This week, advisories were released for twiki, xine, libtiff, mc, gatos, playmidi, chbg, cups, imagemagick, mysql, xpdf, xtrlock, mysql, sword, squid, gimp, dovecot, dhcp, bind, vixie-cron, sysklogd, alsa-lib, grep, kernel-utils, ethereal, mpg123, playmidi, and krb5. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, SuSE, and TurboLinux.



Assurance via Documentation

In all business environments management must give a certain level of trust to staff in order for work to get done. In security, trust is extremely important. Security managers must trust staff to properly set up and configure systems, give appropriate access, and fix vulnerabilities as they arise. Trusting staff to get the job done is a fundamental part of doing business. As a manager, how can one be sure that the security staff is properly addressing security issues? How can one be sure that vulnerabilities are fixed and logs are monitored? Peter F. Drucker, a well-known writer on business management topics, once wrote, "if you cannot measure it, you cannot manage it."

This is directly relevant to security. How can a manager be sure that the backups are getting done? Are the IDS and firewall logs properly monitored? A manager can easily have trust in employees, but assurance also must be provided. Management should require staff to log backups, log reviews, server patching, etc. Rather than trusting staff to get the job done, it is necessary to have assurance. All general security maintenance tasks can be, and should be, auditable.

How will extra paperwork help security? Will staff get fed up with all of the extra documentation? The purpose of extra documentation is not to burden staff; it is to increasingly justify security spending. If a security department is properly doing its job, incidents will have little effect. However, if the department isn't doing its job, something catastrophic could happen. It is hard for people not in security to see the value in spending more money when there are no security incidents. Having auditable, documented evidence of thwarted security attempts, log reviews, etc. can have a huge impact on the image of the security department. Rather than relying on trust, giving assurance and quantifying security will help get the budget necessary to have the appropriate level of protection.

Until next time, cheers!

LinuxSecurity.com Feature Extras:

Encrypting Shell Scripts - Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

A 2005 Linux Security Resolution - Year 2000, the coming of the new millennium, brought us great joy and celebration, but also brought great fear. Some believed it would result in full-scale computer meltdown, leaving Earth as a nuclear wasteland. Others predicted minor glitches leading only to inconvenience. The following years (2001-2004) have been tainted with the threat of terrorism worldwide.

State of Linux Security 2004 - In 2004, security continued to be a major concern. The beginning of the year was plagued with several kernel flaws and Linux vendor advisories continue to be released at an ever-increasing rate. This year, we have seen the reports touting Windows' security superiority, only to be debunked by other security experts immediately after release. Also, Guardian Digital launched the new LinuxSecurity.com, users continue to be targeted by automated attacks, and the need for security awareness and education continues to rise.


Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

Conectiva
Conectiva: twiki Fix for twiki remote vulnerability
14th, January, 2005

A vulnerability in twiki was found where a remote attacker could exploit it to run arbitrary shell commands on the server. For further information on this vulnerability, please refer to the authors' announcement[2].
Conectiva: xine-lib Fixes for xine-lib vulnerabilities
19th, January, 2005

Ariel Berkman discovered a buffer overflow vulnerability[2] in demux_aiff.c, where it reads specific input data into an array without checking the input size.
Conectiva: libtiff3 Fixes for libtiff vulnerabilities
20th, January, 2005

This announcement fixes several integer overflow vulnerabilities[3,4] that were encountered in libtiff by iDefense which could lead to remote arbitrary code execution.
Debian
Debian: New mc packages fix several vulnerabilities
14th, January, 2005

Andrew V. Samoilov has noticed that several bugfixes which were applied to the source by upstream developers of mc, the midnight commander, a file browser and manager, were not backported to the current version of mc that Debian ships in their stable release. advisories/debian/debian-new-mc-packages-fix-several-vulnerabilities
Debian: New gatos packages fix arbitrary code execution
17th, January, 2005

Erik Sjölund discovered a buffer overflow in xatitv, one of the programs in the gatos package, that is used to display video with certain ATI video cards. xatitv is installed setuid root in order to gain direct access to the video hardware. advisories/debian/debian-new-gatos-packages-fix-arbitrary-code-execution
New playmidi packages fix local root exploit
17th, January, 2005

Erik Sjölund discovered that playmidi, a MIDI player, contains a setuid root program with a buffer overflow that can be exploited by a local attacker. advisories/debian/new-playmidi-packages-fix-local-root-exploit
Debian: New gallery packages fix several vulnerabilities
17th, January, 2005

Several vulnerabilities have been discovered in gallery, a web-based photo album written in PHP4. advisories/debian/debian-new-gallery-packages-fix-several-vulnerabilities-74984
Debian: New queue packages fix buffer overflows
18th, January, 2005

"jaguar" of the Debian Security Audit Project has discovered several buffer overflows in queue, a transparent load balancing system. advisories/debian/debian-new-queue-packages-fix-buffer-overflows
Debian: New chbg packages fix arbitrary code execution
18th, January, 2005

Danny Lungstrom discovered a vulnerability in chbg, a tool to change background pictures. A maliciously crafted configuration/scenario file could overflow a buffer and lead to the execution of arbitrary code on the victim's machine. advisories/debian/debian-new-chbg-packages-fix-arbitrary-code-execution
Debian: New CUPS packages fix arbitrary code execution
19th, January, 2005

iDEFENSE has reported a buffer overflow in xpdf, the portable document format (PDF) suite. Similar code is present in the PDF processing part of CUPS. A maliciously crafted PDF file could exploit this problem, resulting in the execution of arbitrary code. advisories/debian/debian-new-cups-packages-fix-arbitrary-code-execution-46685
Debian: New ImageMagick packages fix arbitrary code execution
19th, January, 2005

Andrei Nigmatulin discovered a buffer overflow in the PSD image-decoding module of ImageMagick, a commonly used image manipulation library. Remote exploitation with a carefully crafted image could lead to the execution of arbitrary code. advisories/debian/debian-new-imagemagick-packages-fix-arbitrary-code-execution-48846
Debian: New mysql packages fix insecure temporary files
19th, January, 2005

Javier Fernandez-Sanguino Pena from the Debian Security Audit Project discovered a temporary file vulnerability in the mysqlaccess script of MySQL that could allow an unprivileged user to let root overwrite arbitrary files via a symlink attack and could also unveil the contents of a temporary file which might contain sensitive information. advisories/debian/debian-new-mysql-packages-fix-insecure-temporary-files
Debian: New xpdf packages fix arbitrary code execution
19th, January, 2005

iDEFENSE has reported a buffer overflow in xpdf, the portable document format (PDF) suite. A maliciously crafted PDF file could exploit this problem, resulting in the execution of arbitrary code. advisories/debian/debian-new-xpdf-packages-fix-arbitrary-code-execution-69822
Debian: New xtrlock packages fix authentication bypass
20th, January, 2005

A buffer overflow has been discovered in xtrlock, a minimal X display lock program which can be exploited by a malicious local attacker to crash the lock program and take over the desktop session. advisories/debian/debian-new-xtrlock-packages-fix-authentication-bypass
Debian: New sword packages fix arbitrary command execution
20th, January, 2005

Ulf Härnhammar discovered that due to missing input sanitising in diatheke, a CGI script for making and browsing a bible website, it is possible to execute arbitrary commands via a specially crafted URL. advisories/debian/debian-new-sword-packages-fix-arbitrary-command-execution
Debian: New squid packages fix denial of service
20th, January, 2005

Several vulnerabilities have been discovered in Squid, the internet object cache, the popular WWW proxy cache. advisories/debian/debian-new-squid-packages-fix-denial-of-service-8029
Fedora
Fedora Core 3 Update: kernel-2.6.10-1.741_FC3
14th, January, 2005

Fix slab corruption in ACPI video code. advisories/fedora/fedora-core-3-update-kernel-2610-1741fc3-09-45-01-117924
Fedora Core 2 Update: system-config-kickstart-2.5.19-1.fc2
14th, January, 2005

This update fixes bug #143946, where system-config-kickstart cannot load kickstart configuration files. It also incorporates all the other fixes and improvements that have taken place since the FC2 version of this utility. advisories/fedora/fedora-core-2-update-system-config-kickstart-2519-1fc2-17-45-16-117934
Fedora Core 3 Update: gimp-2.2.2-0.fc3.2
16th, January, 2005

This is a major version upgrade from 2.0.x to 2.2.x but it is designed to be binary compatible in order that old plug-ins and scripts continue to work. advisories/fedora/fedora-core-3-update-gimp-222-0fc32-00-00-00-117937
Fedora: NetworkManager-0.3.3-1.cvs20050112.1.fc3 update
17th, January, 2005

Please see RPM Changelog for fixes and new features since the last version. advisories/fedora/fedora-networkmanager-033-1cvs200501121fc3-update-16-37-39-117948
Fedora Core 3 Update: gimp-help-2-0.1.0.6.0.fc3.1
18th, January, 2005

The GIMP User Manual is a newly written User Manual for the GIMP. advisories/fedora/fedora-core-3-update-gimp-help-2-01060fc31-10-09-00-117953
Fedora Core 3 Update: gimp-2.2.2-0.fc3.3
18th, January, 2005

clip thumbnail quality at 75 and don't barf on saving images at quality 0 advisories/fedora/fedora-core-3-update-gimp-222-0fc33-10-10-00-117954
Fedora Core 2 Update: dovecot-0.99.13-4.FC2
18th, January, 2005

This is a bug fix update for the Dovecot IMAP server. This brings the Red Hat Dovecot rpm up to date with the latest upstream release from Timo Sirainen, version 0.99.13 released on Jan 6th 2005. advisories/fedora/fedora-core-2-update-dovecot-09913-4fc2-10-46-00-117955
Fedora Core 3 Update: dovecot-0.99.13-3.FC3
18th, January, 2005

This is a bug fix update for the Dovecot IMAP server. This brings the Red Hat Dovecot rpm up to date with the latest upstream release from Timo Sirainen, version 0.99.13 released on Jan 6th 2005. advisories/fedora/fedora-core-3-update-dovecot-09913-3fc3-10-46-00-117956
Fedora Core 3 Update: dhcpv6-0.10-11_FC3
19th, January, 2005

Updated dhcpv6 package, adding Relay Agent support, Support for prefix delegation to radvd on interface other than lease reception interface and Fix cores on resolv.conf and radvd.conf update advisories/fedora/fedora-core-3-update-dhcpv6-010-11fc3-14-15-00-117969
Fedora Core 3 Update: dhcp-3.0.1-30_FC3
19th, January, 2005

Updated DHCP and DHCLIENT packages. advisories/fedora/fedora-core-3-update-dhcp-301-30fc3-14-16-00-117970
Fedora Core 3 Update: bind-9.2.4-8_FC3
19th, January, 2005

Updated BIND packages. advisories/fedora/fedora-core-3-update-bind-924-8fc3-14-17-00-117971
Fedora Core 3 Update: vixie-cron-4.1-20_FC3
19th, January, 2005

Updated vixie-cron package. advisories/fedora/fedora-core-3-update-vixie-cron-41-20fc3-14-18-00-117972
Fedora Core 3 Update: sysklogd-1.4.1-26_FC3
19th, January, 2005

Updated sysklogd packages. advisories/fedora/fedora-core-3-update-sysklogd-141-26fc3-14-18-00-117973
Fedora Core 3 Update: gpdf-2.8.2-2.2
19th, January, 2005

Add patch for CAN-2005-0064 advisories/fedora/fedora-core-3-update-gpdf-282-22-14-28-00-117976
Fedora Core 2 Update: gpdf-2.8.2-2.1
19th, January, 2005

Add patch for CAN-2005-0064 advisories/fedora/fedora-core-2-update-gpdf-282-21-14-29-00-117977
Fedora Core 2 Update: cups-1.1.20-11.10
20th, January, 2005

This package fixes a buffer overflow which may possibly allow attackers to execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. advisories/fedora/fedora-core-2-update-cups-1120-1110-09-45-00-117983
Fedora Core 3 Update: cups-1.1.22-0.rc1.8.4
20th, January, 2005

This package fixes a buffer overflow which may possibly allow attackers to execute arbitrary code as the "lp" user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0064 to this issue. advisories/fedora/fedora-core-3-update-cups-1122-0rc184-09-45-00-117984
Fedora Core 3 Update: alsa-lib-1.0.6-7.FC3
20th, January, 2005

A flaw in the alsa mixer code was discovered, which disabled stack execution protection for the libasound.so library distributed with Fedora Core 3. As a result, stack execution protection, through NX or Exec-Shield, was disabled for any application linked to libasound. advisories/fedora/fedora-core-3-update-alsa-lib-106-7fc3-09-46-00-117985
Fedora Core 3 Update: grep-2.5.1-31.4
20th, January, 2005

This update fixes a small regression in handling multibyte input for "grep -Fi", and further improves performance when processing UTF-8 input. advisories/fedora/fedora-core-3-update-grep-251-314-12-55-00-117992
Fedora Core 2 Update: xpdf-3.00-3.7
20th, January, 2005

Applied patch to fix CAN-2005-0064 (bug #145050) advisories/fedora/fedora-core-2-update-xpdf-300-37-12-58-00-117993
Fedora Core 3 Update: xpdf-3.00-10.2
20th, January, 2005

Applied patch to fix CAN-2005-0064 (bug #145050) advisories/fedora/fedora-core-3-update-xpdf-300-102-12-59-00-117994
Fedora Core 2 Update: kernel-utils-2.4-9.1.131_FC2
20th, January, 2005

Update microcode_ctl to 1.11 (#131885) advisories/fedora/fedora-core-2-update-kernel-utils-24-91131fc2-14-21-00-117997
Fedora Core 3 Update: kernel-utils-2.4-13.1.49_FC3
20th, January, 2005

Update microcode_ctl to 1.11 advisories/fedora/fedora-core-3-update-kernel-utils-24-13149fc3-14-22-00-117998
Fedora Core 3 Update: hal-0.4.6-1.FC3
20th, January, 2005

New upstream release advisories/fedora/fedora-core-3-update-hal-046-1fc3-16-51-00-118004
Gentoo
Gentoo: Squid Multiple vulnerabilities
16th, January, 2005

Squid contains vulnerabilities in the code handling NTLM (NT Lan Manager), Gopher to HTML and WCCP (Web Cache Communication Protocol) which could lead to denial of service and arbitrary code execution.
Gentoo: ImageMagick PSD decoding heap overflow
20th, January, 2005

ImageMagick is vulnerable to a heap overflow when decoding Photoshop Document (PSD) files, which could lead to arbitrary code execution.
Gentoo: Ethereal Multiple vulnerabilities
20th, January, 2005

Multiple vulnerabilities exist in Ethereal, which may allow an attacker to run arbitrary code, crash the program or perform DoS by CPU and disk utilization.
Mandrake
Mandrake: CUPS multiple vulnerabilities fix
17th, January, 2005

A buffer overflow was discovered in the ParseCommand function in the hpgltops utility. An attacker with the ability to send malicious HPGL files to a printer could possibly execute arbitrary code as the "lp" user (CAN-2004-1267).
Mandrake: Updated mpg123 packages fix
19th, January, 2005

A vulnerability in mpg123's ability to parse frame headers in input streams could allow a malicious file to exploit a buffer overflow and execute arbitrary code with the permissions of the user running mpg123.
Mandrake: Updated playmidi packages
19th, January, 2005

Erik Sjolund discovered a buffer overflow in playmidi that could be exploited by a local attacker if installed setuid root. Note that by default Mandrakelinux does not ship playmidi installed setuid root.
Mandrake: Updated xine packages fix
19th, January, 2005

iDefense discovered that the PNA_TAG handling code in pnm_get_chunk() does not check if the input size is larger than the buffer size (CAN-2004-1187). As well, they discovered that in this same function, a negative value could be given to an unsigned variable that specifies the read length of input data (CAN-2004-1188). Ariel Berkman discovered that xine-lib reads specific input data into an array without checking the input size, making it vulnerable to a buffer overflow problem (CAN-2004-1300).
Red Hat
RedHat: Updated kernel packages fix security
18th, January, 2005

Updated kernel packages that fix several security issues in Red Hat Enterprise Linux 3 are now available. advisories/red-hat/redhat-updated-kernel-packages-fix-security-2652
RedHat: Updated krb5 packages fix security
19th, January, 2005

Updated Kerberos (krb5) packages that correct buffer overflow and temporary file bugs are now available for Red Hat Enterprise Linux. advisories/red-hat/redhat-updated-krb5-packages-fix-security-RHSA-2005-012-01
RedHat: Updated php packages fix security issues
19th, January, 2005

Updated php packages that fix various security issues are now available for Red Hat Enterprise Linux 2.1. advisories/red-hat/redhat-updated-php-packages-fix-security-issues-RHSA-2005-031-01
SuSE
SuSE: php4, mod_php4 remote code execution
17th, January, 2005

Stefan Esser and Marcus Boerger found several buffer overflow problems in the unserializer functions of PHP (CAN-2004-1019) and Ilia Alshanetsky (CAN-2004-1065) found one in the exif parser. Any of them could allow remote attackers to execute arbitrary code as the user running the PHP interpreter.
TurboLinux
TurboLinux: xpdf Buffer overflow
20th, January, 2005

These vulnerabilities may allow remote attackers to execute arbitrary code via malformed PDF files.