This week, advisories were released for clamav, python, webmin, libmusicbrainz, ClamAV, OpenSSL, mod_tcl, kdelibs, sshd-monitor, subversion, xinetd, coreutils, bootsplash, Qt, opera, openssh, and PostgreSQL. The distributors include Debian, Gentoo, Mandriva, Red Hat, Slackware, SuSE, and Ubuntu.


EnGarde Secure Linux v3.0.9 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.9 (Version 3.0, Release 9). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and a couple of new packages available for installation.


LinuxSecurity.com Feature Extras:

    RFID with Bio-Smart Card in Linux - In this paper, we describe the integration of a fingerprint template and an RF smart card for a clustered network, designed on the Linux platform and open source technology to obtain biometric security. The combination of smart card and biometrics is achieved in a two-step authentication, where smart card authentication is based on a Personal Identification Number (PIN) and the cardholder is authenticated using the biometric template stored in the smart card, which is based on fingerprint verification. The fingerprint verification has to be executed on a central host server for security purposes. The protocol designed allows control of all parameters of the smart security controller, such as PIN options, reader delay, real-time clock, alarm option and cardholder access conditions.

    Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


Debian
Debian: New clamav packages fix arbitrary code execution
19th, October, 2006

Updated package.

Debian: New python2.4 packages fix arbitrary code execution
22nd, October, 2006

Updated package.

Debian: New python2.3 packages fix arbitrary code execution
23rd, October, 2006

Updated package.

Debian: New webmin packages fix input validation problems
23rd, October, 2006

Updated package.

Gentoo
Gentoo: Cscope Multiple buffer overflows
20th, October, 2006

Cscope is vulnerable to multiple buffer overflows that could lead to the execution of arbitrary code.

Gentoo: libmusicbrainz Multiple buffer overflows
22nd, October, 2006

Multiple buffer overflows have been found in libmusicbrainz, which could lead to a Denial of Service or possibly the execution of arbitrary code.

Gentoo: ClamAV Multiple Vulnerabilities
24th, October, 2006

ClamAV is vulnerable to a heap-based buffer overflow potentially allowing remote execution of arbitrary code and a Denial of Service.

Gentoo: OpenSSL Multiple vulnerabilities
24th, October, 2006

OpenSSL contains multiple vulnerabilities including the possible remote execution of arbitrary code.

Gentoo: Apache mod_tcl Format string vulnerability
24th, October, 2006

A format string vulnerability has been found in Apache mod_tcl, which could lead to the remote execution of arbitrary code.

Gentoo: Cheese Tracker Buffer Overflow
26th, October, 2006

Cheese Tracker contains a buffer overflow allowing the remote execution of arbitrary code.

Mandriva
Mandriva: Updated kdelibs packages fix KHTML vulnerability
19th, October, 2006

A vulnerability was discovered in the way that Qt handled pixmap images and the KDE khtml library used Qt in such a way that untrusted parameters could be passed to Qt, resulting in an integer overflow. This flaw could be exploited by a remote attacker in a malicious website that, when viewed by an individual using Konqueror, would cause Konqueror to crash or possibly execute arbitrary code with the privileges of the user.

Mandriva: Updated sshd-monitor corrects connection bug
19th, October, 2006

The sshd-monitor as provided with Mandriva's Corporate Server and Desktop 3.0 would fill /var/log/messages with error messages about not receiving an identification string from the localhost due to a timing issue.

Mandriva: Updated subversion package /etc/services entries
19th, October, 2006

One of subversion's operating modes, svnserve, needs some entries in the /etc/services file. These entries are created during package installation, but under some conditions this procedure fails and /etc/services remains without them.

Mandriva: Updated xinetd package corrects initscript language bug
19th, October, 2006

The initscript for xinetd incorrectly set the locale to en_US. If the locales-en package is not installed on the system, some xinetd services may not work properly. This was first noted with the svnserve program from subversion.

Mandriva: Updated coreutils package correctly links against PAM
23rd, October, 2006

The coreutils package lacked several features due to a build deficiency. As a result, the su program was not linked against the PAM library, making it impossible for su to make use of advanced authentication features that rely on the PAM library. As well, the cp system utility did not keep extended attributes and ACLs in file copies. This has been corrected in the updated packages.

Mandriva: Updated bootsplash package brings back the fbmenu command
24th, October, 2006

When multiple profiles are configured, they can be chosen in the bootloader with the PROFILE keyword, but this requires either a dedicated entry or manually appending the profile at each boot. To ease the choice of profile at boot time, Mandriva developed a frame buffer menu in GTK to choose the profile.

Mandriva: Updated Qt packages fix vulnerability
24th, October, 2006

An integer overflow was discovered in the way that Qt handled pixmap images. This flaw could be exploited by a remote attacker in a malicious website that, when viewed by an individual using an application that uses Qt (like Konqueror), would cause it to crash or possibly execute arbitrary code with the privileges of the user.

Red Hat
RedHat: Important: kernel security update
19th, October, 2006

Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

Slackware
Slackware: qt
25th, October, 2006

New qt packages are available for Slackware 10.0, 10.1, 10.2, and 11.0 to fix a possible security issue.

SuSE
SuSE: opera (SUSE-SA:2006:061)
19th, October, 2006

Updated package.

SuSE: openssh (SUSE-SA:2006:062)
20th, October, 2006

There are multiple vulnerabilities in openssh 4.4. The following vulnerabilities are addressed in this advisory: CVE-2006-4924, CVE-2006-4925, CVE-2006-5051, CVE-2006-5052.

SuSE: Qt image handling problems
25th, October, 2006

Updated package.

Ubuntu
Ubuntu: Qt vulnerability
23rd, October, 2006

An integer overflow was discovered in Qt's image loader. By processing a specially crafted image with an application that uses this library (like Konqueror), a remote attacker could exploit this to execute arbitrary code with the application's privileges.

Ubuntu: PostgreSQL vulnerabilities
24th, October, 2006

Michael Fuhr discovered an incorrect type check when handling unknown literals. By attempting to coerce such a literal to the ANYARRAY type, a local authenticated attacker could cause a server crash. Josh Drake and Alvaro Herrera reported a crash when using aggregate functions in UPDATE statements. A local authenticated attacker could exploit this to crash the server backend. This update disables this construct, since it is not very well defined and forbidden by the SQL standard.
