This week, advisories were released for lynx, zblast, perl, kernel,
signal, iBCS2, ddskk, konquerer, man-db, xpcd, stunnel, postfix,
and php. The distributors include Conectiva, Debian, FreeBSD,
Gentoo, Red Hat, SuSe, Trustix, and TurboLinux.
For many, it has been an eventful week. Blaster has affected nearly every windows
users on the net. Although I’m sure many Linux administrators smirked while
saying “not my servers,� an equal number had “to deal with it.� Whether you
maintain Windows boxes or not, there are several lessons to be learned. First,
as most readers of this newsletter are already aware, patching is critical.
Also, incident preparation is extremely important. It is important to develop
a weekly schedule where time can be allocated for regular server maintenance.
Also, a documented set of incident procedures should be written. It is important
to have emergency contacts and system procedures documented before an incident
so that damage can be minimized.
Last week I reviewed the O’Reilly book, Secure Coding: Principles & Practices. I received several emails about the book including one from David Wheeler, author of the “Secure Programming for Linux and Unix HOWTO.� Because I’ve found this document helpful in the past, I thought that I should share it with you. The latest PDF version of the document is 168 pages, written in twelve chapters. It is distributed under the GNU Free Documentation License, therefore copying and distributing is perfectly legal. In the past, I’ve sent previous versions of this document to friends who are full time software developers. Everyone that has read this document has been impressed.
The HOWTO includes chapters on input validation, avoiding buffer overflows, using system resources, as well as special topics include passwords, random numbers, cryptography, and authentication. The book also includes a chapter with specific information for popular languages such as C/C++, PERL, python, shell, Ada, Java, Tcl, and PHP.
This HOWTO is worth the bandwidth! Download
it! It is a great addition to last week’s book because it focuses
on many specific issues. If you have a problem related to secure program to
solve, this is definitely one of the first places you should check.
Until next time,
Benjamin D. Thomas
LinuxSecurity Feature
Extras:
Expert
vs. Expertise: Computer Forensics and the Alternative OS – No longer
a dark and mysterious process, computer forensics have been significantly
on the scene for more than five years now. Despite this, they have only recently
gained the notoriety they deserve.REVIEW:
Linux Security Cookbook – There are rarely straightforward solutions
to real world issues, especially in the field of security. The Linux Security
Cookbook is an essential tool to help solve those real world problems. By
covering situations that apply to everyone from the seasoned Systems Administrator
to the security curious home user, the Linux Security Cookbook distinguishes
itself as an indispensible reference for security oriented individuals.[ Linux
Advisory Watch ] – [ Linux
Security Week ] – [ PacketStorm
Archive ] – [ Linux Security
Documentation ]
Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability. [ Subscribe
]
| Distribution: | Conectiva | |||
| 8/11/2003 | lynx | |||
| CRLF injection vulnerability
Ulf Harnhammar reported a CRLF injection vulnerability in lynx. |
||||
| Distribution: | Debian | |||
| 8/8/2003 | ‘man-db’ vulnerability | |||
| CRLF injection vulnerability
The previous man-db update (DSA-364-1) introduced an error whichresulted |
||||
| 8/8/2003 | ‘xtokkaetama’ buffer overflow | |||
| CRLF injection vulnerability
Another buffer overflow was discovered in xtokkaetama, involving the”-nickname” |
||||
| 8/8/2003 | ‘xpcd’ buffer overflow | |||
| CRLF injection vulnerability
Steve Kemp discovered a buffer overflow in xpcd-svga which can betriggered |
||||
| 8/11/2003 | zblast | |||
| buffer overflow vulnerability
Steve Kemp discovered a buffer overflow in zblast-svgalib, when savingthe |
||||
| 8/11/2003 | pam-pgsql format string vulnerability | |||
| buffer overflow vulnerability
There is a vulnerability in pam-pgsql whereby theusername to be used for |
||||
| 8/9/2003 | kdelibs-crypto multiple vulnerabilities | |||
| buffer overflow vulnerability
There are multiple vulnerabilities in kdelibs. |
||||
| 8/11/2003 | perl | |||
| CGI.pm XSS vulnerability
A cross-site scripting vulnerability exists in the start_form()function |
||||
| 8/14/2003 | kernel | |||
| oops
This advisory provides a correction to the previous kernel updates,which |
||||
| Distribution: | FreeBSD | |||
| 8/11/2003 | signal | |||
| kernel vulnerability
Some mechanisms for causing a signal to be sent did not properlyvalidate |
||||
| 8/11/2003 | iBCS2 | |||
| kernel vulnerability
The iBCS2 system call translator for statfs erroneously used theuser-supplied |
||||
| 8/12/2003 | kernel | |||
| signal vulnerability
Some mechanisms for causing a signal to be sent did not properlyvalidate |
||||
| Distribution: | Gentoo | |||
| 8/14/2003 | multiple | |||
| vulnerabilities
There are multiple vulnerabilities in Gentoo Linux source tree. |
||||
| Distribution: | Red Hat | |||
| 8/8/2003 | ‘up2date’ gpg signature verification vulnerability | |||
| vulnerabilities
up2date versions 3.0.7 and 3.1.23 incorrectly check RPM GPG signatures. |
||||
| 8/11/2003 | ddskk | |||
| tmp file vulnerability
ddskk does not take appropriate security precautions when creatingtemporary |
||||
| 8/11/2003 | konquerer | |||
| information disclosure vulnerability
Konqueror may inadvertently sendauthentication credentials to websites other |
||||
| Distribution: | SuSe | |||
| 8/12/2003 | kernel | |||
| multiple vulnerabilities
There are multiple vulnerabilities in the kernel. |
||||
| Distribution: | Trustix | |||
| 8/8/2003 | ‘stunnel’ DoS vulnerability | |||
| multiple vulnerabilities
Stunnel prior to 3.25 and 4.04 has an error in the SIGCHILD handling code |
||||
| 8/8/2003 | ‘postfix’ DoS vulnerability | |||
| multiple vulnerabilities
This patch fixes a denial of service condition in the Postfix smtpd, qmgr, |
||||
| Distribution: | TurboLinux | |||
| 8/13/2003 | php | |||
| XSS vulnerability
An attacker could use this vulnerability to execute embedded scripts within |
||||
Category:
- Security
