RFID
with Bio-Smart Card in Linux - In this paper, we describe the integration
of fingerprint template and RF smart card for clustered network, which is
designed on Linux platform and Open source technology to obtain biometrics
security. Combination of smart card and biometrics has achieved in two step
authentication where smart card authentication is based on a Personal Identification
Number (PIN) and the card holder is authenticated using the biometrics template
stored in the smart card that is based on the fingerprint verification.
The fingerprint verification has to be executed on central host server for
security purposes. Protocol designed allows controlling entire parameters
of smart security controller like PIN options, Reader delay, real-time clock,
alarm option and cardholder access conditions.
Linux
File & Directory Permissions Mistakes - One common mistake Linux
administrators make is having file and directory permissions that are far
too liberal and allow access beyond that which is needed for proper system
operations. A full explanation of unix file permissions is beyond the scope
of this article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one is available
right here on linuxsecurity.com.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
Debian: New pstotext packages fix arbitrary shell command execution
Debian: New texinfo packages fix multiple vulnerabilities
27th, November, 2006
Multiple vulnerabilities have been found in the GNU texinfo package, a documentation system for on-line information and printed output. CVE-2005-3011: Handling of temporary files is performed in an insecure manner, allowing an attacker to overwrite any file writable by the victim. CVE-2006-4810: A buffer overflow in util/texindex.c could allow an attacker to execute arbitrary code with the victim's access rights by inducing the victim to run texindex or tex2dvi on a specially crafted texinfo file.
http://www.linuxsecurity.com/content/view/125934
Debian: New libgsf packages fix arbitrary code execution
Debian: New proftpd packages fix several vulnerabilities
30th, November, 2006
Several remote vulnerabilities have been discovered in the proftpd FTP daemon, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-5815 It was discovered that a buffer overflow in the sreplace() function may lead to denial of service and possibly the execution of arbitrary code. CVE-2006-6170 It was discovered that a buffer overflow in the mod_tls addon module may lead to the execution of arbitrary code. CVE-2006-6171 It was discovered that insufficient validation of FTP command buffer size limits may lead to denial of service. Due to unclear information this issue was already fixed in DSA-1218 as CVE-2006-5815.
http://www.linuxsecurity.com/content/view/125994
Mandriva: Updated apache-mod_auth_kerb packages fixes DoS vulnerability
23rd, November, 2006
An off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 allows remote attackers to cause a denial of service (crash) via a crafted Kerberos message that triggers a heap-based buffer overflow in the component array. Packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/125887
On Mandriva Linux 2007.0, the path for D-Bus system bus socket was not following D-Bus specification. This could cause some implementation of the D-Bus specification to not detect the system bus correctly. This updated package ensures the location of the system bus is exported through BUS_SYSTEM_BUS_ADDRESS, in compliance with D-Bus specification.
http://www.linuxsecurity.com/content/view/125897
Mandriva: Updated audacity packages fixes menu issues with French locale
28th, November, 2006
For the French locale, menu items which contained accented characters do not show up in the Audacity sound editor. This is because the French translation file was not in the correct character encoding. This issue is corrected in the updated packages.
http://www.linuxsecurity.com/content/view/125945
Mandriva: Updated tar packages fix vulnerability
28th, November, 2006
GNU tar 1.16 and 1.15.1, and possibly other versions, allows user-assisted attackers to overwrite arbitrary files via a tar file that contains a GNUTYPE_NAMES record with a symbolic link, which is not properly handled by the extract_archive function in extract.c and extract_mangle function in mangle.c, a variant of CVE-2002-1216. The updated packages have been patched to address this issue.
http://www.linuxsecurity.com/content/view/125963
Mandriva: Updated rpmdrake packages address several issues
29th, November, 2006
Several bugs were fixed in rpmdrake: - various people saw crashes due to invalid UTF-8 strings (#26099) - edit-urpm-sources.pl didn't start if urpmi.cfg did not exist (#27336) - MandrivaUpdate got several fixes: o it was impossible to select an update where there was only one group (#26135) o all updates are preselected by default (#25271) o all security, bugfix & normal updates were not displayed in "all updates" mode (#27268) o default is now "all updates" rather than "security updates"
http://www.linuxsecurity.com/content/view/125985
Mandriva: Updated drakxtools packages address several issues
An updated jbossas package that corrects a security vulnerability is now available for Red Hat Application Stack. This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/125904
Teemu Salmela discovered that tar still handled the deprecated GNUTYPE_NAMES record type. This record type could be used to create symlinks that would be followed while unpacking a tar archive. If a user or an automated system were tricked into unpacking a specially crafted tar file, arbitrary files could be overwritten with user privileges.
http://www.linuxsecurity.com/content/view/125941
Ubuntu: ImageMagick vulnerability
27th, November, 2006
Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI file format decoder. By tricking a user or an automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user's privileges.
http://www.linuxsecurity.com/content/view/125942
Ubuntu: Dovecot vulnerability
28th, November, 2006
Dovecot was discovered to have an error when handling its index cache files. This error could be exploited by authenticated POP and IMAP users to cause a crash of the Dovecot server, or possibly to execute arbitrary code. Only servers using the non-default option "mmap_disable=yes" were vulnerable.
http://www.linuxsecurity.com/content/view/125961
Ubuntu: KOffice vulnerability
29th, November, 2006
An integer overflow was discovered in KOffice's filtering code. By tricking a user into opening a specially crafted PPT file, attackers could crash KOffice or possibly execute arbitrary code with the user's privileges.
http://www.linuxsecurity.com/content/view/125973
Ubuntu: GnuPG vulnerability
29th, November, 2006
A buffer overflow was discovered in GnuPG. By tricking a user into running gpg interactively on a specially crafted message, an attacker could execute arbitrary code with the user's privileges. This vulnerability is not exposed when running gpg in batch mode.
http://www.linuxsecurity.com/content/view/125975
Only registered users can write comments. Please login or register.
