

Posted Jun 26, 2000
Authored by Benjamin Thomas | Site linuxsecurity.com

Linux Security Week June 26 - In this issue: The default configuration of wu-ftpd is vulnerable to remote users gaining root access, Simple Object Access Protocol (SOAP), Network Intrusion Detection Using Snort, Updates for Mandrake bind, cdrecord, dump, fdutils, kdesu, xemacs, and xlockmore, Remote users can cause a FreeBSD system to panic and reboot via bugs in the processing of IP options in the FreeBSD IP stack, Remote vulnerabilities exist with all Zope-2.0 releases, NetBSD: libdes vulnerability, RedHat: 2.2.16 Kernel Released, Bastille Linux Review, and Intel admits wireless security concerns.

tags | remote, kernel, root, vulnerability, protocol
systems | linux, redhat, netbsd, freebsd, mandrake
SHA-256 | c0d7ad7845e4e90d9f4129a48230f19515b41a6a9486eb4dafc7447bd62eed0c


| LinuxSecurity.com Weekly Newsletter |
| June 26, 2000 Volume 1, Number 9 |
| |
| Editorial Team: Dave Wreski dave@linuxsecurity.com |
| Benjamin Thomas ben@linuxsecurity.com |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines and system

Multiple vendors released fixes for the serious wu-ftpd vulnerability.
The problem exists in wu-ftpd's handling of the SITE EXEC command. The
default configuration of wu-ftpd is vulnerable to remote users gaining
root access.

Privacy is an issue that caught the attention of many readers this week.
The World Wide Web Consortium debuted the Platform for Privacy Preferences
Project (P3P). It is intended to make privacy statements more
understandable to users who want to know how the sites they visit use
their personal information. An article titled, "Pretty Poor Privacy: An
Assessment of P3P" examines whether P3P is an effective solution to
growing public concerns about online privacy. Additional articles covering
this subject are available in the "General News" section of this

Another subject for discussion this week is the Simple Object Access
Protocol (SOAP). An article titled, "Soap could slip up on security," points
out the problems with this protocol. The article states, "Microsoft promotes
Soap as a means for application developers to get around the 'limitations'
security administrators have set in place." This raises a very serious
question: is extending the functionality of software worth the extra security
risk? Bruce Schneier states, "Soap is going to open up a whole new
avenue for security vulnerabilities."

Our feature this week, "Network Intrusion Detection Using Snort," by Dave
Wreski and Christopher Pallack, describes the basics of intrusion
detection, the steps necessary to configure the "snort" IDS, testing and
operation, and how to detect intrusion attempts. It is available at the
following URL:


Our sponsor this week is WebTrends. Their Security Analyzer has the most
vulnerability tests available for Red Hat & VA Linux. It uses advanced
agent-based technology, enabling you to scan your Linux servers from your
Windows NT/2000 console and protect them against potential threats. Now
with over 1,000 tests available.


HTML Version Available:

Advisories This Week:

June 23rd, 2000 -- Caldera: wu-ftpd vulnerability

There is a problem in wu-ftpd handling of the SITE EXEC command that
allows remote attackers to gain root access.


June 23rd, 2000 -- Debian: remote root exploit

The version of wu-ftpd distributed in Debian GNU/Linux 2.1 (a.k.a. slink),
as well as in the frozen (potato) and unstable (woody) distributions, is
vulnerable to a remote root compromise. The default configuration in all
current Debian packages prevents the currently available exploits in the
case of anonymous access, although local users could still possibly
compromise the server.


June 23rd, 2000 -- RedHat: wu-ftpd update

Buffer overflow in wu-ftpd 2.6.0 and below fixed. The bug in wu-ftpd can
permit remote users, even without an account, to gain root access.


June 23rd, 2000 -- Mandrake: Multiple Vulnerabilities

Updates available for bind, cdrecord, dump, fdutils, kdesu, xemacs,


June 23rd, 2000 -- Conectiva: wu-ftpd update

Buffer overflow fixed in wu-ftpd package version 2.6.0 and below. The
wu-ftpd package version 2.6.0 and below has a buffer overflow that can be
remotely exploited and give an attacker root privileges on the remote


June 22nd, 2000 -- FreeBSD: Remote denial-of-service in IP stack

Remote users can cause a FreeBSD system to panic and reboot. There are
several bugs in the processing of IP options in the FreeBSD IP stack,
which fail to correctly bounds-check arguments and contain other coding
errors leading to the possibility of data corruption and a kernel panic
upon reception of certain invalid IP packets.
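The bounds checks the advisory describes as missing, as an added example (written here, not FreeBSD's kernel code): a validator for the IPv4 options area that refuses any option whose declared length or source-route pointer would run outside the header, tried against constructed sample headers.

```c
#include <stddef.h>
#include <stdint.h>

enum { IPOPT_EOL = 0, IPOPT_NOP = 1, IPOPT_RR = 7, IPOPT_LSRR = 131, IPOPT_SSRR = 137 };

/* Validate the options area of an IPv4 header before any option field is used.
 * Returns 1 when every option lies inside the header declared by IHL, else 0. */
int ip_options_valid(const uint8_t *hdr, size_t buflen)
{
    if (buflen < 20) return 0;
    size_t ihl = (size_t)(hdr[0] & 0x0f) * 4;       /* header length in bytes */
    if (ihl < 20 || ihl > buflen) return 0;          /* IHL must fit the buffer */
    size_t off = 20;
    while (off < ihl) {
        uint8_t type = hdr[off];
        if (type == IPOPT_EOL) return 1;             /* end of list; rest is padding */
        if (type == IPOPT_NOP) { off++; continue; }  /* single-byte option */
        if (off + 1 >= ihl) return 0;                /* no room for the length byte */
        uint8_t optlen = hdr[off + 1];
        if (optlen < 2 || off + optlen > ihl) return 0;  /* must cover type+len, end inside header */
        if (type == IPOPT_RR || type == IPOPT_LSRR || type == IPOPT_SSRR) {
            if (optlen < 3) return 0;                /* pointer byte is mandatory */
            uint8_t ptr = hdr[off + 2];
            /* RFC 791: pointer is 1-based, minimum 4; optlen+1 means "route full" */
            if (ptr < 4 || ptr > optlen + 1) return 0;
        }
        off += optlen;
    }
    return 1;
}

/* Constructed sample headers (not captured traffic); only bytes the checker reads are set. */
int sample_valid_options(void)
{
    uint8_t h[24] = {0};
    h[0] = 0x46;                                     /* IPv4, IHL 6 -> 24-byte header */
    h[20] = IPOPT_NOP; h[21] = IPOPT_NOP; h[22] = IPOPT_EOL;  /* then one pad byte */
    return ip_options_valid(h, sizeof h);            /* 1 */
}

int sample_overlong_option(void)
{
    uint8_t h[24] = {0};
    h[0] = 0x46;
    h[20] = IPOPT_RR; h[21] = 40; h[22] = 4;         /* claims 40 bytes, only 4 remain */
    return ip_options_valid(h, sizeof h);            /* 0 */
}

int sample_bad_route_pointer(void)
{
    uint8_t h[28] = {0};                             /* trailing zeros act as EOL/padding */
    h[0] = 0x47;                                     /* IHL 7 -> 28-byte header */
    h[20] = IPOPT_LSRR; h[21] = 7; h[22] = 2;        /* pointer below the minimum of 4 */
    return ip_options_valid(h, sizeof h);            /* 0 */
}
```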


June 22nd, 2000 -- RedHat PowerTools: Zope Vulnerabilities

Remote vulnerabilities exist with all Zope-2.0 releases. This hotfix
corrects issues with an inadequately protected method in one of the base
classes in the DocumentTemplate package that could allow the contents of
DTMLDocuments or DTMLMethods to be changed remotely or through DTML code
without forcing proper user authorization.


June 22nd, 2000 -- NetBSD: libdes vulnerability

The replacement versions of these functions written during the integration
process have a serious bug. If /dev/urandom is not present and
functioning correctly, des_init_random_number_generator seeds the random
number generator with constant data, causing the generation of keys which
are easy to determine.


June 21st, 2000 -- RedHat: 2.2.16 Kernel Released

This new kernel release fixes a security hole that could affect any setuid
program on the system. In addition, several accumulated fixes are


June 19th, 2000 -- TurboLinux: kernel vulnerability

Any local user with an account can use this vulnerability to obtain root
privileges by exploiting setuid root applications. Originally this
security bug was reported by Sendmail. An unsafe fgets() usage in
sendmail's mail.local exposes the setuid() security hole in the Linux
kernel. This vulnerability allows local users to obtain root privilege by
exploiting setuid root applications.


Host Security News:

Bastille Linux Review
June 20th, 2000

Bastille Linux has taken on the challenge of securing the often infamously
crackable Red Hat distribution with an "after market" hardening script.
The developers have stated that "the Bastille Hardening System attempts to
`harden' or `tighten' the Linux operating system.


An Interview with Chris Rouland
June 20th, 2000

Chris Rouland is the director of X-Force at Internet Security Systems
(ISS), a group dedicated to understanding, documenting and coding new
vulnerability checks and tests, attack signatures and solutions to global
security problems.


Trust and the System Administrator
June 19th, 2000

Noel writes about some things that a System Administrator should consider
when configuring or maintaining a system. "One of the first things many
of us think about is the trust we give to the users of our systems. Some
of these users have special privileges so that they can perform their own
jobs." They have to walk a fine line between making their systems unusable
and leaving them unsecured or unreliable.


Network Security News:

Intel admits wireless security concerns
June 23rd, 2000

Intel chief exec admits that the future of wireless and mobile technology
is overshadowed by security complications. Speaking at Intel's Wireless
Competency Centre in Stockholm this week managing director Leif Persson
acknowledged hugely complicated wireless environments are causing them
serious anxiety.


Network security threats growing
June 22nd, 2000

Networks face three vulnerabilities: physical security problems, logical
security problems such as computers within a network, and security
problems involving people -- all of which should be equally important to
businesses, according to a British Telecommunications executive speaking
here at InfowarCon Thursday.


Software Acts As Robotic Hacker
June 22nd, 2000

The best way to determine if your IT infrastructure is secure is to have a
hacker try to break into your corporate systems. Short of that, software
that simulates attacks is the next best thing. Wednesday, Sanctum rolled
out an automated audit tool that analyzes Web applications, points to
security glitches, and provides advice on how to fix any vulnerability.


Special Report: Privacy on the Internet
June 21st, 2000

My favorite trade mag has a new look. Here's a good (albeit, short)
article on network security and privacy. "The Internet is a powerful tool
that promises its users many exciting possibilities, including
unprecedented access to a vast expanse of information. Tacked onto that
promise as a sort of afterthought is the realization that the Internet can
acquire quite a bit of information about its users


Firewall News:

Dual Protection: New firewalls defend the interior
June 21st, 2000

The firewall, which has served as the sentry between the outside world of
the Internet and the internal agency network, may be moving inside the
network perimeter to World Wide Web servers, PCs, modems and silicon
chips. Such internal firewalls -- known as distributed firewalls -- are
the next line of defense against hackers who breach traditional firewalls
by exploiting open ports and e-mail servers.


Soap could slip up on security
June 21st, 2000

Microsoft is championing a protocol for cross-platform communication that
can bypass firewall defences and could leave companies open to what
experts describe as a fresh class of security vulnerabilities. The Simple
Object Access Protocol, or Soap, specifies how to encode an HTTP header
and an XML (eXtensible Markup Language) file so that a program in one
computer can call a program in another computer and pass it information.
It also defines how the called program can return a response.


New firewalls defend the interior
June 20th, 2000

"Such internal firewalls -- known as distributed firewalls -- are the next
line of defense against hackers who breach traditional firewalls by
exploiting open ports and e-mail servers. Network managers tend to see
distributed firewalls as added firepower against hackers."


Configuring an Internet Firewall and Home LAN With Linux
June 20th, 2000

Here is an interesting FAQ that you may want to consider reading. "This
FAQ describes basic Linux Ethernet connection and home LAN configuration.
Particular emphasis is placed on network security and firewall


Cryptography News:

Canadian encryption experts to guard secret U.S. data
June 21st, 2000

Canada's Kasten Chase has been given the exclusive go-ahead by the U.S.
National Security Agency to safeguard top-secret government data, which
could make the recent theft of computer hard drives laden with nuclear
secrets from Los Alamos National Laboratory a nonissue in the future.
Toronto-based Kasten Chase became the first company to be endorsed by the
security agency to encrypt the hard drives, not just the data, the company
said today.


Quantum physics used to create 'unhackable' systems
June 20th, 2000

Scientists at the Department of Energy's Los Alamos National Laboratory
and other research organizations around the world are harnessing the laws
of quantum physics to develop what they hope will be impregnable data
encryption systems.


Encryption Gets Better, but Remains Imperfect
June 19th, 2000

"There is some outstanding technology available, and in publicly available
algorithms," Bauer told Newsbytes after his speech. "The problem isn't
that there's no good cryptographic technology available. The problem is
that it's fiendishly difficult to implement the technology in a secure


Vendor/Product News:

Raven SSL 1.5 for Apache
June 23rd, 2000

Raven SSL 1.5 for Apache boasts added support for e-commerce. Covalent
Technologies, Inc., the leading provider of Apache Web server e-commerce
solutions, announced the availability today of the newest version of its
security add-on for Apache, Raven SSL 1.5.


WireX Announces the Release of Immunix OS 6.2 and StackGuard 2.0
June 22nd, 2000

"Immunix" is a family of tools designed to enhance system integrity by
hardening system components and platforms against security attacks. The
Immunix OS is a Linux platform hardened with the Immunix tool set.
Immunix works by hardening existing software components and platforms so
that attempts to exploit security vulnerabilities will fail safe, i.e. the
compromised process halts instead of giving control to the attacker, and
then is restarted.


Web Group Debuts Privacy Platform Prototype
June 22nd, 2000

The World Wide Web Consortium debuted a long-awaited technology Wednesday
that is intended to give Internet users more control over their personal
information. The consortium's interoperability session in New York gave
companies and privacy advocates the opportunity to add input to the
prototype design of the Platform for Privacy Preferences Project (P3P),
which will be available in the coming year. P3P technology makes privacy
statements understandable when users want to know how the sites they visit
use their personal information.


Trustix releases XPloy
June 22nd, 2000

Trondheim, Norway. Trustix AS, the leader in eBusiness Systems Management
Solution for Linux, today announced its release of the industry's first
truly graphical user interface for Linux operating system administration
and management.


IPAudit: Monitor Network Activity
June 21st, 2000

Here is a tool recently released on Packetstorm. IPAudit listens to a
network device in promiscuous mode and records every 'connection',
each conversation between two IP addresses. A unique connection is
determined by the IP addresses of the two machines, the protocol used
between them and the port numbers (if they are communicating via udp or


General News:

Pretty Poor Privacy: An Assessment of P3P
June 23rd, 2000

This report examines whether P3P is an effective solution to growing
public concerns about online privacy. The report surveys earlier
experience with "cookie" technology and notes similarities. The report
finds that P3P fails to comply with baseline standards for privacy


New Technology Is Aimed at Increasing Web Privacy
June 22nd, 2000

More on the P3P standard. Free registration required. Major Internet
companies and the Web's standard-setting body on Wednesday unveiled some
long-awaited technology that would alert computer users before they
visited Web sites that collect more personal information than they are
willing to share. Although the new standard, called the Platform for
Privacy Preferences, or P3P, was billed as just one step in improving the
state of privacy on the Internet, it was immediately denounced by some
privacy advocates as a way for companies to avoid increased regulation and
a tool that would give consumers a false sense of security.


Agencies act to secure the future
June 21st, 2000

In the charge to protect computer systems against cyberattacks, the
National Security Agency and the State Department are two prime examples
of agencies that have taken a proactive approach. NSA is one of the
federal agencies that have taken the lead in cooperation between
government and industry to advance cybersecurity. NSA has formed alliances
with more than 150 leading IT companies to help identify emerging security
solutions and has certified 14 academic institutions as "centers of
excellence" in security training, according to John Nagengast, assistant
deputy director for information systems security at NSA.


White House backs Web privacy project
June 21st, 2000

The White House today endorsed a major Internet industry initiative aimed
at boosting online privacy by redesigning the way "browsing" software
handles personal data. ... P3P is designed to provide an automated way to
compare consumers' privacy preferences with the privacy practices of the
Web sites they visit. It lets Web sites express their privacy practices in
a format that can be retrieved automatically and interpreted easily.


Cyberprivacy catches eye of Congress
June 20th, 2000

After years of piecemeal proposals to safeguard personal information on
the Internet, Congress is beginning to seriously address the concept of
''online privacy.'' It is considering an array of legislation that could
dramatically increase the rights of consumers who release personal details
into cyberspace.


Another Industry Group Tackles Online Privacy Problem
June 20th, 2000

As policy makers and regulators step up their scrutiny of invasive
Internet privacy practices, a coalition of high-tech executives and
advertising and marketing groups on Monday launched yet another effort to
try fixing some of the problems on their own. In full-page newspaper
advertisements, the more than 20 companies and groups vowed to work
closely with consumers to find privacy solutions that really work.


Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
