Linux Advisory Watch: March 3rd 2006 Print E-mail
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
Linux Advisory Watch

This week, advisories were released for gpdf, pdftohtml, tutos, bmv, xpdf, module-init-tools, udev, gnupg, gawk, dhcp, system-config-netboot, xterm, GraphicsMagick, noweb, metamail, mplayer, squirrelmail, unzip, gettext, tar, heimdal, and liby2util. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and SuSE.


EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi


ARC: A Synchronous Stream Cipher from Hash Functions
By: Angelo P. E. Rosiello and Roberto Carrozzo

Abstract

We consider a simple and secure way to realize a synchronous stream cipher from iterated hash functions. It is similar to the OFB mode where the underlying block algorithm is replaced with a keyed function, adopting the secret suffix method [20]. analyzed key, keystream necessary properties assume function for be considered secure. Motivated by our analysis conjecture that most efficient break proposed or through exhaustive search keyspace K of bits, requires O(2^k) operations. Keywords: cipher, keystream, one-time pad cryptosystem, function.

1.1 Algorithm Requirements

The algorithm should have a flat keyspace allowing any random bit string to be a possible key.

The algorithm should make key management easier for software implementations.

The typed password should not become the key directly, otherwise the actual keyspace is limited to keys constructed from the 95 characters of printable ASCII.

The algorithm should be easily modifiable to satisfy minimum or maximum requirements.

Moreover, according to basic software engineering theory, the algorithm must not bind developers to a static use of pre-defined logical block functions; it is important to leave wide alternatives open during the implementation of the software [13, 17].

The algorithm should be simple to code, otherwise programmers could make implementation mistakes if the structure is too complicated [13].
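To make the construction sketched in the abstract and the requirements above concrete, here is an added Python illustration. It is not the authors' ARC code: an OFB-style keystream generator whose block cipher is replaced by a keyed hash function, with HMAC-SHA256 standing in for the paper's secret-suffix keyed function and PBKDF2-HMAC-SHA256 standing in for the password-to-key step that requirement 1.1 calls for. Both substitutions, and all function names, are assumptions made here.

```python
"""OFB-style synchronous stream cipher built from a keyed hash function.

Added illustration, not the ARC authors' code. OFB mode feeds each cipher
output block back as the next input; here the block cipher is replaced by
a keyed function F_K (HMAC-SHA256, an assumption) so that
    s_{i+1} = F_K(s_i),  keystream = s_1 || s_2 || ...
and ciphertext = plaintext XOR keystream.
"""
import hashlib
import hmac
import os

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes of keystream per block


def derive_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Turn a typed password into a full-entropy 256-bit key.

    Requirement 1.1: the password itself must never be the key, otherwise
    the effective keyspace collapses to strings of printable ASCII.
    PBKDF2-HMAC-SHA256 is an assumption for this illustration.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """Iterate the keyed function OFB-style and emit each state as keystream.

    The IV must be fresh for every message: reusing (key, iv) reuses the
    keystream, which is the classic one-time-pad failure shown below.
    """
    out = bytearray()
    state = iv
    while len(out) < nbytes:
        state = hmac.new(key, state, hashlib.sha256).digest()
        out.extend(state)
    return bytes(out[:nbytes])


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    ks = keystream(key, iv, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # synchronous stream cipher: XOR is its own inverse


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under a random IV and prepend the IV to the ciphertext."""
    iv = os.urandom(DIGEST_LEN)
    return iv + encrypt(key, iv, plaintext)


def open_(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    return decrypt(key, iv, ct)


def iv_reuse_leaks_plaintext_xor(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bool:
    """Why the IV must never repeat: c1 XOR c2 equals m1 XOR m2 under one keystream."""
    c1 = encrypt(key, iv, m1)
    c2 = encrypt(key, iv, m2)
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(m1, m2))


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    k = derive_key("correct horse battery staple", b"constructed-salt")
    blob = seal(k, b"constructed plaintext")
    assert open_(k, blob) == b"constructed plaintext"
    print("round trip ok, ciphertext length", len(blob))
```

A keystream generator on its own gives confidentiality only: flipping a ciphertext bit flips the same plaintext bit, so in practice the output of `seal` must also be authenticated (for example with a separate HMAC key) before it is trusted. The `iv_reuse_leaks_plaintext_xor` check is the defender's reminder of the one-time-pad property the abstract mentions: the keystream is only as good as the guarantee that no (key, IV) pair is used twice.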

1.2 Areas of Application

Nowadays encrypting information has become a 'must', which means that a good crypto algorithm must give to the community the possibility to manage safe data.

Practical applications pertain to:

  • Bulk Encryption: data files or a continuous data stream (e.g. important information saved on hard disks such as databases or any kind of secret document);

  • Data Transmission: many communication media need a secure way to encrypt exchanged information (e.g. Internet packets, wireless connections, radio signals, etc.);

  • Small Encryption: banks and commercial companies need secure encryption methodologies to interact with customers through small encryption technologies. Definitely, a good algorithm should be suitable for lots of disparate situations.

Read Full Paper
http://www.linuxsecurity.com/images/stories/arc-hash.pdf


LinuxSecurity.com Feature Extras:

EnGarde Secure Community 3.0.4 Released - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


   Debian
  Debian: New gpdf packages fix several vulnerabilities
  27th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121760
 
  Debian: New pdftohtml packages fix several vulnerabilities
  28th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121765
 
  Debian: New tutos package fixes several vulnerabilities
  2nd, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121790
 
  Debian: new bmv packages fix arbitrary code execution
  2nd, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121791
 
  Debian: New xpdf packages fix several problems
  2nd, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121792
 
   Fedora
  Fedora Core 4 Update: module-init-tools-3.2-0.pre9.0.FC4.4
  23rd, February, 2006

This module-init-tools adds a stub /etc/modprobe.conf.dist which is included by older /etc/modprobe.conf config files. This avoids the printing of a warning. Matrox framebuffer modules are also not autoloaded with this version.

http://www.linuxsecurity.com/content/view/121727
 
  Fedora Core 4 Update: udev-071-0.FC4.3
  23rd, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121728
 
  Fedora Core 4 Update: gnupg-1.4.2.1-3
  24th, February, 2006

The previous update, to version 1.4.2.1, could produce errors when gpg attempted to read certain keyrings produced by earlier versions of GnuPG. This update includes a fix for that bug.

http://www.linuxsecurity.com/content/view/121740
 
  Fedora Core 4 Update: gawk-3.1.4-5.4
  24th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121741
 
  Fedora Core 4 Update: util-linux-2.12p-9.14
  27th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121759
 
  Fedora Core 4 Update: dhcp-3.0.2-34.FC4
  1st, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121787
 
  Fedora Core 4 Update: system-config-netboot-0.1.38-2_FC4
  1st, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121788
 
  Fedora Core 4 Update: xterm-208-2.FC4
  1st, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121789
 
   Gentoo
  Gentoo: GraphicsMagick Format string vulnerability
  26th, February, 2006

A vulnerability in GraphicsMagick allows attackers to crash the application and potentially execute arbitrary code.

http://www.linuxsecurity.com/content/view/121750
 
  Gentoo: noweb Insecure temporary file creation
  26th, February, 2006

noweb is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.

http://www.linuxsecurity.com/content/view/121751
 
   Mandriva
  Mandriva: Updated metamail packages fix vulnerability
  23rd, February, 2006

Ulf Harnhammar discovered a buffer overflow vulnerability in the way that metamail handles certain mail messages. An attacker could create a carefully-crafted message that, when parsed via metamail, could execute arbitrary code with the privileges of the user running metamail.

http://www.linuxsecurity.com/content/view/121722
 
  Mandriva: Updated mplayer packages fix integer overflow vulnerabilities
  24th, February, 2006

Multiple integer overflows in (1) the new_demux_packet function in demuxer.h and (2) the demux_asf_read_packet function in demux_asf.c in MPlayer 1.0pre7try2 and earlier allow remote attackers to execute arbitrary code via an ASF file with a large packet length value. The updated packages have been patched to prevent this problem.

http://www.linuxsecurity.com/content/view/121749
 
  Mandriva: Updated squirrelmail packages fix vulnerabilities
  27th, February, 2006

Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS. (CVE-2006-0188)

http://www.linuxsecurity.com/content/view/121763
 
  Mandriva: Updated unzip packages fix vulnerabilities
  28th, February, 2006

A buffer overflow was found in how unzip handles file name arguments. If a user could be tricked into processing a specially crafted, excessively long file name with unzip, an attacker could execute arbitrary code with the user's privileges.

http://www.linuxsecurity.com/content/view/121764
 
  Mandriva: Updated gettext packages fix temporary file vulnerabilities
  28th, February, 2006

The Trustix developers discovered temporary file vulnerabilities in the autopoint and gettextize scripts, part of GNU gettext. These scripts insecurely created temporary files which could allow a malicious user to overwrite another user's files via a symlink attack. The updated packages have been patched to address this issue.

http://www.linuxsecurity.com/content/view/121776
 
   Red Hat
  RedHat: Moderate: tar security update
  1st, March, 2006

An updated tar package that fixes a buffer overflow bug is now available for Red Hat Enterprise Linux 4. This update has been rated as having Moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/121781
 
   SuSE
  SuSE: heimdal (SUSE-SA:2006:010)
  24th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121738
 
  SuSE: heimdal (SUSE-SA:2006:011)
  24th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121739
 
  SuSE: kernel various security problems
  27th, February, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121756
 
  SuSE: gpg,liby2util signature checking
  1st, March, 2006

Updated package.

http://www.linuxsecurity.com/content/view/121777
 
