This week, advisories were released for freetype, webcalendar, kernel, horde3, horde2, wv2, subversion, ruby, squid, dovecot, gdm, autofs, shadow-utils, rsync, mysql, python, scim, freetype2, squirrelmail, libtiff, spamassassin, sendmail, mailman, kdebase, postgresql, and php. The distributors include Debian, Fedora, Mandriva, Red Hat, and SuSE.


Security on your mind?

Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.

The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates.

The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.



How To Break Web Software
By: Eric Lubow

The World Wide Web is used by so many different kinds of people that everyone needs to understand as much as possible about how it works. From web designers to web developers to web users, this is a must read. Security is a job for everyone, and How To Break Web Software by Mike Andrews and James A. Whittaker is written for everyone to understand.

Although this book may be geared more towards the developer, it is really a book for everyone. As I mentioned before, security is everyone's responsibility. The ideas, concepts, and procedures outlined in this book are things that even the average user should be able to pick up on and report to the webmaster in order to prevent potential disaster.

It is necessary to keep in mind that this book, although seemingly full of information on how to attack web sites and bring down servers, is for informational and educational purposes. It aims to inform developers of common programming and design mistakes, and to ensure that ordinary users with no malicious intent can spot problems in design and nip them in the bud before they become catastrophic.

The book begins by showing the reader, in no uncertain terms, the basic concepts that are going to be used throughout the book. The first goal is to get everyone on the same page with client-server relationships and general information about the World Wide Web.

One of the most important aspects of an attack is knowing your victim. The first informational chapter in this book discusses gathering information on a potential target. Just as with all forthcoming chapters, this one begins with the obvious information and progresses into the more obscure, less thought about topics.

Once the information has been gathered, whether via source code, URLs, or any other channel that puts information out in the open, the attacks can begin. There are many ways in which these attacks can happen. The authors begin by discussing attacks on user (client) input and how that input needs to be validated or sanitized. They then move on to state-based attacks, either through CGI parameters or hidden fields within forms. These ideas are extended to cover cookie poisoning, URL jumping, and session hijacking (which can also include man-in-the-middle attacks). Unless all of this information is consistently checked and verified, it is possible for those with malicious intent to inject information into a session.
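The two state-based attacks the paragraph names, a hidden form field the server trusts and a cookie that carries session state without integrity protection, each beside a hardened handler. This is an added example, not code from the book or from this review; the catalogue, the form field names, the cookie layout and the server secret are assumptions made for the demonstration, and only the Python standard library is used.

```python
# Added example (not from the book or the review): hidden-field tampering and
# cookie poisoning against a vulnerable handler, then the hardened version.
# CATALOGUE, SECRET, the field names and the cookie layout are constructed.
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs

CATALOGUE = {"sku-100": 1999}           # constructed: price in cents, server-side source of truth
SECRET = b"constructed-server-secret"   # constructed: would come from a key store in a real deployment

def vulnerable_checkout(body: str) -> dict:
    """Trusts the hidden 'price' field that the server itself rendered into the form."""
    f = parse_qs(body)
    qty = int(f["qty"][0])
    price = int(f["price"][0])  # edited in the browser or in an intercepting proxy
    return {"sku": f["sku"][0], "total": qty * price}

def hardened_checkout(body: str) -> dict:
    """Treats every field as attacker input: price comes from server state, quantity is bounded."""
    f = parse_qs(body)
    sku = f.get("sku", [""])[0]
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    try:
        qty = int(f.get("qty", [""])[0])
    except ValueError:
        raise ValueError("qty is not an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("qty out of range")
    return {"sku": sku, "total": qty * CATALOGUE[sku]}

def checkout_rejects(body: str) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        hardened_checkout(body)
        return False
    except ValueError:
        return True

def _encode(session: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()

def _decode(payload: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(payload))

def plain_cookie(session: dict) -> str:
    """Vulnerable: session state lives in the cookie with nothing binding it to the server."""
    return _encode(session)

def read_plain_cookie(cookie: str) -> dict:
    return _decode(cookie)

def signed_cookie(session: dict) -> str:
    """Hardened: an HMAC-SHA256 tag over the payload lets the server detect any change."""
    payload = _encode(session)
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag

def read_signed_cookie(cookie: str) -> Optional[dict]:
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # poisoned or forged: treat as no session at all
    return _decode(payload)

def poison(cookie: str) -> str:
    """What the attacker does: decode the cookie, promote themselves to admin, re-encode, keep any tag."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        payload, tag = cookie, ""  # plain cookie: the whole value is payload, no tag to keep
    data = _decode(payload)
    data["role"] = "admin"
    return _encode(data) + sep + tag

if __name__ == "__main__":
    print(vulnerable_checkout("sku=sku-100&qty=2&price=1"))   # attacker pays 2 cents
    print(hardened_checkout("sku=sku-100&qty=2&price=1"))     # server recomputes the price
    s = {"user": "alice", "role": "user"}
    print(read_plain_cookie(poison(plain_cookie(s))))         # role is now admin
    print(read_signed_cookie(poison(signed_cookie(s))))       # None: tampering detected
```

The hardened checkout never reads the price from the request at all, which is the general rule for hidden fields: anything the server emitted into a form comes back as untrusted input. The signed cookie only provides integrity; if the session contents are sensitive they still need to be kept server-side or encrypted.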


LinuxSecurity.com Feature Extras:

    EnGarde Secure Linux v3.0.7 Now Available - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.

    Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to the list address (obscured on this page) with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


Debian
Debian: New freetype packages fix several vulnerabilities
10th, June, 2006

Updated package.

advisories/debian/debian-new-freetype-packages-fix-several-vulnerabilities
Debian: New webcalendar packages fix arbitrary code execution
13th, June, 2006

Updated package.

advisories/debian/debian-new-webcalendar-packages-fix-arbitrary-code-execution
Debian: New Kernel 2.4.27 packages fix several vulnerabilities
14th, June, 2006

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-0038 CVE-2006-0039 CVE-2006-0741 CVE-2006-0742 CVE-2006-1056 CVE-2006-1242 CVE-2006-1343 CVE-2006-1368 CVE-2006-1524 CVE-2006-1525 CVE-2006-1857 CVE-2006-1858 CVE-2006-1864 CVE-2006-2271 CVE-2006-2272 CVE-2006-2274

advisories/debian/debian-new-kernel-2427-packages-fix-several-vulnerabilities
Debian: New horde3 packages fix cross-site scripting
14th, June, 2006

Updated package.

advisories/debian/debian-new-horde3-packages-fix-cross-site-scripting-12224
Debian: New horde2 packages fix cross-site scripting
14th, June, 2006

Updated package.

advisories/debian/debian-new-horde2-packages-fix-cross-site-scripting-76279
Debian: New wv2 packages fix integer overflow
15th, June, 2006

Updated package.

advisories/debian/debian-new-wv2-packages-fix-integer-overflow
Fedora
Fedora Core 5 Update: subversion-1.3.2-2.1
9th, June, 2006

This update includes the latest upstream release of Subversion, which fixes a number of minor bugs.

advisories/fedora/fedora-core-5-update-subversion-132-21-20-06-00-123068
Fedora Core 4 Update: ruby-1.8.4-2.fc4
9th, June, 2006

Updated package.

advisories/fedora/fedora-core-4-update-ruby-184-2fc4-20-06-00-123069
Fedora Core 5 Update: squid-2.5.STABLE14-2.FC5
9th, June, 2006

Updated package.

advisories/fedora/fedora-core-5-update-squid-25stable14-2fc5-20-06-00-123070
Fedora Core 5 Update: ruby-1.8.4-5.fc5
9th, June, 2006

Updated package.

advisories/fedora/fedora-core-5-update-ruby-184-5fc5-20-06-00-123071
Fedora Core 5 Update: dovecot-1.0-0.beta8.2.fc5
9th, June, 2006

Updated package.

advisories/fedora/fedora-core-5-update-dovecot-10-0beta82fc5-20-06-00-123072
Fedora Core 5 Update: gdm-2.14.8-1
9th, June, 2006

This update also upgrades GDM to version 2.14.8.

advisories/fedora/fedora-core-5-update-gdm-2148-1-20-06-00-123073
Fedora Core 5 Update: autofs-4.1.4-25
11th, June, 2006

Updated package.

advisories/fedora/fedora-core-5-update-autofs-414-25-11-13-00-123075
Fedora Core 4 Update: autofs-4.1.4-24
11th, June, 2006

Updated package.

advisories/fedora/fedora-core-4-update-autofs-414-24-11-13-00-123076
Fedora Core 4 Update: kernel-2.6.16-1.2115_FC4
11th, June, 2006

An update to the upstream 2.6.16.20 release, fixing up a few more security related problems.

advisories/fedora/fedora-core-4-update-kernel-2616-12115fc4-11-13-00-123077
Fedora Core 5 Update: kernel-2.6.16-1.2133_FC5
11th, June, 2006

An update to the upstream 2.6.16.20 release, fixing up a few more security related problems.

advisories/fedora/fedora-core-5-update-kernel-2616-12133fc5-11-13-00-123078
Fedora Core 5 Update: shadow-utils-4.0.14-9.FC5
12th, June, 2006

Updated package.

advisories/fedora/fedora-core-5-update-shadow-utils-4014-9fc5-13-32-00-123107
Fedora Core 5 Update: rsync-2.6.8-1.FC5.1
12th, June, 2006

Updated package.

advisories/fedora/fedora-core-5-update-rsync-268-1fc51-22-18-00-123112
Fedora Core 4 Update: rsync-2.6.8-1.FC4.1
12th, June, 2006

Updated package.

advisories/fedora/fedora-core-4-update-rsync-268-1fc41-22-33-00-123113
Fedora Core 5 Update: mysql-5.0.22-1.FC5.1
13th, June, 2006

Repairs vulnerability in multibyte string escaping.

advisories/fedora/fedora-core-5-update-mysql-5022-1fc51-22-35-00-123123
Fedora Core 4 Update: mysql-4.1.20-1.FC4.1
13th, June, 2006

Repairs multibyte string escaping vulnerability.

advisories/fedora/fedora-core-4-update-mysql-4120-1fc41-22-35-00-123124
Fedora Core 5 Update: python-2.4.3-4.FC5
13th, June, 2006

Updated package.

advisories/fedora/fedora-core-5-update-python-243-4fc5-22-35-00-123125
Fedora Core 5 Update: scim-1.4.4-9.4.fc5
13th, June, 2006

This update fixes broken libtool linking of libs to be against libstdc++so7.

advisories/fedora/fedora-core-5-update-scim-144-94fc5-22-35-00-123126
Fedora Core 5 Update: python-docs-2.4.3-0.9.FC5
14th, June, 2006

Updated package.

advisories/fedora/fedora-core-5-update-python-docs-243-09fc5-19-06-00-123158
Mandriva
Mandriva: Updated freetype2 packages fix multiple vulnerabilities.
12th, June, 2006

Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values.

Mandriva: Updated freetype2 packages fix multiple vulnerabilities.
14th, June, 2006

The previous update introduced some issues with other applications and libraries linked to libfreetype that were missed in testing for the vulnerability issues. The new packages correct these issues.

Mandriva: Updated gdm packages fix vulnerability
14th, June, 2006

A vulnerability in gdm could allow a user to activate the gdm setup program if the administrator configured a gdm theme that provided a user list. The user could do so by choosing the setup option from the menu, clicking the user list, then entering his own password instead of root's. The updated packages have been patched to correct this issue.

Mandriva: Updated squirrelmail packages fix vulnerabilities
14th, June, 2006

A PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter.

Mandriva: Updated libtiff packages fix tiff2pdf vulnerability
14th, June, 2006

A buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in a sprintf call.

Mandriva: Updated spamassassin packages fix vulnerability
14th, June, 2006

A flaw was discovered in the way that spamd processes the virtual POP usernames passed to it. If running with the --vpopmail and --paranoid flags, it is possible for a remote user with the ability to connect to the spamd daemon to execute arbitrary commands as the user running spamd.

Mandriva: Updated sendmail packages fix remotely exploitable vulnerability
15th, June, 2006

A vulnerability in the way Sendmail handles multi-part MIME messages was discovered that could allow a remote attacker to create a carefully crafted message that could crash the sendmail process during delivery. The updated packages have been patched to correct these issues.

Red Hat
RedHat: Moderate: mailman security update
9th, June, 2006

An updated mailman package that fixes a denial of service flaw is now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-moderate-mailman-security-update-3734
RedHat: Important: mysql security update
9th, June, 2006

Updated mysql packages that fix multiple security flaws are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-important-mysql-security-update-80062
RedHat: Important: sendmail security update
14th, June, 2006

Updated sendmail packages are now available to fix a denial of service security issue. This update has been rated as having important security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-important-sendmail-security-update-RHSA-2006-0515-01
RedHat: Important: kdebase security update
14th, June, 2006

Updated kdebase packages that correct a security flaw in kdm are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-important-kdebase-security-update-RHSA-2007-0494-01
SuSE
SuSE: PostgreSQL SQL injection attacks
9th, June, 2006

Two character set encoding related security problems were fixed in the PostgreSQL database server: CVE-2006-2313 and CVE-2006-2314.
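Both the Fedora MySQL entries above (the multibyte string escaping vulnerability) and this PostgreSQL advisory are the same class of bug: a client escapes a string one byte at a time while the server decodes it with a multibyte connection character set. The following is an added example, not code from either project or from the advisories: it simulates the server's decoding in Python with the GBK charset, so no database is needed, and the query template and payload are constructed for the demonstration.

```python
# Added example (not from the advisories): why byte-oriented SQL escaping fails
# under a multibyte connection charset such as GBK, and a charset-aware
# alternative. The query template and PAYLOAD are constructed; the server's
# handling of the statement is simulated by decoding it as GBK.
QUOTE, DQUOTE, BACKSLASH, NUL = 0x27, 0x22, 0x5C, 0x00

def bytewise_escape(raw: bytes) -> bytes:
    """Charset-unaware escaping in the style of addslashes(): a backslash before ' " \\ and NUL, byte by byte."""
    out = bytearray()
    for b in raw:
        if b in (QUOTE, DQUOTE, BACKSLASH, NUL):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)

def charset_aware_escape(raw: bytes, charset: str) -> str:
    """Decode with the connection charset first (malformed input raises), then escape whole characters."""
    text = raw.decode(charset)  # UnicodeDecodeError on a lead byte such as 0xBF followed by 0x27
    return (text.replace("\\", "\\\\").replace("'", "\\'")
                .replace('"', '\\"').replace("\x00", "\\0"))

def count_delimiter_quotes(sql: str) -> int:
    """Count single quotes a MySQL-style parser treats as literal delimiters; a backslash escapes the next char."""
    count, i = 0, 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2
            continue
        if sql[i] == "'":
            count += 1
        i += 1
    return count

def vulnerable_query(name: bytes, charset: str = "gbk") -> str:
    """Escape the raw bytes, splice them into the statement, then decode the way the server will."""
    stmt = b"SELECT * FROM users WHERE name = '" + bytewise_escape(name) + b"'"
    return stmt.decode(charset, errors="replace")

def hardened_query(name: bytes, charset: str = "gbk") -> str:
    """Decode first, escape characters, and build the statement as text."""
    return "SELECT * FROM users WHERE name = '" + charset_aware_escape(name, charset) + "'"

def hardened_rejects(name: bytes, charset: str = "gbk") -> bool:
    """True when the charset-aware path refuses the input as malformed."""
    try:
        hardened_query(name, charset)
        return False
    except UnicodeDecodeError:
        return True

def literal_broken_out(sql: str) -> bool:
    """True when the statement has more than the two delimiter quotes the template contains."""
    return count_delimiter_quotes(sql) != 2

# Constructed payload: GBK lead byte 0xBF followed by an ASCII quote. Byte-wise
# escaping turns 0xBF 0x27 into 0xBF 0x5C 0x27; the server reads 0xBF 0x5C as a
# single GBK character, so the following 0x27 is an unescaped quote.
PAYLOAD = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    print(vulnerable_query(PAYLOAD), literal_broken_out(vulnerable_query(PAYLOAD)))  # True: injection
    print(hardened_rejects(PAYLOAD))                                                  # True: rejected
    print(hardened_query("张三".encode("gbk")))                                        # legitimate name passes
```

The lesson generalizes beyond GBK to any charset in which 0x5C can be a trail byte (SJIS, BIG5 and others): escaping must be done with knowledge of the connection charset, or avoided entirely by sending values as bound parameters so they are never spliced into the statement text.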

SuSE: php4,php5 problems (SUSE-SA:2006:031)
14th, June, 2006

This update fixes the following security issues in the PHP scripting language, both version 4 and 5: invalid characters in session names were not blocked; CVE-2006-2657: a bug in zend_hash_del() allowed attackers to prevent unsetting of some variables; CVE-2006-1991, CVE-2006-1990: bugs in the substr_compare() and wordwrap() functions could crash the PHP interpreter; CVE-2006-2906: a CPU consumption denial of service attack in php-gd was fixed.

SuSE: sendmail remote denial of service
14th, June, 2006

Updated package.