
Linux Advisory Watch - September 3rd 2004

|  LinuxSecurity.com                             Weekly Newsletter    |
|  September 3rd, 2004                         Volume 5, Number 35a   |

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each

This week, advisories were released for qt, krb5, kdelibs, zlib, kernel,
acrobat, gaim, and the Linux kernel.  The distributors include Debian,
Fedora, Gentoo, Mandrake, OpenBSD, Red Hat, Slackware, SuSE, Trustix, and


>> Internet Productivity Suite:  Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give you
the best security and productivity applications available.  Collaborating
with thousands of developers, Guardian Digital security engineers
implement the most technologically advanced ideas and methods into their



Introduction to Cryptography

Implementing any large security project on the Linux operating system
requires the use of cryptography. Several weeks ago, I wrote about a book
by Fred Piper and Sean Murphy titled, "Cryptography: A Very Short
Introduction." It offers a very good introduction to the subject, but
those wishing to implement cryptography in an open source project need a
more in-depth understanding of the area. Another excellent resource is the
"Handbook of Applied Cryptography," by Menezes, Oorschot, and Vanstone. It
has often been considered "the bible of cryptography" and offers a
detailed and technical view.

The first several chapters of the book focus on the basics. It gives an
overview and history of cryptography and follows with an explanation of
the mathematics necessary to understand the algorithms.  Midway through
the book, it gives detailed information to help the reader understand
stream ciphers, block ciphers, and finally public key encryption. After
the reader has an understanding of the algorithms, the book moves to
explain how they can be used in key establishment protocols. It also
offers chapters on key management and tips for efficient implementation.

For the long-time manager, this book may be slightly on the technical
side. However, there are clear benefits for management having an
understanding of technical subjects. Cryptography today offers a very
strong level of protection. It only fails in implementation. For example,
keys are not properly protected or managed. For those of you wishing to
learn a little more about the fascinating subject of cryptography, I
highly recommend this book.

Perhaps the best part is that the book is available fully for free on the
Web:  http://www.cacr.math.uwaterloo.ca/hac/

Hard-copies of the book can also be purchased through Amazon or any other
large bookseller.

When any company decides to take on an in-house software development
project, it is essential to include cryptographic mechanisms. Books such
as this can give programmers the proper knowledge necessary to understand
how cryptography works and how to avoid problems.

Until next time, cheers!
Benjamin D. Thomas



Network security is continuing to be a big problem for companies and home
users. The problem can be resolved with an accurate security analysis. In
this article I show how to approach security using aide and chkrootkit.



An Interview with Gary McGraw, Co-author of Exploiting Software:
How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing
software, having co-authored the classic Building Secure Software
(Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund
a companion volume, Exploiting Software, which details software security
from the vantage point of the other side, the attacker. He has graciously
agreed to share some of his insights with all of us at LinuxSecurity.com.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Debian           | ----------------------------//

 8/27/2004 - icecast-server cross site scripting vulnerability

   Markus Wörle discovered a cross site scripting problem in
   status-display (list.cgi) of the icecast internal webserver.

 8/30/2004 - qt
   arbitrary code execution and DoS

   Several vulnerabilities were discovered in recent versions of Qt,
   a commonly used graphic widget set.

 8/31/2004 - python2.2 really fix buffer overflow
   arbitrary code execution and DoS

   This security advisory corrects DSA 458-1 which caused some
   segmentation faults in gethostbyaddr with non-localhost input.
   This update also disables IPv6 on all architectures.

 8/31/2004 - krb5
   several vulnerabilities

   The MIT Kerberos Development Team has discovered a number of
   vulnerabilities in the MIT Kerberos Version 5 software

|  Distribution: Fedora           | ----------------------------//

 8/31/2004 - krb5
   double-free bugs (Core 1)

   Several double-free bugs were found in the Kerberos 5 KDC and

 8/31/2004 - krb5
   double-free bugs (Core 2)

   Several double-free bugs were found in the Kerberos 5 KDC and

|  Distribution: Gentoo           | ----------------------------//

 8/27/2004 - Mozilla, Firefox, Thunderbird
   New releases fix vulnerabilities

   New releases of Mozilla, Mozilla Thunderbird, and Mozilla Firefox
   fix several vulnerabilities, including remote DoS and buffer

 8/27/2004 - kdelibs
   Cross-domain cookie injection vulnerability

   The cookie manager component in kdelibs contains a vulnerability
   allowing an attacker to potentially gain access to a user's
   session on a legitimate web server.

 8/27/2004 - zlib
   Denial of service vulnerability

   The zlib library contains a Denial of Service vulnerability.

 8/27/2004 - gaim
   New vulnerabilities

   Gaim contains several security issues that might allow an attacker
   to execute arbitrary code or commands.

|  Distribution: Mandrake         | ----------------------------//

 8/27/2004 - kernel
   multiple vulnerabilities

   A race condition was discovered in the 64bit file offset handling
   by Paul Starzetz from iSEC.

 9/1/2004 - krb5
   multiple vulnerabilities

   A double-free vulnerability exists in the MIT Kerberos 5's KDC
   program that could potentially allow a remote attacker to execute
   arbitrary code on the KDC host.

|  Distribution: OpenBSD          | ----------------------------//

 8/31/2004 - zlib
   reliability fix

   A bug has been found in the version of zlib included in OpenBSD
   3.5 (and only 3.5) that could allow an attacker to crash programs
   linked with it.

|  Distribution: Red Hat          | ----------------------------//

 8/27/2004 - acrobat
   security issues

   An updated Adobe Acrobat Reader package that fixes multiple
   security issues is now available.

 8/31/2004 - krb5
   security vulnerabilities

   Updated Kerberos (krb5) packages that correct double-free and
   ASN.1 parsing bugs are now available for Red Hat Enterprise Linux.

 8/31/2004 - krb5
   security issues

   Updated krb5 packages that improve client responsiveness and fix
   several security issues are now available for Red Hat Enterprise
   Linux 3.

|  Distribution: Slackware        | ----------------------------//

 8/27/2004 - gaim
   updated again

   A couple of bugs were found in the gaim 0.82 release, and
   gaim-0.82.1 was released to fix them.

|  Distribution: SuSE             | ----------------------------//

 9/1/2004 - kernel

   Various signedness issues and integer overflows have been fixed
   within kNFSd and the XDR decode functions of kernel 2.6.

|  Distribution: Trustix          | ----------------------------//

 8/27/2004 - courier-imap, samba, zlib Multiple vulnerabilities

   Security roll-up.

|  Distribution: Turbolinux       | ----------------------------//

 8/31/2004 - rsync, qt vulnerabilities

   Security roll-up for 31/Aug/2004.

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
