[ISN] Linux Advisory Watch - June 18, 2004
InfoSec News
isn at c4i.org
Mon Jun 21 02:20:16 EDT 2004
+---------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| June 18, 2004 Volume 5, Number 25a |
+---------------------------------------------------------------+
Editors: Dave Wreski (dave at linuxsecurity.com), Benjamin Thomas (ben at linuxsecurity.com)
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes point
This week, advisories were released for cvs, krb5, kernel, subversion,
ethereal, squirrelmail, gallery, Webmin, squid, aspell, and tripwire. The
distributors include Debian, Fedora, Gentoo, Red Hat, Slackware, Suse, and
Trustix.
-----
>> Internet Productivity Suite: Open Source Security <<
Trust Internet Productivity Suite's open source architecture to give you
the best security and productivity applications available. Collaborating
with thousands of developers, Guardian Digital security engineers
implement the most technologically advanced ideas and methods into their
design.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10
-----
Open Source Vulnerability Database
The open source community has long been fueled by the drive and
inspiration of those wishing to produce software for the good of everyone.
Open source allows its users to achieve things that would have otherwise
not been possible. Often, proprietary software is too expensive, not
flexible, and full of bugs. Users of proprietary software work at the
mercy of their vendors with little to no influence on features or
functionality. Those organizations who demand security often have trouble
getting proprietary software vendors to comply. Open source is a great
solution for those wishing to have complete control including over
security, flexibility, and functionality.
Open source thrives on those wishing to share their work for the benefit
of the community. To have a successful open source project, it must be
backed by individuals who are ultimately committed to the project.
Contributors must be willing to donate time and money for the advancement
of the cause. Often, open source projects are not properly funded until
they are already well established.
Recently, I have had the great pleasure of talking with Tyler Owen, a
contributor to the Open Source Vulnerability Database project. He, and
others associated with the project have shown a lot of initiative.
Although it has been slow getting off the ground, there has been a renewed
commitment to provide the open source community with a database that
indexes security vulnerabilities. Rather than individual open source users
being burdened with keeping track of them, OSVDB is striving for it to be a
more collaborative process so that work is not duplicated and everyone can
benefit.
Full Interview Text Available:
http://www.linuxsecurity.com/feature_stories/feature_story-156.html
Until next time, cheers!
Benjamin D. Thomas
ben at linuxsecurity.com
-----
Interview with Brian Wotring, Lead Developer for the Osiris Project
Brian Wotring is currently the lead developer for the Osiris project and
president of Host Integrity, Inc. He is also the founder of
knowngoods.org, an online database of known good file signatures. Brian
is the co-author of Mac OS X Security and a long-standing member of the
Shmoo Group, an organization of security and cryptography professionals.
http://www.linuxsecurity.com/feature_stories/feature_story-164.html
--------------------------------------------------------------------
Guardian Digital Launches Next Generation Secure Mail Suite
Guardian Digital, the premier open source security company, announced the
availability of the next generation Secure Mail Suite, the industry's most
secure open source corporate email system. This latest edition has been
optimized to support the changing needs of enterprise and small business
customers while continually providing protection from the latest in email
security threats.
http://www.linuxsecurity.com/feature_stories/feature_story-166.html
--------------------------------------------------------------------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
6/17/2004 - cvs
Multiple vulnerabilities
Sebastian Krahmer and Stefan Esser discovered several
vulnerabilities in the CVS server during a code audit.
http://www.linuxsecurity.com/advisories/debian_advisory-4483.html
6/17/2004 - krb5
Buffer overflow vulnerability
This overflow is only reachable if aname_to_localname is enabled in the
Kerberos configuration (it is not enabled by default).
http://www.linuxsecurity.com/advisories/debian_advisory-4484.html
+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+
6/17/2004 - kernel
2.6.6 Security enhancement
This upgrade is not specifically a security fix; it fixes many kernel
bugs and adds support for stack non-execution on some systems, which
helps guard against exploitation of buffer overflows.
http://www.linuxsecurity.com/advisories/fedora_advisory-4478.html
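A check a practitioner will want after installing a kernel that advertises stack non-execution is whether it actually took effect on a given machine (on x86 it needs an NX-capable CPU and a PAE kernel; on x86-64 it is native). Once active, the main stack mapping in /proc/self/maps carries permissions rw-p instead of rwxp. The following C program is an added example written for this newsletter entry, not code from the Fedora advisory or from the kernel project. It parses maps-style text (so it can be exercised on captured samples) and then runs the same parser on the live process; the sample lines in the comments and test are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Parse the text of a /proc/<pid>/maps file and report whether the main
 * stack mapping is executable.
 * Returns 1 if the "[stack]" line has an 'x' permission bit, 0 if it
 * does not, and -1 if no "[stack]" line was found at all.
 * A maps line looks like (constructed sample):
 *   7ffd1c2e4000-7ffd1c305000 rw-p 00000000 00:00 0    [stack]
 * The function takes text rather than a path so it can be run on saved
 * samples as well as on the live process. */
int stack_is_executable(const char *maps)
{
    const char *line = maps;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (strstr(buf, "[stack]") != NULL) {
            char range[64], perms[8];
            /* second whitespace-separated field is the permission string */
            if (sscanf(buf, "%63s %7s", range, perms) == 2)
                return strchr(perms, 'x') != NULL ? 1 : 0;
            return -1;
        }
        if (end == NULL)
            break;
        line = end + 1;
    }
    return -1;
}

int main(void)
{
    static char maps[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL) {
        perror("/proc/self/maps");
        return 1;
    }
    size_t n = fread(maps, 1, sizeof maps - 1, f);
    fclose(f);
    maps[n] = '\0';

    switch (stack_is_executable(maps)) {
    case 1:
        puts("stack is EXECUTABLE (rwxp): no NX protection on this stack");
        break;
    case 0:
        puts("stack is non-executable (rw-p): NX protection active");
        break;
    default:
        puts("no [stack] mapping found in /proc/self/maps");
        break;
    }
    return 0;
}
```

Note that the result describes this process only: a binary whose ELF GNU_STACK header requests an executable stack will still get rwxp on an NX-capable kernel, so the check should be run from a normally built program.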
6/17/2004 - cvs
Multiple vulnerabilities
Many vulnerabilities, discovered in a recent audit of cvs, are
fixed.
http://www.linuxsecurity.com/advisories/fedora_advisory-4479.html
6/17/2004 - subversion
Heap overflow vulnerability
If using the svnserve daemon, an unauthenticated client may be
able to execute arbitrary code as the daemon's user.
http://www.linuxsecurity.com/advisories/fedora_advisory-4480.html
6/17/2004 - kernel
2.6.6 Denial of service vulnerability
This update includes a fix for the local denial of service as
described in linuxreviews.org.
http://www.linuxsecurity.com/advisories/fedora_advisory-4481.html
6/17/2004 - ethereal
Security patch correction
These new packages fix a bug in the last errata where the actual
security patch didn't get applied.
http://www.linuxsecurity.com/advisories/fedora_advisory-4482.html
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
6/17/2004 - subversion
Heap overflow vulnerability
Subversion is vulnerable to a remote denial of service that may be
exploitable to execute arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4470.html
6/17/2004 - squirrelmail
Cross site scripting vulnerability
Squirrelmail fails to properly sanitize user input, which could
lead to a compromise of webmail accounts.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4471.html
6/17/2004 - Horde-Chora
Code injection vulnerability
A vulnerability in Chora allows remote code execution and file
upload.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4472.html
6/17/2004 - gallery
Privilege escalation vulnerability
Vulnerability may allow an attacker to gain administrator
privileges within Gallery.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4473.html
6/17/2004 - Horde-IMP
Input validation vulnerability
Horde-IMP fails to properly sanitize email messages that contain
malicious HTML or script code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4474.html
6/17/2004 - Webmin
Multiple vulnerabilities
Webmin contains two security vulnerabilities which could lead to a
denial of service attack and information disclosure.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4475.html
6/17/2004 - squid
Buffer overflow vulnerability
Squid contains a bug where it fails to properly check bounds of
the 'pass' variable.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4476.html
6/17/2004 - aspell
Buffer overflow vulnerability
A bug in the aspell utility word-list-compress can allow an
attacker to execute arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4477.html
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
6/17/2004 - squirrelmail
Multiple vulnerabilities
This patch resolves cross-site scripting and SQL injection
vulnerabilities.
http://www.linuxsecurity.com/advisories/redhat_advisory-4467.html
6/17/2004 - tripwire
Format string vulnerability
If Tripwire is configured to send reports via email, a local user
could gain privileges by creating a carefully crafted file.
http://www.linuxsecurity.com/advisories/redhat_advisory-4468.html
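The bug class behind this advisory, shown as an added example (hypothetical report-writing code, not Tripwire's own source): a printf-style function that is handed attacker-controlled text as its format string interprets any '%' directives in that text. The demonstration uses only the harmless "%%" directive so that it runs deterministically; in a real attack "%x" leaks stack words and "%n" writes to memory, which is how such a bug becomes a privilege escalation when the program runs with elevated rights. The file name and buffer sizes are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Compilers warn about a non-literal format with no arguments; the
 * warning is silenced here only so the vulnerable pattern can be shown.
 * In real code that warning is the bug report. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Vulnerable pattern: the untrusted file name itself becomes the format
 * string, so the printf engine interprets every '%' directive in it. */
int format_report_unsafe(char *out, size_t outlen, const char *filename)
{
    return snprintf(out, outlen, filename);
}

/* Fixed pattern: a fixed format string; the file name is data, passed
 * through %s and never interpreted. */
int format_report_safe(char *out, size_t outlen, const char *filename)
{
    return snprintf(out, outlen, "%s", filename);
}

/* Defensive check a report writer can apply before logging or mailing a
 * name: returns 1 if the text contains a '%' that a printf-style function
 * would interpret, 0 otherwise. */
int name_has_format_directive(const char *filename)
{
    return strchr(filename, '%') != NULL ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: a file whose name carries a "%%" directive. */
    const char *name = "report-100%%-done.txt";
    char buf[64];

    format_report_unsafe(buf, sizeof buf, name);
    printf("unsafe: %s\n", buf);   /* "%%" collapsed to "%": name was interpreted */

    format_report_safe(buf, sizeof buf, name);
    printf("safe:   %s\n", buf);   /* name reproduced verbatim */

    printf("directive present: %d\n", name_has_format_directive(name));
    return 0;
}
```

The same rule covers syslog(), fprintf(), and any other printf-family call: the format argument must be a literal, and everything that came from a file system, network, or user goes in as an argument.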
6/17/2004 - httpd,mod_ssl
Buffer overflow vulnerability
Updated httpd and mod_ssl packages that fix minor security issues
in the Apache Web server are now available for Red Hat Enterprise
Linux 2.1.
http://www.linuxsecurity.com/advisories/redhat_advisory-4469.html
+---------------------------------+
| Distribution: Slackware | ----------------------------//
+---------------------------------+
6/15/2004 - kernel
2.4.26 Denial of service vulnerability
Patch resolves ability of local user to crash the kernel.
http://www.linuxsecurity.com/advisories/slackware_advisory-4463.html
+---------------------------------+
| Distribution: Suse | ----------------------------//
+---------------------------------+
6/17/2004 - kernel
Denial of service vulnerability
The Linux kernel is vulnerable to a local denial-of-service attack
by non-privileged users.
http://www.linuxsecurity.com/advisories/suse_advisory-4465.html
6/17/2004 - subversion
Heap overflow vulnerability
This heap overflow is exploitable even before authentication of
users.
http://www.linuxsecurity.com/advisories/suse_advisory-4466.html
+---------------------------------+
| Distribution: Trustix | ----------------------------//
+---------------------------------+
6/17/2004 - kernel
Denial of service vulnerability
Stian Skjelstad discovered a bug whereby a non-privileged user can
crash the kernel.
http://www.linuxsecurity.com/advisories/trustix_advisory-4464.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------