[ISN] Linux Advisory Watch - August 27th 2004
InfoSec News
isn at c4i.org
Mon Aug 30 02:31:03 EDT 2004
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| August 27th, 2004 Volume 5, Number 34a |
+---------------------------------------------------------------------+
Editors: Dave Wreski (dave at linuxsecurity.com), Benjamin D. Thomas (ben at linuxsecurity.com)
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for ruby, rsync, kdelibs, mysql,
acroread, Tomcat, glibc, xine-lib, courier-imap, spamassassin, qt3, ftpd,
Netscape, and the Linux kernel. The distributors include Debian, Fedora,
Gentoo, Mandrake, NetBSD, Red Hat, SuSE, and Trustix.
-----
>> Internet Productivity Suite: Open Source Security <<
Trust Internet Productivity Suite's open source architecture to give you
the best security and productivity applications available. Collaborating
with thousands of developers, Guardian Digital security engineers
implement the most technologically advanced ideas and methods into their
design.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10
-----
Using swatch for log analysis
With most services, anything of even slight significance produces a
message to syslogd. The sooner someone is aware of that message, the
sooner they can act on it if action is needed. With log files running to
thousands of lines, a log checker is needed both to save time and to make
sure an indication of trouble is not missed.
Swatch stands for Simple WATCHer. Most other log analysis software scans
the logs periodically and can tell you what HAS happened. Swatch can do
this too, but it can also scan log entries as syslogd writes them and tell
you what IS happening. On top of that, swatch can take actions when it
encounters certain log messages.
Installation:
First, download the newest version of swatch. Then run:
perl Makefile.PL
make
make test
make install
make realclean
Swatch depends on a few Perl modules that may not be installed yet; perl
Makefile.PL warns about any that are missing, and they should be installed
(from CPAN or as distribution packages) before swatch is used.
Configuration:
Swatch uses regular expressions to find lines of interest. Once swatch
finds a line that matches a pattern, it takes an action, such as printing
it to the screen, emailing it, or taking a user defined action.
watchfor /[dD]enied|DEN.*ED/
    echo bold
    bell 3
    mail
    exec "/etc/call_pager 5551234 08"
This is a section of a swatch configuration file. First, swatch looks for
a line that contains "denied" or "Denied", or that contains DEN followed
later by ED (the second alternative, which also covers DENIED). Once it
finds such a line, it echoes the line in bold to the terminal and sounds
the bell (^G) 3 times. Then swatch mails the line to the user running
swatch (usually root) and executes the /etc/call_pager program with the
given arguments. Keep exec arguments fixed, as they are here: swatch passes
the command string to a shell and substitutes the matched line into it
wherever the command says $0 (or $*), or the line's fields for $N. Log
content is written by whoever can trigger a log message, so a crafted
entry could inject shell commands that way.
ignore /sendmail/,/fax/,/unimportant stuff/
In this example, lines containing sendmail, fax, or unimportant stuff are
ignored, even if they would otherwise match one of the watchfor patterns.
Use:
Using swatch is very simple. To check an existing log file once, run:
swatch --config-file=/home/chris/swatch.conf --examine=/var/log/messages
This assumes that the configuration file is located at
/home/chris/swatch.conf and that the file to be checked is
/var/log/messages. To run swatch as a constantly running service that
scans lines of a log file as they are written, run:
swatch --config-file=/home/chris/swatch.conf --tail-file=/var/log/messages
Security Tip Written by Chris Parker (news at linuxsecurity.com)
Additional tips are available at the following URL:
http://www.linuxsecurity.com/tips/
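The matching model described in the tip above, as an added example that is not part of the original tip or of swatch itself. It is written in Python rather than swatch's own Perl so that the behaviour can be exercised offline: ignore patterns are applied before watchfor patterns (which is why the ignore line suppresses a DENIED message from sendmail), a file is either scanned once as --examine does or followed as it is appended to as --tail-file does, and the exec action builds an argv list so that a log line containing shell metacharacters cannot inject a command. The log lines in SAMPLE_LOG are constructed for the demonstration, and /etc/call_pager is treated as the hypothetical pager script from the tip.

```python
"""Swatch-style log matching: an added example, not code from the original
tip or from swatch itself.  It models the configuration quoted in the tip
(ignore patterns are checked before watchfor patterns, so an ignored line
never triggers an action), scans a file once (--examine) or follows it as
lines are appended (--tail-file), and shows why an exec action should not
hand log text to a shell.  SAMPLE_LOG is constructed for the demonstration;
/etc/call_pager is the hypothetical pager script from the tip."""
import os
import re
import subprocess
import tempfile
import time
from typing import Iterable, Iterator, List, Optional, Tuple

# Patterns taken from the swatch configuration in the tip.
WATCHFOR = {"denied": re.compile(r"[dD]enied|DEN.*ED")}
IGNORE = [re.compile(p) for p in (r"sendmail", r"fax", r"unimportant stuff")]

# Constructed sample syslog lines; the last one carries shell metacharacters.
SAMPLE_LOG = [
    "Aug 27 10:01:02 host sshd[412]: Permission denied for user bob from 10.0.0.5",
    "Aug 27 10:01:03 host sendmail[99]: relay access DENIED from 10.0.0.9",
    "Aug 27 10:01:04 host kernel: eth0: link up",
    "Aug 27 10:01:05 host pam_unix[77]: ACCESS DENIED; rm -rf / #",
]

def classify(line: str) -> Optional[str]:
    """Name of the watchfor rule that fires for this line, or None.
    As in swatch, an ignore pattern wins even when a watchfor pattern matches."""
    if any(p.search(line) for p in IGNORE):
        return None
    for name, pattern in WATCHFOR.items():
        if pattern.search(line):
            return name
    return None

def examine(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """One-shot scan of a whole file (swatch --examine): (rule, line) per hit."""
    hits = []
    for raw in lines:
        line = raw.rstrip("\n")
        rule = classify(line)
        if rule is not None:
            hits.append((rule, line))
    return hits

def tail(fh, poll_seconds: float = 0.5, max_idle_polls: int = 0) -> Iterator[str]:
    """Follow an open log file (swatch --tail-file): yield lines as they arrive.
    max_idle_polls > 0 stops after that many consecutive empty polls; 0 follows
    indefinitely, as swatch does."""
    idle = 0
    while max_idle_polls == 0 or idle < max_idle_polls:
        line = fh.readline()
        if line:
            idle = 0
            yield line.rstrip("\n")
        else:
            idle += 1
            time.sleep(poll_seconds)

def exec_argv(template: List[str], line: str) -> List[str]:
    """argv for an exec action.  swatch expands $0 (the whole line) inside a
    command string that a shell then parses, so a crafted log entry can inject
    commands there.  Substituting into one argv element keeps the line inert."""
    return [line if token == "$0" else token for token in template]

def run_actions(line: str, pager: List[str], dry_run: bool = True) -> List[str]:
    """The tip's action list for one hit: echo bold, bell 3, exec the pager."""
    print("\033[1m" + line + "\033[0m" + "\a" * 3)
    argv = exec_argv(pager, line)
    if not dry_run:
        subprocess.run(argv, check=False)  # argv list, never shell=True
    return argv

def demo_tail(lines: List[str] = SAMPLE_LOG) -> List[Tuple[str, str]]:
    """Append the sample lines one at a time to a temporary file while a
    follower reads it, the way syslogd appends to /var/log/messages."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "messages")
    open(path, "w").close()
    hits = []
    try:
        with open(path) as reader, open(path, "a") as writer:
            follower = tail(reader, poll_seconds=0.01, max_idle_polls=5)
            for entry in lines:
                writer.write(entry + "\n")
                writer.flush()
                seen = next(follower)  # the follower sees the new line at once
                rule = classify(seen)
                if rule is not None:
                    hits.append((rule, seen))
    finally:
        os.remove(path)
        os.rmdir(tmpdir)
    return hits

if __name__ == "__main__":
    pager = ["/etc/call_pager", "5551234", "08", "$0"]  # hypothetical script
    for rule, line in examine(SAMPLE_LOG):
        print(rule, run_actions(line, pager))
```

Run it directly to see the echo and bell actions fire for the two matching sample lines and not for the sendmail line; with dry_run=False the pager would be invoked with the log line as one argument, so the "; rm -rf /" in the last sample line is delivered as data rather than parsed by a shell. demo_tail() exercises the follow mode against a file that grows while it is being read.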
----
An Interview with Gary McGraw, Co-author of Exploiting Software:
How to Break Code
Gary McGraw is perhaps best known for his groundbreaking work on securing
software, having co-authored the classic Building Secure Software
(Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund
a companion volume, Exploiting Software, which details software security
from the vantage point of the other side, the attacker. He has graciously
agreed to share some of his insights with all of us at LinuxSecurity.com
http://www.linuxsecurity.com/feature_stories/feature_story-171.html
---------------------------------------------------------------------
Security Expert Dave Wreski Discusses Open Source Security
LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian
Digital, Inc. and respected author of various hardened security and Linux
publications, to talk about how Guardian Digital is changing the face of
IT security today. Guardian Digital is perhaps best known for their
hardened Linux solution EnGarde Secure Linux, touted as the premier
secure, open-source platform for its comprehensive array of general
purpose services, such as web, FTP, email, DNS, IDS, routing, VPN,
firewalling, and much more.
http://www.linuxsecurity.com/feature_stories/feature_story-170.html
------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
8/20/2004 - ruby
Insecure file permissions
This can allow an attacker who also has shell access to the web server
to take over a session.
http://www.linuxsecurity.com/advisories/debian_advisory-4689.html
8/20/2004 - rsync
Insufficient path sanitization
The rsync developers have discovered a security-related problem in
rsync which allows an attacker to access files outside of the defined
directory.
http://www.linuxsecurity.com/advisories/debian_advisory-4690.html
8/20/2004 - kdelibs
Insecure temporary file vulnerability
This can be abused by a local attacker to create or truncate
arbitrary files or to prevent KDE applications from functioning
correctly.
http://www.linuxsecurity.com/advisories/debian_advisory-4691.html
8/20/2004 - mysql
Insecure temporary file vulnerability
Jeroen van Wolffelaar discovered an insecure temporary file
vulnerability in the mysqlhotcopy script when using the scp method
which is part of the mysql-server package.
http://www.linuxsecurity.com/advisories/debian_advisory-4692.html
+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+
8/20/2004 - rsync
Insufficient path sanitization
This update backports a security fix to a path-sanitizing flaw
that affects rsync when it is used in daemon mode without also
using chroot.
http://www.linuxsecurity.com/advisories/fedora_advisory-4688.html
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
8/20/2004 - acroread
Buffer overflow vulnerabilities
Acroread contains two errors in the handling of UUEncoded
filenames that may lead to execution of arbitrary code or
programs.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4682.html
8/20/2004 - Tomcat
Insecure installation
Improper file ownership may allow a member of the tomcat group to
execute scripts as root.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4683.html
8/20/2004 - glibc
Information leak vulnerability
glibc contains an information leak vulnerability allowing the
debugging of SUID binaries.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4684.html
8/20/2004 - rsync
Insufficient path sanitization
This vulnerability could allow the listing of arbitrary files and
allow file overwriting outside the module's path on rsync server
configurations that allow uploading.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4685.html
8/20/2004 - xine-lib
Buffer overflow vulnerability
An attacker may construct a carefully-crafted playlist file which
will cause xine-lib to execute arbitrary code with the permissions
of the user.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4686.html
8/20/2004 - courier-imap
Format string vulnerability
An attacker may be able to execute arbitrary code as the user
running courier-imapd (oftentimes root).
http://www.linuxsecurity.com/advisories/gentoo_advisory-4687.html
+---------------------------------+
| Distribution: Mandrake | ----------------------------//
+---------------------------------+
8/20/2004 - rsync
Insufficient path sanitization
If rsync is running in daemon mode, and not in a chrooted
environment, it is possible for a remote attacker to trick rsyncd
into creating an absolute pathname while sanitizing it.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4679.html
8/20/2004 - spamassassin
Denial of service vulnerability
Security fix prevents a denial of service attack open to certain
malformed messages.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4680.html
8/20/2004 - qt3
Heap overflow vulnerability
This vulnerability could allow for the compromise of the account
used to view or browse malicious graphic files.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4681.html
+---------------------------------+
| Distribution: NetBSD | ----------------------------//
+---------------------------------+
8/20/2004 - ftpd
Privilege escalation vulnerability
A set of flaws in the ftpd source code can be used together to
achieve root access within an ftp session.
http://www.linuxsecurity.com/advisories/netbsd_advisory-4678.html
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
8/20/2004 - Netscape
Multiple vulnerabilities
Netscape Navigator and Netscape Communicator have been removed
from the Red Hat Enterprise Linux 2.1 CD-ROM distribution as part
of Update 5. These packages were based on Netscape 4.8, which is
known to be vulnerable to recent critical security issues, such as
CAN-2004-0597, CAN-2004-0598, and CAN-2004-0599.
http://www.linuxsecurity.com/advisories/redhat_advisory-4673.html
8/20/2004 - kernel
Denial of service vulnerability
A bug in the SoundBlaster 16 code which did not properly handle
certain sample sizes has been fixed. This flaw could be used by
local users to crash a system.
http://www.linuxsecurity.com/advisories/redhat_advisory-4674.html
+---------------------------------+
| Distribution: SuSE | ----------------------------//
+---------------------------------+
8/20/2004 - rsync
Insufficient pathname sanitizing
If rsync is running in daemon-mode and without a chroot
environment it is possible for a remote attacker to trick rsyncd
into creating an absolute pathname while sanitizing it.
http://www.linuxsecurity.com/advisories/suse_advisory-4676.html
8/20/2004 - qt3
Buffer overflow vulnerability
Chris Evans found a heap overflow in the BMP image format parser
which can probably be abused by remote attackers to execute
arbitrary code.
http://www.linuxsecurity.com/advisories/suse_advisory-4677.html
+---------------------------------+
| Distribution: Trustix | ----------------------------//
+---------------------------------+
8/20/2004 - rsync
Path escape vulnerability
Please either enable chroot or upgrade to 2.6.1. People not
running a daemon, running a read-only daemon, or running a
chrooted daemon are totally unaffected.
http://www.linuxsecurity.com/advisories/trustix_advisory-4675.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------