February 6, 2004

Linux Advisory Watch - February 6, 2004

Author: Benjamin D. Thomas

This week, advisories were released
for perl, crawl, kernel, cvs, tcpdump, ethereal, mksnap_ffs, gaim, NetPBM, and
mc. The distributors include Debian, Fedora, FreeBSD, Mandrake, and Red Hat.

We all love the Web, but
there are parts of it that annoy us all. Pop-ups! Pop-ups! Endless banners!
Did I mention pop-ups? At this point, most of us have found ways to manage it.
However, we are always looking for something more effective.

On Monday, a new version
of Privoxy (http://www.privoxy.org) was
released. Privoxy is an open source project that begin with a software package
called Internet Juckbuster and quickly forked into its own project with the
first stable release version 3.0 in August 2002. Privoxy is a Web-based proxy
engine with filtering capabilities that help protect an individual's privacy.
The Privoxy engine can performs tasks such as modifying Web content, cookie
management, and removing banner & pop-up ads.

The most recent release of Privoxy
is 3.0.3. After installation, it can be configured quickly and easily. Most
questions can be cleared up by referencing section 4 (Quickstart), and section
2 (Installation) of the Privoxy User Manual.

Unlike many small GPL projects,
the Privoxy team is well organized. For those wishing to modify or make improvements
to the software, a developer's manual is available. This manual includes information
on how to establish a connection to the CVS repository, comment requirements,
naming conventions, testing guidelines, and many other areas of useful information.
This document could prove to be very useful.

Privoxy is available for a number
of different Linux distributions and operating systems. Those using Red Hat,
Conectiva, Debian, SuSE, and Gentoo will have no trouble installing it. Binary
packages are also available for Mac OS X, Windows, OS/2, and several flavors
of BSD.

More information about
Privoxy and the latest releases can be found at the following URL: http://www.privoxy.org

Until next time, cheers!
Benjamin D. Thomas


Feature Extras:

to Netwox and Interview with Creator Laurent Constantin

- In this article Duane Dunston gives a brief introduction to Netwox, a combination
of over 130 network auditing tools. Also, Duane interviews Laurent Constantin,
the creator of Netwox.

Linux Security Effectively in 2004

- This article examines the process of proper Linux security management in
2004. First, a system should be hardened and patched. Next, a security routine
should be established to ensure that all new vulnerabilities are addressed.
Linux security should be treated as an evolving process.

OSVDB - An Independent and Open Source Vulnerability Database

- This article outlines the origins, purpose, and future of the Open Source
Vulnerability Database project. Also, we talk to with Tyler Owen, a major

[ Linux
Advisory Watch
] - [ Linux
Security Week
] - [ PacketStorm
] - [ Linux Security


Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

[ Subscribe


Distribution: Debian
  2/2/2004 perl

An attacker could abuse suidperl to discover information about files that
should not be accessible to unprivileged users.


  2/3/2004 crawl
overflow vulnerability

The program applies an unchecked-length environment variable into a fixed
size buffer.


  2/4/2004 kernel
escalation MIPS patch

Integer overflow in the do_brk() function of the Linux kernel allows local
users to gain root privileges.


Distribution: Fedora
  2/2/2004 cvs

Vulnerabilities allow cvs to write to root filesystem and retain root privileges.


  2/3/2004 tcpdump
packet vulnerability

If the victim uses tcpdump, attack could result in a denial of service,
or possibly execute arbitrary code as the 'pcap' user.


  2/3/2004 ethereal
of service vulnerability

Multiple security vulnerabilities may allow attackers to make Ethereal crash
using intentionally malformed packets.


Distribution: FreeBSD
  1/30/2004 mksnap_ffs
option clearing

Possible consequences an include disabling extended access control lists
or enabling the use of setuid executables stored on an untrusted filesystem.


Distribution: Mandrake
  2/2/2004 gaim

Multiple buffer overflows exist in gaim 0.75 and earlier.


Distribution: Red
  2/3/2004 NetPBM
file vulnerabilities

A number of temporary file bugs have been found in versions of NetPBM.


  2/3/2004 mc
overflow vulnerability

A buffer overflow allows remote attackers to execute arbitrary code during
symlink conversion.


  2/3/2004 util-linux
Login data leakage
overflow vulnerability

In some situations, the login program could use a pointer that had been
freed and reallocated.


  2/3/2004 kernel

Updated kernel packages are now available that fix a few security issues.






  • Security
Click Here!