Information Security News mailing list archives
Linux Advisory Watch - July 25th 2003
From: InfoSec News <isn () c4i org>
Date: Mon, 28 Jul 2003 05:33:34 -0500 (CDT)
+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| July 25th, 2003 Volume 4, Number 29a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave () linuxsecurity com ben () linuxsecurity com
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilitiaes that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for apache, kernel, nfs-utils, cups,
phpgroupware, fdclone, several, gnupg, phpgroupware, mpg123, mozilla,
semi, ethereal, and xpdf. The distributors include Conectiva, Debian,
Guardian Digital's EnGarde Linux, Gentoo, Mandrake, Red Hat, Trustix,
TurboLinux, and YellowDog Linux.
When a child wants to get a candy bar at a local market, what normally
happens? Most often, the child pleads a case to his/her parents and hopes
for the best. If he/she is well behaved, the child may get the candy bar.
However, if the child has recently been disobedient, the parent would
probably refuse to buy it. How does this relate to information security?
A healthy security budget can be considered your candy bar. It can be
difficult to lock down a security budget. In today.s sluggish economy,
all money spent must be fully justified and approved. How can decision
makers in an organization be persuaded to spend adequate money on
security?
Decision makers in an organization need justification for every project.
Rather than using FUD for persuasion, it can be more effective to prepare
a business case for each project. For example, if an upgrade to the
current email server farm is seriously needed to better manage Spam and
Viruses, a business case would be helpful to provide proper justification.
Writing one forces the proper amount of research and consideration of
alternatives.
What is normally found in a business case? Generally, an executive
summary is the first major section included. It should be no more than a
single type written page, and summarize all information found in the
remaining portion of the document. It is advisable to write the executive
summary last. Next, it is logical to include an introduction section.
This section should provide background information, the purpose of the
particular business case, and information regarding the subject matter.
It is a good idea to provide a bulleted list with key goals & objectives,
and discuss organizational environmental factors. The analysis portion of
the newsletter should follow. It should include an explanation of the
project goals & objectives, the scope, justification of business risks,
and alternative solutions. Finally, the business case should include a
section on business impact. This should include benefits, a high-level
ROI analysis, proposed time frame, and a listing of project risks.
Business cases can be written many different ways. It is most important
that the audience is considered. More information can on writing business
cases can be found on Google. Also, if you contact me, I can point you to
several helpful resources.
Until next time,
Benjamin D. Thomas
ben () linuxsecurity com
==> INTRODUCING: Secure Mail Suite from Guardian Digital <==
Unparalleled E-Mail Security. Secure Mail Suite is the most Dynamic,
Rigorous Protection for Your Email System on the market today. It Clobbers
Spam. Detects and Disables Viruses. And its Killer Firewall Keeps Your
Data -- and Your System and Safe and Secure. All in an Easy-to-Manage
Application that's Simple to Administer and Maintain.
Secure Mail Suite is Guardian Digital's Optimum Solution to Mail Security.
It's based on Open-Source Engineering, so it's constantly Improving. And
with Guardian Digital Engarde Support, Secure Mail Suite Stays On Guard
for You -- for Many Reliable Years.
Secure Mail Suite. Sweet!
From the First Name in Open-Source Security. Guardian Digital.
--> http://guardiandigital.com/cgi-bin/ad_redirect.pl?id=mailnews2
REVIEW: Linux Security Cookbook
There are rarely straightforward solutions to real world issues,
especially in the field of security. The Linux Security Cookbook is an
essential tool to help solve those real world problems. By covering
situations that apply to everyone from the seasoned Systems Administrator
to the security curious home user, the Linux Security Cookbook
distinguishes itself as an indispensible reference for security oriented
individuals.
http://www.linuxsecurity.com/feature_stories/feature_story-145.html
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
--------------------------------------------------------------------
FREE Apache SSL Guide from Thawte <<
Are you worried about your web server security? Click here to get a FREE Thawte Apache SSL Guide and find the answers to all your Apache SSL security needs. Click Command: http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte25 -------------------------------------------------------------------- FEATURE: Real-Time Alerting with Snort Real-time alerting is a feature of an IDS or any other monitoring application that notifies a person of an event in an acceptably short amount of time. The amount of time that is acceptable is different for every person. http://www.linuxsecurity.com/feature_stories/feature_story-144.html +---------------------------------+ | Distribution: Conectiva | ----------------------------// +---------------------------------+ 7/22/2003 - nfs-utils buffer overflow vulnerability denial of service vulnerability http://www.linuxsecurity.com/advisories/connectiva_advisory-3482.html 7/22/2003 - kernel multiple vulnerabilities http://www.linuxsecurity.com/advisories/connectiva_advisory-3483.html 7/22/2003 - cups multiple vulnerabilities http://www.linuxsecurity.com/advisories/connectiva_advisory-3484.html 7/24/2003 - phpgroupware XSS vulnerability http://www.linuxsecurity.com/advisories/connectiva_advisory-3486.html 7/24/2003 - apache denial of service vulnerability http://www.linuxsecurity.com/advisories/connectiva_advisory-3487.html +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ 7/24/2003 - fdclone insecure tmp file vulnerability http://www.linuxsecurity.com/advisories/debian_advisory-3488.html +---------------------------------+ | Distribution: EnGarde | ----------------------------// +---------------------------------+ 7/24/2003 - several local 'kernel' vulnerabilities http://www.linuxsecurity.com/advisories/engarde_advisory-3485.html +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ 7/19/2003 - gnupg Unauthorized acess http://www.linuxsecurity.com/advisories/gentoo_advisory-3475.html 7/19/2003 - nfs-utils Denial of service Unauthorized acess http://www.linuxsecurity.com/advisories/gentoo_advisory-3476.html +---------------------------------+ | Distribution: Mandrake | ----------------------------// +---------------------------------+ 7/24/2003 - phpgroupware multiple vulnerabilities http://www.linuxsecurity.com/advisories/mandrake_advisory-3489.html 7/24/2003 - xpdf arbitrary command execution vulnerability http://www.linuxsecurity.com/advisories/mandrake_advisory-3490.html 7/24/2003 - mpg123 denial of service vulnerability http://www.linuxsecurity.com/advisories/mandrake_advisory-3491.html +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ 7/21/2003 - 2.4 kernel mulitple vulnerabilities denial of service vulnerability http://www.linuxsecurity.com/advisories/redhat_advisory-3477.html 7/21/2003 - mozilla heap overflow vulnerability http://www.linuxsecurity.com/advisories/redhat_advisory-3478.html 7/24/2003 - semi arbitrary code execution vulnerability http://www.linuxsecurity.com/advisories/redhat_advisory-3493.html +---------------------------------+ | Distribution: Trustix | ----------------------------// +---------------------------------+ 7/18/2003 - 'nfs-utils' Denial of Service arbitrary code execution vulnerability http://www.linuxsecurity.com/advisories/trustix_advisory-3472.html +---------------------------------+ | Distribution: TurboLinux | ----------------------------// +---------------------------------+ 7/24/2003 - nfs-utils off-by-one vulnerability arbitrary code execution vulnerability http://www.linuxsecurity.com/advisories/turbolinux_advisory-3492.html +---------------------------------+ | Distribution: YDL | ----------------------------// +---------------------------------+ 7/18/2003 - nfs-utils Buffer overflow vulnerability arbitrary code execution vulnerability http://www.linuxsecurity.com/advisories/yellowdog_advisory-3473.html 7/18/2003 - ethereal Multiple vulnerabilities http://www.linuxsecurity.com/advisories/yellowdog_advisory-3474.html 7/24/2003 - semi arbitrary code execution vulnerability http://www.linuxsecurity.com/advisories/yellowdog_advisory-3494.html 7/24/2003 - xpdf arbitrary command execution vulnerability http://www.linuxsecurity.com/advisories/yellowdog_advisory-3495.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request () linuxsecurity com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
Current thread:
- Linux Advisory Watch - July 25th 2003 InfoSec News (Jul 28)