[ISN] Linux Advisory Watch - February 11th 2005
InfoSec News
isn at c4i.org
Mon Feb 14 05:24:30 EST 2005
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| February 11th, 2005 Volume 6, Number 6a |
+---------------------------------------------------------------------+
Editors: Dave Wreski Benjamin D. Thomas
dave at linuxsecurity.com ben at linuxsecurity.com
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
This week, advisories were released for python, squid, php, emacs,
postgres, evolution, mailman, hztty, hwbrowser, cups, hotplug,
xpdf, kdegraphics, gallery, perl, and squirrelmail. The
distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat,
and SuSE.
---
>> Enterprise Security for the Small Business <<
Never before has a small business productivity solution been designed
with such robust security features. Engineered with security as a main
focus, the Guardian Digital Internet Productivity Suite is the
cost-effective solution small businesses have been waiting for.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07
---
Are Your Servers Secure?
By Blessen Cherian
In a word, No. No machine connected to the internet is 100% secure.
This doesn't mean that you are helpless. You can take measures to
avoid hacks, but you cannot avoid them completely. This is like a
house when the windows and doors are open then the probability of
a thief coming in is high, but if the doors and windows are closed
and locked the probability of being robbed is less, but still not
nil.
What is Information Security?
For our purposes, Information Security means the methods we use
to protect sensitive data from unauthorized users.
Why do we need Information Security?
The entire world is rapidly becoming IT enabled. Wherever you look,
computer technology has revolutionized the way things operate. Some
examples are airports, seaports, telecommunication industries, and
TV broadcasting, all of which are thriving as a result of the use
of IT. "IT is everywhere."
A lot of sensitive information passes through the Internet, such
as credit card data, mission critical server passwords, and
important files. There is always a chance of some one viewing and/or
modifying the data while it is in transmission. There are countless
horror stories of what happens when an outsider gets someone's
credit card or financial information. He or she can use it in any
way they like and could even destroy you and your business by
taking or destroying all your assets. As we all know "An ounce of
prevention beats a pound of cure," so to avoid such critical
situations, it is advisable to have a good security policy and
security implementation.
Read complete feature story:
http://www.linuxsecurity.com/content/view/118211/49/
----------------------
Getting to Know Linux Security: File Permissions
Welcome to the first tutorial in the 'Getting to Know Linux Security'
series. The topic explored is Linux file permissions. It offers an
easy to follow explanation of how to read permissions, and how to set
them using chmod. This guide is intended for users new to Linux
security, therefore very simple. If the feedback is good, I'll
consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.
Click to view video demo:
http://www.linuxsecurity.com/content/view/118181/49/
---
The Tao of Network Security Monitoring: Beyond Intrusion Detection
To be honest, this was one of the best books that I've read on network
security. Others books often dive so deeply into technical discussions,
they fail to provide any relevance to network engineers/administrators
working in a corporate environment. Budgets, deadlines, and flexibility
are issues that we must all address. The Tao of Network Security
Monitoring is presented in such a way that all of these are still
relevant. One of the greatest virtues of this book is that is offers
real-life technical examples, while backing them up with relevant case
studies.
http://www.linuxsecurity.com/content/view/118106/49/
---
Encrypting Shell Scripts
Do you have scripts that contain sensitive information like
passwords and you pretty much depend on file permissions to keep
it secure? If so, then that type of security is good provided
you keep your system secure and some user doesn't have a "ps -ef"
loop running in an attempt to capture that sensitive info (though
some applications mask passwords in "ps" output).
http://www.linuxsecurity.com/content/view/117920/49/
--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
* Debian: New Python2.2 packages fix unauthorised XML-RPC access
4th, February, 2005
For the stable distribution (woody) this problem has been fixed in
version 2.2.1-4.7. No other version of Python in woody is affected.
http://www.linuxsecurity.com/content/view/118182
* Debian: New squid packages fix several vulnerabilities
4th, February, 2005
LDAP is very forgiving about spaces in search filters and this
could be abused to log in using several variants of the login
name, possibly bypassing explicit access controls or confusing
accounting.
http://www.linuxsecurity.com/content/view/118184
* Debian: New php3 packages fix several vulnerabilities
7th, February, 2005
http://www.linuxsecurity.com/content/view/118192
* Debian: New emacs20 packages fix arbitrary code execution
8th, February, 2005
http://www.linuxsecurity.com/content/view/118207
* Debian: New PostgreSQL packages fix arbitrary library loading
4th, February, 2005
http://www.linuxsecurity.com/content/view/118186
* Debian: New xemacs21 packages fix arbitrary code execution
8th, February, 2005
http://www.linuxsecurity.com/content/view/118210
* Debian: New xview packages fix potential arbitrary code execution
9th, February, 2005
http://www.linuxsecurity.com/content/view/118222
* Debian: New evolution packages fix arbitrary code execution as root
10th, February, 2005
Max Vozeler discovered an integer overflow in a helper application
inside of Evolution, a free grouware suite. A local attacker could
cause the setuid root helper to execute arbitrary code with elevated
privileges.
http://www.linuxsecurity.com/content/view/118234
* Debian: New mailman packages fix several vulnerabilities
10th, February, 2005
http://www.linuxsecurity.com/content/view/118235
* Debian: New hztty packages fix local utmp exploit
10th, February, 2005
http://www.linuxsecurity.com/content/view/118245
+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+
* Fedora Core 3 Update: system-config-printer-0.6.116.1.1-1
4th, February, 2005
http://www.linuxsecurity.com/content/view/118187
* Fedora Core 3 Update: hwbrowser-0.19-0.fc3.2
4th, February, 2005
http://www.linuxsecurity.com/content/view/118188
* Fedora Core 3 Update: python-2.3.4-13.1
4th, February, 2005
An object traversal bug was found in the Python SimpleXMLRPCServer.
http://www.linuxsecurity.com/content/view/118190
* Fedora Core 3 Update: postgresql-7.4.7-1.FC3.2
7th, February, 2005
http://www.linuxsecurity.com/content/view/118202
* Fedora Core 2 Update: postgresql-7.4.7-1.FC2.2
7th, February, 2005
http://www.linuxsecurity.com/content/view/118203
* Fedora Core 2 Update: cups-1.1.20-11.11
8th, February, 2005
A problem with PDF handling was discovered by Chris Evans, and has
been fixed. The Common Vulnerabilities and Exposures project
(www.mitre.org) has assigned the name CAN-2004-0888 to this issue.
FEDORA-2004-337 attempted to correct this but the patch was
incomplete.
http://www.linuxsecurity.com/content/view/118212
* Fedora Core 3 Update: cups-1.1.22-0.rc1.8.5
8th, February, 2005
A problem with PDF handling was discovered by Chris Evans, and has
been fixed. The Common Vulnerabilities and Exposures project
(www.mitre.org) has assigned the name CAN-2004-0888 to this issue.
FEDORA-2004-337 attempted to correct this but the patch was
incomplete.
http://www.linuxsecurity.com/content/view/118213
* Fedora Core 2 Update: hotplug-2004_04_01-1.1
8th, February, 2005
This update fixes updfstab in the presence of multiple USB
plug/unplug events.
http://www.linuxsecurity.com/content/view/118214
* Fedora Core 3 Update: emacs-21.3-21.FC3
8th, February, 2005
This update fixes the CAN-2005-0100 movemail vulnerability
and backports the latest bug fixes.
http://www.linuxsecurity.com/content/view/118219
* Fedora Core 2 Update: xpdf-3.00-3.8
9th, February, 2005
http://www.linuxsecurity.com/content/view/118223
* Fedora Core 3 Update: xpdf-3.00-10.4
9th, February, 2005
http://www.linuxsecurity.com/content/view/118224
* Fedora Core 3 Update: kdegraphics-3.3.1-2.4
9th, February, 2005
http://www.linuxsecurity.com/content/view/118225
* Fedora Core 2 Update: kdegraphics-3.2.2-1.4
9th, February, 2005
http://www.linuxsecurity.com/content/view/118226
* Fedora Core 2 Update: gpdf-2.8.2-4.1
9th, February, 2005
http://www.linuxsecurity.com/content/view/118230
* Fedora Core 3 Update: gpdf-2.8.2-4.2
9th, February, 2005
http://www.linuxsecurity.com/content/view/118231
* Fedora Core 3 Update: mailman-2.1.5-30.fc3
10th, February, 2005
There is a critical security flaw in Mailman 2.1.5 which will allow
attackers to read arbitrary files.
http://www.linuxsecurity.com/content/view/118243
* Fedora Core 2 Update: mailman-2.1.5-8.fc2
10th, February, 2005
There is a critical security flaw in Mailman 2.1.5 which will allow
attackers to read arbitrary files.
http://www.linuxsecurity.com/content/view/118244
* Fedora Core 2 Update: mod_python-3.1.3-1.fc2.2
10th, February, 2005
Graham Dumpleton discovered a flaw affecting the publisher handler of
mod_python, used to make objects inside modules callable via URL.
http://www.linuxsecurity.com/content/view/118252
* Fedora Core 3 Update: mod_python-3.1.3-5.2
10th, February, 2005
Graham Dumpleton discovered a flaw affecting the publisher handler of
mod_python, used to make objects inside modules callable via URL.
http://www.linuxsecurity.com/content/view/118253
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
* Gentoo: pdftohtml Vulnerabilities in included Xpdf
9th, February, 2005
pdftohtml includes vulnerable Xpdf code to handle PDF files, making
it vulnerable to execution of arbitrary code upon converting a malicious
PDF file.
http://www.linuxsecurity.com/content/view/118221
* Gentoo: LessTif Multiple vulnerabilities in libXpm
6th, February, 2005
Multiple vulnerabilities have been discovered in libXpm, which is
included in LessTif, that can potentially lead to remote code
execution.
http://www.linuxsecurity.com/content/view/118191
* Gentoo: PostgreSQL Local privilege escalation
7th, February, 2005
The PostgreSQL server can be tricked by a local attacker to execute
arbitrary code.
http://www.linuxsecurity.com/content/view/118199
* Gentoo: OpenMotif Multiple vulnerabilities in libXpm
7th, February, 2005
Multiple vulnerabilities have been discovered in libXpm, which is
included in OpenMotif, that can potentially lead to remote code
execution.
http://www.linuxsecurity.com/content/view/118193
* Gentoo: Python Arbitrary code execution through SimpleXMLRPCServer
8th, February, 2005
Python-based XML-RPC servers may be vulnerable to remote execution of
arbitrary code.
http://www.linuxsecurity.com/content/view/118216
* Gentoo: Python Arbitrary code execution through SimpleXMLRPCServer
10th, February, 2005
Python-based XML-RPC servers may be vulnerable to remote execution of
arbitrary code.
http://www.linuxsecurity.com/content/view/118240
* Gentoo: Mailman Directory traversal vulnerability
10th, February, 2005
Mailman fails to properly sanitize input, leading to information
disclosure.
http://www.linuxsecurity.com/content/view/118242
* Gentoo: Gallery Cross-site scripting vulnerability
10th, February, 2005
The cross-site scripting vulnerability that Gallery 1.4.4-pl5 was
intended to fix, did not actually resolve the issue. The Gallery
Development Team have released version 1.4.4-pl6 to properly solve
this problem.
http://www.linuxsecurity.com/content/view/118251
+---------------------------------+
| Distribution: Mandrake | ----------------------------//
+---------------------------------+
* Mandrake: Updated perl-DBI packages
8th, February, 2005
Javier Fernandez-Sanguino Pena disovered the perl5 DBI library
created
a temporary PID file in an insecure manner, which could be exploited
by a malicious user to overwrite arbitrary files owned by the user
executing the parts of the library. The updated packages have
been patched to prevent these problems.
http://www.linuxsecurity.com/content/view/118217
* Mandrake: Updated perl packages fix
8th, February, 2005
Updated perl package.
http://www.linuxsecurity.com/content/view/118218
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
* RedHat: Updated Perl packages fix security issues
7th, February, 2005
Updated Perl packages that fix several security issues are now
available for Red Hat Enterprise Linux 3.
http://www.linuxsecurity.com/content/view/118195
* RedHat: Updated mailman packages fix security
10th, February, 2005
Updated mailman packages that correct a mailman security issue are
now available.
http://www.linuxsecurity.com/content/view/118239
* RedHat: Updated kdelibs and kdebase packages correct
10th, February, 2005
Updated kdelib and kdebase packages that resolve several security
issues are now available.
http://www.linuxsecurity.com/content/view/118246
* RedHat: Updated mod_python package fixes security issue
10th, February, 2005
An Updated mod_python package that fixes a security issue in the
publisher handler is now available.
http://www.linuxsecurity.com/content/view/118247
* RedHat: Updated emacs packages fix security issue
10th, February, 2005
Updated Emacs packages that fix a string format issue are now
available.
http://www.linuxsecurity.com/content/view/118248
* RedHat: Updated xemacs packages fix security issue
10th, February, 2005
Updated XEmacs packages that fix a string format issue are now
available.
http://www.linuxsecurity.com/content/view/118249
* RedHat: Updated Squirrelmail package fixes security
10th, February, 2005
An updated Squirrelmail package that fixes several security issues is
now available for Red Hat Enterprise Linux 3.
http://www.linuxsecurity.com/content/view/118250
+---------------------------------+
| Distribution: SuSE | ----------------------------//
+---------------------------------+
* SuSE: kernel bugfixes and SP1 merge
4th, February, 2005
Two weeks ago we released the Service Pack 1 for our SUSE Linux
Enterprise Server 9 product. Due to the strict code freeze we were
not able to merge all the security fixes from the last kernel update
on Jan23rd (SUSE-SA:2005:003) into this kernel.
http://www.linuxsecurity.com/content/view/118185
* SuSE: squid (SUSE-SA:2005:006)
10th, February, 2005
The last two squid updates from February the 1st and 10th fix several
vulnerabilities. The impact of them range from remote
denial-of-service over cache poisoning to possible remote
command execution.
http://www.linuxsecurity.com/content/view/118241
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
More information about the ISN
mailing list