This week, advisories were released for ncompress, shadow, heartbeat, kerberos,
warzone, libwmf, wordpress, gnupg, firefox, elfutils, ntp, kdebase, perl, httpd,
and wireshark. The distributors include Debian, Gentoo, Mandriva, Red Hat, and
SuSE.
Earn an NSA recognized IA Masters Online - The NSA has designated Norwich
University a center of Academic Excellence in Information Security. Our
program offers unparalleled Infosec management education and the case study
affords you unmatched consulting experience. Using interactive e-Learning
technology, you can earn this esteemed degree without disrupting your career
or home life.
Build a Case for Security
Establishing a business case is perhaps the first phase in any
project initiation. Organizations that are successful maintain full
justification for all business expenditure. An information security
project is no different. An effective information security program
requires visible support from executive management. To gain support,
a persuasive business case is often necessary. An information
security program will have numerous tangible and intangible benefits
to any organization. It is the role of a business case to document
these.
To build a persuasive case for information security, it is important
for practitioners "to become more managerial in outlook, speech,
and perspectives" (Information Security Management Handbook, 4th
Edition, Volume 2). Stressing only the technical benefits of information
security is no longer sufficient, given the size and cost of today's
information security programs. When making a case for information
security, emphasis should be placed on how proactive security
mechanisms protect senior management from being held liable for
negligence. As IT has become more prominent in organizations, so have
compliance and regulatory requirements. Today, senior management is
expected to demonstrate due care and due diligence in relation to
information security. With this, information security must become an
essential aspect of management.
Addressing the overall benefits of information security is important
as well. A business case should stress how information security can
become a business enabler. It can be a company differentiator by
offering increased levels of customer satisfaction and contributing
overall to total quality management. Information security also
provides a means to guard against unauthorized behavior; simply
trusting that internal employees will "do the right thing" is often
not enough. Information security business cases should be written in
a way that emphasizes all of these benefits.
Security on your mind?
The Community edition of EnGarde Secure Linux is completely free and open source.
Updates are also freely available when you register with the Guardian Digital
Secure Network.
http://www.engardelinux.org/modules/index/register.cgi
LinuxSecurity.com Feature Extras:

EnGarde Secure Community 3.0.8 - Guardian Digital is happy to announce the
release of EnGarde Secure Community 3.0.8 (Version 3.0, Release 8). This
release includes several bug fixes and feature enhancements to the Guardian
Digital WebTool, several updated packages, and several new packages available
for installation.
Linux File & Directory Permissions Mistakes - One common mistake Linux
administrators make is having file and directory permissions that are far
too liberal and allow access beyond that which is needed for proper system
operations. A full explanation of unix file permissions is beyond the scope
of this article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one is available
right here on linuxsecurity.com.
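As an added example for this newsletter (not code from the linked article), the following POSIX shell script finds the three permission mistakes the teaser is about: world-writable files, world-writable directories without the sticky bit, and setuid/setgid files. The sample tree it builds, the function names and the tag strings are all constructed here for illustration; nothing beyond find(1), chmod(1) and mktemp(1) is assumed.

```shell
#!/bin/sh
# Added example (not from the linuxsecurity.com article): audit a directory
# tree for over-liberal permissions. Only POSIX find/chmod/mktemp are used;
# the sample tree below is constructed input for demonstration.

# audit_perms DIR
# Prints one "TAG path" line per finding and returns 1 if anything was
# found, 0 if the tree is clean. Octal masks keep the checks portable:
#   -0002 any "other" write bit, -1000 sticky, -4000 setuid, -2000 setgid.
audit_perms() {
    audit_dir=$1
    audit_rc=0
    # World-writable regular files: any local user can replace the contents
    # (a config file that a root daemon later reads is the classic case).
    if find "$audit_dir" -type f -perm -0002 -print \
        | sed 's/^/WORLD_WRITABLE_FILE /' | grep .; then
        audit_rc=1
    fi
    # World-writable directories without the sticky bit: any user can delete
    # or rename other users' files there (/tmp is 1777 for exactly this reason).
    if find "$audit_dir" -type d -perm -0002 ! -perm -1000 -print \
        | sed 's/^/WORLD_WRITABLE_DIR /' | grep .; then
        audit_rc=1
    fi
    # setuid/setgid files: each one is a privilege boundary that needs review.
    if find "$audit_dir" -type f \( -perm -4000 -o -perm -2000 \) -print \
        | sed 's/^/SETID /' | grep .; then
        audit_rc=1
    fi
    return $audit_rc
}

# fix_world_writable DIR
# Drop the "other" write bit from files, and from directories that lack the
# sticky bit. setuid/setgid bits are deliberately left alone: removing them
# blindly can break su, passwd and friends, so they need a human decision.
fix_world_writable() {
    find "$1" -type f -perm -0002 -exec chmod o-w {} +
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod o-w {} +
}

# build_sample_tree
# Constructed sample input: a temporary tree with one of each mistake plus
# two correctly permissioned entries. Prints the tree's path.
build_sample_tree() {
    sample=$(mktemp -d)
    mkdir "$sample/open dir" "$sample/scratch"
    echo "secret=1" > "$sample/loose.conf"
    echo "secret=1" > "$sample/ok.conf"
    echo "#!/bin/sh" > "$sample/helper"
    chmod 666 "$sample/loose.conf"   # world-writable file
    chmod 644 "$sample/ok.conf"      # fine
    chmod 777 "$sample/open dir"     # world-writable, no sticky bit
    chmod 1777 "$sample/scratch"     # world-writable but sticky: acceptable
    chmod 4755 "$sample/helper"      # setuid
    echo "$sample"
}

# Stand-alone use: audit the path given as the first argument, or, with no
# argument, demonstrate on the constructed sample tree.
if [ $# -gt 0 ]; then
    audit_perms "$1"
else
    demo_dir=$(build_sample_tree)
    audit_perms "$demo_dir" || true
    rm -rf "$demo_dir"
fi
```

Run it as `sh audit_perms.sh /etc` (or any tree you administer) and treat every line it prints as a question, not an automatic chmod target: a 1777 directory and a setuid `passwd` are correct, while a 666 file under `/etc` almost never is.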
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
Debian

Debian: New ncompress packages fix potential code execution
10 August 2006
Tavis Ormandy from the Google Security Team discovered a missing
boundary check in ncompress, the original Lempel-Ziv compress and uncompress
programs, which allows a specially crafted datastream to underflow a buffer
with attacker controlled data.
http://www.linuxsecurity.com/content/view/124446

Debian: New shadow packages fix privilege escalation
12 August 2006
Updated package.
http://www.linuxsecurity.com/content/view/124477

Debian: New heartbeat packages fix denial of service
15 August 2006
Updated package.
http://www.linuxsecurity.com/content/view/124515

Gentoo

Gentoo: MIT Kerberos 5 Multiple local privilege escalation
10 August 2006
Some applications shipped with MIT Kerberos 5 are vulnerable
to local privilege escalation.
http://www.linuxsecurity.com/content/view/124448

Gentoo: Warzone 2100 Resurrection Multiple buffer overflows
10 August 2006
Warzone 2100 Resurrection server and client are vulnerable to
separate buffer overflows, potentially allowing remote code execution.
http://www.linuxsecurity.com/content/view/124452

Gentoo: libwmf Buffer overflow vulnerability
10 August 2006
libwmf is vulnerable to an integer overflow potentially resulting
in the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/124453

Gentoo: Net::Server Format string vulnerability
10 August 2006
A format string vulnerability has been reported in Net::Server
which can be exploited to cause a Denial of Service.
http://www.linuxsecurity.com/content/view/124455

Gentoo: WordPress Privilege escalation
10 August 2006
A flaw in WordPress allows registered WordPress users to elevate
privileges.
http://www.linuxsecurity.com/content/view/124456

Mandriva

Mandriva: Updated gnupg packages fix vulnerability
14 August 2006
An integer overflow vulnerability was discovered in gnupg where
an attacker could create a carefully-crafted message packet with a large
length that could cause gnupg to crash or possibly overwrite memory when
opened. Updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/124512

Mandriva: Updated heartbeat packages fix vulnerability
14 August 2006
Two vulnerabilities in heartbeat prior to 2.0.6 were discovered
by Yan Rong Ge. The first is that heartbeat would set insecure permissions
in a shmget call for shared memory, allowing a local attacker to cause
an unspecified denial of service via unknown vectors (CVE-2006-3815).
The second is a remote vulnerability that could allow the master
control process to read invalid memory due to a specially crafted heartbeat
message and die of a SEGV, all prior to any authentication.
http://www.linuxsecurity.com/content/view/124513

Mandriva: Updated Firefox packages fix multiple vulnerabilities
16 August 2006
A number of security vulnerabilities have been discovered and
corrected in the latest Mozilla Firefox program.
http://www.linuxsecurity.com/content/view/124539

Red Hat

RedHat: Low: elfutils security update
10 August 2006
Updated elfutils packages that address a minor security issue
and various other issues are now available. This update has been rated
as having low security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/124459

RedHat: Low: ntp security update
10 August 2006
Updated ntp packages that fix several bugs are now available.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/124460

RedHat: Updated kernel packages available for Red Hat
10 August 2006
Updated kernel packages are now available as part of ongoing
support and maintenance of Red Hat Enterprise Linux version 4.
http://www.linuxsecurity.com/content/view/124461

RedHat: Low: kdebase security fix
10 August 2006
Updated kdebase packages that resolve several bugs are now available.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/124462

RedHat: Important: perl security update
10 August 2006
Updated Perl packages that fix a security issue are
now available for Red Hat Enterprise Linux 4. This update has been rated
as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/124463

RedHat: Moderate: httpd security update
10 August 2006
Updated Apache httpd packages that correct security issues and
resolve bugs are now available for Red Hat Enterprise Linux 3 and 4. This
update has been rated as having moderate security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/124464

RedHat: Moderate: wireshark security update (was
16 August 2006
New Wireshark packages that fix various security vulnerabilities
in Ethereal are now available. This update has been rated as having moderate
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/124533

SuSE

SuSE: kernel security problems
11 August 2006
Multiple security vulnerabilities in the kernel are addressed.
http://www.linuxsecurity.com/content/view/124469

SuSE: MozillaFirefox, MozillaThunderbird,
16 August 2006
To fix various security problems we released update packages
that bring Mozilla Firefox to version 1.5.0.6, MozillaThunderbird to
version 1.5.0.5 and the Seamonkey Suite to version 1.0.3.
http://www.linuxsecurity.com/content/view/124535