Linux Advisory Watch: March 23rd 2007
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, advisories were released for webcalendar, libwpd, lookup-el, openoffice,
openafs, tcpdump, asterisk, postgresql, thunderbird, LTSP, LSAT, php, Mozilla,
wordpress, nufw, libwpd, nas, openafs, libwpd, php, libwpd, Inkscape, file,
and mysql. The distributors include Debian, Gentoo, Mandriva, Red Hat, SuSE,
and Ubuntu.
RFID with Bio-Smart Card in Linux - In this paper, we describe the integration
of a fingerprint template and an RF smart card for a clustered network, which is
designed on the Linux platform with open source technology to obtain biometric
security. Combining the smart card and biometrics achieves two-step
authentication: smart card authentication is based on a Personal Identification
Number (PIN), and the card holder is then authenticated using the biometric template
stored in the smart card, which is based on fingerprint verification.
The fingerprint verification has to be executed on a central host server for
security purposes. The protocol designed allows controlling all parameters
of the smart security controller, such as PIN options, reader delay, real-time clock,
alarm option and cardholder access conditions.
Linux File & Directory Permissions Mistakes - One common mistake Linux
administrators make is having file and directory permissions that are far
too liberal and allow access beyond that which is needed for proper system
operations. A full explanation of unix file permissions is beyond the scope
of this article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one is available
right here on linuxsecurity.com.
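As an added example (not from the newsletter or the linked article), the following POSIX shell functions audit a directory tree for the over-liberal permission settings the article warns about: world-writable files, world-writable directories without the sticky bit, and setuid/setgid executables. The function names and the constructed sample tree are assumptions made for this example.

```shell
# Added example: audit a tree for permission settings that are commonly
# too liberal. Uses only POSIX find/chmod; no site-specific paths.

# Regular files that any user on the system can modify.
world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Directories any user can write to that lack the sticky bit; without it,
# users can delete or rename each other's files (compare /tmp, mode 1777).
world_writable_dirs_no_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Setuid or setgid files; every one of these should be known and justified.
setuid_setgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Constructed sample tree mixing acceptable and over-permissive entries.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/shared" "$d/dropbox" "$d/private"
    touch "$d/shared/notes.txt" "$d/private/secret.conf" "$d/tool"
    chmod 666 "$d/shared/notes.txt"    # world-writable file: bad
    chmod 600 "$d/private/secret.conf" # owner only: fine
    chmod 777 "$d/shared"              # world-writable, no sticky bit: bad
    chmod 1777 "$d/dropbox"            # world-writable but sticky: acceptable
    chmod 700 "$d/private"
    chmod 4755 "$d/tool"               # setuid executable: must be justified
    printf '%s\n' "$d"
}

# One finding per line, "kind: path", for all three checks.
audit_tree() {
    world_writable_files "$1"          | sed 's/^/world-writable-file: /'
    world_writable_dirs_no_sticky "$1" | sed 's/^/world-writable-dir-no-sticky: /'
    setuid_setgid_files "$1"           | sed 's/^/setuid-or-setgid: /'
}

root=$(make_sample_tree)
audit_tree "$root"   # prints three findings for the constructed tree
rm -rf "$root"
```

Run it against a real tree with `audit_tree /usr/local` and compare the output against what you expect to be there; the sticky-bit check keeps legitimate shared directories such as /tmp out of the report.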
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
Debian
Debian: New webcalendar packages fix remote file inclusion
Debian: New OpenOffice.org packages fix several vulnerabilities
20th, March, 2007
Several security related problems have been discovered in OpenOffice.org,
the free office suite. The Common Vulnerabilities and Exposures project
identifies the following problems.
http://www.linuxsecurity.com/content/view/127511
Debian: New openafs packages fix remote privilege escalation bug
20th, March, 2007
A design error has been identified in OpenAFS, a cross-platform
distributed filesystem included with Debian. It's possible for an attacker
with knowledge of AFS to forge an AFS FetchStatus call and make an arbitrary
binary file appear to an AFS client host to be setuid. If they can then
arrange for that binary to be executed, they will be able to achieve privilege
escalation.
http://www.linuxsecurity.com/content/view/127512
Debian: New tcpdump packages fix denial of service
22nd, March, 2007
Moritz Jodeit discovered an off-by-one buffer overflow in tcpdump,
a powerful tool for network monitoring and data acquisition, which allows
denial of service.
http://www.linuxsecurity.com/content/view/127539
PHP contains several vulnerabilities including a heap buffer
overflow, potentially leading to the remote execution of arbitrary code
under certain conditions.
http://www.linuxsecurity.com/content/view/127514
Gentoo: Mozilla Network Security Service: Remote execution of arbitrary code
20th, March, 2007
The Mozilla Network Security Services libraries are vulnerable
to two buffer overflows that could result in the remote execution of arbitrary
code.
http://www.linuxsecurity.com/content/view/127515
Mandriva: Updated libwpd packages to address heap overflow vulnerabilities
16th, March, 2007
iDefense reported several overflow bugs in libwpd. An attacker
could create a carefully crafted Word Perfect file that could cause an
application linked with libwpd, such as OpenOffice, to crash or possibly
execute arbitrary code if the file was opened by a victim. Updated packages
have been patched to address this issue.
http://www.linuxsecurity.com/content/view/127475
Mandriva: Updated openoffice.org packages to address libwpd heap overflow vulnerabilities
16th, March, 2007
iDefense reported several overflow bugs in libwpd. An attacker
could create a carefully crafted Word Perfect file that could cause an
application linked with libwpd, such as OpenOffice, to crash or possibly
execute arbitrary code if the file was opened by a victim. OpenOffice.org-2.X
contains an embedded copy of libwpd, and as such is susceptible to the
same issues. Updated packages have been rebuilt using the system libwpd
to address this issue.
http://www.linuxsecurity.com/content/view/127476
Mandriva: Updated nas packages address multiple vulnerabilities
20th, March, 2007
Luigi Auriemma discovered a number of problems with the nas
(Network Audio System) daemon that could be used to crash nasd. Updated
packages have been patched to address this issue.
http://www.linuxsecurity.com/content/view/127518
By default, OpenAFS prior to 1.44 and 1.5.17 supports setuid
programs within the local cell, which could allow attackers to obtain
privileges. Updated packages have been patched to address this issue.
http://www.linuxsecurity.com/content/view/127519
Red Hat
RedHat: Important: libwpd security update
16th, March, 2007
Updated libwpd packages to correct a security issue are now
available for Red Hat Enterprise Linux 5. This update has been rated as
having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/127472
Sean Larsson of iDefense Labs discovered that libwpd was vulnerable
to integer overflows. If a user were tricked into opening a specially
crafted WordPerfect document with an application that used libwpd, an
attacker could execute arbitrary code with user privileges.
http://www.linuxsecurity.com/content/view/127492
Ubuntu: Inkscape vulnerability
20th, March, 2007
A flaw was discovered in Inkscape's use of format strings. If
a user were tricked into opening a specially crafted URI in Inkscape,
a remote attacker could execute arbitrary code with user privileges.
http://www.linuxsecurity.com/content/view/127517
Ubuntu: file vulnerability
21st, March, 2007
Jean-Sebastien Guay-Leroux discovered that "file" did not correctly
check the size of allocated heap memory. If a user were tricked into examining
a specially crafted file with the "file" utility, a remote attacker could
execute arbitrary code with user privileges.
http://www.linuxsecurity.com/content/view/127526
Ubuntu: MySQL vulnerability
21st, March, 2007
Stefan Streichbier and B. Mueller of SEC Consult discovered
that MySQL subselect queries using "ORDER BY" could be made to crash the
MySQL server. An attacker with access to a MySQL instance could cause
an intermittent denial of service.
http://www.linuxsecurity.com/content/view/127527