LinuxSecurity.com
Linux Advisory Watch - August 10th 2006
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
This week, advisories were released for ruby, gnupg, freeciv, dhcp, chmlib, krb5, drupal, gallery, ncompress, seamonkey, firefox, thunderbird, libvncserver, mta, libtiff, mysql, webmin, x11vnc, clamav, dumb, kerberos, and apache. The distributors include Debian, Gentoo, Fedora, Mandriva, Red Hat and SuSE.




Goodbye, Netwosix. Hello, EnGarde!

Linux Netwosix was originally created with the goal of providing a security environment for building and creating new security-related solutions. With the passing of time I realized that the project has failed to achieve its goals within 3 years of hard work. This, among many reasons, is the most important because I never received help from anyone. Regardless of the fact that Netwosix has been downloaded by more than 60,000 users all around the world, I'm here to announce the shutting down of my dear project. Day after day I understand that I can't create a "valid security-oriented product" alone.

If people choose to join the project since I made this decision, I choose the way. I want to thank them but now I think that the most important thing to do is this. There are a lot of GNU/Linux distributions in the "arena" and I don't think that creating a new one every day is a good move for GNU/Linux itself. So I realized that it was better to help a well-known project to realize something really important and big.

For this reason I decided to move to Guardian Digital, one of the most important open source security companies. It's really growing quickly. I will work on their EnGarde Secure Linux and in some way I am continuing to work on a really "secure" GNU/Linux distribution. There I can work with a lot of good hackers and it's a good possibility for me to exchange knowledge and improve my skills.

With this letter, I would like to thank everyone who did contribute to the project by downloading it and sending me many comforting and encouraging emails, and my apologies for shutting down the project. I'd like to give my special thanks to Dave Wreski, CEO of Guardian Digital, and Ryan W. Maple for the great job position there.

Thanks,
Vincenzo Ciaglia - Guardian Digital, Inc.


Security on your mind?

The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.

http://www.engardelinux.org/modules/index/register.cgi

LinuxSecurity.com Feature Extras:

    EnGarde Secure Linux v3.0.7 Now Available - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.

    Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


   Debian
  Debian: New ruby1.6 packages fix privilege escalation
  3rd, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123948
 
  Debian: New GnuPG packages fix denial of service
  3rd, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123950
 
  Debian: New GnuPG2 packages fix denial of service
  4th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123956
 
  Debian: New freeciv packages fix arbitrary code execution
  4th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123959
 
  Debian: New dhcp packages fix denial of service
  4th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123960
 
  Debian: New chmlib packages fix denial of service
  7th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123982
 
  Debian: New krb5 packages fix privilege escalation
  9th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124013
 
  Debian: New drupal packages fix cross-site scripting
  9th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124437
 
  Debian: New gallery packages fix several vulnerabilities
  9th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124441
 
  Debian: New ncompress packages fix potential code execution
  10th, August, 2006

Tavis Ormandy from the Google Security Team discovered a missing boundary check in ncompress, the original Lempel-Ziv compress and uncompress programs, which allows a specially crafted datastream to underflow a buffer with attacker controlled data.

http://www.linuxsecurity.com/content/view/124446
 
   Fedora
  Fedora Core 5 Update: krb5-1.4.3-5.1
  9th, August, 2006

This update addresses MITKRB-SA-2006-001.

http://www.linuxsecurity.com/content/view/124436
 
   Gentoo
  Gentoo: Mozilla SeaMonkey Multiple vulnerabilities
  3rd, August, 2006

The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey.

http://www.linuxsecurity.com/content/view/123949
 
  Gentoo: Mozilla Firefox Multiple vulnerabilities
  3rd, August, 2006

The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla Firefox.

http://www.linuxsecurity.com/content/view/123951
 
  Gentoo: Mozilla Thunderbird Multiple vulnerabilities
  3rd, August, 2006

The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla Thunderbird.

http://www.linuxsecurity.com/content/view/123953
 
  Gentoo: LibVNCServer Authentication bypass
  4th, August, 2006

VNC servers created with LibVNCServer accept insecure protocol types, even when the server does not offer them, resulting in unauthorized access to the server.

http://www.linuxsecurity.com/content/view/123957
 
  Gentoo: Courier MTA Denial of Service vulnerability
  4th, August, 2006

Courier MTA has fixed a DoS issue related to usernames containing a "=" character.

http://www.linuxsecurity.com/content/view/123958
 
  Gentoo: libTIFF Multiple vulnerabilities
  4th, August, 2006

libTIFF contains several vulnerabilities that could result in arbitrary code execution.

http://www.linuxsecurity.com/content/view/123972
 
  Gentoo: Mozilla Firefox Multiple vulnerabilities
  5th, August, 2006

The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla Firefox.

http://www.linuxsecurity.com/content/view/123973
 
  Gentoo: GnuPG Integer overflow vulnerability
  5th, August, 2006

GnuPG is vulnerable to an integer overflow that could lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/123974
 
  Gentoo: MySQL Denial of Service
  6th, August, 2006

An authenticated user can crash MySQL through invalid parameters to the date_format function.

http://www.linuxsecurity.com/content/view/123975
 
  Gentoo: pike SQL injection vulnerability
  6th, August, 2006

A flaw in the input handling could lead to the execution of arbitrary SQL statements in the underlying PostgreSQL database.

http://www.linuxsecurity.com/content/view/123976
 
  Gentoo: Webmin, Usermin File Disclosure
  6th, August, 2006

Webmin and Usermin are vulnerable to an arbitrary file disclosure through a specially crafted URL.

http://www.linuxsecurity.com/content/view/123977
 
  Gentoo: x11vnc Authentication bypass in included LibVNCServer code
  7th, August, 2006

VNC servers created with x11vnc accept insecure protocol types, even when the server does not offer them, resulting in the possibility of unauthorized access to the server.

http://www.linuxsecurity.com/content/view/123983
 
  Gentoo: ClamAV Heap buffer overflow
  8th, August, 2006

ClamAV is vulnerable to a heap-based buffer overflow resulting in a Denial of Service and potentially remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/123995
 
  Gentoo: GnuPG Integer overflow vulnerability
  8th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123998
 
  Gentoo: DUMB Heap buffer overflow
  8th, August, 2006

A heap-based buffer overflow in DUMB could result in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/124001
 
  Gentoo: MIT Kerberos 5 Multiple local privilege escalation (test Falco for security@)
  10th, August, 2006

Some applications shipped with MIT Kerberos 5 are vulnerable to local privilege escalation.

http://www.linuxsecurity.com/content/view/124448
 
   Mandriva
  Mandriva: Updated clamav packages fix vulnerability
  8th, August, 2006

Damian Put discovered a boundary error in the UPX extraction module in ClamAV which is used to unpack PE Windows executables. This could be abused to cause a Denial of Service issue and potentially allow for the execution of arbitrary code with the permissions of the user running clamscan or clamd. Updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/124009
 
  Mandriva: Updated krb5 packages fix local privilege escalation vulnerability
  9th, August, 2006

A flaw was discovered in some bundled Kerberos-aware packages that would fail to check the results of the setuid() call. This call can fail in some circumstances on the Linux 2.6 kernel if certain user limits are reached, which could be abused by a local attacker to get the applications to continue to run as root, possibly leading to an elevation of privilege.

http://www.linuxsecurity.com/content/view/124438
 
  Mandriva: Updated ncompress packages fix vulnerability
  9th, August, 2006

Tavis Ormandy, of the Google Security Team, discovered that ncompress, when uncompressing data, performed no bounds checking, which could allow a specially crafted datastream to underflow a .bss buffer with attacker controlled data. Updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/124439
 
   Red Hat
  RedHat: Important: krb5 security update
  8th, August, 2006

Updated krb5 packages are now available for Red Hat Enterprise Linux 4 to correct a privilege escalation security flaw. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124002
 
  RedHat: Important: apache security update
  8th, August, 2006

Updated Apache httpd packages that correct a security issue are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124003
 
   SuSE
  SuSE: clamav (SUSE-SA:2006:046)
  9th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124385
 

(c)Copyright 2008 Guardian Digital, Inc. All rights reserved.