LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: October 24th, 2014
Linux Security Week: October 20th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Advisory Watch: June 16th 2006 Print E-mail
User Rating:      How can I rate this item?
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
Linux Advisory Watch This week, advisories were released for freetype, webcalendar, kernel, horde3, horde2, wv2, subversion, ruby, squid, dovecot, gdm, autofs, shadow-utils, rsync, mysql, python, scim, freetype2, squirrelmail, libtiff, spamassassin, sendmail, mailman, kdebase, postgresql, and php. The distributors include Debian, Fedora, Mandriva, Red Hat, and SuSE.


Security on your mind?

Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.

The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates.

The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.

http://www.engardelinux.org/modules/index/register.cgi


How To Break Web Software
By: Eric Lubow

With a tool so widely used by so many different types of people like the World Wide Web, it is necessary for everyone to understand as many aspects as possible about its functionality. From web designers to web developers to web users, this is a must read. Security is a job for everyone and How To Break Web Software by Mike Andrews and James A. Whittaker is written for everyone to understand.

Although this book may be geared more towards the developer, it is really a book for everyone. As I mentioned before, security is everyone's responsibility. The ideas, concepts, and procedures outlined in this book are things that even just the average user should be able to pick up on and alert the webmaster of in order to prevent potential disaster.

It is necessary to keep in mind that this book, although seemingly full of information on how to attack web sites and bring down servers is for informational and educational purposes. It is to inform the developers of common programming and design mistakes. It is also to ensure that common users with no malicious intent can spot problems in design and nip them in the bud before the problems become catastrophic.

The book begins by very basically showing the reader in no uncertain terms the basic concepts that are going to be outlined through the book. The first idea to geteveryone on the same page with client-server relationships and general information about the world wide web.

One of the most important aspects of an attack is knowing your victim. The first informational chapter in this book discusses gathering information on a potential target. Just as with all forthcoming chapters, this one begins with the obvious information and progresses into the more obscure, less thought about topics.

Once the information has been gathered, either via source code, URLs, or any other method that potentially puts information out in the open, the attacks can begin. There are many way in which these attacks can happen. The authors begin by discussing attacks on the user (client) input and how validation needs to occur or the input needs to be sanitized. They then move on to talk about state based attacks, either through CGI parameters or hidden fields within forms. These ideas were also extended to discuss cookie poisoning, URL jumping, and session hijacking (can also include man in the middle attacks). Without all this information consistently being checked and verified, it is possible to for those with malintent to inject information into a session.

http://www.linuxsecurity.com/content/view/122713/49/


LinuxSecurity.com Feature Extras:

    EnGarde Secure Linux v3.0.7 Now Available - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.

    Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


   Debian
  Debian: New freetype packages fix several vulnerabilities
  10th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123074
 
  Debian: New webcalendar packages fix arbitrary code execution
  13th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123114
 
  Debian: New Kernel 2.4.27 packages fix several vulnerabilities
  14th, June, 2006

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-0038 CVE-2006-0039 CVE-2006-0741 CVE-2006-0742 CVE-2006-1056 CVE-2006-1242 CVE-2006-1343 CVE-2006-1368 CVE-2006-1524 CVE-2006-1525 CVE-2006-1857 CVE-2006-1858 CVE-2006-1864 CVE-2006-2271 CVE-2006-2272 CVE-2006-2274

http://www.linuxsecurity.com/content/view/123139
 
  Debian: New horde3 packages fix cross-site scripting
  14th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123152
 
  Debian: New horde2 packages fix cross-site scripting
  14th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123153
 
  Debian: New wv2 packages fix integer overflow
  15th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123160
 
   Fedora
  Fedora Core 5 Update: subversion-1.3.2-2.1
  9th, June, 2006

This update includes the latest upstream release of Subversion, which fixes a number of minor bugs.

http://www.linuxsecurity.com/content/view/123068
 
  Fedora Core 4 Update: ruby-1.8.4-2.fc4
  9th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123069
 
  Fedora Core 5 Update: squid-2.5.STABLE14-2.FC5
  9th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123070
 
  Fedora Core 5 Update: ruby-1.8.4-5.fc5
  9th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123071
 
  Fedora Core 5 Update: dovecot-1.0-0.beta8.2.fc5
  9th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123072
 
  Fedora Core 5 Update: gdm-2.14.8-1
  9th, June, 2006

This update also upgrades GDM to version 2.14.8.

http://www.linuxsecurity.com/content/view/123073
 
  Fedora Core 5 Update: autofs-4.1.4-25
  11th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123075
 
  Fedora Core 4 Update: autofs-4.1.4-24
  11th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123076
 
  Fedora Core 4 Update: kernel-2.6.16-1.2115_FC4
  11th, June, 2006

An update to the upstream 2.6.16.20 release, fixing up a few more security related problems.

http://www.linuxsecurity.com/content/view/123077
 
  Fedora Core 5 Update: kernel-2.6.16-1.2133_FC5
  11th, June, 2006

An update to the upstream 2.6.16.20 release, fixing up a few more security related problems.

http://www.linuxsecurity.com/content/view/123078
 
  Fedora Core 5 Update: shadow-utils-4.0.14-9.FC5
  12th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123107
 
  Fedora Core 5 Update: rsync-2.6.8-1.FC5.1
  12th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123112
 
  Fedora Core 4 Update: rsync-2.6.8-1.FC4.1
  12th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123113
 
  Fedora Core 5 Update: mysql-5.0.22-1.FC5.1
  13th, June, 2006

Repairs vulnerability in multibyte string escaping.

http://www.linuxsecurity.com/content/view/123123
 
  Fedora Core 4 Update: mysql-4.1.20-1.FC4.1
  13th, June, 2006

Repairs multibyte string escaping vulnerability.

http://www.linuxsecurity.com/content/view/123124
 
  Fedora Core 5 Update: python-2.4.3-4.FC5
  13th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123125
 
  Fedora Core 5 Update: scim-1.4.4-9.4.fc5
  13th, June, 2006

This update fixes broken libtool linking of libs to be against libstdc++so7.

http://www.linuxsecurity.com/content/view/123126
 
  Fedora Core 5 Update: python-docs-2.4.3-0.9.FC5
  14th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123158
 
   Mandriva
  Mandriva: Updated freetype2 packages fixes multiple vulnerabilities.
  12th, June, 2006

Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values.

http://www.linuxsecurity.com/content/view/123110
 
  Mandriva: Updated freetype2 packages fixes multiple vulnerabilities.
  14th, June, 2006

The previous update introduced some issues with other applications and libraries linked to libfreetype, that were missed in testing for the vulnerabilty issues. The new packages correct these issues.

http://www.linuxsecurity.com/content/view/123127
 
  Mandriva: Updated gdm packages fix vulnerability
  14th, June, 2006

A vulnerability in gdm could allow a user to activate the gdm setup program if the administrator configured a gdm theme that provided a user list. The user could do so by choosing the setup option from the menu, clicking the user list, then entering his own password instead of root's. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/123128
 
  Mandriva: Updated squirrelmail packages fix vulnerabilities
  14th, June, 2006

A PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and agic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter.

http://www.linuxsecurity.com/content/view/123155
 
  Mandriva: Updated libtiff packages fixes tiff2pdf vulnerability
  14th, June, 2006

A buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in a sprintf call.

http://www.linuxsecurity.com/content/view/123156
 
  Mandriva: Updated spamassassin packages fix vulnerability
  14th, June, 2006

A flaw was discovered in the way that spamd processes the virtual POP usernames passed to it. If running with the --vpopmail and --paranoid flags, it is possible for a remote user with the ability to connect to the spamd daemon to execute arbitrary commands as the user running spamd.

http://www.linuxsecurity.com/content/view/123157
 
  Mandriva: Updated sendmail packages fix remotely exploitable vulnerability
  15th, June, 2006

A vulnerability in the way Sendmail handles multi-part MIME messages was discovered that could allow a remote attacker to create a carefully crafted message that could crash the sendmail process during delivery. The updated packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/123159
 
  RedHat: Moderate: mailman security update
  9th, June, 2006

An updated mailman package that fixes a denial of service flaw is now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/123064
 
   Red Hat
  RedHat: Important: mysql security update
  9th, June, 2006

Updated mysql packages that fix multiple security flaws are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/123065
 
  RedHat: Important: sendmail security update
  14th, June, 2006

Updated sendmail packages are now available to fix a denial of service security issue. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/123150
 
  RedHat: Important: kdebase security update
  14th, June, 2006

Updated kdebase packages that correct a security flaw in kdm are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/123151
 
   SuSE
  SuSE: PostgreSQL SQL injection attacks
  9th, June, 2006

Two character set encoding related security problems were fixed in the PostgreSQL database server: CVE-2006-2313 and CVE-2006-2314.

http://www.linuxsecurity.com/content/view/123061
 
  SuSE: php4,php5 problems (SUSE-SA:2006:031)
  14th, June, 2006

This update fixes the following security issues in the PHP scripting language, both version 4 and 5: Invalid characters in session names were not blocked, CVE-2006-2657: A bug in zend_hash_del() allowed attackers to prevent, unsetting of some variables, CVE-2006-1991, CVE-2006-1990: Bugs in the substr_compare() and wordwrap function could crash the php interpreter, CVE-2006-2906: A CPU consumption denial of service attack in php-gd was fixed.

http://www.linuxsecurity.com/content/view/123136
 
  SuSE: sendmail remote denial of service
  14th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123149
 

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Pro-Privacy Senator Wyden on Fighting the NSA From Inside the System
NIST to hypervisor admins: secure your systems
Quick PHP patch beats slow research reveal
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.