This week, advisories were released for proftpd, openoffice, libapache, mozilla, seamonkey, samba, kdeutils, postfix, xorg, avahi, geoip, mesa, nvidia, kerberos, nmap, desktop-common-package, lirc, mono-web, krb5, w3m, regression, D-Bus, madwifi, and fetchmail. The distributors include Debian, Gentoo, Mandriva, SuSE, and Ubuntu.




LinuxSecurity.com Feature Extras:

    RFID with Bio-Smart Card in Linux - In this paper, we describe the integration of a fingerprint template and an RF smart card for a clustered network, designed on the Linux platform and open source technology to obtain biometric security. The combination of smart card and biometrics is achieved in a two-step authentication, where smart card authentication is based on a Personal Identification Number (PIN) and the card holder is authenticated using the biometric template stored in the smart card, based on fingerprint verification. The fingerprint verification has to be executed on a central host server for security purposes. The protocol designed allows control of all parameters of the smart security controller, such as PIN options, reader delay, real-time clock, alarm option and cardholder access conditions.

    Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to the list address with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


Debian
Debian: New proftpd packages fix denial of service
7th, January, 2007

Updated package.

advisories/debian/debian-new-proftpd-packages-fix-denial-of-service-12671
Debian: New OpenOffice.org packages fix arbitrary code execution
8th, January, 2007

John Heasman from Next Generation Security Software discovered a heap overflow in the handling of Windows Metafiles in OpenOffice.org, the free office suite, which could lead to a denial of service and potentially execution of arbitrary code.

advisories/debian/debian-new-openofficeorg-packages-fix-arbitrary-code-execution-79391
Debian: New libapache-mod-auth-kerb packages fix remote denial of service
8th, January, 2007

An off-by-one error leading to a heap-based buffer overflow has been identified in libapache-mod-auth-kerb, an Apache module for Kerberos authentication. The error could allow an attacker to trigger an application crash or potentially execute arbitrary code by sending a specially crafted kerberos message.

advisories/debian/debian-new-libapache-mod-auth-kerb-packages-fix-remote-denial-of-service
Gentoo
Gentoo: Mozilla Firefox Multiple vulnerabilities
4th, January, 2007

Multiple vulnerabilities have been reported in Mozilla Firefox, some of which may allow the remote execution of arbitrary code.

Gentoo: Mozilla Thunderbird Multiple vulnerabilities
4th, January, 2007

Multiple vulnerabilities have been reported in Mozilla Thunderbird, some of which may allow the remote execution of arbitrary code.

Gentoo: SeaMonkey Multiple vulnerabilities
10th, January, 2007

Multiple vulnerabilities have been reported in the SeaMonkey project, some of which may allow the remote execution of arbitrary code.

Mandriva
Mandriva: Updated samba packages to provide minor bug fixes
4th, January, 2007

A number of minor issues were present in the samba packages shipped with Mandriva 2007.0. For users with filesystem quotas, samba would not indicate the remaining quota as the free disk space (as intended).

Mandriva: Updated kdeutils packages to fix issues with ark
4th, January, 2007

A bug in the kdeutils-ark package prevented the creation of a zip format archive using Konqueror, or from ark directly. Updated packages have been patched to correct this issue.

Mandriva: Updated postfix and cyrus-sasl packages are provided to fix minor bugs
5th, January, 2007

A functional update for postfix and cyrus-sasl is being provided. Postfix is receiving a major update from 2.2.x to the 2.3 branch.

Mandriva: Updated xorg-x11/XFree86 packages fix integer overflow vulnerabilities
9th, January, 2007

Local exploitation of a memory corruption vulnerability in the 'ProcRenderAddGlyphs()' function in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root. (CVE-2006-6101

Mandriva: Updated avahi packages fix DoS vulnerability
8th, January, 2007

The consume_labels function in avahi-core/dns.c in Avahi before 0.6.16 allows remote attackers to cause a denial of service (infinite loop) via a crafted compressed DNS response with a label that points to itself. Updated packages are patched to address this issue.

Mandriva: Updated geoip packages fix geoipupdate vulnerability
9th, January, 2007

Dean Gaudet discovered the geoipupdate utility fails to do sanity checking on the filename returned by "GET /app/update_getfilename?product_id=%s". Updated packages are patched to address this issue.

Mandriva: Updated mesa packages provided to fix issues with some i965G chipsets
9th, January, 2007

There was a problem with mesa, where OpenGL applications would crash for users having some i965G chipsets. Updated packages have been patched to correct this issue.

Mandriva: Updated OpenOffice.org packages fix WMF vulnerability
10th, January, 2007

Several integer overflows were discovered in the OpenOffice.org WMF file processor. An attacker could create a carefully crafted WMF file that would cause OpenOffice.org to execute arbitrary code when opened. Updated packages are patched to address this issue.

Mandriva: Updated nvidia driver packages fix vulnerability
10th, January, 2007

A vulnerability in the NVIDIA Xorg driver was discovered by Derek Abdine, who found that it did not correctly verify the size of buffers used to render text glyphs, resulting in a crash of the server when displaying very long strings of text. If a user was tricked into viewing a specially crafted series of glyphs, this flaw could be exploited to run arbitrary code with root privileges.

Mandriva: Updated kerberos packages fix vulnerability
10th, January, 2007

The RPC library in Kerberos 1.4.x and 1.5.x, as used in the kadmind administration daemon, calls an uninitialized function pointer in freed memory, which could allow a remote attacker to cause a Denial of Service and possibly execute arbitrary code via unspecified vectors. Updated packages are patched to address this issue.

Mandriva: Updated kdenetwork packages fix ksirc vulnerability
11th, January, 2007

KsIRC 1.3.12 allows remote attackers to cause a denial of service (crash) via a long PRIVMSG string when connecting to an Internet Relay Chat (IRC) server, which causes an assertion failure and results in a NULL pointer dereference. Updated packages are patched to address this issue.

Mandriva: Updated nmap packages to resolve issue using nmap as root
11th, January, 2007

The version of nmap shipped with Mandriva Linux 2007 was built against the system copies of the libpcap and libdnet libraries. However, nmap actually requires changes to be made to these libraries which have not yet been made to the upstream versions, and consequently should be compiled against its own built-in copies of these libraries. This problem causes nmap not to work as the root user: it would simply freeze up. The updated package fixes this problem. It also fixes the menu entry for the package.

Mandriva: Updated desktop-common-data packages add Writer menu item
11th, January, 2007

When using "Discovery" menus, there is no menu item for Writer in the Office category. Updated packages correct this issue.

Mandriva: Updated Firefox packages fix multiple vulnerabilities
11th, January, 2007

A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 1.5.0.9. This update provides the latest Firefox to correct these issues.

Mandriva: Updated lirc packages fixes issue with dkms-lirc and SMP kernels
11th, January, 2007

Dkms-lirc allows one to install LIRC drivers on non-Mandriva kernels. It contains a driver named lirc_parallel.ko which does not work on SMP-enabled kernels, preventing the driver installation on such kernels. The lirc_parallel.ko driver has been removed from the updated package and moved to a separate package named dkms-lirc-parallel.

SuSE
SuSE: OpenOffice_org WMF buffer overflows
4th, January, 2007

Security problems were fixed in the WMF and Enhanced WMF handling in OpenOffice_org. These could potentially be used to execute code or crash OpenOffice when a user could be convinced to open a specially crafted document (for instance a document sent by E-mail). This issue is tracked by the Mitre CVE ID CVE-2006-5870. openSUSE 10.2 is not affected by this problem; it already contains the fixed OpenOffice_org 2.1 version. Additionally, the OpenOffice_org 2.0 version in SLED 10 was fitted with hooks to add OfficeXML support with a later update. Due to the very large size of this update and mirror lag, it might take some hours or days until the updates are available on our mirrors.

SuSE: mono-web ASP.net sourcecode
4th, January, 2007

A security problem was found and fixed in the Mono / C# web server implementation. By appending spaces to URLs attackers could download the source code of ASP.net scripts that would normally get executed by the web server. This issue is tracked by the Mitre CVE ID CVE-2006-6104 and only affects SUSE Linux 10.1, openSUSE 10.2 and SUSE Linux Enterprise 10. Older products are not affected. The updated packages for this problem were released on December 29th 2006.

SuSE: Sun Java security update
9th, January, 2007

Updated package.

SuSE: krb5 security problems
10th, January, 2007

Updated package.

SuSE: w3m (SUSE-SA:2007:005)
10th, January, 2007

A format string problem in w3m -dump / -backend mode could be used by a malicious server to crash w3m or execute code. In SUSE Linux 10.1, openSUSE 10.2 and SUSE Linux Enterprise Server and Desktop 10, this problem was not exploitable to execute code due to the use of the FORTIFY_SOURCE extensions.

Ubuntu
Ubuntu: Firefox theme regression
4th, January, 2007

USN-398-1 fixed vulnerabilities in Firefox. Due to the updated version, a flaw was uncovered in the Firefox Themes bundle, which was erroneously reported to be incompatible with the updated Firefox. This update fixes the problem. We apologize for the inconvenience.

advisories/ubuntu/ubuntu-firefox-theme-regression
Ubuntu: D-Bus vulnerability
4th, January, 2007

Kimmo H