Linux Advisory Watch - July 28th 2006

+---------------------------------------------------------------------+
|  LinuxSecurity.com                               Weekly Newsletter  |
|  July 28th 2006                               Volume 7, Number 31a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for hashcash, GnuPG2, gimp,
Mozilla, hiki, postgrey, libdumb, fbi, drupal, freetype2, kdelibs2,
perl-Net-Server, openssh, elfutils, seamonkey, kernel, php, and
samba. The distributors include Debian, Mandriva, Red Hat, and SuSE.

---

CRYPTOCard Two-Factor Authentication

Are you a Linux consultant with expertise in network security?
Join CRYPTOCard's Linux Consultants program and learn about how you can
help your clients implement secure authentication solutions. Click here
for more information:

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=cc_nl

---

Improvements to LinuxSecurity.com
Efren J. Belizario

The Linuxsecurity team has been busy lately enhancing the planet's
premier Open Source security site. The most conspicuous improvement
is our new "ShoutBox" that lets visitors exchange their views on
security and other matters in real time, so give us a "shout" and
let us hear what you think.

Behind the scenes, we have just finished upgrading our site to the
latest version of the Joomla! Open Source content management
software, v 1.0.10, which brings many improvements to the security
and performance of the site.

Our greatest effort has gone into the Resource pages. Now with
nearly 500 articles, this section is your portal to the latest
HOWTOs and documentation for everything Linux Security. More and
more articles for hardening your Linux box are appearing, like
Securing and Hardening Linux Production Systems. A firewall is a
classic way to keep intruders from sneaking into your system and
with so many options to choose from, reading a firewall primer is
a good way to get started. If you need further assurance that
your data will be protected, refer to this HOWTO on Data
Encryption. Be sure to check out the latest tips, how-to's,
and other explanations of the latest Open Source security
technologies.

Two other features that we have added are comments for Polls and
the User Rating System. The Polls are found on the left-hand side
below the Members Menu. The User Rating System can be found after
clicking on a specific news article. We truly want to get more
feedback from our users and these tools will, hopefully, enable
us to do so.

If you have any comments or suggestions concerning our site,
please feel free to e-mail us or submit a comment below.

Read Full Article:
http://www.linuxsecurity.com/content/view/123639/65/

----------------------


Packet Sniffing Overview

The best way to secure yourself against sniffing is to use encryption.
While this won't prevent a sniffer from functioning, it will ensure
that what a sniffer reads is pure junk.

http://www.linuxsecurity.com/content/view/123570/49/

---

Review: How To Break Web Software

With a tool as widely used by so many different kinds of people as
the World Wide Web, everyone needs to understand as many aspects of
its functionality as possible. From web designers to web developers
to web users, this is a must read. Security is a job for everyone,
and How To Break Web Software by Mike Andrews and James A. Whittaker
is written for everyone to understand.

http://www.linuxsecurity.com/content/view/122713/49/

---

EnGarde Secure Linux v3.0.7 Now Available

Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.7 (Version 3.0, Release 7).  This
release includes several bug fixes and feature enhancements
to the Guardian Digital WebTool and the SELinux policy,
several updated packages, and several new packages
available for installation.

http://www.linuxsecurity.com/content/view/123016/65/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New hashcash packages fix arbitrary code execution
  21st, July, 2006

Andreas Seltenreich discovered a buffer overflow in hashcash, a
postage payment scheme for email that is based on hash calculations,
which could allow attackers to execute arbitrary code via specially
crafted entries.

http://www.linuxsecurity.com/content/view/123680


* Debian: New GnuPG2 packages fix denial of service
  21st, July, 2006

Evgeny Legerov discovered that gnupg, the GNU privacy guard, a free
PGP replacement, contains an integer overflow that can cause a
segmentation fault and possibly overwrite memory via large user ID
strings.

http://www.linuxsecurity.com/content/view/123681


* Debian: New gimp packages fix arbitrary code execution
  21st, July, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123689


* Debian: New Mozilla packages fix several vulnerabilities
  22nd, July, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123697


* Debian: New hiki packages fix denial of service
  22nd, July, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123698


* Debian: New Mozilla Firefox packages fix several vulnerabilities
  23rd, July, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123706


* Debian: New postgrey packages fix denial of service
  24th, July, 2006

Peter Bieringer discovered that postgrey, a greylisting
implementation for Postfix, is vulnerable to a format string attack
that allows remote attackers to crash the daemon.

http://www.linuxsecurity.com/content/view/123710


* Debian: New Net::Server packages fix denial of service
  24th, July, 2006

Peter Bieringer discovered that the "log" function in the Net::Server
Perl module, an extensible, general perl server engine, is not safe
against format string exploits.
http://www.linuxsecurity.com/content/view/123713


* Debian: New libdumb packages fix arbitrary code execution
  24th, July, 2006

Luigi Auriemma discovered that DUMB, a tracker music library,
performs insufficient sanitising of values parsed from IT music
files, which might lead to a buffer overflow and execution of
arbitrary code if manipulated files are read.

http://www.linuxsecurity.com/content/view/123716


* Debian: New fbi packages fix potential deletion of user data
  24th, July, 2006

Toth Andras discovered that the fbgs framebuffer postscript/PDF
viewer contains a typo, which prevents the intended filter against
malicious postscript commands from working correctly. This might lead
to the deletion of user data when displaying a postscript file.
Fixes CVEID: CVE-2006-3119.

http://www.linuxsecurity.com/content/view/123717


* Debian: New drupal packages fix execution of arbitrary web script
code
  26th, July, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123748


* Debian: New Asterisk packages fix denial of service
  27th, July, 2006

Updated package.

http://www.linuxsecurity.com/content/view/123749


+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated freetype2 packages fix overflow vulnerability.
  20th, July, 2006

An additional overflow, similar to those corrected by patches for
CVE-2006-1861, was found in libfreetype.  If a user loads a carefully
crafted font file with a program linked against FreeType, it could
cause the application to crash or execute arbitrary code as the user.
Updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/123671


* Mandriva: Updated kdelibs packages fix konqueror crash
vulnerability.
  20th, July, 2006

KDE Konqueror 3.5.1 and earlier allows remote attackers to cause a
denial of service (application crash) by calling the replaceChild
method on a DOM object, which triggers a null dereference, as
demonstrated by calling document.replaceChild with a 0 (zero)
argument. This issue does not affect Corporate 3.0.  Updated packages
have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/123677


* Mandriva: Updated imlib2 packages fix x86_64 tiff loader bug
  21st, July, 2006

The tiff loader from imlib2 crashes when processing images on the
x86_64 platform. This was reported when using digikam on x86_64,
which uses this loader.  Updated packages are provided that correct
the issue.

http://www.linuxsecurity.com/content/view/123694


* Mandriva: Updated perl-Net-Server packages fix format string
vulnerability
  25th, July, 2006

Peter Bieringer discovered a flaw in the perl Net::Server module
where the "log" function was not safe against format string exploits
in version 0.87 and earlier. Updated packages have been patched to
correct this issue.

http://www.linuxsecurity.com/content/view/123734
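The postgrey and Net::Server advisories above describe the same mistake: a log routine that hands the message to sprintf as its format string, so text that arrived from the network steers the formatting. The Perl snippet below is an added illustration, not code from Net::Server, postgrey or either advisory; the logger names and the "peer" message are constructed. It places the vulnerable shape beside the hardened one and shows that the safe version preserves the message verbatim while the unsafe one mangles it and triggers Perl's "Missing argument in sprintf" warning. Because Perl's sprintf works on Perl scalars rather than raw memory, the damage is corrupted log output and resource consumption rather than memory corruption, which matches the denial-of-service rating both advisories carry.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed illustration, not code from Net::Server or postgrey, of the
# logging mistake behind the format-string advisories: the message is
# handed to sprintf as its FORMAT, so any '%' sequence it contains is
# interpreted instead of being written out literally.

# Vulnerable shape: caller-supplied text becomes the format string.
sub log_unsafe {
    my ($level, $msg) = @_;
    return sprintf("[$level] $msg");       # $msg steers the formatting
}

# Hardened shape: the format is a literal; the message is only an argument.
sub log_safe {
    my ($level, $msg) = @_;
    return sprintf("[%d] %s", $level, $msg);
}

# Constructed stand-in for text a remote peer supplied (a client hostname
# or SMTP argument that the daemon later logs). It merely contains a '%'.
my $peer_text = 'client said: disk 95% full';

# Safe path: the message survives verbatim.
my $good = log_safe(2, $peer_text);
print "$good\n";
die "safe logger altered the message\n" unless $good eq "[2] $peer_text";

# Unsafe path: "% f" parses as a conversion (space flag, %f) with no
# argument left to consume, so the text is mangled and Perl warns
# "Missing argument in sprintf". The warning is captured so the script
# can report the mismatch alongside it instead of spewing to stderr.
my @warnings;
{
    local $SIG{__WARN__} = sub { push @warnings, $_[0] };
    my $bad = log_unsafe(2, $peer_text);
    print "$bad\n";
    print "unsafe logger changed the message\n" if $bad ne "[2] $peer_text";
}
print "captured warning: $_" for @warnings;
```

The rule of thumb when auditing a Perl code base for this bug is that the first argument to sprintf or printf should always be a string literal; any call whose format is a variable, or a string interpolating one, deserves the "%s" treatment shown in log_safe.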


+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Low: openssh security update
  20th, July, 2006

Updated openssh packages that fix bugs in sshd are now available for
Red Hat Enterprise Linux 3. This update has been rated as having low
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/123667


* RedHat: Low: elfutils security update
  20th, July, 2006

Updated elfutils packages that address a minor security issue and
various other issues are now available.  This update has been rated
as having low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/123668


* RedHat: Critical: seamonkey security update (was mozilla)
  20th, July, 2006

Updated seamonkey packages that fix several security bugs in the
mozilla package are now available for Red Hat Enterprise Linux 3.
This update has been rated as having critical security impact by the
Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/123669


* RedHat: Important: Updated kernel packages for Red Hat
  20th, July, 2006

Updated kernel packages are now available as part of ongoing support
and maintenance of Red Hat Enterprise Linux version 3. This is the
eighth regular update. This security advisory has been rated as
having important security impact by the Red Hat Security Response
Team.

http://www.linuxsecurity.com/content/view/123670


* RedHat: Moderate: php security update
  25th, July, 2006

Updated PHP packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 2.1. This update has been rated
as having moderate security impact by the Red Hat Security Response
Team.

http://www.linuxsecurity.com/content/view/123726


* RedHat: Moderate: kdebase security fix
  25th, July, 2006

Updated kdebase packages that resolve a security issue are now
available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/123727


* RedHat: Important: samba security update
  25th, July, 2006

Updated samba packages that fix a denial of service vulnerability are
now available. This update has been rated as having important
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/123728


+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: kernel security problems
  26th, July, 2006

The Linux kernel has been updated to fix several security issues.
This advisory refers to kernel updates for SUSE Linux 9.1 - 10.1.

http://www.linuxsecurity.com/content/view/123738


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

