LinuxSecurity.com
Linux Advisory Watch: April 14th 2006
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
Linux Advisory Watch: This week, advisories were released for dia, sash, mailman, libimager, libphp, moodle, cacti, sudo, zope, horde, xscreensaver, gnome, alsa-utils, system-config-printer, xsane, cairo, subversion, netpbm, gnbd-kernel, shadow-utils, cman-kernel, ghostscript, checkpolicy, libsemanage, selinux-policy, eclipse-changelog, gaim, squirrelmail, ClamAV, mplayer, and openvpn. The distributors include Debian, Fedora, Gentoo, Mandriva, and SuSE.


EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high-availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi


Developing A Security Policy

Create a simple, generic policy for your system that your users can readily understand and follow. It should protect the data you're safeguarding, as well as the privacy of the users. Some things to consider adding are who has access to the system (Can my friend use my account?), who's allowed to install software on the system, who owns what data, disaster recovery, and appropriate use of the system.

A generally accepted security policy starts with the phrase: "That which is not expressly permitted is prohibited."

This means that unless you grant access to a service for a user, that user shouldn't be using that service until you do grant access. Make sure the policies work on your regular user account. Saying "Ah, I can't figure this permissions problem out, I'll just do it as root" can lead to security holes, both very obvious ones and ones that haven't been exploited yet.

Additionally, there are several questions you will need to answer to successfully develop a security policy:

  • What level of security do your users expect?
  • How much is there to protect, and what is it worth?
  • Can you afford the down-time of an intrusion?
  • Should there be different levels of security for different groups?
  • Do you trust your internal users?
  • Have you found the balance between acceptable risk and security?

You should also develop a plan for who to contact when there is a security problem that needs attention.

There are quite a few documents available on developing a Site Security Policy. You can start with the SANS Security Policy Project.

http://www.sans.org/resources/policies/

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html Written by: Dave Wreski (dave@guardiandigital.com)


LinuxSecurity.com Feature Extras:

EnGarde Secure Community 3.0.4 Released - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


   Debian
  Debian: New dia packages fix arbitrary code execution
  6th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122244
 
  Debian: New sash packages fix potential arbitrary code execution
  6th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122245
 
  Debian: New mailman packages fix denial of service
  6th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122246
 
  Debian: New libimager-perl packages fix denial of service
  7th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122274
 
  Debian: New libphp-adodb packages fix several vulnerabilities
  8th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122279
 
  Debian: New moodle packages fix several vulnerabilities
  8th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122280
 
  Debian: New cacti packages fix several vulnerabilities
  8th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122281
 
  Debian: New sudo packages fix privilege escalation
  8th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122282
 
  Debian: New zope-cmfplone packages fix unprivileged data manipulation
  12th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122324
 
  Debian: New horde3 packages fix several vulnerabilities
  12th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122327
 
   Fedora
  Fedora Core 5 Update: xscreensaver-4.24-2
  6th, April, 2006

Don't leak zombie processes with the GL SlideShow ScreenSaver

http://www.linuxsecurity.com/content/view/122254
 
  Fedora Core 5 Update: GConf2-2.14.0-1
  6th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122255
 
  Fedora Core 5 Update: liboil-0.3.8-1.fc5
  6th, April, 2006

This update rebases liboil to 0.3.8 to help resolve issues required by packages in Fedora Extras.

http://www.linuxsecurity.com/content/view/122256
 
  Fedora Core 5 Update: gnome-screensaver-2.14.0-1.fc5
  6th, April, 2006

This update corrects a problem where kerberos credentials weren't being properly refreshed when a user successfully authenticates in the unlock dialog.

http://www.linuxsecurity.com/content/view/122257
 
  Fedora Core 5 Update: alsa-utils-1.0.11-4.rc2
  6th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122258
 
  Fedora Core 5 Update: system-config-printer-0.6.151.2-1
  6th, April, 2006

With no configured printers, it was not possible to disable automatic browsing for shared printers.

http://www.linuxsecurity.com/content/view/122259
 
  Fedora Core 5 Update: gnome-screensaver-2.14.0-1.fc5.1
  6th, April, 2006

This update fixes problems detecting idle activity.

http://www.linuxsecurity.com/content/view/122260
 
  Fedora Core 5 Update: xsane-0.99-2.2.fc5.4
  7th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122269
 
  Fedora Core 5 Update: cairo-1.0.4-1
  7th, April, 2006

An updated version of the cairo package fixes several bugs, among them a bug which could lead to Pango crashes with corrupt fonts.

http://www.linuxsecurity.com/content/view/122270
 
  Fedora Core 4 Update: sane-backends-1.0.17-0.fc4.2
  7th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122271
 
  Fedora Core 5 Update: subversion-1.3.1-2.1
  7th, April, 2006

This update includes the latest upstream release of Subversion, version 1.3.1. This release includes a number of minor bug fixes and improvements.

http://www.linuxsecurity.com/content/view/122272
 
  Fedora Core 5 Update: netpbm-10.33-0.fc5
  7th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122273
 
  Fedora Core 5 Update: gnbd-kernel-2.6.15-5.FC5.25
  8th, April, 2006

Packages update to the latest kernel (2.6.16-1.2080_FC5) and now include xen packages for x86_64.

http://www.linuxsecurity.com/content/view/122283
 
  Fedora Core 4 Update: netpbm-10.33-0.FC4
  8th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122284
 
  Fedora Core 5 Update: shadow-utils-4.0.14-6.FC5
  8th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122285
 
  Fedora Core 5 Update: cman-kernel-2.6.15.1-0.FC5.18
  8th, April, 2006

Packages update to the latest kernel (2.6.16-1.2080_FC5) and now include xen packages for x86_64.

http://www.linuxsecurity.com/content/view/122286
 
  Fedora Core 5 Update: dlm-kernel-2.6.15.1-0.FC5.16
  8th, April, 2006

Packages update to the latest kernel (2.6.16-1.2080_FC5) and now include xen packages for x86_64.

http://www.linuxsecurity.com/content/view/122287
 
  Fedora Core 5 Update: GFS-kernel-2.6.15.1-5.FC5.19
  8th, April, 2006

Packages update to the latest kernel (2.6.16-1.2080_FC5) and now include xen packages for x86_64.

http://www.linuxsecurity.com/content/view/122288
 
  Fedora Core 5 Update: ghostscript-8.15.1-7.2
  10th, April, 2006

A problem with converting PS and EPS files into PDF has been fixed. Also, Japanese fonts have been added to the default font path.

http://www.linuxsecurity.com/content/view/122300
 
  Fedora Core 5 Update: checkpolicy-1.30.3-1.fc5
  11th, April, 2006

Update SELinux policy to current rawhide to fix many policy problems

http://www.linuxsecurity.com/content/view/122309
 
  Fedora Core 5 Update: libsemanage-1.6.2-2.fc5
  11th, April, 2006

Update SELinux policy to current rawhide to fix many policy problems

http://www.linuxsecurity.com/content/view/122310
 
  Fedora Core 5 Update: libsepol-1.12.4-1.fc5
  11th, April, 2006

Update SELinux policy to current rawhide to fix many policy problems

http://www.linuxsecurity.com/content/view/122311
 
  Fedora Core 5 Update: selinux-policy-2.2.29-3.fc5
  11th, April, 2006

Update SELinux policy to current rawhide to fix many policy problems

http://www.linuxsecurity.com/content/view/122312
 
  Fedora Core 5 Update: eclipse-changelog-2.0.2_fc-1
  11th, April, 2006

This is a bug-fix update for the Eclipse ChangeLog plugin. It includes fixes to the formatting of multiple ChangeLog entries by the same person.

http://www.linuxsecurity.com/content/view/122314
 
  Fedora Core 4 Update: gaim-1.5.0-16.fc4
  11th, April, 2006

This update fixes Bug #185222 where gaim would crash when you use the buddy blocking feature with the MSN protocol. It also contains a minor logging fix.

http://www.linuxsecurity.com/content/view/122315
 
  Fedora Core 5 Update: gaim-1.5.0-16.fc5
  11th, April, 2006

This update fixes Bug #185222 where gaim would crash when you use the buddy blocking feature with the MSN protocol.

http://www.linuxsecurity.com/content/view/122316
 
  Fedora Core 4 Update: squirrelmail-1.4.6-5.fc4
  12th, April, 2006

This update reverts the Squirrelmail encoding behavior for Chinese and Korean languages, in addition to the Japanese fix of the previous update.

http://www.linuxsecurity.com/content/view/122325
 
  Fedora Core 5 Update: squirrelmail-1.4.6-5.fc5
  12th, April, 2006

This update reverts the Squirrelmail encoding behavior for Chinese and Korean languages, in addition to the Japanese fix of the previous update.

http://www.linuxsecurity.com/content/view/122326
 
   Gentoo
  Gentoo: ClamAV Multiple vulnerabilities
  7th, April, 2006  

ClamAV contains multiple vulnerabilities that could lead to remote execution of arbitrary code or cause an application crash.

http://www.linuxsecurity.com/content/view/122275
 
   Mandriva
  Mandriva: Updated clamav packages fix vulnerabilities
  7th, April, 2006

Damian Put discovered an integer overflow in the PE header parser in ClamAV that could be exploited if the ArchiveMaxFileSize option was disabled (CVE-2006-1614).

http://www.linuxsecurity.com/content/view/122276
 
  Mandriva: Updated mplayer packages fix integer overflow vulnerabilities
  7th, April, 2006

Multiple integer overflows in MPlayer 1.0pre7try2 allow remote attackers to cause a denial of service and trigger heap-based buffer overflows via (1) a certain ASF file handled by asfheader.c that causes the asf_descrambling function to be passed a negative integer after the conversion from a char to an int or (2) an AVI file with a crafted wLongsPerEntry or nEntriesInUse value in the indx chunk, which is handled in aviheader.c.

http://www.linuxsecurity.com/content/view/122277
 
  Mandriva: Updated openvpn packages fix vulnerability
  10th, April, 2006

A vulnerability in OpenVPN 2.0 through 2.0.5 allows a malicious server to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable. Updated packages have been patched to correct this issue by removing setenv support.

http://www.linuxsecurity.com/content/view/122302
 
  Mandriva: Updated openvpn packages fix vulnerability
  10th, April, 2006

Tavis Ormandy of the Gentoo Security Project discovered a vulnerability in zlib where a certain data stream would cause zlib to corrupt a data structure, resulting in the linked application to dump core (CVE-2005-2096).

http://www.linuxsecurity.com/content/view/122303
 
  Mandriva: Updated xscreensaver packages fix clear-text password vulnerability
  11th, April, 2006

Rdesktop, with xscreensaver < 4.18, does not release the keyboard focus when xscreensaver starts, which causes the password to be entered into the active window when the user unlocks the screen. Updated xscreensaver packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/122313
 
   SuSE
  SuSE: clamav various problems
  11th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122308
 

(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.