NETWORK WORLD FUSION FOCUS: JASON MESERVE on
SECURITY AND BUG PATCH ALERT
TODAY'S FOCUS: BUG ALERT: WELCOME
03/06/00

Dear Wincenty Kaminski,

Today's Focus: Bug Alert: Welcome
---------------------------------------------------------------
By Jason Meserve

Welcome to the Security and Bug Patch Alert newsletter!

Given the recent spate of high-profile denial-of-service and hack
attacks and the large number of people who have signed up for this
newsletter before this first edition has been even published, it is
clear that security is a major concern in the IT community  as it
should be.

With technology now being looked upon as a profit rather than cost
center, IT departments face more pressure to keep critical systems up
and running  as well as secure. No chief information officer or network
manager wants to have to tell the CEO that their e-commerce site has
been broken into and customer credit card data copied. Stories like that
tend to stick in a potential customer,s mind more than an expensive
Super Bowl ad.

It,s hard enough to keep up with the latest new technologies, never mind
latest security patch for your operating system or e-commerce
application. But we,re here to help.

Once a week we,ll publish a list of patches and alerts from all the
major vendors and security organizations with links to the source. We,ll
also provide other (hopefully) useful resources for the security-
conscious IT manager.

Comments and suggestions are always welcome! Send mail to
jmeserve@nww.com.


Now on with the latest patches and alerts:


Security glitch hits Foundry switches

From this week,s Network World: A security problem has cropped up in
Foundry Networks, ServerIron switches that make the devices susceptible
to denial-of-service attacks.

Read the story:
http://www.nwfusion.com/archive/2000/89454_03-06-2000.html

Download the patch:
http://www.foundrynet.com/bugTraq.html
********


New version of Apache Web server released

The Apache Server Project released Version 1.3.12 of the popular Apache
Web server this week. The new release fixes what Apache calls a cross-
site scripting problem that could allow malicious HTML tags to be
inserted into client-side scripts. Download the new version at:
http://www.apache.org/dist/
********


Problem with Linux htdig package

Both FreeBSD and Debian are reporting a problem with the htdig package
that runs on their respective platforms. The problem is with the
htsearch and could allow a user to read any file on the local machine
accessible to the user ID that the script is running under (which in
most cases is +nobody,).

For more information from Debian:
http://www.debian.org/security/

to download a patch from FreeBSD:
http://www.freebsd.org/ports/
********


nmh Linux package patched

Versions of nmh prior to 1.0.3 have a vulnerability that could allow
malicious users to modify the MIME headers in a mail message that may
cause nmh,s mshow command to execute arbitrary commands. A patch is
available at:
ftp://ftp.mhost.com/pub/nmh/nmh-1.0.3.tar.gz
********


Zombie Zapper 1.1 available

Zombie Zapper 1.1 helps shut down the Troj_Trinoo denial-of-service
client on Windows NT and Unix machines. More information at:
http://razor.bindview.com/tools/index.shtml
********


Problem with MySQL password authentication

According to the makers of FreeBSD, a vulnerability in the MySQL
database server (prior to Version 3.22.32) could allow anyone that can
connect to the database to access it without a password. More
information at:
http://www.mysql.com/Manual_chapter/manual_Privilege_system.html
********


To contact Jason Meserve:
-------------------------
Jason Meserve is a staff writer with Network World, covering search
engines, portals, videoconferencing, IP Multicast and document management.
He also oversees the "Security Alerts" page on Fusion
(http://www2.nwfusion.com/security/bulletins.html). Jason can be reached
at mailto:jmeserve@nww.com.

*********************************************************
Subscription Services

To subscribe or unsubscribe to any Network World e-mail newsletters,
go to:
http://www.nwwsubscribe.com/news/scripts/notprinteditnews.asp

To change your email address, go to:
http://www.nwwsubscribe.com/news/scripts/changeemail.asp

Subscription questions? Contact Customer Service by replying to this
message.

Other Questions/Comments

Have editorial comments? Write Jeff Caruso, Newsletter Editor, at:
mailto:jcaruso@nww.com

For advertising information, write Jamie Kalbach, Account Executive,
at: mailto:jkalbach@nww.com

Network World Fusion is part of IDG.net, the IDG Online Network.
IT All Starts Here:
http://www.idg.com

Copyright Network World, Inc., 2000