+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | April 14th, 2006 Volume 7, Number 16n | | | | Editorial Team: Dave Wreski dave@xxxxxxxxxxxxxxxxx | | Benjamin D. Thomas ben@xxxxxxxxxxxxxxxxx | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, advisories were released for dia, sash, mailman, libimager, libphp, moodle, cacti, sudo, zope, horde, xscreensaver, gnome, alsa-utils, system-config-printer, xsane, cario, subversion, netpbm, gnbd-kernel,shadow-utils, cman-kernel, ghostscript, checkpolicy, libsemanage, selinux-policy, eclipse-changelog, gaim, squirrelmail, ClamAV, mplayer, and openvpn. The distributors include Debian, Fedora, Gentoo, Mandriva, and SuSE. --- EnGarde Secure Linux: Why not give it a try? EnGarde Secure Linux is a Linux server distribution that is geared toward providing a open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration. http://www.engardelinux.org/modules/index/register.cgi --- Developing A Security Policy Create a simple, generic policy for your system that your users can readily understand and follow. It should protect the data you're safeguarding, as well as the privacy of the users. Some things to consider adding are who has access to the system (Can my friend use my account?), who's allowed to install software on the system, who owns what data, disaster recovery, and appropriate use of the system. A generally accepted security policy starts with the phrase: "That which is not expressly permitted is prohibited" This means that unless you grant access to a service for a user, that user shouldn't be using that service until you do grant access. Make sure the policies work on your regular user account, Saying, ''Ah, I can't figure this permissions problem out, I'll just do it as root'' can lead to security holes that are very obvious, and even ones that haven't been exploited yet. Additionally, there are several questions you will need to answer to successfully develop a security policy: * What level of security do your users expect? * How much is there to protect, and what is it worth? * Can you afford the down-time of an intrusion? * Should there be different levels of security for different groups? * Do you trust your internal users? * Have you found the balance between acceptable risk and secure? You should develop a plan on who to contact when there is a security problem that needs attention. There are quite a few documents available on developing a Site Security Policy. You can start with the SANS Security Policy Project. http://www.sans.org/resources/policies/ Excerpt from the LinuxSecurity Administrator's Guide: http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html Written by: Dave Wreski (dave@xxxxxxxxxxxxxxxxxxx) ---------------------- EnGarde Secure Community 3.0.4 Released Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation. http://www.linuxsecurity.com/content/view/121560/65/ --- Linux File & Directory Permissions Mistakes One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com. http://www.linuxsecurity.com/content/view/119415/49/ --- Buffer Overflow Basics A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. http://www.linuxsecurity.com/content/view/119087/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New dia packages fix arbitrary code execution 6th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122244 * Debian: New sash packages fix potential arbitrary code execution 6th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122245 * Debian: New mailman packages fix denial of service 6th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122246 * Debian: New libimager-perl packages fix denial of service 7th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122274 * Debian: New libphp-adodb packages fix several vulnerabilities 8th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122279 * Debian: New moodle packages fix several vulnerabilities 8th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122280 * Debian: New cacti packages fix several vulnerabilities 8th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122281 * Debian: New sudo packages fix privilege escalation 8th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122282 * Debian: New zope-cmfplone packages fix unprivileged data manipulation 12th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122324 * Debian: New horde3 packages fix several vulnerabilities 12th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122327 +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ * Fedora Core 5 Update: xscreensaver-4.24-2 6th, April, 2006 Don't leak zombie processes with the GL SlideShow ScreenSaver http://www.linuxsecurity.com/content/view/122254 * Fedora Core 5 Update: GConf2-2.14.0-1 6th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122255 * Fedora Core 5 Update: liboil-0.3.8-1.fc5 6th, April, 2006 This update rebases liboil to 0.3.8 to help resolve issues required by packages in Fedora Extras. http://www.linuxsecurity.com/content/view/122256 * Fedora Core 5 Update: gnome-screensaver-2.14.0-1.fc5 6th, April, 2006 This update corrects a problem where kerberos credentials weren't being properly refreshed when a user successfully authenticates in the unlock dialog. http://www.linuxsecurity.com/content/view/122257 * Fedora Core 5 Update: alsa-utils-1.0.11-4.rc2 6th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122258 * Fedora Core 5 Update: system-config-printer-0.6.151.2-1 6th, April, 2006 With no configured printers, it was not possible to disable automatic browsing for shared printers. http://www.linuxsecurity.com/content/view/122259 * Fedora Core 5 Update: gnome-screensaver-2.14.0-1.fc5.1 6th, April, 2006 This update fixes problems detecting idle activity. http://www.linuxsecurity.com/content/view/122260 * Fedora Core 5 Update: xsane-0.99-2.2.fc5.4 7th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122269 * Fedora Core 5 Update: cairo-1.0.4-1 7th, April, 2006 An updated version of the cairo package fixes several bugs, among them a bug which could lead to Pango crashes with corrupt fonts. http://www.linuxsecurity.com/content/view/122270 * Fedora Core 4 Update: sane-backends-1.0.17-0.fc4.2 7th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122271 * Fedora Core 5 Update: subversion-1.3.1-2.1 7th, April, 2006 This update includes the latest upstream release of Subversion, version 1.3.1. This release includes a number of minor bug fixes and improvements. http://www.linuxsecurity.com/content/view/122272 * Fedora Core 5 Update: netpbm-10.33-0.fc5 7th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122273 * Fedora Core 5 Update: gnbd-kernel-2.6.15-5.FC5.25 8th, April, 2006 Packages update to the latest kernel (2.6.16-1.2080_FC5) and now include xen packages for x86_64. http://www.linuxsecurity.com/content/view/122283 * Fedora Core 4 Update: netpbm-10.33-0.FC4 8th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122284 * Fedora Core 5 Update: shadow-utils-4.0.14-6.FC5 8th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122285 * Fedora Core 5 Update: cman-kernel-2.6.15.1-0.FC5.18 8th, April, 2006 Packages update to the latest kernel (2.6.16-1.2080_FC5) and now include xen packages for x86_64. http://www.linuxsecurity.com/content/view/122286 * Fedora Core 5 Update: dlm-kernel-2.6.15.1-0.FC5.16 8th, April, 2006 Packages update to the latest kernel (2.6.16-1.2080_FC5) and now include xen packages for x86_64. http://www.linuxsecurity.com/content/view/122287 * Fedora Core 5 Update: GFS-kernel-2.6.15.1-5.FC5.19 8th, April, 2006 Packages update to the latest kernel (2.6.16-1.2080_FC5) and now include xen packages for x86_64. http://www.linuxsecurity.com/content/view/122288 * Fedora Core 5 Update: ghostscript-8.15.1-7.2 10th, April, 2006 A problem with converting PS and EPS files into PDF has been fixed. Also, Japanese fonts have been added to the default font path. http://www.linuxsecurity.com/content/view/122300 * Fedora Core 5 Update: checkpolicy-1.30.3-1.fc5 11th, April, 2006 Update SELinux policy to current rawhide to fix many policy problems http://www.linuxsecurity.com/content/view/122309 * Fedora Core 5 Update: libsemanage-1.6.2-2.fc5 11th, April, 2006 Update SELinux policy to current rawhide to fix many policy problems http://www.linuxsecurity.com/content/view/122310 * Fedora Core 5 Update: libsepol-1.12.4-1.fc5 11th, April, 2006 Update SELinux policy to current rawhide to fix many policy problems http://www.linuxsecurity.com/content/view/122311 * Fedora Core 5 Update: selinux-policy-2.2.29-3.fc5 11th, April, 2006 Update SELinux policy to current rawhide to fix many policy problems http://www.linuxsecurity.com/content/view/122312 * Fedora Core 5 Update: eclipse-changelog-2.0.2_fc-1 11th, April, 2006 This is a bug-fix update for the Eclipse ChangeLog plugin. It includes fixes to the formatting of multiple ChangeLog entries by the same person. http://www.linuxsecurity.com/content/view/122314 * Fedora Core 4 Update: gaim-1.5.0-16.fc4 11th, April, 2006 This update fixes Bug #185222 where gaim would crash when you use the buddy blocking feature with the MSN protocol. It also contains a minor logging fix. http://www.linuxsecurity.com/content/view/122315 * Fedora Core 5 Update: gaim-1.5.0-16.fc5 11th, April, 2006 This update fixes Bug #185222 where gaim would crash when you use the buddy blocking feature with the MSN protocol. http://www.linuxsecurity.com/content/view/122316 * Fedora Core 4 Update: squirrelmail-1.4.6-5.fc4 12th, April, 2006 This update fixes revert Squirrelmail encoding behavior for Chinese and Korean languages, in addition to the Japanese fix of the previous update. http://www.linuxsecurity.com/content/view/122325 * Fedora Core 5 Update: squirrelmail-1.4.6-5.fc5 12th, April, 2006 This update fixes revert Squirrelmail encoding behavior for Chinese and Korean languages, in addition to the Japanese fix of the previous update. http://www.linuxsecurity.com/content/view/122326 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: ClamAV Multiple vulnerabilities 7th, April, 2006 ClamAV contains multiple vulnerabilities that could lead to remote execution of arbitrary code or cause an application crash. http://www.linuxsecurity.com/content/view/122275 +---------------------------------+ | Distribution: Mandriva | ----------------------------// +---------------------------------+ * Mandriva: Updated clamav packages fix vulnerabilities 7th, April, 2006 Damian Put discovered an integer overflow in the PE header parser in ClamAV that could be exploited if the ArchiveMaxFileSize option was disabled (CVE-2006-1614). http://www.linuxsecurity.com/content/view/122276 * Mandriva: Updated mplayer packages fix integer overflow vulnerabilities 7th, April, 2006 Multiple integer overflows in MPlayer 1.0pre7try2 allow remote attackers to cause a denial of service and trigger heap-based buffer overflows via (1) a certain ASF file handled by asfheader.c that causes the asf_descrambling function to be passed a negative integer after the conversion from a char to an int or (2) an AVI file with a crafted wLongsPerEntry or nEntriesInUse value in the indx chunk, which is handled in aviheader.c. http://www.linuxsecurity.com/content/view/122277 * Mandriva: Updated openvpn packages fix vulnerability 10th, April, 2006 A vulnerability in OpenVPN 2.0 through 2.0.5 allows a malicious server to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable. Updated packages have been patched to correct this issue by removing setenv support. http://www.linuxsecurity.com/content/view/122302 * Mandriva: Updated openvpn packages fix vulnerability 10th, April, 2006 Tavis Ormandy of the Gentoo Security Project discovered a vulnerability in zlib where a certain data stream would cause zlib to corrupt a data structure, resulting in the linked application to dump core (CVE-2005-2096). http://www.linuxsecurity.com/content/view/122303 * Mandriva: Updated xscreensaver packages fix clear-text password vulnerability 11th, April, 2006 Rdesktop, with xscreensaver < 4.18, does not release the keyboard focus when xscreensaver starts, which causes the password to be entered into the active window when the user unlocks the screen. Updated xscreensaver packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/122313 +---------------------------------+ | Distribution: SuSE | ----------------------------// +---------------------------------+ * SuSE: clamav various problems 11th, April, 2006 Updated package. http://www.linuxsecurity.com/content/view/122308 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------