Information Security News mailing list archives

Linux Security Week, August 21, 2000 (fwd)


From: InfoSec News <isn () C4I ORG>
Date: Tue, 22 Aug 2000 02:08:41 -0500

Forwarded By: newsletter-admins () linuxsecurity com


+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  August 21, 2000                           Volume 1, Number 17      |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave () linuxsecurity com    |
|                   Benjamin Thomas         ben () linuxsecurity com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security
newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security
headlines and system advisories.

This week, advisories for xlockmore, zope, apache-ssl, cvsweb,
dhclient, perl, proftpd, and ntop were released.  Of these, proftpd,
dhclient and perl have root vulnerabilities.

-------------------
Sponsor:

Our sponsor this week is WebTrends.  Their Security Analyzer has the
most vulnerability tests available for Red Hat & VA Linux.  It uses
advanced agent-based technology, enabling you to scan your Linux
servers from your Windows NT/2000 console and protect them against
potential threats. Now with over 1,000 tests available.

http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version: http://www.linuxsecurity.com/newsletter.html


---------------------
Advisories This Week:
---------------------

* Conectiva:  xlockmore vulnerability
August 18th, 2000

Xlock is a screensaver with locking capabilities. It is a SUID root
program that drops its privileges as soon as possible, but the
encrypted user passwords remain in memory.

http://www.linuxsecurity.com/advisories/other_advisory-641.html


* Debian:  xlockmore vulnerability
August 17th, 2000

Xlock is a screensaver with locking capabilities. It is a SUID root
program that drops its privileges as soon as possible, but the
encrypted user passwords remain in memory. A format bug exists in the
processing of the -d command line option that could allow an attacker
to read these encrypted passwords.

http://www.linuxsecurity.com/advisories/debian_advisory-640.html


* Mandrake:  zope vulnerability
August 16th, 2000

A problem exists in the Zope package with the getRoles method of user
objects contained in the default UserFolder implementation.  Users
with the ability to edit DTML could arrange to give themselves extra
roles for the duration of a single request by mutating the roles list
as a part of the request process.

http://www.linuxsecurity.com/advisories/mandrake_advisory-639.html


* Conectiva:  zope vulnerability
August 16th, 2000

The issue involves the fact that the getRoles method of user objects
contained in the default UserFolder implementation returns a mutable
Python type. Because the mutable object is still associated with the
persistent User object, users with the ability to edit DTML could
arrange to give themselves extra roles for the duration of a single
request by mutating the roles list as a part of the request
processing.

http://www.linuxsecurity.com/advisories/other_advisory-638.html
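The Mandrake and Conectiva entries above describe the same root cause: getRoles returns the live, mutable roles list. The following added example (not Zope's code; the User and SafeUser classes and the request simulation are constructed for illustration) shows why handing out the stored list lets a caller widen its own roles within a request, and how returning an immutable snapshot closes that path:

```python
# Added example, not Zope's code: a minimal stand-in for a persistent
# User object in a UserFolder, in a vulnerable and a hardened form.
class User:
    """Stores roles as a list and returns that very list (vulnerable)."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = list(roles)

    def getRoles(self):
        # The caller receives the same list object the User stores, so
        # mutating the returned value mutates the user's effective roles.
        return self._roles


class SafeUser(User):
    """Same object, but getRoles hands back an immutable snapshot."""

    def getRoles(self):
        # Callers can still read the roles but cannot change the stored ones.
        return tuple(self._roles)


def has_role(user, role):
    """Authorization check as a request handler would perform it."""
    return role in user.getRoles()


def untrusted_request(user):
    """Simulates one request by a user who may only edit DTML.

    The untrusted part tries to add 'Manager' to whatever getRoles()
    returns; the handler then checks a Manager-only action in the same
    request. In this toy the mutation sticks until the object is
    discarded, which stands in for the request lifetime described above.
    """
    roles = user.getRoles()
    try:
        roles.append("Manager")  # succeeds on a list, fails on a tuple
    except AttributeError:
        pass
    return has_role(user, "Manager")


if __name__ == "__main__":
    print("vulnerable:", untrusted_request(User("alice", ["Member"])))
    print("hardened:  ", untrusted_request(SafeUser("alice", ["Member"])))
```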


* Trustix:  apache-ssl vulnerability
August 15th, 2000

Due to a typo in the rpm spec file for apache-ssl, /usr/sbin/httpsd on
a Trustix system will be installed with mode 756 instead of 755,
making a binary file that will be run by root world writable. It
should not be necessary to explain why this is an extremely bad thing.

http://www.linuxsecurity.com/advisories/other_advisory-637.html
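A post-install audit catches exactly this class of packaging mistake. The following added example (not Trustix's or apache-ssl's code; the file names and the temporary installation it builds are constructed) checks the files a package claims to own and reports any that are writable by "other", reproducing the 756-versus-755 condition on a throwaway copy:

```python
# Added example, not from the advisory: flag files a root-run package
# installed world-writable, the condition the spec-file typo produced.
import os
import stat
import tempfile


def world_writable(path):
    """Return (path, octal mode) if 'path' is writable by other, else None."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return None  # judge the link target on its own, not the symlink
    if st.st_mode & stat.S_IWOTH:
        return path, oct(stat.S_IMODE(st.st_mode))
    return None


def audit(paths):
    """Check every path a package owns; return the offending entries.

    On a real system you would feed this the package's file list (for an
    RPM, the output of rpm -ql) and also confirm the owner is root.
    """
    return [hit for hit in (world_writable(p) for p in paths) if hit]


def demo():
    """Constructed installation: one correct binary, one with the typo."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "httpd")
    bad = os.path.join(root, "httpsd")
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(good, 0o755)  # intended mode
    os.chmod(bad, 0o756)   # the typo: world-writable instead of world-executable
    return audit([good, bad])


if __name__ == "__main__":
    for path, mode in demo():
        print("world-writable:", path, mode)
```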


* FreeBSD:  zope vulnerability
August 14th, 2000

The zope port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
nearly 3700 third-party applications in a ready-to-install format. The
ports collection shipped with FreeBSD 3.5 contains this problem, but
FreeBSD 4.1 did not ship with the proftpd package (and the port was
disabled to prevent building) because the vulnerability was known but
not yet fixed.

http://www.linuxsecurity.com/advisories/freebsd_advisory-636.html


* FreeBSD:  cvsweb vulnerability
August 14th, 2000

The cvsweb port, versions prior to 1.86, contains a vulnerability
which allows users with commit access to a CVS repository monitored by
cvsweb to execute arbitrary code as the user running the cvsweb.cgi
script, which may be located on another machine where the committer
has no direct access. The vulnerability is that cvsweb does not
correctly process input obtained from the repository and is vulnerable
to embedding of commands in committed filenames. Such an action is
however usually highly visible in the CVS repository and provides an
audit trail of sorts for such abuses unless the committer has access
to modify the repository files directly to cover his or her tracks.

http://www.linuxsecurity.com/advisories/freebsd_advisory-635.html


* Trustix:  perl and mailx vulnerability
August 14th, 2000

Exploit code for this hole is "in the wild", so all people running
Trustix Secure Linux, especially on systems with untrusted local
users, should upgrade. The hole affects both releases 1.0x and 1.1;
users of 1.0x should use the updates from the 1.1 directory.

http://www.linuxsecurity.com/advisories/other_advisory-631.html


* FreeBSD: dhclient vulnerability
August 14th, 2000

The dhclient utility (DHCP client), versions 2.0pl2 and before (for
the version 2.x series), and versions 3.0b1pl16 and before (for the
version 3.x series) does not correctly validate input from the server,
allowing a malicious DHCP server to execute arbitrary commands as root
on the client. DHCP may be enabled if your system was initially
configured from a DHCP server at install-time, or if you have
specifically enabled it after installation.

http://www.linuxsecurity.com/advisories/freebsd_advisory-632.html


* FreeBSD:  proftpd vulnerability
August 14th, 2000

The proftpd port, versions prior to 1.2.0rc2, contains a vulnerability
which allows FTP users, both anonymous FTP users and those with a
valid account, to execute arbitrary code as root on the local machine,
by inserting string-formatting operators into command input, which are
incorrectly parsed by the FTP server.

http://www.linuxsecurity.com/advisories/freebsd_advisory-633.html


* FreeBSD:  ntop vulnerability
August 14th, 2000

The ntop software is written in a very insecure style, with many
potentially exploitable buffer overflows (including several
demonstrated ones) which could in certain conditions allow the local
or remote user to execute arbitrary code on the local system with
increased privileges.

http://www.linuxsecurity.com/advisories/freebsd_advisory-634.html


-----------------------
Top Articles This Week:
-----------------------

* Web Privacy: ActivatorDesk(tm) To Respond To Issues On CBS's 60
Minutes
August 18th, 2000

There is a new tool in the fight for web privacy. After viewing 60
Minutes Sunday August 13th, world-renowned inventor Roger Heath was
inspired to announce its pending release. It's called ActivatorDesk,
and with it you may automatically block advertisers from snooping on
you as you browse. You may also view and manage the cookies you
collect as you browse the web. "As I watched 60 Minutes I realized it
would frighten those watching, and I want everyone to know we have
been working on a solution," said Mr. Heath, "there is some light at
the end of the privacy tunnel."

http://www.linuxsecurity.com/articles/privacy_article-1398.html


* Do security holes demand full disclosure?
August 16th, 2000

Weld Pond writes "Every once in a while we need to step back and
reassess the effects of the release of detailed security information
and tools on the real world. And that's what happened recently at DEF
CON 8.0, the annual hacking conference held in Las Vegas."  Mr. Pond
offers a very good perspective.  While I for one am 100% for full
disclosure, I can see both sides of the argument.

http://www.linuxsecurity.com/articles/security_sources_article-1369.html


* Tracking your every move
August 15th, 2000

Robert O'Harrow writes: "A Boston technology firm is surreptitiously
tracking computer users across the Internet on behalf of
pharmaceutical companies, a practice that demonstrates the limits of a
recent agreement to protect the privacy of Web surfers."

http://www.linuxsecurity.com/articles/privacy_article-1361.html


* GAO calls for proactive Internet Security
August 18th, 2000

The Internet will never be fully secure, but diligence and a number of
safeguards applied by businesses and government could curb hackers'
access to proprietary information, a General Accounting Office
official said Wednesday.  "The Internet is not secure for a reason,"
said Rahul Gupta, assistant director in the Office of the Chief
Technologist at GAO. "It was designed to share information, not
protect it from something." Gupta addressed the American Institute of
Certified Public Accountants' national auditing update conference.

http://www.linuxsecurity.com/articles/general_article-1381.html


* Securing The Corporate Network
August 18th, 2000

Another security paper? That might be your initial response, but this
will not be just "another" expose of the ever increasing problems with
technological security in the computerized world. This is the final
word on how to maintain your sanity and save your organization from
feeling like a tennis ball at Wimbledon.

http://www.linuxsecurity.com/articles/general_article-1382.html


* Security : A daft assertion, or the insecurity of security
August 16th, 2000

An article appeared on the Silicon.com website in March in which a
"security expert" claimed that Linux was insecure because of the open
source nature of the code, a surprising if not astonishing claim. The
expert went on to claim that Unix in general was less secure than
other operating systems because of its more open nature, which, given
the modern history of computing, is curious to say the least. One has
to ask, are these experts serious?

http://www.linuxsecurity.com/articles/general_article-1362.html


* VPNs take center stage
August 15th, 2000

Virtual private networks merge IP technology with encryption to offer
significant cost savings on WAN traffic. Sure, you want a VPN.  It can
save you money. It can give you a better-meshed network. It can let
more people share your enterprise resources securely.

http://www.linuxsecurity.com/articles/network_security_article-1355.html


* Stupid, Stupid Protocols: Telnet, FTP, rsh/rcp/rlogin
August 14th, 2000

In this article, I start by discussing the weaknesses of each of
these absolutely horrid protocols. I then introduce secure shell (ssh)
and provide an in-depth guide to using it. Before some of you write
this off, realize that if you're still using passwords, you're not
using ssh's strongest method of authentication. User-level
public/private key authentication, somewhat similar to PGP signatures,
is powerful and safe. Combine this with ssh-agent, which implements
"single-signon," and you can save yourself hours a week, while
remaining secure.

http://www.linuxsecurity.com/articles/network_security_article-1343.html


* Is a Firewall Enough?
August 14th, 2000

Erick Lee writes:  "Is a firewall enough to provide security to your
network? The answer is no. A common misconception is that firewalls
recognize attacks and block them.  In fact, firewalls perform only
limited, specific functions in network security."

http://www.linuxsecurity.com/articles/network_security_article-1344.html


* Feds certify lab to test security apps
August 18th, 2000

The government has certified CygnaCom Solutions Inc.'s Security
Evaluation Laboratory to test information security software to assure
users that security products perform the functions that vendors claim.

http://www.linuxsecurity.com/articles/government_article-1386.html


* Guardian Digital Introduces The Linux Lockbox Secure E-Business
Solution
August 16th, 2000

Guardian Digital, Inc.(tm), the expert in open source security
solutions, today announced the availability of the Linux Lockbox(tm),
a secure turnkey e-business server. With the release of the Linux
Lockbox, Guardian Digital has become the first company to market a
complete open-source alternative to proprietary security solutions for
e-business.

http://www.linuxsecurity.com/articles/vendors_products_article-1367.html


* OpenSales Announces Open Source E-Commerce Security Alliance with
Guardian Digital
August 16th, 2000

OpenSales, Inc., the leading provider of open source e-commerce
applications, today announced that its freely available OpenSales
AllCommerce(tm) application suite has been bundled with the Linux
LockBox(tm), a secure, turnkey e-business server manufactured by
Guardian Digital, Inc.(tm), the expert in open source security
solutions.

http://www.linuxsecurity.com/articles/vendors_products_article-1368.html


* Crypto-Gram August 15, 2000
August 15th, 2000

In this month's newsletter, Bruce Schneier covers digital security in a
networked world, Java security, quantum cryptography, and Bluetooth.
I'm a very big fan of Bluetooth and what it has to offer the technical
community but am a little bit concerned about all of my data going
wireless.  Whether you don't know anything about cryptography or are a
crypto professional, this newsletter is always a very good read.

http://www.linuxsecurity.com/articles/cryptography_article-1349.html


* Wireless Web privacy hole still wide open
August 18th, 2000

Mobile phone Web surfers from several service providers discovered
last March that their wireless Web services were distributing their
phone numbers to Web sites without telling them. The disclosure
enraged privacy advocates and prompted at least one company--Sprint
PCS--to promise quick changes.

http://www.linuxsecurity.com/articles/privacy_article-1383.html


* Open source to change the face of software says report
August 18th, 2000

Proprietary software vendors are "mercenary developers" versus open
source revolutionaries according to Forrester.  Open source ideas will
change the face of the software industry by the year 2004, according
to new research published by research company Forrester.

http://www.linuxsecurity.com/articles/general_article-1385.html


* Democrats champion privacy
August 17th, 2000

Honing in on the controversy now surrounding privacy, Democratic
operatives on Wednesday at the Los Angeles convention will aim to
point out the difference between the two political parties on the
hot-button issue.  Although offering few details ahead of the
scheduled discussion, U.S. Rep. Jay Inslee, of Washington, announced
that he -- along with Washington's Attorney General Christine Gregoire
and others -- will host a discussion on privacy.

http://www.linuxsecurity.com/articles/privacy_article-1377.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".