Welcome to the Network Security website at the IAS

This website is intended to bring you the latest news, how-tos, tools and resources in Information Security. Security Awareness of our Faculty, Members and Staff is key in creating a safer computing environment.

The three major Principles of Information Security, Availability, Integrity and Confidentiality, will be covered throughout the security awareness program at the Institute.  For a description of these principles, please see our About section.

In keeping with the spirit of the Institute, I encourage questions and open discussions about security.  And if you discover anything out of the ordinary, please feel free to bring it to my attention so that we can work together to create a more productive, safer environment.

Thanks,
Brian Epstein <security@ias.edu>
twitter: @epepepep


Security update release of Sendmail 8.14.4

http://www.sendmail.org/releases/8.14.4

Sendmail has released a new version which fixes a few security bugs
surrounding certificates and encryption. Various other bugs were fixed
as well.

It is recommended that vulnerable versions of Sendmail be updated to the
latest copy. As of this writing, Red Hat has not officially released an
update, but will probably release soon.

Thanks,
ep

SpamAssassin Y2K10 Rule Bug

http://spamassassin.apache.org/

A bug fixed for Y2K in SpamAssassin unfortunately left another bug for
2010. This caused the rule FH_DATE_PAST_20XX to fire on every email sent
in 2010.

Depending on how your rules are structured, this could lead to mails
being marked as spam.

SpamAssassin has a patch available which will fix this error. If you
cannot run sa-update to install the patch, you can disable this check by
putting:

score FH_DATE_PAST_20XX 0

Multiple vulnerabilities in Wireshark version 0.9.0 to 1.2.4

http://www.wireshark.org/security/wnpa-sec-2009-09.html

"It may be possible to make Wireshark crash remotely or by convincing
someone to read a malformed packet trace file."

There were three security bugs fixed in version 1.2.5 of Wireshark: SMB
and SMB2 dissectors, IPMI dissector and Daintree SNA file parser.

It is recommended that users upgrade their version of Wireshark to 1.2.5.

Mozilla patches critical, high-risk Firefox vulnerabilities

http://blogs.zdnet.com/security/?p=5137&tag=content;col1

"Mozilla has shipped Firefox 3.5.6 with patches for at least 11
documented security vulnerabilities."

It is recommended that you update your Firefox to the latest version to
fix these issues.

It should be noted that updating to 3.5.6 on my machine broke my Profile.
It could be related to an add-on that I have and may not affect you or
your users. To fix, I created a new profile from scratch.
