Security on your mind?
Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.
The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates.
The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.
Guardian Digital Makes Email Safe For Business - Microsoft 365, Goo....
How To Break Web Software, Part II
By: Eric Lubow
Another set of attacks that are covered are language attacks. These can also occur as a result of poor or total lack of input validation. These languages include CSS, XSS (Cross Site Scripting for any number of languages), C, C++, or SQL, to name just a few. It is to be noted that attacks via SQL involves attacking the server and having a little knowledge about databases, queries, and the way that databases function. Next, the authors discuss authentication and cryptography. They make it a point to prove to the reader and users that not just any cryptography will do and that only proven tried and true methods are acceptable for public use.
The book then goes into discussing privacy issues. It discusses identifying information such as the referrer logs, agent logs, web bugs, clipboard access (via Javascript), and cached pages. It then finishes up by discussing various types of web services (including XML, SOAP, WSDL, and UDDI) and the inherent problems that can be around using each one of them. The set of tools outlines at the end of the book to help in bug testing web software is an excellent compilation.
Opinion:
Software testing and implementation theories have been around for a long time. There has also been numerous writings, journals, and theories published on how things should and shouldn't be done. Mike Andrews and James Whittaker do an excellent job of outlining the potential shortcomings of web programming. This is an excellent jumping off point for anyone beginning on the security side of web design.
To me, the most enjoyable part of the book is where the authors discuss the "Key Principals for Quality" over the fifty years of software design. I think they should have put that as part of the introduction to outline their point of view on testing as a necessary part of the design phase (which should be a more widely shared view point). Other than that, I believe that this is an excellent all around reference and should be read by those involved in all aspects of the world wide web.
LinuxSecurity.com Feature Extras:
EnGarde Secure Linux v3.0.7 Now Available - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.
Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.
| Debian | ||
| Debian: New wv2 packages fix integer overflow | ||
|
15th, June, 2006
Updated package. advisories/debian/debian-new-wv2-packages-fix-integer-overflow |
||
| Fedora | ||
| Fedora Core 5 Update: firefox-1.5.0.4-1.2.fc5 | ||
|
15th, June, 2006
Several security issues have been identified that are fixed in this release. advisories/fedora/fedora-core-5-update-firefox-1504-12fc5-15-44-00-123169 |
||
| Fedora Core 5 Update: system-config-bind-4.0.0-42_FC5 | ||
|
15th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-system-config-bind-400-42fc5-15-44-00-123170 |
||
| Fedora Core 5 Update: thunderbird-1.5.0.4-1.1.fc5 | ||
|
15th, June, 2006
Several security issues have been identified that are fixed in this release. advisories/fedora/fedora-core-5-update-thunderbird-1504-11fc5-15-44-00-123171 |
||
| Fedora Core 5 Update: autofs-4.1.4-27 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-autofs-414-27-14-58-00-123193 |
||
| Fedora Core 5 Update: libselinux-1.30.3-3.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-libselinux-1303-3fc5-14-58-00-123194 |
||
| Fedora Core 4 Update: arts-1.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-arts-153-01fc4-14-58-00-123195 |
||
| Fedora Core 4 Update: kdeaccessibility-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdeaccessibility-353-01fc4-14-58-00-123196 |
||
| Fedora Core 4 Update: kdeaddons-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdeaddons-353-01fc4-14-58-00-123197 |
||
| Fedora Core 4 Update: kdeadmin-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdeadmin-353-01fc4-14-58-00-123198 |
||
| Fedora Core 4 Update: kdeartwork-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdeartwork-353-01fc4-14-58-00-123199 |
||
| Fedora Core 4 Update: kdebase-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdebase-353-01fc4-14-59-00-123200 |
||
| Fedora Core 4 Update: kdebindings-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdebindings-353-01fc4-14-59-00-123201 |
||
| Fedora Core 4 Update: kdeedu-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdeedu-353-01fc4-14-59-00-123202 |
||
| Fedora Core 4 Update: kdegames-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdegames-353-01fc4-14-59-00-123203 |
||
| Fedora Core 4 Update: kdegraphics-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdegraphics-353-01fc4-14-59-00-123204 |
||
| Fedora Core 4 Update: kde-i18n-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kde-i18n-353-01fc4-14-59-00-123205 |
||
| Fedora Core 4 Update: kdelibs-3.5.3-0.2.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdelibs-353-02fc4-14-59-00-123206 |
||
| Fedora Core 4 Update: kdemultimedia-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdemultimedia-353-01fc4-14-59-00-123207 |
||
| Fedora Core 4 Update: kdenetwork-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdenetwork-353-01fc4-14-59-00-123208 |
||
| Fedora Core 4 Update: kdepim-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdepim-353-01fc4-14-59-00-123209 |
||
| Fedora Core 4 Update: kdesdk-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdesdk-353-01fc4-14-59-00-123210 |
||
| Fedora Core 4 Update: kdeutils-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdeutils-353-01fc4-14-59-00-123211 |
||
| Fedora Core 4 Update: kdevelop-3.3.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdevelop-333-01fc4-14-59-00-123212 |
||
| Fedora Core 4 Update: kdewebdev-3.5.3-0.1.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdewebdev-353-01fc4-15-00-00-123213 |
||
| Fedora Core 5 Update: arts-1.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-arts-153-01fc5-15-00-00-123214 |
||
| Fedora Core 5 Update: kdeaccessibility-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdeaccessibility-353-01fc5-15-00-00-123215 |
||
| Fedora Core 5 Update: kdeaddons-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdeaddons-353-01fc5-15-00-00-123216 |
||
| Fedora Core 5 Update: kdeadmin-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdeadmin-353-01fc5-15-00-00-123217 |
||
| Fedora Core 5 Update: kdebase-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdebase-353-01fc5-15-00-00-123218 |
||
| Fedora Core 5 Update: kdeartwork-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdeartwork-353-01fc5-15-00-00-123219 |
||
| Fedora Core 5 Update: kdebindings-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdebindings-353-01fc5-15-00-00-123220 |
||
| Fedora Core 5 Update: kdeedu-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdeedu-353-01fc5-15-00-00-123221 |
||
| Fedora Core 5 Update: kdegames-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdegames-353-01fc5-15-00-00-123222 |
||
| Fedora Core 5 Update: kdegraphics-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdegraphics-353-01fc5-15-01-00-123223 |
||
| Fedora Core 5 Update: kde-i18n-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kde-i18n-353-01fc5-15-01-00-123224 |
||
| Fedora Core 5 Update: kdelibs-3.5.3-0.2.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdelibs-353-02fc5-15-01-00-123225 |
||
| Fedora Core 5 Update: kdemultimedia-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdemultimedia-353-01fc5-15-01-00-123226 |
||
| Fedora Core 5 Update: kdenetwork-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdenetwork-353-01fc5-15-01-00-123227 |
||
| Fedora Core 5 Update: kdepim-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdepim-353-01fc5-15-01-00-123228 |
||
| Fedora Core 5 Update: kdesdk-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdesdk-353-01fc5-15-01-00-123229 |
||
| Fedora Core 5 Update: kdeutils-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdeutils-353-01fc5-15-01-00-123230 |
||
| Fedora Core 5 Update: kdevelop-3.3.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdevelop-333-01fc5-15-01-00-123231 |
||
| Fedora Core 5 Update: kdewebdev-3.5.3-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdewebdev-353-01fc5-15-01-00-123232 |
||
| Fedora Core 5 Update: qt-3.3.6-0.1.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-qt-336-01fc5-15-02-00-123233 |
||
| Fedora Core 5 Update: gtk2-2.8.19-2 | ||
|
19th, June, 2006
Due to recent changes in the build system, the last gtk2 update lost some dependencies, and e.g is not Xinerama-aware anymore. This update fixes this problem. advisories/fedora/fedora-core-5-update-gtk2-2819-2-15-02-00-123234 |
||
| Fedora Core 5 Update: smartmontools-5.36-fc5.1 | ||
|
19th, June, 2006
This is upgrade to a new upstream version which brings additional hardware support. advisories/fedora/fedora-core-5-update-smartmontools-536-fc51-15-02-00-123235 |
||
| Fedora Core 5 Update: ruby-1.8.4-6.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-ruby-184-6fc5-15-02-00-123236 |
||
| Fedora Core 4 Update: kdebase-3.5.3-0.2.fc4 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-kdebase-353-02fc4-20-10-00-123240 |
||
| Fedora Core 5 Update: kdebase-3.5.3-0.3.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdebase-353-03fc5-20-10-00-123241 |
||
| Fedora Core 5 Update: kdepim-3.5.3-0.2.fc5 | ||
|
19th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-kdepim-353-02fc5-20-10-00-123242 |
||
| Fedora Core 5 Update: nss-3.11.1-1.fc5 | ||
|
19th, June, 2006
Update to version 3.11.1. This includes a fix for a serious memory leak. advisories/fedora/fedora-core-5-update-nss-3111-1fc5-20-10-00-123243 |
||
| Fedora Core 4 Update: autofs-4.1.4-26 | ||
|
20th, June, 2006
Updated package. advisories/fedora/fedora-core-4-update-autofs-414-26-17-40-00-123254 |
||
| Fedora Core 5 Update: system-config-lvm-1.0.18-1.2.FC5 | ||
|
20th, June, 2006
Updated package. advisories/fedora/fedora-core-5-update-system-config-lvm-1018-12fc5-17-40-00-123255 |
||
| Fedora Core 5 Update: glib-java-0.2.5-0.FC5 | ||
|
21st, June, 2006
Make current version of frysk available to FC5 users. advisories/fedora/fedora-core-5-update-glib-java-025-0fc5-15-08-00-123270 |
||
| Fedora Core 5 Update: cairo-java-1.0.4-0.FC5 | ||
|
21st, June, 2006
Make current version of frysk available to FC5 users. advisories/fedora/fedora-core-5-update-cairo-java-104-0fc5-15-08-00-123271 |
||
| Fedora Core 5 Update: libgtk-java-2.8.5-0.FC5 | ||
|
21st, June, 2006
Make current version of frysk available to FC5 users. advisories/fedora/fedora-core-5-update-libgtk-java-285-0fc5-15-08-00-123272 |
||
| Fedora Core 5 Update: libvte-java-0.12.0-0.FC5 | ||
|
21st, June, 2006
Make current version of frysk available to FC5 users. advisories/fedora/fedora-core-5-update-libvte-java-0120-0fc5-15-08-00-123273 |
||
| Fedora Core 5 Update: libgnome-java-2.12.3-0.FC5 | ||
|
21st, June, 2006
Make current version of frysk available to FC5 users. advisories/fedora/fedora-core-5-update-libgnome-java-2123-0fc5-15-08-00-123274 |
||
| Fedora Core 5 Update: libglade-java-2.12.4-0.FC5 | ||
|
21st, June, 2006
Make current version of frysk available to FC5 users. advisories/fedora/fedora-core-5-update-libglade-java-2124-0fc5-15-08-00-123275 |
||
| Fedora Core 5 Update: frysk-0.0.1.2006.06.15.rh4-0.FC5 | ||
|
21st, June, 2006
Make current version of frysk available to FC5 users. advisories/fedora/fedora-core-5-update-frysk-00120060615rh4-0fc5-15-08-00-123276 |
||
| Mandriva | ||
| Mandriva: Updated sendmail packages fix remotely exploitable vulnerability | ||
|
15th, June, 2006
A vulnerability in the way Sendmail handles multi-part MIME messages was discovered that could allow a remote attacker to create a carefully crafted message that could crash the sendmail process during delivery. The updated packages have been patched to correct these issues. |
||
| Mandriva: Updated kdebase packages fix local vulnerability in kdm | ||
|
15th, June, 2006
A problem with how kdm manages the ~/.dmrc file was discovered by Ludwig Nussel. By using a symlink attack, a local user could get kdm to read arbitrary files on the system, including privileged system files and those belonging to other users. The updated packages have been patched to correct these issues. |
||
| Mandriva: Updated mdkkdm packages fix local vulnerability | ||
|
15th, June, 2006
A problem with how kdm manages the ~/.dmrc file was discovered by Ludwig Nussel. By using a symlink attack, a local user could get kdm to read arbitrary files on the system, including privileged system files and those belonging to other users. |
||
| Mandriva: Updated arts packages fix vulnerability in artswrapper | ||
|
20th, June, 2006
A vulnerability in the artswrapper program, when installed setuid root, could enable a local user to elevate their privileges to that of root. By default, Mandriva Linux does not ship artswrapper setuid root, however if a user or system administrator enables the setuid bit on artswrapper, their system could be at risk, The updated packages have been patched to correct these issues. |
||
| Mandriva: Updated xine-lib packages fix buffer overflow vulnerabilities | ||
|
20th, June, 2006
A buffer overflow in the HTTP Plugin (xineplug_inp_http.so) for xine-lib 1.1.1 allows remote attackers to cause a denial of service (application crash) via a long reply from an HTTP server, as demonstrated using gxine 0.5.6. (CVE-2006-2802) |
||
| Mandriva: Updated wv2 packages fix vulnerability | ||
|
20th, June, 2006
A boundary checking error was discovered in the wv2 library, used for accessing Microsoft Word documents. This error can lead to an integer overflow induced by processing certain Word files. The updated packages have been patched to correct these issues. |
||
| Mandriva: Updated gnupg packages fix vulnerability | ||
|
20th, June, 2006
A vulnerability was discovered in GnuPG 1.4.3 and 1.9.20 (and earlier) that could allow a remote attacker to cause gpg to crash and possibly overwrite memory via a message packet with a large length. The updated packages have been patched to correct these issues. |
||
| SuSE | ||
| SuSE: awstats remote code execution | ||
|
20th, June, 2006
Updated package. |
||
