed upstream
in version 2.1.19. The updated packages are patched to deal with this
issue.

http://www.linuxsecurity.com/content/view/118599

 
  Mandrake: Updated gnupg packages fix
  15th, March, 2005

The OpenPGP protocol is vulnerable to a timing-attack in order
to gain plain text from cipher text. The timing difference appears as
a side effect of the so-called “quick scan” and is only exploitable on
systems that accept an arbitrary amount of cipher text for automatic decryption.

http://www.linuxsecurity.com/content/view/118600

 
  Mandrake: Updated ethereal packages
  15th, March, 2005

A number of issues were discovered in Ethereal versions prior
to 0.10.10, which is provided by this update.

http://www.linuxsecurity.com/content/view/118601

 
  Mandrake: Updated openslp packages fix
  15th, March, 2005

An audit by the SUSE Security Team of critical parts of the
OpenSLP package revealed various buffer overflow and out of bounds memory
access issues. These problems can be triggered by remote attackers by
sending malformed SLP packets. The packages have been patched to prevent
these problems.

http://www.linuxsecurity.com/content/view/118602

 
  Mandrake: Updated evolution packages
  16th, March, 2005

It was discovered that certain types of messages could be used
to crash the Evolution mail client. Fixes have been applied to correct
this behaviour.

http://www.linuxsecurity.com/content/view/118618

 
  Mandrake: Updated kdelibs packages fix
  16th, March, 2005

A vulnerability in dcopserver was discovered by Sebastian Krahmer
of the SUSE security team. A local user can lock up the dcopserver of
other users on the same machine by stalling the DCOP authentication process,
causing a local Denial of Service.

http://www.linuxsecurity.com/content/view/118619

 
   Red
Hat
  RedHat: Important: gaim security update
  10th, March, 2005

An updated gaim package that fixes various security issues as
well as a number of bugs is now available. This update has been rated
as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118548

 
  RedHat: Moderate: tetex security update
  16th, March, 2005

Updated tetex packages that resolve security issues are now
available for Red Hat Enterprise Linux 4. This update has been rated as
having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118607

 
  RedHat: Low: postfix security update
  16th, March, 2005

Updated postfix packages that include a security fix and two
other bug fixes are now available for Red Hat Enterprise Linux 4. This
update has been rated as having low security impact by the Red Hat Security
Response Team

http://www.linuxsecurity.com/content/view/118608

 
  RedHat: Moderate: squid security update
  16th, March, 2005

An updated squid package that fixes a denial of service issue
is now available for Red Hat Enterprise Linux 4. This update has been
rated as having moderate security impact by the Red Hat Security Response
Team.

http://www.linuxsecurity.com/content/view/118609

 
   SuSE
  SuSE: openslp (SUSE-SA:2005:015)
  14th, March, 2005

The SUSE Security Team reviewed critical parts of the OpenSLP
package, an open source implementation of the Service Location Protocol
(SLP).

http://www.linuxsecurity.com/content/view/118573

 
  SuSE: multiple Mozilla Firefox
  16th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118606