Linux Advisory Watch – May 28, 2004

Author: Benjamin D. Thomas

This week, advisories were
released for libneon, mailman, kde, xpcd, kdepim, httpd, SquirrelMail, cvs,
neon, subversion, cadaver, metamail, firebird, opera, mysql, mc, apache, heimdal,
kernel, utempter, and LHA. The distributors include Conectiva, Debian, Fedora,
FreeBSD, Gentoo, Mandrake, OpenBSD, Red Hat, Slackware, SuSE, and TurboLinux.

Internal and External Audit

One of the most important but most overlooked aspects of information security
is auditing. The servers have been hardened, the patches installed and access
is monitored regularly, but how can one be sure that all of those countermeasures
are actually effective? An audit is an independent review conducted to form an
opinion; it provides assurance that the security controls in place are doing
their job. Both internal and external audits are important, and each has its
own advantages. Auditing is increasingly a top-management priority because of
the growing reliance on IT, growing system complexity and growing concern for
security. Many laws also require it as a business function necessary to achieve
compliance.

Internal audit is a tool for giving assurance to managers and other personnel.
It compares the security policies, procedures and practices actually in use
against a standard or a set of best practices, and it lets management compare
different departments and divisions. From an IT security point of view, it
identifies areas that need attention and shows how overall security can be
improved. It is always better to identify and fix problems in an internal
audit than to have them found by an external one.

External audits are conducted by third parties and give assurance to other
parties such as shareholders, the board of directors or partner companies.
They can supply the information needed to compare the organization with other
companies (where that data is available) or with industry standards. Auditing
produces reports that are issued to management and written so that management
can understand and act on them; that means translating technical risks into
business language. Audit reports generally summarize the current situation,
compare it with what the standards require and give direction on how to achieve
compliance. The findings can also feed the implementation of new security
controls, a risk analysis or a special internal investigation.

Penetration tests and vulnerability assessments are another essential part of
auditing, because system security has to be checked from an intruder's
perspective. Auditors should ask who, what, when, where and how: timelines
should be compiled, system logs reviewed and personnel interviewed. Rather than
merely hoping a system is secure, auditing provides a level of assurance that
will help you sleep better at night.

Until next time, cheers!
Benjamin D. Thomas

LinuxSecurity Feature Extras:

Guardian Digital Security Solutions Win Out At Real World Linux

– Enterprise Email and Small Business Solutions Impress at Linux Exposition.
Internet and network security was a consistent theme and Guardian Digital
was on hand with innovative solutions to the most common security issues.
Attending to the growing concern for cost-effective security, Guardian Digital’s
enterprise and small business applications were stand-out successes.

Interview with Siem Korteweg: System Configuration Collector

– In this interview we learn how the System Configuration Collector (SCC)
project began, how the software works, why Siem chose to make it open source,
and information on future developments.

Security: MySQL and PHP

– This is the second installment of a three-part article on LAMP (Linux, Apache,
MySQL, PHP). To safeguard a MySQL server to a basic level, one has to abide by
the guidelines laid out in the article.



Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

Distribution: Conectiva
  5/25/2004 libneon
    Heap overflow vulnerability

A heap overflow in the libneon library could be abused by malicious remote
WebDAV servers to execute arbitrary code on the client accessing them.

Conectiva advisory 4397

  5/27/2004 mailman
    Multiple vulnerabilities

Fixes cross-site scripting and remote password retrieval vulnerabilities,
plus a denial of service.

Conectiva advisory 4409

  5/27/2004 kde
    Insufficient input sanitization

The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for
'-' at the beginning of the hostname passed, so an attacker-supplied hostname
can be interpreted as a command-line option by the program that is invoked.

Conectiva advisory 4410

Distribution: Debian
  5/25/2004 xpcd
    Buffer overflow vulnerability

A bug allows user-supplied data of arbitrary length to be copied into a
fixed-size buffer in the pcd_open function.

Debian advisory 4396

Distribution: Fedora
  5/25/2004 kdepim
    Buffer overflow vulnerability

An attacker could construct a VCF file so that, when it is opened by a victim,
it executes arbitrary commands.

Fedora advisory 4394

  5/25/2004 httpd
    Multiple vulnerabilities

Fixes an exploitable memory leak and a flaw that let unfiltered terminal escape
sequences be written to the error log.

Fedora advisory 4395

Distribution: FreeBSD
  5/27/2004 sys
    Buffer cache invalidation vulnerability

In some situations, a user with read access to a file may be able to prevent
changes to that file from being committed to disk.

FreeBSD advisory 4408

Distribution: Gentoo
  5/25/2004 SquirrelMail
    Cross-site scripting vulnerabilities

SquirrelMail is subject to several XSS and one SQL injection vulnerability.

Gentoo advisory 4381

  5/25/2004 cvs
    Heap overflow vulnerability

CVS is subject to a heap overflow vulnerability allowing source repository
compromise.

Gentoo advisory 4382

  5/25/2004 neon
    Heap overflow vulnerability

A vulnerability potentially allowing remote execution of arbitrary code
has been discovered in the neon library.

Gentoo advisory 4383

  5/25/2004 Subversion
    Format string vulnerability

There is a vulnerability in the Subversion date parsing code which may lead
to denial of service attacks, or execution of arbitrary code.

Gentoo advisory 4384

  5/25/2004 cadaver
    Heap overflow vulnerability

There is a heap-based buffer overflow, possibly leading to execution of
arbitrary code when connected to a malicious server.

Gentoo advisory 4385

  5/25/2004 metamail
    Multiple vulnerabilities

Several format string bugs and buffer overflows were discovered in metamail,
potentially allowing execution of arbitrary code remotely.

Gentoo advisory 4386

  5/25/2004 Firebird
    Buffer overflow vulnerability

A buffer overflow may allow a local user to manipulate or destroy local
databases and trojan the Firebird binaries.

Gentoo advisory 4387

  5/25/2004 Opera
    Insufficient input sanitization

A vulnerability exists in Opera’s telnet URI handler that may allow a remote
attacker to overwrite arbitrary files.

Gentoo advisory 4388

  5/27/2004 MySQL
    Symlink vulnerability

Two MySQL utilities create temporary files with hardcoded paths, allowing
an attacker to use a symlink to trick MySQL into overwriting important data.

Gentoo advisory 4404

  5/27/2004 mc
    Multiple vulnerabilities

Multiple security issues have been discovered in Midnight Commander, including
several buffer overflows and format string vulnerabilities.

Gentoo advisory 4405

  5/27/2004 Apache 1.3
    Multiple vulnerabilities

Several security vulnerabilities have been fixed in the latest release of
Apache 1.3.

Gentoo advisory 4406

  5/27/2004 Heimdal
    Buffer overflow vulnerability

A possible buffer overflow in the Kerberos 4 component of Heimdal has been
discovered.

Gentoo advisory 4407
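The KDE entry under Conectiva (advisory 4410) and the Opera entry above (Gentoo advisory 4388) describe the same class of bug: a URI handler passes the host part of a telnet:// URI to a helper program as an argument, and a host that begins with '-' is parsed by that program as an option rather than as a host. The C program below is an added example, not code from KDE, Opera or any of the advisories; the launcher functions, the telnet:// URIs and the hostname policy are assumptions made for illustration. It places a launcher that passes the host through unchecked beside one that applies the leading-dash check the advisories describe, plus a character whitelist.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LAUNCH_ARGC 3   /* program, host, terminating NULL */

/* Extract the authority of "scheme://authority[/path]" into out.
 * Returns 1 on success, 0 when the URI has no "://" or an empty authority.
 * Hypothetical helper written for this example. */
static int uri_authority(const char *uri, char *out, size_t outlen)
{
    const char *p = strstr(uri, "://");
    if (p == NULL)
        return 0;
    p += 3;
    size_t n = strcspn(p, "/?#");
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* The check the advisories describe, plus a whitelist: the host must not
 * begin with '-' (the helper would read it as an option) and may contain
 * only letters, digits, '.', '-' and ':' for an explicit port. */
static int hostname_is_safe(const char *host)
{
    if (host[0] == '\0' || host[0] == '-')
        return 0;
    for (const char *c = host; *c != '\0'; c++) {
        unsigned char ch = (unsigned char)*c;
        if (!isalnum(ch) && ch != '.' && ch != '-' && ch != ':')
            return 0;
    }
    return 1;
}

/* Vulnerable launcher: whatever follows "telnet://" lands in argv[1].
 * With "telnet://-ntracefile" the helper is started as "telnet -ntracefile"
 * and treats the attacker's "host" as its -n option. Returns argc or -1. */
int build_argv_insecure(const char *uri, char *host, size_t hostlen,
                        const char *argv[LAUNCH_ARGC])
{
    if (!uri_authority(uri, host, hostlen))
        return -1;
    argv[0] = "telnet";
    argv[1] = host;
    argv[2] = NULL;
    return 2;
}

/* Hardened launcher: identical argv layout, but the host must pass the
 * policy first. A real handler would exec the helper with this argv only
 * when the return value is 2. */
int build_argv_secure(const char *uri, char *host, size_t hostlen,
                      const char *argv[LAUNCH_ARGC])
{
    if (!uri_authority(uri, host, hostlen) || !hostname_is_safe(host))
        return -1;
    argv[0] = "telnet";
    argv[1] = host;
    argv[2] = NULL;
    return 2;
}

int main(void)
{
    /* Constructed sample URIs: one benign, one carrying an option as host. */
    const char *uris[] = { "telnet://example.com:23", "telnet://-ntracefile" };
    const char *argv[LAUNCH_ARGC];
    char host[256];

    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++) {
        int rc = build_argv_insecure(uris[i], host, sizeof host, argv);
        printf("insecure  %-24s -> %s\n", uris[i], rc < 0 ? "rejected" : argv[1]);
        rc = build_argv_secure(uris[i], host, sizeof host, argv);
        printf("secure    %-24s -> %s\n", uris[i], rc < 0 ? "rejected" : argv[1]);
    }
    return 0;
}
```

Rejecting a leading '-' is the minimal fix; the whitelist closes the related hole where shell metacharacters or whitespace in the host reach a helper that is started through a shell.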

 
 
Distribution: Mandrake
  5/25/2004 apache-mod_perl
    Multiple vulnerabilities

Four security vulnerabilities were fixed with the 1.3.31 release of Apache.
All of these issues have been backported and applied to the provided packages.

Mandrake advisory 4392

  5/25/2004 kernel 2.6
    Multiple vulnerabilities

Several kernel 2.6 vulnerabilities have been fixed in this update.

Mandrake advisory 4393

  5/27/2004 mailman
    Password leak vulnerability

Mailman versions >= 2.1 have an issue where third parties can retrieve member
passwords from the server.

Mandrake advisory 4402

  5/27/2004 kolab-server
    Plain-text passwords

The affected versions store OpenLDAP passwords in plain text.

Mandrake advisory 4403

Distribution: OpenBSD
  5/25/2004 cvs
    Heap overflow vulnerability

Malicious clients can run arbitrary code on CVS servers.

OpenBSD advisory 4391

Distribution: Red Hat
  5/27/2004 utempter
    Symlink vulnerability

An updated utempter package that fixes a potential symlink vulnerability
is now available.

Red Hat advisory 4399

  5/27/2004 LHA
    Multiple vulnerabilities

Ulf Harnhammar discovered two stack buffer overflows and two directory traversal
flaws in LHA.

Red Hat advisory 4400

  5/27/2004 tcpdump, libpcap, arpwatch
    Denial of service vulnerability

Upon receiving specially crafted ISAKMP packets, tcpdump would crash.

Red Hat advisory 4401
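The MySQL entry under Gentoo (advisory 4404) and the utempter entry above (Red Hat advisory 4399) are both temp-file symlink issues: a program opens a fixed, guessable path with O_CREAT but without O_EXCL, so a local user who plants a symlink at that path first redirects the write to a file of their choosing. The C program below is an added example, not code from MySQL, utempter or the advisories; the scratch directory, file names and the victim file contents are constructed for the demonstration. It reproduces the attack in a private directory and shows two fixes: mkstemp() for a fresh random name, and O_CREAT|O_EXCL|O_NOFOLLOW when the name must stay fixed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define VICTIM_DATA "important data\n"     /* constructed sample content */
#define VICTIM_LEN  (sizeof(VICTIM_DATA) - 1)

/* The pattern behind the advisories: a privileged program opens a fixed,
 * guessable path with O_CREAT but without O_EXCL. If a symlink already sits
 * there, open() follows it and the write lands in the link target. */
int open_output_insecure(const char *fixed_path)
{
    return open(fixed_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Fix 1: let mkstemp() choose a random name. It opens with O_CREAT|O_EXCL
 * and mode 0600, so a pre-planted link is never followed. */
int open_output_secure(char *name_template)
{
    return mkstemp(name_template);
}

/* Fix 2: when the name must stay fixed, O_EXCL makes open() fail with EEXIST
 * instead of reusing what is there; O_NOFOLLOW is a second line of defence. */
int open_fixed_path_secure(const char *fixed_path)
{
    return open(fixed_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Create or restore the victim file (hypothetical helper for the demo). */
static int write_victim(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, VICTIM_DATA, VICTIM_LEN);
    close(fd);
    return n == (ssize_t)VICTIM_LEN ? 0 : -1;
}

static off_t file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Reproduce the attack in a private scratch directory. Returns 1 when the
 * insecure open wrote through the planted symlink while both hardened opens
 * left the victim alone, 0 for any other outcome, -1 if setup failed. */
int run_symlink_demo(void)
{
    char dir[] = "/tmp/advwatch.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char victim[128], link_path[128], tmpl[128];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link_path, sizeof link_path, "%s/report.tmp", dir); /* guessable */
    snprintf(tmpl, sizeof tmpl, "%s/report.XXXXXX", dir);

    /* Attacker plants the symlink before the privileged program runs. */
    int result = (write_victim(victim) == 0 && symlink(victim, link_path) == 0) ? 1 : -1;

    /* 1. The insecure open follows the link and truncates the victim. */
    if (result == 1) {
        int fd = open_output_insecure(link_path);
        if (fd >= 0)
            close(fd);
        if (file_size(victim) != 0 || write_victim(victim) != 0)
            result = 0;
    }
    /* 2. O_EXCL refuses the fixed path because something already exists there. */
    if (result == 1) {
        int fd = open_fixed_path_secure(link_path);
        if (fd >= 0 || errno != EEXIST)
            result = 0;
        if (fd >= 0)
            close(fd);
    }
    /* 3. mkstemp() creates a fresh file under a name the attacker could not guess. */
    if (result == 1) {
        int fd = open_output_secure(tmpl);
        if (fd < 0)
            result = 0;
        else {
            close(fd);
            unlink(tmpl);
        }
    }
    if (result == 1 && file_size(victim) != (off_t)VICTIM_LEN)
        result = 0;

    unlink(link_path);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_symlink_demo();
    printf("symlink demo: %s\n", r == 1 ? "insecure open followed the planted link, hardened opens did not" : "unexpected result");
    return r == 1 ? 0 : 1;
}
```

The scratch directory is created with mode 0700 by mkdtemp(), so the demonstration does not depend on the sticky-bit behaviour of /tmp or on the fs.protected_symlinks sysctl, and the program removes everything it creates.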

 
 
Distribution: Slackware
  5/25/2004 cvs
    Heap overflow vulnerability

Carefully crafted requests can run arbitrary programs on the CVS server
machine.

Slackware advisory 4390

Distribution: SuSE
  5/27/2004 kdelibs/kdelibs3
    Insufficient input sanitization

The URI handler in the kdelibs3 and kdelibs class library contains a flaw
which allows remote attackers to create arbitrary files as the user running
the kdelibs3/kdelibs package.

SUSE advisory 4398

Distribution: TurboLinux
  5/25/2004 kernel
    Multiple vulnerabilities

The vulnerabilities may allow an attacker to cause a denial of service to
the kernel and gain sensitive information from your system.

TurboLinux advisory 4389