[ISN] Linux Advisory Watch - June 18, 2004

InfoSec News isn at c4i.org
Mon Jun 21 02:20:16 EDT 2004


+---------------------------------------------------------------+
|  LinuxSecurity.com                    Linux Advisory Watch    |
|  June 18, 2004                        Volume 5, Number 25a    |
+---------------------------------------------------------------+

  Editors:      Dave Wreski               Benjamin Thomas
                dave at linuxsecurity.com    ben at linuxsecurity.com


Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes point

This week, advisories were released for cvs, krb5, kernel, subversion,
ethereal, squirrelmail, gallery, Webmin, squid, aspell and tripwire The
distributors include Debian, Fedora, Gentoo, Red Hat, Slackware, Suse, and
Trustix.

-----

>> Internet Productivity Suite:  Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you
the best security and productivity applications available.  Collaborating
with thousands of developers, Guardian Digital security engineers
implement the most technologically advanced ideas and methods into their
design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=3Dgdn10

-----

Open Source Vulnerability Database

The open source community has long been fueled by the drive and
inspiration of those wishing to produce software for the good of everyone.
Open source allows its users to achieve things that would have otherwise
not been possible. Often, proprietary software is too expensive, not
flexible, and full of bugs. Users of proprietary software work at the
mercy of their vendors with little to no influence on features or
functionality. Those organizations who demand security often have trouble
getting proprietary software vendors to comply. Open source is a great
solution for those wishing to have complete control including over
security, flexibility, and functionality.

Open source thrives on those wishing to share their work for the benefit
of the community. To have a successful open source project, it must be
backed by individuals who are ultimately committed to the project.
Contributors must be willing donate time and money for the advancement of
the cause. Often, open source projects are not properly funded until they
are already well established.

Recently, I have had the great pleasure of talking with Tyler Owen, a
contributor to the Open Source Vulnerability Database project. He, and
others associated with the project have shown a lot of initiative.
Although it has been slow getting off the ground, there has been a renewed
commitment to provide the open source community with a database that
indexes security vulnerabilities. Rather than individual open source users
being burdened with keep track of them, OSVDB is striving for it to be a
more collaborative process so that work is not duplicated and everyone can
benefit.

Full Interview Text Available:
http://www.linuxsecurity.com/feature_stories/feature_story-156.html

Until next time, cheers!
Benjamin D. Thomas
ben at linuxsecurity.com

-----

Interview with Brian Wotring, Lead Developer for the Osiris Project

Brian Wotring is currently the lead developer for the Osiris project and
president of Host Integrity, Inc.=C3=8AHe is also the founder of
knowngoods.org, an online database of known good file signatures.=C3=8A Bri=
an
is the co-author of Mac OS X Security and a long-standing member of the
Shmoo Group, an organization of security and cryptography professionals.

http://www.linuxsecurity.com/feature_stories/feature_story-164.html

--------------------------------------------------------------------

Guardian Digital Launches Next Generation Secure Mail Suite

Guardian Digital, the premier open source security company, announced the
availability of the next generation Secure Mail Suite, the industry's most
secure open source corporate email system. This latest edition has been
optimized to support the changing needs of enterprise and small business
customers while continually providing protection from the latest in email
security threats.

http://www.linuxsecurity.com/feature_stories/feature_story-166.html

--------------------------------------------------------------------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 6/17/2004 - cvs
   Multiple vulnerabilities

   Sebastian Krahmer and Stefan Esser discovered several
   vulnerabilities in the CVS server during a code audit.
   http://www.linuxsecurity.com/advisories/debian_advisory-4483.html

 6/17/2004 - krb5
   Buffer overflow vulnerability

   This overflow only applies if aname_to_localname is enabled in the
   configuration (not default).
   http://www.linuxsecurity.com/advisories/debian_advisory-4484.html


+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 6/17/2004 - kernel
   2.6.6 Security enchancement

   This upgrade is not specifically secuity; it fixes many kernel
   bugs and adds support for stack non-execution on some systems,
   which is important in guarding against buffer overflows.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4478.html

 6/17/2004 - cvs
   Multiple vulnerabilities

   Many vulnerabilities, discovered in a recent audit of cvs, are
   fixed.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4479.html

 6/17/2004 - subversion
   Heap overflow vulnerability

   If using the svnserve daemon, an unauthenticated client may be
   able execute arbitrary code as the daemon's user.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4480.html

 6/17/2004 - kernel
   2.6.6 Denial of service vulnerability

   This update includes a fix for the local denial of service as
   described in linuxreviews.org.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4481.html

 6/17/2004 - ethereal
   Security patch correction

   These new packages fix a bug in the last errata where the actual
   security patch didn't get applied.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4482.html


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 6/17/2004 - subversion
   Heap overflow vulnerability

   Subversion is vulnerable to a remote Denial of Service that may be
   exploitable to execute arbitrary code
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4470.html

 6/17/2004 - squirrelmail
   Cross site scripting vulnerability

   Squirrelmail fails to properly sanitize user input, which could
   lead to a compromise of webmail accounts.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4471.html

 6/17/2004 - Horde-Chora Code injection vulnerability
   Cross site scripting vulnerability

   A vulnerability in Chora allows remote code execution and file
   upload.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4472.html

 6/17/2004 - gallery
   Privilege escalation vulnerability

   Vulnerability may allow an attacker to gain administrator
   privileges within Gallery.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4473.html

 6/17/2004 - Horde-IMP Input validation vulnerability
   Privilege escalation vulnerability

   Horde-IMP fails to properly sanitize email messages that contain
   malicious HTML or script code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4474.html

 6/17/2004 - Webmin
   Multiple vulnerabilities

   Webmin contains two security vulnerabilities which could lead to a
   denial of service attack and information disclosure.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4475.html

 6/17/2004 - squid
   Buffer overflow vulnerability

   Squid contains a bug where it fails to properly check bounds of
   the 'pass' variable.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4476.html

 6/17/2004 - aspell
   Buffer overflow vulnerability

   A bug in the aspell utility word-list-compress can allow an
   attacker to execute arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4477.html


+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 6/17/2004 - squirrelmail
   Multiple vulnerabilities

   This patch resolves cross-site scripting and SQL injection
   vulnerabilities.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4467.html

 6/17/2004 - tripwire
   Format string vulnerability

   If Tripwire is configured to send reports via email, a local user
   could gain privileges by creating a carefully crafted file.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4468.html

 6/17/2004 - httpd,mod_ssl Buffer overflow vulnerability
   Format string vulnerability

   Updated httpd and mod_ssl packages that fix minor security issues
   in the Apache Web server are now available for Red Hat Enterprise
   Linux 2.1.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4469.html


+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 6/15/2004 - kernel
   2.4.26 Denial of service vulnerability

   Patch resolves ability of local user to crash the kernel.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4463.html


+---------------------------------+
|  Distribution: Suse             | ----------------------------//
+---------------------------------+

 6/17/2004 - kernel
   Denial of service vulnerability

   The Linux kernel is vulnerable to a local denial-of-service attack
   by non-privileged users.
   http://www.linuxsecurity.com/advisories/suse_advisory-4465.html

 6/17/2004 - subversion
   Heap overflow vulnerability

   This heap overflow is exploitable even before authentication of
   users.
   http://www.linuxsecurity.com/advisories/suse_advisory-4466.html


+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 6/17/2004 - kernel
   Denial of service vulnerability

   Stian Skjelstad discovered a bug whereby a non-privileged user can
   crash the kernel.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4464.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------





More information about the ISN mailing list