+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  August 18th 2006                             Volume 7, Number 34a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for ncompress, shadow, heartbeat,
kerberos, warzone, libwmf, wordpress, gnupg, firefox, elfutils, ntp,
kdebase, perl, httpd, and wireshark. The distributors include Debian,
Gentoo, Mandriva, Red Hat, and SuSE.

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you can
earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec/

---

Build a Case for Security

Establishing a business case is perhaps the first phase in any project
initiation. Organizations that are successful maintain full
justification for all business expenditure. An information security
project is no different. An effective information security program
requires visible support from executive management. To gain support, a
persuasive business case is often necessary. An information security
program will have numerous tangible and intangible benefits to any
organization. It is the role of a business case to document these.

To build a persuasive case for information security, it is important
for practitioners "to become more managerial in outlook, speech, and
perspectives." (Information Security Management Handbook 4th Edition,
Volume 2.)
Stressing the technical benefits of information security is no longer
sufficient because of the size and expenditure of information security
programs. When making a case for information security, an emphasis
should be placed on how proactive security mechanisms ensure that senior
management will not be held liable for negligence. As IT has become more
prominent in organizations, so have compliance and regulatory
requirements. Today, senior management personnel are expected to
demonstrate due care and due diligence in relation to information
security. With this, information security must become an essential
aspect of management.

Addressing the overall benefits of information security is important as
well. A business case should stress how information security can become
a business enabler. It can be a company differentiator by offering
increased levels of customer satisfaction and contributing overall to
total quality management. Information security also provides a means to
ensure against unauthorized behavior. Often, trusting that internal
employees will "do the right thing" is not enough. Information security
related business cases should be written in a way that emphasizes all
benefits of information security.

----------------------

* EnGarde Secure Community 3.0.8 Released
  1st, August, 2006

  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.8 (Version 3.0, Release 8). This release includes
  several bug fixes and feature enhancements to the Guardian Digital
  WebTool, several updated packages, and several new packages available
  for installation.

  http://www.linuxsecurity.com/content/view/123902

---

Packet Sniffing Overview

The best way to secure yourself against sniffing is to use encryption.
While this won't prevent a sniffer from functioning, it will ensure that
what a sniffer reads is pure junk.
http://www.linuxsecurity.com/content/view/123570/49/

---

Review: How To Break Web Software

With a tool as widely used by so many different types of people as the
World Wide Web, it is necessary for everyone to understand as many
aspects as possible about its functionality. From web designers to web
developers to web users, this is a must read. Security is a job for
everyone, and How To Break Web Software by Mike Andrews and James A.
Whittaker is written for everyone to understand.

http://www.linuxsecurity.com/content/view/122713/49/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New ncompress packages fix potential code execution
  10th, August, 2006

  Tavis Ormandy from the Google Security Team discovered a missing
  boundary check in ncompress, the original Lempel-Ziv compress and
  uncompress programs, which allows a specially crafted datastream to
  underflow a buffer with attacker controlled data.

  http://www.linuxsecurity.com/content/view/124446

* Debian: New shadow packages fix privilege escalation
  12th, August, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/124477

* Debian: New heartbeat packages fix denial of service
  15th, August, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/124515

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: MIT Kerberos 5 Multiple local privilege escalation (test Falco for security)
  10th, August, 2006

  Some applications shipped with MIT Kerberos 5 are vulnerable to local
  privilege escalation.
  http://www.linuxsecurity.com/content/view/124448

* Gentoo: Warzone 2100 Resurrection Multiple buffer overflows
  10th, August, 2006

  Warzone 2100 Resurrection server and client are vulnerable to separate
  buffer overflows, potentially allowing remote code execution.

  http://www.linuxsecurity.com/content/view/124452

* Gentoo: libwmf Buffer overflow vulnerability
  10th, August, 2006

  libwmf is vulnerable to an integer overflow potentially resulting in
  the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/124453

* Gentoo: Net::Server Format string vulnerability
  10th, August, 2006

  A format string vulnerability has been reported in Net::Server which
  can be exploited to cause a Denial of Service.

  http://www.linuxsecurity.com/content/view/124455

* Gentoo: WordPress Privilege escalation
  10th, August, 2006

  A flaw in WordPress allows registered WordPress users to elevate
  privileges.

  http://www.linuxsecurity.com/content/view/124456

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated gnupg packages fix vulnerability
  14th, August, 2006

  An integer overflow vulnerability was discovered in gnupg where an
  attacker could create a carefully-crafted message packet with a large
  length that could cause gnupg to crash or possibly overwrite memory
  when opened. Updated packages have been patched to correct this issue.

  http://www.linuxsecurity.com/content/view/124512

* Mandriva: Updated heartbeat packages fix vulnerability
  14th, August, 2006

  Two vulnerabilities in heartbeat prior to 2.0.6 were discovered by Yan
  Rong Ge. The first is that heartbeat would set insecure permissions in
  a shmget call for shared memory, allowing a local attacker to cause an
  unspecified denial of service via unknown vectors (CVE-2006-3815).
  The second is a remote vulnerability that could allow the master
  control process to read invalid memory due to a specially crafted
  heartbeat message and die of a SEGV, all prior to any authentication.

  http://www.linuxsecurity.com/content/view/124513

* Mandriva: Updated Firefox packages fix multiple vulnerabilities
  16th, August, 2006

  A number of security vulnerabilities have been discovered and
  corrected in the latest Mozilla Firefox program.

  http://www.linuxsecurity.com/content/view/124539

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Low: elfutils security update
  10th, August, 2006

  Updated elfutils packages that address a minor security issue and
  various other issues are now available. This update has been rated as
  having low security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/124459

* RedHat: Low: ntp security update
  10th, August, 2006

  Updated ntp packages that fix several bugs are now available. This
  update has been rated as having low security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/124460

* RedHat: Updated kernel packages available for Red Hat
  10th, August, 2006

  Updated kernel packages are now available as part of ongoing support
  and maintenance of Red Hat Enterprise Linux version 4.

  http://www.linuxsecurity.com/content/view/124461

* RedHat: Low: kdebase security fix
  10th, August, 2006

  Updated kdebase packages that resolve several bugs are now available.
  This update has been rated as having low security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/124462

* RedHat: Important: perl security update
  10th, August, 2006

  Updated Perl packages that fix a security issue are now available for
  Red Hat Enterprise Linux 4. This update has been rated as having
  important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/124463

* RedHat: Moderate: httpd security update
  10th, August, 2006

  Updated Apache httpd packages that correct security issues and resolve
  bugs are now available for Red Hat Enterprise Linux 3 and 4. This
  update has been rated as having moderate security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/124464

* RedHat: Moderate: wireshark security update (was
  16th, August, 2006

  New Wireshark packages that fix various security vulnerabilities in
  Ethereal are now available. This update has been rated as having
  moderate security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/124533

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: kernel security problems
  11th, August, 2006

  Multiple security vulnerabilities in the kernel are addressed.

  http://www.linuxsecurity.com/content/view/124469

* SuSE: MozillaFirefox, MozillaThunderbird,
  16th, August, 2006

  To fix various security problems we released update packages that
  bring Mozilla Firefox to version 1.5.0.6, MozillaThunderbird to
  version 1.5.0.5 and the Seamonkey Suite to version 1.0.3.

  http://www.linuxsecurity.com/content/view/124535

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------