+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  June 26, 2000                             Volume 1, Number 9       |
|                                                                     |
|  Editorial Team:  Dave Wreski              dave@linuxsecurity.com   |
|                   Benjamin Thomas          ben@linuxsecurity.com    |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines and system advisories.

Multiple vendors released fixes for the serious wu-ftpd vulnerability. The problem exists in wu-ftpd's handling of the SITE EXEC command. The default configuration of wu-ftpd is vulnerable to remote users gaining root access.

Privacy is an issue that caught the attention of many readers this week. The World Wide Web Consortium debuted the Platform for Privacy Preferences Project (P3P). It is intended to make privacy statements more understandable to users who want to know how the sites they visit use their personal information. An article titled "Pretty Poor Privacy: An Assessment of P3P" examines whether P3P is an effective solution to growing public concerns about online privacy. Additional articles covering this subject are available in the "General News" section of this newsletter.

Another subject for discussion this week is Simple Object Access Protocol (SOAP). An article titled "Soap could slip up on security" points out the problems with this protocol. The article states, "Microsoft promotes Soap as a means for application developers to get around the 'limitations' security administrators have set in place." This raises a very serious question: is extending the functionality of software worth extra security risks? Bruce Schneier states, "Soap is going to open up a whole new avenue for security vulnerabilities."

Our feature this week, "Network Intrusion Detection Using Snort," by Dave Wreski and Christopher Pallack, describes the basics of intrusion detection, the steps necessary to configure the "snort" IDS, testing and operation, and how to detect intrusion attempts. It is available at the following URL:

http://www.linuxsecurity.com/feature_stories/feature_story-49.html

Our sponsor this week is WebTrends. Their Security Analyzer has the most vulnerability tests available for Red Hat & VA Linux. It uses advanced agent-based technology, enabling you to scan your Linux servers from your Windows NT/2000 console and protect them against potential threats. Now with over 1,000 tests available.

http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version Available:
http://www.linuxsecurity.com/articles/forums_article-963.html


Advisories This Week:
---------------------

June 23rd, 2000 -- Caldera: wu-ftpd vulnerability

There is a problem in wu-ftpd handling of the SITE EXEC command that allows remote attackers to gain root access.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-498.html

June 23rd, 2000 -- Debian: remote root exploit

The version of wu-ftpd distributed in Debian GNU/Linux 2.1 (a.k.a. slink), as well as in the frozen (potato) and unstable (woody) distributions, is vulnerable to a remote root compromise. The default configuration in all current Debian packages prevents the currently available exploits in the case of anonymous access, although local users could still possibly compromise the server.
http://www.linuxsecurity.com/advisories/advisory_documents/debian_advisory-496.html

June 23rd, 2000 -- RedHat: wu-ftpd update

Buffer overflow in wu-ftpd 2.6.0 and below fixed. The bug in wu-ftpd can permit remote users, even without an account, to gain root access.
http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-500.html

June 23rd, 2000 -- Mandrake: Multiple Vulnerabilities

Updates available for bind, cdrecord, dump, fdutils, kdesu, xemacs, xlockmore
http://www.linuxsecurity.com/advisories/advisory_documents/mandrake_advisory-497.html

June 23rd, 2000 -- Conectiva: wu-ftpd update

Buffer overflow fixed in wu-ftpd package version 2.6.0 and below. The wu-ftpd package version 2.6.0 and below has a buffer overflow that can be remotely exploited and give an attacker root privileges on the remote machine.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-499.html

June 22nd, 2000 -- FreeBSD: Remote denial-of-service in IP stack

Remote users can cause a FreeBSD system to panic and reboot. There are several bugs in the processing of IP options in the FreeBSD IP stack, which fail to correctly bounds-check arguments and contain other coding errors leading to the possibility of data corruption and a kernel panic upon reception of certain invalid IP packets.
http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-494.html

June 22nd, 2000 -- RedHat PowerTools: Zope Vulnerabilities

Remote vulnerabilities exist with all Zope-2.0 releases. This hotfix corrects issues with an inadequately protected method in one of the base classes in the DocumentTemplate package that could allow the contents of DTMLDocuments or DTMLMethods to be changed remotely or through DTML code without forcing proper user authorization.
http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-495.html

June 22nd, 2000 -- NetBSD: libdes vulnerability

The replacement versions of these functions written during the integration process have a serious bug. If /dev/urandom is not present and functioning correctly, des_init_random_number_generator seeds the random number generator with constant data, causing the generation of keys which are easy to determine.
http://www.linuxsecurity.com/advisories/advisory_documents/netbsd_advisory-493.html

June 21st, 2000 -- RedHat: 2.2.16 Kernel Released

This new kernel release fixes a security hole that could affect any setuid program on the system. In addition, several accumulated fixes are included.
http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-492.html

June 19th, 2000 -- TurboLinux: kernel vulnerability

Any local user with an account can use this vulnerability to obtain root privileges by exploiting setuid root applications. Originally this security bug was reported by Sendmail. An unsafe fgets() usage in sendmail's mail.local exposes the setuid() security hole in the Linux kernel. This vulnerability allows local users to obtain root privilege by exploiting setuid root applications.
http://www.linuxsecurity.com/advisories/advisory_documents/turbolinux_advisory-491.html


Host Security News:
-------------------

Bastille Linux Review
June 20th, 2000

Bastille Linux has taken on the challenge of securing the often infamously crackable Red Hat distribution with an "after market" hardening script. The developers have stated that "the Bastille Hardening System attempts to `harden' or `tighten' the Linux operating system.
http://www.linuxsecurity.com/articles/host_security_article-921.html

An Interview with Chris Rouland
June 20th, 2000

Chris Rouland is the director of X-Force at Internet Security Systems (ISS), a group dedicated to understanding, documenting and coding new vulnerability checks and tests, attack signatures and solutions to global security problems.
http://www.linuxsecurity.com/articles/general_article-930.html

Trust and the System Administrator
June 19th, 2000

Noel writes about some things that a System Administrator should consider when configuring or maintaining a system. "One of the first things many of us think about is the trust we give to the users of our systems.
Some of these users have special privileges so that they can perform their own jobs." They have to walk a fine line between making their systems unusable and leaving them unsecured or unreliable.
http://www.linuxsecurity.com/articles/network_security_article-912.html


Network Security News:
----------------------

Intel admits wireless security concerns
June 23rd, 2000

Intel chief exec admits that the future of wireless and mobile technology is overshadowed by security complications. Speaking at Intel's Wireless Competency Centre in Stockholm this week managing director Leif Persson acknowledged hugely complicated wireless environments are causing them serious anxiety.
http://www.linuxsecurity.com/articles/network_security_article-954.html

Network security threats growing
June 22nd, 2000

Networks face three vulnerabilities: physical security problems, logical security problems such as computers within a network, and security problems involving people -- all of which should be equally important to businesses, according to a British Telecommunications executive speaking here at InfowarCon Thursday.
http://www.linuxsecurity.com/articles/network_security_article-947.html

Software Acts As Robotic Hacker
June 22nd, 2000

The best way to determine if your IT infrastructure is secure is to have a hacker try to break into your corporate systems. Short of that, software that simulates attacks is the next best thing. Wednesday, Sanctum rolled out an automated audit tool that analyzes Web applications, points to security glitches, and provides advice on how to fix any vulnerability.
http://www.linuxsecurity.com/articles/network_security_article-951.html

Special Report: Privacy on the Internet
June 21st, 2000

My favorite trade mag has a new look. Here's a good (albeit, short) article on network security and privacy. "The Internet is a powerful tool that promis...