[ISN] Linux Advisory Watch - June 3rd 2005

InfoSec News isn at c4i.org
Sat Jun 4 14:23:46 EDT 2005

|  LinuxSecurity.com                             Weekly Newsletter    |
|  June 3rd, 2005                             Volume 6, Number 22a    |

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave at linuxsecurity.com          ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for qpopper, openssl, php4,
bzip2,  ImageMagick, bind, netpbm, gxine, imap4d, elfutils, gnutls,
and postgresql.  The distributors include Debian, Fedora, Gentoo,
and Red Hat.


## Internet Productivity Suite: Open Source Security ##
Trust Internet Productivity Suite's open source architecture to
give you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital
security engineers implement the most technologically advanced
ideas and methods into their design.

Click to find out more!


Importance of Information Security Management
By Benjamin D. Thomas

Organizations today rely on IT for distributed processing, automation
of repetitive tasks, and electronic commerce. Processing that would
have been done by hand years ago, is now completely executed on
computers. This has evolved so much that it is no longer feasible and
in some cases impossible to conduct business processing by hand. In
the event of only a temporary loss of IT services, results could be
catastrophic. Without a secure IT infrastructure, an organization
risks the possibility of complete operational failure. The primary
aim of information security is to preserve the confidentiality,
integrity, and availability of information from unauthorized
disclosure, unauthorized modification, destruction, or misuse.
Failure to appropriately manage information security will put an
organization at risk of loss of income, loss of competitive
advantage, or possible legal penalties if not compliant with
relevant regulations. Having the right information at the right
time in the right hands of the right people is often the
difference between profit/loss, and success/failure. It must
be understood that information is a key business asset and
preserving confidentiality, integrity, and availability to
crucial to the continued success of any organization.

Importance of Confidentiality

Proper information security management can help protect against
confidentiality breaches. In the event of an unauthorized
disclosure of proprietary information, a company could loose
millions to a competitor due to the loss of research and
development time/capital and the competitive advantage of
being first to market. Across the world, nations are passing
legislation protecting the privacy of personal information.
Failure to adequately protect against breaches in confidentiality
may result in strictpenalties or prosecution for negligence.

Importance of Integrity

Ensuring data integrity is vital to ensure that appropriate
business decisions are made with the information available.
An unauthorized modification can either be intentional or
unintentional. In either scenario, the outcome can be
catastrophic. Data that has beenimproperly modified has
the potential to result in bad information. Faulty information
can lead to bad business decisions, which can ultimately result
in business failure. At a financial institution a single
misplaced digit could result in the loss of millions. It is
extremely important that organizations have the ability to
detect any violations of integrity and mitigate any possible
damages that may occur from a breach.

Importance of Availability

Information availability is also a key aspect of information
security management. Ensuring proper information availability
will help an organization maintain its highest level of
productivity. Information security availability planning
involves contingency and disaster recovery as well as
protecting against temporary technical glitches or recovering
information from backup archives. By appropriately managing
information availability, planning and facilitating a recovery
strategy can ensure that business impact and loss of assets
is minimized in the event of an incident.


Measuring Security IT Success

In a time where budgets are constrained and Internet threats are
on the rise, it is important for organizations to invest in network
security applications that will not only provide them with powerful
functionality but also a rapid return on investment.



Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security'
series.  The topic explored is Linux file permissions.  It offers an
easy to follow explanation of how to read permissions, and how to set
them using chmod.  This guide is intended for users new to Linux
security, therefore very simple.  If the feedback is good, I'll
consider creating more complex guides for advanced users.  Please
let us know what you think and how these can be improved.

Click to view video demo:


The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network
security. Others books often dive so deeply into technical discussions,
they fail to provide any relevance to network engineers/administrators
working in a corporate environment. Budgets, deadlines, and flexibility
are issues that we must all address. The Tao of Network Security
Monitoring is presented in such a way that all of these are still
relevant. One of the greatest virtues of this book is that is offers
real-life technical examples, while backing them up with relevant case



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Debian           | ----------------------------//

* Debian: New qpopper packages fix arbitrary file overwriting
  26th, May, 2005

Updated package.


* Debian: New PHP4 packages fix denial of service
  26th, May, 2005

Updated package.


* Debian: New bzip2 packages fix file unauthorised permissions
  27th, May, 2005

Updated package.


|  Distribution: Fedora           | ----------------------------//

* Fedora Core 3 Update: ImageMagick-
  26th, May, 2005

An malicious image could cause a denial-of-service in the xwd
coder. The update fixes this issue.


* Fedora Core 3 Update: system-config-netboot-0.1.16-1_FC3
  27th, May, 2005

Updated package.


* Fedora Core 3 Update: system-config-bind-4.0.0-16
  27th, May, 2005

Updated package.


* Fedora Core 3 Update: netpbm-10.27-4.FC3
  1st, June, 2005

Updated package.


|  Distribution: Gentoo           | ----------------------------//

* Gentoo: gxine Format string vulnerability
  26th, May, 2005

A format string vulnerability in gxine could allow a remote attacker
to execute arbitrary code.


* Gentoo: Mailutils Multiple vulnerabilities in imap4d
  27th, May, 2005

The imap4d server and the mail utility from GNU Mailutils contain
multiple vulnerabilities, potentially allowing a remote attacker to
execute arbitrary code with root privileges.


* Gentoo: Binutils, elfutils Buffer overflow
  1st, June, 2005

Various utilities from the GNU Binutils and elfutils packages are
vulnerable to a heap based buffer overflow, potentially resulting in
the execution of arbitrary code.


|  Distribution: Red Hat          | ----------------------------//

* RedHat: Moderate: gnutls security update
  1st, June, 2005

Updated GnuTLS packages that fix a remote denial of service
vulnerability are available for Red Hat Enterprise Linux 4.
This update has been rated as having moderate security impact by the
Red Hat Security Response Team.


* RedHat: Moderate: postgresql security update
  1st, June, 2005

Updated postgresql packages that fix several security vulnerabilities
and risks of data loss are now available. This update has been rated as
having moderate security impact by the Red Hat Security Response Team.


* RedHat: Moderate: openssl security update
  1st, June, 2005

Updated OpenSSL packages that fix security issues are now available.
This update has been rated as having moderate security impact by the
Red Hat Security Response Team.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.

More information about the ISN mailing list