Linux Advisory Watch - December 26, 2003

This week, advisories were released for ethereal, XFree86, BIND, and apache. The distributors include Fedora, Mandrake, NetBSD, and Red Hat.

As expected, this has been a slow week for advisories. Were there less vulnerabilities this week, or did people just decide to take time off? Probably the latter. One observation that I made yesterday is that the amount of spam in my junk box was extremely low. What could it be? Are the new US spam laws starting to make a difference, or do spammers celebrate Christmas too? Again, probably the latter.

Face it, the amount of spam that you received in 2003 is almost at an unbearable point. It is only going to get worse in 2004. Its now time to do something about it, rather than just perpetually holding down the delete key. Spam is costing you time, and your organization money. Luckily (or unluckily), the rest of the Linux community is in the same boat as you. There are many open source solutions available to address the problem.

When in thinking in terms of security, spam can affect a network’s availability. Having a considerable amount of spam traffic can slow down or in fact prevent legitimate traffic from reaching the intended destination. Like all security problems, it is important to address the problem at multiple levels. One of the best places to confront spam is at the client level. Today, many mail clients available for the Linux operating
system have sophisticated spam filtering abilities. Most notably, the mail client included with Mozilla does an excellent job.

Spam should also be taken on at the server level. One of the mostly widely used spam management packages is SpamAssassin. It is highly flexible software that uses several techniques for identifying illegitimate messages. Because it such a widely used set of software, there are many guides and configuration documentation available. More information on SpamAssassin can be found at: http://spamassassin.org/

For those of you who do not have the time and resources to properly configure a mail server with spam protection but need to address the problem, there are several solutions available. Guardian Digital offers a mail server and spam/virus protection package that can be setup in literally minutes. Rather than spending endless hours in vi editing .conf files, the Guardian Digital Secure Mail suite will allow you to setup a mail server, set spam filtering options, and enable virus protection with several clicks of a mouse in your browser. To find out more about Guardian Digital’s solution, visit the following website:

http://store.guardiandigital.com/html/eng/products/software/mail_overview.shtml

Until next time, cheers!
Benjamin D. Thomas

LinuxSecurity
Feature Extras:

FEATURE:
OSVDB – An Independent and Open Source Vulnerability Database
– This article outlines the origins, purpose, and future of the Open Source
Vulnerability Database project. Also, we talk to with Tyler Owen, a major
contributor.

Guardian
Digital Launches the First Secure Small Business Internet Productivity Solution
– Guardian Digital, the world’s premier open source Internet security company,
announced the availability of Internet Productivity Suite, a comprehensive
productivity and security management system. Focused on the increasing requirements
of small and medium organizations, this cohesive and highly-secure suite of
applications combine to protect users from Internet threats while providing
the features necessary to operate a complete Internet presence.

OpenVPN:
An Introduction and Interview with Founder, James Yonan
– In this article, Duane Dunston gives a brief introduction to OpenVPN and
interviews its founder James Yonan.

[ Linux
Advisory Watch ] – [ Linux
Security Week ] – [ PacketStorm
Archive ] – [ Linux Security
Documentation ]

Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
[ Subscribe
]


Distribution:			Fedora
	12/19/2003	etherial
		Multiple malformed packet vulerabilities Both vulnerabilities will make the Ethereal application crash. The Q.931 vulnerability also affects Tethereal. It is not known if either vulnerability can be used to make Ethereal or Tethereal run arbitrary code. http://www.linuxsecurity.com/advisories/fedora_advisory-3897.html


Distribution:			Mandrake
	12/19/2003	XFree86
		Unchecked authentication vulnerability A vulnerability was discovered in the XDM display manager that ships with XFree86. XDM does not check for successful completion of the pam_setcred() call and in the case of error conditions in the installed PAM modules, XDM may grant local root access to any user with valid login credentials. http://www.linuxsecurity.com/advisories/mandrake_advisory-3899.html


Distribution:			NetBSD
	12/22/2003	BIND
		Followup on negative cache poisoning vulernability The following excerpts show that include/arpa/inet.h must be updated from rev 1.12 that ships with 1.6.1 to rev 1.12.2.1 which is the current candidate for 1.6.2. http://www.linuxsecurity.com/advisories/netbsd_advisory-3900.html


Distribution:			Red Hat
	12/19/2003	apache
		Creatable buffer overflow vulnerability A carefully-crafted configuration file can cause an exploitable buffer overflow and would allow the attacker to execute arbitrary code in the context of the server (in default configurations as the ‘apache’ user). http://www.linuxsecurity.com/advisories/redhat_advisory-3898.html

RELATED ARTICLESMORE FROM AUTHOR

Maintainer Confidential: Challenges and Opportunities One Year On

Bridging Design and Runtime Gaps: AsyncAPI in Event-Driven Architecture

Implementing OpenTelemetry Natively in an Event Broker

Innovation as a Catalyst in Telecommunications

Linux 6.8 Brings More Sound Hardware Support For Intel & AMD, Including The Steam Deck

RELATED ARTICLES MORE FROM AUTHOR