Information Security News mailing list archives
LinuxSecurity Weekly Newsletter, August 28, 2000
From: InfoSec News <isn () C4I ORG>
Date: Mon, 28 Aug 2000 23:46:13 -0500
+---------------------------------------------------------------------+
| LinuxSecurity.com                                 Weekly Newsletter |
| August 28, 2000                                 Volume 1, Number 18 |
|                                                                     |
| Editorial Team: Dave Wreski               dave () linuxsecurity com |
|                 Benjamin Thomas            ben () linuxsecurity com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines and
system advisories.

This week, multiple vendors released advisories for xchat, ld.so,
xlockmore, Netscape, zope, and Helix GNOME. We recommend updating these
packages immediately.

Our feature this week is written by Eric Hines. It is a comprehensive
guide to setting up secure remote log servers. The article covers many
topics, ranging from building and configuring syslogd to securing the
server. If you have considered adding a remote log server to your
network, this guide will prove to be extremely helpful.
http://www.linuxsecurity.com/feature_stories/feature_story-64.html

Privacy is still a major concern among Internet users. An interesting
article titled "Protect your Internet privacy by Lying" discusses how
"privacy warriors" provide fake names, addresses, and other contact
information to remain anonymous. Also this week, the FBI's Carnivore
remains a hot topic. Anti-Carnivore advocates are now using this
potential breach of privacy as a platform to encourage the use of
encryption.

Our sponsor this week is WebTrends. Their Security Analyzer has the
most vulnerability tests available for Red Hat & VA Linux. It uses
advanced agent-based technology, enabling you to scan your Linux
servers from your Windows NT/2000 console and protect them against
potential threats. Now with over 1,000 tests available.
http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version available: http://www.linuxsecurity.com/newsletter.html

---------------------
Advisories This Week:
---------------------

* Mandrake: dhcp vulnerability
  August 25th, 2000

  All versions of the ISC DHCP client program, dhclient, are vulnerable
  to a root attack by a corrupt DHCP server. This version fixes the
  vulnerability. Versions of Linux Mandrake prior to 7.0, while including
  the ISC DHCP server, do not include the DHCP client and are therefore
  not subject to this vulnerability.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-659.html

* Conectiva: Updated 'xchat' packages available
  August 25th, 2000

  The IRC client Xchat allows one to right-click a URL and open many
  different browsers with it. This is done by opening the browser via
  the shell, and commands inside the URL could be expanded by the shell
  and executed.
  http://www.linuxsecurity.com/advisories/other_advisory-658.html

* Mandrake: Updated 'xchat' packages available.
  August 24th, 2000

  This update changes the functionality of XChat to bypass the shell and
  execute the browser directly.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-656.html

* Caldera: ld.so vulnerability
  August 24th, 2000

  A bug has been discovered in ld.so that could allow local users to
  obtain super user privilege. The bug causes the environment variables
  that ld.so is supposed to strip for setuid programs to not be removed
  completely under some circumstances. While setuid programs themselves
  are not vulnerable, external programs they execute can be affected by
  this problem.
  http://www.linuxsecurity.com/advisories/caldera_advisory-657.html

* Mandrake: Updated xlockmore packages
  August 24th, 2000

  A bug exists in previous versions of xlockmore when "%d" is passed as
  the display name. This bug is corrected in this version.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-655.html

* RedHat: XChat vulnerability
  August 23rd, 2000

  XChat allows users to right-click on a URL appearing in an IRC
  discussion and select "Open in Browser." To open the URL in a browser,
  XChat passes it to /bin/sh. So, a malicious URL could execute arbitrary
  shell commands as the user running XChat. This errata changes XChat to
  bypass the shell and execute the browser directly.
  http://www.linuxsecurity.com/advisories/redhat_advisory-654.html

* SuSE: Netscape vulnerability [updated]
  August 23rd, 2000

  Two security problems exist in the netscape package as shipped with
  SuSE Linux distributions.
  http://www.linuxsecurity.com/advisories/suse_advisory-652.html

* Conectiva: netscape vulnerability
  August 21st, 2000

  Netscape version 4.74 to 4.0 allows remote access to any file
  accessible through the UID of the Netscape process, by using a
  vulnerability in the Java machine known as Brown Orifice.
  http://www.linuxsecurity.com/advisories/other_advisory-645.html

* Conectiva: Zope vulnerability
  August 21st, 2000

  Xlock is a screensaver with locking capabilities. It is a SUID root
  program, but drops its privileges as soon as possible, but the
  encrypted user passwords remain in memory.
  http://www.linuxsecurity.com/advisories/other_advisory-650.html

* Helix GNOME: Installer /tmp vulnerability
  August 21st, 2000

  Xlock is a screensaver with locking capabilities. It is a SUID root
  program, but drops its privileges as soon as possible, but the
  encrypted user passwords remain in memory.
  http://www.linuxsecurity.com/advisories/other_advisory-651.html

* Caldera: Netscape java security bug
  August 21st, 2000

  Recently, a problem in netscape's java libraries was discovered that
  allows an applet to act as a web server on your machine, exposing all
  files on your system to the world.
  http://www.linuxsecurity.com/advisories/caldera_advisory-649.html

* RedHat: New zope packages available.
  August 21st, 2000

  Vulnerabilities exist with all Zope-2.0 releases. This advisory
  supersedes the advisory issued on 2000-08-11. Please use the packages
  listed in this advisory instead of the packages referred to previously.
  http://www.linuxsecurity.com/advisories/redhat_advisory-644.html

* RedHat: New netscape packages available
  August 21st, 2000

  New Netscape packages are available to fix a serious security problem
  with Java. It is recommended that all netscape users update to the new
  packages. Users of Red Hat Linux 6.0 and 6.1 should use the packages
  for Red Hat Linux 6.2.
  http://www.linuxsecurity.com/advisories/redhat_advisory-646.html

* Redhat: New mailx and perl packages available
  August 21st, 2000

  Updated perl and mailx packages are now available which fix a potential
  exploit made possible by incorrect assumptions made in suidperl.
  http://www.linuxsecurity.com/advisories/redhat_advisory-647.html

* Debian: New Version of zope released
  August 21st, 2000

  Debian 2.2 (potato) does include zope and is vulnerable to this issue.
  A fixed package for Debian 2.2 (potato) is available in zope 2.1.6-5.2.
  http://www.linuxsecurity.com/advisories/debian_advisory-642.html

* Mandrake: netscape vulnerability
  August 21st, 2000

  There exists a problem in all versions of Netscape from 4.0 to 4.74
  with Java enabled. Under certain conditions, Netscape can be turned
  into a server that serves files on your local hard drive that Netscape
  has read access to, and remote people can access it by connecting
  their web client to port 8080 on your machine if they know the IP
  address.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-648.html

-----------------------
Top Articles This Week:
-----------------------

Host Security News:
-------------------

* How to create a Secure Install
  August 26th, 2000

  It's important to be aware that when you're installing Linux, you're
  installing a powerful server operating system. As a home user, you
  probably won't use much of what's installed by default, and anything
  you don't use is a security risk you don't have to take.
  http://www.linuxsecurity.com/articles/host_security_article-1442.html

* OpenBSD's Good Example
  August 24th, 2000

  Last week I installed OpenBSD for the first time. I found that OpenBSD
  has done a lot of things right and that there are some things that the
  Linux community should study and emulate. Principles the OpenBSD
  developers are following, such as "Secure by Default mode" and code
  auditing, are things that we should be doing to Linux.
  http://www.linuxsecurity.com/articles/host_security_article-1431.html

* Logging with Apache--Understanding Your access_log
  August 21st, 2000

  Apache comes with built-in mechanisms for logging activity on your
  server. In this series of articles, I'll talk about the standard way
  that Apache writes log files, and some of the tricks for getting more
  useful information and statistics out of your server.
  http://www.linuxsecurity.com/articles/network_security_article-1412.html

Network Security News:
----------------------

* Organised exploitation of the information super-highway
  August 24th, 2000

  It has long been held that, in terms of a threat to IT systems, the
  protagonist would be an individual, skilled and knowledgeable, but at
  odds with the society surrounding them: typically, a college-educated,
  twenty-something male who found the challenge of accessing otherwise
  secure IT networks motivation enough.
  http://www.linuxsecurity.com/articles/network_security_article-1432.html

* Meet PAM
  August 24th, 2000

  Pluggable authentication modules (PAM) were originally developed by Sun
  Microsystems and released as an undocumented feature in Solaris 2.3.
  Since then, Sun has done little with PAM, compared to the open source
  community, and most specifically, the Linux community. In this article,
  we will explore the general role of Linux-PAM, its components,
  configuration and a few general examples of its use.
  http://www.linuxsecurity.com/articles/host_security_article-1430.html

* Security Techniques and Survivability
  August 23rd, 2000

  I've seen a lot of discussion recently of various computer security
  techniques. It seems everyone has their own favorite solution, which
  they feel is the correct one, and all other solutions are of course
  flawed and inferior. But the truth is even simpler: all security
  techniques are flawed.
  http://www.linuxsecurity.com/articles/general_article-1419.html

* Linux not ready for DOD prime time
  August 23rd, 2000

  Linux does not meet the Defense Information Infrastructure's Common
  Operating Environment Kernel Platform Compliance requirements for a
  Posix-compliant application programming interface, Posix-compliant
  commands and utilities, the Motif X Window System interface, the Common
  Desktop Environment and Network File System sockets.
  http://www.linuxsecurity.com/articles/government_article-1422.html

* Linux for Security Applications
  August 22nd, 2000

  In this article I go "all the way" and discuss how Linux can be used
  in areas where you need absolute control over what happens on a
  network: a firewall.
  http://www.linuxsecurity.com/articles/host_security_article-1418.html

Cryptography News:
------------------

* Yahoo to offer encrypted email option
  August 25th, 2000

  Yahoo plans to let its email account holders use data encryption to
  protect the privacy of their messages, marking a potentially
  significant advance for the mainstream use of encryption.
  http://www.linuxsecurity.com/articles/cryptography_article-1439.html

* Pretty Good Privacy flaw reported
  August 25th, 2000

  A German researcher has discovered a major security flaw in the latest
  versions of the PGP free e-mail encryption software that could allow
  someone to read another person's encrypted e-mail if he or she was
  able to intercept it.
  http://www.linuxsecurity.com/articles/cryptography_article-1441.html

* Will You be Having a Party When the RSA Patent Expires?
  August 24th, 2000

  In late September, 2000, the RSA Patent expires. Rivest, Shamir, and
  Adleman, Public Key Cryptography's most famous supergroup, developed
  this algorithm about 20 years ago.
  http://www.linuxsecurity.com/articles/cryptography_article-1350.html

* PGP Vulnerability
  August 24th, 2000

  A very serious PGP vulnerability was just discovered. Using this
  vulnerability, an attacker can create a modified version of someone's
  public key that will force a sender to encrypt messages to that person
  AND to the attacker.
  http://www.linuxsecurity.com/articles/cryptography_article-1434.html

* Installing Command Line PGP
  August 23rd, 2000

  The following is a description of how I got a Linux version of the PGP
  encryption program, how I installed it, and a few observations about
  quirks in the program. The Linux version of PGP that I got is
  PGPcmdfw_6.5.2_Linux.i386.rpm and it offers the options of 1024 or
  2048 bit encryption. The 2048 bit option is compatible with people
  using PGP 2.6.2 with an extra command that will be noted later in
  REMARKS and QUIRKS.
  http://www.linuxsecurity.com/articles/cryptography_article-1425.html

Vendor/Product/Tools News:
--------------------------

* Security: From wristwatches to handhelds
  August 23rd, 2000

  Ensure Technologies Inc., which makes a wireless access system, aims to
  make PC security even handier through a new partnership with wristwatch
  maker Golden State International.
  http://www.linuxsecurity.com/articles/general_article-1426.html

* Secure messaging offered
  August 23rd, 2000

  VeriSign and Slam Dunk Networks are teaming up to offer a message
  delivery infrastructure that will guarantee business-to-business
  transaction participants that their messages will be protected,
  delivered, and properly accepted at their rightful destinations.
  http://www.linuxsecurity.com/articles/vendors_products_article-1420.html

General News:
-------------

* US to Detail Plans on Review of Web Wiretap
  August 25th, 2000

  US Attorney General Janet Reno said on Wednesday that details for a
  planned review of the FBI computer program designed to capture email
  messages for criminal investigations will be released on Thursday.
  http://www.linuxsecurity.com/articles/government_article-1440.html

* Free Speech On The Web? Don't Even Talk About It
  August 24th, 2000

  If you weren't paying attention, U.S. District Court Judge Lewis Kaplan
  last week slapped hacker site 2600.com with a major defeat. He ruled
  that source code doesn't get the protection of free speech. The ruling
  is just another shot in the battle over copyright and free speech on
  the Net.
  http://www.linuxsecurity.com/articles/privacy_article-1437.html

* Security group says major privacy organization tracks users
  August 24th, 2000

  TRUSTe, a privacy advocate organization that runs a privacy
  seal-of-approval program for retail Web sites and shows companies how
  to write effective privacy policies, itself has tracked users with
  means not mentioned in its own privacy policy, a security group says.
  http://www.linuxsecurity.com/articles/privacy_article-1436.html

* Protect your Internet privacy by lying
  August 24th, 2000

  The battle over Internet privacy has a new faction: the Web privacy
  hawk using guerrilla tactics such as lying about their identities when
  trading profile information for free services, the Pew Charitable Trust
  found in its latest survey.
  http://www.linuxsecurity.com/articles/privacy_article-1433.html

* Infosec Experts: Carnivore Bite Too Big?
  August 23rd, 2000

  Surveillance technology called Carnivore has the Internet community on
  the lookout. Used by the FBI, Carnivore raises a variety of legal and
  privacy issues. One group, the Electronic Privacy Information Center
  (EPIC), sought a court order to get the operational details behind this
  surveillance system.
  http://www.linuxsecurity.com/articles/privacy_article-1423.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request () linuxsecurity com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
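The XChat advisories above describe one command-injection bug from two sides: the URL was handed to /bin/sh, so shell metacharacters inside it became commands, and the fix executes the browser directly. The C below is an added illustration of that difference, not XChat's code or any vendor's patch; build_shell_command, url_has_shell_metachar and launch_browser_direct are hypothetical helpers, and the `true` binary stands in for the browser.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical helpers illustrating the XChat "Open in Browser" bug; not XChat's code. */
/* Vulnerable pattern, dry run only: the URL is spliced into a command string
 * that would go to /bin/sh via system(), so shell metacharacters in the URL
 * become shell syntax. Returns 1 if the string fit in out. */
int build_shell_command(const char *browser, const char *url, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s %s", browser, url);
    return n > 0 && (size_t)n < outlen;
}

/* Defence-in-depth check: does the URL contain anything /bin/sh would interpret? */
int url_has_shell_metachar(const char *url)
{
    return strpbrk(url, ";|&$`<>()\"'\\ \t\n*?[]{}~#!") != NULL;
}

/* Fixed pattern, as the errata describe: fork() and execvp() the browser with the
 * URL as one argv element. No shell parses it, so metacharacters are inert.
 * Returns the child's exit status, or -1 on error. */
int launch_browser_direct(const char *browser, const char *url)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        execvp(browser, argv);
        _exit(127);                       /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *url = "http://example.com/;echo injected";   /* constructed sample */
    char cmd[128];
    build_shell_command("netscape", url, cmd, sizeof cmd);
    printf("/bin/sh would have been given: %s\n", cmd);
    printf("metacharacter present: %d\n", url_has_shell_metachar(url));
    /* "true" stands in for the browser so the demo runs on any system. */
    printf("direct exec exit status: %d\n", launch_browser_direct("true", url));
    return 0;
}
```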