Linux Advisory Watch: July 28th 2006
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, advisories were released for hashcash, GnuPG2, gimp, Mozilla, hiki,
postgrey, libdumb, fbi, drupal, freetype2, kdelibs2, perl-Net-Server, openssh,
elfutils, seamonkey, kernel, php, and samba. The distributors include Debian,
Mandriva, Red Hat, and SuSE.
Improvements to LinuxSecurity.com - Efren J. Belizario
The Linuxsecurity team has been busy lately enhancing the planet's premier
Open Source security site. The most conspicuous improvement is our new "ShoutBox"
that lets visitors exchange their views on security and other matters in real
time, so give us a "shout" and let us hear what you think.
Behind the scenes, we have just finished upgrading our site to the latest version of the Joomla! Open Source content management software, v 1.0.10, which brings many improvements to the security and performance of the site.
Our greatest effort has gone into the Resource pages. Now with nearly 500 articles, this section is your portal to the latest HOWTOs and documentation for everything Linux Security. More and more articles for hardening your Linux box are appearing, like Securing and Hardening Linux Production Systems. A firewall is a classic way to keep intruders from sneaking into your system, and with so many options to choose from, reading a firewall primer is a good way to get started. If you need further assurance that your data will be protected, refer to this HOWTO on Data Encryption. Be sure to check out the latest tips, how-tos, and other explanations of the latest Open Source security technologies.
Two other features that we have added are comments for Polls and the User Rating System. The Polls are found on the left-hand side below the Members Menu. The User Rating System can be found after clicking on a specific news article. We truly want to get more feedback from our users and these tools will, hopefully, enable us to do so.
If you have any comments or suggestions concerning our site, please feel free to e-mail us or submit a comment below.
The Community edition of EnGarde Secure Linux is completely free and open source.
Updates are also freely available when you register with the Guardian Digital
Secure Network.
EnGarde Secure Linux v3.0.7 Now Available - Guardian Digital is happy to
announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release
7). This release includes several bug fixes and feature enhancements to
the Guardian Digital WebTool and the SELinux policy, several updated packages,
and several new packages available for installation.
Linux File & Directory Permissions Mistakes - One common mistake Linux
administrators make is having file and directory permissions that are far
too liberal and allow access beyond that which is needed for proper system
operations. A full explanation of unix file permissions is beyond the scope
of this article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one is available
right here on linuxsecurity.com.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
Debian
Debian: New hashcash packages fix arbitrary code execution
21st, July, 2006
Andreas Seltenreich discovered a buffer overflow in hashcash,
a postage payment scheme for email that is based on hash calculations,
which could allow attackers to execute arbitrary code via specially crafted
entries.
http://www.linuxsecurity.com/content/view/123680
Debian: New GnuPG2 packages fix denial of service
21st, July, 2006
Evgeny Legerov discovered that gnupg, the GNU privacy guard,
a free PGP replacement, contains an integer overflow that can cause a segmentation
fault and possibly overwrite memory via large user ID strings.
http://www.linuxsecurity.com/content/view/123681
Debian: New gimp packages fix arbitrary code execution
Debian: New postgrey packages fix denial of service
24th, July, 2006
Peter Bieringer discovered that postgrey, a greylisting implementation
for Postfix, is vulnerable to a format string attack that allows remote
attackers to cause a denial of service in the daemon.
http://www.linuxsecurity.com/content/view/123710
Debian: New Net::Server packages fix denial of service
24th, July, 2006
Peter Bieringer discovered that the "log" function in the Net::Server
Perl module, an extensible, general perl server engine, is not safe against
format string exploits.
http://www.linuxsecurity.com/content/view/123713
Debian: New libdumb packages fix arbitrary code execution
24th, July, 2006
Luigi Auriemma discovered that DUMB, a tracker music library,
performs insufficient sanitising of values parsed from IT music files,
which might lead to a buffer overflow and execution of arbitrary code
if manipulated files are read.
http://www.linuxsecurity.com/content/view/123716
Debian: New fbi packages fix potential deletion of user data
24th, July, 2006
Toth Andras discovered that the fbgs framebuffer postscript/PDF
viewer contains a typo, which prevents the intended filter against malicious
postscript commands from working correctly. This might lead to the deletion
of user data when displaying a postscript file. Fixes CVEID: CVE-2006-3119.
http://www.linuxsecurity.com/content/view/123717
Debian: New drupal packages fix execution of arbitrary web script code
An additional overflow, similar to those corrected by patches
for CVE-2006-1861 was found in libfreetype. If a user loads a carefully
crafted font file with a program linked against FreeType, it could cause
the application to crash or execute arbitrary code as the user. Updated
packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/123671
KDE Konqueror 3.5.1 and earlier allows remote attackers to cause
a denial of service (application crash) by calling the replaceChild method
on a DOM object, which triggers a null dereference, as demonstrated by
calling document.replaceChild with a 0 (zero) argument. This issue does
not affect Corporate 3.0. Updated packages have been patched to correct
this issue.
http://www.linuxsecurity.com/content/view/123677
Mandriva: Updated imlib2 packages fix x86_64 tiff loader bug
21st, July, 2006
The tiff loader from imlib2 crashes when processing images on
the x86_64 platform. This was reported when using digikam on x86_64, which
uses this loader. Updated packages are provided that correct the issue.
http://www.linuxsecurity.com/content/view/123694
Mandriva: Updated perl-Net-Server packages fix format string vulnerability
25th, July, 2006
Peter Bieringer discovered a flaw in the perl Net::Server module
where the "log" function was not safe against format string exploits in
version 0.87 and earlier. Updated packages have been patched to correct
this issue.
http://www.linuxsecurity.com/content/view/123734
Red Hat
RedHat: Low: openssh security update
20th, July, 2006
Updated openssh packages that fix bugs in sshd are now available
for Red Hat Enterprise Linux 3. This update has been rated as having low
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123667
RedHat: Low: elfutils security update
20th, July, 2006
Updated elfutils packages that address a minor security issue
and various other issues are now available. This update has been rated
as having low security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123668
Updated seamonkey packages that fix several security bugs in
the mozilla package are now available for Red Hat Enterprise Linux 3.
This update has been rated as having critical security impact by the Red
Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123669
RedHat: Important: Updated kernel packages for Red Hat
20th, July, 2006
Updated kernel packages are now available as part of ongoing
support and maintenance of Red Hat Enterprise Linux version 3. This is
the eighth regular update. This security advisory has been rated as having
important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123670
RedHat: Moderate: php security update
25th, July, 2006
Updated PHP packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 2.1. This update has been rated
as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123726
RedHat: Moderate: kdebase security fix
25th, July, 2006
Updated kdebase packages that resolve a security issue are now
available. This update has been rated as having moderate security impact
by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123727
RedHat: Important: samba security update
25th, July, 2006
Updated samba packages that fix a denial of service vulnerability
are now available. This update has been rated as having important security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123728