[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Linux Advisory Watch - September 26th 2003

|  LinuxSecurity.com                        Linux Advisory Watch |
|  September 26th, 2003                     Volume 4, Number 38a |

  Editors:     Dave Wreski                Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each

This week, advisories were released for vnc, krb5, php4, ipmasq, ssh, ARP,
openssh, wu-ftpd, ipmasq, sendmail, proftpd and perl.  The distributors
include Conectiva, Debian, Guardian Digital's EnGarde Secure Linux,
FreeBSD, Gentoo, Red Hat, Slackware, SuSE, and TurboLinux.

>> FREE Apache SSL Guide from Thawte  <<

Are you worried about your web server security?  Click here to get a FREE
Thawte Apache SSL Guide and find the answers to all your Apache SSL
security needs.

 Click Command:

Several weeks ago, I wrote that I decided to move to England so that I
could pursue a Master's in Information Security from Royal Holloway,
University of London.  Due to the complex bureaucracy, it has taken me a
while to get settled. As soon as my program begins, I will update you on
how my journey is progressing.  This week, I thought that it would be best
if write about an "evergreen" topic in security, passwords!

For most, the subject of passwords is novel.  However, it is important to
take a step back and analyze their strengths, weaknesses, and

Using only passwords as a method of authentication is often insufficient
for critical data because they fundamentally have weaknesses.  Several of
those include: users pick easy to guess words, users often voluntarily
give them away in order to make work easier, and passwords are often
easily intercepted.  Many applications/protocols that are still in use
send passwords in cleartext.  A weak password is the equivalent of a
faulty lock on a safe.  Passwords do not guarantee security, only increase
the time required to access data or information.

System administrators can improve password security for users in several
ways.  First, a limit on log-in attempts should be set.  For example, user
IDs should be locked after a number of failed login attempts.  Next,
passwords should have strength requirements set.  For example, passwords
should have a minimum length, special characters and capitalizations
should be required, and they should be checked against a dictionary file.
Password security can also be improved if there are expiration dates set
and passwords are not reused consecutively.

Biometrics and other forms of authentication in addition to passwords can
dramatically increase security.  Having a second line of defense is
critical.  For example, ssh security can be improved by using
key-authentication and IP based access controls.  Passwords are slowly
becoming obsolete with improvements in technology, but will remain in use
for many years. Next week, I'll discuss how using single sign-on
mechanisms can improve password security and management for users.

Until next time, cheers!
Benjamin D. Thomas


FEATURE: R00ting The Hacker
Dan Verton, the author of The Hacker Diaries: Confessions of Teenage
Hackers is a former intelligence officer in the U.S. Marine Corps who
currently writes for Computerworld and CNN.com, covering national
cyber-security issues and critical infrastructure protection.



CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
thanks to the depth of its security strategy..." Find out what the other
Linux vendors are not telling you.



FEATURE: A Practical Approach of Stealthy Remote Administration This paper
is written for those paranoid administrators who are looking for a
stealthy technique of managing sensitive servers (like your enterprise
firewall console or IDS).


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Conectiva        | ----------------------------//

 9/22/2003 - wu-ftpd Command execution remote vulnerability

   This update fixes a vulnerability in the way wu-ftpd uses the
   "conversion" feature, which is used mostly to (un)compress files. The
   scenario where this vulnerability can be exploited varies depending on
   the server configuration.

 9/23/2003 - vnc
   Multiple vulnerabilities

   This update fixes two vulnerabilities found in VNC that affect the
   versions distributed with Conectiva Linux 7.0 and 8:

 9/23/2003 - krb5
   Multiple kerberos vulnerabilities

   This update fixes pricipal name handling, cryptographic weaknesses,
   faulty length checks in xdrmem_getbytes, and multiple other

 9/24/2003 - php4
   Multiple vulnerabilities

   This new version includes several fixes[3] and improvements, including
   fixes for potential integer overflow vulnerabilities.

|  Distribution: Debian           | ----------------------------//

 9/20/2003 - ipmasq
   Insecure packet filtering rules

   Due to use of certain improper filtering rules, traffic arriving on the
   external interface addressed for an internal host would be forwarded,
   regardless of whether it was associated with an established connection.

 9/21/2003 - ssh-krb5 Multiple vulnerabilities
   Insecure packet filtering rules

   This advisory is an addition to the earlier DSA-383-1 advisory: Solar
   Designer found four more bugs in OpenSSH that may be exploitable.

 9/21/2003 - ssh
   Multiple additional vulnerabilities

   This advisory is an addition to the earlier DSA-382-1 and DSA-382-3
   advisories: Solar Designer found four more bugs in OpenSSH that may be

|  Distribution: EnGarde          | ----------------------------//

 9/24/2003 - 'WebTool-userpass' passphrase disclosure vulnerability.
   Multiple additional vulnerabilities

   "Shawn"  discovered and reported an SSH passphrase disclosure
   vulnerability in the WebTool's User Password Changer via the
   engarde-users mailing list.

|  Distribution: FreeBSD          | ----------------------------//

 9/24/2003 - ARP
   resource starvation DoS

   Under certain circumstances, it is possible for an attacker to flood a
   FreeBSD system with spoofed ARP requests, causing resource starvation
   which eventually results in a system panic.

|  Distribution: Gentoo           | ----------------------------//

 9/23/2003 - openssh
   Multiple PAM vulnerabilities

   Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
   vulnerabilities in the new PAM code. At least one of these bugs is
   remotely exploitable (under a non-standard configuration, with privsep

|  Distribution: Red Hat          | ----------------------------//

 9/22/2003 - apache/mod_ssl Multiple vulnerabilities
   Multiple PAM vulnerabilities

   Updated Apache and mod_ssl packages that fix several minor security
   issues are now available for Red Hat Linux 7.1, 7.2, and 7.3.

 9/22/2003 - perl
   Multiple vulnerabilities

   Updated Perl packages that fix a security issue in Safe.pm and a
   cross-site scripting (XSS) vulnerability in CGI.pm are now available.

|  Distribution: Slackware        | ----------------------------//

 9/23/2003 - 'wu-ftpd' vulnerability
   Multiple vulnerabilities

   Upgraded WU-FTPD packages are available for Slackware 9.0 and -current.
   These fix a problem where an attacker could use a specially crafted
   filename in conjunction with WU-FTPD's conversion feature to execute
   arbitrary commands on the server.

 9/23/2003 - 'proftpd' vulnerability
   Multiple vulnerabilities

   Upgraded ProFTPD packages are available for Slackware 8.1, 9.0 and
   -current.  These fix a security issue where an attacker could gain a
   root shell by downloading a specially crafted file.

 9/23/2003 - 'openssh' PAM vulnerability
   Multiple vulnerabilities

   Upgraded OpenSSH 3.7.1p2 packages are available for Slackware 8.1, 9.0
   and -current.  This fixes security problems with PAM authentication.
   It also includes several code cleanups from Solar Designer.

|  Distribution: SuSE             | ----------------------------//

 9/20/2003 - sendmail, sendmail-tls
   Multiple vulnerabilities

   A remotely exploitable buffer overflow has been found in all versions
   of sendmail that come with SuSE products. These versions include
   sendmail-8.11 and sendmail-8.12 releases.

|  Distribution: TurboLinux       | ----------------------------//

 9/24/2003 - 'openssh' PAM vulnerabilities
   Multiple vulnerabilities

   Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
   vulnerabilities in the new PAM code.

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.

ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@xxxxxxxxxxxxx with 'unsubscribe isn'
in the BODY of the mail.