+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| August 22nd, 2003 Volume 4, Number 33a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave_at_linuxsecurity.com ben_at_linuxsecurity.com
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for openslp, zip, netris, autorespond,
unzip, eroaster, and GDM. The distributors include Conectiva, Debian,
Mandrake, and Red Hat.
The United States National Institute of Standards and Technology recently
released the second draft of the "Guide for the Security Certification and
Accreditation of Federal Information System." It is currently in the
second public comment period, which ends August 31st 2003. Although the
document is intended for government agency use, it is easily applicable to
organizations of other types. As information security is becoming a more
important function of conducting business, there is an ever increasing
need for standards and methodologies. This document is an excellent
starting point for those interested in creating an organization wide
information security program and/or certification and accreditation
procedures.
The document begins with an introduction to the concept of certification
and accreditation. It includes the system development life cycle,
component evaluation, assessment activities, as well as other important
information. Next, the document overviews the fundamentals of C&A
including roles and responsibilities, information system categories,
documentation, and monitoring. Overall, the first two chapters of this
document provide a very good overview of the base knowledge required to set up a
certification and accreditation program in your organization.
The final chapter of this document walks readers through the entire
process of C&A. It covers initiation, certification, accreditation, and
finally monitoring. This chapter gives readers a very good indication of
the work required to implement a C&A program. In addition, after
reading this chapter the importance of beginning the C&A process becomes
apparent.
In addition to clear and informative writing, the document also provides
many easy to read diagrams. The illustrations provided help readers more
easily visualize the authors' intentions. If you haven't had a chance to
take a look at this document, I highly recommend it. The information is
valuable and freely available. The entire document can be found at the
following URL:
http://csrc.nist.gov/publications/drafts/sp800-37-Draftver2.pdf
Until next time,
Benjamin D. Thomas
ben_at_linuxsecurity.com
Expert vs. Expertise: Computer Forensics and the Alternative OS
No longer a dark and mysterious process, computer forensics have been
significantly on the scene for more than five years now. Despite this,
they have only recently gained the notoriety they deserve.
http://www.linuxsecurity.com/feature_stories/feature_story-147.html
REVIEW: Linux Security Cookbook
There are rarely straightforward solutions to real world issues,
especially in the field of security. The Linux Security Cookbook is an
essential tool to help solve those real world problems. By covering
situations that apply to everyone from the seasoned Systems Administrator
to the security curious home user, the Linux Security Cookbook
distinguishes itself as an indispensable reference for security oriented
individuals.
http://www.linuxsecurity.com/feature_stories/feature_story-145.html
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Conectiva | ----------------------------//
+---------------------------------+
8/15/2003 - openslp
tmp file creation vulnerability
There is a symbolic link vulnerability in the initscript used to
control the openslp daemon.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3563.html
8/21/2003 - zip
directory traversal vulnerability
This is a reedition of the announcement CLSA-2003:672[1].
http://www.linuxsecurity.com/advisories/connectiva_advisory-3564.html
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
8/17/2003 - netris
Buffer overflow vulnerability
A netris client connecting to an untrusted netris server could be
sent an unusually long data packet, which would be copied into a
fixed-length buffer without bounds checking.
http://www.linuxsecurity.com/advisories/debian_advisory-3559.html
8/16/2003 - autorespond
Buffer overflow vulnerability
This vulnerability could potentially be exploited by a remote
attacker to gain the privileges of a user who has configured qmail
to forward messages to autorespond.
http://www.linuxsecurity.com/advisories/debian_advisory-3560.html
8/18/2003 - man-db denial of service vulnerability
Buffer overflow vulnerability
This update introduced an error in the routine that resolves
hardlinks: depending on the filenames of hardlinked manpages, that
routine might itself overrun allocated memory, causing
a segmentation fault.
http://www.linuxsecurity.com/advisories/debian_advisory-3565.html
+---------------------------------+
| Distribution: Mandrake | ----------------------------//
+---------------------------------+
8/21/2003 - unzip
arbitrary file overwrite vulnerability
A vulnerability was discovered in unzip 5.50 and earlier that
allows attackers to overwrite arbitrary files during archive
extraction by placing non-printable characters between two "."
characters.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3566.html
8/21/2003 - eroaster
tmp file creation vulnerability
A vulnerability was discovered in eroaster where it does not take
any security precautions when creating a temporary file for the
lockfile.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3567.html
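The openslp initscript entry above and this eroaster entry describe the same class of bug: a program creates a temporary or lock file at a predictable path without first making sure nothing (such as a symbolic link left there by another local user) already sits at that path. The following Python is an added illustration written for this newsletter, not code from openslp, eroaster or their advisories; the file names, the "victim" file and the scratch directory are constructed for the demonstration. It contrasts a plain open-for-writing with an O_CREAT|O_EXCL creation, which is the standard fix: the kernel refuses to create the file if the path already exists, so the check and the create cannot be separated by a race.

```python
import errno
import os
import tempfile


def create_lockfile(path: str) -> int:
    """Create `path` atomically and return an open file descriptor.

    O_CREAT|O_EXCL makes the kernel refuse if anything already exists at the
    path, including a symbolic link planted there by another local user.
    O_NOFOLLOW is added where the platform has it as a second line of defence.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def naive_lockfile(path: str) -> None:
    """The pattern the advisories warn about: a plain open for writing follows
    whatever the path currently points at and truncates it."""
    with open(path, "w") as f:
        f.write("pid 1234\n")


def demo() -> dict:
    """Run both creators against a planted symlink in a private scratch
    directory (constructed here for the example) and report what happened."""
    scratch = tempfile.mkdtemp()
    victim = os.path.join(scratch, "victim.txt")      # constructed sample file
    lock = os.path.join(scratch, "example.lock")      # hypothetical lock path
    results = {}
    try:
        with open(victim, "w") as f:
            f.write("important data\n")

        # A symlink at the predictable lock path, pointing at the victim file.
        os.symlink(victim, lock)

        # Naive creation follows the link and overwrites the victim.
        naive_lockfile(lock)
        with open(victim) as f:
            results["naive_clobbered_victim"] = f.read() == "pid 1234\n"

        # Restore the victim and try the hardened creator against the same link.
        with open(victim, "w") as f:
            f.write("important data\n")
        try:
            fd = create_lockfile(lock)
            os.close(fd)
            results["safe_refused_symlink"] = False
        except OSError as e:
            results["safe_refused_symlink"] = e.errno in (errno.EEXIST, errno.ELOOP)
        with open(victim) as f:
            results["victim_intact_after_safe"] = f.read() == "important data\n"

        # With nothing at the path, the hardened creator succeeds normally.
        os.unlink(lock)
        fd = create_lockfile(lock)
        os.write(fd, b"pid 1234\n")
        os.close(fd)
        results["safe_created_when_absent"] = (
            os.path.isfile(lock) and not os.path.islink(lock)
        )
    finally:
        for p in (lock, victim):
            try:
                os.unlink(p)
            except FileNotFoundError:
                pass
        os.rmdir(scratch)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For genuinely temporary files the same O_EXCL creation plus an unpredictable name is what tempfile.mkstemp() does in Python and what the mktemp command does in a shell script; a lock file with a fixed, documented name should live in a directory only the daemon's own user can write to.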
+---------------------------------+
| Distribution: RedHat | ----------------------------//
+---------------------------------+
8/15/2003 - unzip
Trojan vulnerability
Updated unzip packages resolving a vulnerability allowing
arbitrary files to be overwritten are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-3561.html
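The Conectiva zip entry and both unzip entries (Mandrake above, Red Hat here) concern archive members whose names escape the extraction directory; the Mandrake text spells out the trick, a non-printable character placed between two "." characters so that a naive ".." check does not match. The Python below is an added example for this newsletter, not code from unzip or from any of the advisories. It shows a check of the naive shape beside a hardened one that strips non-printable characters before normalising the path, then re-verifies the resolved target with realpath. The sample member names are constructed.

```python
import os
import posixpath
import string

# Printable ASCII minus the control-type whitespace. Anything outside this set
# is treated as a control/non-printable character and dropped before the path
# is examined. (Example code, not unzip's own logic.)
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def naive_is_safe(name: str) -> bool:
    """The kind of check the advisory describes as insufficient: it only looks
    for a literal '..' component in the raw member name."""
    return ".." not in name.split("/")


def normalize_member_name(name: str) -> str:
    """Drop non-printable characters, unify separators, collapse '.' and '..'."""
    cleaned = "".join(c for c in name if c in _PRINTABLE)
    cleaned = cleaned.replace("\\", "/")
    return posixpath.normpath(cleaned)


def is_safe_member(name: str) -> bool:
    """True only if the member would land inside the extraction directory."""
    if not name:
        return False
    norm = normalize_member_name(name)
    if norm == "." or posixpath.isabs(norm):
        return False
    return ".." not in norm.split("/")


def extraction_target(dest_dir: str, name: str):
    """Return the absolute path to write, or None if the member is unsafe.

    The realpath/commonpath comparison is an independent second guard: even if
    the string checks were somehow fooled, the resolved target must still sit
    under dest_dir."""
    if not is_safe_member(name):
        return None
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, normalize_member_name(name)))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return None
    return target


if __name__ == "__main__":
    # Constructed sample member names; the third mimics the advisory's pattern
    # of a non-printable byte sitting between two dots.
    samples = ["docs/readme.txt", "../etc/passwd", ".\x01./etc/passwd", "/etc/passwd"]
    for s in samples:
        print(repr(s), "naive:", naive_is_safe(s), "hardened:", is_safe_member(s))
```

Rejecting a member is the right outcome for an extractor; silently rewriting the name to something "safe" hides the fact that the archive was crafted and makes the result depend on the rewrite rules rather than on the archive's contents.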
8/21/2003 - GDM
multiple vulnerabilities
Updated GDM packages are available which correct a bug allowing
local users to read any text files on the system, and a denial of
service issue if XDMCP is enabled.
http://www.linuxsecurity.com/advisories/redhat_advisory-3568.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request_at_linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo_at_attrition.org with 'unsubscribe isn'
in the BODY of the mail.
Received on Aug 25 2003