Linux Advisory Watch - August 11th 2006

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+---------------------------------------------------------------------+
|  LinuxSecurity.com                               Weekly Newsletter  |
|  August 11th 2006                             Volume 7, Number 33a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were relesed for ruby, gnupg, freeciv, dhcp,
chmlib, krb5, drupal, gallery, ncompress, seamonkey, firefox,
thunderbird, libvncserver, mta, libtiff, mysql, webmin, x11vnc,
clamav, dumb, kerberos, and apache.  The distributors include Debian,
Gentoo, Fedora, Mandriva, Red Hat and SuSE.

---

CRYPTOCard Two-Factor Authentication

Are you a Linux consultant with expertise in network security?
Join CRYPTOCard's Linux Consultants program and learn about how you can
help your clients implement secure authentication solutions. Click here
for more information:

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=cc_nl

---

Goodbye, Netwosix.  Hello, EnGarde!

Linux Netwosix was originally created with the goal of providing
a security environment for building and creating new security-
related solutions. With the passing of time I realized that the
project has failed to achieve its goals within 3 years of hard
work. This, among many reasons, is the most important because I
never received help from anyone.  Regardless of the fact that
Netwosix has been downloaded by more than 60,000 users all
around the world, I'm here to announce the shutting down of
my dear project.  Day after day I understand that I can't
create a "valid security-oriented product" alone.

If people choose to join the project since I made this decision,
I choose the way.  I want to thank them but now I think that the
most important thing to do is this. There are a lot of GNU/Linux
distributions in the "arena" and I don't think that creating a
new one every day is a good move for GNU/Linux itself. So I
realized that it was better to help a well-known project to
realize something really important and big.

For this reason I decided to move to Guardian Digital, one of
the most important opensource security companies. It's really
growing quickly. I will work on their EnGarde Secure Linux and
in some way I am continuing to work on a really "secure" GNU/
Linux distribution. There I can work with a lot of good hackers
and it's a good possibility for me to exchange knowledge and
improve my skills.

With this letter, I would like to thank everyone who did
contribute to the project by downloading it and sending me
many comforting and encouraging email and my apologies for
the shutting down the project. I'd like to give my special
thanks to Dave Wreski, CEO of Guardian Digital, and
Ryan W. Maple for the great job position there.

Thanks,
Vincenzo Ciaglia - Guardian Digital, Inc.

----------------------


Packet Sniffing Overview

The best way to secure you against sniffing is to use encryption.
While this won.t prevent a sniffer from functioning, it will ensure
that what a sniffer reads is pure junk.

http://www.linuxsecurity.com/content/view/123570/49/

---

Review: How To Break Web Software

With a tool so widely used by so many different types of
people like the World Wide Web, it is necessary for everyone
to understand as many aspects as possible about its
functionality. From web designers to web developers to web
users, this is a must read. Security is a job for everyone
and How To Break Web Software by Mike Andrews and James A.
Whittaker is written for everyone to understand.

http://www.linuxsecurity.com/content/view/122713/49/

---

EnGarde Secure Linux v3.0.7 Now Available

Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.7 (Version 3.0, Release 7).  This
release includes several bug fixes and feature enhancements
to the Guardian Digital WebTool and the SELinux policy,
several updated packages, and several new packages
available for installation.

http://www.linuxsecurity.com/content/view/123016/65/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New ruby1.6 packages fix privilege escalation
  3rd, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123948


* Debian: New GnuPG packages fix denial of service
  3rd, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123950


* Debian: New GnuPG2 packages fix denial of service
  4th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123956


* Debian: New freeciv packages fix arbitrary code execution
  4th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123959


* Debian: New dhcp packages fix denial of service
  4th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123960


* Debian: New chmlib packages fix denial of service
  7th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123982


* Debian: New krb5 packages fix privilege escalation
  9th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124013


* Debian: New drupal packages fix cross-site scripting
  9th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124437


* Debian: New gallery packages fix several vulnerabilities
  9th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124441


* Debian: New ncompress packages fix potential code execution
  10th, August, 2006

Tavis Ormandy from the Google Security Team discovered a missing
boundary check in ncompress, the original Lempel-Ziv compress and
uncompress programs, which allows a specially crafted datastream to
underflow a buffer with attacker controlled data.

http://www.linuxsecurity.com/content/view/124446



+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 5 Update: krb5-1.4.3-5.1
  9th, August, 2006

This update addresses MITKRB-SA-2006-001.

http://www.linuxsecurity.com/content/view/124436




+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Mozilla SeaMonkey Multiple vulnerabilities
  3rd, August, 2006

The Mozilla Foundation has reported numerous security vulnerabilities
related to Mozilla SeaMonkey.

http://www.linuxsecurity.com/content/view/123949


* Gentoo: Mozilla Firefox Multiple vulnerabilities
  3rd, August, 2006

The Mozilla Foundation has reported numerous security vulnerabilities
related to Mozilla Firefox.

http://www.linuxsecurity.com/content/view/123951


* Gentoo: Mozilla Thunderbird Multiple vulnerabilities
  3rd, August, 2006

The Mozilla Foundation has reported numerous security vulnerabilities
related to Mozilla Thunderbird.

http://www.linuxsecurity.com/content/view/123953


* Gentoo: LibVNCServer Authentication bypass
  4th, August, 2006

VNC servers created with LibVNCServer accept insecure protocol types,
even when the server does not offer it, resulting in unauthorized
access to the server.

http://www.linuxsecurity.com/content/view/123957


* Gentoo: Courier MTA Denial of Service vulnerability
  4th, August, 2006

Courier MTA has fixed a DoS issue related to usernames containing a
"=" character.

http://www.linuxsecurity.com/content/view/123958


* Gentoo: libTIFF Multiple vulnerabilities
  4th, August, 2006

libTIFF contains several vulnerabilities that could result in
arbitrary code execution.

http://www.linuxsecurity.com/content/view/123972


* Gentoo: Mozilla Firefox Multiple vulnerabilities
  5th, August, 2006

The Mozilla Foundation has reported numerous security vulnerabilities
related to Mozilla Firefox.

http://www.linuxsecurity.com/content/view/123973


* Gentoo: GnuPG Integer overflow vulnerability
  5th, August, 2006

GnuPG is vulnerable to an integer overflow that could lead to the
execution of arbitrary code.

http://www.linuxsecurity.com/content/view/123974


* Gentoo: MySQL Denial of Service
  6th, August, 2006

An authenticated user can crash MySQL through invalid parameters to
the date_format function.

http://www.linuxsecurity.com/content/view/123975


* Gentoo: pike SQL injection vulnerability
  6th, August, 2006

A flaw in the input handling could lead to the execution of arbitrary
SQL statements in the underlying PostgreSQL database.

http://www.linuxsecurity.com/content/view/123976


* Gentoo: Webmin, Usermin File Disclosure
  6th, August, 2006

Webmin and Usermin are vulnerable to an arbitrary file disclosure
through a specially crafted URL.

http://www.linuxsecurity.com/content/view/123977


* Gentoo: x11vnc Authentication bypass in included LibVNCServer code
  7th, August, 2006

VNC servers created with x11vnc accept insecure protocol types, even
when the server does not offer it, resulting in the possibility of
unauthorized access to the server.

http://www.linuxsecurity.com/content/view/123983


* Gentoo: ClamAV Heap buffer overflow
  8th, August, 2006

ClamAV is vulnerable to a heap-based buffer overflow resulting in a
Denial of Service and potentially remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/123995


* Gentoo: GnuPG Integer overflow vulnerability
  8th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123998


* Gentoo: DUMB Heap buffer overflow
  8th, August, 2006

A heap-based buffer overflow in DUMB could result in the execution of
arbitrary code.

http://www.linuxsecurity.com/content/view/124001


* Gentoo: MIT Kerberos 5 Multiple local privilege escalation (test
Falco for security@)
  10th, August, 2006

Some applications shipped with MIT Kerberos 5 are vulnerable to local
privilege escalation.

http://www.linuxsecurity.com/content/view/124448



+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated clamav packages fix vulnerability
  8th, August, 2006

Damian Put discovered a boundary error in the UPX extraction module
in ClamAV which is used to unpack PE Windows executables.  This could
be abused to cause a Denial of Service issue and potentially allow
for the execution of arbitrary code with the permissions of the user
running clamscan or clamd. Updated packages have been patched to
correct this issue.

http://www.linuxsecurity.com/content/view/124009


* Mandriva: Updated krb5 packages fix local privilege escalation
vulnerability
  9th, August, 2006

A flaw was discovered in some bundled Kerberos-aware packages that
would fail to check the results of the setuid() call.  This call can
fail in some circumstances on the Linux 2.6 kernel if certain user
limits are reached, which could be abused by a local attacker to get
the applications to continue to run as root, possibly leading to an
elevation of privilege.


http://www.linuxsecurity.com/content/view/124438


* Mandriva: Updated ncompress packages fix vulnerability
  9th, August, 2006

Tavis Ormandy, of the Google Security Team, discovered that
ncompress, when uncompressing data, performed no bounds checking,
which could allow a specially crafted datastream to underflow a .bss
buffer with attacker controlled data. Updated packages have been
patched to correct this issue.

http://www.linuxsecurity.com/content/view/124439



+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: krb5 security update
  8th, August, 2006

Updated krb5 packages are now available for Red Hat Enterprise Linux
4 to correct a privilege escalation security flaw. This update has
been rated as having important security impact by the Red Hat
Security Response Team.

http://www.linuxsecurity.com/content/view/124002


* RedHat: Important: apache security update
  8th, August, 2006

Updated Apache httpd packages that correct a security issue are now
available for Red Hat Enterprise Linux 2.1. This update has been
rated as having important security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/124003



+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: clamav (SUSE-SA:2006:046)
  9th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124385


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux