July 23, 2004

Linux Advisory Watch - July 23, 2004

Author: Benjamin D. Thomas

This week, advisories were released for MMDF, Mozilla, kernel, php4, webmin,
Samba, Ethereal, l2tpd, Mailman, httpd, libxml2, wv, php, Unreal,
Opera, mod_ssl, and freeswan. The distributors include SCO Group,
Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, Slackware, and
SuSE.

Creating New Accounts

Provide each user account with only the minimal privileges the task
requires. If you give your secretary, or another general user, an
account, you might want them to have access to a word processor or
drawing program only, and be unable to delete data that is not their
own.

Several good rules of thumb when allowing other people legitimate
access to your Linux machine:

  • Limit the access privileges given to new users.
  • Be aware when/where they log in from, or should be logging in
    from.
  • Make sure to remove inactive accounts.
  • The use of the same user-ID on all computers and networks is
    advisable to ease account maintenance, as well as to permit easier
    analysis of log data (but I'm sure someone will dispute this).
    However, it is practically essential if using NFS, and several
    other protocols also use UIDs for local and remote access.
  • The creation of group user-IDs should be prohibited. User accounts
    also provide accountability, and this is not possible with group
    accounts.
  • Be sure shadow passwords are enabled. Shadow passwords are a method
    for storing the actual password hashes in a root-owned file that is
    not readable by normal users, unlike the regular password file.
    This protects the hashes from being read and cracked offline using
    dictionary attacks. Most (if not all) current distributions already
    use shadow passwords.
  • Regularly audit user accounts for invalid or unused accounts,
    expired accounts, etc.
  • Check for repeated login failures. The files in /var/log are an
    invaluable resource for tracking potential security problems.
  • Be sure to enable quotas on machines with many users, to prevent
    denial of service attacks involving filling disk partitions, or
    appending exploits to group-writable files.
  • Disable group accounts, and unused system accounts such as sys or
    uucp. These accounts should be locked and given non-functional
    shells.
  • Many local user accounts that are used in compromises are ones that
    have not been used in months or years. Since no one is using them,
    they provide the ideal attack vehicle.

Written by Dave Wreski (dave@guardiandigital.com)
Additional tips are available at the following URL:
Until next time, cheers!
Benjamin D. Thomas
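The account-hygiene checklist above (locked system accounts with non-functional shells, shadow passwords kept out of the world-readable password file, repeated login failures in the logs) can be turned into a small audit script. The following is an added example written for this page, not code from the newsletter or from Dave Wreski; the UID cutoff of 1000 for system accounts, the Debian-style shadow group layout, and the sample passwd/shadow/auth.log contents are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the newsletter: an account-hygiene audit for
# the checklist above (locked system accounts with non-functional shells,
# shadow passwords, repeated login failures). It runs offline on
# constructed sample files; on a live host point the functions at
# /etc/passwd, /etc/shadow and your auth log as root.
set -eu

SYS_UID_MAX=1000   # assumption: UIDs below this are system accounts (Debian layout)

# Print system accounts (other than root) that are still usable: the shadow
# hash is not locked ('!' or '*' prefix) OR the shell is not nologin/false.
# Usage: usable_system_accounts PASSWD_FILE SHADOW_FILE
usable_system_accounts() {
    awk -F: -v max="$SYS_UID_MAX" '
        NR == FNR { hash[$1] = $2; next }       # first file: shadow
        $1 == "root" || $3 >= max { next }      # only system accounts
        {
            locked = (hash[$1] ~ /^[!*]/)
            dead   = ($7 ~ /(nologin|false)$/)
            if (!locked || !dead) print $1
        }' "$2" "$1"
}

# Print accounts whose passwd entry still carries a hash (or nothing at all)
# instead of the "x" placeholder, i.e. accounts not covered by shadow.
# Usage: unshadowed_accounts PASSWD_FILE
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Return 0 if FILE has no permission bits for "other" (group read by a
# dedicated shadow group, as on Debian, is allowed), 1 otherwise.
shadow_is_private() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Print "count user source" for every (user, source) pair with at least
# THRESHOLD sshd "Failed password" lines, most frequent first.
# Usage: repeated_failures AUTH_LOG THRESHOLD
repeated_failures() {
    awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            u = $0; sub(/.*Failed password for (invalid user )?/, "", u)
            s = $0; sub(/.* from /, "", s)
            split(u, uf, " "); split(s, sf, " ")
            n[uf[1] " " sf[1]]++
        }
        END { for (k in n) if (n[k] >= t) print n[k], k }' "$1" | sort -rn
}

# Constructed sample data (not from a real host). Usage: write_samples DIR
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sys:x:3:3:sys:/dev:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
operator:$1$legacy$notshadowed:11:0:operator:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$salt$hashedroot:12600:0:99999:7:::
sys:*:12600:0:99999:7:::
uucp:!:12600:0:99999:7:::
operator:$1$legacy$notshadowed:12600:0:99999:7:::
alice:$6$salt$hashedalice:12600:0:99999:7:::
bob:$6$salt$hashedbob:12600:0:99999:7:::
EOF
    cat > "$1/auth.log" <<'EOF'
Jul 22 03:14:05 host sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 40210 ssh2
Jul 22 03:14:07 host sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 40212 ssh2
Jul 22 03:14:09 host sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 40214 ssh2
Jul 22 03:15:00 host sshd[2215]: Failed password for bob from 192.0.2.10 port 40220 ssh2
Jul 22 03:15:02 host sshd[2215]: Failed password for bob from 192.0.2.10 port 40222 ssh2
Jul 22 03:15:04 host sshd[2215]: Failed password for bob from 192.0.2.10 port 40224 ssh2
Jul 22 03:16:00 host sshd[2220]: Accepted password for bob from 203.0.113.5 port 40300 ssh2
Jul 22 03:17:00 host sshd[2221]: Failed password for alice from 203.0.113.7 port 40301 ssh2
EOF
    chmod 644 "$1/passwd"; chmod 600 "$1/shadow"
}

demo() {
    tmp=$(mktemp -d); write_samples "$tmp"
    echo "== system accounts still usable (lock + nologin them):"
    usable_system_accounts "$tmp/passwd" "$tmp/shadow"
    echo "== accounts with a hash in passwd instead of shadow:"
    unshadowed_accounts "$tmp/passwd"
    if shadow_is_private "$tmp/shadow"; then echo "== shadow file: not world-readable"
    else echo "== WARNING: shadow file is world-readable"; fi
    echo "== repeated failed logins (>= 3 per user/source):"
    repeated_failures "$tmp/auth.log" 3
    rm -rf "$tmp"
}
demo
```

On the sample data the audit flags uucp (locked, but still has /bin/sh) and operator (unlocked, and its hash sits in passwd rather than shadow), and reports three failed logins each for "admin" and "bob" from 192.0.2.10. Accounts it flags are locked and given a non-functional shell with `usermod -L -s /usr/sbin/nologin NAME`; for the "remove inactive accounts" item, `lastlog -b 90` lists accounts with no login in the last 90 days.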

Feature Extras:

Expert Dave Wreski Discusses Open Source Security
- Dave Wreski, CEO of
Guardian Digital, Inc. and respected author of various hardened
security and Linux publications, talks about how Guardian Digital is
changing the face of IT security today. Guardian Digital is perhaps
best known for their hardened Linux solution EnGarde Secure Linux,
touted as the premier secure, open-source platform for its
comprehensive array of general purpose services, such as web, FTP,
email, DNS, IDS, routing, VPN, firewalling, and much more.

Catching up with Wietse Venema, creator of Postfix and TCP Wrapper
- Duane Dunston speaks at
length with Wietse Venema on his current research projects at the
Thomas J. Watson Research Center, including his forensics efforts
with The Coroner's Toolkit. Wietse Venema is best known for the
software TCP Wrapper, which is still widely used today and is
included with almost all Unix systems. Wietse is also the
author of the Postfix mail system and the co-author of the very cool
suite of utilities called The Coroner's Toolkit, or "TCT".


Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

Distribution: SCO Group
  7/22/2004 MMDF
    Multiple vulnerabilities

This patch addresses many buffer overflows and cuts down sharply on
unnecessary privilege.


  7/22/2004 Mozilla
    Multiple vulnerabilities

This patch resolves a large number of Mozilla vulnerabilities.

Caldera 4588

Distribution: Conectiva
  7/16/2004 kernel
    Multiple vulnerabilities

This patch addresses a large number of kernel vulnerabilities at once.

Conectiva 4564

  7/16/2004 php4
    Multiple vulnerabilities

This patch resolves two vulnerabilities, each of which can cause the
execution of arbitrary code.

Conectiva 4565

  7/17/2004 webmin
    ACL bypass vulnerability

A vulnerability in webmin would allow unauthenticated users to obtain
read access to a module's configuration.

Conectiva 4566

  7/22/2004 samba
    Buffer overflow

This patch addresses several buffer overruns within samba.

Conectiva 4583

Distribution: Debian
  7/22/2004 ethereal
    Denial of service

Several denial of service vulnerabilities were discovered in ethereal,
one of which could be exploited by a remote attacker to crash ethereal
with an invalid SNMP packet.

Debian 4579

  7/22/2004 netkit-telnet-ssl
    Format string vulnerability
    Denial of service

A format string vulnerability in netkit-telnet-ssl could potentially
allow a remote attacker to cause the execution of arbitrary code with
the privileges of the telnet daemon.

Debian 4580

  7/22/2004 l2tpd
    Buffer overflow

By exploiting this, a remote attacker could potentially cause arbitrary
code to be executed by transmitting a specially crafted packet.

Debian 4581

  7/22/2004 php4
    Multiple vulnerabilities

The patch fixes both a cross-site scripting (XSS) vulnerability and the
execution of arbitrary local code.

Debian 4582

  7/22/2004 mailman
    Password leak

A flaw in Mailman 2.1.* allows a remote attacker to retrieve the
mailman password of any subscriber by sending a carefully crafted email
request to the mailman server.

Debian 4587

Distribution: Fedora
  7/16/2004 ethereal
    Denial of service

Patches resolve three different ways to crash ethereal.

Fedora 4563

  7/22/2004 httpd
    Multiple vulnerabilities

This patch fixes a remotely triggerable memory leak and a buffer
overflow vulnerability.

Fedora 4585

  7/22/2004 libxml2
    Buffer overflow

Updated libxml2 packages that fix an overflow when parsing remote
resources are now available.

Fedora 4586

Distribution: Gentoo
  7/16/2004 wv
    Buffer overflow

A buffer overflow vulnerability exists in the wv library that can allow
an attacker to execute arbitrary code with the user's privileges.

Gentoo 4560

  7/16/2004 kernel
    Denial of service

By sending a malformed TCP packet, an attacker can hang a machine
running iptables.

Gentoo 4561

  7/16/2004 php
    Multiple vulnerabilities

Multiple security vulnerabilities, potentially allowing remote code
execution, were found and fixed in PHP.

Gentoo 4562

  7/22/2004 Unreal Tournament
    Buffer overflow vulnerability

Game servers based on the Unreal engine are vulnerable to remote code
execution through malformed 'secure' queries.

Gentoo 4574

  7/22/2004 Opera
    Multiple spoofing vulnerabilities

Opera contains three vulnerabilities, allowing an attacker to
impersonate legitimate websites with URI obfuscation or to spoof
websites with frame injection.

Gentoo 4575

  7/22/2004 kernel
    Multiple vulnerabilities

This patch addresses multiple DoS and permission vulnerabilities.

Gentoo 4576

  7/22/2004 l2tpd
    Buffer overflow

A buffer overflow in l2tpd could lead to remote code execution. It is
not known whether this bug is exploitable.

Gentoo 4577

  7/22/2004 mod_ssl
    Format string

A bug in mod_ssl may allow a remote attacker to execute arbitrary code
when Apache is configured to use mod_ssl and mod_proxy.

Gentoo 4578

Distribution: Mandrake
  7/16/2004 php
    Multiple vulnerabilities

This patch resolves an improper memory_limit trigger as well as a
possible XSS issue.

Mandrake 4557

  7/16/2004 ipsec-tools
    Multiple vulnerabilities

This patch fixes both a Denial of Service attack and an ACL escape.

Mandrake 4558

  7/16/2004 freeswan
    Multiple vulnerabilities

This patch resolves a DN impersonation attack as well as a denial of
service.
Mandrake 4559

Distribution: Red Hat
  7/22/2004 php
    Multiple vulnerabilities

The patch resolves a memory_limit bug which allows execution of
arbitrary code, and a strip_tags bug which allows XSS (Cross Site
Scripting).

Red Hat 4572

  7/22/2004 samba
    Buffer overflow

Updated samba packages that fix buffer overflows, as well as other
various bugs, are now available.

Red Hat 4573

Distribution: Slackware
  7/22/2004 php
    Multiple vulnerabilities

This patch resolves two bugs that could potentially allow XSS
(Cross-Site Scripting) and the execution of arbitrary code.

Slackware 4571

Distribution: Suse
  7/16/2004 php4/mod_php4
    Multiple vulnerabilities

Fixes two vulnerabilities, one that leads to direct code execution, and
the other a possible XSS.

SUSE 4556
