[ISN] Linux Advisory Watch - October 14th 2005

InfoSec News isn at c4i.org
Mon Oct 17 00:05:50 EDT 2005


+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  October 14th, 2005                         Volume 6, Number 42a    |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave at linuxsecurity.com          ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for mason, cpio, dia, masqmail,
shorewall, tcpdump, openvpn, up-imapproxy, ethereal, weex, py2play,
graphviz, xloadimage, xli, xine-lib, hylafax, Ruby, SVG, hexlix player,
uw-imap, openssl, thunderbird, binutils, and libuser.  The distributors
include Debian, Gentoo, and Red Hat.

---

System Accounting
By: Dave Wreski

It is very important that the information that comes from syslog not
be compromised. Making the files in /var/log readable and writable by
only a limited number of users is a good start.

Be sure to keep an eye on what gets written there, especially under
the auth facility. Multiple login failures, for example, can indicate
an attempted break-in.

Where to look for your log file will depend on your distribution. In a
Linux system that conforms to the "Linux Filesystem Standard", such as
Red Hat, you will want to look in /var/log and check messages, mail.log,
and others.

You can find out where your distribution is logging to by looking at
your /etc/syslog.conf file. This is the file that tells syslogd (the
system logging daemon) where to log various messages.

You might also want to configure your log-rotating script or daemon
to keep logs around longer so you have time to examine them. Take a
look at the logrotate package on recent Red Hat distributions. Other
distributions likely have a similar process.

If your log files have been tampered with, see if you can determine
when the tampering started, and what sort of things appeared to be
tampered with. Are there large periods of time that cannot be accounted
for? Checking backup tapes (if you have any) for untampered log files
is a good idea.

Intruders typically modify log files in order to cover their tracks,
but they should still be checked for strange happenings. You may
notice the intruder attempting to gain entrance, or exploit a program
in order to obtain the root account. You might see log entries before
the intruder has time to modify them.

You should also be sure to separate the auth facility from other log
data, including attempts to switch users using su, login attempts, and
other user accounting information.

If possible, configure syslog to send a copy of the most important data
to a secure system. This will prevent an intruder from covering his
tracks by deleting his login/su/ftp/etc attempts. See the syslog.conf
man page, and refer to the @ option.

Finally, log files are much less useful when no one is reading them.
Take some time out every once in a while to look over your log files,
and get a feeling for what they look like on a normal day. Knowing
this can help make unusual things stand out.

Read more from the Linux Security Howto:
http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory
permissions that are far too liberal and allow access beyond that which
is needed for proper system operations. A full explanation of unix file
permissions is beyond the scope of this article, so I'll assume you are
familiar with the usage of such tools as chmod, chown, and chgrp. If
you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more
data in a temporary data storage area than it was intended to hold. Since
buffers are created to contain a finite amount of data, the extra
information can overflow into adjacent buffers, corrupting or overwriting
the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf
Hildebrandt and Pattrick Koetter and feel that it is an incredible
Postfix reference. It gives a great overall view of the operation
and management of Postfix in an extremely systematic and practical
format. It flows in a logical manner, is easy to follow and the
authors did a great job of explaining topics with attention paid
to real world applications and how to avoid many of the associated
pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/


--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New mason packages fix missing init script
  6th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120537


* Debian: New cpio packages fix several vulnerabilities
  7th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120548


* Debian: New dia packages fix arbitrary code execution
  8th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120550


* Debian: New masqmail packages fix several vulnerabilities
  8th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120551


* Debian: New shorewall packages fix firewall bypass
  8th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120552


* Debian: New tcpdump packages fix denial of service
  9th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120555


* Debian: New openvpn packages fix denial of service
  9th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120556


* Debian: New up-imapproxy packages fix arbitrary code execution
  9th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120557


* Debian: New ethereal packages fix several vulnerabilities
  9th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120558


* Debian: New tcpdump packages fix denial of service
  9th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120559


* Debian: New weex packages fix arbitrary code execution
  10th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120561


* Debian: New py2play packages fix arbitrary code execution
  10th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120562


* Debian: New graphviz packages fix insecure temporary file
  10th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120563


* Debian: New xloadimage packages fix arbitrary code execution
  10th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120568


* Debian: New xli packages fix arbitrary code execution
  10th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120570


* Debian: New Ruby packages fix safety bypass
  11th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120571


* Debian: New uw-imap packages fix arbitrary code execution
  11th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120572


* Debian: New Ruby 1.6 packages fix safety bypass
  11th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120573


* Debian: New xine-lib packages fix arbitrary code execution
  12th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120583


* Debian: New Ruby 1.8 packages fix safety bypass
  13th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120589


* Debian: New hylafax packages fix insecure temporary files
  13th, October, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120590



+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Ruby Security bypass vulnerability
  6th, October, 2005

Ruby is vulnerable to a security bypass of the safe level mechanism.

http://www.linuxsecurity.com/content/view/120539


* Gentoo: Dia Arbitrary code execution through SVG import
  6th, October, 2005

Improperly sanitised data in Dia allows remote attackers to execute
arbitrary code.

http://www.linuxsecurity.com/content/view/120540


* Gentoo: RealPlayer, Helix Player Format string vulnerability
  7th, October, 2005

RealPlayer and Helix Player are vulnerable to a format string
vulnerability resulting in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120549


* Gentoo: xine-lib Format string vulnerability
  8th, October, 2005

xine-lib contains a format string error in CDDB response handling
that may be exploited to execute arbitrary code.

http://www.linuxsecurity.com/content/view/120553


* Gentoo: Weex Format string vulnerability
  8th, October, 2005

Weex contains a format string error that may be exploited by
malicious servers to execute arbitrary code.

http://www.linuxsecurity.com/content/view/120554


* Gentoo: uw-imap Remote buffer overflow
  11th, October, 2005

uw-imap is vulnerable to remote overflow of a buffer in the IMAP
server leading to execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120575


* Gentoo: OpenSSL SSL 2.0 protocol rollback
  12th, October, 2005

When using a specific option, OpenSSL can be forced to fallback to
the less secure SSL 2.0 protocol.

http://www.linuxsecurity.com/content/view/120586


* RedHat: Important: thunderbird security update
  6th, October, 2005

An updated thunderbird package that fixes various bugs is now
available for Red Hat Enterprise Linux 4. This update has been rated
as having important security impact by the Red Hat Security Response
Team.

http://www.linuxsecurity.com/content/view/120541



+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Low: binutils security update
  11th, October, 2005

An updated binutils package that fixes minor security issues is now
available. This update has been rated as having low security impact
by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120578


* RedHat: Low: libuser security update
  11th, October, 2005

Updated libuser packages that fix various security issues are now
available. This update has been rated as having low security impact
by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120579


* RedHat: Moderate: util-linux and mount security update
  11th, October, 2005

Updated util-linux and mount packages that fix two security issues
are now available. This update has been rated as having moderate
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120580


* RedHat: Moderate: ruby security update
  11th, October, 2005

Updated ruby packages that fix an arbitrary command execution issue
are now available. This update has been rated as having moderate
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120581


* RedHat: Moderate: openssl security update
  11th, October, 2005

Updated OpenSSL packages that fix various security issues are now
available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120582

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------





More information about the ISN mailing list