Linux Advisory Watch: July 8th, 2005
Source: LinuxSecurity.com Contributors - Posted by Pax Dickinson   
This week, advisories were released for ppxp, gaim, clamav, razor, trac, zlib, bzip2, cvs, spamassassin, sudo, ht, fuse, netpbm, kernel, cryptsetup, selinux-policy, kdevelop, kde, php, gjdoc, javacc, lucene, grep, php-xmlrpc, WordPress, phpBB, realplayer, tikiwiki, and cacti. The distributors include Debian, Fedora, Gentoo, and Red Hat.

Pull the Plug Revisited: An Interview Five Years Later
By: Benjamin D. Thomas

Five years after our original interview with Brian Gemberling, founder of PullthePlug.org, we catch up with Daniel Alvarez and the rest of the site's administrative team. Its structured management and focus on the community should ensure many years of continued success. So, what is Pull the Plug?

LinuxSecurity.com: Please explain again for our readers what Pull the Plug is about. What is the concept? How does it work? Who can participate?

PullthePlug.org: The concept of PullThePlug has always been to provide an arena for like-minded individuals to discuss, train, and learn about computer security and associated technologies.

The primary focus of PullThePlug as a community is to deliver information and resources on computer security to a wide range of audiences. Some services we currently offer are war-game machines (vortex, semtex, catalyst, blackhole), mailing lists, IRC channels, and live lectures (http://www.pulltheplug.org/about/suntzu/) and repository/web hosting for research efforts (http://www.pulltheplug.org/about/rcs/).

As a result of PullThePlug being community driven (by the community, for the community), anybody can participate in some way or another. More often than not, new talents are seen when participating in our wargames or contributing to mailing lists, and people are also free to join the IRC and discuss any topic of interest, or provide ideas or services which help in furthering the community-driven learning experience.

Read Complete Article:
http://www.linuxsecurity.com/content/view/119500/49/

 

LinuxSecurity.com Feature Extras:

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is setting file and directory permissions that are far too liberal, allowing access beyond what is needed for proper system operation. A full explanation of Unix file permissions is beyond the scope of this article, so I'll assume you are familiar with tools such as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy-to-follow explanation of how to read permissions and how to set them using chmod. This guide is intended for users new to Linux security and is therefore kept very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.
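Both permissions articles above come down to the same audit: find what is writable by everyone, find shared directories that lack the sticky bit, and know every setuid/setgid binary on the box. The script below is an added example of that audit (my own, not code from either article). It assumes only a POSIX shell and find(1); the demo tree it builds under mktemp is constructed for the example, and on a real system you would run audit_permissions as root against / so that unreadable directories are covered too.

```sh
#!/bin/sh
# Added example: audit a directory tree for over-liberal permissions.
# Assumes a POSIX shell and find(1) only.

# World-writable regular files: any local user can rewrite them, which is
# fatal for scripts, configuration files and anything run from cron.
find_world_writable_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null
}

# World-writable directories without the sticky bit: any user may delete or
# rename other users' entries (the classic /tmp mistake), which is what
# symlink and race attacks against privileged programs rely on.
find_unsticky_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# setuid/setgid executables: each is a privilege boundary that belongs on a
# known, reviewed list; one you cannot account for deserves a closer look.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# One labelled line per finding, so runs can be diffed against each other.
audit_permissions() {
    find_world_writable_files "$1"         | sed 's|^|world-writable file: |'
    find_unsticky_world_writable_dirs "$1" | sed 's|^|world-writable dir, no sticky bit: |'
    find_setid_files "$1"                  | sed 's|^|setuid/setgid file: |'
}

# Constructed demo tree (not a real system layout) so the audit runs offline.
# Prints the directory it created; the caller removes it.
make_demo_tree() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/tmp-ok" "$dir/tmp-bad"
    chmod 1777 "$dir/tmp-ok"      # sticky bit set: acceptable shared directory
    chmod 0777 "$dir/tmp-bad"     # world-writable, no sticky bit: flagged
    : > "$dir/public.sh";  chmod 0666 "$dir/public.sh"    # flagged
    : > "$dir/private.sh"; chmod 0644 "$dir/private.sh"   # fine
    : > "$dir/helper";     chmod 4755 "$dir/helper"       # flagged (setuid)
    printf '%s\n' "$dir"
}

demo=$(make_demo_tree)
audit_permissions "$demo"
rm -rf "$demo"
```

On the demo tree the audit reports exactly three lines: public.sh, tmp-bad and helper. The -xdev flag keeps find on one filesystem, so run it once per mount point rather than letting it wander into /proc or NFS.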

 

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


   Debian
  Debian: New ppxp packages fix local root exploit
  4th, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119480
 
  Debian: New gaim packages fix denial of service
  5th, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119493
 
  Debian: New clamav packages fix potential DOS
  5th, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119498
 
  Debian: New razor packages fix potential DOS
  5th, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119499
 
  Debian: New trac package fixes upload/download vulnerability
  6th, July, 2005

Stefan Esser discovered an input validation flaw within Trac, a wiki and issue tracking system, that allows download/upload of files and therefore can lead to remote code execution in some configurations.

http://www.linuxsecurity.com/content/view/119506
 
  Debian: New zlib packages fix denial of service
  6th, July, 2005

An error in the way zlib handles the inflation of certain compressed files can cause a program which uses zlib to crash when opening an invalid file.

http://www.linuxsecurity.com/content/view/119509
 
  Debian: New bzip2 packages prevent decompression bomb
  7th, July, 2005

Chris Evans discovered that a specially crafted archive can trigger an infinite loop in bzip2, a high-quality block-sorting file compressor.

http://www.linuxsecurity.com/content/view/119512
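The zlib and bzip2 items above are two faces of the same problem: a decompressor handed crafted input either crashes or never finishes. Installing the fixed packages is the real remedy, but anything that decompresses untrusted data should also run the decompressor under a CPU-time ceiling and an output-size cap, so a looping or bomb-like archive fails fast instead of exhausting the host. The function below is an added example of that (my own, not part of the Debian advisories or of bzip2 or zlib). It assumes a shell whose ulimit supports -t, a head that supports -c, and a filter-style decompressor such as bzip2 -dc or gzip -dc; the demo at the end uses cat and yes as stand-ins so it runs without any compressor installed.

```sh
#!/bin/sh
# Added example: run a decompressor on untrusted input with a CPU-time ceiling
# and an output-size cap. Assumes ulimit -t, head -c, and a decompressor that
# reads stdin and writes stdout (bzip2 -dc, gzip -dc, ...).

# bounded_decompress CPU_SECONDS MAX_BYTES INPUT OUTPUT DECOMPRESSOR [ARGS...]
# Returns 0 on success, 2 when the output cap is exceeded, 3 when the
# decompressor failed or was killed by the CPU limit. OUTPUT is removed on
# failure so a partial or truncated result can never be mistaken for a good one.
bounded_decompress() {
    cpu=$1; max=$2; in=$3; out=$4; shift 4
    st=$(mktemp) || return 1
    # The subshell carries the CPU limit (SIGXCPU kills a looping decompressor).
    # Its exit status goes to a file, because the status of the pipeline as a
    # whole is head's, not the decompressor's.
    (
        ulimit -t "$cpu" || echo "warning: cannot set CPU limit" >&2
        if "$@" < "$in"; then echo 0 > "$st"; else echo $? > "$st"; fi
    ) | head -c $((max + 1)) > "$out"   # one byte past the cap reveals overflow
    rc=$(cat "$st"); rm -f "$st"
    if [ "$(wc -c < "$out")" -gt "$max" ]; then
        printf 'refusing %s: output exceeds %s bytes\n' "$in" "$max" >&2
        rm -f "$out"; return 2
    fi
    if [ "${rc:-1}" -ne 0 ]; then
        printf 'refusing %s: decompressor exited with status %s\n' "$in" "${rc:-unknown}" >&2
        rm -f "$out"; return 3
    fi
    return 0
}

# Constructed demo: cat stands in for a well-behaved decompressor, yes for one
# whose output never ends (a decompression bomb or a looping bzip2).
demo_in=$(mktemp); demo_out=$(mktemp)
printf 'hello, bounded world\n' > "$demo_in"
bounded_decompress 5 1024 "$demo_in" "$demo_out" cat && cat "$demo_out"
bounded_decompress 5 1024 "$demo_in" "$demo_out" yes || echo "rejected with status $?"
rm -f "$demo_in" "$demo_out"
```

For a real upload the call looks like bounded_decompress 30 $((256 * 1024 * 1024)) upload.tar.bz2 upload.tar bzip2 -dc. Pick the byte cap from what the application can legitimately accept, not from the compressed size: a ratio of a thousand to one is normal for zlib and bzip2 on repetitive data.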
 
  Debian: New cvs packages fix arbitrary code execution
  7th, July, 2005

Derek Price, the current maintainer of CVS, discovered a buffer overflow in the CVS server (which serves the popular Concurrent Versions System) that could lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/119523
 
  Debian: New spamassassin packages fix potential DOS
  7th, July, 2005

A vulnerability was recently found in the way that SpamAssassin parses certain email headers. This vulnerability could cause SpamAssassin to consume a large number of CPU cycles when processing messages containing these headers, leading to a potential denial of service (DOS) attack.

http://www.linuxsecurity.com/content/view/119524
 
  Debian: New sudo packages fix pathname validation race
  7th, July, 2005

A local user who has been granted permission to run commands via sudo could run arbitrary commands as a privileged user due to a flaw in sudo's pathname validation. This bug only affects configurations which have restricted user configurations prior to an ALL directive in the configuration file.

http://www.linuxsecurity.com/content/view/119525
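The advisory narrows the impact to sudoers files in which a user spec with a restricted command list is listed before a spec that grants ALL, so the first thing to know is whether your sudoers has that ordering. The check below is an added example of finding it (my own heuristic, not something from the advisory or from the sudo project). It skips comments, Defaults and alias lines, strips the (runas) list and tags such as NOPASSWD: from each user spec, and treats a command list consisting solely of ALL as an ALL spec; it does not expand Cmnd_Alias definitions, so a clean result is a hint rather than proof, and the real fix remains the updated package. The two sudoers files it builds are constructed for the example.

```sh
#!/bin/sh
# Added example: heuristic check for a sudoers file in which a restricted user
# spec precedes a spec granting ALL. Assumes POSIX sh and awk; aliases are not
# expanded. Exit status is grep-like: 0 when the ordering is found, 1 if not.

sudoers_restricted_before_all() {
    awk '
        /^[ \t]*#/                               { next }   # comment or #include
        NF == 0                                  { next }   # blank line
        /^[ \t]*(Defaults|[A-Za-z_]+_Alias)/     { next }   # Defaults and alias definitions
        {
            eq = index($0, "=")                  # "user host = (runas) cmnd, ..."
            if (eq == 0) next
            rhs = substr($0, eq + 1)
            sub(/\([^)]*\)/, "", rhs)            # drop the optional (runas) list
            while (match(rhs, /^[ \t]*[A-Z]+:/)) # drop tags such as NOPASSWD:
                rhs = substr(rhs, RLENGTH + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", rhs)
            if (rhs == "ALL") {
                if (first_restricted) {
                    printf "%s: restricted spec at line %d precedes ALL spec at line %d\n",
                           FILENAME, first_restricted, NR
                    found = 1
                }
            } else if (!first_restricted) {
                first_restricted = NR            # remember the first restricted spec
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample files (not real sudoers content). Prints the path created.
make_sample_sudoers() {    # $1 is "affected" or "reordered"
    f=$(mktemp) || return 1
    if [ "$1" = affected ]; then
        printf '%s\n' \
            '# constructed sample: restricted spec before the ALL spec' \
            'Defaults    env_reset' \
            'alice   ALL = NOPASSWD: /usr/bin/apt-get update' \
            'root    ALL = (ALL) ALL' > "$f"
    else
        printf '%s\n' \
            '# constructed sample: ALL spec first, restricted spec after it' \
            'Defaults    env_reset' \
            'root    ALL = (ALL) ALL' \
            'alice   ALL = NOPASSWD: /usr/bin/apt-get update' > "$f"
    fi
    printf '%s\n' "$f"
}

for kind in affected reordered; do
    f=$(make_sample_sudoers "$kind")
    if sudoers_restricted_before_all "$f"; then
        echo "$kind: affected ordering present"
    else
        echo "$kind: no restricted spec precedes an ALL spec"
    fi
    rm -f "$f"
done
```

Run it as sudoers_restricted_before_all /etc/sudoers (as root, since the file is mode 0440). Moving the ALL specs ahead of the restricted ones is only a stopgap; validate any edit with visudo -c before relying on it.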
 
  Debian: New ht packages fix arbitrary code execution
  8th, July, 2005

Several problems have been discovered in ht, a viewer, editor and analyser for various executables, that may lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/119530
 
  Debian: New fuse packages fix information disclosure
  8th, July, 2005

Sven Tantau discovered a security problem in fuse, a filesystem in userspace, that can be exploited by malicious local users to disclose potentially sensitive information.

http://www.linuxsecurity.com/content/view/119532
 
   Fedora
  Fedora Core 3 Update: netpbm-10.27-4.FC3.1
  1st, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119469
 
  Fedora Core 4 Update: netpbm-10.27-4.FC4.2
  1st, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119470
 
  Fedora Core 4 Update: kernel-2.6.12-1.1387_FC4
  1st, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119471
 
  Fedora Core 4 Update: cryptsetup-luks-1.0.1-0.fc4
  1st, July, 2005

This update fixes two incompatibilities: one when moving disks between 32-bit and 64-bit systems, and one when using piped passwords.

http://www.linuxsecurity.com/content/view/119472
 
  Fedora Core 3 Update: selinux-policy-targeted-1.17.30-3.16
  4th, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119482
 
  Fedora Core 4 Update: kdevelop-3.2.1-0.fc4.2
  5th, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119486
 
  Fedora Core 4 Update: kdeartwork-3.4.1-0.fc4.2
  5th, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119487
 
  Fedora Core 3 Update: kdenetwork-3.3.1-3.1
  5th, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119490
 
  Fedora Core 3 Update: php-4.3.11-2.6
  5th, July, 2005

This update includes the PEAR XML_RPC 1.3.1 package, which fixes a security issue in the XML_RPC server implementation.

http://www.linuxsecurity.com/content/view/119491
 
  Fedora Core 4 Update: php-5.0.4-10.3
  5th, July, 2005

This update includes the PEAR XML_RPC 1.3.1 package, which fixes a security issue in the XML_RPC server implementation.

http://www.linuxsecurity.com/content/view/119492
 
  Fedora Core 4 Update: gjdoc-0.7.5-3
  5th, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119494
 
  Fedora Core 4 Update: javacc-3.2-1jpp_2fc
  5th, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119495
 
  Fedora Core 4 Update: lucene-1.4.3-1jpp_3fc
  5th, July, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119496
 
  Fedora Core 4 Update: system-config-nfs-1.3.11-0.fc4.1
  7th, July, 2005

http://www.linuxsecurity.com/content/view/119516
 
  Fedora Core 3 Update: zlib-1.2.1.2-2.fc3
  7th, July, 2005

This update corrects security problem CAN-2005-2096.

http://www.linuxsecurity.com/content/view/119517
 
  Fedora Core 4 Update: zlib-1.2.2.2-4.fc4
  7th, July, 2005

This update corrects security problem CAN-2005-2096.

http://www.linuxsecurity.com/content/view/119518
 
  Fedora Core 4 Update: grep-2.5.1-48.2
  7th, July, 2005

This update fixes a regression in handling 'grep -Fw' for encodings other than UTF-8 (bug #161700).

http://www.linuxsecurity.com/content/view/119519
 
  Fedora Core 4 Update: selinux-policy-targeted-1.24-3
  7th, July, 2005

Security-enhanced Linux is a patch of the Linux® kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system.

http://www.linuxsecurity.com/content/view/119526
 
  Fedora Core 4 Update: kernel-2.6.12-1.1390_FC4
  7th, July, 2005

http://www.linuxsecurity.com/content/view/119527
 
   Gentoo
  Gentoo: PEAR XML-RPC, phpxmlrpc PHP script injection
  3rd, July, 2005

The PEAR XML-RPC and phpxmlrpc libraries allow remote attackers to execute arbitrary PHP script commands.

http://www.linuxsecurity.com/content/view/119474
 
  Gentoo: WordPress Multiple vulnerabilities
  4th, July, 2005

WordPress contains PHP script injection, cross-site scripting and path disclosure vulnerabilities.

http://www.linuxsecurity.com/content/view/119475
 
  Gentoo: phpBB Arbitrary command execution
  4th, July, 2005

A vulnerability in phpBB allows a remote attacker to execute arbitrary commands with the rights of the web server.

http://www.linuxsecurity.com/content/view/119478
 
  Gentoo: SpamAssassin 3, Vipul's Razor Denial of Service vulnerability
  4th, July, 2005

Sascha Lucas discovered that certain malformed headers could still crash Vipul's Razor.

http://www.linuxsecurity.com/content/view/119481
 
  Gentoo: RealPlayer Heap overflow vulnerability
  6th, July, 2005

RealPlayer is vulnerable to a heap overflow that could lead to remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/119503
 
  Gentoo: zlib Buffer overflow
  6th, July, 2005

A buffer overflow has been discovered in zlib, potentially resulting in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/119507
 
  Gentoo: TikiWiki Arbitrary command execution through XML-RPC
  6th, July, 2005

TikiWiki includes PHP XML-RPC code, making it vulnerable to arbitrary command execution.

http://www.linuxsecurity.com/content/view/119511
 
  Gentoo: Cacti Several vulnerabilities
  7th, July, 2005

Stefan Esser of the Hardened-PHP Project discovered that some of the recently reported vulnerabilities were fixed incorrectly, and found a new vulnerability. Cacti is vulnerable to several SQL injection, authentication bypass and file inclusion vulnerabilities.

http://www.linuxsecurity.com/content/view/119522
 
   Red Hat
  RedHat: Critical: RealPlayer security update
  5th, July, 2005

An updated RealPlayer package that fixes a buffer overflow issue is now available.

http://www.linuxsecurity.com/content/view/119497
 
  RedHat: Important: zlib security update
  6th, July, 2005

Updated zlib packages that fix a buffer overflow are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/119508
 
  RedHat: Important: php security update
  7th, July, 2005

Updated PHP packages that fix two security issues are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/119521
 
