Linux Advisory Watch: February 23rd 2007
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
Linux Advisory Watch

This week, advisories were released for postgresql, fail2ban, bind, jdk/jre, openssh, amavisd-new, clamav, gnomemeeting, gnucash, ImageMagick, samba, mysql, php, koffice, spamassassin, apparmor, moinmoin, slocate, and ekiga. The distributors include Debian, Gentoo, Mandriva, Red Hat, SuSE, and Ubuntu.




LinuxSecurity.com Feature Extras:

    RFID with Bio-Smart Card in Linux - In this paper, we describe the integration of a fingerprint template and an RF smart card for a clustered network, designed on the Linux platform with open source technology to obtain biometric security. The combination of smart card and biometrics achieves two-step authentication: smart card authentication is based on a Personal Identification Number (PIN), and the card holder is then authenticated against the biometric template stored in the smart card, which is based on fingerprint verification. The fingerprint verification has to be executed on a central host server for security purposes. The protocol designed allows control of all parameters of the smart security controller, such as PIN options, reader delay, real-time clock, alarm option and cardholder access conditions.

    Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


   Debian
  Debian: New PostgreSQL packages fix several vulnerabilities
  15th, February, 2007

Updated package.

http://www.linuxsecurity.com/content/view/127090
 
   Gentoo
  Gentoo: Fail2ban Denial of Service
  15th, February, 2007

A flaw in Fail2ban may allow remote attackers to deny access to arbitrary hosts.

http://www.linuxsecurity.com/content/view/127091
 
  Gentoo: BIND Denial of Service
  17th, February, 2007

ISC BIND contains two vulnerabilities allowing a Denial of Service under certain conditions.

http://www.linuxsecurity.com/content/view/127101
 
  Gentoo: Sun JDK/JRE Execution of arbitrary code
  17th, February, 2007

Sun Java Development Kit (JDK) and Java Runtime Environment (JRE) contain a memory corruption flaw that allows applets to gain elevated privileges, potentially leading to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/127102
 
  Gentoo: AMD64 x86 emulation Sun's J2SE Development Kit Multiple vulnerabilities
  17th, February, 2007

Multiple unspecified vulnerabilities have been identified in Sun Java Development Kit (JDK) and Sun Java Runtime Environment (JRE).

http://www.linuxsecurity.com/content/view/127103
 
  Gentoo: OpenSSH Denial of Service
  20th, February, 2007

A flaw in the OpenSSH daemon allows remote unauthenticated attackers to cause a Denial of Service.

http://www.linuxsecurity.com/content/view/127128
 
   Mandriva
  Mandriva: Updated amavisd-new packages fix configuration
  15th, February, 2007

The default configuration for Amavisd had an incorrect location for the ClamAV socket file. This update corrects the default configuration so it looks in the correct place, thus letting the AV scanner function work.

http://www.linuxsecurity.com/content/view/127089
 
  Mandriva: Updated clamav packages address multiple issues.
  19th, February, 2007

Clam AntiVirus ClamAV before 0.90 does not close open file descriptors under certain conditions, which allows remote attackers to cause a denial of service (file descriptor consumption and failed scans) via CAB archives with a cabinet header record length of zero, which causes a function to return without closing a file descriptor.

http://www.linuxsecurity.com/content/view/127121
 
  Mandriva: Updated ekiga packages fix string vulnerabilities.
  21st, February, 2007

A format string flaw was discovered in how ekiga processes certain messages, which could permit a remote attacker that can connect to ekiga to potentially execute arbitrary code with the privileges of the user running ekiga. Updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/127144
 
  Mandriva: Updated gnomemeeting packages fix string vulnerabilities
  21st, February, 2007

A format string flaw was discovered in how GnomeMeeting processes certain messages, which could permit a remote attacker that can connect to GnomeMeeting to potentially execute arbitrary code with the privileges of the user running GnomeMeeting. Updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/127145
 
  Mandriva: Updated gnucash packages fix temp file issues.
  21st, February, 2007

Gnucash 2.0.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on the (1) gnucash.trace, (2) qof.trace, and (3) qof.trace.[PID] temporary files. Updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/127146
 
  Mandriva: Updated kernel packages fix multiple vulnerabilities and bugs
  21st, February, 2007

A double free vulnerability in the squashfs module could allow a local user to cause a Denial of Service by mounting a crafted squashfs filesystem (CVE-2006-5701).

http://www.linuxsecurity.com/content/view/127154
 
   Red Hat
  RedHat: Moderate: ImageMagick security update
  15th, February, 2007

Updated ImageMagick packages that correct several security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/127080
 
  RedHat: Moderate: samba security update
  15th, February, 2007

Updated samba packages that fix a denial of service vulnerability are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/127081
 
  RedHat: Low: mysql security update
  19th, February, 2007

Updated MySQL packages for the Red Hat Application Stack comprising the v1.1 release are now available. This update also resolves some minor security issues rated as having low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/127117
 
  RedHat: Important: php security update
  19th, February, 2007

Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/127120
 
  RedHat: Critical: gnomemeeting security update
  20th, February, 2007

Updated gnomemeeting packages that fix a security issue are now available for Red Hat Enterprise Linux. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/127124
 
  RedHat: Moderate: koffice security update
  20th, February, 2007

Updated KOffice packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/127127
 
  RedHat: Important: php security update
  21st, February, 2007

Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/127134
 
  RedHat: Important: spamassassin security update
  21st, February, 2007

Updated spamassassin packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/127148
 
  RedHat: Important: php security update
  22nd, February, 2007

Updated PHP packages that fix several security issues are now available for Red Hat Application Stack v1.1. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/127157
 
   SuSE
  SuSE: AppArmor (SUSE-SA:2007:015)
  15th, February, 2007

Updated package.

http://www.linuxsecurity.com/content/view/127074
 
  SuSE: samba remote denial of service
  15th, February, 2007

Updated package.

http://www.linuxsecurity.com/content/view/127077
 
   Ubuntu
  Ubuntu: ImageMagick vulnerabilities
  15th, February, 2007

Vladimir Nadvornik discovered that the fix for CVE-2006-5456, released in USN-372-1, did not correctly solve the original flaw in PALM image handling. By tricking a user into processing a specially crafted image with an application that uses ImageMagick, an attacker could execute arbitrary code with the user's privileges.

http://www.linuxsecurity.com/content/view/127088
 
  Ubuntu: MoinMoin vulnerabilities
  20th, February, 2007

A flaw was discovered in MoinMoin's debug reporting sanitizer which could lead to a cross-site scripting attack. By tricking a user into viewing a crafted MoinMoin URL, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user's authentication information for the domain where MoinMoin was hosted.

http://www.linuxsecurity.com/content/view/127131
 
  Ubuntu: PHP vulnerabilities
  21st, February, 2007

Multiple buffer overflows have been discovered in various PHP modules. If a PHP application processes untrusted data with functions of the session or zip module, or various string functions, a remote attacker could exploit this to execute arbitrary code with the privileges of the web server.

http://www.linuxsecurity.com/content/view/127147
 
  Ubuntu: slocate vulnerability
  21st, February, 2007

A flaw was discovered in the permission checking code of slocate. When reporting matching files, locate would not correctly respect the parent directory's "read" bits. This could result in filenames being displayed when the file owner had expected them to remain hidden from other system users.

http://www.linuxsecurity.com/content/view/127155
 
  Ubuntu: Ekiga vulnerabilities
  22nd, February, 2007

Mu Security discovered a format string vulnerability in Ekiga. If a user was running Ekiga and listening for incoming calls, a remote attacker could send a crafted call request, and execute arbitrary code with the user's privileges.

http://www.linuxsecurity.com/content/view/127156
 

(c)Copyright 2012 Guardian Digital, Inc. All rights reserved.