Information Security News
mailing list archives
LinuxSecurity Weekly Newsletter, August 28, 2000
From: InfoSec News <isn () C4I ORG>
Date: Mon, 28 Aug 2000 23:46:13 -0500
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| August 28, 2000 Volume 1, Number 18 |
| |
| Editorial Team: Dave Wreski dave () linuxsecurity com |
| Benjamin Thomas ben () linuxsecurity com |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines and system
advisories.
This week, multiple vendors released advisories for xchat, ld.so,
xlockmore, Netscape, zope, and Helix GNOME. We recommend updating
these packages immediately.
Our feature this week is written by Eric Hines. It is a comprehensive
guide to setting up secure remote log servers. The article covers many
topics ranging from building and configuring syslogd, to securing the
server. If you have considered adding a remote log server to your
network, this guide will prove to be extremely helpful.
http://www.linuxsecurity.com/feature_stories/feature_story-64.html
Privacy is still a major concern among Internet users. An interesting
article titled "Protect your Internet privacy by Lying" discusses how
"privacy warriors" provide fake names, addresses, and other contact
information to remain anonymous. Also this week, the FBI's Carnivore
remains a hot topic. Anti-Carnivore advocates are now using this
potential breach of privacy as a platform to encourage the use of
encryption.
Our sponsor this week is WebTrends. Their Security Analyzer has the most
vulnerability tests available for Red Hat & VA Linux. It uses advanced
agent-based technology, enabling you to scan your Linux servers from your
Windows NT/2000 console and protect them against potential threats. Now
with over 1,000 tests available.
http://www.webtrends.com/redirect/linuxsecurity1.htm
HTML Version available:
http://www.linuxsecurity.com/newsletter.html
---------------------
Advisories This Week:
---------------------
* Mandrake: dhcp vulnerability
August 25th, 2000
All versions of the ISC DHCP client program, dhclient, are vulnerable
to a root attack by a corrupt DHCP server. This version fixes the
vulnerability. Versions of Linux Mandrake prior to 7.0, while
including the ISC DHCP server, do not include the DHCP client and are
therefore not subject to this vulnerability.
http://www.linuxsecurity.com/advisories/mandrake_advisory-659.html
* Conectiva: Updated 'xchat' packages available
August 25th, 2000
The IRC client XChat allows one to right-click a URL and open many
different browsers with it. This is done by opening the browser via
the shell, so commands embedded in the URL could be expanded by the
shell and executed.
http://www.linuxsecurity.com/advisories/other_advisory-658.html
* Mandrake: Updated 'xchat' packages available.
August 24th, 2000
This update changes the functionality of XChat to bypass the shell
and execute the browser directly.
http://www.linuxsecurity.com/advisories/mandrake_advisory-656.html
* Caldera: ld.so vulnerability
August 24th, 2000
A bug has been discovered in ld.so that could allow local users to
obtain super user privilege. The bug causes certain environment
variables to not be removed completely under some circumstances.
While setuid programs themselves are not vulnerable, external
programs they execute can be affected by this problem.
http://www.linuxsecurity.com/advisories/caldera_advisory-657.html
* Mandrake: Updated xlockmore packages
August 24th, 2000
A bug exists in previous versions of xlockmore when "%d" is passed as
the display name. This bug is corrected in this version.
http://www.linuxsecurity.com/advisories/mandrake_advisory-655.html
* RedHat: XChat vulnerability
August 23rd, 2000
XChat allows users to right-click on a URL appearing in an IRC
discussion and select "Open in Browser." To open the URL in a
browser, XChat passes it to /bin/sh. So, a malicious URL could
execute arbitrary shell commands as the user running XChat. This
errata changes XChat to bypass the shell and execute the browser
directly.
http://www.linuxsecurity.com/advisories/redhat_advisory-654.html
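The two launch patterns contrasted in the XChat advisory above, as an added illustration that is not XChat's code or any vendor's patch: the vulnerable form builds a command line for /bin/sh, so shell metacharacters in the URL are interpreted; the hardened form passes the URL as a single argv entry to execlp, so no shell ever parses it. The browser name and URLs are constructed sample values.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: interpolate the URL into a command string destined for
   sh -c. Returns 1 on success. Nothing here runs the shell; it only shows
   what the shell would receive. */
int shell_command_for(const char *browser, const char *url,
                      char *out, size_t n) {
    int w = snprintf(out, n, "%s %s", browser, url);
    return w >= 0 && (size_t)w < n;
}

/* Returns 1 if the URL contains characters /bin/sh would interpret
   (command separators, substitution, redirection, quoting, whitespace). */
int url_has_shell_metachars(const char *url) {
    return strpbrk(url, ";&|`$()<>\"'\\ \t\n") != NULL;
}

/* Hardened pattern (what the errata switched to): fork and exec the browser
   directly with the URL as one argument. Returns the child's exit status,
   or -1 on failure; no shell is involved, so metacharacters stay literal. */
int open_url_directly(const char *browser, const char *url) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp(browser, browser, url, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed hostile URL: a command separator followed by a command. */
    const char *url = "http://example.com/;id";
    char cmd[256];
    if (shell_command_for("netscape", url, cmd, sizeof cmd))
        printf("shell would see: %s  (metachars: %d)\n",
               cmd, url_has_shell_metachars(url));
    /* /bin/true stands in for the browser; the URL reaches it unparsed. */
    printf("direct exec status: %d\n", open_url_directly("/bin/true", url));
    return 0;
}
```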
* SuSE: Netscape vulnerability [updated]
August 23rd, 2000
Two security problems exist in the netscape package as shipped with
SuSE Linux distributions.
http://www.linuxsecurity.com/advisories/suse_advisory-652.html
* Conectiva: netscape vulnerability
August 21st, 2000
Netscape versions 4.0 to 4.74 allow remote access to any file
accessible through the UID of the Netscape process, by using a
vulnerability in the Java machine known as Brown Orifice.
http://www.linuxsecurity.com/advisories/other_advisory-645.html
* Conectiva: Zope vulnerability
August 21st, 2000
Xlock is a screensaver with locking capabilities. It is a SUID root
program that drops its privileges as soon as possible, but the
encrypted user passwords remain in memory.
http://www.linuxsecurity.com/advisories/other_advisory-650.html
* Helix GNOME: Installer /tmp vulnerability
August 21st, 2000
Xlock is a screensaver with locking capabilities. It is a SUID root
program that drops its privileges as soon as possible, but the
encrypted user passwords remain in memory.
http://www.linuxsecurity.com/advisories/other_advisory-651.html
* Caldera: Netscape java security bug
August 21st, 2000
Recently, a problem in netscape's java libraries was discovered that
allows an applet to act as a web server on your machine, exposing all
files on your system to the world.
http://www.linuxsecurity.com/advisories/caldera_advisory-649.html
* RedHat: New zope packages available.
August 21st, 2000
Vulnerabilities exist with all Zope-2.0 releases. This advisory
supersedes the advisory issued on 2000-08-11. Please use the
packages listed in this advisory instead of the packages referred to
previously.
http://www.linuxsecurity.com/advisories/redhat_advisory-644.html
* RedHat: New netscape packages available
August 21st, 2000
New Netscape packages are available to fix a serious security problem
with Java. It is recommended that all netscape users update to the
new packages. Users of Red Hat Linux 6.0 and 6.1 should use the
packages for Red Hat Linux 6.2.
http://www.linuxsecurity.com/advisories/redhat_advisory-646.html
* Redhat: New mailx and perl packages available
August 21st, 2000
Updated perl and mailx packages are now available which fix a
potential exploit made possible by incorrect assumptions made in
suidperl.
http://www.linuxsecurity.com/advisories/redhat_advisory-647.html
* Debian: New Version of zope released
August 21st, 2000
Debian 2.2 (potato) does include zope and is vulnerable to this
issue. A fixed package for Debian 2.2 (potato) is available in zope
2.1.6-5.2.
http://www.linuxsecurity.com/advisories/debian_advisory-642.html
* Mandrake: netscape vulnerability
August 21st, 2000
There exists a problem in all versions of Netscape from 4.0 to 4.74
with Java enabled. Under certain conditions, Netscape can be turned
into a server that serves files on your local hard drive that
Netscape has read access to and remote people can access it by
connecting their web client to port 8080 on your machine if they know
the IP address.
http://www.linuxsecurity.com/advisories/mandrake_advisory-648.html
-----------------------
Top Articles This Week:
-----------------------
Host Security News:
-------------------
* How to create a Secure Install
August 26th, 2000
It's important to be aware that when you're installing Linux, you're
installing a powerful server operating system. As a home user, you
probably won't use much of what's installed by default, and anything
you don't use is a security risk you don't have to take.
http://www.linuxsecurity.com/articles/host_security_article-1442.html
* OpenBSD's Good Example
August 24th, 2000
Last week I installed OpenBSD for the first time. I found that
OpenBSD has done a lot of things right and that there are some things
that the Linux community should study and emulate. Principles the
OpenBSD developers are following such as "Secure by Default mode" and
code auditing are things that we should be doing to Linux.
http://www.linuxsecurity.com/articles/host_security_article-1431.html
* Logging with Apache--Understanding Your access_log
August 21st, 2000
Apache comes with built-in mechanisms for logging activity on your
server. In this series of articles, I'll talk about the standard way
that Apache writes log files, and some of the tricks for getting more
useful information and statistics out of your server.
http://www.linuxsecurity.com/articles/network_security_article-1412.html
Network Security News:
----------------------
* Organised exploitation of the information super-highway
August 24th, 2000
It has long been held that, in terms of a threat to IT systems, the
protagonist would be an individual, skilled and knowledgeable, but at
odds with the society surrounding them: typically, a
college-educated, twenty-something male who found the challenge of
accessing otherwise secure IT networks motivation enough.
http://www.linuxsecurity.com/articles/network_security_article-1432.html
* Meet PAM
August 24th, 2000
Pluggable authentication modules (PAM) were originally developed by
Sun Microsystems and released as an undocumented feature in Solaris
2.3. Since then, Sun has done little with PAM, compared to the open
source community, and most specifically, the Linux community. In this
article, we will explore the general role of Linux-PAM, its
components, configuration and a few general examples of its use.
http://www.linuxsecurity.com/articles/host_security_article-1430.html
* Security Techniques and Survivability
August 23rd, 2000
I've seen a lot of discussion recently of various computer security
techniques. It seems everyone has their own favorite solution, which
they feel is the correct one, and all other solutions are of course
flawed and inferior. But the truth is even simpler: all security
techniques are flawed.
http://www.linuxsecurity.com/articles/general_article-1419.html
* Linux not ready for DOD prime time
August 23rd, 2000
Linux does not meet the Defense Information Infrastructure's Common
Operating Environment Kernel Platform Compliance requirements for a
Posix-compliant application programming interface, Posix-compliant
commands and utilities, the Motif X Window System interface, the
Common Desktop Environment and Network File System sockets.
http://www.linuxsecurity.com/articles/government_article-1422.html
* Linux for Security Applications
August 22nd, 2000
In this article I go "all the way" and discuss how Linux can be used
in areas where you need absolute control over what happens on a
network, a firewall.
http://www.linuxsecurity.com/articles/host_security_article-1418.html
Cryptography News:
------------------
* Yahoo to offer encrypted email option
August 25th, 2000
Yahoo plans to let its email account holders use data encryption to
protect the privacy of their messages, marking a potentially
significant advance for the mainstream use of encryption.
http://www.linuxsecurity.com/articles/cryptography_article-1439.html
* Pretty Good Privacy flaw reported
August 25th, 2000
A German researcher has discovered a major security flaw in the
latest versions of the PGP free e-mail encryption software that could
allow someone to read another person's encrypted e-mail if he or she
was able to intercept it.
http://www.linuxsecurity.com/articles/cryptography_article-1441.html
* Will You be Having a Party When the RSA Patent Expires?
August 24th, 2000
In late September 2000, the RSA patent expires. Rivest, Shamir, and
Adleman, public key cryptography's most famous supergroup, developed
this algorithm about 20 years ago.
http://www.linuxsecurity.com/articles/cryptography_article-1350.html
* PGP Vulnerability
August 24th, 2000
A very serious PGP vulnerability was just discovered. Using this
vulnerability, an attacker can create a modified version of someone's
public key that will force a sender to encrypt messages to that
person AND to the attacker.
http://www.linuxsecurity.com/articles/cryptography_article-1434.html
* Installing Command Line PGP
August 23rd, 2000
The following is a description of how I got a Linux version of the
PGP encryption program, how I installed it, and a few observations
about quirks in the program. The Linux version of PGP that I got is
PGPcmdfw_6.5.2_Linux.i386.rpm and it offers the options of 1024 or
2048 bit encryption. The 2048 bit option is compatible with people
using PGP 2.6.2 with an extra command that will be noted later in
REMARKS and QUIRKS.
http://www.linuxsecurity.com/articles/cryptography_article-1425.html
Vendor/Product/Tools News:
--------------------------
* Security: From wristwatches to handhelds
August 23rd, 2000
Ensure Technologies Inc., which makes a wireless access system, aims
to make PC security even handier through a new partnership with
wristwatch maker Golden State International.
http://www.linuxsecurity.com/articles/general_article-1426.html
* Secure messaging offered
August 23rd, 2000
VeriSign and Slam Dunk Networks are teaming up to offer a message
delivery infrastructure that will guarantee business-to-business
transaction participants that their messages will be protected,
delivered, and properly accepted at their rightful destinations.
http://www.linuxsecurity.com/articles/vendors_products_article-1420.html
General News:
-------------
* US to Detail Plans on Review of Web Wiretap
August 25th, 2000
US Attorney General Janet Reno said on Wednesday that details for a
planned review of the FBI computer program designed to capture email
messages for criminal investigations will be released on
Thursday.
http://www.linuxsecurity.com/articles/government_article-1440.html
* Free Speech On The Web? Don't Even Talk About It
August 24th, 2000
If you weren't paying attention, U.S. District Court Judge Lewis
Kaplan last week slapped hacker site 2600.com with a major defeat. He
ruled that source code doesn't get the protection of free speech.
The ruling is just another shot in the battle over copyright and free
speech on the Net.
http://www.linuxsecurity.com/articles/privacy_article-1437.html
* Security group says major privacy organization tracks users
August 24th, 2000
TRUSTe, a privacy advocate organization that runs a privacy
seal-of-approval program for retail Web sites and shows companies
how to write effective privacy policies, itself has tracked users
with means not mentioned in its own privacy policy, a security
group says.
http://www.linuxsecurity.com/articles/privacy_article-1436.html
* Protect your Internet privacy by lying
August 24th, 2000
The battle over Internet privacy has a new faction: the Web privacy
hawk using guerilla tactics such as lying about their identities when
trading profile information for free services, the Pew Charitable
Trust found in its latest survey.
http://www.linuxsecurity.com/articles/privacy_article-1433.html
* Infosec Experts: Carnivore Bite Too Big?
August 23rd, 2000
Surveillance technology called Carnivore has the Internet community
on the look out. Used by the FBI, Carnivore raises a variety of legal
and privacy issues. One group, the Electronic Privacy Information
Center (EPIC), sought a court order to get the operational details
behind this surveillance system.
http://www.linuxsecurity.com/articles/privacy_article-1423.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email newsletter-request () linuxsecurity com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".