Linux Advisory Watch: August 18th 2006
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, advisories were released for ncompress, shadow, heartbeat, kerberos, warzone, libwmf, wordpress, gnupg, firefox, elfutils, ntp, kdebase, perl, httpd, and wireshark. The distributors include Debian, Gentoo, Mandriva, Red Hat, and SuSE.




Build a Case for Security

Establishing a business case is perhaps the first phase in any project initiation. Organizations that are successful maintain full justification for all business expenditure. An information security project is no different. An effective information security program requires visible support from executive management. To gain support, a persuasive business case is often necessary. An information security program will have numerous tangible and intangible benefits to any organization. It is the role of a business case to document these.

To build a persuasive case for information security, it is important for practitioners "to become more managerial in outlook, speech, and perspectives" (Information Security Management Handbook, 4th Edition, Volume 2). Stressing only the technical benefits of information security is no longer sufficient, given the size and expenditure of today's information security programs. When making a case for information security, an emphasis should be placed on how proactive security mechanisms ensure that senior management will not be held liable for negligence. As IT has become more prominent in organizations, so have compliance and regulatory requirements. Today, senior management personnel are expected to demonstrate due care and due diligence in relation to information security. Consequently, information security must become an essential aspect of management.

Addressing the overall benefits of information security is important as well. A business case should stress how information security can become a business enabler. It can be a company differentiator by offering increased levels of customer satisfaction and contributing to total quality management overall. Information security also provides a means to guard against unauthorized behavior; simply trusting that internal employees will "do the right thing" is often not enough. Information security business cases should be written in a way that emphasizes all of these benefits.


Security on your mind?

The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.

http://www.engardelinux.org/modules/index/register.cgi

LinuxSecurity.com Feature Extras:

    EnGarde Secure Community 3.0.8 - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.8 (Version 3.0, Release 8). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, several updated packages, and several new packages available for installation.

    Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


   Debian
  Debian: New ncompress packages fix potential code execution
  10th, August, 2006

Tavis Ormandy from the Google Security Team discovered a missing boundary check in ncompress, the original Lempel-Ziv compress and uncompress programs, which allows a specially crafted datastream to underflow a buffer with attacker controlled data.

http://www.linuxsecurity.com/content/view/124446
 
  Debian: New shadow packages fix privilege escalation
  12th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124477
 
  Debian: New heartbeat packages fix denial of service
  15th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124515
 
   Gentoo
  Gentoo: MIT Kerberos 5 Multiple local privilege escalation
  10th, August, 2006

Some applications shipped with MIT Kerberos 5 are vulnerable to local privilege escalation.

http://www.linuxsecurity.com/content/view/124448
 
  Gentoo: Warzone 2100 Resurrection Multiple buffer overflows
  10th, August, 2006

Warzone 2100 Resurrection server and client are vulnerable to separate buffer overflows, potentially allowing remote code execution.

http://www.linuxsecurity.com/content/view/124452
 
  Gentoo: libwmf Buffer overflow vulnerability
  10th, August, 2006

libwmf is vulnerable to an integer overflow potentially resulting in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/124453
 
  Gentoo: Net::Server Format string vulnerability
  10th, August, 2006

A format string vulnerability has been reported in Net::Server which can be exploited to cause a Denial of Service.

http://www.linuxsecurity.com/content/view/124455
 
  Gentoo: WordPress Privilege escalation
  10th, August, 2006

A flaw in WordPress allows registered WordPress users to elevate privileges.

http://www.linuxsecurity.com/content/view/124456
 
   Mandriva
  Mandriva: Updated gnupg packages fix vulnerability
  14th, August, 2006

An integer overflow vulnerability was discovered in gnupg where an attacker could create a carefully-crafted message packet with a large length that could cause gnupg to crash or possibly overwrite memory when opened. Updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/124512
 
  Mandriva: Updated heartbeat packages fix vulnerability
  14th, August, 2006

Two vulnerabilities in heartbeat prior to 2.0.6 were discovered by Yan Rong Ge. The first is that heartbeat would set insecure permissions in a shmget call for shared memory, allowing a local attacker to cause an unspecified denial of service via unknown vectors (CVE-2006-3815). The second is a remote vulnerability that could allow the master control process to read invalid memory due to a specially crafted heartbeat message and die of a SEGV, all prior to any authentication.

http://www.linuxsecurity.com/content/view/124513
 
  Mandriva: Updated Firefox packages fix multiple vulnerabilities
  16th, August, 2006

A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program.

http://www.linuxsecurity.com/content/view/124539
 
   Red Hat
  RedHat: Low: elfutils security update
  10th, August, 2006

Updated elfutils packages that address a minor security issue and various other issues are now available. This update has been rated as having low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124459
 
  RedHat: Low: ntp security update
  10th, August, 2006

Updated ntp packages that fix several bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124460
 
  RedHat: Updated kernel packages available for Red Hat
  10th, August, 2006

Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 4.

http://www.linuxsecurity.com/content/view/124461
 
  RedHat: Low: kdebase security fix
  10th, August, 2006

Updated kdebase packages that resolve several bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124462
 
  RedHat: Important: perl security update
  10th, August, 2006

Updated Perl packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124463
 
  RedHat: Moderate: httpd security update
  10th, August, 2006

Updated Apache httpd packages that correct security issues and resolve bugs are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124464
 
  RedHat: Moderate: wireshark security update (was
  16th, August, 2006

New Wireshark packages that fix various security vulnerabilities in Ethereal are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124533
 
   SuSE
  SuSE: kernel security problems
  11th, August, 2006

Multiple security vulnerabilities in the kernel are addressed.

http://www.linuxsecurity.com/content/view/124469
 
  SuSE: MozillaFirefox, MozillaThunderbird,
  16th, August, 2006

To fix various security problems we released update packages that bring Mozilla Firefox to version 1.5.0.6, MozillaThunderbird to version 1.5.0.5 and the Seamonkey Suite to version 1.0.3.

http://www.linuxsecurity.com/content/view/124535
 