Date: Tue, 20 Jan 2004 14:57:55 -0700 (MST)
From: "Kelly Martin" <kel@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #167
SecurityFocus Linux Newsletter #167
------------------------------------
I. FRONT AND CENTER
     1. Problems and Challenges with Honeypots
II. LINUX VULNERABILITY SUMMARY
     1. Multiple Vendor bzip2 Antivirus Software Denial of Service V...
     2. DansGuardian Webmin Module Edit.CGI Remote Directory Travers...
     3. Andy's PHP Projects Man Page Lookup Script Information Discl...
     4. VisualShapers EZContents Module.PHP Remote Command Execution...
     5. Jitterbug CGI Remote Arbitrary Command Execution Vulnerabili...
     6. Zope Multiple Vulnerabilities
     7. Mod-Auth-Shadow Apache Module Expired User Credential Weakne...
     8. SuSE YaST SuSEconfig.gnome-filesystem Local Insecure File Cr...
     9. H+BEDV AntiVir Insecure Temporary File Creation Symbolic Lin...
     10. KDE Personal Information Management Suite VCF File Remote Bu...
     11. Real Networks Helix Server/Gateway Administration Service HT...
     12. TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Over...
     13. PHPDig Config.PHP Include Remote Command Execution Vulnerabi...
     14. FishNet FishCart Rounding Function Integer Wrapping Vulnerab...
     15. Linux Kernel 32 Bit Ptrace Emulation Full Kernel Rights Vuln...
     16. ELM frm Command Remote Buffer Overflow Vulnerability
     17. QMail-SMTPD Long SMTP Session Integer Overflow Denial of Ser...
     18. SuSE 3Ddiag Insecure Temporary File Handling Symbolic Link V...

III. LINUX FOCUS LIST SUMMARY
     NO NEW POSTS FOR THE WEEK 2004-01-13 to 2004-01-20.

IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Immunity CANVAS
     2. SecretAgent
     3. Cyber-Ark Inter-Business Vault
     4. EnCase Forensic Edition
     5. KeyGhost SX
     6. SafeKit

V. NEW TOOLS FOR LINUX PLATFORMS
     1. OSIRIS v3.0.0
     2. LEAF (Bering-uClibc) v2.1rc1
     3. Andutteye Surveillance v1.14-1
     4. Quick Spam Filter v0.9.25
     5. CryptoFS v0.3.1
     6. Enigmail v0.83.0

VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION


I. FRONT AND CENTER
-------------------
1. Problems and Challenges with Honeypots
By Lance Spitzner  Jan 14, 2004

In this paper we take a look at some of the many challenges and problems
facing honeypots, and possible approaches on how to solve them. By
identifying these problems now, we can hope to make honeypots a stronger
technology for the future.

http://www.securityfocus.com/infocus/1757


II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Multiple Vendor bzip2 Antivirus Software Denial of Service V...
BugTraq ID: 9393
Remote: Yes
Date Published: Jan 09 2004
Relevant URL: http://www.securityfocus.com/bid/9393
Summary:
Multiple vendor antivirus software applications have been reported to be
prone to a denial of service vulnerability.  This issue presents itself
when an affected application attempts to decompress an excessively large
bzip2 archive.  It has been reported that the antivirus applications
attempt to decompress a bzip2 archive and store it on the local file
system before scanning the files for malicious code.  The applications
may fail to check for anomalies such as the decompressed size of the
archive.  Therefore, it is possible for an attacker to create an
excessively large bzip2 archive (for example, 2GB of 0x31 characters,
which compresses to a tiny fraction of that size), which may cause a
denial of service condition in the antivirus application upon
decompression.

Successful exploitation of this issue may allow an attacker to cause a
denial of service condition in the antivirus software due to resource
exhaustion, leading to a crash or hang.  A successful attack could also
leave a system vulnerable to malicious code threats.

Kaspersky AntiVirus for Linux 5.0.1.0, Trend Micro InterScan VirusWall
3.8 Build 1130, and McAfee Virus Scan for Linux v4.16.0 have been
reported to be prone to this issue, however, it is likely that other
products are affected as well.

2. DansGuardian Webmin Module Edit.CGI Remote Directory Travers...
BugTraq ID: 9394
Remote: Yes
Date Published: Jan 10 2004
Relevant URL: http://www.securityfocus.com/bid/9394
Summary:
DansGuardian Webmin Module is an adaptation of the DansGuardian
configuration scripts for Webmin.  It is available for the Unix and Linux
platforms.

A problem has been identified in the handling of input by scripts
packaged with the DansGuardian Webmin Module.  Because of this, it is
possible for a remote user to gain access to potentially sensitive
information.

The problem is in the handling of input by the edit.cgi script.  A
remote user may supply directory traversal sequences in the file
parameter of the edit.cgi script to view a file outside of the
DansGuardian root directory.  An attacker may view any file readable
with the privileges of the web server process hosting Webmin.

3. Andy's PHP Projects Man Page Lookup Script Information Discl...
BugTraq ID: 9395
Remote: Yes
Date Published: Jan 10 2004
Relevant URL: http://www.securityfocus.com/bid/9395
Summary:
Man Page Lookup script is a PHP script distributed and maintained by
Andy's PHP Projects.  It is available for the Unix and Linux platforms.

A problem in the handling of user-supplied input by Andy's PHP Projects
Man Page Lookup script has been reported.  Because of this, it is
possible for an attacker to gain unauthorized access to sensitive
information on a system.

The problem is in the checking of the command variable passed to the
index.php script.  An attacker can place a maliciously crafted value in
this field to escape the web root directory and view the contents of any
file on the system.  This issue is limited only by the read privileges of
the web server process.
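A containment check of the kind that both edit.cgi (BID 9394) and
index.php (BID 9395) lack, as an added example that is not part of this
newsletter, of DansGuardian or of Andy's PHP Projects: the client's value
is joined to a fixed root, canonicalised, and refused unless the result
still lies under that root.  The root directory, the files in it and the
probe values are constructed for the demonstration.

```python
"""Resolve a user-supplied file name under a fixed root and refuse anything
that would escape it.  Added example; not code from either project."""
import os
import tempfile


class PathTraversal(Exception):
    """The requested name would resolve outside the permitted root."""


def resolve_under_root(root, user_path):
    """Return the canonical path for `user_path` inside `root`, or raise.

    realpath() collapses '.', '..' and symlinks, so the containment test is
    made against the path the OS would actually open, not the string the
    client sent.  Absolute names are refused outright rather than silently
    re-rooted, so a request for /etc/passwd fails instead of being rewritten."""
    if not user_path or os.path.isabs(user_path):
        raise PathTraversal(user_path)
    root_real = os.path.realpath(root)
    try:
        candidate = os.path.realpath(os.path.join(root_real, user_path))
        common = os.path.commonpath([root_real, candidate])
    except ValueError:           # embedded NUL byte, or paths that cannot be compared
        raise PathTraversal(user_path)
    # commonpath() is component-wise: /srv/dg-evil is not under /srv/dg.
    if candidate == root_real or common != root_real:
        raise PathTraversal(user_path)
    return candidate


def demo():
    """Build a throwaway root with one legitimate list file, a secret outside
    the root, and a symlink inside the root pointing at that secret; then try
    the kind of values a client could put in a 'file' or 'command' parameter."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "dansguardian")
    os.makedirs(os.path.join(root, "lists"))
    with open(os.path.join(root, "lists", "bannedsitelist"), "w") as fh:
        fh.write("example.test\n")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("outside the root\n")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "escape"))

    probes = [
        "lists/bannedsitelist",            # legitimate
        "lists/../lists/bannedsitelist",   # harmless '..' that stays inside
        "../secret.txt",                   # classic traversal
        "lists/../../secret.txt",          # traversal hidden behind a real component
        "/etc/passwd",                     # absolute path
        "escape",                          # symlink that points outside
        "../secret.txt\0.txt",             # NUL truncation trick
    ]
    results = {}
    for probe in probes:
        try:
            resolve_under_root(root, probe)
            results[probe] = "allowed"
        except PathTraversal:
            results[probe] = "rejected"
    return results


if __name__ == "__main__":
    for probe, verdict in demo().items():
        print(f"{verdict:8s} {probe!r}")
```

Checking the string for ".." is not enough on its own: the symlink probe
contains no dot-dot at all and still leaves the root, which is why the
check is made on the canonical path rather than on the request.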

4. VisualShapers EZContents Module.PHP Remote Command Execution...
BugTraq ID: 9396
Remote: Yes
Date Published: Jan 10 2004
Relevant URL: http://www.securityfocus.com/bid/9396
Summary:
ezContents is a freely available, open source content management system.
It is distributed and maintained by VisualShapers, and available for the
Unix and Linux platforms.

A problem in the handling of specific types of input passed to the
module.php script in VisualShapers ezContents has been discovered.
Because of this, an attacker may be able to gain unauthorized access to
vulnerable systems.

The problem is in the handling of input supplied to the link variable in
the module.php script.  An attacker can supply a link to a malicious web
site with arbitrary system commands embedded in the URI.  Due to
insufficient sanitizing of input, these commands are passed directly to
the shell, where they are executed on the system with the privileges of
the web server process.
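The two ways of handing a URL parameter to an external program, as an
added example that is not part of this newsletter or of ezContents: the
concatenated command line that a shell parses (so a ';' in the link
starts a second command) beside an argv list that no shell ever sees,
with an allowlist check on top.  'echo' stands in for the real fetcher so
the demonstration runs anywhere with /bin/sh; the payload is constructed.

```python
"""Shell injection through a URL parameter: the injectable form beside the
argv form.  Added example; not ezContents code."""
import subprocess
from urllib.parse import urlsplit


def run_vulnerable(link):
    """String concatenation + shell=True: the shell parses `link`, so ';', '|',
    '`' and '$(...)' inside the parameter become additional commands."""
    cmd = "echo fetching " + link
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(link):
    """argv list, no shell: the same bytes reach the program as one argument,
    metacharacters included, and nothing interprets them."""
    return subprocess.run(["echo", "fetching", link],
                          capture_output=True, text=True).stdout


def validate_link(link):
    """Allowlist check for what a 'link' should look like.  Defence in depth
    on top of run_argv(): rejects anything that is not an absolute http(s)
    URL, and shell or newline characters that have no business in one."""
    parts = urlsplit(link)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("link must be an absolute http(s) URL")
    forbidden = set(";|&`$<>\n\r'\"\\ ")
    if any(ch in forbidden for ch in link):
        raise ValueError("link contains characters not permitted in a URL")
    return link


def is_acceptable_link(link):
    try:
        validate_link(link)
        return True
    except ValueError:
        return False


def fetch_safe(link):
    """What module.php should have done: validate, then exec without a shell."""
    return run_argv(validate_link(link))


if __name__ == "__main__":
    payload = "http://example.test/;echo INJECTED"     # constructed attacker value
    print("shell  :", repr(run_vulnerable(payload)))  # two commands ran
    print("argv   :", repr(run_argv(payload)))        # one argument, printed literally
    print("policy :", is_acceptable_link(payload), is_acceptable_link("http://example.test/a.html"))
```

The argv form is the fix; the allowlist only narrows what reaches the
fetcher, and would also stop a link such as file:///etc/passwd that the
fetcher itself might honour.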

5. Jitterbug CGI Remote Arbitrary Command Execution Vulnerabili...
BugTraq ID: 9397
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9397
Summary:
Jitterbug is a freely available, open source bug tracking system written
in CGI.  It is available for the Linux platform.

A vulnerability has been identified in the handling of input by
Jitterbug.  Because of this, an attacker may be able to gain unauthorized
access to vulnerable systems.

Due to the nature of this bug and the fact that it is hosted by a web
server process, it is likely that exploitation of this issue results in
command execution with the privileges of the web server process.
However, specific details about this issue are not currently available.
This vulnerability will be further updated as additional information
becomes available.

6. Zope Multiple Vulnerabilities
BugTraq ID: 9400
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9400
Summary:
Zope is an open source web application server, maintained by the Zope
Project. Zope is available for Linux, Unix, and Microsoft Windows based
systems.

Multiple vulnerabilities have been reported to exist in the software that
may allow an attacker to carry out attacks resulting from improper input
validation, access validation, information disclosure, and various
improper security checks on a vulnerable system.  Successful exploitation
of these issues may lead to cross-site scripting attacks, denial of
service conditions, and other attacks.

The following specific issues have been identified:

The ZSearch interface has been reported to be prone to a cross-site
scripting vulnerability.  Successful exploitation of this issue may allow
a remote attacker to carry out cross-site scripting attacks by enticing a
victim user to follow a malicious link to a site hosting the software
that contains embedded HTML and script code. The embedded code may be
rendered in the web browser of the victim user in the security context of
the site hosting the vulnerable software.

A denial of service vulnerability has been identified in
'ZTUtils.SimpleTree' that may allow an attacker to cause a denial of
service condition in the software.  This condition results from improper
state handling.

An access validation issue has been reported to exist in the admin "find"
functions.  This issue may lead to an attacker gaining access to
sensitive information without proper authentication.

An unspecified access validation issue has been identified in the
PropertyManager 'lines' and 'tokens' properties.  It has been reported
that some property types are stored in a mutable data type (list) and may
allow untrusted code to effect changes on the properties without proper
security validation.

An unspecified access validation issue may exist in the DTMLDocument
objects.  This issue could allow an attacker to gain access to sensitive
information.

Another access validation issue has been identified in DTMLMethods.  It
has been reported that DTMLMethods proxy rights may be incorrectly
inherited when traversing to a parent object.

A denial of service vulnerability has been identified in the DTML tag
'dtml-tree' that may allow an attacker to cause a denial of service
condition in the software.

An information disclosure vulnerability is reported to exist in the
software.  This issue may allow an attacker to disclose certain
attributes via XML-RPC marshalling of class instances.

An access validation issue has been reported to exist in the software
that may allow unauthorized access to certain variables.  This issue
occurs due to improper initialization of PythonScript class security.

A denial of service vulnerability exists in RESPONSE.write() that may
allow an attacker to pass malicious unicode values, causing the ZServer
main loop to terminate and resulting in a crash or hang.

An access validation issue may exist in the software due to unpacking via
function calls, variable assignment, and exception variables without a
sufficient security check.  This issue may allow an attacker to gain
access to sensitive data.

Another access validation issue may allow an attacker to execute a
malicious script on a vulnerable system in order to gain unauthorized
access to certain objects.  This issue results from improper verification
of variables bound to page templates and Python scripts such as 'context'
and 'container'.

An unspecified error has been reported to exist due to the use of min,
max, enumerate, iter, and sum in untrusted code.

An issue has been identified in the use of 'import as' in Python scripts
that may allow an attacker to bypass security checks.

Another access validation issue has been identified in the list and
dictionary instance methods that may allow an attacker to gain
unauthorized access to certain objects.  A similar issue has also been
identified in for loops, list comprehensions, and other iterations of
untrusted code.

Further analysis of these issues is currently underway.  This BID will be
separated into individual BIDs upon completion of analysis.

These issues have been reported to exist in Zope versions 2.6.2 and prior
and the development release 2.7.0 beta3.  Other versions could be
affected as well.

7. Mod-Auth-Shadow Apache Module Expired User Credential Weakne...
BugTraq ID: 9404
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9404
Summary:
Mod-Auth-Shadow is a module for the Apache server that authenticates
users against the /etc/shadow file on Unix and Linux platforms.

A problem has been identified in mod-auth-shadow that may permit a user
to gain access to a system after the expiration of their credentials.
This weakness may result in users gaining access to the web site outside
of the period of validity for their credentials.

The problem is in the handling of expiration data entered into the
/etc/shadow file.  Specific details of this weakness are not available.
This vulnerability entry will be updated when further information becomes
available.
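The expiration data a shadow-based authenticator has to honour after the
password hash matches, as an added example that is not part of this
newsletter or of mod-auth-shadow: the account expiry date, the password
age limit and the inactivity grace period, all stored in shadow(5) as
day counts since 1970-01-01.  The entries are constructed with
placeholder hashes; the ordering of the checks follows the shadow suite.

```python
"""Deciding whether an /etc/shadow entry is still valid for login.  Added
example illustrating the checks an authenticator must make; not
mod-auth-shadow code."""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d):
    """shadow(5) stores its dates as day counts since 1970-01-01."""
    return (d - EPOCH).days


def shadow_status(line, today):
    """Classify one shadow(5) entry for the given day number.

    Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
    Empty aging fields mean 'not enforced'.  Order of checks: unusable hash,
    account expiry date, then password age with its inactivity grace period."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("malformed shadow entry")
    name, pw, lastchg, _min, max_, _warn, inactive, expire, _reserved = fields

    if pw == "" or pw.startswith(("!", "*")):
        return name, "locked"                   # no usable hash
    if expire and today >= int(expire):
        return name, "account expired"
    if lastchg:
        changed = int(lastchg)
        if changed == 0:
            return name, "password change required"
        if max_:
            limit = changed + int(max_)
            if inactive and today >= limit + int(inactive):
                return name, "locked"           # grace period exhausted
            if today >= limit:
                return name, "password expired"
    return name, "active"


def may_log_in(line, today):
    """What an HTTP authenticator should consult after the hash matches:
    anything other than 'active' is a deny."""
    return shadow_status(line, today)[1] == "active"


# Constructed sample entries (hashes are placeholders); day 12437 is 2004-01-20.
SAMPLE = """\
alice:$1$abc$hash:12400:0:99999:7:::
bob:$1$abc$hash:12400:0:30:7:::
carol:$1$abc$hash:12400:0:30:7:5::
dave:$1$abc$hash:12400:0:99999:7::12400:
erin:!$1$abc$hash:12400:0:99999:7:::
frank:$1$abc$hash:0:0:99999:7:::
"""


def report(today=days_since_epoch(date(2004, 1, 20))):
    return dict(shadow_status(line, today) for line in SAMPLE.splitlines())


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:6s} {status}")
```

The separate "password expired" and "account expired" outcomes matter
because the two are set by different fields and an authenticator that
only looks at one of them, or only at the hash, lets the other slip.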

8. SuSE YaST SuSEconfig.gnome-filesystem Local Insecure File Cr...
BugTraq ID: 9411
Remote: No
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9411
Summary:
YaST helps configure and reconfigure SuSE Linux systems. The
SuSEconfig.gnome-filesystem script is designed to set up the GNOME
environment.

SuSEconfig.gnome-filesystem has been reported prone to an insecure file
creation vulnerability that may be exploited to corrupt arbitrary files.
The issue has been reported to present itself because the
SuSEconfig.gnome-filesystem script will follow symbolic links (symlinks)
when writing certain specific files.

Ultimately a local user may exploit this condition by creating a symlink
in place of one of the files that SuSEconfig.gnome-filesystem writes. The
malicious symlink will point to an arbitrary file on the system. When an
unsuspecting user invokes SuSEconfig.gnome-filesystem, potentially via
the YaST software, the file linked by the symlink will be corrupted. The
file corruption will occur only if the user invoking
SuSEconfig.gnome-filesystem has sufficient privileges to write to the
target file. A local user may leverage this condition to corrupt
arbitrary files, triggering a system wide denial of service or
potentially elevating their system privileges.

SuSE Linux 9.0 has been reported to be prone to this issue, however,
other versions could be affected as well.

9. H+BEDV AntiVir Insecure Temporary File Creation Symbolic Lin...
BugTraq ID: 9413
Remote: No
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9413
Summary:
AntiVir is an anti-virus software package distributed by H+BEDV.  It is
available for Linux and Windows platforms.

An error in the handling of temporary file creation may allow local
destruction of data.

It has been reported that AntiVir does not securely create temporary
files when the process is executed.  Due to this issue a local attacker
may be able to launch a symbolic link attack against system files.

This issue is due to the software failing to properly determine if a
temporary file exists before attempting to create it.  When the
application begins execution, the temporary file /tmp/.pid_antivir_X is
created, where 'X' represents the process ID of the application.  In
typical configurations, this file is created by the root user, and is not
removed until the computer is rebooted.

A local attacker could exploit this issue by successfully guessing the
name of a future temporary file and creating a symbolic link to a target
system file.  Process IDs assigned during boot are largely predictable,
which makes the guess practical.  Upon reboot, the AntiVir software will
then write to the guessed symbolic link.  When the AntiVir software
writes to the symbolic link file it may destroy sensitive data, which
could result in denial of service.

This vulnerability is only known to affect the version of the software
for the Linux platform.

10. KDE Personal Information Management Suite VCF File Remote Bu...
BugTraq ID: 9419
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9419
Summary:
KDE Personal Information Management Suite (kdepim) helps users organize
mail, tasks, appointments, contacts etc.  It is packaged with KDE, a
graphical desktop for the X Window System.

A buffer overflow vulnerability has been reported to exist in the KDE
Personal Information Management Suite (kdepim) that may allow a remote
attacker to execute arbitrary code on a vulnerable system. The issue
presents itself when an attacker sends a malformed VCF file to a user on
a vulnerable system.  Due to a problem with the file information reader
of VCF files, an attacker may be able to execute arbitrary code on a
vulnerable system if the malicious VCF file is opened by the user.

The condition exists due to insufficient boundary checking. Because of
this, it may be possible for a remote attacker to gain unauthorized
access to a system running the vulnerable software.

Successful exploitation of this vulnerability may allow a remote attacker
to execute arbitrary code in the context of the user.

11. Real Networks Helix Server/Gateway Administration Service HT...
BugTraq ID: 9421
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9421
Summary:
Helix Universal Server is a media delivery server distributed and
maintained by Real Networks.  It is available for the Unix, Linux, and
Microsoft Windows platforms.

A problem has been identified in the handling of HTTP POST requests by
the administrative service in Real Networks Helix Universal Server.
Because of this, a remote attacker may deny service to legitimate users
of the server on an affected host.

This issue requires the attacker to have legitimate administrative
service login credentials to exploit.  The root of the problem appears to
be an issue in the adminfs.so library, available on Microsoft Windows as
admi3260.dll.  An attacker may send a maliciously crafted HTTP POST
request to the service, and upon the service receiving the request, it
crashes.  This is likely due to an input-handling bug in the adminfs.so
library; this however has not been confirmed.

The server requires a manual restart to resume normal operation.  In
addition to the Helix Universal Server, this problem is known to affect
the Helix Universal Gateway, Helix Universal Mobile Server, and Helix
Universal Mobile Gateway.

12. TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Over...
BugTraq ID: 9423
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9423
Summary:
tcpdump is a freely available open source network monitoring tool. It is
available for the Unix, Linux, and Microsoft Windows operating systems.

Multiple buffer overflow vulnerabilities have been reported to exist in
tcpdump that may allow a remote attacker to gain unauthorized access to a
system running the vulnerable software. The conditions are present due to
insufficient boundary checking.

The conditions are reported to exist in the ISAKMP decoding routines of
tcpdump.  It has been reported that a remote attacker may be able to
cause a buffer overrun condition by sending specially crafted packets to
a vulnerable system.  Immediate consequences of a successful attack may
cause a denial of service condition in the software, however, it has been
reported that an attacker may be able to execute arbitrary code on a
vulnerable system as the 'pcap' user.  Note that the 'pcap' user applies
only where tcpdump has been built or configured to drop its privileges;
a tcpdump left running as root executes the attacker's code as root.

An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of these issues may allow an attacker to execute arbitrary
code as the 'pcap' user in order to gain unauthorized access.

Some of the issues are reported to affect tcpdump versions prior to 3.8.1
and others reportedly affect all versions up to and including tcpdump
3.8.1.

This vulnerability record will be divided into multiple Bugtraq IDs when
analysis of the individual issues is complete. Some of these issues may
already be known. Where it is appropriate, existing Bugtraq IDs will also
be updated to reflect the information in the advisory.
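The kind of check a packet decoder needs before it indexes into a
payload, as an added example that is not part of this newsletter or of
tcpdump: a walk over the ISAKMP payload chain (RFC 2408 framing: a
28-byte message header, then payloads each with a 4-byte header carrying
the next-payload type and the payload's own length) in which every length
is compared with the bytes actually captured before it is used.  The
sample messages, including the two malformed ones, are constructed.

```python
"""Bounds-checked walk over an ISAKMP payload chain (RFC 2408 framing).
Added example illustrating the checks a decoder needs; not tcpdump code."""
import struct

HDR = struct.Struct("!8s8sBBBBII")   # cookies, next, version, exchange, flags, msg id, length
PAYLOAD_HDR = struct.Struct("!BBH")  # next payload, reserved, payload length (incl. header)
NONE = 0


class Malformed(Exception):
    """The packet's own length fields disagree with the bytes we hold."""


def parse_isakmp(pkt):
    """Return header fields and the list of (type, body) payloads.

    Every length is validated against the captured buffer before it is used
    for indexing.  A declared length larger than the buffer (the classic
    overflow trigger) or smaller than its own header (which would move the
    cursor backwards or leave it spinning) is rejected instead of trusted."""
    if len(pkt) < HDR.size:
        raise Malformed("short ISAKMP header")
    _icookie, _rcookie, nxt, version, exch, flags, msgid, length = HDR.unpack_from(pkt, 0)
    if length < HDR.size or length > len(pkt):
        raise Malformed(f"message length {length} does not fit {len(pkt)} captured bytes")

    payloads = []
    off = HDR.size
    while nxt != NONE:
        if off + PAYLOAD_HDR.size > length:
            raise Malformed(f"payload header at offset {off} truncated")
        nxt_next, _reserved, plen = PAYLOAD_HDR.unpack_from(pkt, off)
        if plen < PAYLOAD_HDR.size:
            raise Malformed(f"payload length {plen} smaller than its header")
        if off + plen > length:
            raise Malformed(f"payload length {plen} at offset {off} exceeds message")
        payloads.append((nxt, pkt[off + PAYLOAD_HDR.size: off + plen]))
        nxt, off = nxt_next, off + plen
    return {"version": version, "exchange": exch, "flags": flags,
            "message_id": msgid, "payloads": payloads}


def safe_parse(pkt):
    """Decoder front-end: never let a bad packet take the whole tool down."""
    try:
        return "ok", parse_isakmp(pkt)
    except Malformed as exc:
        return "error", str(exc)


def build_message(payloads, exchange=2):
    """Assemble a well-formed message from (type, body) pairs (constructed input)."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NONE
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else NONE
    hdr = HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, exchange, 0, 0, HDR.size + len(body))
    return hdr + body


def good_sample():
    # payload type 1 = Security Association, type 13 = Vendor ID
    return build_message([(1, b"\x00\x00\x00\x01"), (13, b"vendor")])


def oversized_sample():
    """Second payload claims 65535 bytes; only 10 are present."""
    pkt = bytearray(good_sample())
    struct.pack_into("!H", pkt, HDR.size + 8 + 2, 0xFFFF)   # length field of payload 2
    return bytes(pkt)


def zero_length_sample():
    """Second payload claims length 0: a naive cursor would never advance."""
    pkt = bytearray(good_sample())
    struct.pack_into("!H", pkt, HDR.size + 8 + 2, 0)
    return bytes(pkt)


if __name__ == "__main__":
    for name, pkt in (("good", good_sample()), ("oversized", oversized_sample()),
                      ("zero-length", zero_length_sample()), ("truncated", good_sample()[:40])):
        print(name, safe_parse(pkt))
```

The same two comparisons, declared length against remaining buffer and
declared length against minimum header size, are what any decoder of a
length-prefixed format has to make before copying or indexing.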

13. PHPDig Config.PHP Include Remote Command Execution Vulnerabi...
BugTraq ID: 9424
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9424
Summary:
PhpDig is a freely available, open source search engine written in PHP.
It is available for the Unix and Linux operating systems.

A problem has been identified in the handling of includes in PhpDig.
Because of this, it may be possible for a remote user to gain
unauthorized access to a vulnerable host.

The problem is in the filtering of input by the config.php script located
in the includes sub-directory.  It is possible for an attacker to supply
the $relative_script_path variable to the config.php script, making it
possible to include a script from a remote system containing malicious
content.  Upon supplying the location to the malicious language file or
other file required by the script, the commands contained in the file
would be executed on the vulnerable host.

It should be noted that commands executed on a host through this
vulnerability will be carried out with the privileges of the web server
process.

14. FishNet FishCart Rounding Function Integer Wrapping Vulnerab...
BugTraq ID: 9426
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9426
Summary:
FishCart is a commercially available, open source shopping cart software
package.  It is available for the Unix, Linux, and Microsoft platforms.

A problem in the handling of rounding has been discovered in FishNet
FishCart.  Because of this, attackers entering numbers of excessive size
may be able to produce unexpected results in a vulnerable
implementation.

The problem is in the rnd() function.  By passing numbers of one billion
or more to fields in the software that pass the value to the rnd()
function, it is possible to force the value to wrap to a negative value.
An attacker could exploit this issue to interrupt business operations,
and potentially create security issues.

15. Linux Kernel 32 Bit Ptrace Emulation Full Kernel Rights Vuln...
BugTraq ID: 9429
Remote: No
Date Published: Jan 15 2004
Relevant URL: http://www.securityfocus.com/bid/9429
Summary:
Unix and Unix-like kernels offer a debugging facility called ptrace.
Ptrace allows for one process to 'attach' to another and inspect/modify
its memory and registers. Updates to registers that control a process's
privileges (on x86, the EFLAGS register) must be carefully verified to
ensure that privilege is not escalated.

A vulnerability has been discovered in the 32-bit ptrace emulation in the
Linux kernel on x86_64 (AMD64) architectures.  This vulnerability allows
a user space program to gain full control of the kernel due to a failure
to validate information stored in a system register.

It has been reported that due to improper validation of the data written
to the EFLAGS register of a traced child process it is possible for a
user process to grant itself, or another process, privileges normally
reserved for ring 0.  Ring 0 is the highest possible privilege level, and
so the user space process can gain full control of the vulnerable kernel.

This issue arises because the PTRACE_SETREGS request, when used to set
the EFLAGS register, fails to restrict the write to the flags that
unprivileged code is allowed to change and to retain the previous state
of the privileged flags.  Instead the user-supplied value is stored
wholesale, including the flags that are restricted to privileged code.
This allows the process to raise its I/O Privilege Level (the IOPL field
in the EFLAGS register) to the maximum, giving it the I/O instruction
privilege normally reserved for ring 0, which in turn can be used to
reach hardware and memory outside the process's own address space.  It
also allows the process to clear the interrupt flag, so that all maskable
interrupts become disabled; this alone could be used to hang the kernel
and therefore result in a denial of service.

This issue is known to affect the 2.4 Linux kernels that support the
x86_64 (AMD64) architecture, however other versions of the kernel may
also be vulnerable on x86_64 (AMD64) processors.

Further information concerning this issue is not currently available.
This BID will be updated as more information becomes available.
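The validation that the summary says the emulation layer skips, as an
added example that is not part of this newsletter or of the Linux kernel:
a tracer's requested EFLAGS value is honoured bit for bit (the reported
behaviour) beside a merge that takes only the user-changeable bits from
the request and carries IOPL, IF and the other privileged bits over from
the tracee's current state.  The bit positions are those of the x86
EFLAGS register; the set of user-changeable bits is this example's own
illustrative choice and is not the kernel's mask.

```python
"""Validating a debugger's write to EFLAGS: honouring every bit (the flaw)
beside a masked merge that keeps the privileged bits as they were.  Added
example in Python for illustration; not kernel code."""

EFLAGS_CF = 1 << 0
EFLAGS_BIT1 = 1 << 1   # architecturally always 1
EFLAGS_PF = 1 << 2
EFLAGS_AF = 1 << 4
EFLAGS_ZF = 1 << 6
EFLAGS_SF = 1 << 7
EFLAGS_TF = 1 << 8     # single-step trap: legitimately set by debuggers
EFLAGS_IF = 1 << 9     # interrupt enable: clearing it from user space hangs the CPU
EFLAGS_DF = 1 << 10
EFLAGS_OF = 1 << 11
EFLAGS_IOPL = 3 << 12  # I/O privilege level field (two bits)

# Bits a tracer may change in the tracee (illustrative set: arithmetic flags
# plus TF and DF; the kernel's own mask is not reproduced here).
USER_FLAG_MASK = (EFLAGS_CF | EFLAGS_PF | EFLAGS_AF | EFLAGS_ZF | EFLAGS_SF |
                  EFLAGS_TF | EFLAGS_DF | EFLAGS_OF)
PRIVILEGED_MASK = ~USER_FLAG_MASK & 0xFFFFFFFF


def set_eflags_unchecked(current, requested):
    """The reported behaviour: the value from PTRACE_SETREGS is stored as is."""
    return requested & 0xFFFFFFFF


def set_eflags_checked(current, requested):
    """Take only the user-changeable bits from the request and carry the
    privileged bits (IOPL, IF, ...) over from the tracee's current state."""
    return (requested & USER_FLAG_MASK) | (current & PRIVILEGED_MASK)


def iopl(eflags):
    return (eflags >> 12) & 3


def interrupts_enabled(eflags):
    return bool(eflags & EFLAGS_IF)


def demo():
    current = EFLAGS_BIT1 | EFLAGS_IF            # ordinary user task: IOPL 0, IF set
    # What an attacker would request: IOPL 3 (user-mode in/out and cli permitted),
    # IF cleared, plus an innocent CF to show that user bits still pass through.
    requested = EFLAGS_IOPL | EFLAGS_CF
    flawed = set_eflags_unchecked(current, requested)
    fixed = set_eflags_checked(current, requested)
    return {
        "flawed": (iopl(flawed), interrupts_enabled(flawed), bool(flawed & EFLAGS_CF)),
        "fixed": (iopl(fixed), interrupts_enabled(fixed), bool(fixed & EFLAGS_CF)),
    }


if __name__ == "__main__":
    for label, (level, irq_on, cf) in demo().items():
        print(f"{label:6s} IOPL={level} IF={'on' if irq_on else 'off'} CF={cf}")
```

The masked merge is the whole fix: which bits belong in the mask is a
policy question, but a write path that has no mask at all cannot be
safe, whatever the policy.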

16. ELM  frm Command Remote Buffer Overflow Vulnerability
BugTraq ID: 9430
Remote: Yes
Date Published: Jan 15 2004
Relevant URL: http://www.securityfocus.com/bid/9430
Summary:
ELM is a mail user agent for Unix.

A buffer overflow vulnerability has been reported to exist in the ELM
e-mail client that may allow a remote attacker to execute arbitrary code
on a vulnerable system.

It has been reported that a remote attacker may be able to cause a buffer
overrun condition by sending a message with an excessively long header
field.  Specifically, the issue is triggered when the mailbox containing
the maliciously crafted message is read via the 'frm' command.  The
condition exists due to insufficient boundary checking. Because of this,
it may be possible for a remote attacker to gain unauthorized access to a
system running the vulnerable software.

Successful exploitation of this vulnerability may allow a remote attacker
to execute arbitrary code in the context of the user running the affected
mail client.

Although unconfirmed, ELM versions 2.5.6 and prior may be vulnerable to
this issue.

17. QMail-SMTPD Long SMTP Session Integer Overflow Denial of Ser...
BugTraq ID: 9432
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9432
Summary:
qmail is a popular Mail Transfer Agent (MTA).

A vulnerability has been reported to exist in qmail-smtpd that may allow
a remote attacker to cause a denial of service condition in the software.
It has been reported that an attacker may be able to crash the current
qmail-smtpd session via a long SMTP request. The problem is reported to
exist due to an integer-handling bug. It has been reported that the
excessive SMTP session data causes a signed integer to wrap; this
negative value is then employed as an array subscript. A subsequent
attempt to access the out-of-bounds address based on the wrapped integer
will trigger a segmentation violation. This may be leveraged by a remote
attacker to consume resources and thereby deny service to legitimate
users.

A remote attacker may potentially exploit this vulnerability to crash or
hang a qmail SMTP session.

qmail 1.03 running on a Linux platform has been reported to be prone to
this issue, however, other versions may be affected as well.

18. SuSE 3Ddiag Insecure Temporary File Handling Symbolic Link V...
BugTraq ID: 9434
Remote: No
Date Published: Jan 15 2004
Relevant URL: http://www.securityfocus.com/bid/9434
Summary:
3Ddiag is a 3D diagnosis tool designed to evaluate the 3D hardware,
software libraries and hardware driver configuration on SuSE Linux 7.3
and greater.

A vulnerability has been found in the handling of temporary files by the
3Ddiag tool in the SuSE Linux distribution.  This issue may allow local
destruction of data on affected systems potentially leading to a loss of
sensitive data or denial of service.

This issue is due to the 3Ddiag tool failing to properly handle the
creation and state of temporary files in the /usr/bin/switch2nv,
/usr/bin/switch2nvidia and /usr/bin/3Ddiag.ignoredb applications.

The switch2nv and switch2nvidia scripts, which are used by the 3Ddiag
utility, create a file in the /tmp directory named XF86Config. An
attacker would be able to remove the temporary file and replace it with a
malicious symbolic link pointing to a target file.  When either
application is activated it will write to the link with root privileges
and without verifying the file's validity, causing the target file to be
overwritten.

The 3Ddiag.ignoredb application creates a temporary file in the /tmp/
directory named 3Ddiag.ignoredb.  An attacker can create a symbolic link
with a name corresponding to the temporary file.  When the 3Ddiag
application is activated, the target file will be overwritten with root
privileges thus causing loss of sensitive data or denial of service
against the vulnerable system.

This issue is likely only to affect personal desktop machines and poorly
configured servers as this tool is implemented to update software
libraries and hardware configurations, and is not intended for use by
remote users.  Furthermore this tool is only available for SuSE Linux 7.3
and greater.
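The same mistake underlies the three symlink issues in this summary (BID
9411, 9413 and 9434): a privileged program writes to a name in a
world-writable directory that a local user can plant a symlink at.  The
following is an added example that is not part of this newsletter or of
the SuSE or H+BEDV software: the plain open() that follows the planted
link, beside an open that refuses to (O_CREAT|O_EXCL|O_NOFOLLOW), and a
mkstemp-based creation that takes the predictable name out of the
attacker's hands.  The file names mirror the ones in the summary, but
everything is created in a throwaway directory, so the demonstration is
harmless.

```python
"""Writing to a predictable file name in a world-writable directory: the
plain open() that follows a planted symlink, beside an opener that refuses
to.  Added example; not code from SuSE or H+BEDV.  Everything happens in a
throwaway directory so the demonstration is harmless."""
import errno
import os
import tempfile


def write_following_links(path, data):
    """open(path, 'w') truncates whatever `path` resolves to.  If an attacker
    has left a symlink there, the target file is the one that gets emptied."""
    with open(path, "w") as fh:
        fh.write(data)


def write_refusing_links(path, data):
    """O_CREAT|O_EXCL fails if anything already exists at `path` (a symlink
    counts), and O_NOFOLLOW refuses to traverse a symlink in the final
    component.  Either failing is the signal that the name has been planted."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def write_unpredictable(directory, data):
    """The usual fix for a temporary file: let mkstemp choose a random name and
    create it atomically with O_EXCL, then write through the descriptor."""
    fd, path = tempfile.mkstemp(prefix=".pid_antivir_", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    base = tempfile.mkdtemp()
    target = os.path.join(base, "XF86Config")        # stands in for a root-owned config file
    tmpdir = os.path.join(base, "tmp")               # stands in for /tmp
    os.mkdir(tmpdir)
    planted = os.path.join(tmpdir, "XF86Config")     # the predictable name
    with open(target, "w") as fh:
        fh.write("original configuration\n")
    os.symlink(target, planted)                      # what the local attacker does

    write_following_links(planted, "attacker-chosen content\n")
    with open(target) as fh:
        after_unsafe = fh.read()

    with open(target, "w") as fh:                    # restore for the second run
        fh.write("original configuration\n")
    try:
        write_refusing_links(planted, "attacker-chosen content\n")
        safe_outcome = "wrote"
    except OSError as exc:
        safe_outcome = errno.errorcode.get(exc.errno, "OSError")
    with open(target) as fh:
        after_safe = fh.read()

    random_path = write_unpredictable(tmpdir, "pid 1234\n")
    return {"after_unsafe": after_unsafe, "safe_outcome": safe_outcome,
            "after_safe": after_safe,
            "random_name_is_unguessable": os.path.basename(random_path) != "XF86Config"}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Checking for the file's existence and then opening it, as the H+BEDV
summary describes, does not help: the attacker can create the link
between the check and the open.  The exclusive create makes the check and
the create one operation, and a program that keeps a fixed name must also
treat a failed exclusive create as an error rather than falling back to a
plain open.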


III. LINUX FOCUS LIST SUMMARY
-----------------------------
NO NEW POSTS FOR THE WEEK 2004-01-13 to 2004-01-20.

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL: 
http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:

SecretAgent is a file encryption and digital signature utility,
supporting cross-platform interoperability over a wide range of
platforms: Windows, Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements, regardless
of the size of your organization.

Using the latest recognized standards in encryption and digital signature
technology, SecretAgent ensures the confidentiality, integrity, and
authenticity of your data.

3. Cyber-Ark  Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:

EnCase Forensic Edition Version 4 delivers the most advanced features for
computer forensics and investigations. With an intuitive GUI and superior
performance, EnCase Version 4 provides investigators with the tools to
conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields completely
non-invasive computer forensic investigations while allowing examiners to
easily manage large volumes of computer evidence and view all relevant
files, including "deleted" files, file slack and unallocated space.

The integrated functionality of EnCase allows the examiner to perform all
functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.

5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is impossible
for a network intruder to gain access to any sensitive data stored within
the device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day with no extra hardware: just use your existing
servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to serve
your users.


V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. OSIRIS v3.0.0
By: The Shmoo Group
Relevant URL: http://osiris.shmoo.com
Platforms: BSDI, FreeBSD, Linux, MacOS, OpenBSD, UNIX, Windows 2000,
Windows NT, Windows XP
Summary:

Osiris is a host integrity management system that can be used to monitor
changes to a network of hosts over time and report those changes back to
the administrator(s). Currently, this includes monitoring any changes to
the filesystems. Osiris takes periodic snapshots of the filesystem and
stores them in a database. These databases, as well as the
configurations and logs, are all stored on a central management host.
When changes are detected, Osiris will log these events to the system
log and optionally send email to an administrator. In addition to files,
Osiris has preliminary support for the monitoring of other system
information including user lists, file system details, kernel modules,
and network interface configurations (not included in this beta
release).

2. LEAF (Bering-uClibc) v2.1rc1
By: LEAF Project Developers <leaf-devel@lists.sourceforge.net>
Relevant URL: http://download.sourceforge.net/leaf/
Platforms: Linux
Summary:

LEAF (Linux Embedded Appliance Firewall) is an easy-to-use embedded Linux
system that is meant for creating network appliances for use in small
office, home office, and home automation environments. Although it can be
used in other ways, it is primarily used as a gateway/router/firewall for
Internet leaf sites.

3. Andutteye Surveillance v1.14-1
By: andutt
Relevant URL: http://www.utterberg.com
Platforms: Linux
Summary:

Andutteye is surveillance software for Linux and Unix systems. It's used to
monitor your system, resolve local actions, and send alarms to a central
point. You can manage your client configurations, view and handle the
incoming alarms, and have FAQ entries on well known alarms.

4. Quick Spam Filter v0.9.25
By: Andrew Wood
Relevant URL: http://www.ivarch.com/programs/qsf.shtml
Platforms: Linux, POSIX
Summary:

Quick Spam Filter is a small, fast spam filter that works by learning to
recognise the words that are more likely to appear in spam than non-spam.
It is intended to be used in a procmail recipe to mark email as being
possible spam.

5. CryptoFS v0.3.1
By: Christoph Hohmann
Relevant URL: http://reboot.animeirc.de/cryptofs/
Platforms: Linux
Summary:

CryptoFS is an encryption filesystem for the Linux Userland Filesystem.
Files written to the mount point will be stored encrypted (data and
filename) in a directory on a normal filesystem.

6. Enigmail v0.83.0
By: Patrick
Relevant URL: http://enigmail.mozdev.org/thunderbird.html
Platforms: Linux, MacOS, POSIX, UNIX, Windows 2000, Windows 3.x, Windows
95/98, Windows CE, Windows NT, Windows XP
Summary:

Enigmail is a "plugin" for the mail client of Mozilla and Netscape 7.x
which allows users to access the authentication and encryption features
provided by the popular GnuPG software. Enigmail can encrypt/sign mail
when sending, and can decrypt/authenticate received mail. It can also
import/export public keys. Enigmail supports both the inline PGP format
and the PGP/MIME format, which can be used to encrypt attachments.
Enigmail is cross-platform, although binaries are supplied only for a
limited number of platforms. Enigmail uses inter-process communication to
execute GPG to carry out encryption/authentication.

------------------------------------------------------------------------