Linux Advisory Watch - December 30th 2005
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| December 30th, 2005 Volume 6, Number 52a |
+---------------------------------------------------------------------+
Editors: Dave Wreski Benjamin D. Thomas
dave@xxxxxxxxxxxxxxxxx ben@xxxxxxxxxxxxxxxxx
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
This week, advisories were released for phpbb2, ketm, tkdiff,
dhis-tools-dns, Mantis, NBD, rssh, OpenMotif, scponly, msec, fetchmail,
cpio, php-mbstring, and libgphoto. The distributors include Debian,
Gentoo, and Mandriva.
----
IPv6 approach for TCP SYN Flood attack over VoIP, Part II
By: Suhas Desai
3. Classification of DoS Attacks
There are several general categories of DoS attacks. Some groups
divide attacks into three classes: bandwidth attacks, protocol attacks,
and logic attacks. Following are brief descriptions of some common types
of DoS attacks.
3.1 Bandwidth attacks
Bandwidth attacks are relatively straightforward attempts to consume
resources, such as network bandwidth or equipment throughput. High-data-
volume attacks can consume all available bandwidth between an ISP and
your site. The link fills up, and legitimate traffic slows down. Timeouts
may occur, causing retransmission, generating even more traffic. An
attacker can consume bandwidth by transmitting any traffic at all on
your network connection. A basic flood attack might use UDP or ICMP
packets to simply consume all available bandwidth. For that matter,
an attack could consist of TCP or raw IP packets, as long as the traffic
is routed to your network.
A simple bandwidth-consumption attack can exploit the throughput limits
of servers or network equipment by focusing on high packet rates, that
is, sending large numbers of small packets. High-packet-rate attacks typically
overwhelm network equipment before the traffic reaches the limit of
available bandwidth. Routers, servers, and firewalls all have
constraints on input-output processing, interrupt processing, CPU,
and memory resources. Network equipment that reads packet headers to
properly route traffic becomes stressed handling the high packet rate
(pps), not the volume of the data (Mbps). In practice, denial of service
is often accomplished by high packet rates, not by sheer traffic volume.
3.2 Protocol Attacks
The basic flood attack can be further refined to take advantage of the
inherent design of common network protocols. These attacks do not
directly exploit weaknesses in TCP/IP stacks or network applications
but, instead, use the expected behavior of protocols such as TCP,
UDP, and ICMP to the attacker's advantage. Examples of protocol attacks
include the following:
3.2.1 SYN flood is an asymmetric resource starvation attack in which
the attacker floods the victim with TCP SYN packets and the victim
allocates resources to accept perceived incoming connections. As
mentioned above, the proposed Host Identity Payload and Protocol
(HIP) are designed to mitigate the effects of a SYN flood attack.
Another technique, SYN cookies, is implemented in some TCP/IP stacks.
3.2.2 Smurf is an asymmetric reflector attack that targets a vulnerable
network broadcast address with ICMP ECHO REQUEST packets and spoofs
the victim's address as the source.
3.2.3 Fraggle is a variant of smurf that sends UDP packets to echo or
chargen ports on broadcast addresses and spoofs the victim's address
as the source.
Read Entire Article:
http://www.linuxsecurity.com/content/view/121124/49/
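The stateless idea behind the SYN cookies mentioned in 3.2.1, as an added
example that is not part of the original article or the code of any particular
TCP/IP stack: the server packs a time counter, an MSS index and a keyed MAC
into its initial sequence number, so it allocates nothing until a valid final
ACK comes back. The secret, MSS table, 64-second window, bit layout and sample
addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-key"      # assumption: a real stack uses a random per-boot secret
MSS_TABLE = [536, 1220, 1440, 1460]   # assumption: illustrative values, selected by a 3-bit index
WINDOW = 64                           # assumption: seconds per time-counter step

def _mac(conn, counter, client_isn):
    """24-bit keyed MAC over the 4-tuple, the time counter and the client ISN."""
    src, sport, dst, dport = conn
    msg = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + struct.pack("!HHII", sport, dport, counter, client_isn))
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(conn, client_isn, client_mss, now):
    """Return the server ISN for the SYN-ACK. No per-connection state is kept."""
    counter = int(now) // WINDOW
    # Largest table entry that does not exceed the MSS the client offered.
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = int.from_bytes(_mac(conn, counter, client_isn), "big")
    return ((counter & 0x1F) << 27) | (idx << 24) | mac

def check_cookie(conn, client_isn, ack, now):
    """Validate the handshake's final ACK; return the encoded MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the client acknowledges ISN + 1
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    current = int(now) // WINDOW
    for counter in (current, current - 1):   # accept this window and the previous one
        if (cookie >> 27) != (counter & 0x1F):
            continue
        expected = _mac(conn, counter, client_isn)
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[idx]            # only now would a socket be allocated
    return None

# Constructed sample: an IPv6 client opening a SIP-over-TCP connection.
CONN = ("2001:db8::7", 40000, "2001:db8::10", 5060)
```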
----------------------
Linux File & Directory Permissions Mistakes
One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access
beyond that which is needed for proper system operations. A full
explanation of unix file permissions is beyond the scope of this
article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one
is available right here on linuxsecurity.com.
http://www.linuxsecurity.com/content/view/119415/49/
---
Buffer Overflow Basics
A buffer overflow occurs when a program or process tries to
store more data in a temporary data storage area than it was
intended to hold. Since buffers are created to contain a finite
amount of data, the extra information can overflow into adjacent
buffers, corrupting or overwriting the valid data held in them.
http://www.linuxsecurity.com/content/view/119087/49/
---
Review: The Book of Postfix: State-of-the-Art Message Transport
I was very impressed with "The Book of Postfix" by authors Ralf
Hildebrandt and Patrick Koetter and feel that it is an incredible
Postfix reference. It gives a great overall view of the operation
and management of Postfix in an extremely systematic and practical
format. It flows in a logical manner, is easy to follow and the
authors did a great job of explaining topics with attention paid
to real world applications and how to avoid many of the associated
pitfalls. I am happy to have this reference in my collection.
http://www.linuxsecurity.com/content/view/119027/49/
--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
* Debian: New phpbb2 packages fix several vulnerabilities
22nd, December, 2005
Updated package.
http://www.linuxsecurity.com/content/view/121073
* Debian: New ketm packages fix privilege escalation
23rd, December, 2005
Updated package.
http://www.linuxsecurity.com/content/view/121092
* Debian: New ketm packages fix privilege escalation
23rd, December, 2005
Updated package.
http://www.linuxsecurity.com/content/view/121094
* Debian: New tkdiff packages fix insecure temporary file creation
27th, December, 2005
Updated package.
http://www.linuxsecurity.com/content/view/121103
* Debian: New dhis-tools-dns packages fix insecure temporary file
creation
27th, December, 2005
Updated package.
http://www.linuxsecurity.com/content/view/121107
* Debian: New tkdiff packages fix insecure temporary file creation
29th, December, 2005
Updated package.
http://www.linuxsecurity.com/content/view/121115
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
* Gentoo: Mantis Multiple vulnerabilities
22nd, December, 2005
Mantis is affected by multiple vulnerabilities ranging from file
upload and SQL injection to cross-site scripting and HTTP response
splitting.
http://www.linuxsecurity.com/content/view/121082
* Gentoo: Dropbear Privilege escalation
23rd, December, 2005
A buffer overflow in Dropbear could allow authenticated users to
execute arbitrary code as the root user.
http://www.linuxsecurity.com/content/view/121086
* Gentoo: NBD Tools Buffer overflow in NBD server
23rd, December, 2005
The NBD server is vulnerable to a buffer overflow that may result in
the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/121093
* Gentoo: rssh Privilege escalation
27th, December, 2005
Local users could gain root privileges by chrooting into arbitrary
directories.
http://www.linuxsecurity.com/content/view/121109
* Gentoo: OpenMotif, AMD64 x86 emulation X libraries Buffer
28th, December, 2005
Two buffer overflows have been discovered in libUil, part of the
OpenMotif toolkit, that can potentially lead to the execution of
arbitrary code.
http://www.linuxsecurity.com/content/view/121114
* Gentoo: scponly Multiple privilege escalation issues
29th, December, 2005
Local users can exploit an scponly flaw to gain root privileges, and
scponly restricted users can use another vulnerability to evade shell
restrictions.
http://www.linuxsecurity.com/content/view/121116
+---------------------------------+
| Distribution: Mandriva | ----------------------------//
+---------------------------------+
* Mandriva: Updated msec packages fixes various bugs
22nd, December, 2005
Bugs in the msec package have been corrected: msec wasn't properly
parsing the output on security checks to check ownership of files,
reporting files as unowned when they were in fact properly owned by a
valid user.
http://www.linuxsecurity.com/content/view/121085
* Mandriva: Updated fetchmail packages fix vulnerability
23rd, December, 2005
Fetchmail before 6.3.1 and before 6.2.5.5, when configured for
multidrop mode, allows remote attackers to cause a DoS (application
crash) by sending messages without headers from upstream mail
servers.
http://www.linuxsecurity.com/content/view/121095
* Mandriva: Updated cpio packages fix buffer overflow on x86_64
23rd, December, 2005
A buffer overflow in cpio 2.6 on 64-bit platforms could allow a local
user to create a DoS (crash) and possibly execute arbitrary code when
creating a cpio archive with a file whose size is represented by more
than 8 digits.
http://www.linuxsecurity.com/content/view/121096
* Mandriva: Updated digikamimageplugins packages fix showfoto crash
issue.
26th, December, 2005
A previous update of DigiKam (MDKA-2005:059) bumped the version to
0.8.0. After this update, Narfi Stefansson reported that showfoto,
from digikamimageplugins was crashing when trying to use "Free
Rotation". This update bumps digikamimageplugins to version 0.8.0
also.
http://www.linuxsecurity.com/content/view/121101
* Mandriva: Updated php/php-mbstring packages fix mail injection
vulnerability
27th, December, 2005
A CRLF injection vulnerability in the mb_send_mail function in PHP
before 5.1.0 might allow remote attackers to inject arbitrary e-mail
headers via line feeds (LF) in the "To" address argument, when using
sendmail as the MTA (mail transfer agent).
http://www.linuxsecurity.com/content/view/121110
* Mandriva: Updated libgphoto packages fixes issue with some cameras
29th, December, 2005
The hotplug usermap has been restored for this package because it is
used by HAL to correctly detect digital cameras which are not using
USB Mass storage (for instance, all Canon digital cameras, as well as
some Nikon ones and all PTP cameras). This should allow
gnome-volume-manager to automatically pop up a "Do you want to import
photos?" dialog when the camera is plugged in.
http://www.linuxsecurity.com/content/view/121117
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
------------------------------------------------------------------------