[ISN] Linux Advisory Watch - October 28th 2005

InfoSec News isn at c4i.org
Mon Oct 31 07:25:03 EST 2005


+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  October 28th, 2005                         Volume 6, Number 44a    |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave at linuxsecurity.com          ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for mozilla, module-assistant,
eric, sudo, libgda2, imlib, koffice, net-snmp, lynx, RTF, Netpbm,
cURL, Zope, phpMyAdmin, ethereal, pam, and fetchmail.  The
distributors include Debian, Gentoo, and Red Hat.

----

Security Compromise Underway?
By: Dave Wreski

Spotting a security compromise under way can be a tense undertaking.
How you react can have large consequences.

If the compromise you are seeing is a physical one, odds are you
have spotted someone who has broken into your home, office or lab.
You should notify your local authorities. In a lab, you might have
spotted someone trying to open a case or reboot a machine. Depending
on your authority and procedures, you might ask them to stop, or
contact your local security people.

If you have detected a local user trying to compromise your security,
the first thing to do is confirm they are in fact who you think they
are. Check the site they are logging in from. Is it the site they
normally log in from? No? Then use a non-electronic means of getting
in touch. For instance, call them on the phone or walk over to their
office/house and talk to them. If they agree that they are on, you
can ask them to explain what they were doing or tell them to cease
doing it. If they are not on, and have no idea what you are talking
about, odds are this incident requires further investigation. Look
into such incidents, and have lots of information before making
any accusations.

If you have detected a network compromise, the first thing to do
(if you are able) is to disconnect your network. If they are
connected via modem, unplug the modem cable; if they are connected
via Ethernet, unplug the Ethernet cable. This will prevent them from
doing any further damage, and they will probably see it as a network
problem rather than detection.

If you are unable to disconnect the network (if you have a busy site,
or you do not have physical control of your machines), the next best
step is to use something like tcp_wrappers or ipfwadm to deny access
from the intruder's site.

If you can't deny all people from the same site as the intruder,
locking the user's account will have to do. Note that locking an
account is not an easy thing. You have to keep in mind .rhosts
files, FTP access, and a host of possible backdoors.

After you have done one of the above (disconnected the network,
denied access from their site, and/or disabled their account),
you need to kill all their user processes and log them off.

You should monitor your site well for the next few minutes, as
the attacker will try to get back in, perhaps using a different
account and/or a different network address.
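The containment steps above, worked through as an added example; this is not code from the article or from the Linux Security HOWTO. It rehearses the sequence with a DRY_RUN switch (on by default) so nothing destructive happens until you turn it off. The who(1) output is constructed, tcp_wrappers is used for the site-level block (ipfwadm is not available on any current kernel), and the file locations and the extra per-user files it reports beyond .rhosts are this example's own assumptions.

```shell
#!/bin/sh
# Added containment helper for the steps in the article above; it is not code
# from the article or the Linux Security HOWTO. Destructive commands go through
# run(), which only echoes them while DRY_RUN=1 (the default), so the sequence
# can be rehearsed before an incident. File locations are assumptions and can
# be overridden through the environment.

HOSTS_DENY="${HOSTS_DENY:-/etc/hosts.deny}"   # tcp_wrappers deny list
FTPUSERS="${FTPUSERS:-/etc/ftpusers}"         # accounts refused FTP login
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "[dry-run] $*"
    else
        "$@"
    fi
}

# Constructed who(1) output, standing in for a real `who` run.
sample_who_output() {
    cat <<'EOF'
alice    pts/0        Oct 28 09:12 (ws-alice.example.com)
bob      pts/1        Oct 28 09:40 (198.51.100.23)
carol    tty1         Oct 28 08:55
EOF
}

# Step 1: is the user logged in from the site they normally log in from?
# Prints each session from another host and returns 1 if there is one, which
# is the cue to reach the person by phone or in person before acting.
check_login_site() {
    user="$1"; expected="$2"; who_file="$3"
    awk -v u="$user" -v e="$expected" '
        $1 == u && $NF ~ /^\(.*\)$/ {
            host = $NF; gsub(/[()]/, "", host)
            if (host != e) { print u " is logged in from " host ", not " e; bad = 1 }
        }
        END { exit bad ? 1 : 0 }' "$who_file"
}

# Step 2: refuse every tcp_wrappers-controlled service to the intruder's site
# (the fallback when pulling the cable is not an option). Idempotent.
deny_site() {
    site="$1"
    if ! grep -q "^ALL: $site\$" "$HOSTS_DENY" 2>/dev/null; then
        printf 'ALL: %s\n' "$site" >> "$HOSTS_DENY"
    fi
}

# Step 3: lock the account and close the side doors the article warns about:
# .rhosts for the r-services, and FTP (ftpusers is the deny list most FTP
# daemons honour). Reporting .forward and authorized_keys as well is an
# extension of the article's list; the files are reported, not removed.
lock_account() {
    user="$1"; home="$2"
    run passwd -l "$user"
    if ! grep -q "^$user\$" "$FTPUSERS" 2>/dev/null; then
        printf '%s\n' "$user" >> "$FTPUSERS"
    fi
    for f in .rhosts .forward .ssh/authorized_keys; do
        if [ -e "$home/$f" ]; then
            echo "review $home/$f: a possible way back in"
        fi
    done
}

# Step 4: kill the user's processes, which also logs them off.
kick_user() {
    run pkill -KILL -u "$1"
}

# Step 5: keep watching for the next few minutes; $1 is the number of
# 30-second rounds (call by hand, it is not run by the checks below).
watch_logins() {
    i=0
    while [ "$i" -lt "${1:-10}" ]; do
        date; who; sleep 30; i=$((i + 1))
    done
}
```

Source the file and call the steps in order with the real user, home directory and address; set DRY_RUN=0 and run as root on the affected host only once the dry run shows the commands you expect.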


Read more from the Linux Security Howto:
http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory
permissions that are far too liberal and allow access beyond that which
is needed for proper system operations. A full explanation of unix file
permissions is beyond the scope of this article, so I'll assume you are
familiar with the usage of such tools as chmod, chown, and chgrp. If
you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/
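A concrete audit for the mistake the teaser describes, added here as an example rather than taken from the linked article: it finds world-writable files, world-writable directories without the sticky bit, and set-id executables under a tree, then prints (or, with DRY_RUN=0, applies) the chmod that tightens them. The DRY_RUN switch and the function names are this example's own.

```shell
#!/bin/sh
# Added permission audit (not from the linked linuxsecurity.com article).
# By default it only reports; set DRY_RUN=0 to apply the chmod fixes.

DRY_RUN="${DRY_RUN:-1}"

# World-writable regular files: any local user can change their content.
world_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null
}

# World-writable directories lacking the sticky bit: any user can delete or
# rename other users' files in them (/tmp is safe only because of the sticky bit).
unsticky_world_writable_dirs() {
    find "$1" -type d -perm -002 ! -perm -1000 2>/dev/null
}

# setuid/setgid executables: listed, not changed, because a bug in one of
# them runs with the owner's privileges and each should be justified.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Drop the world-write bit from the offending files and directories.
tighten() {
    root="$1"
    world_writable_files "$root" | while IFS= read -r f; do
        if [ "$DRY_RUN" = "1" ]; then echo "chmod o-w '$f'"; else chmod o-w "$f"; fi
    done
    unsticky_world_writable_dirs "$root" | while IFS= read -r d; do
        if [ "$DRY_RUN" = "1" ]; then echo "chmod o-w '$d'"; else chmod o-w "$d"; fi
    done
}
```

Run `tighten /` as root after reviewing the reported list; for a shared directory that must stay world-writable, adding the sticky bit (`chmod +t`) is the alternative to removing write access.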

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more
data in a temporary data storage area than it was intended to hold. Since
buffers are created to contain a finite amount of data, the extra
information can overflow into adjacent buffers, corrupting or overwriting
the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf
Hildebrandt and Patrick Koetter and feel that it is an incredible
Postfix reference. It gives a great overall view of the operation
and management of Postfix in an extremely systematic and practical
format. It flows in a logical manner, is easy to follow and the
authors did a great job of explaining topics with attention paid
to real world applications and how to avoid many of the associated
pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New Mozilla packages fix several vulnerabilities
  20th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120623


* Debian: New module-assistant package fixes insecure temporary file
  20th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120624


* Debian: New Mozilla Thunderbird packages fix several vulnerabilities
  20th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120630


* Debian: New eric packages fix arbitrary code execution
  21st, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120638


* Debian: New sudo packages fix arbitrary command execution
  25th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120648


* Debian: New libgda2 packages fix arbitrary code execution
  25th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120655


* Debian: New libgda2 packages fix arbitrary code execution
  25th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120659


* Debian: New imlib packages fix arbitrary code execution
  26th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120660


* Debian: New koffice packages fix arbitrary code execution
  26th, October, 2005

Upgraded package.

http://www.linuxsecurity.com/content/view/120661


* Debian: New net-snmp packages fix denial of service
  26th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120668


* Debian: New lynx packages fix arbitrary code execution
  27th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120671


* Debian: New OpenSSL packages fix cryptographic weakness
  27th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120672


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: AbiWord New RTF import buffer overflows
  20th, October, 2005

AbiWord is vulnerable to an additional set of buffer overflows during
RTF import, making it vulnerable to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120625


* Gentoo: Netpbm Buffer overflow in pnmtopng
  20th, October, 2005

The pnmtopng utility, part of the Netpbm tools, contains a
vulnerability which can potentially result in the execution of
arbitrary code.

http://www.linuxsecurity.com/content/view/120626


* Gentoo: cURL NTLM username stack overflow
  22nd, October, 2005

cURL is vulnerable to a buffer overflow which could lead to the
execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120640


* Gentoo: Zope File inclusion through RestructuredText
  25th, October, 2005

Zope is vulnerable to a file inclusion vulnerability when exposing
RestructuredText functionalities to untrusted users.

http://www.linuxsecurity.com/content/view/120652


* Gentoo: phpMyAdmin Local file inclusion and XSS vulnerabilities
  25th, October, 2005

phpMyAdmin contains a local file inclusion vulnerability that may
lead to the execution of arbitrary code, along with several
cross-site scripting issues.

http://www.linuxsecurity.com/content/view/120653


+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: ethereal security update
  25th, October, 2005

Updated Ethereal packages that fix various security vulnerabilities
are now available. This update has been rated as having moderate
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120658


* RedHat: Low: pam security update
  26th, October, 2005

An updated pam package that fixes a security weakness is now
available for Red Hat Enterprise Linux 4. This update has been rated
as having low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120666


* RedHat: Low: fetchmail security update
  26th, October, 2005

Updated fetchmail packages that fix insecure configuration file
creation are now available. This update has been rated as having low
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120667


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------