December 19, 2003

Linux Advisory Watch - December 19, 2003

Author: Benjamin D. Thomas

This week, advisories were released for lftp, xchat, irssi, BIND, apache, and GnuPG. The distributors include Fedora, Gentoo, Immunix, Mandrake, NetBSD, Red Hat, Slackware, Suse, and Turbolinux.

It's now the holiday season and people all around the world are preparing to take time off to spend with their families. In between office parties and visions of LEDs from switches and routers dancing in your head, it is important to think about the possibility of something going wrong. I'm not talking about someone leaving the turkey in the oven too long allowing it to dry out, but one of your servers getting compromised.

You've just been attacked! Can it get worse? Of course, because the decision makers in the office have the most seniority, they're all off. You are stuck trying to sort out what happened, and how to get the critical server up as soon as possible. Your first instinct is to start contacting all of the individuals who are ultimately responsible.

Because it is the holidays, suddenly it is impossible to get in with contact
anyone. People have either turned their phones off, or are taking a vacation
someplace sunny. Because you know that the compromised server is critical to
operation, you must get it patched and back online as soon as possible. What
about preserving forensic evidence? What if the attacker planted a back door?
This obviously puts you in a very sticky situation. You know that management
would want the server to be back online, but because nothing like this has ever happened, you're unsure how to appropriately respond.

The situation above could have been
less stressful if the organization had a incident response and or contingency
plan in place. I realize that many of you are from smaller companies and a 50
page plan is simply not feasible. However, there are several lessons that can
be learned. Know where people will be over the holidays! Often, people will
not be staying home and will not be reachable at their regular numbers. It is
important to get the contact information from key individuals to ensure that
in the event of an emergency, decisions are still made at the appropriate level.

No one wants to be bothered during their time off, but more importantly no manager would want bad decisions being made on their behalf when they are away.

Collecting important phone numbers, putting them in a single email, and circulating them around the office can make a world of difference. It isn't always important to have fancy policies and plans, often a majority of problems can be minimized by setting up clear communication channels between employees. Proper communication will minimize the impact of any incident.

I want to wish everyone a warm and
safe holiday season.

Until next time, cheers!

Benjamin D. Thomas

LinuxSecurity
Feature Extras:

FEATURE:
OSVDB - An Independent and Open Source Vulnerability Database

- This article outlines the origins, purpose, and future of the Open Source
Vulnerability Database project. Also, we talk to with Tyler Owen, a major
contributor.

Guardian
Digital Launches the First Secure Small Business Internet Productivity Solution

- Guardian Digital, the world's premier open source Internet security company,
announced the availability of Internet Productivity Suite, a comprehensive
productivity and security management system. Focused on the increasing requirements
of small and medium organizations, this cohesive and highly-secure suite of
applications combine to protect users from Internet threats while providing
the features necessary to operate a complete Internet presence.

OpenVPN:
An Introduction and Interview with Founder, James Yonan

- In this article, Duane Dunston gives a brief introduction to OpenVPN and
interviews its founder James Yonan.

[ Linux
Advisory Watch
] - [ Linux
Security Week
] - [ PacketStorm
Archive
] - [ Linux Security
Documentation
]

 

Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

[ Subscribe
]

 
Distribution: Fedora
  12/15/2003 lftp
    Buffer
overflow vulnerability

An attacker could create a carefully crafted directory on a website such
that, if a user connects to that directory using the lftp client and subsequently
issues a 'ls' or 'rels' command, the attacker could execute arbitrary code
on the users machine.

http://www.linuxsecurity.com/advisories/fedora_advisory-3880.html

 
 
Distribution: Gentoo
  12/12/2003 app-crypt/gnupg
Multiple vulnerabilities
    Buffer
overflow vulnerability

Two flaws have been found in GnuPG 1.2.3 including a format string vulnerability
and the compromise of ElGamal signing keys.

http://www.linuxsecurity.com/advisories/gentoo_advisory-3871.html

 
  12/15/2003 xchat
    Denial
of service vulnerability

There is a remotely exploitable bug in xchat 2.0.6 that could lead to a
denial of service attack. This is caused by sending a malformed DCC packet
to xchat 2.0.6, causing it to crash.

http://www.linuxsecurity.com/advisories/gentoo_advisory-3878.html

 
  12/18/2003 lftp
    Multiple
buffer overflow vulnerabilities

Two buffer overflow problems have been found in lftp, a multithreaded command-line
based FTP client.

http://www.linuxsecurity.com/advisories/gentoo_advisory-3894.html

 
  12/18/2003 lftp
    Multiple
buffer overflow vulnerabilities

Two buffer overflow problems have been found in lftp, a multithreaded command-line
based FTP client.

http://www.linuxsecurity.com/advisories/gentoo_advisory-3895.html

 
 
Distribution: Immunix
  12/15/2003 lftp
    Buffer
overflow vulnerability

Ulf Hrnhammar has discovered remotely triggerable buffer overflows in lftp;
this update fixes both of these problems.

http://www.linuxsecurity.com/advisories/immunix_advisory-3875.html

 
  12/16/2003 lftp
    Multiple
vulnerabilities

Advisory updated Tue Dec 16 2003; an employee at Red Hat found another bug
in lftp that causes a crash when a response from a server is a blank line.
Currently, we don't expect this to be exploitable beyond a crash.

http://www.linuxsecurity.com/advisories/immunix_advisory-3884.html

 
 
Distribution: Mandrake
  12/12/2003 net-snmp
Improper access vulnerability
    Multiple
vulnerabilities

A vulnerability in Net-SNMP versions prior to 5.0.9 could allow an existing
user/community to gain access to data in MIB objects that were explicitly
excluded from their view.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3872.html

 
  12/15/2003 lftp
    Buffer
overflow vulnerability

A buffer overflow vulnerability was discovered by Ulf Harnhammar in the
lftp FTP client when connecting to a web server using HTTP or HTTPS and
using the "ls" or "rels" command on specially prepared directory.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3882.html

 
  12/18/2003 irssi
    Remote
crash vulnerability

A vulnerability in versions of irssi prior to 0.8.9 would allow a remote
user to crash another user's irssi client.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3896.html

 
 
Distribution: NetBSD
  12/17/2003 BIND
    Negative
cache poisoning

Several versions of the BIND 8 name server are vulnerable to cache poisoning
via negative responses. To exploit this vulnerability, an attacker must
configure a name server to return authoritative negative responses for a
given target domain.

http://www.linuxsecurity.com/advisories/netbsd_advisory-3887.html

 
 
Distribution: Red
Hat
  12/16/2003 lftp
    Buffer
overflow vulnerability

An attacker could create a carefully crafted directory on a website such
that, if a user connects to that directory using the lftp client and subsequently
issues a 'ls' or 'rels' command, the attacker could execute arbitrary code
on the users machine.

http://www.linuxsecurity.com/advisories/redhat_advisory-3883.html

 
  12/16/2003 apache
    Multiple
(minor) vulnerabilities

Updated httpd packages that fix two minor security issues in the Apache
Web server are now available for Red Hat Linux 8.0 and 9.

http://www.linuxsecurity.com/advisories/redhat_advisory-3885.html

 
 
Distribution: Slackware
  12/12/2003 lftp
    Code parsing
vunlerability

According to the NEWS file, this includes "security fixes in html parsing
code" which could cause a compromise when using lftp to access an untrusted
site.

http://www.linuxsecurity.com/advisories/slackware_advisory-3874.html

 
 
Distribution: Suse
  12/15/2003 lftp
    Buffer
overflow vulnerability

When using lftp via HTTP or HTTPS to execute commands like 'ls' or 'rels'
specially prepared directories on the server can trigger a buffer overflow
in the HTTP handling functions of lftp to possibly execute arbitrary code
on the client-side.

http://www.linuxsecurity.com/advisories/suse_advisory-3876.html

 
 
Distribution: Turbolinux
  12/17/2003 GnuPG
    Key compromise
vulnerability

Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal
keys for signing. This is a significant security failure which can lead
to a compromise of almost all ElGamal keys used for signing. Note that this
is a real world vulnerability which will reveal your private key within
a few seconds.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-3886.html

 

Category:

  • Security
Click Here!