February 25, 2005

Linux Advisory Watch - February 25, 2005

Author: Benjamin D. Thomas

This week, advisories were released for emacs, gftp, bidwatcher,
mailman, squid, mod_python, kdeedu, gamin, pcmcia, openssh,
postgresql, gimp, midnight commander, gproftpd, cyrus imap, cups,
kdelibs, xpdf, uim, cpio, and vim. The distributors include Debian,
Fedora, Gentoo, Mandrake, Red Hat, and SuSE.The Internet has made the world smaller. In our routine usage we
tend to overlook that "www" really does mean "world wide web" making
virtually instant global communication possible. It has altered the
rules of marketing and retailing. An imaginative website can give the
small company as much impact and exposure as its much larger competitors.
In the electronics, books, travel and banking sectors long established
retail chains are increasingly under pressure from e-retailers. All this,
however, has come at a price ­ ever more inventive and potentially
damaging cyber crime. This paper aims to raise awareness by discussing
common vulnerabilities and mistakes in web application development. It
also considers mitigating factors, strategies and corrective measures.

The Internet has become part and parcel of the corporate agenda. But
does the risk of exposing information assets get sufficient management
attention? Extension of corporate portals for Business-to Business (B2B)
or developments of websites for Business-to-Customer (B2C) transactions
have been largely successful. But the task of risk assessing
vulnerabilities and the threats to corporate information assets is still
avoided by many organisations. The desire to stay ahead of the competition
while minimising cost by leveraging technology means the process is driven
by pressure to achieve results. What suffers in the end is the application
development cycle; - this is achieved without security in mind. Section 1
of this paper introduces the world of e-business and sets the stage for
further discussions. Section 2 looks at common vulnerabilities inherent
in web application development. Section 3 considers countermeasures and
strategies that will minimise, if not eradicate. some of the
vulnerabilities. Sections 4 and 5 draw conclusions and look at current
trends and future expectations.

The TCP/IP protocol stack, the underlying technology is known for lack of
security on many of its layers. Most applications written for use on the
Internet use the application layer, traditionally using HTTP on port 80
on most web servers. The HTTP protocol is stateless and does not provide
freshness mechanisms for a session between a client and server; hence,
many hackers take advantage of these inherent weaknesses. TCP/IP may be
reliable in providing delivery of Internet packets, but it does not
provide any guarantee of confidentiality, integrity and little
identification. As emphasised in [1], Internet packets may traverse
several hosts between source and destination addresses. During its
journey it can be intercepted by third parties, who may copy, alter or
substitute them before final delivery. Failure to detect and prevent
attacks in web applications is potentially catastrophic. Attacks are
loosely grouped into two types, passive and active. Passive attackers
[6] engage in eavesdropping on, or monitoring of, transmissions. Active
attacks involve some modification of the data stream or creation of
false data streams [6].

Read full feature:
http://www.linuxsecurity.com/content/view/118427/49/

 

LinuxSecurity.com
Feature Extras:

Getting
to Know Linux Security: File Permissions
- Welcome to the first
tutorial in the 'Getting to Know Linux Security' series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple. If the feedback is
good, I'll consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.

The
Tao of Network Security Monitoring: Beyond Intrusion Detection

- To be honest, this was one of the best books that I've read on network security.
Others books often dive so deeply into technical discussions, they fail to
provide any relevance to network engineers/administrators working in a corporate
environment. Budgets, deadlines, and flexibility are issues that we must all
address. The Tao of Network Security Monitoring is presented in such a way
that all of these are still relevant.

Encrypting
Shell Scripts
- Do you have scripts that contain sensitive information
like passwords and you pretty much depend on file permissions to keep it secure?
If so, then that type of security is good provided you keep your system secure
and some user doesn't have a "ps -ef" loop running in an attempt to capture
that sensitive info (though some applications mask passwords in "ps" output).

 

Take advantage of our Linux Security discussion
list!
This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline
.


   Debian
  Debian: New emacs21 packages fix arbitrary
code execution
  17th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118356

 
  Debian: New gftp packages fix directory
traversal vulnerability
  17th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118362

 
  Debian: New bidwatcher packages fix format
string vulnerability
  18th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118384

 
  Debian: New mailman packages really fix
several vulnerabilities
  21st, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118391

 
  Debian: New squid packages fix denial
of service
  23rd, February, 2005

Updated packages.

http://www.linuxsecurity.com/content/view/118411

 
  Debian: New mod_python packages fix information
leak
  23rd, February, 2005

Updated packages.

http://www.linuxsecurity.com/content/view/118416

 
   Fedora
  Fedora Core 3 Update: kdeedu-3.3.1-2.3
  17th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118361

 
  Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.80
  17th, February, 2005

Updated.

http://www.linuxsecurity.com/content/view/118364

 
  Fedora Core 3 Update: policycoreutils-1.18.1-2.9
  17th, February, 2005

Updated.

http://www.linuxsecurity.com/content/view/118365

 
  Fedora Core 3 Update: gamin-0.0.24-1.FC3
  18th, February, 2005

This update fixes a number of annoying bugs in gamin especially
the Desktop update problem in the GNOME environment that affected a number
of users.

http://www.linuxsecurity.com/content/view/118386

 
  Fedora Core 3 Update: pcmcia-cs-3.2.7-2.2
  21st, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118397

 
  Fedora Core 2 Update: gaim-1.1.3-1.FC2
  22nd, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118404

 
  Fedora Core 3 Update: gaim-1.1.3-1.FC3
  22nd, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118405

 
  Fedora Core 3 Update: openssh-3.9p1-8.0.1
  22nd, February, 2005

This update changes default ssh client configuration so the
trusted X11 forwarding is enabled. Untrusted X11 forwarding is not supported
by X11 clients and doesn't work with Xinerama.

http://www.linuxsecurity.com/content/view/118406

 
  Fedora Core 3 Update: postgresql-7.4.7-3.FC3.1
  22nd, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118407

 
  Fedora Core 2 Update: postgresql-7.4.7-3.FC2.1
  22nd, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118408

 
  Fedora Core 2 Update: squid-2.5.STABLE8-1.FC2.1
  22nd, February, 2005

This update fixes CAN-2005-0446 Squid DoS from bad DNS response

http://www.linuxsecurity.com/content/view/118409

 
  Fedora Core 3 Update: squid-2.5.STABLE8-1.FC3.1
  22nd, February, 2005

This update fixes CAN-2005-0446 Squid DoS from bad DNS response

http://www.linuxsecurity.com/content/view/118410

 
  Fedora Core 3 Update: gimp-help-2-0.1.0.7.0.fc3.1
  24th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118424

 
   Gentoo
  Gentoo: Midnight Commander Multiple vulnerabilities
  17th, February, 2005

Midnight Commander contains several format string errors, buffer
overflows and one buffer underflow leading to execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118363

 
  Gentoo: Squid Denial of Service through
DNS responses
  18th, February, 2005

Squid contains a bug in the handling of certain DNS responses
resulting in a Denial of Service.

http://www.linuxsecurity.com/content/view/118382

 
  Gentoo: GProFTPD gprostats format string
vulnerability
  18th, February, 2005

gprostats, distributed with GProFTPD, is vulnerable to a format
string vulnerability, potentially leading to the execution of arbitrary
code.

http://www.linuxsecurity.com/content/view/118383

 
  Gentoo: gFTP Directory traversal vulnerability
  19th, February, 2005

gFTP is vulnerable to directory traversal attacks, possibly
leading to the creation or overwriting of arbitrary files.

http://www.linuxsecurity.com/content/view/118388

 
  Gentoo: PuTTY Remote code execution
  21st, February, 2005

PuTTY was found to contain vulnerabilities that can allow a
malicious SFTP server to execute arbitrary code on unsuspecting PSCP and
PSFTP clients.

http://www.linuxsecurity.com/content/view/118395

 
  Gentoo: Cyrus IMAP Server Multiple overflow
vulnerabilities
  23rd, February, 2005

The Cyrus IMAP Server is affected by several overflow vulnerabilities
which could potentially lead to the remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118417

 
   Mandrake
  Mandrake: Updated cups packages fix
  17th, February, 2005

Previous updates to correct integer overflow issues affecting
xpdf overlooked certain conditions when built for a 64 bit platform. (formerly
CAN-2004-0888). This also affects applications like cups, that use embedded
versions of xpdf. The updated packages are patched to deal with these
issues.

http://www.linuxsecurity.com/content/view/118367

 
  Mandrake: Updated gpdf packages fix
  17th, February, 2005

Previous updates to correct integer overflow issues affecting
xpdf overlooked certain conditions when built for a 64 bit platform. (formerly
CAN-2004-0888). This also affects applications like gpdf, that use embedded
versions of xpdf. The updated packages are patched to deal with these
issues.

http://www.linuxsecurity.com/content/view/118368

 
  Mandrake: Updated kdelibs packages fix
  17th, February, 2005

A bug in the way kioslave handles URL-encoded newline (%0a)
characters before the FTP command was discovered. Because of this, it
is possible that a specially crafted URL could be used to execute any
ftp command on a remote server, or even send unsolicited email.

http://www.linuxsecurity.com/content/view/118369

 
  Mandrake: Updated KDE packages address
  17th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118370

 
  Mandrake: Updated xpdf packages fix
  17th, February, 2005

Previous updates to correct integer overflow issues affecting
xpdf overlooked certain conditions when built for a 64 bit platform. (formerly
CAN-2004-0888). This also affects applications that use embedded versions
of xpdf. The updated packages are patched to deal with these issues.

http://www.linuxsecurity.com/content/view/118371

 
  Mandrake: Updated PostgreSQL packages
  17th, February, 2005

A number of vulnerabilities were found.

http://www.linuxsecurity.com/content/view/118372

 
  Mandrake: Updated tetex packages fix
  17th, February, 2005

Previous updates to correct integer overflow issues affecting
xpdf overlooked certain conditions when built for a 64 bit platform. (formerly
CAN-2004-0888). This also affects applications like tetex, that use embedded
versions of xpdf. The updated packages are patched to deal with these
issues.

http://www.linuxsecurity.com/content/view/118373

 
  Mandrake: Updated uim packages fix
  24th, February, 2005

Takumi ASAKI discovered that uim always trusts environment variables
which can allow a local attacker to obtain elevated privileges when libuim
is linked against an suid/sgid application. This problem is only exploitable
in 'immodule for Qt' enabled Qt applications. The updated packages are
patched to fix the problem.

http://www.linuxsecurity.com/content/view/118425

 
  Mandrake: Updated squid packages fix
  24th, February, 2005

The squid developers discovered that a remote attacker could
cause squid to crash via certain DNS responses. The updated packages are
patched to fix the problem.

http://www.linuxsecurity.com/content/view/118426

 
   Red
Hat
  RedHat: Low: cpio security update
  18th, February, 2005

An updated cpio package that fixes a umask bug and supports
large files (>2GB) is now available. This update has been rated as having
low security impact by the Red Hat Security Response Team

http://www.linuxsecurity.com/content/view/118378

 
  RedHat: Low: imap security update
  18th, February, 2005

Updated imap packages that fix a security issue are now available
for Red Hat Enterprise Linux 2.1. This update has been rated as having
low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118379

 
  RedHat: Low: vim security update
  18th, February, 2005

Updated vim packages that fix a security vulnerability are now
available. This update has been rated as having low security impact by
the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118380

 
  RedHat: Important: cups security update
  18th, February, 2005

Updated cups packages that fix a security issue are now available.
This update has been rated as having important security impact by the
Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118381

 
  RedHat: Important: kernel security update
  18th, February, 2005

Updated kernel packages that fix several security issues are
now available for Red Hat Enterprise Linux 4. This update has been rated
as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118385

 
  RedHat: Moderate: imap security update
  23rd, February, 2005

Updated imap packages to correct a security vulnerability in
CRAM-MD5 authentication are now available for Red Hat Enterprise Linux
3. This update has been rated as having moderate security impact by the
Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118418

 
   SuSE
  SuSE: squid remote denial of service
  22nd, February, 2005

Squid is an Open Source web proxy. A remote attacker was potentially
able to crash the Squid web proxy if the log_fqdn option was set to "on"
and the DNS replies were manipulated.

http://www.linuxsecurity.com/content/view/118403

 
  SuSE: cyrus-imapd buffer overflows
  24th, February, 2005

This update fixes one-byte buffer overruns in the cyrus-imapd
IMAP server package.

http://www.linuxsecurity.com/content/view/118423

 
Click Here!