Linux Advisory Watch - January 16th 2004

[InfoSec News <isn () c4i org>]

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  January 16th, 2004                        Volume 5, Number 3a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave () linuxsecurity com     ben () linuxsecurity com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for phpgroupware, kernel, jitterbug,
ethereal, kdepim, cvs, kdepim, and tcpdump.  The distributors include
Debian, Gentoo, Mandrake, Red Hat, Slackware, SuSE, and Trustix.

Implementing any large security project on the Linux operating system
requires the use of cryptography.  Several weeks ago, I wrote about a book
by Fred Piper and Sean Murphy titled, "Cryptography: A Very Short
Introduction."  It offers a very good introduction to the subject, but
those wishing to implement cryptography in an open source projects need a
more in-depth understanding of the area.  Another excellent resource is
the "Handbook of Applied Cryptography," by Menezes, Oorschot, and
Vanstone.  It has often been considered "the bible of cryptography" and
offers a detailed and technical view.

The first several chapters of the book focus on the basics. It gives an
overview and history of cryptography and follows with an explanation of
the mathematics necessary to understand the algorithms.  Midway through
the book, it gives detailed information to help the reader understand
stream ciphers, block ciphers, and finally public key encryption. After
the reader has an understanding of the algorithms, the book moves to
explain how they can be used in key establishment protocols.  It also
offers chapters on key management and tips for efficient implementation.

For the long time manager, this book may be slightly on the technical
side.  However, there are clear benefits for management having an
understanding of technical subjects. Cryptography today offers a very
strong level of protection. It only fails in implementation.  For example,
keys are not properly protected or managed.  For those of you wishing to
learn a little more about the fascinating subject of cryptography, I
highly recommend this book.

Perhaps the best part is that the book is available fully for free on the
Web:

 http://www.cacr.math.uwaterloo.ca/hac/

Hard-copies of the book can also be purchased through Amazon or any other
large bookseller.

When any company decides to take on a in-house software development
project, it is essential to include cryptographic mechanisms.  Books such
as this, can give programmers the proper knowledge necessary to understand
how cryptography works and how to avoid problems.

Until next time, cheers!
Benjamin D. Thomas
ben () linuxsecurity com

---

Managing Linux Security Effectively in 2004

This article examines the process of proper Linux security management in
2004.  First, a system should be hardened and patched.  Next, a security
routine should be established to ensure that all new vulnerabilities are
addressed.  Linux security should be treated as an evolving process.

http://www.linuxsecurity.com/feature_stories/feature_story-157.html

--------------------------------------------------------------------

CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
thanks to the depth of its security strategy..." Find out what the other
Linux vendors are not telling you.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

--------------------------------------------------------------------

FEATURE: OSVDB: An Independent and Open Source Vulnerability Database This
article outlines the origins, purpose, and future of the Open Source
Vulnerability Database project. Also, we talk to with Tyler Owen, a major
contributor.

http://www.linuxsecurity.com/feature_stories/feature_story-156.html

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 1/9/2004 - phpgroupware
   Multiple vulnerabilities

   Improper remote execution and SQL code injection issues.
   http://www.linuxsecurity.com/advisories/debian_advisory-3938.html

 1/9/2004 - kernel
   Priv. Escal. additional patches

   Since DSA 417-1 lacked fixed kernel image files for the alpha
   architecture these are added now.
   http://www.linuxsecurity.com/advisories/debian_advisory-3939.html

 1/12/2004 - jitterbug
   Improper input sanatizing

   Allows an attacker to execute arbitary commands on server hosting
   bug database.
   http://www.linuxsecurity.com/advisories/debian_advisory-3941.html

 1/12/2004 - mod-auth-shadow Account expiration not enforced
   Improper input sanatizing

   In this Apache module, expiration status of the user's account and
   password were not enforced.
   http://www.linuxsecurity.com/advisories/debian_advisory-3943.html

 1/15/2004 - cvs
   Multiple vulnerabilities

   Anyone who could modify the CVSROOT/passwd could gain access to
   all local users on the CVS server, including root.
   http://www.linuxsecurity.com/advisories/debian_advisory-3948.html

 1/15/2004 - kernel-image-2.4.17-ia64 Many backported vuln fixes
   Multiple vulnerabilities

   The IA-64 maintainers fixed several security related bugs in the
   Linux kernel 2.4.17 used for the IA-64 architecture, mostly by
   backporting fixes from 2.4.18.
   http://www.linuxsecurity.com/advisories/debian_advisory-3949.html


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 1/9/2004 - kernel
   Privilege escalation vulnerability

   A critical security vulnerability has been found in recent Linux
   kernels which allows for local privilege escalation.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3936.html


+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 1/13/2004 - ethereal
   Multiple DoS vulernabilities

   Two vulnerabilities can be exploited to make Ethereal crash.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3944.html

 1/15/2004 - kdepim
   Permission leak vulnerability

   This vulnerability allows for a carefully crafted .VCF file to
   enable a local attacker to execute arbitrary commands with the
   victim's privileges.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3953.html


+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 1/12/2004 - cvs
   Chroot breakout vulnerability

   cvs can attempt to create files and directories in the root file
   system
   http://www.linuxsecurity.com/advisories/redhat_advisory-3942.html

 1/14/2004 - kdepim
   Buffer overflow vulnerability

   Updated kdepim packages are now available that fix a local buffer
   overflow vulnerability.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3946.html

 1/14/2004 - tcpdump
   Denial of service vulnerability

   Crafted remote packets can result in a denial of service, or
   possibly execute arbitrary code as the 'pcap' user.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3947.html


+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 1/9/2004 - kernel
   Priv. Escal. patch for 8.1

   There is a bounds-checking problem in the kernel's mremap() call
   which could be used by a local attacker to gain root privileges.
   http://www.linuxsecurity.com/advisories/slackware_advisory-3937.html

 1/15/2004 - INN
   Buffer overflow vulnerability

   Upgrade to inn-2.4.1 to fix a potentially exploitable buffer
   overflow.
   http://www.linuxsecurity.com/advisories/slackware_advisory-3951.html

 1/15/2004 - kdepim
   Permission leak vulnerability

   A carefully crafted .VCF file enables local attackers to execute
   arbitrary commands with the victim's privileges.
   http://www.linuxsecurity.com/advisories/slackware_advisory-3952.html


+---------------------------------+
|  Distribution: Suse             | ----------------------------//
+---------------------------------+

 1/14/2004 - tcpdump
   Denial of service vulnerability

   There is a remote DoS condition in tcpdumps ISAKMP handling.
   http://www.linuxsecurity.com/advisories/suse_advisory-3945.html

 1/15/2004 - kernel
   Many vulnerabilities fixed for 64bit

   Fixes vulnerabilities that can be used to gain root privilages.
   http://www.linuxsecurity.com/advisories/suse_advisory-3950.html


+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 1/15/2004 - tcpdump
   Denial of Service vulnerability

   A problem in tcpdump was discovered, where it was possible to
   crash the program by sending carefully crafted packets on the
   network.
   http://www.linuxsecurity.com/advisories/trustix_advisory-3954.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.