Linux Advisory Watch – December 19, 2003

Author: Benjamin D. Thomas

This week, advisories were released for lftp, xchat, irssi, BIND, apache, and GnuPG. The distributors include Fedora, Gentoo, Immunix, Mandrake, NetBSD, Red Hat, Slackware, Suse, and Turbolinux.

It’s now the holiday season and people all around the world are preparing to take time off to spend with their families. In between office parties and visions of LEDs from switches and routers dancing in your head, it is important to think about the possibility of something going wrong. I’m not talking about someone leaving the turkey in the oven too long allowing it to dry out, but one of your servers getting compromised.

You’ve just been attacked! Can it get worse? Of course, because the decision makers in the office have the most seniority, they’re all off. You are stuck trying to sort out what happened, and how to get the critical server up as soon as possible. Your first instinct is to start contacting all of the individuals who are ultimately responsible.

Because it is the holidays, it is suddenly impossible to get in contact with anyone. People have either turned their phones off, or are taking a vacation someplace sunny. Because you know that the compromised server is critical to operations, you must get it patched and back online as soon as possible. What about preserving forensic evidence? What if the attacker planted a back door? This obviously puts you in a very sticky situation. You know that management would want the server to be back online, but because nothing like this has ever happened, you’re unsure how to respond appropriately.

The situation above could have been less stressful if the organization had an incident response and/or contingency plan in place. I realize that many of you are from smaller companies and a 50-page plan is simply not feasible. However, there are several lessons that can be learned. Know where people will be over the holidays! Often, people will not be staying home and will not be reachable at their regular numbers. It is important to get contact information from key individuals to ensure that, in the event of an emergency, decisions are still made at the appropriate level.

No one wants to be bothered during their time off, but more importantly no manager would want bad decisions being made on their behalf when they are away.

Collecting important phone numbers, putting them in a single email, and circulating them around the office can make a world of difference. It isn’t always important to have fancy policies and plans; often a majority of problems can be minimized by setting up clear communication channels between employees. Proper communication will minimize the impact of any incident.

I want to wish everyone a warm and safe holiday season.

Until next time, cheers!

Benjamin D. Thomas

LinuxSecurity Feature Extras:

FEATURE: OSVDB – An Independent and Open Source Vulnerability Database

– This article outlines the origins, purpose, and future of the Open Source Vulnerability Database project. Also, we talk with Tyler Owen, a major contributor.

Guardian Digital Launches the First Secure Small Business Internet Productivity Solution

– Guardian Digital, the world’s premier open source Internet security company, announced the availability of Internet Productivity Suite, a comprehensive productivity and security management system. Focused on the increasing requirements of small and medium organizations, this cohesive and highly secure suite of applications combines to protect users from Internet threats while providing the features necessary to operate a complete Internet presence.

OpenVPN: An Introduction and Interview with Founder, James Yonan

– In this article, Duane Dunston gives a brief introduction to OpenVPN and interviews its founder, James Yonan.


Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

Distribution: Fedora
  12/15/2003 lftp: Buffer overflow vulnerability

An attacker could create a carefully crafted directory on a website such that, if a user connects to that directory using the lftp client and subsequently issues a ‘ls’ or ‘rels’ command, the attacker could execute arbitrary code on the user’s machine.

http://www.linuxsecurity.com/advisories/fedora_advisory-3880.html

Distribution: Gentoo
  12/12/2003 app-crypt/gnupg: Multiple vulnerabilities; buffer overflow vulnerability

Two flaws have been found in GnuPG 1.2.3, including a format string vulnerability and the compromise of ElGamal signing keys.

http://www.linuxsecurity.com/advisories/gentoo_advisory-3871.html

  12/15/2003 xchat: Denial of service vulnerability

There is a remotely exploitable bug in xchat 2.0.6 that could lead to a denial of service attack. This is caused by sending a malformed DCC packet to xchat 2.0.6, causing it to crash.

http://www.linuxsecurity.com/advisories/gentoo_advisory-3878.html

  12/18/2003 lftp: Multiple buffer overflow vulnerabilities

Two buffer overflow problems have been found in lftp, a multithreaded command-line based FTP client.

http://www.linuxsecurity.com/advisories/gentoo_advisory-3894.html

  12/18/2003 lftp: Multiple buffer overflow vulnerabilities

Two buffer overflow problems have been found in lftp, a multithreaded command-line based FTP client.

http://www.linuxsecurity.com/advisories/gentoo_advisory-3895.html

Distribution: Immunix
  12/15/2003 lftp: Buffer overflow vulnerability

Ulf Harnhammar has discovered remotely triggerable buffer overflows in lftp; this update fixes both of these problems.

http://www.linuxsecurity.com/advisories/immunix_advisory-3875.html

  12/16/2003 lftp: Multiple vulnerabilities

Advisory updated Tue Dec 16 2003; an employee at Red Hat found another bug in lftp that causes a crash when a response from a server is a blank line. Currently, we don’t expect this to be exploitable beyond a crash.

http://www.linuxsecurity.com/advisories/immunix_advisory-3884.html

Distribution: Mandrake
  12/12/2003 net-snmp: Improper access vulnerability; multiple vulnerabilities

A vulnerability in Net-SNMP versions prior to 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3872.html

  12/15/2003 lftp: Buffer overflow vulnerability

A buffer overflow vulnerability was discovered by Ulf Harnhammar in the lftp FTP client when connecting to a web server using HTTP or HTTPS and using the “ls” or “rels” command on a specially prepared directory.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3882.html

  12/18/2003 irssi: Remote crash vulnerability

A vulnerability in versions of irssi prior to 0.8.9 would allow a remote user to crash another user’s irssi client.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3896.html

Distribution: NetBSD
  12/17/2003 BIND: Negative cache poisoning

Several versions of the BIND 8 name server are vulnerable to cache poisoning via negative responses. To exploit this vulnerability, an attacker must configure a name server to return authoritative negative responses for a given target domain.

http://www.linuxsecurity.com/advisories/netbsd_advisory-3887.html

Distribution: Red Hat
  12/16/2003 lftp: Buffer overflow vulnerability

An attacker could create a carefully crafted directory on a website such that, if a user connects to that directory using the lftp client and subsequently issues a ‘ls’ or ‘rels’ command, the attacker could execute arbitrary code on the user’s machine.

http://www.linuxsecurity.com/advisories/redhat_advisory-3883.html

  12/16/2003 apache: Multiple (minor) vulnerabilities

Updated httpd packages that fix two minor security issues in the Apache Web server are now available for Red Hat Linux 8.0 and 9.

http://www.linuxsecurity.com/advisories/redhat_advisory-3885.html

Distribution: Slackware
  12/12/2003 lftp: Code parsing vulnerability

According to the NEWS file, this includes “security fixes in html parsing code” which could cause a compromise when using lftp to access an untrusted site.

http://www.linuxsecurity.com/advisories/slackware_advisory-3874.html

Distribution: Suse
  12/15/2003 lftp: Buffer overflow vulnerability

When using lftp via HTTP or HTTPS to execute commands like ‘ls’ or ‘rels’, specially prepared directories on the server can trigger a buffer overflow in the HTTP handling functions of lftp and possibly execute arbitrary code on the client side.

http://www.linuxsecurity.com/advisories/suse_advisory-3876.html

Distribution: Turbolinux
  12/17/2003 GnuPG: Key compromise vulnerability

Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-3886.html