LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: November 21st, 2014
Linux Security Week: November 17th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Advisory Watch: February 10th 2006 Print E-mail
User Rating:      How can I rate this item?
Source: LinuxSecurity.com Contributor - Posted by Benjamin D. Thomas   
Linux Advisory Watch This week advisories were released for mydns, gnocatan, ipsec-tools, adzapper, mozilla, firefox, audit, unzip, Fedora kernel, GPdf, libextractor, LibAST, gallery, ADOdb, apache, poppler, kdegraphics, xpdf, openoffice, openssh php, and groff. The distributors include Debian, Fedora, Gentoo, Mandriva, and Red Hat.


Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec


EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

The following reported bugs from bugs.engardelinux.org are fixed in this release:

    #0000048 The WebTool 'named' module does not check for duplicate zones
    #0000047 Nagios localhost ping test bug
    #0000045 SSH cannot create /root/.ssh directory as sysadm_r
    #0000042 Postfix-2.2.7's broken firewall workaround has problems - ...
    #0000041 Apache cannot talk to the MySQL socket.
    #0000039 Unable to mount /home at boot in EnGarde 3.0.3
    #0000038 Webtool automatically sets SELinux to Enforcing, even if ...
    #0000037 Support for PgSQL via WebTool
    #0000036 UPS - fails to work with selinux enabled
    #0000035 "postfix reload" fails when run by sysadm_r with selinux ...
    #0000034 tcpdump fails with selinux enabled

Several other bugs are fixed in this release as well.

New features include:

  • A new GDSN Package Management Interface in the Guardian Digital WebTool which allows you to easily browse and install packages from the EnGarde Secure Linux package archives.

  • A new Spanish (Español) translation of the Guardian Digital WebTool, courtesy of Joe Rodiguez Jr. To use this translation go into to the WebTool Configuration module, click on your username (normally 'admin'), and select Español from the drop-down.

  • New Guardian Digital WebTool modules for DHCP and UPS services. The DHCP (Dynamic Host Configuration Protocol) module allows you to run a DHCP server on your EnGarde Secure Linux machine. The UPS (Uninterruptible Power Supply) module allows you to configure and monitor a UPS connected to your EnGarde Secure Linux machine and to act as a server for other machines connected to the same UPS.

  • The latest stable versions of MySQL (5.0.18), fetchmail (6.3.2), iptables (1.3.5), mrtg (2.13.1), nmap (4.00), openssh (4.3p1), php (4.4.2), and postfix (2.2.8).

  • Several new installable packages such as amavisd-new (2.3.3), clamav (0.88), nagios (1.3), nagios-plugins (1.4.2), nrpe (2.0), postgresql (8.1.1), spamassassin, and many, many new Perl modules.

We're also happy to announce the availability of the following HOWTOs:

  • Installing Joomla! on EnGarde Secure Linux HOWTO
  • Installing PHPMyAdmin on EnGarde Secure Linux HOWTO
  • Installing PHP Applications on EnGarde Secure Linux HOWTO
  • Installing SpamAssassin, ClamAV and Amavisd-new on EnGarde HOWTO
  • Installing Squirrelmail on EnGarde Secure Linux HOWTO

All new users downloading EnGarde Secure Linux for the first time or users who use the LiveCD environment should download this release.

Users who are currently using EnGarde Secure Linux do not need to download this release -- they can update their machines via the Guardian Digital Secure Network WebTool module.

Find out more:
http://www.engardelinux.org/


LinuxSecurity.com Feature Extras:

EnGarde Secure Community 3.0.3 Released - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.3 (Version 3.0, Release 3). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


   Debian
  Debian: New mydns packages fix denial of service
  2nd, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121475
 
  Debian: New gnocatan packages fix denial of service
  3rd, February, 2006

A problem has been discovered in gnocatan, the computer version of the settlers of Catan boardgame, that can lead the server an other clients to exit via an assert, and hence does not permit the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121506
 
  Debian: New ipsec-tools packages fix denial of service
  6th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121534
 
  Debian: New adzapper packages fix denial of service
  9th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121573
 
   Fedora
  Fedora Core 4 Update: mozilla-1.7.12-1.5.2
  2nd, February, 2006

Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Igor Bukanov discovered a bug in the way Mozilla's JavaScript interpreter dereferences objects. If a user visits a malicious web page, Mozilla could crash or execute arbitrary code as the user running Mozilla. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue. moz_bug_r_a4 discovered a bug in Mozilla's XULDocument.persist() function. A malicious web page could inject arbitrary RDF data into a user's localstore.rdf file, which can cause Mozilla to execute arbitrary JavaScript when a user runs Mozilla. (CVE-2006-0296) A denial of service bug was found in the way Mozilla saves history information. If a user visits a web page with a very long title, it is possible Mozilla will crash or take a very long time to start the next time it is run. (CVE-2005-4134)

http://www.linuxsecurity.com/content/view/121496
 
  Fedora Core 4 Update: firefox-1.0.7-1.2.fc4
  2nd, February, 2006

Mozilla Firefox is an open source Web browser. Igor Bukanov discovered a bug in the way Firefox's JavaScript interpreter dereferences objects. If a user visits a malicious web page, Firefox could crash or execute arbitrary code as the user running Firefox. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue. moz_bug_r_a4 discovered a bug in Firefox's XULDocument.persist() function. A malicious web page could inject arbitrary RDF data into a user's localstore.rdf file, which can cause Firefox to execute arbitrary JavaScript when a user runs Firefox. (CVE-2006-0296) A denial of service bug was found in the way Firefox saves history information. If a user visits a web page with a very long title, it is possible Firefox will crash or take a very long time to start the next time it is run. (CVE-2005-4134)

http://www.linuxsecurity.com/content/view/121497
 
  Fedora Core 4 Update: audit-1.0.13-1.fc4
  3rd, February, 2006

This release backports some bugfixes and enhancements from the current devel branch.

http://www.linuxsecurity.com/content/view/121530
 
  Fedora Core 4 Update: unzip-5.51-13.fc4
  6th, February, 2006

This update fixes several vulnerabilities in the unzip utility.

http://www.linuxsecurity.com/content/view/121547
 
  Fedora Core 4 Update: kernel-2.6.15-1.1831_FC4
  7th, February, 2006

This update fixes a remotely exploitable denial of service attack in the icmp networking code (CVE-2006-0454). An information leak has also been fixed (CVE-2006-0095), and some debugging patches that had accidentally been left applied in the previous update have been removed, restoring the functionality of the 'quiet' argument.

http://www.linuxsecurity.com/content/view/121561
 
  Fedora Core 4 Update: audit-1.0.14-1.fc4
  8th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121571
 
   Gentoo
  Gentoo: GStreamer FFmpeg plugin Heap-based buffer overflow
  5th, February, 2006

The GStreamer FFmpeg plugin is vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.

http://www.linuxsecurity.com/content/view/121532
 
  Gentoo: Paros Default administrator password
  6th, February, 2006

Paros's database component is installed without a password, allowing execution of arbitrary system commands.

http://www.linuxsecurity.com/content/view/121541
 
  Gentoo: Xpdf, Poppler, GPdf, libextractor, pdftohtml Heap overflows
  6th, February, 2006

Xpdf, Poppler, GPdf, libextractor and pdftohtml are vulnerable to integer overflows that may be exploited to execute arbitrary code.

http://www.linuxsecurity.com/content/view/121542
 
  Gentoo: MyDNS Denial of Service
  6th, February, 2006

MyDNS contains a vulnerability that may lead to a Denial of Service attack.

http://www.linuxsecurity.com/content/view/121543
 
  Gentoo: LibAST Privilege escalation
  6th, February, 2006

A buffer overflow in LibAST may result in execution of arbitrary code with escalated privileges.

http://www.linuxsecurity.com/content/view/121544
 
  Gentoo: Gallery Cross-site scripting vulnerability
  6th, February, 2006

Gallery is possibly vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.

http://www.linuxsecurity.com/content/view/121545
 
  Gentoo: ADOdb PostgresSQL command injection
  6th, February, 2006

ADOdb is vulnerable to SQL injections if used in conjunction with a PostgreSQL database.

http://www.linuxsecurity.com/content/view/121548
 
  Gentoo: Apache Multiple vulnerabilities
  6th, February, 2006

Apache can be exploited for cross-site scripting attacks and is vulnerable to a Denial of Service attack.

http://www.linuxsecurity.com/content/view/121549
 
   Mandriva
  Mandriva: Updated libast packages fixes buffer overflow vulnerability
  2nd, February, 2006

Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1 and earlier, as used in Eterm and possibly other software, allows local users to execute arbitrary code as the utmp user via a long -X argument. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/121491
 
  Mandriva: Updated poppler packages fixes heap-based buffer overflow vulnerability
  2nd, February, 2006

Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. Poppler uses a copy of the xpdf code and as such has the same issues. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/121492
 
  Mandriva: Updated kdegraphics packages fixes heap-based buffer overflow vulnerability
  2nd, February, 2006

Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. Kdegraphics-kpdf uses a copy of the xpdf code and as such has the same issues. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/121493
 
  Mandriva: Updated xpdf packages fixes heap-based buffer overflow vulnerability
  2nd, February, 2006

Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/121494
 
  Mandriva: Updated OpenOffice.org packages fix issue with disabled hyperlinks
  2nd, February, 2006

OpenOffice.org 2.0 and earlier, when hyperlinks has been disabled, does not prevent the user from clicking the WWW-browser button in the Hyperlink dialog, which makes it easier for attackers to trick the user into bypassing intended security settings. Updated packages are patched to address this issue.

http://www.linuxsecurity.com/content/view/121495
 
  Mandriva: Updated openssh packages fix vulnerability
  6th, February, 2006

A flaw was discovered in the scp local-to-local copy implementation where filenames that contain shell metacharacters or spaces are expanded twice, which could lead to the execution of arbitrary commands if a local user could be tricked into a scp'ing a specially crafted filename.

http://www.linuxsecurity.com/content/view/121550
 
  Mandriva: Updated php packages fix vulnerability
  7th, February, 2006

A flaw in the PHP gd extension in versions prior to 4.4.1 could allow a remote attacker to bypass safe_mode and open_basedir restrictions via unknown attack vectors. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/121562
 
  Mandriva: Updated mozilla packages to address DoS vulnerability
  7th, February, 2006

Mozilla and Mozilla Firefox allow remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup. (CVE-2005-4134) The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection.

http://www.linuxsecurity.com/content/view/121563
 
  Mandriva: Updated mozilla-firefox packages to address DoS vulnerability
  7th, February, 2006

Mozilla and Mozilla Firefox allow remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup.

http://www.linuxsecurity.com/content/view/121564
 
  Mandriva: Updated groff packages fix temporary file vulnerabilities
  8th, February, 2006

The Trustix Secure Linux team discovered a vulnerability in the groffer utility, part of the groff package. It created a temporary directory in an insecure way which allowed for the exploitation of a race condition to create or overwrite files the privileges of the user invoking groffer.

http://www.linuxsecurity.com/content/view/121572
 
   Red Hat
  RedHat: Critical: mozilla security update
  2nd, February, 2006

Updated mozilla packages that fix several security bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/121482
 
  RedHat: Critical: firefox security update
  2nd, February, 2006

An updated firefox package that fixes several security bugs is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/121483
 

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.