Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.21 (Version 3.0, Release 21). This release includes many
updated packages and bug fixes and some feature enhancements to the
EnGarde Secure Linux Installer and the SELinux policy.
In distribution since 2001, EnGarde Secure Community was one of the very
first security platforms developed entirely from open source, and has been
engineered from the ground-up to provide users and organizations with
complete, secure Web functionality, DNS, database, e-mail security and
even e-commerce.
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.20 (Version 3.0, Release 20). This release includes many
updated packages and bug fixes and some feature enhancements to the
EnGarde Secure Linux Installer and the SELinux policy.
In distribution since 2001, EnGarde Secure Community was one of the very
first security platforms developed entirely from open source, and has been
engineered from the ground-up to provide users and organizations with
complete, secure Web functionality, DNS, database, e-mail security and
even e-commerce.
This is likely the last announcement posting for today, and maybe for this month. It is to announce availability of John the Ripper 1.7.3 Pro for Linux (stable release) and 1.7.3.1 Pro for Mac OS X (currently in public beta).I'd like to thank Alain Espinosa for the optimized NTLM code, and for
kindly placing it in the public domain. This release of JtR Pro includes Alain's code with slight modifications, as well as replacement code for the password file loader; I am going to roll these into the next revision of the jumbo patch.
Have you heard John the Ripper 1.7.3 Pro for Linux was just release? Test it out for yourself and let us know what you think about this release.
Users of the open source VLC media player should download version 0.8.6i to avoid a serious vulnerability in previous releases. According to a security advisory released by the VideoLAN project, a maliciously crafted WAV file could either crash VLC or cause the execution of arbitrary code.
In common with so many vulnerabilities that can be exploited through media files, this is another buffer overflow problem.
I use VLC because it supports so many different formats but, why did this security vulnerability got so much attention in the news?
Google has thrown its weight behind a fledgling security reporting group for the open-source community.
The search engine giant, long a proponent of open-source software, is now one of three sponsors of oCERT, the Open Source Computer Emergency Response Team.
What do you think about this statement by Google? Do you think it will help Open-Source Security?
The Solar Designer from the Openwall project announced some interesting news about their project. They are joined the oCERT project which is an important project for the Linux Security. Solar Designer is creator of the popular John the Ripper password cracker and has developed many of the Openwall projects. His is one of the key players in making open source security so successful.
We have joined the oCERT project (the Open Source Computer Emergency
Response Team), in two ways: I serve on the advisory board of oCERT,
and Openwall is a registered public member of oCERT such that we can be
sure to receive notification of vulnerabilities pertaining to our
software (and, far more likely, to third-party software that we
redistribute as a part of Openwall GNU/*/Linux) that will be handled via
oCERT. Other Open Source projects are welcome to register with oCERT,
too. (We're also a member of oss-security and vendor-sec, and are
registered with the CERT/CC.) The website for oCERT is:
The SELinux Developer Summit for 2008 has been announced. It will be held in Ottawa on the 22nd of July in conjunction with the Linux Symposium. This will be an open event for developers of SELinux and Flask/TE projects, as well as those with a strong technical interest. For more details, see the SELinux Developer Summit page.
Have you heard that the 2008 SELinux Developer Summit for 2008 is going to be held in Ottawa Canada? What do you think will come out of this Summit and are you planning on going?
Engineers from CoreLabs, the research arm of Core Security, discovered that an attacker could gain complete access to a host system by exploiting this vulnerability in VMware’s desktop software products. The vulnerability could allow an attacker to create or modify executable files on the host operating system.
One of the most interesting aspects of this vulnerability however, and one that comes up again and again, is that it abuses the shared folder access, a default setting.
One of the ways to fix it is to disable this setting. Why is this an "opt-out" security feature? Shouldn't sharing folders be an "opt-in" feature? Are there other examples that you can think of where the same pattern applies?
Security is always evolving and every day there's some new way to combat threats. This 'undercover' system, as it is being called seems like it an interesting step in a new direction - especially since it can help protect against people snooping over your shoulder!
Researchers have built a prototype authentication technique that could ultimately reduce the risk of attackers hacking users' credentials via a keylogger or spyware.
The so-called Undercover system, which was built by Carnegie Mellon University faculty members and students approaches authentication differently: It hides the authentication challenges rather than the user's input or password during the authentication process.
WordPress 2.3.3 is an urgent security release. If you have registration enabled a flaw was found in the XML-RPC implementation such that a specially crafted request would allow a user to edit posts of other users on that blog. In addition to fixing this security flaw, 2.3.3 fixes a few minor bugs. If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php. Otherwise, you can get the entire release here.
Also, there is a vulnerability in the WP-Forum plugin that is being actively exploited right now. If you are using this plugin, please remove it until an update is available from its author.
