LinuxSecurity.com
Linux Advisory Watch: June 9th 2006
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, advisories were released for motor, typespeed, lynx-cur, xmcd, postgresql, centericq, freeradius, spamassassin, dia, tetex, squirrelmail, mc, gdm, gnome-panel, dovecot, evolution, xorg-x11, libtiff, openldap, MySQL, quagga, zebra, cron, the kernel, and rug. The distributors include Debian, Fedora, Mandriva, Red Hat, and SuSE.


Security on your mind?

Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.

The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates.

The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.

http://www.engardelinux.org/modules/index/register.cgi


EnGarde Secure Linux v3.0.7 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.

  • A new package (hwlister) which can be used to generate an inventory of all the hardware in your system. This package is now installed by default with EnGarde Secure Linux. PHP was rebuilt with cURL support and a race condition was fixed in shadow-utils.
  • The latest stable versions of: MySQL (5.0.22), apache (2.0.58), asterisk (1.2.8), bacula (1.38.9), imap (2004g), openssl (0.9.8b), php5 (5.1.4), postfix (2.2.10), snort (2.4.4), sudo (1.6.8p12), syslog-ng (1.6.11), vim (6.4.010), and zaptel (1.2.6).
  • Several new packages:
  • binstats (1.08) Binstats is a statistics generation tool for installed programs. It is also useful for cleaning up a system by helping find duplicate executables, unused libraries, statically linked binaries and duplicate man pages.
  • bitchx (1.1) BitchX is an IRC (Internet Relay Chat) client that is based on ircII (but heavily modified). It is ncurses based and allows the user to get onto IRC without requiring the use of GUI client.
  • bittorrent (4.9.2) BitTorrent is a peer-to-peer file distribution protocol. Unlike a regular download, a transfer gets faster as more people download the same file at once, because each downloader also uploads the pieces it already has to the others.
  • ethereal (0.99.0) Ethereal is a network protocol analyzer. This version is ncurses based and allows the user to examine and capture data from a live network.
  • hyperion (1.0.2) Hyperion is an IRC daemon that allows clients to connect to it. This is the server that is used by Freenode.
  • john (1.7.0.2) "John" is a password cracker whose primary purpose is to detect weak passwords in order to strengthen the overall security of a system.
  • libapache-mod_fcgid (1.09) mod_fcgid is an apache web server module that acts as a binary compatibility alternative to mod_fastcgi. It comes with a new process management strategy.
  • libapache-mod_mono (1.1.14) mod_mono is an apache web server module that provides ASP.NET support for the apache web server.
  • libapache-mod_security (1.9.3) mod_security is an apache web server module that acts as an intrusion detection and prevention engine for web applications. It provides another line of defense between clients and improperly coded web applications.
  • makejail (0.0.5) Makejail, in conjunction with binstats, determines which binaries a program is going to need to be chrooted and creates a chroot jail for it.
  • mc (4.6.0) Midnight Commander is a console based ncurses visual file manager similar to Norton Commander. It has built-in support for archives, FTP sites, and many other file types.
  • paketto (1.10) The Paketto Keiretsu is a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. scanrand is said to be faster than nmap and more useful in some scenarios.
  • psad (1.4.5) PSAD is a collection of utilities that work with the Linux firewalling code (iptables) to detect port scans and other suspect traffic. It also lets you configure threshold levels based on how stringent your ruleset is.
  • slat (2.0) SLAT provides a systematic way of determining if your SE Linux policy achieves your desired security goal. This is a useful tool when creating or modifying SELinux policy.

    All new users downloading EnGarde Secure Linux for the first time or users who use the LiveCD environment should download this release.

    Users who are currently using EnGarde Secure Linux do not need to download this release -- they can update their machines via the Guardian Digital Secure Network WebTool module.

    http://www.linuxsecurity.com/content/view/123016/65/


    LinuxSecurity.com Feature Extras:

    Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

    Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

    Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


       Debian
      Debian: New motor packages fix arbitrary code execution
      31st, May, 2006

    Updated package.

    http://www.linuxsecurity.com/content/view/122940
     
      Debian: New typespeed packages fix arbitrary code execution
      31st, May, 2006

    Niko Tyni discovered a buffer overflow in the processing of network data in typespeed, a game for testing and improving typing speed, which could lead to the execution of arbitrary code.

    http://www.linuxsecurity.com/content/view/122948
     
      Debian: New lynx-cur packages fix several vulnerabilities
      1st, June, 2006

    Updated package.

    http://www.linuxsecurity.com/content/view/122956
     
      Debian: New xmcd packages fix denial of service
      2nd, June, 2006

    xmcdconfig creates directories world-writable, allowing local users to fill the /usr and /var partitions and hence cause a denial of service. This problem has only been partially fixed since version 2.3-1.

    http://www.linuxsecurity.com/content/view/122971
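    The permissions feature above and this xmcd advisory describe the same class of mistake: modes that let every local user write where they should not. As an added example (not code from linuxsecurity.com, xmcd or Debian), the Python below audits a directory tree for world-writable files, world-writable directories that lack the sticky bit, and setuid/setgid executables. The function names (classify, audit_tree, build_sample_tree) are this example's own, and the sample tree it builds is constructed to exercise each case.

```python
"""Audit a tree for over-liberal permissions: world-writable files and
directories (sticky bit or not) and setuid/setgid executables.  Added
illustration, not code from the newsletter or from xmcd."""
from __future__ import annotations

import os
import stat
import tempfile


def classify(mode: int, is_dir: bool) -> list[str]:
    """Return the findings for one st_mode value, or [] if nothing is wrong."""
    findings = []
    world_writable = bool(mode & stat.S_IWOTH)
    if is_dir:
        if world_writable and not mode & stat.S_ISVTX:
            # Any local user can create, rename or delete entries here: the
            # xmcd advisory's disk-filling DoS, plus symlink and rename tricks.
            findings.append("world-writable directory without sticky bit")
        elif world_writable:
            # Sticky bit limits deletion to the owner, but anyone can still
            # fill the partition, so it is worth listing separately.
            findings.append("world-writable directory (sticky)")
    else:
        if world_writable:
            findings.append("world-writable file")
        if mode & stat.S_ISUID:
            findings.append("setuid")
        if mode & stat.S_ISGID:
            findings.append("setgid")
    return findings


def audit_tree(root: str) -> dict[str, list[str]]:
    """Walk root without following symlinks; map relative path -> findings."""
    report: dict[str, list[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is meaningless; the target is audited where it lives
            findings = classify(st.st_mode, stat.S_ISDIR(st.st_mode))
            if findings:
                report[os.path.relpath(full, root)] = findings
    return report


def build_sample_tree() -> str:
    """Constructed sample: a cache directory created world-writable the way
    the xmcd advisory describes, a sticky shared directory, a world-writable
    config file and a correctly restricted one.  Returns the temp root."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    cache = os.path.join(root, "cache")
    os.mkdir(cache)
    os.chmod(cache, 0o777)          # the mistake: rwxrwxrwx, no sticky bit
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)        # /tmp-style: world-writable but sticky
    for name, mode in (("app.conf", 0o666), ("private.conf", 0o600)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("key=value\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for path, problems in sorted(audit_tree(build_sample_tree()).items()):
        print(f"{path}: {', '.join(problems)}")
```

    On a real system run audit_tree() over /usr, /var or /etc rather than the constructed tree; expect a handful of legitimate hits (sticky /var/tmp-style directories and the standard setuid binaries such as passwd) and treat everything else as a finding to chown or chmod.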
     
      Debian: New PostgreSQL packages fix encoding vulnerabilities
      3rd, June, 2006

    Updated package.

    http://www.linuxsecurity.com/content/view/122984
     
      Debian: New centericq packages fix arbitrary code execution
      3rd, June, 2006

    Updated package.

    http://www.linuxsecurity.com/content/view/122985
     
      Debian: New freeradius packages fix arbitrary code execution
      3rd, June, 2006

    Updated package.

    http://www.linuxsecurity.com/content/view/122986
     
      Debian: New spamassassin packages fix remote command execution
      6th, June, 2006

    Updated package.

    http://www.linuxsecurity.com/content/view/123002
     
       Fedora
      Fedora Extras 5 update: dia-0.95-3
      6th, June, 2006

    This update fixes CVE-2006-1550, CVE-2006-2453, CVE-2006-2480.

    http://www.linuxsecurity.com/content/view/123007
     
      Fedora Core 4 Update: spamassassin-3.0.6-1.fc4
      6th, June, 2006

    Resolves CVE-2006-2447. Note that you are affected by this bug only if you launched spamd with both --vpopmail and --paranoid, which is not a common configuration.

    http://www.linuxsecurity.com/content/view/123011
     
      Fedora Core 5 Update: spamassassin-3.1.3-1.fc5
      6th, June, 2006

    3.1.3 resolves CVE-2006-2447. Note that you are affected by this bug only if you launched spamd with both --vpopmail and --paranoid, which is not a common configuration. Also included are bug fixes from 3.1.2.

    http://www.linuxsecurity.com/content/view/123015
     
      Fedora Core 4 Update: tetex-3.0-10.FC4
      7th, June, 2006

    Updated package.

    http://www.linuxsecurity.com/content/view/123033
     
      Fedora Core 4 Update: squirrelmail-1.4.6-7.fc4
      7th, June, 2006

    CVE-2006-2842: SquirrelMail file inclusion vulnerability.

    http://www.linuxsecurity.com/content/view/123034
     
      Fedora Core 5 Update: mc-4.6.1a-13.FC5
      7th, June, 2006

    Updated package.

    http://www.linuxsecurity.com/content/view/123035
     
      Fedora Core 5 Update: gdm-2.14.4-1.fc5.3
      7th, June, 2006

    This update resolves an issue in gdm-2.14.4-1.fc5.2 where GDM would choose the wrong X server path.

    http://www.linuxsecurity.com/content/view/123036
     
      Fedora Core 5 Update: gnome-panel-2.14.2-1.fc5.1
      7th, June, 2006

    The gnome-panel package has been rebuilt against the latest evolution-data-server package.

    http://www.linuxsecurity.com/content/view/123037
     
      Fedora Core 5 Update: squirrelmail-1.4.6-7.fc5
      7th, June, 2006

    CVE-2006-2842: SquirrelMail file inclusion vulnerability.

    http://www.linuxsecurity.com/content/view/123038
     
      Fedora Core 5 Update: dovecot-1.0-0.beta8.1.fc5
      7th, June, 2006

    Updated package.

    http://www.linuxsecurity.com/content/view/123039
     
       Mandriva
      Mandriva: Updated evolution packages fix DoS (crash) vulnerability on certain messages.
      1st, June, 2006

    Evolution, as shipped in Mandriva Linux 2006.0, can crash when displaying certain carefully crafted images if the "Load images if sender is in address book" option is enabled in Edit | Preferences | Mail Preferences | HTML.

    http://www.linuxsecurity.com/content/view/122966
     
      Mandriva: Updated xorg-x11 packages to address bug with keyboard layouts.
      5th, June, 2006

    A misapplied patch in a recent X.org update caused keyboard layout problems, which left some users unable to use the CTRL-ALT-function key combination to switch to a console, as well as other keyboard mapping issues. Updated packages have been re-patched to correct these issues.

    http://www.linuxsecurity.com/content/view/123000
     
      Mandriva: Updated libtiff packages fix tiffsplit vulnerability
      5th, June, 2006

    A stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might allow attackers to execute arbitrary code via a long filename.

    http://www.linuxsecurity.com/content/view/123001
     
      Mandriva: Updated openldap packages fix buffer overflow vulnerability.
      7th, June, 2006

    A stack-based buffer overflow in st.c in slurpd for OpenLDAP might allow attackers to execute arbitrary code via a long hostname. Packages have been patched to correct this issue.

    http://www.linuxsecurity.com/content/view/123029
     
      Mandriva: Updated MySQL packages fix SQL injection vulnerability.
      7th, June, 2006

    SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x before 5.0.22 allows context-dependent attackers to execute arbitrary SQL commands via crafted multibyte encodings in character sets such as SJIS, BIG5, and GBK, which are not properly handled when the mysql_real_escape_string() function is used to escape the input. MySQL 4.0.18 in Corporate 3.0 and MNF 2.0 is not affected by this issue. Packages have been patched to correct this issue.

    http://www.linuxsecurity.com/content/view/123030
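    The mechanism behind this advisory, as an added example that is not part of the original newsletter and not MySQL's source: a small Python model of byte-wise versus charset-aware escaping, and of a GBK-aware string lexer before and after the server-side fix. The GBK lead/trail byte ranges are those of the charset; the escaper and lexer are simplified models whose names (naive_escape, gbk_aware_escape, literal_closes_early, demo) are this example's own, and the attacker input is constructed. SJIS and BIG5 behave the same way with their own byte ranges.

```python
"""Model of the multibyte escaping flaw: byte-wise escaping of GBK input can
turn an invalid two-byte sequence (0xBF 0x27) into a valid GBK character
(0xBF 0x5C) that swallows the inserted backslash, leaving a bare quote that
closes the SQL string literal.  Illustration only, not MySQL's code."""


def gbk_is_head(b: int) -> bool:
    return 0x81 <= b <= 0xFE


def gbk_is_tail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE


def gbk_mb_len(data: bytes, i: int) -> int:
    """2 if a valid GBK character starts at data[i], else 0."""
    if i + 1 < len(data) and gbk_is_head(data[i]) and gbk_is_tail(data[i + 1]):
        return 2
    return 0


# Bytes a SQL string escaper rewrites, with their escaped forms.
SPECIALS = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0",
            0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z"}


def naive_escape(data: bytes) -> bytes:
    """Byte-wise, charset-unaware escaping: addslashes(), or an escape routine
    run in a single-byte charset while the server parses the query as GBK."""
    return b"".join(SPECIALS.get(b, bytes([b])) for b in data)


def gbk_aware_escape(data: bytes) -> bytes:
    """Charset-aware escaping in the style of the fixed client routine: a valid
    GBK character passes through untouched; a lead byte that does NOT start a
    valid character is itself escaped, so no later backslash can complete it."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = gbk_mb_len(data, i)
        if n:
            out += data[i:i + n]
            i += n
            continue
        b = data[i]
        if gbk_is_head(b):
            out += b"\\" + bytes([b])      # orphan lead byte: escape it
        else:
            out += SPECIALS.get(b, bytes([b]))
        i += 1
    return bytes(out)


def literal_closes_early(payload: bytes, backslash_escapes_mb: bool) -> bool:
    """Walk the bytes inside a '...' literal as a GBK-aware lexer would and
    report whether an unescaped quote shows up, i.e. whether the payload
    breaks out of the literal.  backslash_escapes_mb=True models the pre-fix
    server, where a backslash followed by a valid GBK character escapes the
    whole character; False models the fixed server, where a backslash
    escapes exactly one byte."""
    i, n = 0, len(payload)
    while i < n:
        m = gbk_mb_len(payload, i)
        if m:
            i += m                          # a whole GBK character, never a quote
            continue
        b = payload[i]
        if b == 0x5C:
            i += 1
            if i >= n:
                return False
            m = gbk_mb_len(payload, i) if backslash_escapes_mb else 0
            i += m if m else 1
            continue
        if b == 0x27:
            return True
        i += 1
    return False


# Constructed attacker input: an orphan GBK lead byte followed by a quote.
ATTACK = b"\xbf'"


def demo() -> dict:
    """Escaper x server matrix: True means the literal is closed early."""
    return {
        "naive_old_server": literal_closes_early(naive_escape(ATTACK), True),
        "naive_fixed_server": literal_closes_early(naive_escape(ATTACK), False),
        "aware_old_server": literal_closes_early(gbk_aware_escape(ATTACK), True),
        "aware_fixed_server": literal_closes_early(gbk_aware_escape(ATTACK), False),
    }
```

    Running demo() shows why both sides had to change: the byte-wise escaper is unsafe against either server, because 0xBF 0x5C is a valid GBK character no matter how the lexer treats the backslash after it, while the charset-aware escaper is only safe once the server also stops letting a backslash escape a whole multibyte character. In practice that means taking the server update and making sure the client library escapes in the connection's real character set (mysql_set_character_set() rather than a bare SET NAMES, which the client library does not see), not one or the other.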
     
      Mandriva: Updated postgresql packages fix SQL injection vulnerabilities.
      7th, June, 2006

    Updated package.

    http://www.linuxsecurity.com/content/view/123032
     
       Red Hat
      RedHat: Moderate: quagga security update
      1st, June, 2006

    Updated quagga packages that fix several security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

    http://www.linuxsecurity.com/content/view/122967
     
      RedHat: Moderate: zebra security update
      1st, June, 2006

    Updated zebra packages that fix several security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

    http://www.linuxsecurity.com/content/view/122968
     
      RedHat: Moderate: dia security update
      1st, June, 2006

    Updated Dia packages that fix several buffer overflow bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

    http://www.linuxsecurity.com/content/view/122969
     
      RedHat: Moderate: spamassassin security update
      6th, June, 2006

    Updated spamassassin packages that fix an arbitrary code execution flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

    http://www.linuxsecurity.com/content/view/123010
     
       SuSE
      SuSE: cron local privilege escalation
      31st, May, 2006

    The code in do_command.c in Vixie cron does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits. This problem is known to affect only distributions with Linux 2.6 kernels, but the package was updated for all distributions for completeness. This problem is tracked by the Mitre CVE ID CVE-2006-2607.

    http://www.linuxsecurity.com/content/view/122947
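    An added illustration of the check the advisory says was missing, in Python rather than C and not Vixie cron's code: drop privileges for a job, then refuse to run the job unless the drop verifiably took effect. The function names (drop_privileges, run_as, try_drop, current_ids) are this example's own. Python's os.setuid() already raises when the underlying call fails, so what the example adds is the verification after the drop, covering the resource-limit case the advisory mentions (EAGAIN when the target user is at its process limit) and a test that root cannot be regained.

```python
"""Privilege drop that refuses to proceed unless the drop provably happened.
Added example; not code from cron or from the newsletter."""
from __future__ import annotations

import os


def current_ids() -> tuple[int, int]:
    return os.getuid(), os.getgid()


def drop_privileges(uid: int, gid: int) -> tuple[int, int]:
    """Switch to uid/gid and prove it.  Raises OSError if any call fails
    (PermissionError for EPERM, BlockingIOError for EAGAIN when the target
    user has hit RLIMIT_NPROC) or if the drop did not stick."""
    if os.geteuid() == 0:
        os.setgroups([])           # drop supplementary groups while still root
    os.setgid(gid)                 # group first: after setuid() this would fail
    os.setuid(uid)                 # sets real, effective and saved uid
    # Re-read the ids instead of trusting that the calls did what was asked.
    if (os.getuid(), os.geteuid()) != (uid, uid) or (os.getgid(), os.getegid()) != (gid, gid):
        raise PermissionError("privilege drop did not take effect")
    if uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            pass                   # expected: saved uid is gone, root is unreachable
        else:
            raise PermissionError("root regained after drop; saved uid still 0")
    return current_ids()


def try_drop(uid: int, gid: int) -> bool:
    """True if drop_privileges(uid, gid) succeeds in this process."""
    try:
        drop_privileges(uid, gid)
    except OSError:
        return False
    return True


def run_as(uid: int, gid: int, argv: list[str]) -> int:
    """Fork, drop privileges in the child and exec argv only if the drop held.
    Returns the child's exit code; 127 means the drop failed and nothing ran,
    which is the outcome the unchecked setuid() in do_command.c did not have."""
    pid = os.fork()
    if pid == 0:
        try:
            drop_privileges(uid, gid)
        except OSError:
            os._exit(127)
        os.execvp(argv[0], argv)
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)


if __name__ == "__main__":
    uid, gid = current_ids()
    print("ran as", uid, gid, "exit", run_as(uid, gid, ["id"]))
```

    Run as root, run_as(uid, gid, argv) either executes the job as the target user or returns 127 without executing anything; the child never falls through to the exec with root still in effect, which is the failure the advisory describes.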
     
      SuSE: kernel (SUSE-SA:2006:028)
      31st, May, 2006

    Multiple vulnerabilities have been fixed in the linux kernel.

    http://www.linuxsecurity.com/content/view/122949
     
      SuSE: rug (SUSE-SA:2006:029)
      31st, May, 2006

    Updated package.

    http://www.linuxsecurity.com/content/view/122950
     
