
Linux Advisory Watch - September 1st 2006



+---------------------------------------------------------------------+
|  LinuxSecurity.com                               Weekly Newsletter  |
|  September 1st 2006                           Volume 7, Number 36a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for sendmail, libmusicbrainz,
firefox, kdebase, ruby, streamripper, Motor, PHP, Wireshark,
Heimdal, Heartbeat, AlsaPlayer, ImageMagick, lesstif, binutils,
xorg-x11, MySQL, kernel, seamonkey, and kdegraphics. The
distributors include Debian, Gentoo, Mandriva, and Red Hat.

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home
life.

http://www.msia.norwich.edu/linsec/

---

Steganography and Cyber Terrorism Communications
By: Dancho Danchev

Following my previous post on Cyber Terrorism Communications and
Propaganda, I'm continuing to summarize interesting findings on the
topic. The use of encryption to ensure the confidentiality of a
communication, be it criminals or terrorists taking advantage of
the speed and cheap nature of Internet communications, is often
taken as the de-facto type of communication. I feel that it's
steganographic communication in all of its variety that's playing
a crucial role in terrorist communications. It's never been about
the lack of publicly or even commercially obtainable steganographic
tools, but the ability to know where and what to look for. Here's
a brief comment on a rather hard to intercept communication tool:
SSSS - Shamir's Secret Sharing Scheme: "No other medium can
provide better speed, connectivity, and most importantly anonymity,
given it's achieved and understood, and it often is.

Plain encryption might seem the obvious answer, but to me it's
steganography, having the potential to fully hide within
legitimate (at least looking) data flow. Another possibility
is the use of secret sharing schemes. A bit of a relevant tool
that can be fully utilized by any group of people wanting to
ensure their authenticity and perhaps everyone's pulse, is
SSSS - Shamir's Secret Sharing Scheme. And no, I'm not giving
tips, just shedding light on the potential in here! The
way botnets of malware can use public forums to get commands,
in this very same fashion, terrorists could easily hide
sensitive communications by mixing it with huge amounts of
public data, while still keeping it secret."

Read More
http://ddanchev.blogspot.com/2006/08/steganography-and-cyber-terrorism.html

----------------------

* EnGarde Secure Community 3.0.8 Released
  1st, August, 2006

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.8 (Version 3.0, Release 8).  This release includes
several bug fixes and feature enhancements to the Guardian Digital
WebTool, several updated packages, and several new packages available
for installation.

http://www.linuxsecurity.com/content/view/123902

---

Packet Sniffing Overview

The best way to secure yourself against sniffing is to use encryption.
While this won't prevent a sniffer from functioning, it will ensure
that what a sniffer reads is pure junk.

http://www.linuxsecurity.com/content/view/123570/49/

---

Review: How To Break Web Software

With a tool like the World Wide Web, so widely used by so many
different types of people, it is necessary for everyone to
understand as many aspects as possible of its functionality.
From web designers to web developers to web users, this is a
must read. Security is a job for everyone, and How To Break Web
Software by Mike Andrews and James A. Whittaker is written for
everyone to understand.

http://www.linuxsecurity.com/content/view/122713/49/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New sendmail packages fix denial of service
  31st, August, 2006

A programming error has been discovered in sendmail, an alternative
mail transport agent for Debian, that could allow a remote attacker
to crash the sendmail process by sending a specially crafted email
message. Please note that in order to install this update you also
need libsasl2 library from proposed updates as outlined in DSA
1155-2.

http://www.linuxsecurity.com/content/view/124772


* Debian: New libmusicbrainz packages fix arbitrary code execution
  30th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124762


* Debian: New Mozilla packages fix several vulnerabilities
  29th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124741


* Debian: New Mozilla Firefox packages fix several vulnerabilities
  29th, August, 2006

Several security related problems have been discovered in Mozilla and
derived products like Mozilla Firefox.  The Common Vulnerabilities
and Exposures project identifies the following vulnerabilities:
CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809
CVE-2006-3811

http://www.linuxsecurity.com/content/view/124752


* Debian: New sendmail packages fix denial of service
  24th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124677


* Debian: New kdebase packages fix information disclosure
  27th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124717


* Debian: New ruby1.8 packages fix several vulnerabilities
  27th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124718


* Debian: New streamripper packages fix arbitrary code execution
  27th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124721


* Debian: New Mozilla Thunderbird packages fix several problems
  28th, August, 2006

Several security related problems have been discovered in Mozilla and
derived products such as Mozilla Thunderbird.  The Common
Vulnerabilities and Exposures project identifies the following
vulnerabilities: CVE-2006-2779 CVE-2006-3805 CVE-2006-3806
CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810

http://www.linuxsecurity.com/content/view/124724


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Motor Execution of arbitrary code
  29th, August, 2006

Motor uses a vulnerable ktools library, which could lead to the
execution of arbitrary code.

http://www.linuxsecurity.com/content/view/124761


* Gentoo: Motor Execution of arbitrary code
  29th, August, 2006

Motor uses a vulnerable ktools library, which could lead to the
execution of arbitrary code.

http://www.linuxsecurity.com/content/view/124747


* Gentoo: PHP Arbitrary code execution
  29th, August, 2006

PHP contains a function that, when used, could allow a remote
attacker to execute arbitrary code.

http://www.linuxsecurity.com/content/view/124751


* Gentoo: Wireshark Multiple vulnerabilities
  29th, August, 2006

Wireshark is vulnerable to several security issues that may lead to a
Denial of Service and/or the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/124746


* Gentoo: Heimdal Multiple local privilege escalation vulnerabilities
  24th, August, 2006

Certain Heimdal components, ftpd and rcp, are vulnerable to a local
privilege escalation.

http://www.linuxsecurity.com/content/view/124682


* Gentoo: Heartbeat Denial of Service
  24th, August, 2006

Heartbeat is vulnerable to a Denial of Service which can be triggered
by a remote attacker without authentication.

http://www.linuxsecurity.com/content/view/124688


* Gentoo: AlsaPlayer Multiple buffer overflows
  26th, August, 2006

AlsaPlayer is vulnerable to multiple buffer overflows which could
lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/124716


* Gentoo: AlsaPlayer Multiple buffer
  27th, August, 2006

AlsaPlayer is vulnerable to multiple buffer overflows which could
lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/124720


+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated musicbrainz packages fix buffer overflow
vulnerabilities
  30th, August, 2006

Multiple buffer overflows in libmusicbrainz (aka mb_client or
MusicBrainz Client Library) 2.1.2 and earlier, and SVN 8406 and
earlier, allow remote attackers to cause a denial of service (crash)
or execute arbitrary code via (1) a long Location header by the HTTP
server, which triggers an overflow in the MBHttp::Download function
in lib/http.cpp; and (2) a long URL in RDF data, as demonstrated by a
URL in an rdf:resource field in an RDF XML document, which triggers
overflows in many functions in lib/rdfparse.c. The updated packages
have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/124768


* Mandriva: Updated sendmail packages fix DoS vulnerabilities
  30th, August, 2006

Moritz Jodeit discovered a vulnerability in sendmail when processing
very long header lines that could be exploited to cause a Denial of
Service by crashing sendmail. The updated packages have been patched
to correct this issue.

http://www.linuxsecurity.com/content/view/124767


* Mandriva: Updated ImageMagick packages fix vulnerabilities
  29th, August, 2006

Multiple buffer overflows in ImageMagick before 6.2.9 allow
user-assisted attackers to execute arbitrary code via crafted XCF
images. (CVE-2006-3743) Multiple integer overflows in ImageMagick
before 6.2.9 allow user-assisted attackers to execute arbitrary code
via crafted Sun bitmap images that trigger heap-based buffer
overflows. (CVE-2006-3744) Integer overflow in the ReadSGIImage
function in sgi.c in ImageMagick before 6.2.9 allows user-assisted
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via large (1) bytes_per_pixel, (2) columns, and (3)
rows values, which trigger a heap-based buffer overflow.
(CVE-2006-4144) The updated packages have been patched to correct
these issues.

http://www.linuxsecurity.com/content/view/124750


* Mandriva: Updated lesstif packages fix potential local root
vulnerability
  29th, August, 2006

The libXm library in LessTif 0.95.0 and earlier allows local users to
gain privileges via the DEBUG_FILE environment variable, which is
used to create world-writable files when libXm is run from a setuid
program. The updated packages have been rebuilt with the
--enable-production configure switch in order to correct this issue.

http://www.linuxsecurity.com/content/view/124740


* Mandriva: Updated binutils packages fix multiple vulnerabilities
  29th, August, 2006

A stack-based buffer overflow in messages.c in the GNU as (gas)
assembler in Free Software Foundation GNU Binutils before 20050721
allows attackers to execute arbitrary code via a .c file with crafted
inline assembly code (CVE-2005-4807).

http://www.linuxsecurity.com/content/view/124739


* Mandriva: Updated xorg-x11 packages fix vulnerabilities
  24th, August, 2006

An integer overflow flaw was discovered in how xorg-x11/XFree86
handles PCF files.  A malicious authorized client could exploit the
issue to cause a DoS (crash) or potentially execute arbitrary code
with root privileges on the xorg-x11/XFree86 server. Updated packages
are patched to address this issue.

http://www.linuxsecurity.com/content/view/124693


* Mandriva: Updated MySQL packages fix user privilege vulnerabilities
  24th, August, 2006

MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to
access a table through a previously created MERGE table, even after
the user's privileges are revoked for the original table, which might
violate intended security policy (CVE-2006-4031).

http://www.linuxsecurity.com/content/view/124694


* Mandriva: Updated kernel packages fix multiple vulnerabilities
  25th, August, 2006

Prior to and including 2.6.16-rc2, when running on x86_64 systems
with preemption enabled, local users can cause a DoS (oops) via
multiple ptrace tasks that perform single steps (CVE-2006-1066).

http://www.linuxsecurity.com/content/view/124704


* Mandriva: Updated wireshark packages fix multiple vulnerabilities
  25th, August, 2006

Vulnerabilities in the SCSI, DHCP, and SSCOP dissectors were
discovered in versions of wireshark earlier than 0.99.3, as well as
an off-by-one error in the IPsec ESP preference parser if compiled
with ESP decryption support.

http://www.linuxsecurity.com/content/view/124706


+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: ImageMagick security update
  24th, August, 2006

Updated ImageMagick packages that fix several security issues are now
available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124681


* RedHat: Critical: seamonkey security update (was
  28th, August, 2006

Updated seamonkey packages that fix several security bugs in the
mozilla packages are now available for Red Hat Enterprise Linux 2.1.
This update has been rated as having critical security impact by the
Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124725


* RedHat: Moderate: kdegraphics security update
  28th, August, 2006

Updated kdegraphics packages that fix several security flaws in kfax
are now available for Red Hat Enterprise Linux 2.1 and 3.  This
update has been rated as having moderate security impact by the Red
Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124726

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

