[aclug-L] FW: Linux Advisory Watch - June 8th 2001
-----Original Message-----
From: vuln-newsletter-admins@xxxxxxxxxxxxxxxxx
[mailto:vuln-newsletter-admins@xxxxxxxxxxxxxxxxx]
Sent: Friday, June 08, 2001 1:29 AM
To: vuln-newsletter@xxxxxxxxxxxxxxxxx
Subject: Linux Advisory Watch - June 8th 2001
+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| June 8th, 2001 Volume 2, Number 23a |
+----------------------------------------------------------------+
Editors: Dave Wreski (dave@xxxxxxxxxxxxxxxxx), Benjamin Thomas (ben@xxxxxxxxxxxxxxxxx)
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for gnupg, ispell, and xinetd. The
vendors include Conectiva, Red Hat, and SuSE. It seems to be a rather
slow week, but that does not mean that vulnerabilities do not exist.
Weeks such as this are a good time to go back and evaluate advisories from
previous weeks. Did you miss one? Are you running the most current
stable packages? It is often a good idea to go back and check previous
newsletters and make sure that all packages are up-to-date.
FEATURE: UnixReview Reviews EnGarde Secure Linux
Writes Joe "Zonker" Brockmeier of UnixReview, "The EnGarde Linux
distribution is probably the most secure Linux distribution I've seen.
EnGarde enforces physical, host, and network security to protect your
machine from attacks inside and out. In addition to tightening security
policies and adding features like a LILO password to prevent someone with
physical access getting root, EnGarde also includes intrusion detection to
alert you to break-in attempts. Some distributions I've looked at seem to
concentrate too heavily on one aspect of security or another, but EnGarde
seems pretty well rounded."
http://www.linuxsecurity.com/articles/vendors_products_article-3135.html
** FREE Apache SSL Guide from Thawte ** - Planning Web Server Security?
Find out how to implement SSL! Get the free Thawte Apache SSL Guide and
find the answers to all your Apache SSL security issues and more at:
http://www.thawte.com/ucgi/gothawte.cgi?a=n366005500018000
HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html
+---------------------------------+
| gnupg | ----------------------------//
+---------------------------------+
A format string vulnerability has been found in versions of GnuPG before
1.0.6. The error occurs when gpg encounters a filename whose suffix is not
".gpg" and prints the filename, without the suffix, to the terminal as the
default output name. The bug allows an attacker to execute arbitrary code as
the user calling gpg. Werner Koch, the author of the GnuPG package, states
that when the "--batch" command-line option is used (such as when verifying
rpm packages, see Section 3 of this announcement, or when gpg is called from
a MUA (Mail User Agent)), the error cannot occur, since this option
suppresses the printout of the filename on the terminal. There is no
temporary workaround for the problem other than the "--batch" command-line
option to gpg. We recommend updating the gpg package on all systems where it
is installed.
As an additional reason to update the package, it should be noted that
gnupg 1.0.5 (packages were available on our ftp server) fixed some
security-related problems, one of which could allow an attacker with
access to your key ring to compute the private key in considerably less
time.
i386 Intel Platform: SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/
sec1/gpg-1.0.6-0.i386.rpm
39153126feeddf43a939c89a9b1a33fd
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1418.html
i386: Red Hat
ftp://updates.redhat.com/7.1/en/os/i386/
gnupg-1.0.6-1.i386.rpm
06dea237f91666032224592e2af68894
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1422.html
i386 Conectiva:
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
gnupg-1.0.6-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
gnupg-doc-1.0.6-1cl.i386.rpm
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1423.html
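The defensive pattern behind the gnupg fix, as an added example (not GnuPG's own code): the default output name is derived by stripping a ".gpg" suffix, and whatever name results is only ever passed as a "%s" argument, never as the format string. The prompt wording is an assumption made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Derive the default output name: strip a trailing ".gpg" when present,
 * otherwise keep the name unchanged (the case that triggered the bug).
 * Returns 1 if the suffix was stripped, 0 if not, -1 if 'out' is too small. */
int default_output_name(const char *in, char *out, size_t outsz) {
    const char *sfx = ".gpg";
    size_t n = strlen(in), sl = strlen(sfx);
    if (n > sl && strcmp(in + n - sl, sfx) == 0) {
        if (n - sl >= outsz) return -1;
        memcpy(out, in, n - sl);
        out[n - sl] = '\0';
        return 1;
    }
    if (n >= outsz) return -1;
    memcpy(out, in, n + 1);
    return 0;
}

/* Hardened prompt: a fixed format with the name as an argument, so '%'
 * sequences inside a filename are printed literally. Prompt text is an
 * assumption for this example. Returns the length written, or -1 if the
 * prompt would not fit. */
int format_prompt(const char *name, char *buf, size_t bufsz) {
    int n = snprintf(buf, bufsz, "Enter new filename [%s]: ", name);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : n;
}

int main(void) {
    char name[64], prompt[128];
    default_output_name("report%x.asc", name, sizeof name);  /* constructed input */
    if (format_prompt(name, prompt, sizeof prompt) > 0)
        fputs(prompt, stdout);   /* the name is data, not a format */
    putchar('\n');
    return 0;
}
```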
+---------------------------------+
| xinetd | ----------------------------//
+---------------------------------+
Xinetd runs with umask 0. This means that applications that inherit the
xinetd umask and do not set permissions themselves (like swat from the
samba package) will create world-writable files. This update sets the
default umask to 022. Also, the web interface for linuxconf did not work
in Red Hat Linux 7.1. Other minor issues have also been addressed.
Red Hat Linux 7.1:
i386:
ftp://updates.redhat.com/7.1/en/os/i386/
xinetd-2.1.8.9pre15-2.i386.rpm
18d39a2f89bf09dc74b6cdc5286e0c49
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1420.html
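To see what the xinetd change buys, here is an added example (not xinetd's or swat's code) that creates a file the way a service relying on its inherited umask would, under umask 0 and then under 022, and reports the permission bits the kernel actually applied. The /tmp path and file name are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file with open(..., 0666) and no explicit chmod, as a service
 * that leaves permissions to its inherited umask would, under the given
 * umask. Returns the resulting permission bits, or -1 on error. The file
 * lives in a fresh mkdtemp() directory (0700, so nothing can be planted
 * there), both are removed afterwards, and the caller's umask is restored. */
int mode_created_under_umask(mode_t mask) {
    char dir[] = "/tmp/umask-demo-XXXXXX";   /* constructed location */
    char path[64];
    struct stat st;
    mode_t old;
    int fd, result = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/out", dir);
    old = umask(mask);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0) result = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

/* The check to apply to any file a daemon leaves behind. */
int is_world_writable(int mode) {
    return mode >= 0 && (mode & S_IWOTH) != 0;
}

int main(void) {
    int loose = mode_created_under_umask(0);
    int fixed = mode_created_under_umask(022);
    printf("umask 000 -> %04o world-writable=%d\n", loose, is_world_writable(loose));
    printf("umask 022 -> %04o world-writable=%d\n", fixed, is_world_writable(fixed));
    return 0;
}
```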
+---------------------------------+
| ispell | ----------------------------//
+---------------------------------+
The ispell program uses mktemp() to open temporary files - this
makes it vulnerable to symlink attacks. This version now uses
mkstemp(), and also switches from gets() to fgets() in two
locations dealing with user input. The patches for ispell are
from OpenBSD.
i386:
ftp://updates.redhat.com/5.2/en/os/i386/
ispell-3.1.20-26.52.i386.rpm
PLEASE SEE VENDOR ADVISORY FOR OTHER LANGUAGES
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1421.html
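The two replacements the ispell advisory describes, as an added example (not the OpenBSD patches or ispell's code): mkstemp() creating the temporary file atomically with mode 0600, followed by a check that the descriptor is a private regular file, and an fgets()-based line reader that bounds the read and copes with overlong lines. The /tmp template is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* mkstemp() replaces the mktemp()-then-fopen() pair: the unique name is
 * chosen and the file created in one O_CREAT|O_EXCL step with mode 0600,
 * so a symlink planted at a guessable name is not followed. We then
 * confirm the descriptor really is a private regular file. Returns the
 * open fd ('template' now holds the real name) or -1 on failure. */
int open_private_tempfile(char *template) {
    struct stat st;
    int fd = mkstemp(template);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & 0777) != 0600) {
        close(fd);
        unlink(template);
        return -1;
    }
    return fd;
}

/* Create a temp file, report its permission bits, and clean up. */
int private_tempfile_mode(void) {
    char path[] = "/tmp/ispell-demo-XXXXXX";   /* constructed template */
    struct stat st;
    int fd = open_private_tempfile(path), rc;
    if (fd < 0) return -1;
    rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* fgets()-based replacement for gets(): stores at most size-1 bytes,
 * strips the newline, and discards the rest of an overlong line so the
 * next call starts on a fresh line. Returns the stored length, -1 at EOF. */
int read_line_bounded(FILE *fp, char *buf, size_t size) {
    size_t len;
    int c;
    if (size == 0 || fgets(buf, (int)size, fp) == NULL) return -1;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n')
        buf[--len] = '\0';
    else
        while ((c = fgetc(fp)) != EOF && c != '\n') { }
    return (int)len;
}
```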
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------