LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: April 21st, 2014
Linux Security Week: April 7th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Advisory Watch - December 3rd 2004 Print E-mail
User Rating:      How can I rate this item?
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
Linux Advisory Watch This week advisories were released for java, abiworld, cyrus, squirrelmail, libgd1, openssl, hpsockd, policycoreutils, prelink, libselinux, udev, tcpdump, samba, gaim, FreeBSD kernel, phpMyAdmin, libxpm4, kde, amavisd, open motif, linux kernel, and cyrus-imapd. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Trustix, Red Hat, and SuSE.

Open Letter to Linux Security Community

Welcome to the new LinuxSecurity.com! I must admit, I am really proud of what we have been able to accomplish over the years. LinuxSecurity.com has grown from a small idea that a couple of security geeks had in 1999, to a major and well respected Linux resource. With an all new look & feel, organizational changes, security events, and additions to our staff, we hope to better serve the Linux and open source community. Although there are many aesthetic improvements, a major part of our development has focused on creating a content structure and backend system that is easy to update.

Since the beginning, we have been able to maintain one of the largest, if not the largest and most comprehensive Linux advisory archive on the Internet. Through the years, we have scoured the net for thousands of hours to bring fresh and relevant articles, papers, and resources to you. It wasn't easy in the beginning. We had to create the site from scratch and build a community-wide reputation. The site was started in 1999, the middle of the dot-com boom. Dave Wreski, a Linux security expert and the original founder of LinuxSecurity.com had great foresight. He envisioned the widespread use of Linux as well as many other open source tools. Rather than companies spending thousands of dollars on proprietary tools, he saw a world where open source would be respected and adopted because of its flexibility and greater security through open standards and full disclosure...

Click to Read Full Text


LinuxSecurity.com Feature Extras:

Mass deploying Osiris - Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel.

AIDE and CHKROOTKIT -Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code - Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com.


Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.[ Subscribe ]

  Conectiva
  Conectiva: java plugin vulnerability
  26th, November, 2004

Jouko Pynnonen reported[2], through iDEFENSE, a vulnerability[3] in the plugin mechanism which allows remote attackers to bypass the Java sandbox through the use of javascript.

http://www.linuxsecurity.com/content/view/106930
 
  Conectiva: abiword buffer overflow vulnerability fix
  1st, December, 2004

iDefense[3] discovered[4] a buffer overflow vulnerability[5] in the wv library which could allow an attacker to execute arbitrary code with the privileges of the user running the vulnerable application.

http://www.linuxsecurity.com/content/view/117319
 
  Conectiva: cyrus-imapd Multiple vulnerabilities
  1st, December, 2004

Stefan Esser from e-matters security recently published[2] several vulnerabilities in cyrus-imapd.

http://www.linuxsecurity.com/content/view/117320
 
  Conectiva: squirrelmail cross site scripting vulnerability fix
  2nd, December, 2004

Joost Pol noticed[2] that SquirrelMail is prone to a cross site scripting issue in the decoding of encoded text in certain headers. SquirrelMail correctly decodes the specially crafted header, but doesn't sanitize the result.

http://www.linuxsecurity.com/content/view/117321
 
  Debian
  Debian: libgd1 arbitrary code execution fix
  29th, November, 2004

More potential integer overflows have been found in the GD graphics library which weren't covered by our security advisory DSA 589. They could be exploited by a specially crafted graphic and could lead to the execution of arbitrary code on the victim's machine.

http://www.linuxsecurity.com/content/view/106931
 
  Debian: libgd2 arbitrary code execution fix
  29th, November, 2004

More potential integer overflows have been found in the GD graphics library which weren't covered by our security advisory DSA 589. They could be exploited by a specially crafted graphic and could lead to the execution of arbitrary code on the victim's machine.

http://www.linuxsecurity.com/content/view/106932
 
  Debian: openssl insecure temporary file creation fix
  1st, December, 2004

Trustix developers discovered insecure temporary file creation in a supplemental script (der_chop) of the openssl package which may allow local users to overwrite files via a symlink attack.

http://www.linuxsecurity.com/content/view/117312
 
  Debian: hpsockd denial of service fix
  3rd, December, 2004

"infamous41md" discovered a buffer overflow condition in hpsockd, the socks server written at Hewlett-Packard. An exploit could cause the program to crash or may have worse effect.

http://www.linuxsecurity.com/content/view/117313
 
  Fedora
  Fedora: policycoreutils-1.18.1-2 update Resend with correct id
  30th, November, 2004

FixFiles.cron is not needed for targeted policy and needs to be reworked for strict policy. Removing prevents possible relabeling problems.

http://www.linuxsecurity.com/content/view/106953
 
  Fedora: policycoreutils-1.18.1-2 update
  30th, November, 2004

FixFiles.cron is not needed for targeted policy and needs to be reworked for strict policy. Removing prevents possible relabeling problems.

http://www.linuxsecurity.com/content/view/106952
 
  Fedora: prelink-0.3.3-0.fc3 update
  30th, November, 2004

if layout code needs to re-prelink some library, make sure all libraries that depend on it are re-prelinked too (#140081)

http://www.linuxsecurity.com/content/view/106950
 
  Fedora: libselinux-1.19.1-8 update
  30th, November, 2004

Change location of helper applications and remove some debug applications that should not have been part of the distribution.

http://www.linuxsecurity.com/content/view/106951
 
  Fedora: udev-039-10.FC3.2 update
  30th, November, 2004

Forgot to turn of debugging logging. This release speeds up udev.

http://www.linuxsecurity.com/content/view/106948
 
  Fedora: tcpdump-3.8.2-6.FC2.1 update
  30th, November, 2004

fixed nfs protocol parsing for 64 bit architectures (bug 132781)

http://www.linuxsecurity.com/content/view/106949
 
  Fedora: abiword-2.0.12-7.fc3 update
  30th, November, 2004

Fixes for tempnam usages and startup geometry crashes

http://www.linuxsecurity.com/content/view/106947
 
  Fedora: system-config-securitylevel-1.4.18-2 update
  29th, November, 2004

This fixes tracebacks introduced by the libselinux update (#139155)

http://www.linuxsecurity.com/content/view/106944
 
  Fedora: samba-3.0.9-1.fc2 update
  29th, November, 2004

This update closes two security holes: CAN-2004-0882 and CAN-2004-0930

http://www.linuxsecurity.com/content/view/106941
 
  Fedora: samba-3.0.9-1.fc3 update
  29th, November, 2004

This update closes two security holes: CAN-2004-0882 and CAN-2004-0930.

http://www.linuxsecurity.com/content/view/106942
 
  Fedora: gaim-1.0.2-0.FC2 update
  29th, November, 2004

FC2 Update

http://www.linuxsecurity.com/content/view/106943
 
  Fedora: squirrelmail-1.4.3a-6.FC2 update
  28th, November, 2004

CAN-2004-1036 Cross Site Scripting in encoded text

http://www.linuxsecurity.com/content/view/106934
 
  Fedora: squirrelmail-1.4.3a-6.FC3 update
  28th, November, 2004

CAN-2004-1036 Cross Site Scripting in encoded text

http://www.linuxsecurity.com/content/view/106935
 
  Fedora: spamassassin-3.0.1-0.FC3 update
  28th, November, 2004

Several important bug fixes in upstream release.

http://www.linuxsecurity.com/content/view/106936
 
  Fedora: system-config-date-1.7.13-0.fc3.1 update
  29th, November, 2004

enable Gujarati and Tamil translations (#140881)

http://www.linuxsecurity.com/content/view/106937
 
  FreeBSD: Kernel memory disclosure in procfs and linprocfs
  2nd, December, 2004

The implementation of the /proc/curproc/cmdline pseudofile in the procfs(5) file system on FreeBSD 4.x and 5.x, and of the /proc/self/cmdline pseudofile in the linprocfs(5) file system on FreeBSD 5.x reads a process' argument vector from the process address space. During this operation, a pointer was dereferenced directly without the necessary validation steps being performed.

http://www.linuxsecurity.com/content/view/117318
 
  Gentoo
  Gentoo: Sun and Blackdown Java Applet privilege escalation
  29th, November, 2004

The Java plug-in security in Sun and Blackdown Java environments can be bypassed to access arbitrary packages, allowing untrusted Java applets to perform unrestricted actions on the host system.

http://www.linuxsecurity.com/content/view/106945
 
  Gentoo: Open DC Hub Remote code execution
  28th, November, 2004

Open DC Hub contains a buffer overflow that can be exploited to allow remote code execution.

http://www.linuxsecurity.com/content/view/106940
 
  Gentoo: phpWebSite HTTP response splitting vulnerability
  26th, November, 2004

phpWebSite is vulnerable to possible HTTP response splitting attacks.

http://www.linuxsecurity.com/content/view/106929
 
  Gentoo: phpMyAdmin Multiple XSS vulnerabilities
  27th, November, 2004

phpMyAdmin is vulnerable to cross-site scripting attacks.

http://www.linuxsecurity.com/content/view/106939
 
  Mandrake
  Mandrake: libxpm4 correct issues with previous update
  30th, November, 2004

The previous libxpm4 update had a linking error that resulted in a missing s_popen symbol error running applications dependant on the library. In addition, the file path checking in the security updates prevented some applications, like gimp-2.0 from being able to save xpm format images.

http://www.linuxsecurity.com/content/view/106946
 
  Mandrake: kdepim various bugs fix
  27th, November, 2004

A number of bugs in kdepim are fixed with this update.

http://www.linuxsecurity.com/content/view/106938
 
  Mandrake: kdelibs various bugs fix
  26th, November, 2004

A number of bugs in kdelibs are fixed with this update.

http://www.linuxsecurity.com/content/view/106925
 
  Mandrake: kdebase various bugs fixes
  26th, November, 2004

A number of bugs in kdebase are fixed with this update.

http://www.linuxsecurity.com/content/view/106924
 
  Trustix
  Trustix: amavisd-new, anaconda, courier-imap, cyrus-imapd, cyrus-sasl, file, kernel, mkbootdisk, mys
  29th, November, 2004

Fix amavis user creation on install. Support kickstart files on FTP. Hyperthreading detection.

http://www.linuxsecurity.com/content/view/106933
 
  Red Hat
  Red Hat: openmotif image vulnerability fix
  2nd, December, 2004

Updated openmotif packages that fix flaws in the Xpm image library are now available.

http://www.linuxsecurity.com/content/view/117314
 
  Red Hat: kernel security vulnerabilities fix
  2nd, December, 2004

Updated kernel packages that fix several security issues in Red Hat Enterprise Linux 3 are now available.

http://www.linuxsecurity.com/content/view/117315
 
  SuSE
  SuSE: various kernel problems
  1st, December, 2004

Several security problems have been found and addressed by the SUSE Security Team. The following issues are present in all SUSE Linux based products.

http://www.linuxsecurity.com/content/view/117316
 
  SuSE: cyrus-imapd remote command execution
  3rd, December, 2004

Stefan Esser reported various bugs within the Cyrus IMAP Server. These include buffer overflows and out-of-bounds memory access which could allow remote attackers to execute arbitrary commands as root. The bugs occur in the pre-authentication phase, therefore an update is strongly recommended.

http://www.linuxsecurity.com/content/view/117317
 

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Fixing OpenSSL's Heartbleed flaw will take MONTHS, warns Secunia
Even the most secure cloud storage may not be so secure, study finds
Targeted Attack Uses Heartbleed to Hijack VPN Sessions
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.