October 24, 2003

Linux Advisory Watch - October 24th 2003

Author: Benjamin D. Thomas

This week, advisories were released for ircd, gdm, fileutils, sane, fetchmail, gdm, and fetchmail. The distributors include Conectiva, Immunix, Mandrake, and Turbolinux.

This week, Ballmer's comments comparing Windows and Linux security have been all over the press. As you might suspect, the GNU/Linux community instantly fired back, rebutting all of his points. Personally, I believe he was comparing apples and oranges and exploiting the ignorance people have about security. Fear, uncertainty, and doubt are a common theme that we should come to expect. Unfortunately, some believe everything they are being told without verifying the facts.

The point of this commentary is not to make any argument for or against the security of Linux, but to re-emphasize that the ultimate responsibility for security rests with the person(s) who have chosen to implement a particular piece of software. For instance, by choosing to set up a Linux-based Web server, you take on the responsibility of ensuring that only the bare minimum is installed, access is strictly controlled, and the system is patched as necessary. Unfortunately, there will always be vulnerabilities in software due to sloppy programming. I am not trying to discount the responsibility of software makers; I am merely suggesting that security isn't something that is controlled at a single point. Security is everyone's

When choosing to implement a piece of software, security should be one of the most significant factors. Does the vendor provide timely updates? If something goes horribly wrong, can I fix it myself? What is the security history of this software? All of these questions are important and should be addressed. I just wanted to emphasize that security shouldn't be a game of "my OS has fewer vulnerabilities than yours"; the point should be "how easily can the problem be fixed, and/or how long do I have to wait for an update." Security is the responsibility of all, at many levels, and we shouldn't forget that.

Until next time, cheers!
Benjamin D. Thomas

LinuxSecurity Feature

GDSN Subscription Price Reduction

- Guardian Digital, the world's premier open source security company, announced
today that they will be reducing the annual subscription cost of the Guardian
Digital Secure Network for EnGarde Community users from $229 to $60 for a
limited time.

The Hacker

- Dan Verton, the author of The Hacker Diaries: Confessions of
Teenage Hackers is a former intelligence officer in the U.S. Marine Corps
who currently writes for Computerworld and CNN.com, covering national cyber-security
issues and critical infrastructure

Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

Distribution: Conectiva

10/17/2003 - ircd - DoS vulnerability

A buffer overflow vulnerability has been discovered that may allow an attacker
to crash the ircd server, thus causing a denial of service condition. The
package released with this advisory includes a patch that fixes the problem.

10/17/2003 - gdm - DoS vulnerabilities

Jarno Gassenbauer found two local denial of service vulnerabilities in GDM,
both fixed in the versions, and in the packages released
with this advisory:

10/22/2003 - fileutils - Denial of service vulnerability

There is a memory starvation denial of service vulnerability in the ls program.
It is possible to make ls allocate a huge amount of memory by calling it
with the parameters "-w X -C" (where X is an arbitrary large number).
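Added example in C (not fileutils' own code) modelling why an unchecked "-w X" width is a memory-starvation vector: "ls -C" sizes its column-layout table from the line width, and that table grows with the square of the candidate column count, so the hardened variant caps candidates at the number of entries. MIN_COLUMN_WIDTH and the triangular table shape are assumptions about ls's layout logic, not values taken from the advisory.

```c
/* Constructed model of the "ls -C" layout table, not fileutils source. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

#define MIN_COLUMN_WIDTH 3   /* assumption: narrowest column considered */

/* Cells needed for every candidate layout of 1..max_cols columns:
   candidate i needs i cells, so the total is max_cols*(max_cols+1)/2.
   Saturates instead of wrapping when the product would overflow size_t. */
size_t layout_cells(size_t max_cols)
{
    if (max_cols && max_cols > SIZE_MAX / (max_cols + 1))
        return SIZE_MAX;
    return max_cols * (max_cols + 1) / 2;
}

/* Unbounded: candidate count comes from the user-supplied width alone.
   A width of 10^9 yields ~3.3e8 candidates and ~5.5e16 cells. */
size_t candidate_cols_unbounded(size_t line_length)
{
    size_t max_cols = line_length / MIN_COLUMN_WIDTH;
    return max_cols ? max_cols : 1;
}

/* Hardened: no layout can use more columns than there are entries,
   so the candidate count, and with it the table, is capped by nfiles. */
size_t candidate_cols_bounded(size_t line_length, size_t nfiles)
{
    size_t max_cols = line_length / MIN_COLUMN_WIDTH;
    if (max_cols > nfiles)
        max_cols = nfiles;
    return max_cols ? max_cols : 1;
}

/* Bytes the layout table would need for a width and entry count. */
size_t layout_bytes(size_t line_length, size_t nfiles, int hardened)
{
    size_t cols = hardened ? candidate_cols_bounded(line_length, nfiles)
                           : candidate_cols_unbounded(line_length);
    return layout_cells(cols) * sizeof(size_t);
}

int main(void)
{
    size_t width = 1000000000;   /* the "X" in "ls -w X -C" */
    size_t nfiles = 5;           /* a small directory listing */
    printf("unbounded: %zu bytes\n", layout_bytes(width, nfiles, 0));
    printf("hardened:  %zu bytes\n", layout_bytes(width, nfiles, 1));
    return 0;
}
```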

10/22/2003 - sane - tmp file

This update fixes several vulnerabilities in the sane package.

Distribution: Immunix

10/20/2003 - fetchmail - Multiple

This update fixes several bugs in fetchmail, including a broken boundary
condition check in the multidrop code, a header overflow that neglected
to account for '@' signs in email addresses, a header-rewriting bug, and
a head-reading bug.

Distribution: Mandrake

10/17/2003 - gdm - multiple

Two vulnerabilities were discovered in gdm by Jarno Gassenbauer that would
allow a local attacker to cause gdm to crash or freeze.

10/17/2003 - fetchmail - Denial of service vulnerability

A bug was discovered in fetchmail 6.2.4 where a specially crafted email
message can cause fetchmail to crash.

Distribution: Turbolinux

10/20/2003 - kernel/kdebase - Multiple updates

Multiple issues in the Linux kernel and KDM have been resolved.
