Linux Advisory Watch – March 25, 2005

51

Author: Benjamin D. Thomas

This week, advisories were released for cyrus-imapd, curl, xloadimage, xli,
PERL, slypheed, libgal2, libsoup, evolution, gimp, procps, lsof, lockdev, xloadimage,
mailman, boost, kdelibs, firefox, thunderbird, mozilla, devhelp, epiphany, rxvt,
LTris, MySQL, ethereal, ipsec-tools, and ImageMagick. The distributors include
Conectiva, Debian, Fedora, Genotoo, Mandrake, Red Hat, and SuSE.Authentication: Passwords

For most, the subject of passwords is novel. However, it is important to take
a step back and analyze their strengths, weaknesses, and alternatives.

Using only passwords as a method of authentication is often
insufficient for critical data because they fundamentally have
weaknesses. Several of those include: users pick easy to guess
words, users often voluntarily give them away in order to make
work easier, and passwords are often easily intercepted. Many
applications/protocols that are still in use send passwords in
cleartext. A weak password is the equivalent of a faulty lock
on a safe. Passwords do not guarantee security, only increase
the time required to access data or information.

System administrators can improve password security for users
in several ways. First, a limit on log-in attempts should be
set. For example, user ids should be locked after a number of
failed login attempts. Next, passwords should have strength
requirements set. For example, passwords should have a minimum
length, special characters and capitalizations should be
required, and they should be checked against a dictionary
file. Password security can also be improved if there are
expiration dates set and passwords are not reused
consecutively.

Biometrics and other forms of authentication in addition to
passwords can dramatically increase security. Having a
second line of defense is critical. For example, ssh security
can be improved by using key-authentication and IP based
access controls. Passwords are slowly becoming obsolete with
improvements in technology, but will remain in use for many
years. Next week, I’ll discuss how using single sign-on
mechanisms can improve password security and management
for users.

Until next time, cheers!
Benjamin D. Thomas

LinuxSecurity.com
Feature Extras:

Getting
to Know Linux Security: File Permissions
– Welcome to the first
tutorial in the ‘Getting to Know Linux Security’ series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple. If the feedback is
good, I’ll consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.

The
Tao of Network Security Monitoring: Beyond Intrusion Detection

– To be honest, this was one of the best books that I’ve read on network security.
Others books often dive so deeply into technical discussions, they fail to
provide any relevance to network engineers/administrators working in a corporate
environment. Budgets, deadlines, and flexibility are issues that we must all
address. The Tao of Network Security Monitoring is presented in such a way
that all of these are still relevant.

Encrypting
Shell Scripts
– Do you have scripts that contain sensitive information
like passwords and you pretty much depend on file permissions to keep it secure?
If so, then that type of security is good provided you keep your system secure
and some user doesn’t have a “ps -ef” loop running in an attempt to capture
that sensitive info (though some applications mask passwords in “ps” output).

 

Take advantage of our Linux Security discussion
list!
This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with “subscribe” as the subject.

Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week’s most relevant Linux security headline
.


   Contectiva
  Conectiva: cyrus-imapd Fix for multiple
cyrus-imapd vulnerabilities
  17th, March, 2005

cyrus-imapd[1] is an IMAP and POP3 mail server with several
advanced features such as SASL authentication, server-side mail filtering,
mailbox ACLs and others.

http://www.linuxsecurity.com/content/view/118624

 
  Conectiva: curl Fix for cURL vulnerability
  21st, March, 2005

cURL[1] is a client to get/put files from/to servers, using
any of the supported protocols.

http://www.linuxsecurity.com/content/view/118655

 
   Debian
  Debian: New xloadimage packages fix several
vulnerabilities
  21st, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118650

 
  Debian: New xli packages fix several
vulnerabilities
  21st, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118656

 
  Debian: New perl packages fix privilege
escalation
  22nd, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118663

 
   Fedora
  Fedora Core 2 Update: sylpheed-1.0.3-0.FC2
  17th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118626

 
  Fedora Core 3 Update: libgal2-2.2.5-1
  17th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118627

 
  Fedora Core 3 Update: libsoup-2.2.2-1.FC3
  17th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118628

 
  Fedora Core 3 Update: evolution-data-server-1.0.4-3
  17th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118629

 
  Fedora Core 3 Update: evolution-2.0.4-1
  17th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118630

 
  Fedora Core 3 Update: evolution-connector-2.0.4-1
  17th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118631

 
  Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.89
  17th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118632

 
  Fedora Core 3 Update: policycoreutils-1.18.1-2.10
  17th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118633

 
  Fedora Core 3 Update: gimp-2.2.4-0.fc3.3
  18th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118640

 
  Fedora Core 3 Update: procps-3.2.3-5.2
  18th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118641

 
  Fedora Core 3 Update: lsof-4.72-2.1
  18th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118642

 
  Fedora Core 3 Update: lockdev-1.0.1-4.1
  18th, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118643

 
  Fedora Core 2 Update: xloadimage-4.1-34.FC2
  18th, March, 2005

This update fixes CAN-2005-0638, a problem in the parsing of
shell metacharacters in filenames. It also fixes bugs in handling of malformed
TIFF and PBM/PNM/PPM issues.

http://www.linuxsecurity.com/content/view/118644

 
  Fedora Core 3 Update: xloadimage-4.1-34.FC3
  18th, March, 2005

This update fixes CAN-2005-0638, a problem in the parsing of
shell metacharacters in filenames. It also fixes bugs in handling of malformed
TIFF and PBM/PNM/PPM issues.

http://www.linuxsecurity.com/content/view/118645

 
  Fedora Core 2 Update: mailman-2.1.5-10.fc2
  22nd, March, 2005

A cross-site scripting (XSS) flaw in the driver script of mailman
prior to version 2.1.5 could allow remote attackers to execute scripts
as other web users. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-1177 to this issue. Users of mailman should
update to this erratum package, which corrects this issue by turning on
STEALTH_MODE by default and using Utils.websafe() to quote the html.

http://www.linuxsecurity.com/content/view/118667

 
  Fedora Core 3 Update: mailman-2.1.5-32.fc3
  22nd, March, 2005

A cross-site scripting (XSS) flaw in the driver script of mailman
prior to version 2.1.5 could allow remote attackers to execute scripts
as other web users. The Common Vulnerabilities.

http://www.linuxsecurity.com/content/view/118668

 
  Fedora Core 3 Update: boost-1.32.0-5.fc3
  22nd, March, 2005

This is a bugfix release.

http://www.linuxsecurity.com/content/view/118669

 
  Fedora Core 2 Update: kdelibs-3.2.2-14.FC2
  23rd, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118683

 
  Fedora Core 3 Update: firefox-1.0.2-1.3.1
  23rd, March, 2005

A buffer overflow bug was found in the way Firefox processes
GIF images. It is possible for an attacker to create a specially crafted
GIF image, which when viewed by a victim will execute arbitrary code as
the victim.

http://www.linuxsecurity.com/content/view/118684

 
  Fedora Core 3 Update: kdelibs-3.3.1-2.9.FC3
  23rd, March, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118685

 
  Fedora Core 3 Update: thunderbird-1.0.2-1.3.1
  23rd, March, 2005

A buffer overflow bug was found in the way Thunderbird processes
GIF images. It is possible for an attacker to create a specially crafted
GIF image, which when viewed by a victim will execute arbitrary code as
the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2005-0399 to this issue.

http://www.linuxsecurity.com/content/view/118686

 
  Fedora Core 3 Update: mozilla-1.7.6-1.3.2
  23rd, March, 2005

A buffer overflow bug was found in the way Mozilla processes
GIF images. It is possible for an attacker to create a specially crafted
GIF image, which when viewed by a victim will execute arbitrary code as
the victim.

http://www.linuxsecurity.com/content/view/118687

 
  Fedora Core 3 Update: devhelp-0.9.2-2.3.1
  23rd, March, 2005

There were several security flaws found in the mozilla package,
which devhelp depends on. Users of devhelp are advised to upgrade to this
updated package which has been rebuilt against a later version of mozilla
which is not vulnerable to these flaws.

http://www.linuxsecurity.com/content/view/118688

 
  Fedora Core 3 Update: epiphany-1.4.4-4.3.1
  23rd, March, 2005

There were several security flaws found in the mozilla package,
which epiphany depends on. Users of epiphany are advised to upgrade to
this updated package which has been rebuilt against a later version of
mozilla which is not vulnerable to these flaws.

http://www.linuxsecurity.com/content/view/118689

 
  Fedora Core 3 Update: evolution-2.0.4-2
  23rd, March, 2005

There were several security flaws found in the mozilla package,
which evolution depends on. Users of evolution are advised to upgrade
to this updated package which has been rebuilt against a later version
of mozilla which is not vulnerable to these flaws.

http://www.linuxsecurity.com/content/view/118690

 
   Gentoo
  Gentoo: Grip CDDB response overflow
  17th, March, 2005

Grip contains a buffer overflow that can be triggered by a large
CDDB response, potentially allowing the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118625

 
  Gentoo: KDE Local Denial of Service
  19th, March, 2005

KDE is vulnerable to a local Denial of Service attack.

http://www.linuxsecurity.com/content/view/118646

 
  Gentoo: rxvt-unicode Buffer overflow
  20th, March, 2005

rxvt-unicode is vulnerable to a buffer overflow that could lead
to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118647

 
  Gentoo: LTris Buffer overflow
  20th, March, 2005

LTris is vulnerable to a buffer overflow which could lead to
the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118648

 
  Gentoo: Sylpheed, Sylpheed-claws Message
reply overflow
  20th, March, 2005

Sylpheed and Sylpheed-claws contain a vulnerability that can
be triggered when replying to specially crafted messages.

http://www.linuxsecurity.com/content/view/118649

 
   Mandrake
  Mandrake: Updated KDE packages address
  21st, March, 2005

New KDE packages are available to address various bugs. The
details are as follows.

http://www.linuxsecurity.com/content/view/118661

 
  Mandrake: Updated MySQL packages fix
  21st, March, 2005

A number of vulnerabilities were discovered by Stefano Di Paola
in the MySQL server: If an authenticated user had INSERT privileges on
the ‘mysql’ database, the CREATE FUNCTION command allowed that user to
use libc functions to execute arbitrary code with the privileges of the
user running the database server (mysql) (CAN-2005-0709).

http://www.linuxsecurity.com/content/view/118662

 
   Red
Hat
  RedHat: Moderate: ethereal security update
  18th, March, 2005

Updated Ethereal packages that fix various security vulnerabilities
are now available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118636

 
  RedHat: Important: sylpheed security
update
  18th, March, 2005

An updated sylpheed package that fixes a buffer overflow issue
is now available. This update has been rated as having important security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118635

 
  RedHat: Important: mailman security update
  21st, March, 2005

An updated mailman package that corrects a cross-site scripting
flaw is now available. This update has been rated as having important
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118658

 
  RedHat: Important: realplayer security
update
  21st, March, 2005

Updated realplayer packages that fix a number of security issues
are now available for Red Hat Enterprise Linux 3 Extras. This update has
been rated as having important security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/118659

 
  RedHat: Low: libexif security update
  21st, March, 2005

Updated libexif packages that fix a buffer overflow issue are
now available. This update has been rated as having low security impact
by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118660

 
  RedHat: Moderate: ImageMagick security
update
  23rd, March, 2005

Updated ImageMagick packages that fix a heap based buffer overflow
are now available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118670

 
  RedHat: Moderate: ipsec-tools security
update
  23rd, March, 2005

An updated ipsec-tools package that fixes a bug in parsing of
ISAKMP headers is now available. This update has been rated as having
moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118671

 
  RedHat: Moderate: ImageMagick security
update
  23rd, March, 2005

Updated ImageMagick packages that fix a format string bug are
now available for Red Hat Enterprise Linux 4. This update has been rated
as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118672

 
  RedHat: Important: kdelibs security update
  23rd, March, 2005

Updated kdelibs packages that fix several security issues are
now available for Red Hat Enterprise Linux 4. This update has been rated
as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118673

 
  RedHat: Critical: mozilla security update
  23rd, March, 2005

Updated mozilla packages that fix various bugs are now available.
This update has been rated as having critical security impact by the Red
Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118679

 
  RedHat: Critical: mozilla security update
  23rd, March, 2005

Updated mozilla packages that fix various bugs are now available.
This update has been rated as having critical security impact by the Red
Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118680

 
  RedHat: Critical: firefox security update
  23rd, March, 2005

Updated firefox packages that fix various bugs are now available.
This update has been rated as having critical security impact by the Red
Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118681

 
  RedHat: Critical: thunderbird security
update
  23rd, March, 2005

Updated thunderbird packages that fix various bugs are now available.
This update has been rated as having critical security impact by the Red
Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118682

 
   SuSE
  SuSE: ImageMagick problems
  23rd, March, 2005

This update fixes several security issues in the ImageMagick
program suite: – A format string vulnerability was found in the display
program which could lead to a remote attacker being to able to execute
code as the user running display by providing handcrafted filenames of
images. This is tracked by the Mitre CVE ID CAN-2005-0397.

http://www.linuxsecurity.com/content/view/118678