This week, advisories were released for cyrus-imapd, curl, xloadimage, xli,
PERL, slypheed, libgal2, libsoup, evolution, gimp, procps, lsof, lockdev, xloadimage,
mailman, boost, kdelibs, firefox, thunderbird, mozilla, devhelp, epiphany, rxvt,
LTris, MySQL, ethereal, ipsec-tools, and ImageMagick. The distributors include
Conectiva, Debian, Fedora, Genotoo, Mandrake, Red Hat, and SuSE.
Internet Productivity Suite: Open Source Security - Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more!
Authentication: Passwords
For most, the subject of passwords is novel. However, it is important to take a step back and analyze their strengths, weaknesses, and alternatives.
Using only passwords as a method of authentication is often insufficient for critical data because they fundamentally have weaknesses. Several of those include: users pick easy to guess words, users often voluntarily give them away in order to make work easier, and passwords are often easily intercepted. Many applications/protocols that are still in use send passwords in cleartext. A weak password is the equivalent of a faulty lock on a safe. Passwords do not guarantee security, only increase the time required to access data or information.
System administrators can improve password security for users in several ways. First, a limit on log-in attempts should be set. For example, user ids should be locked after a number of failed login attempts. Next, passwords should have strength requirements set. For example, passwords should have a minimum length, special characters and capitalizations should be required, and they should be checked against a dictionary file. Password security can also be improved if there are expiration dates set and passwords are not reused consecutively.
Biometrics and other forms of authentication in addition to passwords can dramatically increase security. Having a second line of defense is critical. For example, ssh security can be improved by using key-authentication and IP based access controls. Passwords are slowly becoming obsolete with improvements in technology, but will remain in use for many years. Next week, I'll discuss how using single sign-on mechanisms can improve password security and management for users.
Until next time, cheers!
Benjamin D. Thomas
LinuxSecurity.com Feature Extras:
Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.
The Tao of Network Security Monitoring: Beyond Intrusion Detection - To be honest, this was one of the best books that I've read on network security. Others books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant.
Encrypting Shell Scripts - Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).
Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.
| Contectiva | ||
| Conectiva: cyrus-imapd Fix for multiple cyrus-imapd vulnerabilities | ||
| 17th, March, 2005
cyrus-imapd[1] is an IMAP and POP3 mail server with several advanced features such as SASL authentication, server-side mail filtering, mailbox ACLs and others. http://www.linuxsecurity.com/content/view/118624 |
||
| Conectiva: curl Fix for cURL vulnerability | ||
| 21st, March, 2005
cURL[1] is a client to get/put files from/to servers, using any of the supported protocols. http://www.linuxsecurity.com/content/view/118655 |
||
| Debian | ||
| Debian: New xloadimage packages fix several vulnerabilities | ||
| 21st, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118650 |
||
| Debian: New xli packages fix several vulnerabilities | ||
| 21st, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118656 |
||
| Debian: New perl packages fix privilege escalation | ||
| 22nd, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118663 |
||
| Fedora | ||
| Fedora Core 2 Update: sylpheed-1.0.3-0.FC2 | ||
| 17th, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118626 |
||
| Fedora Core 3 Update: libgal2-2.2.5-1 | ||
| 17th, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118627 |
||
| Fedora Core 3 Update: libsoup-2.2.2-1.FC3 | ||
| 17th, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118628 |
||
| Fedora Core 3 Update: evolution-data-server-1.0.4-3 | ||
| 17th, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118629 |
||
| Fedora Core 3 Update: evolution-2.0.4-1 | ||
| 17th, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118630 |
||
| Fedora Core 3 Update: evolution-connector-2.0.4-1 | ||
| 17th, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118631 |
||
| Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.89 | ||
| 17th, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118632 |
||
| Fedora Core 3 Update: policycoreutils-1.18.1-2.10 | ||
| 17th, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118633 |
||
| Fedora Core 3 Update: gimp-2.2.4-0.fc3.3 | ||
| 18th, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118640 |
||
| Fedora Core 3 Update: procps-3.2.3-5.2 | ||
| 18th, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118641 |
||
| Fedora Core 3 Update: lsof-4.72-2.1 | ||
| 18th, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118642 |
||
| Fedora Core 3 Update: lockdev-1.0.1-4.1 | ||
| 18th, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118643 |
||
| Fedora Core 2 Update: xloadimage-4.1-34.FC2 | ||
| 18th, March, 2005
This update fixes CAN-2005-0638, a problem in the parsing of shell metacharacters in filenames. It also fixes bugs in handling of malformed TIFF and PBM/PNM/PPM issues. http://www.linuxsecurity.com/content/view/118644 |
||
| Fedora Core 3 Update: xloadimage-4.1-34.FC3 | ||
| 18th, March, 2005
This update fixes CAN-2005-0638, a problem in the parsing of shell metacharacters in filenames. It also fixes bugs in handling of malformed TIFF and PBM/PNM/PPM issues. http://www.linuxsecurity.com/content/view/118645 |
||
| Fedora Core 2 Update: mailman-2.1.5-10.fc2 | ||
| 22nd, March, 2005
A cross-site scripting (XSS) flaw in the driver script of mailman prior to version 2.1.5 could allow remote attackers to execute scripts as other web users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1177 to this issue. Users of mailman should update to this erratum package, which corrects this issue by turning on STEALTH_MODE by default and using Utils.websafe() to quote the html. http://www.linuxsecurity.com/content/view/118667 |
||
| Fedora Core 3 Update: mailman-2.1.5-32.fc3 | ||
| 22nd, March, 2005
A cross-site scripting (XSS) flaw in the driver script of mailman prior to version 2.1.5 could allow remote attackers to execute scripts as other web users. The Common Vulnerabilities. http://www.linuxsecurity.com/content/view/118668 |
||
| Fedora Core 3 Update: boost-1.32.0-5.fc3 | ||
| 22nd, March, 2005
This is a bugfix release. http://www.linuxsecurity.com/content/view/118669 |
||
| Fedora Core 2 Update: kdelibs-3.2.2-14.FC2 | ||
| 23rd, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118683 |
||
| Fedora Core 3 Update: firefox-1.0.2-1.3.1 | ||
| 23rd, March, 2005
A buffer overflow bug was found in the way Firefox processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. http://www.linuxsecurity.com/content/view/118684 |
||
| Fedora Core 3 Update: kdelibs-3.3.1-2.9.FC3 | ||
| 23rd, March, 2005
Updated package. http://www.linuxsecurity.com/content/view/118685 |
||
| Fedora Core 3 Update: thunderbird-1.0.2-1.3.1 | ||
| 23rd, March, 2005
A buffer overflow bug was found in the way Thunderbird processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue. http://www.linuxsecurity.com/content/view/118686 |
||
| Fedora Core 3 Update: mozilla-1.7.6-1.3.2 | ||
| 23rd, March, 2005
A buffer overflow bug was found in the way Mozilla processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. http://www.linuxsecurity.com/content/view/118687 |
||
| Fedora Core 3 Update: devhelp-0.9.2-2.3.1 | ||
| 23rd, March, 2005
There were several security flaws found in the mozilla package, which devhelp depends on. Users of devhelp are advised to upgrade to this updated package which has been rebuilt against a later version of mozilla which is not vulnerable to these flaws. http://www.linuxsecurity.com/content/view/118688 |
||
| Fedora Core 3 Update: epiphany-1.4.4-4.3.1 | ||
| 23rd, March, 2005
There were several security flaws found in the mozilla package, which epiphany depends on. Users of epiphany are advised to upgrade to this updated package which has been rebuilt against a later version of mozilla which is not vulnerable to these flaws. http://www.linuxsecurity.com/content/view/118689 |
||
| Fedora Core 3 Update: evolution-2.0.4-2 | ||
| 23rd, March, 2005
There were several security flaws found in the mozilla package, which evolution depends on. Users of evolution are advised to upgrade to this updated package which has been rebuilt against a later version of mozilla which is not vulnerable to these flaws. http://www.linuxsecurity.com/content/view/118690 |
||
| Gentoo | ||
| Gentoo: Grip CDDB response overflow | ||
| 17th, March, 2005
Grip contains a buffer overflow that can be triggered by a large CDDB response, potentially allowing the execution of arbitrary code. http://www.linuxsecurity.com/content/view/118625 |
||
| Gentoo: KDE Local Denial of Service | ||
| 19th, March, 2005
KDE is vulnerable to a local Denial of Service attack. http://www.linuxsecurity.com/content/view/118646 |
||
| Gentoo: rxvt-unicode Buffer overflow | ||
| 20th, March, 2005
rxvt-unicode is vulnerable to a buffer overflow that could lead to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/118647 |
||
| Gentoo: LTris Buffer overflow | ||
| 20th, March, 2005
LTris is vulnerable to a buffer overflow which could lead to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/118648 |
||
| Gentoo: Sylpheed, Sylpheed-claws Message reply overflow | ||
| 20th, March, 2005
Sylpheed and Sylpheed-claws contain a vulnerability that can be triggered when replying to specially crafted messages. http://www.linuxsecurity.com/content/view/118649 |
||
| Mandrake | ||
| Mandrake: Updated KDE packages address | ||
| 21st, March, 2005
New KDE packages are available to address various bugs. The details are as follows. http://www.linuxsecurity.com/content/view/118661 |
||
| Mandrake: Updated MySQL packages fix | ||
| 21st, March, 2005
A number of vulnerabilities were discovered by Stefano Di Paola in the MySQL server: If an authenticated user had INSERT privileges on the 'mysql' database, the CREATE FUNCTION command allowed that user to use libc functions to execute arbitrary code with the privileges of the user running the database server (mysql) (CAN-2005-0709). http://www.linuxsecurity.com/content/view/118662 |
||
| Red Hat | ||
| RedHat: Moderate: ethereal security update | ||
| 18th, March, 2005
Updated Ethereal packages that fix various security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118636 |
||
| RedHat: Important: sylpheed security update | ||
| 18th, March, 2005
An updated sylpheed package that fixes a buffer overflow issue is now available. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118635 |
||
| RedHat: Important: mailman security update | ||
| 21st, March, 2005
An updated mailman package that corrects a cross-site scripting flaw is now available. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118658 |
||
| RedHat: Important: realplayer security update | ||
| 21st, March, 2005
Updated realplayer packages that fix a number of security issues are now available for Red Hat Enterprise Linux 3 Extras. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118659 |
||
| RedHat: Low: libexif security update | ||
| 21st, March, 2005
Updated libexif packages that fix a buffer overflow issue are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118660 |
||
| RedHat: Moderate: ImageMagick security update | ||
| 23rd, March, 2005
Updated ImageMagick packages that fix a heap based buffer overflow are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118670 |
||
| RedHat: Moderate: ipsec-tools security update | ||
| 23rd, March, 2005
An updated ipsec-tools package that fixes a bug in parsing of ISAKMP headers is now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118671 |
||
| RedHat: Moderate: ImageMagick security update | ||
| 23rd, March, 2005
Updated ImageMagick packages that fix a format string bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118672 |
||
| RedHat: Important: kdelibs security update | ||
| 23rd, March, 2005
Updated kdelibs packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118673 |
||
| RedHat: Critical: mozilla security update | ||
| 23rd, March, 2005
Updated mozilla packages that fix various bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118679 |
||
| RedHat: Critical: mozilla security update | ||
| 23rd, March, 2005
Updated mozilla packages that fix various bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118680 |
||
| RedHat: Critical: firefox security update | ||
| 23rd, March, 2005
Updated firefox packages that fix various bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118681 |
||
| RedHat: Critical: thunderbird security update | ||
| 23rd, March, 2005
Updated thunderbird packages that fix various bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/118682 |
||
| SuSE | ||
| SuSE: ImageMagick problems | ||
| 23rd, March, 2005
This update fixes several security issues in the ImageMagick program suite: - A format string vulnerability was found in the display program which could lead to a remote attacker being to able to execute code as the user running display by providing handcrafted filenames of images. This is tracked by the Mitre CVE ID CAN-2005-0397. http://www.linuxsecurity.com/content/view/118678 |
||
|
|
Only registered users can write comments.
Please login or register.
Powered by AkoComment!