Linux Advisory Watch – October 28, 2005

25

Author: Benjamin D. Thomas

This week, advisories were released for mozilla, module-assistant, eric, sudo, libgda2, imlib, koffice, net-snmp, lynx, RTF, Netpbm, cURL, Zope, phpMyAdmin, ethereal, pam, and fetchmail. The distributors include Debian, Gentoo, and Red Hat.

Security Compromise Underway?
By: Dave Wreski

Spotting a security compromise under way can be a tense
undertaking. How you react can have large consequences.

If the compromise you are seeing is a physical one, odds are you
have spotted someone who has broken into your home, office or lab.
You should notify your local authorities. In a lab, you might have
spotted someone trying to open a case or reboot a machine.
Depending on your authority and procedures, you might ask them to
stop, or contact your local security people.

If you have detected a local user trying to compromise your
security, the first thing to do is confirm they are in fact who you
think they are. Check the site they are logging in from. Is it the
site they normally log in from? No? Then use a non-electronic means
of getting in touch. For instance, call them on the phone or walk
over to their office/house and talk to them. If they agree that
they are on, you can ask them to explain what they were doing or
tell them to cease doing it. If they are not on, and have no idea
what you are talking about, odds are this incident requires further
investigation. Look into such incidents , and have lots of
information before making any accusations.

If you have detected a network compromise, the first thing to do
(if you are able) is to disconnect your network. If they are
connected via modem, unplug the modem cable; if they are connected
via Ethernet, unplug the Ethernet cable. This will prevent them
from doing any further damage, and they will probably see it as a
network problem rather than detection.

If you are unable to disconnect the network (if you have a busy
site, or you do not have physical control of your machines), the
next best step is to use something like tcp_wrappers or ipfwadm to
deny access from the intruder’s site.

If you can’t deny all people from the same site as the intruder,
locking the user’s account will have to do. Note that locking an
account is not an easy thing. You have to keep in mind .rhosts
files, FTP access, and a host of possible backdoors.

After you have done one of the above (disconnected the network,
denied access from their site, and/or disabled their account), you
need to kill all their user processes and log them off.

You should monitor your site well for the next few minutes, as
the attacker will try to get back in. Perhaps using a different
account, and/or from a different network address.

Read more from the Linux Security Howto:
http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/


   Debian
  Debian: New Mozilla packages
fix several vulnerabilities
  20th, October, 2005

Updated package.
 
  Debian: New module-assistant
package fixes insecure temporary file
  20th, October, 2005

Updated package.
 
  Debian: New Mozilla
Thunderbird packages fix several vulnerabilities
  20th, October, 2005

Updated package.
 
  Debian: New eric packages fix
arbitrary code execution
  21st, October, 2005

Updated Package.
 
  Debian: New sudo packages fix
arbitrary command execution
  25th, October, 2005

Updated package.
 
  Debian: New libgda2 packages
fix arbitrary code execution
  25th, October, 2005

Updated package.
 
  Debian: New libgda2 packages
fix arbitrary code execution
  25th, October, 2005

Updated package.
 
  Debian: New imlib packages fix
arbitrary code execution
  26th, October, 2005

Upgrade package.
 
  Debian: New koffice packages
fix arbitrary code execution
  26th, October, 2005

Upgraded package.
 
  Debian: New net-snmp packages
fix denial of service
  26th, October, 2005

Updated package.
 
  Debian: New lynx packages fix
arbitrary code execution
  27th, October, 2005

Updated package.
 
  Debian: New OpenSSL packages
fix cryptographic weakness
  27th, October, 2005

Updated package.
 
   Gentoo
  Gentoo: AbiWord New RTF import
buffer overflows
  20th, October, 2005

AbiWord is vulnerable to an additional set of buffer
overflows during RTF import, making it vulnerable to the execution
of arbitrary code.
 
  Gentoo: Netpbm Buffer overflow
in pnmtopng
  20th, October, 2005

The pnmtopng utility, part of the Netpbm tools,
contains a vulnerability which can potentially result in the
execution of arbitrary code.
 
  Gentoo: cURL NTLM username
stack overflow
  22nd, October, 2005

cURL is vulnerable to a buffer overflow which could
lead to the execution of arbitrary code.
 
  Gentoo: Zope File inclusion
through RestructuredText
  25th, October, 2005

Zope is vulnerable to a file inclusion vulnerability
when exposing RestructuredText functionalities to untrusted users.
 
  Gentoo: phpMyAdmin Local file
inclusion and XSS vulnerabilities
  25th, October, 2005

phpMyAdmin contains a local file inclusion
vulnerability that may lead to the execution of arbitrary code,
along with several cross-site scripting issues.
 
   Red Hat
  RedHat: Moderate: ethereal
security update
  25th, October, 2005

Updated Ethereal packages that fix various security
vulnerabilities are now available. This update has been rated as
having moderate security impact by the Red Hat Security Response
Team.
 
  RedHat: Low: pam security
update
  26th, October, 2005

An updated pam package that fixes a security weakness
is now available for Red Hat Enterprise Linux 4. This update has
been rated as having low security impact by the Red Hat Security
Response Team.
 
  RedHat: Low: fetchmail
security update
  26th, October, 2005

Updated fetchmail packages that fix insecure
configuration file creation is now available. This update has been
rated as having low security impact by the Red Hat Security
Response Team.