This week, advisories were released for webcalendar, aircrack-ng, clamav, php, 3proxy, NAS, ClamAV, sqlite, freeradius, zziplib, java, xine, freetype, clamav, Opera, and rdesktop. The distributors include Debian, Gentoo, Mandriva, Red Hat, Slackware, and SuSE.




LinuxSecurity.com Feature Extras:

    RFID with Bio-Smart Card in Linux - In this paper, we describe the integration of a fingerprint template and an RF smart card for a clustered network, which is designed on the Linux platform and open source technology to obtain biometric security. The combination of smart card and biometrics is achieved in a two-step authentication, where smart card authentication is based on a Personal Identification Number (PIN) and the card holder is authenticated using the biometric template stored in the smart card, based on fingerprint verification. The fingerprint verification has to be executed on a central host server for security purposes. The protocol designed allows controlling all parameters of the smart security controller, such as PIN options, reader delay, real-time clock, alarm option and cardholder access conditions.

    Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of Unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


Debian
Debian: New webcalendar packages fix cross-site scripting
22nd, April, 2007

It was discovered that WebCalendar, a PHP-based calendar application, performs insufficient sanitising in the exports handler, which allows injection of web script.

advisories/debian/debian-new-webcalendar-packages-fix-cross-site-scripting

Debian: New aircrack-ng packages fix arbitrary code execution
24th, April, 2007

It was discovered that aircrack-ng, a WEP/WPA security analysis tool, performs insufficient validation of 802.11 authentication packets, which allows the execution of arbitrary code.

advisories/debian/debian-new-aircrack-ng-packages-fix-arbitrary-code-execution

Debian: New clamav packages fix several vulnerabilities
25th, April, 2007

Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems.

advisories/debian/debian-new-clamav-packages-fix-several-vulnerabilities-27806

Debian: New php4 packages fix several vulnerabilities
26th, April, 2007

Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

advisories/debian/debian-new-php4-packages-fix-several-vulnerabilities-67618

Gentoo
Gentoo: Aircrack-ng Remote execution of arbitrary code
22nd, April, 2007

Aircrack-ng contains a buffer overflow that could lead to the remote execution of arbitrary code with root privileges.

Gentoo: 3proxy Buffer overflow
22nd, April, 2007

A vulnerability has been discovered in 3proxy allowing for the remote execution of arbitrary code.

Gentoo: Courier-IMAP Remote execution of arbitrary code
22nd, April, 2007

A vulnerability has been discovered in Courier-IMAP allowing for remote code execution with root privileges.

Gentoo: Blender User-assisted remote execution of arbitrary code
23rd, April, 2007

A vulnerability has been discovered in Blender allowing for user-assisted arbitrary code execution.

Gentoo: NAS Multiple vulnerabilities
23rd, April, 2007

The Network Audio System is vulnerable to a buffer overflow that could result in the execution of arbitrary code with root privileges.

Gentoo: ClamAV Multiple vulnerabilities
24th, April, 2007

Multiple vulnerabilities have been discovered in ClamAV allowing for the remote execution of arbitrary code. iDefense Labs have reported a stack-based buffer overflow in the cab_unstore() function when processing negative values in .cab files. Multiple file descriptor leaks have also been reported in chmunpack.c, pdf.c and dblock.c when processing .chm files.

Mandriva
Mandriva: Updated php packages fix multiple vulnerabilities
19th, April, 2007

A heap-based buffer overflow vulnerability was found in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution (CVE-2007-1001). A DoS flaw was found in how PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array (CVE-2007-1285).

Mandriva: Updated php packages fix multiple vulnerabilities
19th, April, 2007

A heap-based buffer overflow vulnerability was found in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution (CVE-2007-1001).

Mandriva: Updated php packages fix multiple vulnerabilities
19th, April, 2007

A heap-based buffer overflow vulnerability was found in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution (CVE-2007-1001).

Mandriva: Updated php packages fix multiple vulnerabilities
19th, April, 2007

A heap-based buffer overflow vulnerability was found in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution (CVE-2007-1001). A DoS flaw was found in how PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array (CVE-2007-1285).

Mandriva: Updated sqlite packages fix vulnerability
19th, April, 2007

A buffer overflow in sqlite could allow context-dependent attackers to execute arbitrary code via an empty value of the 'in' parameter. Updated packages have been patched to correct this issue.

Mandriva: Updated freeradius packages fix vulnerability
23rd, April, 2007

Multiple buffer overflows were found in the FreeRADIUS package version 1.0.4 and prior that could allow a remote attacker to cause a crash via the rlm_sqlcounter module (CVE-2005-4746). An SQL injection vulnerability was also found in the rlm_sqlcounter module that could allow a remote attacker to execute arbitrary SQL commands via unknown attack vectors (CVE-2005-4745). Updated packages have been patched to correct this issue.

Mandriva: Updated zziplib packages fix vulnerability
23rd, April, 2007

A stack-based buffer overflow in the ZZIPlib library could allow user-assisted remote attackers to cause an application crash (DoS) or execute arbitrary code via a long filename. Updated packages have been patched to correct this issue.

Mandriva: Updated postgresql packages fix vulnerability
26th, April, 2007

A weakness in previous versions of PostgreSQL was found in the security definer functions in which an authenticated but otherwise unprivileged SQL user could use temporary objects to execute arbitrary code with the privileges of the security-definer function.

Red Hat
RedHat: Moderate: php security update
20th, April, 2007

Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 5. A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583)

advisories/red-hat/redhat-moderate-php-security-update-38610

RedHat: Critical: java-1.4.2-ibm security update
25th, April, 2007

Updated java-1.4.2-ibm packages to correct a security issue are now available for Red Hat Enterprise Linux 3 and 4 Extras. A flaw in GIF image handling was found in the SUN Java Runtime Environment that has now been reported as also affecting IBM Java 2. An untrusted applet or application could use this flaw to elevate its privileges and potentially execute arbitrary code.

advisories/red-hat/redhat-critical-java-142-ibm-security-update-6214

RedHat: Critical: java-1.5.0-ibm security update
25th, April, 2007

java-1.5.0-ibm packages that correct a security issue are available for Red Hat Enterprise Linux 5 Supplementary and Enterprise Linux 4 Extras. This update has been rated as having critical security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-critical-java-150-ibm-security-update-89380

Slackware
Slackware: xine-lib
20th, April, 2007

New xine-lib packages are available for Slackware 10.0, 10.1, 10.2, 11.0, and -current to fix security issues. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246

Slackware: freetype
20th, April, 2007

New x11 and/or freetype and fontconfig packages are available for Slackware 10.1, 10.2, 11.0, and -current to fix security issues in freetype. Freetype was packaged with X11 prior to Slackware version 11.0. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

SuSE
SuSE: clamav update (SUSE-SA:2007:026)
20th, April, 2007

The AntiVirus scan engine clamav was updated to version 0.90.2. Among other bugs, two security problems were fixed which could cause a remote denial of service attack against clamav or potentially be used to execute code.

SuSE: XFree86,Xorg (SUSE-SA:2007:027)
20th, April, 2007

Several X security problems were fixed that could be used by local attackers to crash the X server or potentially to execute code as root user.

SuSE: Opera 9.20 (SUSE-SA:2007:028)
24th, April, 2007

Avoided a vulnerability in Adobe Flash Player.

Ubuntu
Ubuntu: rdesktop regression
26th, April, 2007

USN-453-1 provided an updated libx11 package to fix a security vulnerability. This triggered an error in rdesktop so that it crashed on startup. This update fixes the problem.

advisories/ubuntu/ubuntu-rdesktop-regression