[NTLUG:Discuss] US-CERT Cyber Security Bulletin SB04-245 -- Summary of SecurityItems from August 18 through August 31, 2004
terry
kj5zr at yahoo.com
Thu Sep 2 00:55:19 CDT 2004
This link, (summary list of "Bugs, Holes, & Patches" as reported by
CERT), was sent to me by a MS-oriented IT person who contends that
Linux is as insecure or maybe even more insecure than MS Windows.
<http://www.us-cert.gov/cas/bulletins/SB04-245.html#altsoft-agsm>
First glance shows:
MS Windows has only:
23 "Bugs, Holes, & Patches"
And Unix / Linux has:
51 "Bugs, Holes, & Patches"
**** humm.... "& Patches" ****
Second glance shows:
MS Windows:
18 out of 23 "No workaround or patch available at time of publishing."
Unix / Linux
6 out of 51 "No workaround or patch available at time of publishing."
or
MS Windows: 18 unresolved security issues
Unix / Linux 6 unresolved security issues
I guess we could say MS has a lot of work to do?
Fair? Unfair? Or maybe that's understandable given the fact that our
developer base is somewhat broader than theirs?
I don't know how many of those MS issues have been worked out since
publish dates of above listed advisories,
BUT
Some of those Unix / Linux issues seem to have been worked on, or maybe
even worked out completely:
==============================================================
IMWheel 1.0.0pre12 Released(* Security Fix *) Dated Sunday, August 29, 2004
http://imwheel.sourceforge.net/
fidogate:
fidogate.org
Changes in 4.4.10:
* SECURITY BUG in all setuid news programs fixed (environment
variables FIDOGATE_LOGFILE, LOGFILE allowed local append to
all files writable by news).
=================================================================
Hafiye (from CERT)
EnderUNIX SDT
High Risk
SecurityFocus, August 23, 2004
EnderUNIX Hafiye 1.0 Changelog
------------------------------
From: http://www.enderunix.org/hafiye/hafiye-1.0/ChangeLog
* Tue Aug 25 09:30:00 EEST 2004
fixed a terminal escape sequence injection bug reported by
Serkan Akpolat.
==================================================================
May be more, just all I found at the moment.
BTW, I heard someplace that CERT has advised against use of IE, or has
advised that we should use some browser other than IE.
Anyone have a link to any such advisory or bulletin?
I noticed vulnerabilities cited in Netscape / Mozilla / Firefox, but
maybe those have been fixed, or patched recently?
It's over a week old news, but here is some info on Mozilla / Firefox:
Following information from:
http://www.linuxsecurity.com/advisories/gentoo_advisory-4708.html
---<quote>---
Mozilla, Firefox, Thunderbird: New releases fix
vulnerabilities
Date: August 23, 2004
Bugs: #57380, #59419
ID: 200408-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
New releases of Mozilla, Mozilla Thunderbird, and Mozilla Firefox fix
several vulnerabilities, including remote DoS and buffer overflows.
Mozilla, Mozilla Firefox and Mozilla Thunderbird contain the following
vulnerabilities:
* All Mozilla tools use libpng for graphics. This library contains a
buffer overflow which may lead to arbitrary code execution.
* If a user imports a forged Certificate Authority (CA) certificate,
it may overwrite and corrupt the valid CA already installed on the
machine.
Impact
======
Users of Mozilla and Mozilla Firefox are susceptible to SSL certificate
spoofing, a Denial of Service against legitimate SSL sites, crashes,
and arbitrary code execution. Users of Mozilla Thunderbird are
susceptible to crashes and arbitrary code execution via malicious
e-mails.
Workaround
==========
There is no known workaround for most of these vulnerabilities. All
users are advised to upgrade to the latest available version.
Resolution
==========
All users should upgrade to the latest stable version:
# emerge sync
# emerge -pv your-version
# emerge your-version
---</quote>---
So, does that knock the score down to 5 to 18?
or not?
--
test everything; hold fast what is good,