Linux Advisory Watch – October 24th 2003


Author: Benjamin D. Thomas

This week, advisories were released for ircd, gdm, fileutils, sane, and fetchmail. The distributors include Conectiva, Immunix, Mandrake, and Turbolinux.

This week, Ballmer’s comments comparing Windows and Linux security have been all over the press. As you might suspect, the GNU/Linux community instantly fired back, rebutting all of his points. Personally, I believe he was comparing apples and oranges and exploiting the ignorance people have about security. Fear, uncertainty, and doubt are a common theme that we should come to expect. Unfortunately, some believe everything they are being told without any verification of the facts.

The point of this commentary is not to make any argument for or against the security of Linux, but to re-emphasize that the ultimate responsibility for security rests with the person(s) who have chosen to implement a particular piece of software. For instance, by choosing to set up a Linux-based Web server, you take on the responsibility of ensuring that only the bare minimum is installed, that access is strictly controlled, and that the system is patched as necessary. Unfortunately, there will always be vulnerabilities in software due to sloppy programming. I am not trying to discount the responsibility of software makers; I am merely suggesting that security isn’t something that is controlled at a single point. Security is everyone’s responsibility.

When choosing to implement a piece of software, security should be one of the most significant factors. Does the vendor provide timely updates? If something goes horribly wrong, can I fix it myself? What is the security history of this software? All of these questions are important and should be addressed. I just wanted to emphasize that security shouldn’t be a game of “my OS has fewer vulnerabilities than yours”; the point should be “how easily can the problem be fixed, and/or how long do I have to wait for an update?” Security is the responsibility of all at many levels, and we shouldn’t forget that.

Until next time, cheers!
Benjamin D. Thomas

LinuxSecurity Feature Extras:

EnGarde GDSN Subscription Price Reduction: Guardian Digital, the world’s premier open source security company, announced today that they will be reducing the annual subscription cost of the Guardian Digital Secure Network for EnGarde Community users from $229 to $60 for a limited time.

R00ting The Hacker: Dan Verton, the author of The Hacker Diaries: Confessions of Teenage Hackers, is a former intelligence officer in the U.S. Marine Corps who currently writes for Computerworld and CNN.com, covering national cyber-security issues and critical infrastructure protection.


Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

Distribution: Conectiva

  10/17/2003  ircd: DoS vulnerability

A buffer overflow vulnerability has been discovered that may allow an attacker
to crash the ircd server, thus causing a denial of service condition. The
package released with this advisory includes a patch that fixes the problem.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3736.html

 
  10/17/2003 gdm
    DoS Vulnerabilities

Jarno Gassenbauer found two local denial of service vulnerabilities in GDM, both fixed in versions 2.4.4.4 and 2.4.1.7 and in the packages released with this advisory:

http://www.linuxsecurity.com/advisories/connectiva_advisory-3737.html

 
  10/22/2003 fileutils
    denial
of service vulnerability

There is a memory starvation denial of service vulnerability in the ls program. It is possible to make ls allocate a huge amount of memory by calling it with the parameters “-w X -C” (where X is an arbitrarily large number).

http://www.linuxsecurity.com/advisories/connectiva_advisory-3741.html

 
  10/22/2003 sane
    tmp file
vulnerabilities

This update fixes several vulnerabilities in the sane package.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3742.html

Distribution: Immunix

  10/20/2003  fetchmail: Multiple vulnerabilities

This update fixes several bugs in fetchmail, including a broken boundary condition check in the multidrop code, a header overflow that neglected to account for ‘@’ signs in email addresses, a header-rewriting bug, and a head-reading bug.

http://www.linuxsecurity.com/advisories/immunix_advisory-3738.html

Distribution: Mandrake

  10/17/2003  gdm: multiple vulnerabilities

Two vulnerabilities were discovered in gdm by Jarno Gassenbauer that would allow a local attacker to cause gdm to crash or freeze.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3734.html

 
  10/17/2003 fetchmail
    denial
of service vulnerability

A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3735.html

Distribution: Turbolinux

  10/20/2003  kernel/kdebase: Multiple updates, denial of service vulnerability

Multiple issues in the Linux kernel and KDM have been resolved.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-3739.html
