Linux Advisory Watch: June 30th 2006
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, advisories were released for courier, pinball, kernel, mysql, gd, tetex, libwmf, mutt, php4, mozilla, and freetype2. The distributors include Debian, Mandriva, and SuSE.


Earn an NSA recognized IA Masters Online - The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec/


Review: Object-Oriented PHP
By: Efren J. Belizario

PHP has grown to become one of the most popular scripting languages on the web. It offers many possibilities to its users, from building a complex and innovative content management system to forming a simple family photo album. PHP is also a useful programming language in that it helps eliminate redundancy while promoting time-saving and dynamic methodology. Combined with an object-oriented (OO) approach, PHP has countless advantages. Peter Lavin highlights this and more in Object-Oriented PHP.

Audience:

Lavin's approach makes this book very easy to read; however, it is not meant for the novice programmer. Lavin expects that the reader has some knowledge of PHP or C, HTML, and CSS. Lavin is not shy about jumping right into the programming terminology, and he warns the reader of this in the opening chapter. If you are familiar with PHP, read it. If you are familiar with OO, read it. This will get your feet wet and eventually soak you all the way through. If you plan on using PHP to create your dynamic website, have this book ready.

Summary:

Lavin begins with the clichés "What Does This Book Have to Offer?" and "Why Should I Read This Book?". Naturally, an advanced programmer would overlook these sections, but it is surprising how much OO and PHP go hand-in-hand (even without realizing it). He also gives a quick rundown of each chapter and the histories of PHP and OO.

The purpose of OO is to help simplify your work with PHP. Lavin uses the example of a global menu - instead of copying and pasting the same snippet of code into each page, use an include and, voilà, your keystrokes and right mouse clicks are not used in vain. Simplicity cuts down on the losses of time and energy that programmers cannot spare.

Chapters 2 through 9 are overviews of object orientation, OO features in PHP 5, and classes. The first sightings of actual code do not appear until the fourth chapter when Lavin introduces his DirectoryItems class. Eventually, he offers enough code for the reader to create his/her own image navigation interface to begin a working photo album (complete with file browsing, pagination, and, of course, use of MySQL).

Later chapters dive deeper into the concepts and tools learned from the first half of the book. MySQL exceptions and trappings are covered in Chapter 10, while Lavin introduces advanced methods and techniques, such as reflection classes, using XML and CSS, in Chapters 11 through 16.

Opinion:

What I would like to see more of is AJAX and PHP. Peter Lavin admits that he is not the one to give a tutorial on such a subject, however, he does tease us with a paragraph that sets us up for building a foundation on AJAX. He also graciously provides us with a URL for further investigation.

As you continue your journey with PHP, do so with the use of OO and the inheritance of effective, time-saving methods. PHP and OO allow you to do so as Lavin clearly suggests in Object-Oriented PHP. This is not a PHP Bible, by any means, but it is a useful book to add to your library.

http://www.linuxsecurity.com/content/view/123179/49/


Security on your mind?

The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.

http://www.engardelinux.org/modules/index/register.cgi

LinuxSecurity.com Feature Extras:

    EnGarde Secure Linux v3.0.7 Now Available - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.

    Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


   Debian
  Debian: New courier packages fix denial of service
  23rd, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123289
 
  Debian: New pinball packages fix privilege escalation
  26th, June, 2006

Steve Kemp from the Debian Security Audit project discovered that pinball, a pinball simulator, can be tricked into loading level plugins from user-controlled directories without dropping privileges.

http://www.linuxsecurity.com/content/view/123316
 
  Debian: New Linux kernel 2.6.8 packages fix several vulnerabilities
  27th, June, 2006

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/123335
 
   Mandriva
  Mandriva: Updated MySQL packages fix authorized user DoS (crash) vulnerability.
  23rd, June, 2006

Mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and 5.1.x before 5.1.6 allows remote authorized users to cause a denial of service (crash) via a NULL second argument to the str_to_date function. MySQL 4.0.18 in Corporate 3.0 and MNF 2.0 is not affected by this issue. Packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/123305
 
  Mandriva: Updated gd packages fix DoS vulnerability.
  27th, June, 2006

The LZW decoding in the gdImageCreateFromGifPtr function in the Thomas Boutell graphics draw (GD) library (aka libgd) 2.0.33 allows remote attackers to cause a denial of service (CPU consumption) via malformed GIF data that causes an infinite loop. gd-2.0.15 in Corporate 3.0 is not affected by this issue. Packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/123346
 
  Mandriva: Updated tetex packages fix embedded GD vulnerabilities
  27th, June, 2006

Integer overflows were reported in the GD Graphics Library (libgd) 2.0.28, and possibly other versions. These overflows allow remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image row values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx() function. Tetex contains an embedded copy of the GD library code.

http://www.linuxsecurity.com/content/view/123347
 
  Mandriva: Updated libwmf packages fix embedded GD vulnerability
  28th, June, 2006

Integer overflows were reported in the GD Graphics Library (libgd) 2.0.28, and possibly other versions. These overflows allow remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image row values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx() function. Libwmf contains an embedded copy of the GD library code. (CAN-2004-0941) Updated packages have been patched to address this issue.

http://www.linuxsecurity.com/content/view/123348
 
  Mandriva: Updated mutt packages fix buffer overflow vulnerability
  28th, June, 2006

A stack-based buffer overflow in the browse_get_namespace function in imap/browse.c of Mutt allows remote attackers to cause a denial of service (crash) or execute arbitrary code via long namespaces received from the IMAP server. Updated packages have been patched to address this issue.

http://www.linuxsecurity.com/content/view/123364
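The mutt advisory above describes a fixed-size stack buffer overrun by over-long namespace data sent by an IMAP server. The following is an added example, not mutt's code: a bounded copy of one NAMESPACE entry's prefix into a fixed buffer that refuses over-long input instead of writing past the buffer. The buffer size NS_MAX, the function names and the constructed inputs are assumptions made for this example; the parser handles only the quoted-prefix form of an entry.

```c
/*
 * Added example, not code from mutt: bounded handling of one IMAP NAMESPACE
 * entry such as ("INBOX." "."). The prefix comes from the network peer and
 * is therefore attacker-controlled; the copy below never writes more than
 * dst_len bytes and rejects a prefix that would not fit.
 */
#include <stdio.h>
#include <string.h>

#define NS_MAX 64   /* hypothetical fixed buffer size for one namespace prefix */

/* Copy the first quoted string of entry into dst (capacity dst_len).
 * Returns the prefix length on success, -1 if the entry is malformed,
 * or -2 if the prefix (plus terminator) would not fit in dst. */
int ns_copy_prefix(const char *entry, char *dst, size_t dst_len)
{
    const char *start, *end;
    size_t len;

    if (entry == NULL || dst == NULL || dst_len == 0)
        return -1;
    start = strchr(entry, '"');
    if (start == NULL)
        return -1;                 /* no quoted prefix (e.g. "(NIL NIL)") */
    start++;
    end = strchr(start, '"');
    if (end == NULL)
        return -1;                 /* unterminated quoted string */
    len = (size_t)(end - start);
    if (len >= dst_len)            /* leave room for the NUL terminator */
        return -2;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return (int)len;
}

/* Process one entry the way a client would: copy the prefix into a fixed
 * stack buffer. Returns 1 if accepted, 0 if rejected. Because ns_copy_prefix
 * is bounded, a hostile server cannot overrun the stack frame. */
int browse_namespace_entry(const char *entry)
{
    char prefix[NS_MAX];
    int r = ns_copy_prefix(entry, prefix, sizeof prefix);

    if (r < 0) {
        printf("namespace entry rejected (%d)\n", r);
        return 0;
    }
    printf("namespace prefix accepted: \"%s\" (%d bytes)\n", prefix, r);
    return 1;
}

/* Well-formed constructed input; returns the prefix length if the copied
 * prefix is exactly "INBOX.", otherwise -100. */
int demo_basic_entry(void)
{
    char prefix[NS_MAX];
    int r = ns_copy_prefix("(\"INBOX.\" \".\")", prefix, sizeof prefix);
    return (r >= 0 && strcmp(prefix, "INBOX.") == 0) ? r : -100;
}

/* Constructed hostile input: an entry whose prefix is 200 bytes long,
 * far larger than NS_MAX. Returns browse_namespace_entry's verdict. */
int demo_overlong_entry(void)
{
    char entry[256];
    entry[0] = '(';
    entry[1] = '"';
    memset(entry + 2, 'A', 200);
    strcpy(entry + 202, "\" \".\")");   /* closes the quote and the entry */
    return browse_namespace_entry(entry);
}

int main(void)
{
    browse_namespace_entry("(\"INBOX.\" \".\")");
    browse_namespace_entry("(NIL NIL)");
    demo_overlong_entry();
    return 0;
}
```

Rejecting rather than truncating is the safer default for a protocol token: a silently shortened namespace prefix could later be used to address the wrong mailbox, while a rejection surfaces the malformed response to the user or log.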
 
   SuSE
  SuSE: php4 bugfix update (SUSE-SA:2006:034)
  22nd, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123284
 
  SuSE: various Mozilla browser security
  23rd, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123290
 
  SuSE: mysql remote code execution
  23rd, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123291
 
  SuSE: freetype2 (SUSE-SA:2006:037)
  27th, June, 2006

The freetype2 library renders TrueType fonts for open source projects. More than 900 packages on SUSE Linux use this library. Therefore the integer overflows in this code found by Josh Bressers and Chris Evans might have a high impact on the security of a desktop system. The bugs can lead to a remote denial-of-service attack and may lead to remote command execution. The user needs to use a program that uses freetype2 (almost all GUI applications do) and let this program process malicious font data.

http://www.linuxsecurity.com/content/view/123336
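The tetex and libwmf entries above describe integer overflows in GD's PNG loader, where large image row values make the computed buffer size wrap so that a too-small heap buffer is allocated and then overrun; the freetype2 entry describes the same class of bug in font parsing. The following is an added example, not code from GD, teTeX, libwmf or freetype2, showing the general overflow-checked size arithmetic of which those advisories are instances. The function names, the 16-byte-per-pixel limit and the MAX_IMAGE_BYTES policy cap are assumptions made for this example.

```c
/*
 * Added example (not GD, teTeX, libwmf or freetype2 code): computing an
 * image buffer size without integer overflow. A pixel buffer needs
 * width * height * bytes_per_pixel bytes; if that product wraps, the
 * allocation is too small and the row copy that follows overruns the heap.
 * Every multiplication below is checked against SIZE_MAX, and a policy cap
 * keeps a decoder from committing arbitrary memory to a hostile file even
 * when the arithmetic is exact.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy limit on bytes allocated for one image (64 MiB). */
#define MAX_IMAGE_BYTES ((size_t)64 * 1024 * 1024)

/* Multiply a by b into *out; returns 0 on success, -1 if the product would
 * overflow size_t. Portable form that does not rely on compiler builtins. */
static int mul_size_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Byte size of a width x height image with bpp bytes per pixel.
 * Returns 0 and stores the size in *out, or -1 if the dimensions are zero,
 * bpp is implausible, the product overflows, or it exceeds the policy cap. */
int image_buffer_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    size_t row_bytes, total;

    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return -1;
    if (mul_size_checked((size_t)width, (size_t)bpp, &row_bytes) != 0)
        return -1;
    if (mul_size_checked(row_bytes, (size_t)height, &total) != 0)
        return -1;
    if (total > MAX_IMAGE_BYTES)
        return -1;
    *out = total;
    return 0;
}

/* Convenience wrapper for callers that only need a verdict: the byte count,
 * or 0 if the header was rejected (0 is never a valid image size here). */
size_t image_size_or_zero(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    return image_buffer_size(width, height, bpp, &n) == 0 ? n : 0;
}

/* Allocate a zeroed pixel buffer, or return NULL if the header is rejected.
 * The unchecked form the advisories describe would be
 *     malloc(width * height * bpp)
 * evaluated in 32-bit int arithmetic, which wraps for large headers. */
unsigned char *image_alloc(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (image_buffer_size(width, height, bpp, &n) != 0)
        return NULL;
    return calloc(1, n);
}

int main(void)
{
    /* Constructed headers: one sane, one that wraps, one that is merely huge. */
    printf("640x480x3   -> %zu bytes\n", image_size_or_zero(640, 480, 3));
    printf("max x max   -> %zu (0 = rejected)\n",
           image_size_or_zero(0xFFFFFFFFu, 0xFFFFFFFFu, 16));
    printf("65536^2 x 4 -> %zu (0 = rejected)\n",
           image_size_or_zero(65536, 65536, 4));
    return 0;
}
```

The two-step check (row size first, then rows times height) mirrors how image formats declare their geometry and keeps each comparison against SIZE_MAX simple; the separate policy cap is what turns an "exact but enormous" header from a resource-exhaustion problem into a clean rejection.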
 
