
Linux Advisory Watch - June 23rd 2006



+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  June 23rd, 2006                            Volume 7, Number 26n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@xxxxxxxxxxxxxxxxx    |
|                   Benjamin D. Thomas      ben@xxxxxxxxxxxxxxxxx     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, updates were released for wv2, firefox, system-config-bind,
thunderbird, autofs, libselinux, arts, kdeaccessibility, kdeaddons,
kdeadmin, kdeartwork, kdebase, kdebase, kdebindings, kdeedu, kdegames,
kdegraphics, kde, kdelibs, kdemultimedia, kdenetwork, kdepim, kdesdk,
kdeutils, kdevelop, kdewebdev, kdeartwork, kdeedu, kdegames,
kde-i18n, qt, gtk, smartmontools, ruby, nss, autofs, glib-java,
cairo-java, libvte-java, libgnome-java, sendmail, kdebase, mdkkdm,
xine-lib, gnupg, and awstats.  The distributors include Debian,
Fedora, Mandriva, and SuSE.

---

Security on your mind?

Protect your home and business networks with the free, community
version of EnGarde Secure Linux.  Don't rely only on a firewall to
protect your network, because firewalls can be bypassed.  EnGarde
Secure Linux is a security-focused Linux distribution made to protect
your users and their data.

The security experts at Guardian Digital fortify every download of
EnGarde Secure Linux with eight essential types of open source
packages.  Then we configure those packages to provide maximum
security for tasks such as serving dynamic websites, high
availability mail, transport, network intrusion detection,
and more.  The result for you is high security, easy
administration, and automatic updates.

The Community edition of EnGarde Secure Linux is completely
free and open source.  Updates are also freely available when
you register with the Guardian Digital Secure Network.

http://www.engardelinux.org/modules/index/register.cgi

---

How To Break Web Software, Part II
By: Eric Lubow

Another set of attacks that are covered are language attacks.
These can also occur as a result of poor or total lack of input
validation. These languages include CSS, XSS (Cross Site
Scripting for any number of languages), C, C++, or SQL, to name
just a few. It is to be noted that attacks via SQL involve
attacking the server and having a little knowledge about
databases, queries, and the way that databases function. Next,
the authors discuss authentication and cryptography. They make
it a point to prove to the reader and users that not just any
cryptography will do and that only proven tried and true
methods are acceptable for public use.

The book then goes into discussing privacy issues. It
discusses identifying information such as the referrer logs,
agent logs, web bugs, clipboard access (via Javascript), and
cached pages. It then finishes up by discussing various types
of web services (including XML, SOAP, WSDL, and UDDI) and the
inherent problems that can be around using each one of them.
The set of tools outlined at the end of the book to help in
bug testing web software is an excellent compilation.

Opinion:

Software testing and implementation theories have been around
for a long time. There have also been numerous writings, journals,
and theories published on how things should and shouldn't be
done. Mike Andrews and James Whittaker do an excellent job of
outlining the potential shortcomings of web programming. This
is an excellent jumping off point for anyone beginning on the
security side of web design.

To me, the most enjoyable part of the book is where the authors
discuss the "Key Principals for Quality" over the fifty years
of software design. I think they should have put that as part
of the introduction to outline their point of view on testing
as a necessary part of the design phase (which should be a more
widely shared viewpoint). Other than that, I believe that this
is an excellent all around reference and should be read by
those involved in all aspects of the world wide web.

http://www.linuxsecurity.com/content/view/122713/49/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access
beyond that which is needed for proper system operations. A full
explanation of unix file permissions is beyond the scope of this
article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one
is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/
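The audit an administrator would want after that warning, as an added shell example that is not from the article: it builds a small constructed sample tree, lists world-writable paths that lack the sticky bit and any setuid/setgid files, and tightens one finding with chmod. The function names and sample paths are the example's own, and it assumes a POSIX sh with find(1), mktemp(1) and chmod(1).

```shell
#!/bin/sh
# Added example, not from the article: find permissions that are more
# liberal than system operation needs, then narrow them with chmod.

# Paths under $1 that anyone may write to, excluding directories that
# carry the sticky bit (a /tmp-style shared directory legitimately does).
find_world_writable() {
    find "$1" -perm -0002 ! \( -type d -perm -1000 \) -print 2>/dev/null | sort
}

# Regular files under $1 that run with the owner's or group's privileges;
# every one of these deserves a second look.
find_setuid_setgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Number of world-writable findings for a tree, printed on stdout.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remove write access for "other" on one path, leaving owner and group
# bits exactly as they were.
fix_world_writable() {
    chmod o-w "$1"
}

# Constructed sample tree so the audit can run offline; the paths and
# modes are made up for the demonstration.
make_sample_tree() {
    sample=$(mktemp -d)
    mkdir "$sample/shared" "$sample/private"
    : > "$sample/shared/notes.txt"
    : > "$sample/private/secret.cfg"
    : > "$sample/private/helper"
    chmod 1777 "$sample/shared"           # sticky and world-writable: acceptable
    chmod 666  "$sample/shared/notes.txt" # world-writable file: a mistake
    chmod 600  "$sample/private/secret.cfg"
    chmod 4755 "$sample/private/helper"   # setuid: flagged for review
    printf '%s\n' "$sample"
}

# Stand-alone run: audit the sample tree, fix the file, audit again.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "world-writable:"; find_world_writable "$tree"
    echo "setuid/setgid:";  find_setuid_setgid "$tree"
    fix_world_writable "$tree/shared/notes.txt"
    echo "after fix: $(count_world_writable "$tree") world-writable path(s)"
    rm -rf "$tree"
fi
```

Run it with `--demo` to see the before/after listing; on a real system point the two find functions at /etc, /usr/local or a web root rather than at the sample tree.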

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New wv2 packages fix integer overflow
  15th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123160



+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 5 Update: firefox-1.5.0.4-1.2.fc5
  15th, June, 2006

Several security issues have been identified that are fixed in this
release.

http://www.linuxsecurity.com/content/view/123169


* Fedora Core 5 Update: system-config-bind-4.0.0-42_FC5
  15th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123170


* Fedora Core 5 Update: thunderbird-1.5.0.4-1.1.fc5
  15th, June, 2006

Several security issues have been identified that are fixed in this
release.

http://www.linuxsecurity.com/content/view/123171


* Fedora Core 5 Update: autofs-4.1.4-27
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123193


* Fedora Core 5 Update: libselinux-1.30.3-3.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123194


* Fedora Core 4 Update: arts-1.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123195


* Fedora Core 4 Update: kdeaccessibility-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123196


* Fedora Core 4 Update: kdeaddons-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123197


* Fedora Core 4 Update: kdeadmin-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123198


* Fedora Core 4 Update: kdeartwork-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123199


* Fedora Core 4 Update: kdebase-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123200


* Fedora Core 4 Update: kdebindings-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123201


* Fedora Core 4 Update: kdeedu-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123202


* Fedora Core 4 Update: kdegames-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123203


* Fedora Core 4 Update: kdegraphics-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123204


* Fedora Core 4 Update: kde-i18n-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123205


* Fedora Core 4 Update: kdelibs-3.5.3-0.2.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123206


* Fedora Core 4 Update: kdemultimedia-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123207


* Fedora Core 4 Update: kdenetwork-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123208


* Fedora Core 4 Update: kdepim-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123209


* Fedora Core 4 Update: kdesdk-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123210


* Fedora Core 4 Update: kdeutils-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123211


* Fedora Core 4 Update: kdevelop-3.3.3-0.1.fc4
  19th, June, 2006

Updated package.


http://www.linuxsecurity.com/content/view/123212


* Fedora Core 4 Update: kdewebdev-3.5.3-0.1.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123213


* Fedora Core 5 Update: arts-1.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123214


* Fedora Core 5 Update: kdeaccessibility-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123215


* Fedora Core 5 Update: kdeaddons-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123216


* Fedora Core 5 Update: kdeadmin-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123217


* Fedora Core 5 Update: kdebase-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123218


* Fedora Core 5 Update: kdeartwork-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123219


* Fedora Core 5 Update: kdebindings-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123220


* Fedora Core 5 Update: kdeedu-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123221


* Fedora Core 5 Update: kdegames-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123222


* Fedora Core 5 Update: kdegraphics-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123223


* Fedora Core 5 Update: kde-i18n-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123224


* Fedora Core 5 Update: kdelibs-3.5.3-0.2.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123225


* Fedora Core 5 Update: kdemultimedia-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123226


* Fedora Core 5 Update: kdenetwork-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123227


* Fedora Core 5 Update: kdepim-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123228


* Fedora Core 5 Update: kdesdk-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123229


* Fedora Core 5 Update: kdeutils-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123230


* Fedora Core 5 Update: kdevelop-3.3.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123231


* Fedora Core 5 Update: kdewebdev-3.5.3-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123232


* Fedora Core 5 Update: qt-3.3.6-0.1.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123233


* Fedora Core 5 Update: gtk2-2.8.19-2
  19th, June, 2006

Due to recent changes in the build system, the last gtk2 update lost
some dependencies, and e.g. is not Xinerama-aware anymore. This
update fixes this problem.

http://www.linuxsecurity.com/content/view/123234


* Fedora Core 5 Update: smartmontools-5.36-fc5.1
  19th, June, 2006

This is an upgrade to a new upstream version which brings additional
hardware support.

http://www.linuxsecurity.com/content/view/123235


* Fedora Core 5 Update: ruby-1.8.4-6.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123236


* Fedora Core 4 Update: kdebase-3.5.3-0.2.fc4
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123240


* Fedora Core 5 Update: kdebase-3.5.3-0.3.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123241


* Fedora Core 5 Update: kdepim-3.5.3-0.2.fc5
  19th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123242


* Fedora Core 5 Update: nss-3.11.1-1.fc5
  19th, June, 2006

Update to version 3.11.1. This includes a fix for a serious memory
leak.

http://www.linuxsecurity.com/content/view/123243


* Fedora Core 4 Update: autofs-4.1.4-26
  20th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123254


* Fedora Core 5 Update: system-config-lvm-1.0.18-1.2.FC5
  20th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123255


* Fedora Core 5 Update: glib-java-0.2.5-0.FC5
  21st, June, 2006

Make current version of frysk available to FC5 users.

http://www.linuxsecurity.com/content/view/123270


* Fedora Core 5 Update: cairo-java-1.0.4-0.FC5
  21st, June, 2006

Make current version of frysk available to FC5 users.

http://www.linuxsecurity.com/content/view/123271


* Fedora Core 5 Update: libgtk-java-2.8.5-0.FC5
  21st, June, 2006

Make current version of frysk available to FC5 users.


http://www.linuxsecurity.com/content/view/123272


* Fedora Core 5 Update: libvte-java-0.12.0-0.FC5
  21st, June, 2006

Make current version of frysk available to FC5 users.


http://www.linuxsecurity.com/content/view/123273


* Fedora Core 5 Update: libgnome-java-2.12.3-0.FC5
  21st, June, 2006

Make current version of frysk available to FC5 users.

http://www.linuxsecurity.com/content/view/123274


* Fedora Core 5 Update: libglade-java-2.12.4-0.FC5
  21st, June, 2006

Make current version of frysk available to FC5 users.

http://www.linuxsecurity.com/content/view/123275


* Fedora Core 5 Update: frysk-0.0.1.2006.06.15.rh4-0.FC5
  21st, June, 2006

Make current version of frysk available to FC5 users.


http://www.linuxsecurity.com/content/view/123276


+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated sendmail packages fix remotely exploitable
vulnerability
  15th, June, 2006

A vulnerability in the way Sendmail handles multi-part MIME messages
was discovered that could allow a remote attacker to create a
carefully crafted message that could crash the sendmail process
during delivery. The updated packages have been patched to correct
these issues.

http://www.linuxsecurity.com/content/view/123159


* Mandriva: Updated kdebase packages fix local vulnerability in kdm
  15th, June, 2006

A problem with how kdm manages the ~/.dmrc file was discovered by
Ludwig Nussel. By using a symlink attack, a local user could get kdm
to read arbitrary files on the system, including privileged system
files and those belonging to other users. The updated packages have
been patched to correct these issues.

http://www.linuxsecurity.com/content/view/123172


* Mandriva: Updated mdkkdm packages fix local vulnerability
  15th, June, 2006

A problem with how kdm manages the ~/.dmrc file was discovered by
Ludwig Nussel. By using a symlink attack, a local user could get kdm
to read arbitrary files on the system, including privileged system
files and those belonging to other users.


http://www.linuxsecurity.com/content/view/123173


* Mandriva: Updated arts packages fix vulnerability in artswrapper
  20th, June, 2006

A vulnerability in the artswrapper program, when installed setuid
root, could enable a local user to elevate their privileges to that
of root. By default, Mandriva Linux does not ship artswrapper setuid
root, however if a user or system administrator enables the setuid
bit on artswrapper, their system could be at risk. The updated
packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/123256


* Mandriva: Updated xine-lib packages fix buffer overflow
vulnerabilities
  20th, June, 2006

A buffer overflow in the HTTP Plugin (xineplug_inp_http.so) for
xine-lib 1.1.1 allows remote attackers to cause a denial of service
(application crash) via a long reply from an HTTP server, as
demonstrated using gxine 0.5.6. (CVE-2006-2802)

http://www.linuxsecurity.com/content/view/123257


* Mandriva: Updated wv2 packages fix vulnerability
  20th, June, 2006

A boundary checking error was discovered in the wv2 library, used for
accessing Microsoft Word documents.  This error can lead to an
integer overflow induced by processing certain Word files. The
updated packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/123258


* Mandriva: Updated gnupg packages fix vulnerability
  20th, June, 2006

A vulnerability was discovered in GnuPG 1.4.3 and 1.9.20 (and
earlier) that could allow a remote attacker to cause gpg to crash and
possibly overwrite memory via a message packet with a large length.
The updated packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/123259


+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: awstats remote code execution
  20th, June, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123244


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

