This week, advisories were released for openslp, zip, netris, autorespond, unzip,
eroaster, and GDM. The distributors include Conectiva, Debian, Mandrake, and Red
The United States National Institute of Standards and Technology recently released
the second draft of the "Guide for the Security Certification and Accreditation of
Federal Information Systems." It is currently in its second public comment period,
which ends August 31st, 2003. Although the document is intended for use by
government agencies, it is easily applicable to organizations of other types. As
information security becomes a more important function of conducting business,
there is an ever-increasing need for standards and methodologies. This document is
an excellent starting point for those interested in creating an organization-wide
information security program and/or certification and accreditation (C&A)
procedures.
The document begins with an introduction to the concept of certification and
accreditation. It covers the system development life cycle, component evaluation,
and assessment activities, as well as other important information. Next, the
document surveys the fundamentals of C&A, including roles and responsibilities,
information system categories, documentation, and monitoring. Overall, the first
two chapters provide a very good overview of the base knowledge required to set up
a certification and accreditation program in your organization.
The final chapter walks readers through the entire C&A process. It covers
initiation, certification, accreditation, and finally monitoring. This chapter
gives readers a very good indication of the work required to implement a C&A
program. In addition, after reading this chapter the importance of beginning the
C&A process becomes apparent.
In addition to clear and informative writing, the document also provides many
easy-to-read diagrams. The illustrations help readers more easily visualize the
authors' intentions. If you haven't had a chance to take a look at this document,
I highly recommend it. The information is valuable and freely available. The
entire document can be found at the following URL:
Until next time,
Benjamin D. Thomas
vs. Expertise: Computer Forensics and the Alternative OS - No longer
a dark and mysterious process, computer forensics has been a significant presence
on the scene for more than five years now. Despite this, it has only recently
gained the recognition it deserves.
Linux Security Cookbook - There are rarely straightforward solutions
to real-world issues, especially in the field of security. The Linux Security
Cookbook is an essential tool to help solve those real-world problems. By
covering situations that apply to everyone from the seasoned system administrator
to the security-curious home user, the Linux Security Cookbook distinguishes
itself as an indispensable reference for security-oriented individuals.
Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
Distribution: Conectiva

openslp symbolic link vulnerability
There is a symbolic link vulnerability in the initscript used to control
the openslp daemon.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3563.html

8/21/2003 zip directory traversal vulnerability
This is a reedition of the announcement CLSA-2003:672.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3564.html

Distribution: Debian

8/17/2003 netris buffer overflow vulnerability
A netris client connecting to an untrusted netris server could be sent an
unusually long data packet, which would be copied into a fixed-length buffer.
http://www.linuxsecurity.com/advisories/debian_advisory-3559.html

8/16/2003 autorespond buffer overflow vulnerability
This vulnerability could potentially be exploited by a remote attacker to
gain the privileges of a user who has configured qmail to forward messages
http://www.linuxsecurity.com/advisories/debian_advisory-3560.html

8/18/2003 man-db denial of service vulnerability (buffer overflow)
This update introduced an error in the routine that resolves hardlinks: depending
on the filenames of hardlinked manpages, that routine might itself overrun
allocated memory, causing a segmentation fault.
http://www.linuxsecurity.com/advisories/debian_advisory-3565.html

Distribution: Mandrake

8/21/2003 unzip arbitrary file overwrite vulnerability
A vulnerability was discovered in unzip 5.50 and earlier that allows attackers
to overwrite arbitrary files during archive extraction by placing non-printable
characters between two "." characters.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3566.html

8/21/2003 eroaster tmp file creation vulnerability
A vulnerability was discovered in eroaster where it does not take any security
precautions when creating a temporary file for the lockfile.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3567.html

Distribution: Red Hat

8/15/2003 unzip Trojan vulnerability
Updated unzip packages resolving a vulnerability allowing arbitrary files to
be overwritten are now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-3561.html

8/21/2003 GDM multiple vulnerabilities
Updated GDM packages are available which correct a bug allowing local users to
read any text files on the system, and a denial of service issue if XDMCP
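The unzip entries above (Mandrake and Red Hat) describe the same class of bug: an archive member name containing non-printable characters between two "." characters slips past the ".." check, and a later cleanup pass collapses it into a real "../". The following is an added illustration written for this newsletter, not unzip's own code: vulnerable_target() reproduces the broken order of operations (check, then clean), safe_target() cleans first and then verifies that the resolved path stays inside the extraction directory. The archive entry names, the extraction directory and the cleanup rule (drop any character that is not printable) are constructed assumptions for the demonstration.

```python
"""Directory traversal through a check/cleanup ordering bug (added example)."""
import posixpath
from typing import Optional


def strip_nonprintable(name: str) -> str:
    """Cleanup pass assumed for the example: drop control characters from a name."""
    return "".join(ch for ch in name if ch.isprintable())


def vulnerable_target(dest_dir: str, entry_name: str) -> Optional[str]:
    """Broken order: reject '..' components first, clean the name afterwards.

    '.\x01.' is not '..' at check time, but becomes '..' once the control
    character is stripped, so the final path escapes dest_dir.
    """
    if ".." in entry_name.split("/"):
        return None  # the only traversal the check knows about
    cleaned = strip_nonprintable(entry_name)
    return posixpath.normpath(posixpath.join(dest_dir, cleaned))


def safe_target(dest_dir: str, entry_name: str) -> Optional[str]:
    """Correct order: clean first, then prove the result stays under dest_dir.

    Leading '/' is stripped so absolute member names cannot escape either, and
    the containment test is done on the normalised path, not on the raw name.
    """
    cleaned = strip_nonprintable(entry_name).lstrip("/")
    root = posixpath.normpath(dest_dir)
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    if candidate != root and not candidate.startswith(root + "/"):
        return None  # would land outside the extraction directory
    return candidate


if __name__ == "__main__":
    # Constructed malicious member name: two '.\x01.' components.
    evil = ".\x01./.\x01./etc/passwd"
    print("vulnerable:", vulnerable_target("/tmp/out", evil))  # escapes to /etc/passwd
    print("safe:      ", safe_target("/tmp/out", evil))        # None (rejected)
    print("benign:    ", safe_target("/tmp/out", "docs/readme.txt"))
```

posixpath is used instead of os.path so the behaviour is the same on every platform; in a real extractor the containment check should be run against the real, symlink-resolved destination directory as well.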
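The openslp initscript symlink issue and the eroaster lockfile issue above are both instances of creating a file at a predictable path without guarding against a pre-planted symbolic link. The following added example (written for this newsletter; it is not eroaster's or openslp's code) shows the attack and the fix side by side: an attacker links the expected lockfile name to a victim file, a naive open() follows the link and overwrites the victim, while an open() with O_CREAT|O_EXCL (plus O_NOFOLLOW where available) refuses to go through the link. The lockfile name, the victim file and the payload are constructed for the demonstration.

```python
"""Symlink-safe lockfile creation versus the naive open() (added example)."""
import os
import tempfile

ORIGINAL = b"important data\n"


def _read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def naive_lock(path: str, payload: bytes = b"pid 4242\n") -> None:
    """Vulnerable pattern: open() follows a symlink at path and truncates its target."""
    with open(path, "wb") as fh:
        fh.write(payload)


def safe_lock(path: str, payload: bytes = b"pid 4242\n") -> bool:
    """Create the lockfile atomically; return False instead of following a link.

    POSIX guarantees that O_CREAT|O_EXCL fails with EEXIST when path names a
    symbolic link, regardless of where the link points. O_NOFOLLOW is added
    on platforms that define it as a second line of defence.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return True


def demo() -> dict:
    """Plant a symlink at the predictable lock path and compare both approaches."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.txt")        # constructed victim file
        with open(victim, "wb") as fh:
            fh.write(ORIGINAL)
        lock = os.path.join(tmp, "eroaster.lock")       # constructed predictable name
        os.symlink(victim, lock)                        # attacker's pre-planted link

        naive_lock(lock)
        naive_clobbered = _read(victim) != ORIGINAL

        with open(victim, "wb") as fh:                  # restore the victim
            fh.write(ORIGINAL)
        safe_created = safe_lock(lock)                  # must refuse: path exists
        safe_preserved = _read(victim) == ORIGINAL

        fresh_created = safe_lock(os.path.join(tmp, "fresh.lock"))  # normal case
        return {
            "naive_clobbered": naive_clobbered,
            "safe_created": safe_created,
            "safe_preserved": safe_preserved,
            "fresh_created": fresh_created,
        }


if __name__ == "__main__":
    print(demo())
```

When the lockfile does not need a fixed name at all, tempfile.mkstemp() (which uses the same O_EXCL creation with a random name) removes the predictable path entirely; a fixed name is only acceptable in a directory the attacker cannot write to.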