Linux Advisory Watch - October 27th 2006


 



+---------------------------------------------------------------------+
|  LinuxSecurity.com                               Weekly Newsletter  |
|  October 27th 2006                            Volume 7, Number 44a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for clamav, python, webmin,
libmusicbrainz, ClamAV, OpenSSL, mod_tcl, kdelibs, sshd-monitor,
subversion, xinetd, coreutils, bootsplash, Qt, opera, openssh,
and PostgreSQL.  The distributors include Debian, Gentoo, Mandriva,
Red Hat, Slackware, SuSE, and Ubuntu.

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home
life.

http://www.msia.norwich.edu/linsec/

---

EnGarde Secure Linux v3.0.9 Now Available

Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.9 (Version 3.0, Release 9). This release
includes several bug fixes and feature enhancements to the
Guardian Digital WebTool and the SELinux policy, several
updated packages, and a couple of new packages available for
installation.

http://www.linuxsecurity.com/content/view/125147/169/

---

RFID with Bio-Smart Card in Linux

In this paper, we describe the integration of a fingerprint template
and an RF smart card for a clustered network, designed on the Linux
platform and open source technology to obtain biometric security.
The combination of smart card and biometrics is achieved through
two-step authentication: smart card authentication is based on a
Personal Identification Number (PIN), and the cardholder is
authenticated using the biometric template stored in the smart
card, which is based on fingerprint verification. The fingerprint
verification has to be executed on the central host server for
security purposes. The protocol designed allows control of all
parameters of the smart security controller, such as PIN options,
reader delay, real-time clock, alarm option and cardholder access
conditions.

http://www.linuxsecurity.com/content/view/125052/171/

---

Packet Sniffing Overview

The best way to secure yourself against sniffing is to use encryption.
While this won't prevent a sniffer from functioning, it will ensure
that what a sniffer reads is pure junk.

http://www.linuxsecurity.com/content/view/123570/49/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New clamav packages fix arbitrary code execution
  19th, October, 2006

Updated package.

http://www.linuxsecurity.com/content/view/125310


* Debian: New python2.4 packages fix arbitrary code execution
  22nd, October, 2006

Updated package.

http://www.linuxsecurity.com/content/view/125338


* Debian: New python2.3 packages fix arbitrary code execution
  23rd, October, 2006

Updated package.

http://www.linuxsecurity.com/content/view/125348


* Debian: New webmin packages fix input validation problems
  23rd, October, 2006

Updated package.

http://www.linuxsecurity.com/content/view/125350




+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Cscope Multiple buffer overflows
  20th, October, 2006

Cscope is vulnerable to multiple buffer overflows that could lead to
the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/125332


* Gentoo: libmusicbrainz Multiple buffer overflows
  22nd, October, 2006

Multiple buffer overflows have been found in libmusicbrainz, which
could lead to a Denial of Service or possibly the execution of
arbitrary code.

http://www.linuxsecurity.com/content/view/125337


* Gentoo: ClamAV Multiple Vulnerabilities
  24th, October, 2006

ClamAV is vulnerable to a heap-based buffer overflow potentially
allowing remote execution of arbitrary code and a Denial of Service.

http://www.linuxsecurity.com/content/view/125355


* Gentoo: OpenSSL Multiple vulnerabilities
  24th, October, 2006

OpenSSL contains multiple vulnerabilities including the possible
remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/125356


* Gentoo: Apache mod_tcl Format string vulnerability
  24th, October, 2006

A format string vulnerability has been found in Apache mod_tcl, which
could lead to the remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/125357


* Gentoo: Cheese Tracker Buffer Overflow
  26th, October, 2006

Cheese Tracker contains a buffer overflow allowing the remote
execution of arbitrary code.

http://www.linuxsecurity.com/content/view/125409




+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated kdelibs packages fix KHTML vulnerability
  19th, October, 2006

A vulnerability was discovered in the way that Qt handled pixmap
images and the KDE khtml library used Qt in such a way that untrusted
parameters could be passed to Qt, resulting in an integer overflow.
This flaw could be exploited by a remote attacker in a malicious
website that, when viewed by an individual using Konqueror, would
cause Konqueror to crash or possibly execute arbitrary code with the
privileges of the user.

http://www.linuxsecurity.com/content/view/125322


* Mandriva: Updated sshd-monitor corrects connection bug
  19th, October, 2006

The sshd-monitor as provided with Mandriva's Corporate Server and
Desktop 3.0 would fill /var/log/messages with error messages about
not receiving an identification string from the localhost due to a
timing issue.

http://www.linuxsecurity.com/content/view/125323


* Mandriva: Updated subversion package /etc/services entries
  19th, October, 2006

One of subversion's operating modes, svnserve, needs some entries in
the /etc/services file.  These entries are created during package
installation, but under some conditions this procedure fails and
/etc/services remains without them.

http://www.linuxsecurity.com/content/view/125324


* Mandriva: Updated xinetd package corrects initscript language bug
  19th, October, 2006

The initscript for xinetd incorrectly set the locale to en_US.  If
the localesn-en package is not installed on the system, some xinetd
services may not work properly.  This was first noted with the
svnserve program from subversion.

http://www.linuxsecurity.com/content/view/125325


* Mandriva: Updated coreutils package correctly links against PAM
  23rd, October, 2006

The coreutils package lacked several features due to a build
deficiency. As a result, the su program was not linked against the
PAM library, making it impossible for su to make use of advanced
authentication features that rely on the PAM library.  As well, the
cp system utility did not keep extended attributes and ACLs in file
copies. This has been corrected in the updated packages.

http://www.linuxsecurity.com/content/view/125349


* Mandriva: Updated bootsplash package brings back the fbmenu command
  24th, October, 2006

When multiple profiles are configured, they can be chosen in the
bootloader with the PROFILE keyword, but this needs a dedicated entry
or manually appending the profile at each boot.  To ease the choice
of the profile at boot time, Mandriva developed a frame
buffer menu in GTK to choose the profile.

http://www.linuxsecurity.com/content/view/125369


* Mandriva: Updated Qt packages fix vulnerability
  24th, October, 2006

An integer overflow was discovered in the way that Qt handled pixmap
images. This flaw could be exploited by a remote attacker in a
malicious website that, when viewed by an individual using an
application that uses Qt (like Konqueror), would cause it to crash or
possibly execute arbitrary code with the privileges of the user.

http://www.linuxsecurity.com/content/view/125381



+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: kernel security update
  19th, October, 2006

Updated kernel packages that fix several security issues in the Red
Hat Enterprise Linux 3 kernel are now available. This security
advisory has been rated as having important security impact by the
Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/125317



+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

* Slackware:   qt
  25th, October, 2006

New qt packages are available for Slackware 10.0, 10.1, 10.2, and
11.0 to fix a possible security issue.

http://www.linuxsecurity.com/content/view/125398



+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: opera (SUSE-SA:2006:061)
  19th, October, 2006

Updated package.

http://www.linuxsecurity.com/content/view/125318


* SuSE: openssh (SUSE-SA:2006:062)
  20th, October, 2006

There are multiple vulnerabilities in openssh 4.4.  The following
vulnerabilities are addressed in this advisory: CVE-2006-4924,
CVE-2006-4925, CVE-2006-5051, CVE-2006-5052.


http://www.linuxsecurity.com/content/view/125335


* SuSE: Qt image handling problems
  25th, October, 2006

Updated package.

http://www.linuxsecurity.com/content/view/125392



+---------------------------------+
|  Distribution: Ubuntu           | ----------------------------//
+---------------------------------+

* Ubuntu:  Qt vulnerability
  23rd, October, 2006

An integer overflow was discovered in Qt's image loader. By
processing a specially crafted image with an application that uses
this library (like Konqueror), a remote attacker could exploit this
to execute arbitrary code with the application's privileges.


http://www.linuxsecurity.com/content/view/125342


* Ubuntu:  PostgreSQL vulnerabilities
  24th, October, 2006

Michael Fuhr discovered an incorrect type check when handling unknown
literals. By attempting to coerce such a literal to the ANYARRAY
type, a local authenticated attacker could cause a server crash. Josh
Drake and Alvaro Herrera reported a crash when using aggregate
functions in UPDATE statements. A local authenticated attacker could
exploit this to crash the server backend. This update disables this
construct, since it is not very well defined and forbidden by the SQL
standard.

http://www.linuxsecurity.com/content/view/125361

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

