LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: October 20th, 2014
Linux Advisory Watch: October 17th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Advisory Watch: February 11th 2005 Print E-mail
User Rating:      How can I rate this item?
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
Linux Advisory Watch This week, advisories were released for python, squid, php, emacs, postgres, evolution, mailman, hztty, hwbrowser, cups, hotplug, xpdf, kdegraphics, gallery, perl, and squirrelmail. The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.


Internet Productivity Suite: Open Source Security - Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more!

Are Your Servers Secure?
By Blessen Cherian

In a word, No. No machine connected to the internet is 100% secure. This doesn't mean that you are helpless. You can take measures to avoid hacks, but you cannot avoid them completely. This is like a house — when the windows and doors are open then the probability of a thief coming in is high, but if the doors and windows are closed and locked the probability of being robbed is less, but still not nil.

What is Information Security?

For our purposes, Information Security means the methods we use to protect sensitive data from unauthorized users.

Why do we need Information Security?

The entire world is rapidly becoming IT enabled. Wherever you look, computer technology has revolutionized the way things operate. Some examples are airports, seaports, telecommunication industries, and TV broadcasting, all of which are thriving as a result of the use of IT. "IT is everywhere."

A lot of sensitive information passes through the Internet, such as credit card data, mission critical server passwords, and important files. There is always a chance of some one viewing and/or modifying the data while it is in transmission. There are countless horror stories of what happens when an outsider gets someone's credit card or financial information. He or she can use it in any way they like and could even destroy you and your business by taking or destroying all your assets. As we all know "An ounce of prevention beats a pound of cure," so to avoid such critical situations, it is advisable to have a good security policy and security implementation.

Read complete feature story:
http://www.linuxsecurity.com/content/view/118211/49/

 

LinuxSecurity.com Feature Extras:

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

The Tao of Network Security Monitoring: Beyond Intrusion Detection - To be honest, this was one of the best books that I've read on network security. Others books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant.

Encrypting Shell Scripts - Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

 

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More then just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


   Debian
  Debian: New Python2.2 packages fix unauthorised XML-RPC internals access
  4th, February, 2005

For the stable distribution (woody) this problem has been fixed in version 2.2.1-4.7. No other version of Python in woody is affected.

http://www.linuxsecurity.com/content/view/118182
 
  Debian: New squid packages fix several vulnerabilities
  4th, February, 2005

LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting.

http://www.linuxsecurity.com/content/view/118184
 
  Debian: New php3 packages fix several vulnerabilities
  7th, February, 2005

Updated packages.

http://www.linuxsecurity.com/content/view/118192
 
  Debian: New emacs20 packages fix arbitrary code execution
  8th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118207
 
  Debian: New PostgreSQL packages fix arbitrary library loading
  4th, February, 2005

Upgrade

http://www.linuxsecurity.com/content/view/118186
 
  Debian: New xemacs21 packages fix arbitrary code execution
  8th, February, 2005

Updated xemacs package.

http://www.linuxsecurity.com/content/view/118210
 
  Debian: New xview packages fix potential arbitrary code execution
  9th, February, 2005

Updated Package

http://www.linuxsecurity.com/content/view/118222
 
  Debian: New evolution packages fix arbitrary code execution as root
  10th, February, 2005

Max Vozeler discovered an integer overflow in a helper application inside of Evolution, a free grouware suite. A local attacker could cause the setuid root helper to execute arbitrary code with elevated privileges.

http://www.linuxsecurity.com/content/view/118234
 
  Debian: New mailman packages fix several vulnerabilities
  10th, February, 2005

Updated

http://www.linuxsecurity.com/content/view/118235
 
  Debian: New hztty packages fix local utmp exploit
  10th, February, 2005

Updated package

http://www.linuxsecurity.com/content/view/118245
 
   Fedora
  Fedora Core 3 Update: system-config-printer-0.6.116.1.1-1
  4th, February, 2005

Bug-fix update.

http://www.linuxsecurity.com/content/view/118187
 
  Fedora Core 3 Update: hwbrowser-0.19-0.fc3.2
  4th, February, 2005

Upgrade

http://www.linuxsecurity.com/content/view/118188
 
  Fedora Core 3 Update: python-2.3.4-13.1
  4th, February, 2005

n object traversal bug was found in the Python SimpleXMLRPCServer.

http://www.linuxsecurity.com/content/view/118190
 
  Fedora Core 3 Update: postgresql-7.4.7-1.FC3.2
  7th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118202
 
  Fedora Core 2 Update: postgresql-7.4.7-1.FC2.2
  7th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118203
 
  Fedora Core 2 Update: cups-1.1.20-11.11
  8th, February, 2005

A problem with PDF handling was discovered by Chris Evans, and has been fixed. The Common Vulnerabilities and Exposures project (www.mitre.org) has assigned the name CAN-2004-0888 to this issue. FEDORA-2004-337 attempted to correct this but the patch was incomplete.

http://www.linuxsecurity.com/content/view/118212
 
  Fedora Core 3 Update: cups-1.1.22-0.rc1.8.5
  8th, February, 2005

A problem with PDF handling was discovered by Chris Evans, and has been fixed. The Common Vulnerabilities and Exposures project (www.mitre.org) has assigned the name CAN-2004-0888 to this issue. FEDORA-2004-337 attempted to correct this but the patch was incomplete.

http://www.linuxsecurity.com/content/view/118213
 
  Fedora Core 2 Update: hotplug-2004_04_01-1.1
  8th, February, 2005

This update fixes updfstab in the presence of multiple USB plug/unplug events.

http://www.linuxsecurity.com/content/view/118214
 
  Fedora Core 3 Update: emacs-21.3-21.FC3
  8th, February, 2005

This update fixes the CAN-2005-0100 movemail vulnerability and backports the latest bug fixes.

http://www.linuxsecurity.com/content/view/118219
 
  Fedora Core 2 Update: xpdf-3.00-3.8
  9th, February, 2005

Updated XPDF

http://www.linuxsecurity.com/content/view/118223
 
  Fedora Core 3 Update: xpdf-3.00-10.4
  9th, February, 2005

Updated XPDF

http://www.linuxsecurity.com/content/view/118224
 
  Fedora Core 3 Update: kdegraphics-3.3.1-2.4
  9th, February, 2005

Updated KDEGraphics

http://www.linuxsecurity.com/content/view/118225
 
  Fedora Core 2 Update: kdegraphics-3.2.2-1.4
  9th, February, 2005

Updated kdegraphics

http://www.linuxsecurity.com/content/view/118226
 
  Fedora Core 2 Update: gpdf-2.8.2-4.1
  9th, February, 2005

Updated

http://www.linuxsecurity.com/content/view/118230
 
  Fedora Core 3 Update: gpdf-2.8.2-4.2
  9th, February, 2005

Updated

http://www.linuxsecurity.com/content/view/118231
 
  Fedora Core 3 Update: mailman-2.1.5-30.fc3
  10th, February, 2005

There is a critical security flaw in Mailman 2.1.5 which will allow attackers to read arbitrary files.

http://www.linuxsecurity.com/content/view/118243
 
  Fedora Core 2 Update: mailman-2.1.5-8.fc2
  10th, February, 2005

There is a critical security flaw in Mailman 2.1.5 which will allow attackers to read arbitrary files.

http://www.linuxsecurity.com/content/view/118244
 
  Fedora Core 2 Update: mod_python-3.1.3-1.fc2.2
  10th, February, 2005

Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL.

http://www.linuxsecurity.com/content/view/118252
 
  Fedora Core 3 Update: mod_python-3.1.3-5.2
  10th, February, 2005

Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL.

http://www.linuxsecurity.com/content/view/118253
 
   Gentoo
  Gentoo: pdftohtml Vulnerabilities in included Xpdf
  9th, February, 2005

pdftohtml includes vulnerable Xpdf code to handle PDF files, making it vulnerable to execution of arbitrary code upon converting a malicious PDF file.

http://www.linuxsecurity.com/content/view/118221
 
  Gentoo: LessTif Multiple vulnerabilities in libXpm
  6th, February, 2005

Multiple vulnerabilities have been discovered in libXpm, which is included in LessTif, that can potentially lead to remote code execution.

http://www.linuxsecurity.com/content/view/118191
 
  Gentoo: PostgreSQL Local privilege escalation
  7th, February, 2005

The PostgreSQL server can be tricked by a local attacker to execute arbitrary code.

http://www.linuxsecurity.com/content/view/118199
 
  Gentoo: OpenMotif Multiple vulnerabilities in libXpm
  7th, February, 2005

Multiple vulnerabilities have been discovered in libXpm, which is included in OpenMotif, that can potentially lead to remote code execution.

http://www.linuxsecurity.com/content/view/118193
 
  Gentoo: Python Arbitrary code execution through SimpleXMLRPCServer
  8th, February, 2005

Python-based XML-RPC servers may be vulnerable to remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118216
 
  Gentoo: Python Arbitrary code execution through SimpleXMLRPCServer
  10th, February, 2005

Python-based XML-RPC servers may be vulnerable to remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118240
 
  Gentoo: Mailman Directory traversal vulnerability
  10th, February, 2005

Mailman fails to properly sanitize input, leading to information disclosure.

http://www.linuxsecurity.com/content/view/118242
 
  Gentoo: Gallery Cross-site scripting vulnerability
  10th, February, 2005

The cross-site scripting vulnerability that Gallery 1.4.4-pl5 was intended to fix, did not actually resolve the issue. The Gallery Development Team have released version 1.4.4-pl6 to properly solve this problem.

http://www.linuxsecurity.com/content/view/118251
 
  Mandrake: Updated perl-DBI packages
  8th, February, 2005

Javier Fernandez-Sanguino Pena disovered the perl5 DBI library created a temporary PID file in an insecure manner, which could be exploited by a malicious user to overwrite arbitrary files owned by the user executing the parts of the library. The updated packages have been patched to prevent these problems.

http://www.linuxsecurity.com/content/view/118217
 
   Mandrake
  Mandrake: Updated perl packages fix
  8th, February, 2005

Updated perl package.

http://www.linuxsecurity.com/content/view/118218
 
   Red Hat
  RedHat: Updated Perl packages fix security issues
  7th, February, 2005

Updated Perl packages that fix several security issues are now available for Red Hat Enterprise Linux 3.

http://www.linuxsecurity.com/content/view/118195
 
  RedHat: Updated mailman packages fix security
  10th, February, 2005

Updated mailman packages that correct a mailman security issue are now available.

http://www.linuxsecurity.com/content/view/118239
 
  RedHat: Updated kdelibs and kdebase packages correct
  10th, February, 2005

Updated kdelib and kdebase packages that resolve several security issues are now available.

http://www.linuxsecurity.com/content/view/118246
 
  RedHat: Updated mod_python package fixes security issue
  10th, February, 2005

An Updated mod_python package that fixes a security issue in the publisher handler is now available.

http://www.linuxsecurity.com/content/view/118247
 
  RedHat: Updated emacs packages fix security issue
  10th, February, 2005

Updated Emacs packages that fix a string format issue are now available.

http://www.linuxsecurity.com/content/view/118248
 
  RedHat: Updated xemacs packages fix security issue
  10th, February, 2005

Updated XEmacs packages that fix a string format issue are now available.

http://www.linuxsecurity.com/content/view/118249
 
  RedHat: Updated Squirrelmail package fixes security
  10th, February, 2005

An updated Squirrelmail package that fixes several security issues is now available for Red Hat Enterprise Linux 3.

http://www.linuxsecurity.com/content/view/118250
 
   SuSE
  SuSE: kernel bugfixes and SP1 merge
  4th, February, 2005

Two weeks ago we released the Service Pack 1 for our SUSE Linux Enterprise Server 9 product. Due to the strict code freeze we were not able to merge all the security fixes from the last kernel update on Jan23rd (SUSE-SA:2005:003) into this kernel.

http://www.linuxsecurity.com/content/view/118185
 
  SuSE: squid (SUSE-SA:2005:006)
  10th, February, 2005

The last two squid updates from February the 1st and 10th fix several vulnerabilities. The impact of them range from remote denial-of-service over cache poisoning to possible remote command execution.

http://www.linuxsecurity.com/content/view/118241
 

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Mobile Device Encryption Could Lead to a ‘Very, Very Dark Place’, FBI Director Says
What a hacker can learn about your life from the coffee shop’s Wi-Fi network
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.