Linux Advisory Watch – March 12, 2004

18

Author: Benjamin D. Thomas

This week, advisories were
released for the Linux kernel, sysstat, mailman, coreutils, libxml2, mozilla,
and kdelibs. The distributors include Debian, Fedora, Gentoo, Mandrake, OpenBSD,
Red Hat, and Trustix.

Lies, Damn Lies,
and Statistics

The recent study released by a British
security firm has caused a lot of controversy. The report concluded that Linux
is the “most-breached” operating system, OS X was the least, and Windows somewhere
floated in the middle. Like clockwork, many IT journalists used the report as
a basis for articles. Headlines such as “Apple OS X Server is most secure system”
and “Apple Servers The Most Secure” tend to distort the truth. Most took the
report literally and failed to question the methods used to gather the statistics.
In the mean time, the security firm that released the report has gained a lot
of exposure because of its controversial findings.

I’m not writing this to dispute
or agree with the conclusions. The debate has been going on for a while and
it would be pointless to rehash the arguments already out there. My biggest
concern is realized when technologically naive management gets ahold of this
information. Rather than fully understanding the information presented, decisions
are made using distorted headlines. This week, platform X is most secure, next
week it will be platform Y. This type of analysis seems to imply that there
is a magic security silver bullet. Rather than responsible administration, it
implies that security is wholly attributed to choice of software.

Security is extremely hard to measure.
Quantifying security in terms of ‘most-breached’ or ‘most hacked’ is flawed
because it does not take administration faults into account. Some administrators
are very pro-active and can keep a server from being compromised, others are
negligent a leave vulnerabilities open.

As security practitioners
or system administrators we should not focus on flawed reports, but rather concentrate
on security best practices. In the real world, statistics of this sort provide
little benefit because we all have legacy systems to maintain. Appropriate time
should be spend applying security patches and verifying each system is configured
properly. Rather than asking, “Which system is more secure?” Administrators
should ask, “Which system will provide the most security flexibility?” “Which
operating system provides the fastest updates?”

Until next time, cheers!
Benjamin D. Thomas

LinuxSecurity
Feature Extras:

Innovative
Open Source Approach to Combating Email Threats

– Guardian Digital, the world’s premier open source security company, has
introduced Content and Policy Enforcement (CAPE) technology, an innovative
open source software system for securing enterprise email operations.

Interview
with Vincenzo Ciaglia, Founder of Netwosix

– In this article, a brief introduction of Netwosix is given and the project
founder Vincenzo Ciaglia is interviewed. Netwosix is light Linux distribution
for system administrators and advanced users.

Introduction
to Netwox and Interview with Creator Laurent Constantin

– In this article Duane Dunston gives a brief introduction to Netwox, a combination
of over 130 network auditing tools. Also, Duane interviews Laurent Constantin,
the creator of Netwox.

[ Linux
Advisory Watch
] – [ Linux
Security Week
] – [ PacketStorm
Archive
] – [ Linux Security
Documentation
]

 

Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

[ Subscribe
]

 

 
Distribution: Debian
  3/8/2004 kernel
    2.2.19
Privilege escalation vulnerability

This is the Kernel 2.2.19 backported version of the mremap fix that prevents
a local root exploit.

Advisory

 
  3/9/2004 wu-ftpd
Multiple vulnerabilities
    2.2.19
Privilege escalation vulnerability

These vulnerabilities allow a malicious user to bypass directory access
restrictions and execute arbitrary code.

Advisory

 
  3/10/2004 python2.2
Buffer overflow vulnerability
    2.2.19
Privilege escalation vulnerability

A crafted IPv6 address can overwrite memory in the stack.

Advisory

 
  3/10/2004 sysstat
    Insecure
temporary file vulnerabilty

Crafted symlinks can be used to make systat write to/read from arbitrary
files.

Advisory

 
 
Distribution: Fedora
  3/5/2004 mailman
    Cross
posting vulnerability

A cross-site scripting bug in the ‘create’ CGI script affects versions of
Mailman 2.1 before 2.1.3.

Advisory

 
  3/5/2004 util-linux
Information leak vulnerability
    Cross
posting vulnerability

Fixed information leak in login program.

Advisory

 
  3/11/2004 coreutils
    Integer
overflow vulnerability

An integer overflow in ls in the fileutils or coreutils packages may allow
local users to cause a denial of service or execute arbitrary code.

Advisory

 
 
Distribution: Gentoo
  3/8/2004 libxml2
    Buffer
overflow vulnerability

Bug may be exploited by an attacker allowing the execution of arbitrary
code.

Advisory

 
  3/8/2004 kernel
    2.4.x
Privilege escalation vulnerabilty

Exploitation of this bug can allow a local user to run arbitrary code as
root.

Advisory

 
 
Distribution: Mandrake
  3/10/2004 python2.2
Buffer overflow vulnerability
    2.4.x
Privilege escalation vulnerabilty

A crafted IPv6 address can overwrite stack memory with executable code.


Advisory

 
  3/10/2004 gdk-pixbuf
Denial of service vulneraiblity
    2.4.x
Privilege escalation vulnerabilty

A malicious BMP file can crash the Evolution mail client.

Advisory

 
  3/10/2004 mozilla
    Multiple
vulnerabilities

Various serious vulnerabilities allow remote code execution and the reading
of authentication information with one’s proxy.

Advisory

 
  3/10/2004 kdelibs
    Path restriction
escape vulnerability

Exploitation of this bug allows attacker to escape path restrictions specified
by cookie originator.

Advisory

 
 
Distribution: OpenBSD
  3/9/2004 tcp/ip
Denial of service vulnerability
    Path restriction
escape vulnerability

Vulnerability allows remotely triggered denial of service.

Advisory

 
 
Distribution: Red
Hat
  3/9/2004 wu-ftpd
Multiple vulnerabilities
    Path restriction
escape vulnerability

These vulnerabilities allow the escape of home-directory restrictions and
the execution of arbitrary code.

Advisory

 
  3/10/2004 kdelibs
    Path restriction
escape vulnerability

Attacker can escape path restrictions set by cookie originator.

Advisory

 
  3/10/2004 Sysstat
    Insecure
temporary file vulnerability

Using symlinks, this bug can be exploited to cause Sysstat to write to/read
from arbitrary files.

Advisory

 
  3/10/2004 gdk-pixbuf
Denial of service vulnerability
    Insecure
temporary file vulnerability

Malformed BMP file can segfault mail reader.

Advisory

 
 
Distribution: Trustix
  3/8/2004 nfs-utils
Denial of service vulnerability
    Insecure
temporary file vulnerability

Certain incorrect DNS setups would cause rpc.mountd to crash, resulting
in a remote DoS of the DNS client at mount time.

Advisory

 
  3/8/2004 libxml2
    Buffer
overflow vulnerability

URLs longer than 4096 bytes would cause an overflow while using nanohttp
in libxml2.

Advisory