[Plug-security] Security Advisories

Jean Francois jfranc@amex-trs.com
Wed, 9 Feb 2000 16:07:18 -0700


    Caldera

    Buffer overflow in mount/umount
    ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-002.0.txt
    MySQL password handling
    ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-001.0.txt

    Debian

    symlink attack in apcd
    http://www.debian.org/security/2000/20000201

    Mandrake

    Nothing new

    Red Hat

    Nothing new

    SuSE

    Nothing new

    TurboLinux

    Nothing new


    As seen on Bugtraq:

    A permissions problem with libguile has been reported on Debian potato (currently frozen). libguile is used by GnuCash,
    which may handle sensitive financial data. Fix: chmod libguile to mode 644 (chmod 644 /usr/lib/libguile.so.6.0.0).
    Reported by Jamie Fifield <fifield@chebucto.ns.ca>.


    Tidbits:

    Bastille Linux is making progress: 1.0.3 pre-releases are out, and there is some serious discussion going on about its
    long-term layout.


    Tip of the week:

    Create a separate filesystem for /tmp. Since hard links cannot cross filesystems, no hard links to files elsewhere on the
    system can be created there, only symlinks. Additionally, you can mount it with various options like nosuid to prevent
    setuid bits on programs (such as a copy of the command shell). Simply create a filesystem (around 50 to 100 megs is more
    than enough for most people) and add an entry in fstab like the following (see man mount for more information):

  /dev/hda6 /tmp ext2 rw,auto,nouser,async,nosuid,noexec,nodev 1 2

    This will also prevent executables from being run (noexec) and special files like device nodes from being created (nodev).
    There should be no broken functionality: no normal program should need to place executable files in /tmp and run them,
    and the same goes for setuid bits and device files.
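As an added example (not part of the original post), here is a small POSIX shell check that parses an fstab-style table for the /tmp entry and reports which of the recommended mount options (nosuid, noexec, nodev) are missing; the sample fstab contents are constructed, and on a Linux host the same function is run over /proc/mounts, which uses the same column layout.

```shell
# Added example: audit an fstab-style mount table for the /tmp entry and
# report which of the hardening options from the tip are missing.

REQUIRED_OPTS="nosuid noexec nodev"

# has_opt OPTS NAME: succeed if the comma-separated list OPTS contains NAME.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_tmp_opts TABLE: TABLE is fstab (or /proc/mounts) text. Prints the
# required options absent from the first /tmp entry, space separated, or
# "no-separate-tmp" when /tmp is not a mount point of its own.
missing_tmp_opts() {
    line=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
           awk '$2 == "/tmp" { print; exit }')
    if [ -z "$line" ]; then
        echo "no-separate-tmp"
        return 0
    fi
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    missing=""
    for o in $REQUIRED_OPTS; do
        has_opt "$opts" "$o" || missing="$missing${missing:+ }$o"
    done
    echo "$missing"
}

# Constructed sample tables: the entry from the tip, a weak one, and one
# where /tmp simply lives on the root filesystem.
HARDENED='/dev/hda6 /tmp ext2 rw,auto,nouser,async,nosuid,noexec,nodev 1 2'
WEAK='# constructed sample fstab
/dev/hda1 / ext2 defaults 1 1
/dev/hda6 /tmp ext2 defaults 1 2'
NO_TMP='/dev/hda1 / ext2 defaults 1 1'

printf 'hardened sample: missing=[%s]\n' "$(missing_tmp_opts "$HARDENED")"
printf 'weak sample:     missing=[%s]\n' "$(missing_tmp_opts "$WEAK")"
printf 'no /tmp entry:   missing=[%s]\n' "$(missing_tmp_opts "$NO_TMP")"

# On a live Linux host, /proc/mounts has the same column layout as fstab,
# so the currently mounted /tmp can be audited the same way.
if [ -r /proc/mounts ]; then
    printf 'this host:       missing=[%s]\n' "$(missing_tmp_opts "$(cat /proc/mounts)")"
fi
```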

JLF Sends...

The whole aim of practical politics is to keep the populace alarmed (and
hence clamorous to be led to safety) by menacing it with an endless series
of hobgoblins, all of them imaginary.
        -- H.L. Mencken

