+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | June 23rd, 2006 Volume 7, Number 26n | | | | Editorial Team: Dave Wreski dave@xxxxxxxxxxxxxxxxx | | Benjamin D. Thomas ben@xxxxxxxxxxxxxxxxx | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, updates were released for wv2, firefox, system-config-bind, thunderbird, autofs, libselinux, arts, kdeaccessibility, kdeaddons, kdeadmin, kdeartwork, kdebase, kdebase, kdebindings, kdeedu, kdegames, kdegraphics, kde, kdelibs, kdemultimedia, kdenetwork, kdepim, kdesdk, kdeutils, kdevelop, kdewebdev, kdeartwork, kdeedu, kdegames, kde-il8n, qt, gtk, smartmontools, ruby, nss, autofs, glib-java, cairo-java, libvte-java, libgnome-java, sendmail, kdebase, mdkkdm, xine-lib, gnupg, and awstats. The distributors include Debian, Fedora, Mandriva, and SuSE. --- Security on your mind? Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data. The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates. The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network. http://www.engardelinux.org/modules/index/register.cgi --- How To Break Web Software, Part II By: Eric Lubow Another set of attacks that are covered are language attacks. These can also occur as a result of poor or total lack of input validation. These languages include CSS, XSS (Cross Site Scripting for any number of languages), C, C++, or SQL, to name just a few. It is to be noted that attacks via SQL involves attacking the server and having a little knowledge about databases, queries, and the way that databases function. Next, the authors discuss authentication and cryptography. They make it a point to prove to the reader and users that not just any cryptography will do and that only proven tried and true methods are acceptable for public use. The book then goes into discussing privacy issues. It discusses identifying information such as the referrer logs, agent logs, web bugs, clipboard access (via Javascript), and cached pages. It then finishes up by discussing various types of web services (including XML, SOAP, WSDL, and UDDI) and the inherent problems that can be around using each one of them. The set of tools outlines at the end of the book to help in bug testing web software is an excellent compilation. Opinion: Software testing and implementation theories have been around for a long time. There has also been numerous writings, journals, and theories published on how things should and shouldn't be done. Mike Andrews and James Whittaker do an excellent job of outlining the potential shortcomings of web programming. This is an excellent jumping off point for anyone beginning on the security side of web design. To me, the most enjoyable part of the book is where the authors discuss the "Key Principals for Quality" over the fifty years of software design. I think they should have put that as part of the introduction to outline their point of view on testing as a necessary part of the design phase (which should be a more widely shared view point). Other than that, I believe that this is an excellent all around reference and should be read by those involved in all aspects of the world wide web. http://www.linuxsecurity.com/content/view/122713/49/ ---------------------- Linux File & Directory Permissions Mistakes One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com. http://www.linuxsecurity.com/content/view/119415/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New wv2 packages fix integer overflow 15th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123160 +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ * Fedora Core 5 Update: firefox-1.5.0.4-1.2.fc5 15th, June, 2006 Several security issues have been identified that are fixed in this release. http://www.linuxsecurity.com/content/view/123169 * Fedora Core 5 Update: system-config-bind-4.0.0-42_FC5 15th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123170 * Fedora Core 5 Update: thunderbird-1.5.0.4-1.1.fc5 15th, June, 2006 Several security issues have been identified that are fixed in this release. http://www.linuxsecurity.com/content/view/123171 * Fedora Core 5 Update: autofs-4.1.4-27 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123193 * Fedora Core 5 Update: libselinux-1.30.3-3.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123194 * Fedora Core 4 Update: arts-1.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123195 * Fedora Core 4 Update: kdeaccessibility-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123196 * Fedora Core 4 Update: kdeaddons-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123197 * Fedora Core 4 Update: kdeadmin-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123198 * Fedora Core 4 Update: kdeartwork-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123199 * Fedora Core 4 Update: kdebase-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123200 * Fedora Core 4 Update: kdebindings-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123201 * Fedora Core 4 Update: kdeedu-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123202 * Fedora Core 4 Update: kdegames-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123203 * Fedora Core 4 Update: kdegraphics-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123204 * Fedora Core 4 Update: kde-i18n-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123205 * Fedora Core 4 Update: kdelibs-3.5.3-0.2.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123206 * Fedora Core 4 Update: kdemultimedia-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123207 * Fedora Core 4 Update: kdenetwork-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123208 * Fedora Core 4 Update: kdepim-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123209 * Fedora Core 4 Update: kdesdk-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123210 * Fedora Core 4 Update: kdeutils-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123211 * Fedora Core 4 Update: kdevelop-3.3.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123212 * Fedora Core 4 Update: kdewebdev-3.5.3-0.1.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123213 * Fedora Core 5 Update: arts-1.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123214 * Fedora Core 5 Update: kdeaccessibility-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123215 * Fedora Core 5 Update: kdeaddons-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123216 * Fedora Core 5 Update: kdeadmin-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123217 * Fedora Core 5 Update: kdebase-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123218 * Fedora Core 5 Update: kdeartwork-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123219 * Fedora Core 5 Update: kdebindings-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123220 * Fedora Core 5 Update: kdeedu-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123221 * Fedora Core 5 Update: kdegames-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123222 * Fedora Core 5 Update: kdegraphics-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123223 * Fedora Core 5 Update: kde-i18n-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123224 * Fedora Core 5 Update: kdelibs-3.5.3-0.2.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123225 * Fedora Core 5 Update: kdemultimedia-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123226 * Fedora Core 5 Update: kdenetwork-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123227 * Fedora Core 5 Update: kdepim-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123228 * Fedora Core 5 Update: kdesdk-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123229 * Fedora Core 5 Update: kdeutils-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123230 * Fedora Core 5 Update: kdevelop-3.3.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123231 * Fedora Core 5 Update: kdewebdev-3.5.3-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123232 * Fedora Core 5 Update: qt-3.3.6-0.1.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123233 * Fedora Core 5 Update: gtk2-2.8.19-2 19th, June, 2006 Due to recent changes in the build system, the last gtk2 update lost some dependencies, and e.g is not Xinerama-aware anymore. This update fixes this problem. http://www.linuxsecurity.com/content/view/123234 * Fedora Core 5 Update: smartmontools-5.36-fc5.1 19th, June, 2006 This is upgrade to a new upstream version which brings additional hardware support. http://www.linuxsecurity.com/content/view/123235 * Fedora Core 5 Update: ruby-1.8.4-6.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123236 * Fedora Core 4 Update: kdebase-3.5.3-0.2.fc4 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123240 * Fedora Core 5 Update: kdebase-3.5.3-0.3.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123241 * Fedora Core 5 Update: kdepim-3.5.3-0.2.fc5 19th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123242 * Fedora Core 5 Update: nss-3.11.1-1.fc5 19th, June, 2006 Update to version 3.11.1. This includes a fix for a serious memory leak. http://www.linuxsecurity.com/content/view/123243 * Fedora Core 4 Update: autofs-4.1.4-26 20th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123254 * Fedora Core 5 Update: system-config-lvm-1.0.18-1.2.FC5 20th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123255 * Fedora Core 5 Update: glib-java-0.2.5-0.FC5 21st, June, 2006 Make current version of frysk available to FC5 users. http://www.linuxsecurity.com/content/view/123270 * Fedora Core 5 Update: cairo-java-1.0.4-0.FC5 21st, June, 2006 Make current version of frysk available to FC5 users. http://www.linuxsecurity.com/content/view/123271 * Fedora Core 5 Update: libgtk-java-2.8.5-0.FC5 21st, June, 2006 Make current version of frysk available to FC5 users. http://www.linuxsecurity.com/content/view/123272 * Fedora Core 5 Update: libvte-java-0.12.0-0.FC5 21st, June, 2006 Make current version of frysk available to FC5 users. http://www.linuxsecurity.com/content/view/123273 * Fedora Core 5 Update: libgnome-java-2.12.3-0.FC5 21st, June, 2006 Make current version of frysk available to FC5 users. http://www.linuxsecurity.com/content/view/123274 * Fedora Core 5 Update: libglade-java-2.12.4-0.FC5 21st, June, 2006 Make current version of frysk available to FC5 users. http://www.linuxsecurity.com/content/view/123275 * Fedora Core 5 Update: frysk-0.0.1.2006.06.15.rh4-0.FC5 21st, June, 2006 Make current version of frysk available to FC5 users. http://www.linuxsecurity.com/content/view/123276 +---------------------------------+ | Distribution: Mandriva | ----------------------------// +---------------------------------+ * Mandriva: Updated sendmail packages fix remotely exploitable vulnerability 15th, June, 2006 A vulnerability in the way Sendmail handles multi-part MIME messages was discovered that could allow a remote attacker to create a carefully crafted message that could crash the sendmail process during delivery. The updated packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/123159 * Mandriva: Updated kdebase packages fix local vulnerability in kdm 15th, June, 2006 A problem with how kdm manages the ~/.dmrc file was discovered by Ludwig Nussel. By using a symlink attack, a local user could get kdm to read arbitrary files on the system, including privileged system files and those belonging to other users. The updated packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/123172 * Mandriva: Updated mdkkdm packages fix local vulnerability 15th, June, 2006 A problem with how kdm manages the ~/.dmrc file was discovered by Ludwig Nussel. By using a symlink attack, a local user could get kdm to read arbitrary files on the system, including privileged system files and those belonging to other users. http://www.linuxsecurity.com/content/view/123173 * Mandriva: Updated arts packages fix vulnerability in artswrapper 20th, June, 2006 A vulnerability in the artswrapper program, when installed setuid root, could enable a local user to elevate their privileges to that of root. By default, Mandriva Linux does not ship artswrapper setuid root, however if a user or system administrator enables the setuid bit on artswrapper, their system could be at risk, The updated packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/123256 * Mandriva: Updated xine-lib packages fix buffer overflow vulnerabilities 20th, June, 2006 A buffer overflow in the HTTP Plugin (xineplug_inp_http.so) for xine-lib 1.1.1 allows remote attackers to cause a denial of service (application crash) via a long reply from an HTTP server, as demonstrated using gxine 0.5.6. (CVE-2006-2802) http://www.linuxsecurity.com/content/view/123257 * Mandriva: Updated wv2 packages fix vulnerability 20th, June, 2006 A boundary checking error was discovered in the wv2 library, used for accessing Microsoft Word documents. This error can lead to an integer overflow induced by processing certain Word files. The updated packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/123258 * Mandriva: Updated gnupg packages fix vulnerability 20th, June, 2006 A vulnerability was discovered in GnuPG 1.4.3 and 1.9.20 (and earlier) that could allow a remote attacker to cause gpg to crash and possibly overwrite memory via a message packet with a large length. The updated packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/123259 +---------------------------------+ | Distribution: SuSE | ----------------------------// +---------------------------------+ * SuSE: awstats remote code execution 20th, June, 2006 Updated package. http://www.linuxsecurity.com/content/view/123244 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------
