[ISN] Linux Advisory Watch - June 10th 2005

InfoSec News isn at c4i.org
Mon Jun 13 04:04:06 EDT 2005

|  LinuxSecurity.com                             Weekly Newsletter    |
|  June 10th, 2005                            Volume 6, Number 23a    |

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave at linuxsecurity.com          ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for krb4, mailutils, traversal,
Wordpress, SilverCity, kdbg, ImageMagick, openssh, dbus, rsh, and the
Red Hat kernel.  The distributors include Debian, Gentoo, and Red Hat.


## Internet Productivity Suite: Open Source Security ##
Trust Internet Productivity Suite's open source architecture to
give you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital
security engineers implement the most technologically advanced
ideas and methods into their design.

Click to find out more!


Business Case for Security
By: Benjamin D. Thomas

Establishing a business case is perhaps the first phase in any
project initiation. Organizations that are successful maintain full
justification for all business expenditure. An information security
project is no different. An effective information security program
requires visible support from executive management. To gain support,
a persuasive business case is often necessary. An information
security program will have numerous tangible and intangible benefits
to any organization. It is the role of a business case to document

To build a persuasive case for information security, it is important
for practitioners to "to become more managerial in outlook, speech, and

perspectives." (Information Security Management Handbook 4th Edition,
Volume 2.) Stressing the technical benefits of information security
is no longer sufficient because of the size and expenditure of
information security programs. When making a case for information
security, an emphasis should be placed on how proactive security
mechanisms ensure that senior management will not be held liable
for negligence. As IT has become more prominent in organizations,
so have compliance and regulatory requirements. Today, senior
management personnel are expected to demonstrate due care and due
diligence in relation to information security. With this, information
security must become an essential aspect of management.

Addressing the overall benefits of information security is important
as well. A business case should stress how information security can
become a business enabler. It can be a company differentiator by
offering increased levels of customer satisfaction and contributing
overall to total quality management. Information security also
provides a means to ensure against unauthorized behavior. Often
trusting that internal employees will "do the right thing" is not
enough. Information security related business cases should be
written in a way that emphasizes all benefits of information


Measuring Security IT Success

In a time where budgets are constrained and Internet threats are
on the rise, it is important for organizations to invest in network
security applications that will not only provide them with powerful
functionality but also a rapid return on investment.



Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security'
series.  The topic explored is Linux file permissions.  It offers an
easy to follow explanation of how to read permissions, and how to set
them using chmod.  This guide is intended for users new to Linux
security, therefore very simple.  If the feedback is good, I'll
consider creating more complex guides for advanced users.  Please
let us know what you think and how these can be improved.

Click to view video demo:


The Tao of Network Security Monitoring: Beyond Intrusion Detection

To be honest, this was one of the best books that I've read on network
security. Others books often dive so deeply into technical discussions,
they fail to provide any relevance to network engineers/administrators
working in a corporate environment. Budgets, deadlines, and flexibility
are issues that we must all address. The Tao of Network Security
Monitoring is presented in such a way that all of these are still
relevant. One of the greatest virtues of this book is that is offers
real-life technical examples, while backing them up with relevant case



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Debian           | ----------------------------//

* Debian: New krb4 packages fix arbitrary code execution
  2nd, June, 2005

Updated package.


* Debian: New mailutils packages fix several vulnerabilities
  3rd, June, 2005

Updated package.


|  Distribution: Gentoo           | ----------------------------//

* Gentoo: Mailutils SQL Injection
  6th, June, 2005

GNU Mailutils is vulnerable to SQL command injection attacks.


* Gentoo: Dzip Directory traversal vulnerability
  6th, June, 2005

Dzip is vulnerable to a directory traversal attack.


* Gentoo: Wordpress Multiple vulnerabilities
  6th, June, 2005

Wordpress contains SQL injection and XSS vulnerabilities.


* Gentoo: SilverCity Insecure file permissions
  8th, June, 2005

Executable files with insecure permissions can be modified causing an
unsuspecting user to run arbitrary code.


|  Distribution: Red Hat          | ----------------------------//

* RedHat: Low: kdbg security update
  2nd, June, 2005

An updated kdbg package that fixes a minor security issue is now
available for Red Hat Enterprise Linux 2.1. This update has been
rated as having low security impact by the Red Hat Security Response


* RedHat: Moderate: ImageMagick security update
  2nd, June, 2005

Updated ImageMagick packages that fix a denial of service issue are
now available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.


* RedHat: Low: openssh security update
  2nd, June, 2005

Updated openssh packages that fix a potential security vulnerability
and various other bugs are now available for Red Hat Enterprise Linux 2.1.
This update has been rated as having low security impact by the Red Hat
Security Response Team.


* RedHat: Low: dbus security update.
  8th, June, 2005

Updated dbus packages that fix a security issue are now available for
Red Hat Enterprise Linux 4. This update has been rated as having low
security impact by the Red Hat Security Response Team.


* RedHat: Low: rsh security update
  8th, June, 2005

Updated rsh packages that fix various bugs and a theoretical security
issue are now available. This update has been rated as having low
security impact by the Red Hat Security Response Team


* RedHat: Moderate: xorg-x11 security update
  8th, June, 2005

Updated xorg-x11 packages that fix a security issue as well as
various bugs are now available for Red Hat Enterprise Linux 4.
This update has been rated as having moderate security impact
by the Red Hat Security Response Team.


* RedHat: Updated kernel packages available for Red Hat
  8th, June, 2005

Updated kernel packages are now available as part of ongoing support
and maintenance of Red Hat Enterprise Linux version 4.	This is the
first regular update.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.

More information about the ISN mailing list