Earn an NSA recognized IA Masters Online - The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
EnGarde Secure Linux v3.0.9 Now Available
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.9 (Version 3.0, Release 9). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and a couple of new packages available for installation.
EnGarde Secure Community is a secure distribution of Linux engineered from the ground-up to provide organizations with the level of security required to create a corporate Web presence or even conduct e-business on the Web. It can be used as a Web, DNS, e-mail, database, e-commerce, and general Internet server where security is a primary concern.
All new users downloading EnGarde Secure Linux for the first time or users who use the LiveCD environment should download this release.
Users who are currently using EnGarde Secure Linux do not need to download this release -- they can update their machines via the Guardian Digital Secure Network WebTool module.
You may download this ISO image via FTP or BitTorrent by following the "Download Now!" link from engardelinux.org: /
news/vendors-products/engarde-secure-linux-v309-now-available
The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.
Guardian Digital Makes Email Safe For Business - Microsoft 365, Goo....
LinuxSecurity.com Feature Extras:
RFID with Bio-Smart Card in Linux - In this paper, we describe the integration of fingerprint template and RF smart card for clustered network, which is designed on Linux platform and Open source technology to obtain biometrics security. Combination of smart card and biometrics has achieved in two step authentication where smart card authentication is based on a Personal Identification Number (PIN) and the card holder is authenticated using the biometrics template stored in the smart card that is based on the fingerprint verification. The fingerprint verification has to be executed on central host server for security purposes. Protocol designed allows controlling entire parameters of smart security controller like PIN options, Reader delay, real-time clock, alarm option and cardholder access conditions.
Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.
| Debian | ||
| Debian: New openssl packages fix denial of service | ||
| 28th, September, 2006
Multiple vulnerabilities have been discovered in the OpenSSL cryptographic software package that could allow an attacker to launch a denial of service attack by exhausting system resources or crashing processes on a victim's computer. The following CVE IDs have been addressed: CVE-2006-2940 CVE-2006-3738 CVE-2006-4343 CVE-2006-2937 advisories/debian/debian-new-openssl-packages-fix-denial-of-service |
||
| Debian: New cscope packages fix arbitrary code execution | ||
| 30th, September, 2006
Updated package. advisories/debian/debian-new-cscope-packages-fix-arbitrary-code-execution-15882 |
||
| Debian: New migrationtools packages fix denial of service | ||
| 30th, September, 2006
Updated package. advisories/debian/debian-new-migrationtools-packages-fix-denial-of-service |
||
| Debian: New openssl packages fix arbitrary code execution | ||
| 2nd, October, 2006
The fix used to correct CVE-2006-2940 introduced code that could lead to the use of uninitialized memory. Such use is likely to cause the application using the openssl library to crash, and has the potential to allow an attacker to cause the execution of arbitrary code. advisories/debian/debian-new-openssl-packages-fix-arbitrary-code-execution-75110 |
||
| Debian: New mailman packages fix several problems | ||
| 4th, October, 2006
Updated package. advisories/debian/debian-new-mailman-packages-fix-several-problems |
||
| Debian: New openssh-krb5 packages fix denial of service and potential execution of arbitrary code | ||
| 4th, October, 2006
Updated package. advisories/debian/debian-new-openssh-krb5-packages-fix-denial-of-service-and-potential-execution-of-arbitrary-code |
||
| Debian: New maxdb-7.5.00 packages fix execution of arbitrary code | ||
| 4th, October, 2006
Updated package. advisories/debian/debian-new-maxdb-7500-packages-fix-execution-of-arbitrary-code |
||
| Debian: New Mozilla Thunderbird packages fix several vulnerabilities | ||
| 5th, October, 2006
Updated package. advisories/debian/debian-new-mozilla-thunderbird-packages-fix-several-vulnerabilities-8356 |
||
| Gentoo | ||
| Gentoo: Opera RSA signature forgery | ||
| 28th, September, 2006
Opera fails to correctly verify certain signatures. |
||
| Gentoo: Mozilla Firefox Multiple vulnerabilities | ||
| 28th, September, 2006
The Mozilla Foundation has reported numerous vulnerabilities in Mozilla Firefox, including one that may allow execution of arbitrary code. |
||
| Gentoo: DokuWiki Shell command injection and Denial of | ||
| 28th, September, 2006
DokuWiki is vulnerable to shell command injection and Denial of Service attacks when using ImageMagick. |
||
| Gentoo: Mozilla Thunderbird Multiple vulnerabilities | ||
| 4th, October, 2006
The Mozilla Foundation has reported multiple security vulnerabilities related to Mozilla Thunderbird. |
||
| Gentoo: Adobe Flash Player Arbitrary code execution | ||
| 4th, October, 2006
Multiple input validation errors have been identified that allow arbitrary code execution on a user's system via the handling of malicious Flash files. |
||
| Gentoo: Adobe Flash Player Arbitrary code execution | ||
| 5th, October, 2006
Multiple input validation errors have been identified that allow arbitrary code execution on a user's system via the handling of malicious Flash files. |
||
| Mandriva | ||
| Mandriva: Updated Fibric package interaction with curl | ||
| 28th, September, 2006
The Fibric tool, used for updating packages on Corporate Server 4.0, had difficulty with usernames that contained the '@' character when curl is installed. No such problem exists when Fibric uses wget. This update provides a fixed Fibric that better interacts with curl. |
||
| Mandriva: Updated webmin packages fix XSS vulnerability | ||
| 28th, September, 2006
Webmin before 1.296 and Usermin before 1.226 does not properly handle a URL with a null ("%00") character, which allows remote attackers to conduct cross-site scripting (XSS), read CGI program source code, list directories, and possibly execute programs. Updated packages have been patched to correct this issue. |
||
| Mandriva: Updated musicbrainz packages fix buffer overflow vulnerabilities | ||
| 28th, September, 2006
Multiple buffer overflows in libmusicbrainz (aka mb_client or MusicBrainz Client Library) 2.1.2 and earlier, and SVN 8406 and earlier, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) a long Location header by the HTTP server, which triggers an overflow in the MBHttp::Download function in lib/http.cpp; and (2) a long URL in RDF data, as demonstrated by a URL in an rdf:resource field in an RDF XML document, which triggers overflows in many functions in lib/rdfparse.c. |
||
| Mandriva: Updated openldap packages fixes ACL vulnerability | ||
| 28th, September, 2006
slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN). |
||
| Mandriva: Updated openssl packages fix vulnerabilities | ||
| 28th, September, 2006
Dr S N Henson of the OpenSSL core team and Open Network Security recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk). When the test suite was run against OpenSSL two denial of service vulnerabilities were discovered. |
||
| Mandriva: Updated ffmpeg packages fix buffer overflow vulnerabilities | ||
| 28th, September, 2006
Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote attackers to cause a denial of service or possibly execute arbitrary code via multiple nspecified vectors. |
||
| Mandriva: Update gstreamer-ffmpeg packages fix buffer overflow vulnerabilities | ||
| 28th, September, 2006
Gstreamer-ffmpeg uses an embedded copy of ffmpeg and as such has been updated. |
||
| Mandriva: Updated mplayer packages fix buffer overflow vulnerabilities | ||
| 28th, September, 2006
Mplayer uses an embedded copy of ffmpeg and as such has been updated. |
||
| Mandriva: Updated xine-lib packages fix buffer overflow vulnerabilities | ||
| 28th, September, 2006
Xine-lib uses an embedded copy of ffmpeg and as such has been updated. |
||
| Mandriva: Updated openssl packages fix vulnerabilities | ||
| 2nd, October, 2006
The following CVE IDs are covered by this vulnerability: CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4343 |
||
| Mandriva: Updated MySQL packages rebuilt against updated openssl. | ||
| 2nd, October, 2006
Openssl recently had several vulnerabilities which were patched CVE-2006-2937,2940,3738,4339, 4343). Some MySQL versions are built against a static copy of the SSL libraries. As a precaution an updated copy built against the new libraries in being made available. |
||
| Mandriva: Updated ntp packages rebuilt against updated openssl. | ||
| 2nd, October, 2006
Openssl recently had several vulnerabilities which were patched CVE-2006-2937,2940,3738,4339, 4343). Some versions of ntp are built against a static copy of the SSL libraries. As a precaution an updated copy built against the new libraries in being made available. |
||
| Mandriva: Updated openssh packages fix DoS vulnerabilities | ||
| 3rd, October, 2006
Tavis Ormandy of the Google Security Team discovered a Denial of Service vulnerability in the SSH protocol version 1 CRC compensation attack detector. This could allow a remote unauthenticated attacker to trigger excessive CPU utilization by sending a specially crafted SSH message, which would then deny ssh services to other users or processes. |
||
| Red Hat | ||
| RedHat: Important: openssl security update | ||
| 28th, September, 2006
Updated OpenSSL packages are now available to correct several security issues. This update has been rated as having important security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-important-openssl-security-update-98001 |
||
| RedHat: Important: openssh security update | ||
| 28th, September, 2006
Updated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-important-openssh-security-update-28385 |
||
| RedHat: Important: openssh security update | ||
| 28th, September, 2006
Updated openssh packages that fix several security issues in sshd are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-important-openssh-security-update-28385 |
||
| RedHat: Important: php security update | ||
| 5th, October, 2006
Updated PHP packages that fix an integer overflow flaw are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-important-php-security-update-98171 |
||
| Slackware | ||
| Slackware: openssh | ||
| 29th, September, 2006
New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues. More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database: CVE-2006-4924 CVE-2006-5051 CVE-2006-5052 |
||
| Slackware: openssl | ||
| 29th, September, 2006
New openssl packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues. More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database: CVE-2006-2937 CVE-2006-3738 CVE-2006-2940 CVE-2006-4343 |
||
| SuSE | ||
| SuSE: kernel security problems | ||
| 28th, September, 2006
Various security problems were found and fixed in the Linux kernel. |
||
| SuSE: openssl security problems | ||
| 28th, September, 2006
Several security problems were found and fixed in the OpenSSL cryptographic library. |
||
