+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | February 16th 2007 Volume 8, Number 7a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@xxxxxxxxxxxxxxxxx ben@xxxxxxxxxxxxxxxxx Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for fetchmail, imagemagick, eclipse, netkit, samba, proftpd, snort, rar, postgresql, smb4k, dbus, java, moinmoin, the the Linux kernel. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and Ubuntu. --- Earn an NSA recognized IA Masters Online The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/linsec/ --- * EnGarde Secure Linux v3.0.12 Now Available Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.11 (Version 3.0, Release 12). This release includes several bug fixes and feature enhancements to the SELinux policy and several updated packages. http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.12 --- RFID with Bio-Smart Card in Linux In this paper, we describe the integration of fingerprint template and RF smart card for clustered network, which is designed on Linux platform and Open source technology to obtain biometrics security. Combination of smart card and biometrics has achieved in two step authentication where smart card authentication is based on a Personal Identification Number (PIN) and the card holder is authenticated using the biometrics template stored in the smart card that is based on the fingerprint verification. The fingerprint verification has to be executed on central host server for security purposes. Protocol designed allows controlling entire parameters of smart security controller like PIN options, Reader delay, real-time clock, alarm option and cardholder access conditions. http://www.linuxsecurity.com/content/view/125052/171/ --- Packet Sniffing Overview The best way to secure you against sniffing is to use encryption. While this won't prevent a sniffer from functioning, it will ensure that what a sniffer reads is pure junk. http://www.linuxsecurity.com/content/view/123570/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New fetchmail packages fix information disclosure 14th, February, 2007 Updated package. http://www.linuxsecurity.com/content/view/127068 * Debian: New imagemagick package fix arbitrary code execution 14th, February, 2007 Updated package. http://www.linuxsecurity.com/content/view/127069 +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ * Fedora Core 6 Update: eclipse-cdt-3.1.1-8.fc6 14th, February, 2007 This updates the Autotools sub-component plugin to 0.0.7. http://www.linuxsecurity.com/content/view/127070 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: Netkit FTP Server Privilege escalation 13th, February, 2007 The original fix introduced a new vulnerability allowing the listing of any arbitrary directory with root group permissions due to a typo in the setgid() call. New fixed packages are available. Also, this update adds a second CVE reference which was not originally mentionned while it was covered by the original fix. http://www.linuxsecurity.com/content/view/127043 * Gentoo: Samba Multiple vulnerabilities 13th, February, 2007 Multiple flaws exist in the Samba suite of programs, the most serious of which could result in the execution of arbitrary code. http://www.linuxsecurity.com/content/view/127046 * Gentoo: ProFTPD Local privilege escalation 13th, February, 2007 A flaw in ProFTPD may allow a local attacker to obtain root privileges. http://www.linuxsecurity.com/content/view/127047 * Gentoo: Snort Denial of Service 13th, February, 2007 Snort contains a vulnerability in the rule matching algorithm that could result in a Denial of Service. http://www.linuxsecurity.com/content/view/127048 * Gentoo: RAR, UnRAR Buffer overflow 13th, February, 2007 RAR and UnRAR contain a buffer overflow allowing the execution of arbitrary code. http://www.linuxsecurity.com/content/view/127049 +---------------------------------+ | Distribution: Mandriva | ----------------------------// +---------------------------------+ * Mandriva: Updated postgresql packages address multiple vulnerabilities 8th, February, 2007 Jeff Trout discovered that the PostgreSQL server did not sufficiently check data types of SQL function arguments in some cases. A user could then exploit this to crash the database server or read out arbitrary locations of the server's memory, which could be used to retrieve database contents that the user should not be able to see. Note that a user must be authenticated in order to exploit this (CVE-2007-0555). http://www.linuxsecurity.com/content/view/126948 * Mandriva: Updated ImageMagick packages fix buffer overflow vulnerability 9th, February, 2007 Vladimir Nadvornik discovered a buffer overflow in GraphicsMagick and ImageMagick allows user-assisted attackers to cause a denial of service and possibly execute execute arbitrary code via a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. This is related to an earlier fix for CVE-2006-5456 that did not fully correct the issue. http://www.linuxsecurity.com/content/view/126967 * Mandriva: Updated smb4k packages fix numerous vulnerabilities 12th, February, 2007 Kees Cook performed an audit on the Smb4K program and discovered a number of vulnerabilities and security weaknesses that have been addressed and corrected in Smb4K 0.8.0 which is being provided with this update. http://www.linuxsecurity.com/content/view/127034 +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ * RedHat: Moderate: dbus security update 8th, February, 2007 Updated dbus packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/126936 * RedHat: Critical: IBMJava2 security update 8th, February, 2007 IBMJava2-JRE and IBMJava2-SDK packages that correct several security issues are available for Red Hat Enterprise Linux 2.1. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/126942 * RedHat: Critical: java-1.5.0-ibm security update 9th, February, 2007 java-1.5.0-ibm packages that correct several security issues are available for Red Hat Enterprise Linux 4 Extras. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/126959 +---------------------------------+ | Distribution: Ubuntu | ----------------------------// +---------------------------------+ * Ubuntu: MoinMoin vulnerability 9th, February, 2007 A flaw was discovered in MoinMoin's page name sanitizer which could lead to a cross-site scripting attack. By tricking a user into viewing a crafted MoinMoin page, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user's authentication information for the domain where MoinMoin was hosted. http://www.linuxsecurity.com/content/view/126969 * Ubuntu: Linux kernel vulnerabilities 10th, February, 2007 Mark Dowd discovered that the netfilter iptables module did not correcly handle fragmented IPv6 packets. http://www.linuxsecurity.com/content/view/126970 * Ubuntu: PostgreSQL regression 12th, February, 2007 USN-417-2 fixed a severe regression in the PostgreSQL server that was introduced in USN-417-1 and caused some valid queries to be aborted with a type error. This update fixes a similar (but much less prominent) error. At the same time, PostgreSQL is updated to version 8.1.8, which fixes a range of important bugs. http://www.linuxsecurity.com/content/view/126977 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------