June 4, 2004

Linux Advisory Watch - June 4, 2004

Author: Benjamin D. Thomas

This week, advisories were
released for mailman, kde, MySQL, mc, Apache, Heimdal, utempter, and LHA. The
distributors include Conectiva, FreeBSD, Gentoo, Mandrake, Red Hat, and SuSE.

Incident Response

One of the most overlooked
aspects of information security is incident response. Often system administrators
and management only take action after a compromise or critical failure. Incident
response includes much more than sorting out problems after they occur. It includes
incident preparation, detection mechanisms, containment, eradication, restoration,
and review.

In preparation for a security
incident, it is important to establish a security policy & plan of action and
identify a security response team that is available 24 hours. Software to be
used during an incident should be installed, tested, and configured during the
preparation phase. During the adrenaline rush of an incident, it is impossible
to learn new software.

Administrators should also
take appropriate steps to ensure event detection. This includes scanning and
reviewing system log files, installing host and network based intrusion detection
systems, and implementing a remote notification system to notify members of
the security response team via pager or mobile phone.

Upon detection of an incident,
it is important to have containment procedures. Is the threat a network user?
It is important that the staff has the knowledge and tools necessary to address
the problem at the firewall level. If there is a system compromise, is tripwire
configured properly to report exactly what files were modified? After containment,
the next step is eradication. How can the problem be eliminated? The primary
purpose of containment and eradication is limiting damage and stopping the problem
from further damage.

After an incident has commenced,
the next step is system restoration. It is important to assess the actual damage
that took place and restore the system to its original condition. This may only
include fixing a few files, or restoring completely from a tape-backup. Finally,
after restoration is important to review how well the incident was handled.

Until next time, cheers!
Benjamin D. Thomas


Feature Extras:

Digital Security Solutions Win Out At Real World Linux

- Enterprise Email and Small Business Solutions Impres at Linux Exposition.
Internet and network security was a consistent theme and Guardian Digital
was on hand with innovative solutions to the most common security issues.
Attending to the growing concern for cost-effective security, Guardian Digital's
enterprise and small business applications were stand-out successes.

with Siem Korteweg: System Configuration Collector

- In this interview we learn how the System Configuration Collector (SCC)
project began, how the software works, why Siem chose to make it open source,
and information on future developments.


- This is the second installation of a 3 part article on LAMP (Linux Apache
MySQL PHP). In order to safeguard a MySQL server to the basic level, one has
to abide by the following guidelines.

[ Linux
Advisory Watch
] - [ Linux
Security Week
] - [ PacketStorm
] - [ Linux Security


Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

[ Subscribe

Distribution: Conectiva
  5/27/2004 mailman

Fixes cross site scripting and remote password retrieval vulnerabilities,
plus a denial of service.

Conectiva advisory 4409

  5/27/2004 kde
input sanitation

The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for
'-' at the beginning of the hostname passed.

Conectiva advisory 4410

Distribution: FreeBSD:
  5/27/2004 core:sys
Buffer cache invalidation vulnerability
input sanitation

In some situations, a user with read access to a file may be able to prevent
changes to that file from being committed to disk.

FreeBSD advisory 4408

Distribution: Gentoo
  5/27/2004 MySQL

Two MySQL utilities create temporary files with hardcoded paths, allowing
an attacker to use a symlink to trick MySQL into overwriting important data.

Gentoo advisory 4404

  5/27/2004 mc

Multiple security issues have been discovered in Midnight Commander including
several buffer overflows and string format vulnerabilities.

Gentoo advisory 4405

  5/27/2004 Apache
    1.3 Multiple

Several security vulnerabilites have been fixed in the latest release of
Apache 1.3.

Gentoo advisory 4406

  5/27/2004 Heimdal
overflow vulnerability

A possible buffer overflow in the Kerberos 4 component of Heimdal has been

Gentoo advisory 4407

Distribution: Mandrake
  5/27/2004 mailman
leak vulnerability

Mailman versions >= 2.1 have an issue where 3rd parties can retrieve member
passwords from the server.

Mandrake advisory 4402

  5/27/2004 kolab-server
Plain text passwords
leak vulnerability

The affected versions store OpenLDAP passwords in plain text.

Mandrake advisory 4403

Distribution: Red
  5/27/2004 utempter

An updated utempter package that fixes a potential symlink vulnerability
is now available.

Red Hat advisory 4399

  5/27/2004 LHA

Ulf Harnhammar discovered two stack buffer overflows and two directory traversal
flaws in LHA.

Red Hat advisory 4400

  5/27/2004 tcpdump,libpcap,arpwatch
Denial of service vulnerability

Upon receiving specially crafted ISAKMP packets, TCPDUMP would crash.

Red Hat advisory 4401

Distribution: SuSE
  5/27/2004 kdelibs/kdelibs3
Insufficient input sanitation

The URI handler of the kdelibs3 and kdelibs class library contains a flaw
which allows remote attackers to create arbitrary files as the user utilizing
the kdelibs3/kdelibs package.

SUSE advisory 4398



  • Linux
Click Here!