Get the LinuxSecurity news you want faster with RSS
Powered By
Linux Advisory Watch: March 2nd 2007
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, advisories were released for Nexuiz, mplayer, chmlib, php, spamassassin,
gnome-terminal, snort, tcpdump, timezone, seamonkey, firefox, clamav, ekiga,
enigmail, and nvidia-glx-config. The distributors include Gentoo, Mandriva,
Red Hat, Slackware, SuSE, and Ubuntu.
RFID
with Bio-Smart Card in Linux - In this paper, we describe the integration
of fingerprint template and RF smart card for clustered network, which is
designed on Linux platform and Open source technology to obtain biometrics
security. Combination of smart card and biometrics has achieved in two step
authentication where smart card authentication is based on a Personal Identification
Number (PIN) and the card holder is authenticated using the biometrics template
stored in the smart card that is based on the fingerprint verification.
The fingerprint verification has to be executed on central host server for
security purposes. Protocol designed allows controlling entire parameters
of smart security controller like PIN options, Reader delay, real-time clock,
alarm option and cardholder access conditions.
Linux
File & Directory Permissions Mistakes - One common mistake Linux
administrators make is having file and directory permissions that are far
too liberal and allow access beyond that which is needed for proper system
operations. A full explanation of unix file permissions is beyond the scope
of this article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one is available
right here on linuxsecurity.com.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
A number of vulnerabilities were discovered in PHP language.
Many buffer overflow flaws were discovered in the PHP session extension,
the str_replace() function, and the imap_mail_compose() function. An attacker
able to use a PHP application using any of these functions could trigger
these flaws and possibly execute arbitrary code as the apache user (CVE-2007-0906).
http://www.linuxsecurity.com/content/view/127174
Mandriva: Updated spamassassin packages
fix DoS vulnerability
23rd, February, 2007
A bug in the way that SpamAssassin processes HTML emails containing
URIs was discovered in versions 3.1.x. A carefully crafted mail message
could make SpamAssassin consume significant amounts of CPU resources that
could delay or prevent the delivery of mail if a number of these messages
were sent at once.
http://www.linuxsecurity.com/content/view/127191
A bug was causing incorrect window resizing when switching between
multiple tabs in GNOME-Terminal. This bug, as well as memory leaks, has
been fixed with this update.
http://www.linuxsecurity.com/content/view/127205
A number of security vulnerabilities have been discovered and
corrected in the latest Mozilla Firefox program, version 1.5.0.10. This
update provides the latest Firefox to correct these issues.
Mandriva: Updated snort packages fix
DoS vulnerability
28th, February, 2007
Algorithmic complexity vulnerability in Snort before 2.6.1,
during predicate evaluation in rule matching for certain rules, allows
remote attackers to cause a denial of service (CPU consumption and detection
outage) via crafted network traffic, aka a backtracking attack. Updated
packages have been patched to address this issue.
http://www.linuxsecurity.com/content/view/127251
Mandriva: Updated tcpdump packages fix
segfault
1st, March, 2007
Tcpdump would cause a segmentation fault on certain packets
when reading back a captured tcpdump file. This update corrects that problem.
Mandriva: Updated timezone packages provide
updated DST information
1st, March, 2007
Updated timezone packages are being provided for older Mandriva
Linux systems that do not contain the new Daylight Savings Time information
for 2007 for certain time zones. These updated packages contain the new
information.
Updated PHP packages that fix several security issues are now
available for Red Hat Application Stack v1.1. This update has been rated
as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/127157
RedHat: Critical: seamonkey security
update
23rd, February, 2007
Updated seamonkey packages that fix several security bugs are
now available for Red Hat Enterprise Linux 2.1, 3, and 4. This update
has been rated as having critical security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/127192
RedHat: Critical: Firefox security update
23rd, February, 2007
Updated firefox packages that fix several security bugs are
now available for Red Hat Enterprise Linux 4. This update has been rated
as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/127193
RedHat: Important: kernel security update
27th, February, 2007
Updated kernel packages that fix two security issues and a bug
in the Red Hat Enterprise Linux 4 kernel are now available. This update
has been rated as having important security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/127223
Slackware
Slackware: php
23rd, February, 2007
New php packages are available for Slackware 10.2 and 11.0 to
improve the stability and security of PHP. Quite a few bugs were fixed
-- please see http://www.php.net for a detailed list.
http://www.linuxsecurity.com/content/view/127175
Mu Security discovered a format string vulnerability in Ekiga.
If a user was running Ekiga and listening for incoming calls, a remote
attacker could send a crafted call request, and execute arbitrary code
with the user's privileges.
http://www.linuxsecurity.com/content/view/127156
Ubuntu: enigmail vulnerability
23rd, February, 2007
Mikhail Markin reported that enigmail incorrectly handled memory
allocations for certain large encrypted attachments. This caused Thunderbird
to crash and thus caused the entire message to be inaccessible.
http://www.linuxsecurity.com/content/view/127176
Ubuntu: Firefox vulnerabilities
28th, February, 2007
Several flaws have been found in Firefox that could be used
to perform Cross-site scripting attacks.
USN-416-1 fixed various vulnerabilities in the Linux kernel.
Unfortunately that update caused the 'nvidia-glx-config' script to not
work any more. The new version fixes the problem. We apologize for the
inconvenience.
http://www.linuxsecurity.com/content/view/127252
Only registered users can write comments. Please login or register.
