+---------------------------------------------------------------------+
|  LinuxSecurity.com                           Weekly Newsletter      |
|  July 7th 2006                               Volume 7, Number 28a   |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for openoffice, libwfm, kernel,
opera, kdebase, and acroread. The distributors include Debian,
Mandriva, and SuSE.

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you can
earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec/

---

Sarbanes-Oxley Act Overview

Looking at the integrity and accountability of financial reporting has
become headline news. Widely publicized financial scandals have caused
damage to investor, employee, and customer confidence. Government and
regulatory agencies have enacted and are starting to enforce new
regulations for corporate governance to restore confidence and trust.
The response from the United States government regarding the Enron,
WorldCom, and Tyco accounting scandals of the late 1990's was the
Sarbanes-Oxley Act (The Act) of 2002. It establishes standards for
maintaining and preserving electronic and paper records in addition to
the accountability of corporate executives, employees, and auditors.
The Act contains 11 titles and also established new standards for
corporate accountability and penalties of fines and imprisonment.
Under the act, companies must validate financial statements, maintain
auditing practices, report on the effectiveness of the internal
controls, and assure integrity and timeliness of data. The main purpose
of the legislation is to hold organizations and their executives
responsible for the validity of corporate reporting. The reporting
requires all companies with public interests to require executives to
attest to the accuracy of the financial conditions and disclosure of
internal weaknesses. An article written by Guardian Digital Inc. says
that, "As mandated by SOX (the Sarbanes-Oxley Act), corporations can
accommodate these regulations through the design, implementation, and
maintenance of efficient and effective internal controls."

There are many sections to the SOA that President Bush signed.
According to Mathew Bender in the book, "The Sarbanes Oxley Act of 2002
with Analysis", SOA contains two provisions requiring CEOs and CFOs to
certify certain SEC filings. The first section requires them to certify
that annual and quarterly reports have been reviewed by themselves, do
not contain any untrue statement or omit to state a material fact, that
the information fairly represents the situation, and that they have
disclosed any deficiencies or changes to the internal controls. The
second section requires that when a report is filed, the CEO or CFO
must provide a written statement saying that it fully complies with the
requirements and that it fairly represents the financial and
operational results. If they certify the report knowing that it is
false, they can face criminal penalties.

----------------------

Security on your mind?

The Community edition of EnGarde Secure Linux is completely free and
open source. Updates are also freely available when you register with
the Guardian Digital Secure Network.
http://www.engardelinux.org/modules/index/register.cgi

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access beyond
that which is needed for proper system operations. A full explanation
of unix file permissions is beyond the scope of this article, so I'll
assume you are familiar with the usage of such tools as chmod, chown,
and chgrp. If you'd like a refresher, one is available right here on
linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New OpenOffice.org packages fix several vulnerabilities
  29th, June, 2006

Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite. The Common Vulnerabilities and Exposures Project
identifies the following problems: CVE-2006-2198 CVE-2006-2199
CVE-2006-3117

http://www.linuxsecurity.com/content/view/123375

* Debian: New OpenOffice.org packages fix arbitrary code execution
  6th, July, 2006

Loading malformed XML documents can cause buffer overflows in
OpenOffice.org, a free office suite, and cause a denial of service or
execute arbitrary code. It turned out that the correction in DSA 1104-1
was not sufficient, hence, another update.
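The "Linux File & Directory Permissions Mistakes" piece above stops at the tools (chmod, chown, chgrp) without showing what an audit for "far too liberal" permissions looks like. The script below is an added example, not part of the newsletter or of the linked article: it finds world-writable files, world-writable directories that lack the sticky bit, and setuid/setgid executables, then revokes the other-write bit on the first two classes. It uses only POSIX find(1), chmod(1) and mktemp(1); the sample tree it audits (the shared/, private/ and tmp/ names and the tool file) is constructed for the demo and is not a real system layout.

```shell
#!/bin/sh
# Added example (not from the newsletter): audit a directory tree for the
# permission mistakes the article describes, then tighten them. Octal
# masks are used with -perm so the checks work with GNU and BSD find.

# Files that any user on the system may modify (other-write bit set).
find_world_writable_files() {
    find "$1" -type f -perm -0002
}

# Directories any user may write to that lack the sticky bit. Unlike /tmp,
# any user can delete or rename other users' files inside such a directory.
find_world_writable_dirs_nosticky() {
    find "$1" -type d -perm -0002 ! -perm -1000
}

# setuid/setgid executables: each one should be a deliberate decision.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Count lines on stdin without depending on wc's output padding.
count_lines() {
    n=0
    while IFS= read -r _line; do n=$((n + 1)); done
    echo "$n"
}

# Total number of findings under a root, printed as a single integer.
count_findings() {
    f=$(find_world_writable_files "$1" | count_lines)
    d=$(find_world_writable_dirs_nosticky "$1" | count_lines)
    s=$(find_setid_files "$1" | count_lines)
    echo $((f + d + s))
}

# Human-readable report, one tagged line per finding.
report_tree() {
    find_world_writable_files "$1"         | sed 's/^/WORLD-WRITABLE FILE: /'
    find_world_writable_dirs_nosticky "$1" | sed 's/^/WORLD-WRITABLE DIR (no sticky bit): /'
    find_setid_files "$1"                  | sed 's/^/SETUID\/SETGID: /'
}

# Remediation: drop the other-write bit on offending files and directories.
# setuid/setgid binaries are left alone; those need per-binary review,
# not a blanket chmod.
revoke_other_write() {
    find "$1" -type f -perm -0002 -exec chmod o-w {} +
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod o-w {} +
}

# Constructed sample tree for the demo; every path here is made up.
build_fixture() {
    d=$(mktemp -d)
    mkdir "$d/shared" "$d/private" "$d/tmp"
    : > "$d/shared/notes.txt";    chmod 0666 "$d/shared/notes.txt"    # anyone can edit
    : > "$d/private/secret.conf"; chmod 0600 "$d/private/secret.conf" # owner only: fine
    : > "$d/tool";                chmod 4755 "$d/tool"                # setuid bit set
    chmod 0777 "$d/shared"                                            # world-writable, no sticky bit
    chmod 1777 "$d/tmp"                                               # sticky, like /tmp: acceptable
    echo "$d"
}

# Demo run: audit the constructed tree, tighten it, audit again.
demo_root=$(build_fixture)
echo "Findings before remediation: $(count_findings "$demo_root")"
report_tree "$demo_root"
revoke_other_write "$demo_root"
echo "Findings after remediation:  $(count_findings "$demo_root")"
report_tree "$demo_root"
rm -rf "$demo_root"
```

On a real host, point `report_tree` at / (or at the mount points that hold user and service data) and read the output before running `revoke_other_write`: world-writable directories that are meant to be shared are usually better fixed by adding the sticky bit (chmod +t) than by removing write access, and the setuid list is for review rather than automatic change.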
http://www.linuxsecurity.com/content/view/123458

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated libwmf packages fix embedded GD vulnerability
  29th, June, 2006

Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via
malformed image files that trigger the overflows due to improper calls
to the gdMalloc function.

http://www.linuxsecurity.com/content/view/123371

* Mandriva: Updated kernel packages fix multiple vulnerabilities
  5th, July, 2006

A number of vulnerabilities were discovered and corrected in the Linux
2.6 kernel.

http://www.linuxsecurity.com/content/view/123449

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: Opera 9.0 security upgrade
  3rd, July, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123416

* SuSE: kdebase3-kdm information disclosure
  3rd, July, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123417

* SuSE: OpenOffice_org remote code execution
  3rd, July, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123423

* SuSE: acroread remote code execution
  4th, July, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123429

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------