Linux Advisory Watch – May 7, 2004


Author: Benjamin D. Thomas

This week, advisories were released
for mc, libpng, LHA, httpd, and rsync. The distributors include Debian, Mandrake,
Red Hat, and Trustix.

Security Benefit

In today’s business world, there
is an ever-increasing reliance on information technology. With this, businesses
are discovering new ways to produce products and offer services with greater
efficiency. New business opportunities are created by the production of digital
products and services. However, with every business opportunity comes increased
risk. IT systems are now a huge target. If a business is not properly prepared,
a single system failure could result in a catastrophic outcome. Security is
greatly important and a necessary part of keeping IT systems in operation.

Traditionally, security has been
viewed as a ‘badge and gun’ operation. The most important part is protecting
the confidentiality, integrity, and availability of a system. In the process
of improvement, security practitioners increase the number of firewall rules,
increase password complexity, and impose additional limitations on each user’s
ability to access the information they need to conduct daily business. How do
non-security types react to this? Of course, they don’t like it! Security is
not seen as a business benefit, but as a hindrance. Rather than supporting business
functions, it makes it more difficult to do even the simplest tasks. Sadly,
increasing a security budget may be viewed as increasing the difficulty of conducting
daily business.

Today, security is changing. Managers
are starting to realize that security only exists to support the business. If the
business did not exist, the security department protecting it wouldn’t exist.
As a security manager, it is important to deliver value to the business. This
can be done in a number of ways. First, create a security awareness program that
educates others on the importance of protecting information. Next, only choose
controls that are appropriate for the information they protect.
For example, military-grade security may not be appropriate for internal employee
manuals. However, financial documents may require the tightest security. Secure
appropriately! Finally, metrics are important. Report to superiors the effectiveness
of current security controls. Report the number and types of incidents, from
least significant to most. Demonstrate with numbers how the current security
is protecting the information assets. How many times was your network scanned
in the last month? How many connections did the firewall reject or drop? How much
spam did the filters keep out of inboxes? Good security goes unnoticed and ignored.
It is important to remind management how well you are doing!

Until next time, cheers!
Benjamin D. Thomas


Feature Extras:

Generation Internet Defense & Detection System

– Guardian Digital has announced the first fully open source system designed
to provide both intrusion detection and prevention functions. Guardian Digital
Internet Defense & Detection System (IDDS) leverages best-in-class open
source applications to protect networks and hosts using a unique multi-layered
approach coupled with the security expertise and ongoing security vigilance
provided by Guardian Digital.

with Siem Korteweg: System Configuration Collector

– In this interview we learn how the System Configuration Collector (SCC)
project began, how the software works, why Siem chose to make it open source,
and information on future developments.


– This is the second installation of a 3 part article on LAMP (Linux Apache
MySQL PHP). In order to safeguard a MySQL server to the basic level, one has
to abide by the following guidelines.


Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.


Distribution: Debian
  4/30/2004 libpng, libpng3 – Out of bounds access vulnerability

This problem could cause the program to crash if a defective or intentionally
prepared PNG image file is handled by libpng.

Debian advisory 4292

Distribution: Mandrake
  4/30/2004 mc

Several vulnerabilities in Midnight Commander were found by Jakub Jelinek.

Mandrake advisory 4296

  4/30/2004 libpng – Out of bounds access vulnerability

This bug could potentially lead to a DoS (Denial of Service) condition in a daemon
that uses libpng to process PNG images.

Mandrake advisory 4297

Distribution: Red Hat
  4/30/2004 X-Chat – Buffer overflow vulnerability

An updated X-Chat package that fixes a vulnerability which could be exploited
by a malicious Socks-5 proxy is now available.

Red Hat advisory 4293

  4/30/2004 LHA

Ulf Harnhammar discovered two stack buffer overflows and two directory traversal
flaws in LHA.

Red Hat advisory 4294

  4/30/2004 httpd – Denial of service vulnerability

Updated httpd packages are now available that fix a denial of service vulnerability
in mod_ssl and include various other bug fixes.

Distribution: Trustix
  4/30/2004 rsync – Path escape

Please either enable chroot or upgrade to 2.6.1.

Trustix advisory 4298

  4/30/2004 libpng, proftpd – Multiple vulnerabilities

Patches for a DoS using libpng and an ACL escape for proftpd.

Trustix advisory 4299