Earn an NSA recognized IA Masters Online - The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
LinuxSecurity.com Feature Extras:
RFID with Bio-Smart Card in Linux - In this paper, we describe the integration of fingerprint template and RF smart card for clustered network, which is designed on Linux platform and Open source technology to obtain biometrics security. Combination of smart card and biometrics has achieved in two step authentication where smart card authentication is based on a Personal Identification Number (PIN) and the card holder is authenticated using the biometrics template stored in the smart card that is based on the fingerprint verification. The fingerprint verification has to be executed on central host server for security purposes. Protocol designed allows controlling entire parameters of smart security controller like PIN options, Reader delay, real-time clock, alarm option and cardholder access conditions.
Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.
| Debian | ||
| Debian: New gnomemeeting packages fix arbitrary code execution | ||
| 4th, March, 2007
Updated package. advisories/debian/debian-new-gnomemeeting-packages-fix-arbitrary-code-execution |
||
| Debian: New clamav packages fix denial of service | ||
| 6th, March, 2007
Updated package. advisories/debian/debian-new-clamav-packages-fix-denial-of-service-32713 |
||
| Debian: New php4 packages fix several vulnerabilities | ||
| 7th, March, 2007
Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. |
||
| Fedora | ||
| Fedora Core 6 Update: kernel-2.6.19-1.2911.6.4.fc6 | ||
| 2nd, March, 2007
Unspecified vulnerability in the listxattr system call in Linux kernel, when a "bad inode" is present, allows local users to cause a denial of service (data corruption) and possibly gain privileges via unknown vectors. advisories/fedora/fedora-core-6-update-kernel-2619-1291164fc6-12-26-00-127272 |
||
| Fedora Core 5 Update: kernel-2.6.19-1.2288.2.1.fc5 | ||
| 2nd, March, 2007
The Linux kernel before 2.6.20.1 allows remote attackers to cause a denial of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free of an incorrect pointer. advisories/fedora/fedora-core-5-update-kernel-2619-1228821fc5-12-26-00-127273 |
||
| Fedora Core 6 Update: selinux-policy-2.4.6-41.fc6 | ||
| 2nd, March, 2007
Updates the SELinux policy configuration. This update allows samba to run as domain controller - execute useradd advisories/fedora/fedora-core-6-update-selinux-policy-246-41fc6-12-26-00-127274 |
||
| Gentoo | ||
| Gentoo: Snort Remote execution of arbitrary code | ||
| 1st, March, 2007
The Snort DCE/RPC preprocessor contains a buffer overflow that could result in the remote execution of arbitrary code. |
||
| Gentoo: SpamAssassin Long URI Denial of Service | ||
| 1st, March, 2007
SpamAssassin is vulnerable to a Denial of Service attack. |
||
| Gentoo: ClamAV Denial of Service | ||
| 1st, March, 2007
ClamAV contains two vulnerabilities allowing a Denial of Service. |
||
| Gentoo: Mozilla Firefox Multiple vulnerabilities | ||
| 2nd, March, 2007
Multiple vulnerabilities have been reported in Mozilla Firefox, some of which may allow user-assisted arbitrary remote code execution. |
||
| Gentoo: Mozilla Suite Multiple vulnerabilities | ||
| 3rd, March, 2007
Several vulnerabilities exist in the Mozilla Suite, which is no longer supported by the Mozilla project. |
||
| Gentoo: Snort Remote execution of arbitrary code | ||
| 3rd, March, 2007
Updated package. |
||
| Gentoo: AMD64 x86 emulation Qt library Integer overflow | ||
| 3rd, March, 2007
The AMD64 x86 emulation Qt library makes use of an insecure version of the Qt library, potentially allowing for the remote execution of arbitrary code. |
||
| Gentoo: STLport Possible remote execution of arbitrary | ||
| 6th, March, 2007
Two buffer overflows have been discovered in STLport possibly leading to the remote execution of arbitrary code. |
||
| Mandriva | ||
| Mandriva: Updated tcpdump packages fix segfault | ||
| 1st, March, 2007
Tcpdump would cause a segmentation fault on certain packets when reading back a captured tcpdump file. This update corrects that problem. |
||
| Mandriva: Updated timezone packages provide updated DST information | ||
| 1st, March, 2007
Updated timezone packages are being provided for older Mandriva Linux systems that do not contain the new Daylight Savings Time information for 2007 for certain time zones. These updated packages contain the new information. |
||
| Mandriva: Updated Firefox packages fix multiple vulnerabilities | ||
| 2nd, March, 2007
A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 1.5.0.10. This update provides the latest Firefox to correct these issues. |
||
| Mandriva: Updated Thunderbird packages fix multiple vulnerabilities | ||
| 6th, March, 2007
A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 1.5.0.10. This update provides the latest Thunderbird to correct these issues. |
||
| Mandriva: Updated util-linux packages address umount crash issue | ||
| 6th, March, 2007
Umount allows local users to trigger a NULL dereference and application crash by invoking the program with a pathname for a USB pen drive that was mounted and then physically removed, which might allow the users to obtain sensitive information, including core file contents. Updated packages have been patched to address this issue. |
||
| Red Hat | ||
| RedHat: Critical: thunderbird security update | ||
| 2nd, March, 2007
Updated thunderbird packages that fix several security bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-critical-thunderbird-security-update-41360 |
||
| RedHat: Critical: mod_jk security update | ||
| 2nd, March, 2007
Updated the mod_jk packages this fixes a security issue are now available for Red Hat Application Stack v1.1. This update has been rated as having critical security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-critical-modjk-security-update-RHSA-2007-0096-01 |
||
| RedHat: Important: gnupg security update | ||
| 6th, March, 2007
Updated GnuPG packages that fix a security issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-important-gnupg-security-update-90286 |
||
| Slackware | ||
| Slackware: mozilla-firefox | ||
| 7th, March, 2007
New mozilla-firefox packages are available for Slackware 10.2, and 11.0 to fix security issues. |
||
| Slackware: x11 | ||
| 7th, March, 2007
New x11 packages are available for Slackware 10.2 and 11.0. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database. |
||
| Slackware: seamonkey | ||
| 7th, March, 2007
A new seamonkey package is available for Slackware 11.0 to fix security issues. |
||
| Slackware: imagemagick | ||
| 7th, March, 2007
A new imagemagick package is available for Slackware 11.0 to fix security issues. |
||
| Slackware: mozilla-thunderbird | ||
| 7th, March, 2007
New mozilla-thunderbird packages are available for Slackware 10.2, and 11.0 to fix security issues. |
||
| Slackware: gnupg | ||
| 7th, March, 2007
New gnupg packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix security ramifications of incorrect gpg usage. |
||
| SuSE: MozillaFirefox (SUSE-SA:2007:019) | ||
| 6th, March, 2007
Updated package. |
||
| Ubuntu | ||
| Ubuntu: nvidia-glx-config regression | ||
| 1st, March, 2007
USN-416-1 fixed various vulnerabilities in the Linux kernel. Unfortunately that update caused the 'nvidia-glx-config' script to not work any more. The new version fixes the problem. We apologize for the inconvenience. advisories/ubuntu/ubuntu-nvidia-glx-config-regression |
||
| Ubuntu: Firefox regression | ||
| 2nd, March, 2007
USN-428-1 fixed vulnerabilities in Firefox 1.5. However, changes to library paths caused applications depending on libnss3 to fail to start up. This update fixes the problem. advisories/ubuntu/ubuntu-firefox-regression-4717 |
||
| Ubuntu: mod_python vulnerability | ||
| 6th, March, 2007
Miles Egan discovered that mod_python, when used in output filter mode, did not handle output larger than 16384 bytes, and would display freed memory, possibly disclosing private data. Thanks to Jim Garrison of the Software Freedom Law Center for identifying the original bug as a security vulnerability. advisories/ubuntu/ubuntu-modpython-vulnerability |
||
| Ubuntu: tcpdump vulnerability | ||
| 6th, March, 2007
Moritz Jodeit discovered that tcpdump had an overflow in the 802.11 packet parser. Remote attackers could send specially crafted packets, crashing tcpdump, possibly leading to a denial of service. advisories/ubuntu/ubuntu-tcpdump-vulnerability |
||
| Ubuntu: Thunderbird vulnerabilities | ||
| 6th, March, 2007
The SSLv2 protocol support in the NSS library did not sufficiently check the validity of public keys presented with a SSL certificate. A malicious SSL web site using SSLv2 could potentially exploit this to execute arbitrary code with the user's privileges. (CVE-2007-0008) The SSLv2 protocol support in the NSS library did not sufficiently verify the validity of client master keys presented in an SSL client certificate. A remote attacker could exploit this to execute arbitrary code in a server application that uses the NSS library. advisories/ubuntu/ubuntu-thunderbird-vulnerabilities-67510 |
||
| Ubuntu: GnuPG vulnerability | ||
| 8th, March, 2007
Gerardo Richarte from Core Security Technologies discovered that when gnupg is used without --status-fd, there is no way to distinguish initial unsigned messages from a following signed message. advisories/ubuntu/ubuntu-gnupg-vulnerability-58303 |
||
| Ubuntu: PHP regression | ||
| 8th, March, 2007
USN-424-1 fixed vulnerabilities in PHP. However, some upstream changes were not included, which caused errors in the stream filters. This update fixes the problem. advisories/ubuntu/ubuntu-php-regression |
||
