January 2, 2004

Linux Advisory Watch - January 2, 2004

Author: Benjamin D. Thomas

This week, advisories were released for xsok, cvs, and proftpd. The distributors include Debian, Gentoo, and Mandrake.

One of the best parts of having a profession in information security and IT is the opportunity to continue learning. To survive, one must constantly stay on top of changing technology. The problem with this is that most of us do not have time to read books, journals, or simply conduct adequate research on the Internet. We are constantly trying to extinguish fires and only gather enough information to do a particular job. Unfortunately, it seems there is never enough time to simply read a little deeper, just to satisfy our own curiosities.

Being the new year, many of us have made New Year's resolutions. For most of us in IT, this involves learning something new. Perhaps you wish to learn a new programming language or diagramming technique, or wish to build a personal server for a particular function. Many of us have no trouble making personal goals, but following through is a different story. Something that has worked well for me in the past is starting small, and trying to accomplish the smallest tasks first. This will give you the feeling that progress is being made, and the momentum will push you through the larger tasks. For example, if you have seven books you wish to read this year, read the smallest one first.

For those of you who wish to have a better understanding of cryptography in 2004, I have found the perfect book to get you started. It is "Cryptography: A Very Short Introduction," by Fred Piper and Sean Murphy. This book was published by Oxford Press in 2002. Rather than give specific implementation examples, this book focuses on how several modern algorithms work, uses of cryptography, and key management. This book gives the proper foundation of knowledge necessary to evaluate products and vendor claims. Also, if you are planning a large crypto software development project this year, this book is the perfect primer to other, more specific cryptography-related books.

The book is only 142 pages long and can fit in a shirt pocket. It is well written and easy to read. The book is filled with tables, charts, and examples to explain the concepts. This book should be read by upper management and all others down the chain. It could serve to demystify the purpose and uses of cryptography in any organization.

The book can be easily found at Amazon.com for $9.95 USD.

Until next time, cheers!
Benjamin D. Thomas

Feature Extras:

OSVDB - An Independent and Open Source Vulnerability Database

- This article outlines the origins, purpose, and future of the Open Source
Vulnerability Database project. Also, we talk with Tyler Owen, a major

Digital Launches the First Secure Small Business Internet Productivity Solution

- Guardian Digital, the world's premier open source Internet security company,
announced the availability of Internet Productivity Suite, a comprehensive
productivity and security management system. Focused on the increasing requirements
of small and medium organizations, this cohesive and highly secure suite of
applications combines to protect users from Internet threats while providing
the features necessary to operate a complete Internet presence.

An Introduction and Interview with Founder, James Yonan

- In this article, Duane Dunston gives a brief introduction to OpenVPN and
interviews its founder James Yonan.

Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.


Distribution: Debian
Date: 12/30/2003
Package: xsok
Issue: privilege release

Steve Kemp discovered a problem in xsok, a single player strategy game for
X11, related to the Sokoban game, which allows a user to execute arbitrary
commands under the GID of games.


Distribution: Gentoo
Date: 12/29/2003
Package: cvs
Issue: escalation vulnerability

This release adds code to the CVS server to prevent it from continuing as
root after a user login, as an extra failsafe against a compromise of the
CVSROOT/passwd file.
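The failsafe described above is a privilege drop: once the user is authenticated, the server switches to that user's uid/gid and verifies that root can no longer be regained. The following is an added illustration of that pattern, not code from the CVS project; the function name drop_privileges and its error codes are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to the given uid/gid and confirm the switch stuck.
 * Returns 0 on success, a negative code naming the step that failed.
 * Order matters: supplementary groups first, then gid, then uid,
 * because after setuid() to a non-root user none of the others is allowed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may rewrite the supplementary group list; a non-root
     * caller keeps its own list, which is the correct behaviour here. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* setgid() as root sets real, effective and saved gid together. */
    if (setgid(gid) != 0)
        return -2;
    /* setuid() as root sets real, effective and saved uid together,
     * so there is no saved uid 0 left to come back to. */
    if (setuid(uid) != 0)
        return -3;
    /* Failsafe: if the target is non-root, an attempt to regain root
     * must fail. If it succeeds, the drop was incomplete and we refuse
     * to continue, which is what the CVS fix is guarding against. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -4;
    /* Confirm every credential is what we asked for. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -5;
    return 0;
}

int main(void)
{
    /* Usage: drop to the caller's own real ids (works without root). */
    int rc = drop_privileges(getuid(), getgid());
    printf("drop_privileges -> %d (uid=%u gid=%u)\n",
           rc, (unsigned)getuid(), (unsigned)getgid());
    return rc == 0 ? 0 : 1;
}
```

Run as root with a real service account instead of getuid()/getgid() to see the full drop; as a non-root user the function still exercises the verification path and returns 0.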


Distribution: Mandrake
Date: 12/31/2003
Package: proftpd
Issue: Root access

A vulnerability was discovered by X-Force Research at ISS in ProFTPD's handling
of ASCII translation. An attacker, by downloading a carefully crafted file,
can remotely exploit this bug to create a root shell.
