Linux Advisory Watch: February 16th 2007
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, advisories were released for fetchmail, imagemagick, eclipse, netkit,
samba, proftpd, snort, rar, postgresql, smb4k, dbus, java, moinmoin, and the
Linux kernel. The distributors include Debian, Fedora, Gentoo, Mandriva, Red
Hat, and Ubuntu.
RFID with Bio-Smart Card in Linux - In this paper, we describe the integration
of a fingerprint template and an RF smart card for a clustered network, designed
on the Linux platform with open source technology to obtain biometric security.
The combination of smart card and biometrics achieves two-step authentication:
the smart card is authenticated by a Personal Identification Number (PIN), and
the card holder is authenticated against the biometric template stored in the
smart card, which is based on fingerprint verification. For security purposes,
the fingerprint verification has to be executed on a central host server. The
protocol designed allows control of all parameters of the smart security
controller, such as PIN options, reader delay, real-time clock, alarm option
and cardholder access conditions.
Linux File & Directory Permissions Mistakes - One common mistake Linux
administrators make is having file and directory permissions that are far
too liberal and allow access beyond that which is needed for proper system
operations. A full explanation of Unix file permissions is beyond the scope
of this article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one is available
right here on linuxsecurity.com.
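As an added example (not code from the article or from LinuxSecurity.com), a small POSIX sh audit of the mistake described above: it lists world-writable files and directories under a tree, skipping sticky-bit directories like /tmp, and tightens the rest with chmod. The sample tree it builds under mktemp is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a directory tree for "too liberal" permissions.
# Assumes POSIX sh plus find(1), chmod(1) and mktemp(1).

# Print every file or directory under $1 that is writable by "other".
# Directories with the sticky bit (mode 1xxx, e.g. /tmp) are excluded,
# since that is the one accepted use of a world-writable directory.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) -print
}

# Number of offending paths, as a bare integer (wc may pad with spaces).
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Remove the "other" write bit from every offending path.
# One path per line; paths containing newlines are not handled here.
fix_world_writable() {
    audit_world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

# Constructed sample tree: two mistakes, one acceptable case, one fine file.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc" "$dir/tmp" "$dir/home/alice"
    printf 'secret\n' > "$dir/etc/app.conf"
    printf 'notes\n' > "$dir/home/alice/notes.txt"
    chmod 666 "$dir/etc/app.conf"          # mistake: world-writable config
    chmod 777 "$dir/home/alice"            # mistake: world-writable home dir
    chmod 1777 "$dir/tmp"                  # acceptable: sticky-bit scratch dir
    chmod 644 "$dir/home/alice/notes.txt"  # fine
    printf '%s\n' "$dir"
}

# Stand-alone usage against a real tree, e.g.: audit_world_writable /etc
```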
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
Debian
Debian: New fetchmail packages fix information disclosure
The original fix introduced a new vulnerability allowing the
listing of any arbitrary directory with root group permissions due to
a typo in the setgid() call. New fixed packages are available. Also, this
update adds a second CVE reference which was not originally mentioned
although it was covered by the original fix.
http://www.linuxsecurity.com/content/view/127043
Jeff Trout discovered that the PostgreSQL server did not sufficiently
check data types of SQL function arguments in some cases. A user could
then exploit this to crash the database server or read out arbitrary locations
of the server's memory, which could be used to retrieve database contents
that the user should not be able to see. Note that a user must be authenticated
in order to exploit this (CVE-2007-0555).
http://www.linuxsecurity.com/content/view/126948
Vladimir Nadvornik discovered a buffer overflow in GraphicsMagick
and ImageMagick that allows user-assisted attackers to cause a denial of service
and possibly execute arbitrary code via a PALM image that is not
properly handled by the ReadPALMImage function in coders/palm.c. This
is related to an earlier fix for CVE-2006-5456 that did not fully correct
the issue.
http://www.linuxsecurity.com/content/view/126967
Kees Cook performed an audit on the Smb4K program and discovered
a number of vulnerabilities and security weaknesses that have been addressed
and corrected in Smb4K 0.8.0 which is being provided with this update.
http://www.linuxsecurity.com/content/view/127034
Red Hat
RedHat: Moderate: dbus security update
8th, February, 2007
Updated dbus packages that fix a security issue are now available
for Red Hat Enterprise Linux 4. This update has been rated as having moderate
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/126936
RedHat: Critical: IBMJava2 security update
8th, February, 2007
IBMJava2-JRE and IBMJava2-SDK packages that correct several
security issues are available for Red Hat Enterprise Linux 2.1. This update
has been rated as having critical security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/126942
RedHat: Critical: java-1.5.0-ibm security update
9th, February, 2007
java-1.5.0-ibm packages that correct several security issues
are available for Red Hat Enterprise Linux 4 Extras. This update has been
rated as having critical security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/126959
Ubuntu
Ubuntu: MoinMoin vulnerability
9th, February, 2007
A flaw was discovered in MoinMoin's page name sanitizer which
could lead to a cross-site scripting attack. By tricking a user into viewing
a crafted MoinMoin page, an attacker could execute arbitrary JavaScript
as the current MoinMoin user, possibly exposing the user's authentication
information for the domain where MoinMoin was hosted.
http://www.linuxsecurity.com/content/view/126969
USN-417-2 fixed a severe regression in the PostgreSQL server
that was introduced in USN-417-1 and caused some valid queries to be aborted
with a type error. This update fixes a similar (but much less prominent)
error. At the same time, PostgreSQL is updated to version 8.1.8, which
fixes a range of important bugs.
http://www.linuxsecurity.com/content/view/126977