LinuxSecurity.com 		Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: May 14th, 2012
Linux Advisory Watch: May 10th, 2012
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Advisory Watch: February 9th 2007 Print E-mail
User Rating:      How can I rate this item?
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
Linux Advisory Watch This week, advisories were released for samba, mozilla, kdelibs, mpg123, wireshark, gd, libwmf, php, gtk, kernel, bind, java, postgresql, and dbus. The distributors include Debian, Mandriva, Red Hat, Slackware, and Ubuntu.

Earn an NSA recognized IA Masters Online - The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

LinuxSecurity.com Feature Extras:

    RFID with Bio-Smart Card in Linux - In this paper, we describe the integration of fingerprint template and RF smart card for clustered network, which is designed on Linux platform and Open source technology to obtain biometrics security. Combination of smart card and biometrics has achieved in two step authentication where smart card authentication is based on a Personal Identification Number (PIN) and the card holder is authenticated using the biometrics template stored in the smart card that is based on the fingerprint verification. The fingerprint verification has to be executed on central host server for security purposes. Protocol designed allows controlling entire parameters of smart security controller like PIN options, Reader delay, real-time clock, alarm option and cardholder access conditions.

    Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

   Debian
  Debian: New samba packages fix several vulnerabilities
  5th, February, 2007

Updated package.

http://www.linuxsecurity.com/content/view/126891
 
  Debian: New Mozilla Firefox packages fix several vulnerabilities
  7th, February, 2007

Updated package.

http://www.linuxsecurity.com/content/view/126923
 
   Mandriva
  Mandriva: Updated kdelibs packages fix KHTML vulnerability
  2nd, February, 2007

FIXME Konqueror 3.5.5 does not properly parse HTML comments in title tags, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment, a related issue to CVE-2007-0478.

http://www.linuxsecurity.com/content/view/126861
 
  Mandriva: Updated mpg123 packages fix DoS vulnerability.
  2nd, February, 2007

The http_open function in httpget.c in mpg123 before 0.64 allows remote attackers to cause a denial of service (infinite loop) by closing the HTTP connection early. Packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/126862
 
  Mandriva: Updated wireshark packages fix multiple vulnerabilities
  3rd, February, 2007

Vulnerabilities in the LLT, IEEE 802.11, HTTP, and TCP dissectors were discovered in versions of wireshark less than 0.99.5, as well as various other bugs. This updated provides wireshark 0.99.5 which is not vulnerable to these issues.

http://www.linuxsecurity.com/content/view/126863
 
  Mandriva: Updated samba packages address multiple vulnerabilities
  5th, February, 2007

A logic error in the deferred open code for smbd may allow an authenticated user to exhaust resources such as memory and CPU on the server by opening multiple CIFS sessions, each of which will normally spawn a new smbd process, and sending each connection into an infinite..

http://www.linuxsecurity.com/content/view/126893
 
  Mandriva: Updated gd packages fix DoS vulnerability.
  6th, February, 2007

Buffer overflow in the gdImageStringFTEx function in gdft.c in the GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.

http://www.linuxsecurity.com/content/view/126919
 
  Mandriva: Updated libwmf packages fix embedded gd DoS vulnerability.
  6th, February, 2007

Buffer overflow in the gdImageStringFTEx function in gdft.c in the GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font. Libwmf uses an embedded copy of the gd source and may also be affected by this issue. Packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/126920
 
  Mandriva: Updated postgresql packages address multiple vulnerabilities
  6th, February, 2007

Jeff Trout discovered that the PostgreSQL server did not sufficiently check data types of SQL function arguments in some cases. A user could then exploit this to crash the database server or read out arbitrary locations of the server's memory, which could be used to retrieve database contents that the user should not be able to see. Note that a user must be authenticated in order to exploit this (CVE-2007-0555).

http://www.linuxsecurity.com/content/view/126921
 
  Mandriva: Updated php packages to address multiple issues
  6th, February, 2007

PHP 5.2.0 and 4.4 allows local users to bypass safe_mode and open_basedir restrictions via a malicious path and a null byte before a ";" in a session_save_path argument, followed by an allowed path, which causes a parsing inconsistency in which PHP validates the allowed path but sets session.save_path to the malicious path. (CVE-2006-6383)

http://www.linuxsecurity.com/content/view/126922
 
  Mandriva: Updated gtk+2.0 packages address DoS, LSB issues, several bugs
  7th, February, 2007

The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) allows context-dependent attackers to cause a denial of service (crash) via a malformed image file. (CVE-2007-0010)

http://www.linuxsecurity.com/content/view/126933
 
  Mandriva: Updated kernel packages fix multiple vulnerabilities and bugs
  7th, February, 2007

The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux 2.4 kernel before 2.4.34-rc4, as well as the 2.6 kernel, does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash. (CVE-2006-5749)

http://www.linuxsecurity.com/content/view/126934
 
   Red Hat
  RedHat: Moderate: bind security update
  6th, February, 2007

Updated bind packages that fix a security issue and a bug are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/126914
 
  RedHat: Critical: java-1.4.2-ibm security update
  7th, February, 2007

Updated java-1.4.2-ibm packages to correct several security issues are now available for Red Hat Enterprise Linux 3 and 4 Extras. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/126930
 
  RedHat: Moderate: postgresql security update
  7th, February, 2007

Updated postgresql packages that fix two security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/126931
 
  RedHat: Moderate: postgresql security update
  7th, February, 2007

Updated postgresql packages that fix several security vulnerabilities are now available for the Red Hat Application Stack. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/126932
 
  RedHat: Moderate: dbus security update
  8th, February, 2007

Updated dbus packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/126936
 
   Slackware
  Slackware: samba
  7th, February, 2007

New samba packages are available for Slackware 10.0, 10.1, 10.2, and 11.0 to fix a denial-of-service security issue.

http://www.linuxsecurity.com/content/view/126935
 
   Ubuntu
  Ubuntu: GTK vulnerability
  1st, February, 2007

A flaw was discovered in the error handling of GTK's image loading library. Applications opening certain corrupted images could be made to crash, causing a denial of service.

http://www.linuxsecurity.com/content/view/126851
 
  Ubuntu: PostgreSQL vulnerabilities
  5th, February, 2007

Jeff Trout discovered that the PostgreSQL server did not sufficiently check data types of SQL function arguments in some cases. An authenticated attacker could exploit this to crash the database server or read out arbitrary locations in the server's memory, which could allow retrieving database content the attacker should not be able to see. (CVE-2007-0555)

http://www.linuxsecurity.com/content/view/126876
 
  Ubuntu: Bind vulnerabilities
  5th, February, 2007

A flaw was discovered in Bind's DNSSEC validation code. Remote attackers could send a specially crafted DNS query which would cause the Bind server to crash, resulting in a denial of service. Only servers configured to use DNSSEC extensions were vulnerable.

http://www.linuxsecurity.com/content/view/126894
 
  Ubuntu: Samba vulnerabilities
  6th, February, 2007

A flaw was discovered in Samba's file opening code, which in certain situations could lead to an endless loop, resulting in a denial of service.

http://www.linuxsecurity.com/content/view/126916
 
  Ubuntu: KDE library vulnerability
  6th, February, 2007

Jose Avila III and Robert Tasarz discovered that the KDE HTML library did not correctly parse HTML comments inside the "title" tag. By tricking a Konqueror user into visiting a malicious website, an attacker could bypass cross-site scripting protections.

http://www.linuxsecurity.com/content/view/126917
 
  Ubuntu: PostgreSQL 8.1 regression
  6th, February, 2007

USN-417-1 fixed several vulnerabilities in the PostgreSQL server. Unfortunately this update had a regression that caused some valid queries to be aborted with a type error. This update corrects that problem. We apologize for the inconvenience.

http://www.linuxsecurity.com/content/view/126918
 

Only registered users can write comments.
Please login or register.

Powered by AkoComment!
 
< Prev   Next >
    
Partner

 
Latest Features
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Using the sec-wall Security Proxy
sec-wall: Open Source Security Proxy
Yesterday's Edition
New Nmap Probes IPv6 Networks
Anatomy of a hack: 6 separate bugs needed to bring down Google browser
Sony PS Vita Hacking Expands With Homebrew Loader
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2012 Guardian Digital, Inc. All rights reserved.