Date: Mon, 17 Jul 2000 10:59:03 -0400 (EDT)
From: newsletter-admins@linuxsecurity.com
To: newsletter@linuxsecurity.com
Subject: Linux Security Week, July 17th, 2000

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  July 17, 2000                             Volume 1, Number 12      |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+
 
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines and system
advisories.
 
This week, several vendors released patches for packages such as:  
cvsweb, popper, canna, wu-ftpd, dump, dhclient, tnef, and Apache::ASP.
Although most of these problems surfaced weeks ago, it is important that
you check for and implement each update provided by your current distro.
 
Privacy continues to weigh on the minds of many Internet users.  
Recently, the FBI's newest e-mail surveillance tool, "Carnivore," has
upset many privacy-conscience individuals and organizations. While the FBI
argues that there is no clear law that prohibits the usage of this system,
some ISPs are already vowing to resist 'Carnivore' being installed on
their networks. If you are interested in this topic, articles regarding
privacy and 'Carnivore' can be found in the General News section of this
newsletter.
 
Our feature this week, "Jay Beale and the Bastille Linux Project," by Dave
Wreski, discusses Jay's efforts as a lead developer for the Bastille Linux
Project. He points out that security is an easier process if users are
educated and understand basic vulnerabilities. He continues to speak about
the "tradeoffs" that must be made to fully secure a system.  Bastille
helps users understand vulnerabilities and usability sacrifices.
 
http://www.linuxsecurity.com/feature_stories/feature_story-59.html
 
Our sponsor this week is WebTrends. Their Security Analyzer has the most
vulnerability tests available for Red Hat & VA Linux. It uses advanced
agent-based technology, enabling you to scan your Linux servers from your
Windows NT/2000 console and protect them against potential threats. Now
with over 1,000 tests available.
 
http://www.webtrends.com/redirect/linuxsecurity1.htm 
 
HTML Version Available:
http://www.linuxsecurity.com/articles/forums_article-1137.html
 
---------------------
Advisories This Week:
---------------------
 
* Debian: cvsweb vulnerability
July 16th, 2000
 
The versions of cvsweb distributed in Debian GNU/Linux 2.1 (aka slink) as
well as in the frozen (potato) and unstable (woody) distributions, are
vulnerable to a remote shell exploit. An attacker with write access to the
cvs repository can execute arbitrary code on the server, as the www-data
user.
 
http://www.linuxsecurity.com/advisories/debian_advisory-559.html
 

* FreeBSD: Multiple kerberosIV vulnerabilities
July 14th, 2000
 
Local or remote users can obtain root access on the system running
Kerberos, whether as client or server. If you have not chosen to install
the KerberosIV distribution on your FreeBSD 3.x system, then your system
is not vulnerable to this problem.
 
http://www.linuxsecurity.com/advisories/freebsd_advisory-557.html
 

* Mandrake: cvsweb vulnerability
July 14th, 2000
 
Cvsweb contains a hole that provides attackers who have write access to a
cvs repository with shell access. Thus, attackers who have write access to
a cvs repository but not shell access can obtain a shell. In addition,
anyone with write access to a cvs repository that is viewable with cvsweb
can get access to whatever user the cvsweb cgi script runs as (typically
nobody or www-data, etc.).
 
http://www.linuxsecurity.com/advisories/mandrake_advisory-558.html
 

* FreeBSD: UPDATE: Remote denial-of-service in IP stack
July 12th, 2000
 
There are several bugs in the processing of IP options in the FreeBSD IP
stack, which fail to correctly bounds-check arguments and contain other
coding errors leading to the possibility of data corruption and a kernel
panic upon reception of certain invalid IP packets.
 
http://www.linuxsecurity.com/advisories/freebsd_advisory-552.html
 

* FreeBSD: UPDATE: popper port contains remote vulnerability
July 12th, 2000
 
Remote users can cause arbitrary code to be executed as the retrieving
user when a POP client retrieves email.  If you have not chosen to install
the qpopper-2.53 port/package, then your system is not vulnerable to this
problem.
 
http://www.linuxsecurity.com/advisories/freebsd_advisory-553.html
 

* FreeBSD: UPDATE: Canna port contains remote vulnerability
July 12th, 2000
 
Remote users can run arbitrary code as user 'bin' on the local system.
Depending on the local system configuration, the attacker may be able to
upgrade privileges further by exploiting local vulnerabilities. If you
have not chosen to install the Canna port/package, then your system is not
vulnerable to this problem.
 
http://www.linuxsecurity.com/advisories/freebsd_advisory-554.html
 

* FreeBSD: UPDATE: wu-ftpd port contains remote root compromise
July 12th, 2000
 
FTP users, including anonymous FTP users, can cause arbitrary commands to
be executed as root on the local machine. If you have not chosen to
install the wu-ftpd port/package, then your system is not vulnerable to
this problem.
 
http://www.linuxsecurity.com/advisories/freebsd_advisory-556.html
 

* Mandrake: dump vulnerability
July 12th, 2000
 
There was the potential for a buffer overflow exploit in the restore
program.  This new verson fixes this possible vulnerability.
 
http://www.linuxsecurity.com/advisories/mandrake_advisory-555.html
 

* SuSE: dhclient
July 11th, 2000
 
Dhclient could be tricked by a rogue DHCP server to execute commands as
user root.  This leads to a remote root compromise of the system using
dhclient.
 
http://www.linuxsecurity.com/advisories/suse_advisory-547.html
 

* SuSE: tnef vulnerability
July 11th, 2000
 
By specifing a path name like /etc/passwd and sending a compressed mail to
root an adversary could gain remote root access to a system by overwriting
the local password database. The same could happen if a mail virus
scanner, like AMaVIS, process' a malicious mail.
 
http://www.linuxsecurity.com/advisories/suse_advisory-548.html
 

* Apache::ASP v1.95: Permissions vulnerability
July 11th, 2000
 
Apache::ASP < http://www.nodeworks.com/asp/ > had a security hole in its
./site/eg/source.asp distribution examples file, allowing a malicious
hacker to potentially write to files in the directory local to the
source.asp example script.
 
http://www.linuxsecurity.com/advisories/other_advisory-551.html
 

* Big Brother: Permission vulnerability
July 11th, 2000
 
It is possible to view the contents of any file on the remote system. The
problem exists in the code where $HOSTSVC does not do authenticity
checking for its assigned variable.
 
http://www.linuxsecurity.com/advisories/other_advisory-550.html
 

* NetBSD: wu-ftpd package vulnerability.
July 10th, 2000
 
Remote anonymous FTP users to execute arbitrary code as root on the local
machine.
 
http://www.linuxsecurity.com/advisories/netbsd_advisory-544.html
 

* NetBSD: ftpd setproctitle vulnerability
July 10th, 2000
 
An improper use of the setproctitle() library function by ftpd may allow a
malicious remote ftp client to subvert an FTP server, including possibly
getting remote access to a system.
 
http://www.linuxsecurity.com/advisories/netbsd_advisory-545.html
 

* NetBSD: dhclient vulnerability
July 10th, 2000
 
The DHCP client program, dhclient(8), did not correctly handle DHCP
options it receives in DHCP response messages, possibly permitting a rogue
dhcp server to send maliciously formed options which resulted in a remote
root compromise.
 
http://www.linuxsecurity.com/advisories/netbsd_advisory-546.html
 

* SuSE: makewhatis not vulnerable
July 10th, 2000
 
makewhatis from man package reported to not be vulnerable to /tmp race
condition bug.
 
http://www.linuxsecurity.com/advisories/suse_advisory-543.html
 

-----------------------
Top Articles This Week:
-----------------------
 

Host Security News:
-------------------
 
* Unix Security Holes
July 13th, 2000
 
The hottest trend these days in network intrusion is to exploit buffer
overruns, a technique where-by you feed a program more data than it has
allocated, overwriting the memory in the hope of making the program do
something it would normally never do. It's an interesting technique but
just one of many available in the arsenal of today's intruders. In the
interest of feeding the media blitz about Internet security, this month's
column features a walk through some of the more innovative and interesting
security holes that we've come across in the past few years.
 
http://www.linuxsecurity.com/articles/server_security_article-1116.html
 

* Securing Sendmail on Four Types of Systems
July 12th, 2000
 
Depending on where you are and what you're doing there, security can mean
very different things. This second article in our series on sendmail and
security, based on the tutorial given by Eric Allman and Greg Shapiro at
the recent USENIX conference in San Diego, looks at what you can do to
secure sendmail on four types of systems: systems with user login access,
systems with user accounts but no shell access, POP/IMAP mail servers, and
firewalls.
 
http://www.linuxsecurity.com/articles/server_security_article-1104.html
 

* Tripwire - The Only Way to Really Know
July 11th, 2000
 
So you think you may have been hacked, but you're really not sure 'cause
some crackers seem pretty stealthy. There really is only one way to know -
employ a file integrity checker, like Tripwire or AIDE. In this article,
I'll explain why you need Tripwire/AIDE, what they do, and how you can
deploy Tripwire. I'll give you a sample configuration that you can tune.
 
http://www.linuxsecurity.com/articles/host_security_article-1095.html
 

* Installing djbdns (DNScache) for Name Service Part 2
July 11th, 2000
 
Traditionally, BIND has been the nameserver of choice when doing name
service on a Unix system. Like many of its close relatives, such as
sendmail, it was designed at a time when the internet wasn't even known as
the internet, and security wasn't a concern. This has caused more than a
few problems over the years, and many point to the age of its codebase,
and lack of designed-in security as part of the problem.
 
http://www.linuxsecurity.com/articles/server_security_article-1094.html
 
 
 
Network Security News:
-------------------
* Smart card accepted at portal
July 13th, 2000
 
Pulsar Data Systems Inc. on Tuesday unveiled its secure e-commerce portal,
PulsarData.com, which uses smart cards to enable agencies to purchase
information technology products.  Pulsar, a wholly owned subsidiary of
Internet data security company Litronic Inc., announced the smart card
feature, which is free for government users, at the E-Gov trade show in
Washington, D.C.
 
http://www.linuxsecurity.com/articles/server_security_article-1121.html
 

* Stolen Computers Will Self-Destruct
July 13th, 2000
 
The Cyber Group Network Corp. (CGN) is developing a software-controlled
hardware device that can be installed in computers worldwide to either
locate or destroy the devices when they are lost or stolen.  CGN says that
the hardware/software combination, code named "The C-4 Chip," will be able
to determine the location, within five feet, of missing or stolen
computers as well as other devices, anywhere on the planet.
CyberCrimeCorp, a subsidiary of CGN, will distribute the device.  
According to the company, for locating a computer that is stolen or
missing, a toll-free number will be available 24 hours a day, seven days a
week, in more than 20 countries.
 
http://www.linuxsecurity.com/articles/vendors_products_article-1120.html
 

* Cracked! Part 7: The Cracker's Revenge
July 12th, 2000
 
In this article I explain what the Cracker did when he broke back in, our
recovery from this, talking to the cracker afterwards and bring the story
to a close.
 
http://www.linuxsecurity.com/articles/intrusion_detection_article-1109.html
 

* Security policies fall short
July 12th, 2000
 
Federal agencies are failing to follow the policies to ensure that changes
in their software and systems do not open security vulnerabilities, the
General Accounting Office told agency officials last month.
 
http://www.linuxsecurity.com/articles/government_article-1113.html
 

* Companies adding Privacy officers
July 12th, 2000
 
Move over, CEO, CIO, and COO. Your titles are passe compared to the newest
position in high demand from corporate headhunters -- Chief Privacy
Officer.  With consumers increasingly concerned about their privacy and
new technology able to track Internet users click by click, companies are
rapidly hiring privacy officers and giving them broad powers to set
policies that protect consumers from invasion and companies from public
relations nightmares.
 
http://www.linuxsecurity.com/articles/privacy_article-1108.html
 

* Telecommuting has Increased Security Threats
July 11th, 2000
 
The proliferation of Internet technologies has helped fuel the
telecommuting wave with its mobility and connectivity needs, but it's been
a double-edged sword as that very mobility has increased security threats
to networks from dial-up and wireless access
 
http://www.linuxsecurity.com/articles/general_article-1091.html
 
 
 
Cryptography News:
------------------
 
* Counterpane Crypto-Gram
July 16th, 2000
 
This month Bruce Schneier comments on CIA, Counterpane cracker insurance,
(in)security in QuickBooks, current security news, and more.  Always a
good read.
 
http://www.linuxsecurity.com/articles/cryptography_article-1133.html
 

* SSH Tutorial
July 14th, 2000
 
Enter SSH (Secure SHell). By using SSH, you encrypt the traffic and you
can make 'man-in-the-middle' attacks almost impossible. It also protects
you from DNS and IP spoofing.
 
http://www.linuxsecurity.com/articles/cryptography_article-1125.html
 

* OpenSSH's Cinderella story
July 11th, 2000
 
Once upon a time, a Finnish programmer named Tatu Ylnen developed a
networking protocol and attendant software called SSH, short for Secure
SHell. Not having spoken to Mr. Ylnen, I know nothing about his precise
motivations at the time, but the practical upshot of SSH is that it
provides the world with an encrypted alternative to telnet.
 
http://www.linuxsecurity.com/articles/cryptography_article-1096.html
 

* Making an Unbreakable Code
July 10th, 2000
 
Because information is sent over the Internet (which is an open network),
valuable data can be easily intercepted and exploited. Obviously, there
could be disastrous consequences for individuals and businesses if this
information fell into the wrong hands.
 
http://www.linuxsecurity.com/articles/cryptography_article-1083.html
 
 
 
Vendor/Product/Tools News:
---------------------------
 
* Beware: E-signatures can be easily forged
July 14th, 2000
 
Consumer groups say the electronic signatures recently authorized by
President Clinton are easy to forge.
 
http://www.linuxsecurity.com/articles/privacy_article-1129.html
 

* Security, the Way It Should Be
July 12th, 2000
 
Today, security is often provided by patched-together, reactionary
defenses, which many see as an inhibitor to business. In order to take
their rightful place as a business enabler, security systems must provide
distributed, real-time, flexible defenses against attacks.
 
http://www.linuxsecurity.com/articles/network_security_article-1105.html
 
 
 
General News:
-------------
 
* FBI Defends 'Carnivore' Cyber-Snoop Device
July 13th, 2000
 
The FBI's newest e-mail surveillance tool is simply a logical extension of
its existing wiretapping technology and does not pose any new privacy
threat to rank-and-file Internet users, the FBI contended today in
response to a critical news report about its recently developed
"Carnivore" device.
 
http://www.linuxsecurity.com/articles/privacy_article-1117.html
 

* ACLU: Law Needs 'Carnivore' Fix
July 13th, 2000
 
"There's no clear law that authorizes Carnivore," said ACLU associate
director Barry Steinhardt. "But the FBI and the Justice Department ...
will argue that there's no clear law that prohibits it. And Congress needs
to put some real limits on what law enforcement can do."
 
http://www.linuxsecurity.com/articles/privacy_article-1115.html
 

* 'Carnivore' Eats Your Privacy
July 13th, 2000
 
"An FBI surveillance system called Carnivore is alarming privacy advocates
and some members of Congress. Agents typically install the specialized
computer on the networks of Internet providere target of an investigation,
the Wall Street Journal reported on Tuesday." s, where it intercepts all
communications and records sent to or from th
 
http://www.linuxsecurity.com/articles/privacy_article-1114.html
 

* ISPs bite back at Carnivore
July 13th, 2000
 
Internet-service providers and privacy advocates are concerned about the
implications of a new electronic surveillance system devised by the
Federal Bureau of Investigation, with some providers vowing to resist if
they are asked to install it on their networks.
 
http://www.linuxsecurity.com/articles/privacy_article-1119.html
 

* Websites Facing 'Privacy Storm'
July 13th, 2000
 
Members of the Internet Advertising Bureau met Wednesday for a privacy
forum where a quartet of industry players fired a warning shot at Web
companies. The message: People are worried, politicians are aware of it,
and laws are coming. So, be ready.
 
http://www.linuxsecurity.com/articles/privacy_article-1123.html
 

* FBI's system to covertly search e-mail raises privacy, legal issues
July 11th, 2000
 
The U.S. Federal Bureau of Investigation is using a superfast system
called Carnivore to covertly search e-mails for messages from criminal
suspects. Essentially a personal computer stuffed with specialized
software, Carnivore represents a new twist in the federal government's
fight to sustain its snooping powers in the Internet age.
 
http://www.linuxsecurity.com/articles/privacy_article-1102.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------