Linux Advisory Watch – January 16, 2004

Author: Benjamin D. Thomas

This week, advisories were released for phpgroupware, kernel, jitterbug, mod-auth-shadow, cvs, ethereal, kdepim, INN, and tcpdump. The distributors include Debian, Gentoo, Mandrake, Red Hat, Slackware, SuSE, and Trustix.

Implementing any large security project on the Linux operating system requires the use of cryptography. Several weeks ago, I wrote about a book by Fred Piper and Sean Murphy titled “Cryptography: A Very Short Introduction.” It offers a very good introduction to the subject, but those wishing to implement cryptography in open source projects need a more in-depth understanding of the area. Another excellent resource is the “Handbook of Applied Cryptography,” by Menezes, van Oorschot, and Vanstone. It has often been called “the bible of cryptography” and offers a detailed and technical view.

The first several chapters of the book focus on the basics. They give an overview and history of cryptography, followed by an explanation of the mathematics necessary to understand the algorithms. Midway through, the book gives detailed information on stream ciphers, block ciphers, and finally public-key encryption. Once the reader understands the algorithms, the book moves on to explain how they are used in key establishment protocols. It also offers chapters on key management and tips for efficient implementation.

For the long-time manager, this book may be slightly on the technical side. However, there are clear benefits to management having an understanding of technical subjects. Cryptography today offers a very strong level of protection; when it fails, it almost always fails in implementation or operation, for example when keys are not properly protected or managed. For those of you wishing to learn a little more about the fascinating subject of cryptography, I highly recommend this book.

Perhaps the best part is that the book is available fully for free on the Web:
http://www.cacr.math.uwaterloo.ca/hac/

Hard-copies of the book can also be purchased through Amazon or any other large bookseller.

When any company decides to take on an in-house software development project, it is essential to plan for the cryptographic mechanisms it will need. Books such as this can give programmers the knowledge necessary to understand how cryptography works and how to avoid the common mistakes.

Until next time, cheers!
Benjamin D. Thomas

LinuxSecurity Feature Extras:

FEATURE: Managing Linux Security Effectively in 2004

– This article examines the process of proper Linux security management in
2004. First, a system should be hardened and patched. Next, a security routine
should be established to ensure that all new vulnerabilities are addressed.
Linux security should be treated as an evolving process.

FEATURE: OSVDB – An Independent and Open Source Vulnerability Database

– This article outlines the origins, purpose, and future of the Open Source
Vulnerability Database project. We also talk with Tyler Owen, a major
contributor.


Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

Distribution: Debian

  1/9/2004 phpgroupware
    Multiple vulnerabilities

Remote code execution and SQL injection issues.

http://www.linuxsecurity.com/advisories/debian_advisory-3938.html

  1/9/2004 kernel
    Privilege escalation, additional patches

Since DSA 417-1 lacked fixed kernel image files for the alpha architecture,
these are added now.

http://www.linuxsecurity.com/advisories/debian_advisory-3939.html

  1/12/2004 jitterbug
    Improper input sanitizing

Allows an attacker to execute arbitrary commands on the server hosting the
bug database.

http://www.linuxsecurity.com/advisories/debian_advisory-3941.html

  1/12/2004 mod-auth-shadow
    Account expiration not enforced

In this Apache module, the expiration status of the user's account and
password was not enforced.

http://www.linuxsecurity.com/advisories/debian_advisory-3943.html
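
The check the advisory says mod-auth-shadow skipped is the one a login path normally makes against the shadow record before it even compares the password. The following is an added illustration of that check, written for this newsletter rather than taken from the module or from Apache. The sample shadow records, the placeholder hashes and the 16 January 2004 reference date are constructed; the field semantics (dates as days since the epoch, the max, inactive and expire fields) follow shadow(5).

```python
"""Account and password expiry check over /etc/shadow-style records.

Added illustration of the checks the mod-auth-shadow advisory describes as
missing; this is not the module's own code.  The sample records and the
reference date are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


def days_since_epoch(d: date) -> int:
    """shadow(5) stores its dates as days since 1970-01-01."""
    return (d - date(1970, 1, 1)).days


# Reference "today" for the sample data (constructed): 16 January 2004.
TODAY = days_since_epoch(date(2004, 1, 16))

# Constructed sample records with placeholder hashes.  Field order per shadow(5):
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$1$saltsalt$hashhashhashhashhashha:12400:0:99999:7:::
bob:$1$saltsalt$hashhashhashhashhashha:12300:0:90:7:14::
carol:$1$saltsalt$hashhashhashhashhashha:12400:0:99999:7::12420:
dave:$1$saltsalt$hashhashhashhashhashha:12400:0:30:7:7::
erin:!$1$saltsalt$hashhashhashhashhashha:12400:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    pw_hash: str
    last_change: Optional[int]  # days since epoch; empty or 0 forces a change
    max_days: Optional[int]     # password lifetime in days
    inactive: Optional[int]     # grace days after expiry before lockout
    expire: Optional[int]       # absolute account expiry, days since epoch


def _opt_int(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    """Parse shadow-format text into a name -> ShadowEntry map."""
    entries: Dict[str, ShadowEntry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 9:
            raise ValueError(f"malformed shadow record: {line!r}")
        entries[f[0]] = ShadowEntry(
            name=f[0],
            pw_hash=f[1],
            last_change=_opt_int(f[2]),
            max_days=_opt_int(f[4]),
            inactive=_opt_int(f[6]),
            expire=_opt_int(f[7]),
        )
    return entries


def account_status(e: ShadowEntry, today: int = TODAY) -> str:
    """Classify an entry the way a login check should, before the password
    is compared.

    Returns 'locked', 'account-expired', 'inactive', 'password-expired'
    (must change, still inside the grace period) or 'ok'.
    """
    if e.pw_hash.startswith(("!", "*")):
        return "locked"                      # administratively locked
    if e.expire is not None and today >= e.expire:
        return "account-expired"             # hard expiry date has passed
    if not e.last_change:
        return "password-expired"            # empty or 0: change at next login
    if e.max_days is not None:
        expires_on = e.last_change + e.max_days
        if today > expires_on:
            if e.inactive is not None and today >= expires_on + e.inactive:
                return "inactive"            # grace period used up
            return "password-expired"
    return "ok"


def audit(text: str, today: int = TODAY) -> Dict[str, str]:
    """Status of every record in the given shadow text."""
    return {name: account_status(e, today) for name, e in parse_shadow(text).items()}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_SHADOW).items():
        print(f"{name:8s} {status}")
```

Against the constructed records, bob is past both the password lifetime and the inactivity grace period, carol has reached her absolute expiry date, dave's password has expired but is still within its grace period, and erin is administratively locked. A module that only compares the hash would still accept bob, carol and dave as long as they knew their passwords, which is the behaviour the advisory describes.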

  1/15/2004 cvs
    Multiple vulnerabilities

Anyone who could modify CVSROOT/passwd could gain access to all local users
on the CVS server, including root.

http://www.linuxsecurity.com/advisories/debian_advisory-3948.html
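
The CVSROOT/passwd mapping behind this entry is worth auditing on any pserver host whether or not the update is installed, because each line names the local system user the server switches to for that CVS account. The script below is an added example written for this newsletter, not CVS's own code. The line format it assumes, cvs_user:crypted_password[:system_user] with the CVS name doubling as the system user when the third field is absent, follows the CVS manual; both sample files are constructed.

```python
"""Audit CVSROOT/passwd for CVS accounts mapped onto privileged local users.

Added example for the CVS advisory above; it is not CVS's own code.  Both
sample files below are constructed.
"""
from typing import Dict, List, Tuple

# Constructed CVSROOT/passwd.  Format: cvs_user:crypted_password[:system_user]
# An empty password field means no password is required (typical for anoncvs).
SAMPLE_CVS_PASSWD = """\
anonymous::cvsanon
alice:abJnggxhB/yWI
mallory:abJnggxhB/yWI:root
eve:abJnggxhB/yWI:toor
bob:abJnggxhB/yWI:build
frank:abJnggxhB/yWI:builder
"""

# Constructed /etc/passwd for the same host.
SAMPLE_ETC_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alternate root:/root:/bin/sh
cvsanon:x:1001:1001:anonymous cvs:/var/lib/cvs:/bin/false
alice:x:1002:1002:Alice:/home/alice:/bin/bash
build:x:1003:1003:build bot:/srv/build:/bin/bash
"""


def parse_cvs_passwd(text: str) -> List[Tuple[str, str, str]]:
    """Return (cvs_user, crypted_password, system_user) triples.

    When the optional third field is missing, the CVS user name is also the
    local system user the server becomes after authentication.
    """
    rows: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) not in (2, 3):
            raise ValueError(f"malformed CVSROOT/passwd line: {line!r}")
        cvs_user, crypted = parts[0], parts[1]
        system_user = parts[2] if len(parts) == 3 else cvs_user
        rows.append((cvs_user, crypted, system_user))
    return rows


def parse_etc_passwd(text: str) -> Dict[str, int]:
    """Map local account name -> numeric uid."""
    uids: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        uids[parts[0]] = int(parts[2])
    return uids


def find_risky_mappings(cvs_text: str, etc_text: str) -> List[Tuple[str, str, str]]:
    """Flag CVS accounts whose system user is uid 0 or does not exist.

    Checking the numeric uid rather than the literal name 'root' catches
    aliases as well.  Returns (cvs_user, system_user, reason) triples in file
    order.
    """
    uids = parse_etc_passwd(etc_text)
    findings: List[Tuple[str, str, str]] = []
    for cvs_user, _crypted, system_user in parse_cvs_passwd(cvs_text):
        uid = uids.get(system_user)
        if uid is None:
            findings.append((cvs_user, system_user, "unknown local user"))
        elif uid == 0:
            findings.append((cvs_user, system_user, "maps to uid 0"))
    return findings


if __name__ == "__main__":
    for cvs_user, system_user, reason in find_risky_mappings(SAMPLE_CVS_PASSWD,
                                                             SAMPLE_ETC_PASSWD):
        print(f"{cvs_user} -> {system_user}: {reason}")
```

The audit complements rather than replaces the update: the weakness the advisory describes is that whoever can write CVSROOT/passwd chooses which local account the server runs as, so the file's ownership and permissions matter as much as its contents. Even non-root mappings deserve a look, since a CVS account mapped onto a shared service user inherits everything that user can reach.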

  1/15/2004 kernel-image-2.4.17-ia64
    Multiple vulnerabilities, many backported fixes

The IA-64 maintainers fixed several security related bugs in the Linux kernel
2.4.17 used for the IA-64 architecture, mostly by backporting fixes from
2.4.18.

http://www.linuxsecurity.com/advisories/debian_advisory-3949.html

Distribution: Gentoo

  1/9/2004 kernel
    Privilege escalation vulnerability

A critical security vulnerability has been found in recent Linux kernels
which allows for local privilege escalation.

http://www.linuxsecurity.com/advisories/gentoo_advisory-3936.html

Distribution: Mandrake

  1/13/2004 ethereal
    Multiple DoS vulnerabilities

Two vulnerabilities can be exploited to make Ethereal crash.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3944.html

  1/15/2004 kdepim
    Permission leak vulnerability

This vulnerability allows a carefully crafted .VCF file to enable a local
attacker to execute arbitrary commands with the victim's privileges.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3953.html

Distribution: Red Hat

  1/12/2004 cvs
    Chroot breakout vulnerability

cvs can attempt to create files and directories in the root file system.

http://www.linuxsecurity.com/advisories/redhat_advisory-3942.html

  1/14/2004 kdepim
    Buffer overflow vulnerability

Updated kdepim packages are now available that fix a local buffer overflow
vulnerability.

http://www.linuxsecurity.com/advisories/redhat_advisory-3946.html

  1/14/2004 tcpdump
    Denial of service vulnerability

Crafted remote packets can result in a denial of service, or possibly execute
arbitrary code as the 'pcap' user.

http://www.linuxsecurity.com/advisories/redhat_advisory-3947.html

Distribution: Slackware

  1/9/2004 kernel
    Privilege escalation patch for 8.1

There is a bounds-checking problem in the kernel's mremap() call which could
be used by a local attacker to gain root privileges.

http://www.linuxsecurity.com/advisories/slackware_advisory-3937.html

  1/15/2004 INN
    Buffer overflow vulnerability

Upgrade to inn-2.4.1 to fix a potentially exploitable buffer overflow.

http://www.linuxsecurity.com/advisories/slackware_advisory-3951.html

  1/15/2004 kdepim
    Permission leak vulnerability

A carefully crafted .VCF file enables local attackers to execute arbitrary
commands with the victim's privileges.

http://www.linuxsecurity.com/advisories/slackware_advisory-3952.html

Distribution: SuSE

  1/14/2004 tcpdump
    Denial of service vulnerability

There is a remote DoS condition in tcpdump's ISAKMP handling.

http://www.linuxsecurity.com/advisories/suse_advisory-3945.html

  1/15/2004 kernel
    Many vulnerabilities fixed for 64-bit

Fixes vulnerabilities that can be used to gain root privileges.

http://www.linuxsecurity.com/advisories/suse_advisory-3950.html

Distribution: Trustix

  1/15/2004 tcpdump
    Denial of service vulnerability

A problem in tcpdump was discovered, where it was possible to crash the
program by sending carefully crafted packets on the network.

http://www.linuxsecurity.com/advisories/trustix_advisory-3954.html