June 6, 2003

Linux Advisory Watch - June 6th, 2003

- by Benjamin D.

This week, advisories were released for maelstrom, apache, tomcat,
kernel, wget, file, lprng, cups, ghostscript, kon2, gnupg, squirrelmail, xinetd,
lv, and httpd. The distributors include Gentoo, Immunix, Mandrake, OpenPKG,
Red Hat, Turbolinux, and Yellow Dog. Red Hat and others released several patches
to their 2.4 kernel. For those of you using the PPC architecture and running
Yellow Dog Linux, this is your week: eight new advisories were released, but most
of them were fixes to known problems. Many would argue that late is better than never.

Last week, I wrote about several choices a system administrator can
make to achieve a secure system. However, I did not discuss why someone
would want to pay particular attention to security. Perhaps it is because
your boss demands it, or because you are responsible and take special pride
in maintaining a secure system. Several industries are mandated by the US
federal government to ensure privacy and security. If you are familiar with
the health care industry, you have probably heard about HIPAA (the Health
Insurance Portability and Accountability Act of 1996), or if you work
closely with the financial industry, you've heard of the Gramm-Leach-Bliley

If you have been to the doctor's office, dentist, or pharmacist in the
last few months, you should have been asked to sign several forms that
inform you of your privacy rights. This is a requirement of the HIPAA privacy
rule. Now, companies are working to achieve compliance with the second part
of HIPAA, the security rule. Compliance must be met by April 21st 2005.
You may be asking yourself, "I'm not part of the health care industry, why
should I care?" The HIPAA security rule (164.308-164.312) provides a high
level outline of what it takes to achieve security in an organization.
It outlines administrative, physical, and technical safeguards to ensure
the confidentiality, integrity, and maximum availability of data.

The Department of Health and Human Services has made a strong effort
to ensure that all mandatory and addressable rules follow industry standards.
The security requirements have been scrutinized and modified at the request
of health care industry leaders. Addressing each of the rules prescribed
by HIPAA should not be viewed as a hindrance, but as good business practice.
Although every organization has an established method for maintaining security,
a lot can be learned from HIPAA. No matter what industry you're in, you
should take a moment to review the requirements and apply the principles
to everyday operation. The final published security rule can be found in
the Federal Register, Volume 68, No. 34. Some of the major parts of the
security standards include the security management process, incident procedures,
contingency planning, workstation security, audit controls, integrity,
authentication, etc. In short, the point I am trying to make is that the
standards proposed by HIPAA can be applied to almost any organization.
Although I believe they are far from perfect, they can be quite helpful.

If you have any questions on how the HIPAA standards can be applied
to your organization, please feel free to write.

Until next time,

LinuxSecurity Feature Extras:

Alerting with Snort

Real-time alerting is a feature of an IDS or any other monitoring
application that notifies a person of an event in an acceptably short
amount of time. The amount of time that is acceptable is different for
every person.

Detection Systems: An Introduction

Intrusion Detection is the process and methodology of inspecting data
for malicious, inaccurate or anomalous activity. At the most basic levels
there are two forms of Intrusion Detection Systems that you will encounter:
Host and Network based.


Linux Advisory Watch is a comprehensive newsletter that outlines the security
vulnerabilities that have been announced throughout the week. It includes pointers
to updated packages and descriptions of each vulnerability.


Distribution: Gentoo
  5/30/2003 maelstrom
    buffer overflow vulnerability

A local buffer overflow exists in maelstrom.


  6/2/2003 uw-imapd
    buffer overflow vulnerability

UW-imapd can also act as an IMAP client, allowing a user to connect to a
specified server. This is disabled for anonymous users, but allowed for
everyone else.


  6/2/2003 apache
    2.x denial of service vulnerability

Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
certain circumstances.


  6/2/2003 tomcat
    file access vulnerability

Versions prior to tomcat-4.1.24 created /opt/tomcat with a directory
mode which allowed users to access files containing passwords.


Distribution: Immunix
  5/30/2003 kernel
    raceguard rules

Added a patch to add raceguard cache clearing across sessions, but not
across processes of different privilege levels.


  6/4/2003 wget
    input vulnerability

Steven M. Christey has discovered wget did not perform sufficient input
sanitization of ftp server responses.


  6/4/2003 file
    root vulnerability

An anonymous reporter has reported to iDEFENSE a vulnerability in file
that could allow for a root compromise, should root run file on a specially
crafted file.


  6/5/2003 lprng
    insecure tmp file vulnerability

A vulnerability has been found in psbanner, which creates a temporary
file with a known filename in an insecure manner.


Distribution: Mandrake
  5/30/2003 cups
    denial of service vulnerability

A Denial of Service (DoS) vulnerability was discovered in the CUPS printing
system by Phil D'Amore of Red Hat.


  6/2/2003 apache
    2.x multiple vulnerabilities

Two vulnerabilities were discovered in the Apache web server that affect
all 2.x versions prior to 2.0.46.


Distributor: Apache
  5/30/2003 apache 2.0
    2.x multiple vulnerabilities

Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
certain circumstances.


Distributor: OpenPKG
  6/3/2003 ghostscript
    arbitrary command execution

According to a Red Hat security advisory, a flaw in versions of Ghostscript
before 7.07 allows malicious Postscript files to execute arbitrary commands
even with command line option -dSAFER enabled.


Distribution: Red Hat
  6/2/2003 ghostscript
    arbitrary command execution vulnerability

A flaw in unpatched versions of Ghostscript before 7.07 allows malicious
postscript files to execute arbitrary commands even with -dSAFER enabled.


  6/3/2003 2.4 kernel multiple vulnerabilities
    arbitrary command execution vulnerability

These packages fix a ptrace-related vulnerability that can lead to elevated
(root) privileges.


  6/3/2003 2.4 kernel vulnerabilities and driver
    arbitrary command execution vulnerability

Several security issues have been found that affect the Linux kernel.
This update also fixes some driver issues.


  6/3/2003 kon2
    buffer overflow vulnerability

A buffer overflow in kon2 allows local users to obtain root privileges.


Distribution: Turbolinux
  5/30/2003 gnupg
    key validity bug

This bug causes keys with more than one user ID to give all user IDs
on the key the amount of validity given to the most-valid key.


Distribution: Yellow Dog
  6/4/2003 squirrelmail
    multiple vulnerabilities

Cross-site scripting vulnerabilities in SquirrelMail version 1.2.10
and earlier allow remote attackers to execute script as other Web users
via mailbox displays, message displays, or search results displays.


  6/4/2003 xinetd
    denial of service vulnerability

Because of a programming error, memory was allocated and never freed
if a connection was refused for any reason.


  6/4/2003 cups
    denial of service vulnerability

Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP implementation.


  6/4/2003 gnupg
    key validation vulnerability

When evaluating trust values for different UIDs assigned to a given
key, GnuPG versions earlier than 1.2.2 would incorrectly associate the
trust value of the UID with the highest trust value with every UID assigned
to that key.


  6/4/2003 lprng
    insecure tmp file vulnerability

A vulnerability has been found in psbanner, which creates a temporary
file with a known filename in an insecure manner.


  6/4/2003 lv
    arbitrary code execution vulnerability

A bug has been found in versions of lv that read a .lv file in the current


  6/4/2003 compat-gcc missing module
    arbitrary code execution vulnerability

The version of compat-gcc that comes with Yellow Dog Linux 3.0 is missing
a compatibility version of the g77 fortran compiler.


  6/4/2003 httpd
    multiple vulnerabilities

A build system problem in Apache 2.0 through 2.0.45 allows remote attackers
to cause a denial of access to authenticated content when a threaded server
is used.

