Author: Benjamin D. Thomas
released for bugzilla, apache, fileutils, postgresql, CUPS, and thttpd. The
distributors include Conectiva, Guardian Digital’s EnGarde Linux, Gentoo, Immunix,
Mandrake, RedHat, Slackware, and SuSE.
Although the update has been out for several weeks, the SANS Top20 list still remains important. For administrators and management, it is a good way to get an idea of some of the most vulnerable services. Although best practice should dictate that these services have already been eliminated or secured, this is often not the case. The SANS Top20 should be an eye-opener to those who do not regularly patch and update systems.
Both the problem and the beauty of the Top20 list is its length. For those of us with only Unix and/or Linux based servers, the list is cut down to 10. Some of the vulnerabilities listed are related to BIND, RPC, Apache, passwords, and clear-text services. The list is very useful because its length gives people a quick idea of some of the biggest problems. My concern is that diligence will stop after number 10. After each of the 10 Unix system vulnerabilities is addressed, administrators may have a false sense of security. It is equally important to ensure that all other services have been patched. One of the most common-sense ways to reduce this workload is simply not to start services, or not to have software installed, that may be a potential problem in the future. Living with only the minimum necessary requirements is often difficult. For example, when installing a particular flavor of Linux, it takes much more time to individually choose the packages you require than to simply install a pre-configured server configuration.
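As an added illustration of the point above (not part of the original newsletter), the following script audits a host's listening sockets against an explicit allowlist, flagging anything that is not expected, and in particular anything that falls into the Unix Top20 classes mentioned here (BIND, RPC, clear-text services). The input is a constructed sample in the shape of `ss -ltunH` output; the addresses, ports and the allowlist are assumptions for the example.

```python
import re

# Constructed sample of `ss -ltunH` output (no header line); all values are made up.
SAMPLE_SS_OUTPUT = """\
tcp  LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp  LISTEN 0 128 0.0.0.0:80      0.0.0.0:*
tcp  LISTEN 0 5   0.0.0.0:23      0.0.0.0:*
tcp  LISTEN 0 128 0.0.0.0:111     0.0.0.0:*
udp  UNCONN 0 0   0.0.0.0:53      0.0.0.0:*
tcp  LISTEN 0 128 127.0.0.1:631   0.0.0.0:*
tcp  LISTEN 0 128 [::]:5432       [::]:*
"""

# Service classes taken from the Unix items of the Top20 discussed in the text
# (BIND, RPC, clear-text services); port numbers follow standard IANA assignments.
TOP20_CLASSES = {
    ("udp", 53): "BIND/DNS", ("tcp", 53): "BIND/DNS",
    ("tcp", 111): "RPC portmapper", ("udp", 111): "RPC portmapper",
    ("tcp", 21): "clear-text FTP", ("tcp", 23): "clear-text telnet",
    ("tcp", 110): "clear-text POP3", ("tcp", 143): "clear-text IMAP",
    ("tcp", 513): "clear-text rlogin", ("tcp", 514): "clear-text rsh",
}

# Netid State Recv-Q Send-Q Local:Port Peer:Port  (IPv6 locals look like [::]:5432)
_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")

def parse_listeners(ss_output):
    """Return (proto, bind_address, port) tuples; lines that do not parse are skipped."""
    found = []
    for line in ss_output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2).strip("[]"), int(m.group(3))))
    return found

def audit(listeners, allowlist):
    """Classify each listener not on the allowlist as a Top20 class, loopback-only,
    or simply unexpected (bound to a routable address)."""
    report = {"top20": [], "local_only": [], "unexpected": []}
    for proto, addr, port in listeners:
        if (proto, port) in allowlist:
            continue
        label = f"{proto}/{port} on {addr}"
        if (proto, port) in TOP20_CLASSES:
            report["top20"].append(f"{label} ({TOP20_CLASSES[(proto, port)]})")
        elif addr in ("127.0.0.1", "::1"):
            report["local_only"].append(label)
        else:
            report["unexpected"].append(label)
    return report

if __name__ == "__main__":
    for kind, items in audit(parse_listeners(SAMPLE_SS_OUTPUT), {("tcp", 22), ("tcp", 80)}).items():
        print(kind, items)
```

Anything reported under `top20` or `unexpected` is a candidate for removal or, failing that, for the same patch-and-review discipline the Top20 items get.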
The Top20 list should only be a starting point for those wishing to maintain a secure network. After each item on the list has been addressed, security staff should then strive to achieve compliance with standards such as BS-7799/ISO-17799, NIST security standards, the ISF's Standard of Good Practice, and others. Once again, the recurring theme in information security is process and standardization. The absolute best way to achieve a secure operating environment is the continual re-evaluation of policies, procedures, and practices.
Until next time, cheers!
Benjamin D. Thomas
LinuxSecurity Feature
Extras:

EnGarde GDSN Subscription Price Reduction – Guardian Digital, the world's premier open source security company, announced today that they will be reducing the annual subscription cost of the Guardian Digital Secure Network for EnGarde Community users from $229 to $60 for a limited time.

R00ting The Hacker – Dan Verton, the author of The Hacker Diaries: Confessions of Teenage Hackers, is a former intelligence officer in the U.S. Marine Corps who currently writes for Computerworld and CNN.com, covering national cyber-security issues and critical infrastructure protection.
Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
| Distribution | Date | Package / advisory | Type | Description (as excerpted) |
|---|---|---|---|---|
| Conectiva | 11/6/2003 | bugzilla | multiple vulnerabilities | Several vulnerabilities have been announced and are being fixed in this |
| Conectiva | 11/6/2003 | apache | multiple vulnerabilities | New versions of the Apache web server have been made available with the |
| EnGarde | 11/4/2003 | 'openssl' ASN.1 parsing DoS | multiple vulnerabilities | This vulnerability (triggered by certain ASN.1 sequences which cause a large |
| EnGarde | 11/5/2003 | 'apache' mod_alias and mod_rewrite buffer overflow | multiple vulnerabilities | A buffer overflow in mod_alias and mod_rewrite was discovered in the Apache |
| Gentoo | 10/31/2003 | net-www/apache Buffer overflow vulnerability | multiple vulnerabilities | A buffer overflow could occur in mod_alias and mod_rewrite when a regular |
| Immunix | 10/31/2003 | fileutils | Memory exhaustion vulnerability | An off-by-one attack that may lead to a memory exhaustion vulnerability |
| Mandrake | 11/3/2003 | postgresql | Buffer overflow vulnerability | Two bugs were discovered that lead to a buffer overflow in PostgreSQL versions |
| Mandrake | 11/3/2003 | apache | Buffer overflow vulnerability | A buffer overflow in mod_alias and mod_rewrite was discovered in Apache |
| Mandrake | 11/6/2003 | CUPS | Denial of service vulnerability | A bug in versions of CUPS prior to 1.1.19 was reported in the Internet Printing |
| Red Hat | 11/3/2003 | CUPS | Denial of service vulnerability | Updated CUPS packages that fix a problem where CUPS can hang are now available. |
| Red Hat | 11/6/2003 | fileutils | Denial of service vulnerability | Georgi Guninski discovered a memory starvation denial of service vulnerability |
| Red Hat | 11/6/2003 | CUPS | Denial of service vulnerability | Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol |
| Slackware | 11/4/2003 | apache | multiple vulnerabilities | These updates fix local vulnerabilities that could allow users who can create |
| SuSE | 11/1/2003 | thttpd | Remote privilege escalation vulnerability | A buffer overflow and privilege escalation vulnerability have been fixed. |
Category:
- Security