+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  August 25th 2006                              Volume 7, Number 35a |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                    Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx         ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for trac, ClamAV, squirrelmail, sendmail, heimdal, fbida, firefox, XFree86, xorg-x11, kernel, and ImageMagick. The distributors include Debian, Gentoo, Mandriva, Red Hat, and SuSE.

---

Earn an NSA-recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree without disrupting your career or home life.

http://www.msia.norwich.edu/linsec/

---

LinuxSecurity.com Launches New Web Site

Allendale, New Jersey, August 21, 2006 - LinuxSecurity.com, the definitive source for Linux and open source security news, today launched its new website. Founded by Guardian Digital CEO Dave Wreski in 1996, LinuxSecurity.com has become the pre-eminent information resource for IT professionals and open source community members alike. The site, which is supported and maintained by Guardian Digital staff members, employs a global network of expert and volunteer contributors to develop feature articles, commentaries and reviews, as well as to compile extensive collections of the latest security updates to help readers keep up with the latest advancements in Linux and open source security.
The new site includes:

* Comprehensive resource archives of whitepapers, HOWTOs, open source documentation and more
* Latest industry news stories and in-depth feature articles, organized by topic
* Interactive comments on all resources and news posts
* Extensive databases of local user groups and Linux-related event listings
* Regularly updated polls and surveys
* Live chat using "Shoutbox" technology

LinuxSecurity.com now offers all users the ability to browse and comment on news posts, polls and HOWTOs. The site has been extensively redesigned to enhance the experience of our registered users, an elite group of security-minded engineers, programmers, Web designers, system administrators and open source enthusiasts.

The redesign has greatly improved the look and feel of the site, focusing on its navigation and menu structures. New areas of interest have been added, including an SELinux news section and a Tips section. Under the hood, the site's code has been optimized and URLs have been shortened and made user-readable.

About LinuxSecurity.com

Headquartered in Guardian Digital's offices in Allendale, New Jersey, LinuxSecurity.com's global network of editors and web development staff creates feature articles, commentaries and surveys designed to keep readers informed of the latest Linux advancements and to promote the general growth of Linux around the world.

About Guardian Digital, Inc.

Leveraging the inherent benefits of open source architecture and the knowledge of security experts around the world, Guardian Digital has engineered the first truly secure open source operating platform - EnGarde Secure Linux. The secure Internet infrastructure of the award-winning EnGarde platform and its accompanying suite of applications guarantee that online information assets remain protected - even as Internet threats continue to evolve.
Customized to meet the specific needs of any size enterprise, Guardian Digital's solution portfolio includes intrusion detection, Web and email services, secure remote access, information privacy and electronic commerce products.

For additional information, please visit:
http://www.guardiandigital.com

http://www.linuxsecurity.com/content/view/124607/169/

----------------------

* EnGarde Secure Community 3.0.8 Released
  1st, August, 2006

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.8 (Version 3.0, Release 8). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, several updated packages, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/123902

---

Packet Sniffing Overview

The best way to secure yourself against sniffing is to use encryption. While this won't prevent a sniffer from functioning, it will ensure that what a sniffer reads is pure junk.

http://www.linuxsecurity.com/content/view/123570/49/

---

Review: How To Break Web Software

With a tool as widely used by as many different kinds of people as the World Wide Web, it is necessary for everyone to understand as many aspects of its functionality as possible. From web designers to web developers to web users, this is a must read. Security is a job for everyone, and How To Break Web Software by Mike Andrews and James A. Whittaker is written for everyone to understand.

http://www.linuxsecurity.com/content/view/122713/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New trac packages fix information disclosure
  18th, August, 2006

Felix Wiemann discovered that trac, an enhanced Wiki and issue tracking system for software development projects, can be used to disclose arbitrary local files. To fix this problem, python-docutils needs to be updated as well.

http://www.linuxsecurity.com/content/view/124572

* Debian: New ClamAV packages fix arbitrary code execution
  18th, August, 2006

Damian Put discovered a heap overflow vulnerability in the UPX unpacker of the ClamAV anti-virus toolkit which could allow remote attackers to execute arbitrary code or cause a denial of service.

http://www.linuxsecurity.com/content/view/124583

* Debian: New squirrelmail packages fix information disclosure
  20th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124585

* Debian: New sendmail packages fix denial of service
  24th, August, 2006

Updated package.

http://www.linuxsecurity.com/content/view/124677

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Heimdal Multiple local privilege escalation vulnerabilities
  23rd, August, 2006

Certain Heimdal components, ftpd and rcp, are vulnerable to a local privilege escalation.

http://www.linuxsecurity.com/content/view/124667

* Gentoo: fbida Arbitrary command execution
  23rd, August, 2006

The fbgs script provided by fbida allows the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/124675

* Gentoo: Heimdal Multiple local privilege escalation vulnerabilities
  24th, August, 2006

Certain Heimdal components, ftpd and rcp, are vulnerable to a local privilege escalation.
http://www.linuxsecurity.com/content/view/124682

* Gentoo: Heartbeat Denial of Service
  24th, August, 2006

Heartbeat is vulnerable to a Denial of Service which can be triggered by a remote attacker without authentication.

http://www.linuxsecurity.com/content/view/124688

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated Thunderbird packages fix multiple vulnerabilities
  21st, August, 2006

A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program. Corporate 3 had contained the Mozilla suite; however, due to the support cycle for Mozilla, it was felt that upgrading Mozilla to Firefox and Thunderbird would allow for better future support for Corporate 3 users.

http://www.linuxsecurity.com/content/view/124617

* Mandriva: Updated Firefox packages fix multiple vulnerabilities
  21st, August, 2006

A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program. Corporate 3 had contained the Mozilla suite; however, due to the support cycle for Mozilla, it was felt that upgrading Mozilla to Firefox and Thunderbird would allow for better future support for Corporate 3 users.

http://www.linuxsecurity.com/content/view/124616

* Mandriva: Updated php packages fix vulnerability
  21st, August, 2006

A vulnerability was discovered in the sscanf function that could allow attackers, in certain circumstances, to execute arbitrary code via argument swapping, which incremented an index past the end of an array and triggered a buffer over-read. Updated packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/124614

* Mandriva: Updated Firefox packages fix multiple vulnerabilities
  18th, August, 2006

A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program.
Previous updates to Firefox were patch fixes to Firefox 1.0.6 that brought it in sync with 1.0.8 in terms of security fixes.

http://www.linuxsecurity.com/content/view/124571

* Mandriva: Updated squirrelmail packages fix vulnerabilities
  22nd, August, 2006

Cross-site scripting (XSS) vulnerability in search.php in SquirrelMail 1.5.1 and earlier, when register_globals is enabled, allows remote attackers to inject arbitrary HTML via the mailbox parameter (CVE-2006-3174).

http://www.linuxsecurity.com/content/view/124640

* Mandriva: Updated epiphany-extensions packages for new epiphany
  23rd, August, 2006

Recently, epiphany was updated to work with the latest Mozilla Firefox; however, new epiphany-extensions packages were not available. This update provides updated epiphany-extensions for epiphany.

http://www.linuxsecurity.com/content/view/124676

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: XFree86 security update
  21st, August, 2006

Updated XFree86 packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124613

* RedHat: Important: xorg-x11 security update
  21st, August, 2006

Updated X.org packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124612

* RedHat: Important: kernel security update
  22nd, August, 2006

Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/124639

* RedHat: Moderate: ImageMagick security update
  24th, August, 2006

Updated ImageMagick packages that fix several security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/124681

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: kernel (SUSE-SA:2006:049)
  18th, August, 2006

There are multiple vulnerabilities that have been fixed in the kernel.

http://www.linuxsecurity.com/content/view/124576

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                 LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------