November 28, 2003

Linux Advisory Watch - November 28th 2003

Author: Benjamin D. Thomas

This week, advisories were released for BIND, Ethereal, Glibc, Libnids,
phpSysInfo, Stunnel, EPIC, iproute, Pan, and XFree86. The distributors include
Guardian Digital's EnGarde Linux, Gentoo, Mandrake, and Red Hat.

Business and IT centers today are controlled by the growth of the Internet.
In just ten years, technology has changed so rapidly that the old rules no
longer apply. Today, businesses are forced to comply with the momentum of the
Internet, or face extinction. Change is always difficult, but now more than
ever it is necessary. With every change in business, security must constantly
be re-evaluated.

In a typical corporate IT environment,
new business requirements arise each day. The application development team is
constantly being asked to add new features to software, the networking team
is increasingly being asked to provide access anywhere, anytime, and managers
have the opinion, "make it work now, and no you can't have a budget." Well,
it's usually not that bad, but you get the idea. Everyone is being stretched
to the limit and it puts a great strain on the organization. In the middle of
adding more features, access points, and bandwidth, security is often forgotten.
That's okay, isn't it? "We'll just add security later once we get the system

That is exactly the problem all
of us have today when working in security. It is typical to receive a memo at
the end of the day stating that ten new servers are going to be deployed tomorrow
morning, then at the end it asks, "Is this ok with security?" Of course not!
The typical problem that we all face does not have to do with technology; it
is simply a people problem. Unfortunately, attitudes can't be changed overnight.
Sometimes, they may not be able to be changed for years. The only way to address
this is through a security awareness program. The smaller the organization,
the easier it should be. People must be reminded daily that security is important
to the organization, and is a high priority. The quickest way to get results
is to get top management on board. If you see that key management figures are
unwilling to comply, and the organization is large enough, total security awareness
may be an impossible task.

Security is everyone's problem.
One administrator simply patching a server each week is a good start, but it
shouldn't stop there. Having adequate business security depends on many. Often,
it is your job to let those people know. I realize that this task is harder than
it sounds, but hopefully I've given you some inspiration to begin getting others
on board. Don't face the fire alone!

Until next time, cheers!
Benjamin D. Thomas

Feature Extras:

Digital Launches the First Secure Small Business Internet Productivity Solution

- Guardian Digital, the world's premier open source Internet security company,
announced the availability of Internet Productivity Suite, a comprehensive
productivity and security management system. Focused on the increasing requirements
of small and medium organizations, this cohesive and highly-secure suite of
applications combine to protect users from Internet threats while providing
the features necessary to operate a complete Internet presence.

An Introduction and Interview with Founder, James Yonan

- In this article, Duane Dunston gives a brief introduction to OpenVPN and
interviews its founder James Yonan.

The Hacker

- Dan Verton, the author of The Hacker Diaries: Confessions of
Teenage Hackers is a former intelligence officer in the U.S. Marine Corps
who currently writes for Computerworld and, covering national cyber-security
issues and critical infrastructure


Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.


Distribution: EnGarde
  11/26/2003 BIND poisoning vulnerability

A cache poisoning vulnerability exists in the version of BIND shipped with
all versions of EnGarde Secure Linux. Successful exploitation of this vulnerability
may result in a temporary denial of service until the bad record expires
from the cache.

Distribution: Fedora
  11/25/2003 Ethereal overflow vulnerability

These updated ethereal packages fix a security problem found in versions
prior to 0.9.16. It also fixes several other minor bugs and problems.

Distribution: Gentoo
  11/24/2003 Ethereal

It may be possible to make Ethereal crash or run arbitrary code by injecting
a purposefully malformed packet onto the wire, or by convincing someone
to read a malformed packet trace file.

  11/24/2003 Glibc overrun vulnerability

A bug in the getgrouplist function can cause a buffer overflow if the size
of the group list is too small to hold all the user's groups. This overflow
can cause segmentation faults in user applications. This vulnerability exists
only when an administrator has placed a user in a number of groups larger
than that expected by an application.

  11/24/2003 Libnids code execution

There is a bug in the part of libnids code responsible for TCP reassembly.
The flaw probably allows remote code execution.

  11/24/2003 phpSysInfo

phpSysInfo contains two vulnerabilities which could allow local files to
be read or arbitrary PHP code to be executed, under the privileges of the
web server process.

Distribution: Mandrake
  11/21/2003 freeswan

The version of freeswan bundled with the latest kernel update did not match
the freeswan package, which essentially rendered it unusable. This update
brings the freeswan package up to date with the kernel version.

  11/26/2003 Stunnel file descriptor

A vulnerability was discovered in stunnel versions 3.24 and earlier, as
well as 4.00, by Steve Grubb. It was found that stunnel leaks a critical
file descriptor that can be used to hijack stunnel's services.

Distribution: Red Hat
  11/24/2003 EPIC overflow vulnerability

Updated EPIC packages which fix an exploitable buffer overflow vulnerability
are now available.

  11/24/2003 iproute denial of service vulnerability

Updated iproute packages that close a locally-exploitable denial of service
vulnerability are now available.

  11/24/2003 stunnel

Updated stunnel packages are now available for Red Hat Linux 7.1, 7.2, 7.3,
and 8.0 systems. These updates address problems stemming from improper use
of non-reentrant functions in signal handlers.

  11/24/2003 Pan of service vulnerability

Updated Pan packages that close a denial of service vulnerability are now

  11/25/2003 XFree86

Multiple integer overflows in the transfer and enumeration of font libraries
in XFree86 allow local or remote attackers to cause a denial of service
or execute arbitrary code via heap-based and stack-based buffer overflow


