Linux Security Watch m21
Linux Security Watch m21
This week, advisories were released for hpsockd, viewvcs, nfs-util, cyrus-imapd, netatalk, gaim, rhpl, ttfonts, mc, udev, gnome-bluetooth, rsh, mysql, libpng, glib, gtk, postgresql, shadow-utils, perl, mirrorselect, drakxtools, dietlib, gzip, rp-ppoe, openssl, ImageMagick, samba, and cups. The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, SuSE, Trustix, and Turbo Linux. Internet Productivity Suite: Open Source Security Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Packet Sniffers One of the most common ways intruders gain access to more systems on your network is by employing a packet sniffer on a already compromised host. This "sniffer" just listens on the Ethernet port for things like passwd and login and su in the packet stream and then logs the traffic after that. This way, attackers gain passwords for systems they are not even attempting to break into. Clear-text passwords are very vulnerable to this attack. Example: Host A has been compromised. Attacker installs a sniffer. Sniffer picks up admin logging into Host B from Host C. It gets the admins personal password as they login to B. Then, the admin does a su to fix a problem. They now have the root password for Host B. Later the admin lets someone telnet from his account to Host Z on another site. Now the attacker has a password/login on Host Z. In this day and age, the attacker doesn't even need to compromise a system to do this: they could also bring a laptop or pc into a building and tap into your net. Using ssh or other encrypted password methods thwarts this attack. Things like APOP for POP accounts also prevents this attack. (Normal POP logins are very vulnerable to this, as is anything that sends clear-text passwords over the network.) Excerpt from LinuxSecurity HowTO: Mass deploying Osiris Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel. - AIDE and CHKROOTKIT Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit. -- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> | Distribution: Debian * Debian: hpsockd denial of service fix 3rd "infamous41md" discovered a buffer overflow condition in hpsockd, the socks server written at Hewlett-Packard. An exploit could cause the program to crash or may have worse effect. * Debian: viewcvs information leak fix 6th Hajvan Sehic discovered several vulnerabilities in viewcvs, a utility for viewing CVS and Subversion repositories via HTTP. When exporting a repository as a tar archive the hide_cvsroot and forbidden settings were not honoured enough. * Debian: nfs-util denial of service fix 8th SGI has discovered that rpc.statd from the nfs-utils package, the Network Status Monitor, did not ignore the "SIGPIPE". Hence, a client prematurely terminating the TCP connection could also terminate the server process. | Distribution: Fedora * Fedora: cyrus-imapd-2.2.10-3.fc2 update 3rd The recent update to cyrus-imapd-2.2.10-1.fc2 for security exploits revealed a package installation problem. * Fedora: cyrus-imapd-2.2.10-3.fc3 update 3rd The recent update to cyrus-imapd-2.2.10-1.fc3 for security exploits revealed a package installation problem. If the main configuration files for cyrus-imapd * Fedora: netatalk-1.6.4-2.2 update 6th Fix to temp file vulnerability in /etc/psf/etc2ps * Fedora: netatalk-1.6.4-4 update 6th Fix temp file vulnerability in /etc/psf/etc2ps * Fedora: gaim-1.1.0-0.FC2 update 6th Gaim allows you to talk to anyone using a variety of messaging protocols, including AIM (Oscar and TOC), ICQ, IRC, Yahoo!, MSN Messenger, Jabber, Gadu-Gadu, Napster, and Zephyr. These protocols are implemented using a modular, easy to use design. To use a protocol, just add an account using the account editor. * Fedora: gaim-1.1.0-0.FC3 update 6th Gaim allows you to talk to anyone using a variety of messaging protocols, including AIM (Oscar and TOC), ICQ, IRC, Yahoo!, MSN Messenger, Jabber, Gadu-Gadu, Napster, and Zephyr. These protocols are implemented using a modular, easy to use design. To use a protocol, just add an account using the account editor. * Fedora: rhpl-0.148.1-2 update 6th Remove synaptics requires (#137935) * Fedora: ttfonts-ja-1.2-36.FC3.0 update 7th reverted the previous changes so that it broke ghostscript working. (#139798) * Fedora: mc-4.6.1-0.11FC3 update 7th The updated version of Midnight Commander contains finished CAN--0494 security fixes in extfs scripts and has better support for UTF-8, contains subshell prompt fixes and enhanced large file support. * Fedora: udev-039-10.FC3.4 update 7th udev is a implementation of devfs in userspace using sysfs and /sbin/hotplug. It requires a 2.6 kernel to run properly. * Fedora: udev-039-10.FC3.5 update 7th fixed udev.rules for cdrom symlinks (bug 141897) * Fedora: gnome-bluetooth-0.5.1-5.FC3.1 update 7th fixed again gnome-bluetooth-manager script for 64bit (bug 134864) * Fedora: rsh update 8th fixed rexec fails with "Invalid Argument" (#118630) * Fedora: Omni-0.9.2-1.1 update 8th This is the 0.9.2 release of the Omni printer driver collection. It also fixes a library path problem on multilib architectures such as x86_64. * Fedora: mysql-3.23.58-9.1 update 8th fix security issues CAN--0835, CAN--0836, CAN--0837 (bugs #135372, 135375, 135387) * Fedora: libpng-1.2.8-1.fc2 update 9th Updates libpng to the current release 1.2.8. * Fedora: libpng10-1.0.18-1.fc2 update 9th Updates libpng10 to the current release 1.0.18. * Fedora: glib2-2.4.8-1.fc2 update 9th Updates GLib to the current stable release 2.4.8. * Fedora: libpng-1.2.8-1.fc3 update 9th Updates libpng to the current release 1.2.8. * Fedora: glib2-2.4.8-1.fc3 update 9th Updates GLib to the current stable release 2.4.8.
