
Linux Advisory Watch - April 5th 2007

+---------------------------------------------------------------------+
|  LinuxSecurity.com                               Weekly Newsletter  |
|  April 5th 2007                                Volume 8, Number 14a |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@linuxsecurity.com          ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for file, zope, krb, XMMS, Ekiga,
Squid, CUPS, Asterisk, Kerberos, OpenAFS, OpenPBS, zziplib, kdelibs,
openoffice, qt3, qt4, XFree86, xorg-x11, libXfont, mysql, ktorrent,
and gpg.  The distributors include Debian, Gentoo, Mandriva,
Red Hat, Slackware, SuSE, and Ubuntu.

---

* EnGarde Secure Linux v3.0.13 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.13 (Version 3.0, Release 13). This release includes
several bug fixes and feature enhancements to the SELinux policy
and several updated packages.

http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.13 

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home
life.

http://www.msia.norwich.edu/linsec/ 

---

RFID with Bio-Smart Card in Linux

In this paper, we describe the integration of a fingerprint template
and an RF smart card for a clustered network, designed on the Linux
platform with open source technology to obtain biometric security.
The combination of smart card and biometrics achieves two-step
authentication, where smart card authentication is based on a
Personal Identification Number (PIN) and the card holder is
authenticated using the biometric template stored in the smart
card, based on fingerprint verification. The fingerprint
verification has to be executed on the central host server for
security purposes. The protocol designed allows control of all
parameters of the smart security controller, such as PIN options,
reader delay, real-time clock, alarm option and cardholder access
conditions.

http://www.linuxsecurity.com/content/view/125052/171/ 

---

Packet Sniffing Overview

The best way to secure yourself against sniffing is to use encryption.
While this won't stop a sniffer from capturing your traffic, it ensures
that what the sniffer captures is ciphertext it cannot read.

http://www.linuxsecurity.com/content/view/123570/49/ 

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf 


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+


* Debian: New file packages fix arbitrary code execution
  2nd, April, 2007

Updated package.

http://www.linuxsecurity.com/content/view/127643 


* Debian: New zope2.7 packages fix cross-site scripting flaw
  2nd, April, 2007

Updated package.

http://www.linuxsecurity.com/content/view/127653 


* Debian: New krb5 packages fix several vulnerabilities
  3rd, April, 2007

Updated package.

http://www.linuxsecurity.com/content/view/127671 


* Debian: New XMMS packages fix arbitrary code execution
  4th, April, 2007

Multiple errors have been found in the skin handling routines in xmms, 
the X Multimedia System.  These vulnerabilities could allow an attacker 
to run arbitrary code as the user running xmms by inducing the victim to 
load specially crafted interface skin files.


http://www.linuxsecurity.com/content/view/127695 


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+


* Gentoo: Ekiga Format string vulnerability
  29th, March, 2007

A format string vulnerability in Ekiga may allow the remote execution
of arbitrary code.

http://www.linuxsecurity.com/content/view/127613 


* Gentoo: file Integer underflow
  30th, March, 2007

A buffer underflow vulnerability has been reported in file allowing
for the user-assisted execution of arbitrary code.

http://www.linuxsecurity.com/content/view/127634 


* Gentoo: Squid Denial of Service
  31st, March, 2007

Squid is affected by a Denial of Service vulnerability.

http://www.linuxsecurity.com/content/view/127638 


* Gentoo: CUPS Denial of Service
  31st, March, 2007

CUPS incorrectly handles partially-negotiated SSL connections
allowing for a Denial of Service.

http://www.linuxsecurity.com/content/view/127639 


* Gentoo: Asterisk Two SIP Denial of Service vulnerabilities
  2nd, April, 2007

Asterisk is vulnerable to two Denial of Service issues in the SIP
channel.

http://www.linuxsecurity.com/content/view/127651 


* Gentoo: MIT Kerberos 5 Arbitrary remote code execution
  3rd, April, 2007

Multiple vulnerabilities in MIT Kerberos 5 could potentially result
in unauthenticated remote root code execution.

http://www.linuxsecurity.com/content/view/127670 


* Gentoo: OpenAFS Privilege escalation
  3rd, April, 2007

OpenAFS is subject to a design flaw that could allow privilege
escalation on the client.

http://www.linuxsecurity.com/content/view/127672 


* Gentoo: OpenPBS Multiple vulnerabilities
  3rd, April, 2007

OpenPBS contains unspecified vulnerabilities which may allow for the
remote execution of arbitrary code or a Denial of Service.

http://www.linuxsecurity.com/content/view/127673 


* Gentoo: zziplib Buffer Overflow
  3rd, April, 2007

The zziplib library contains a buffer overflow vulnerability that
could lead to user-assisted remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/127674 


+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+


* Mandriva: Updated xmms packages to address integer vulnerabilities
  29th, March, 2007

Integer overflow in X MultiMedia System (xmms) 1.2.10, and possibly
other versions, allows user-assisted remote attackers to execute
arbitrary code via crafted header information in a skin bitmap image,
which triggers memory corruption. (CVE-2007-0653)
Integer underflow in X MultiMedia System (xmms) 1.2.10 allows
user-assisted remote attackers to execute arbitrary code via crafted
header information in a skin bitmap image, which results in a
stack-based buffer overflow. (CVE-2007-0654) Updated packages have
been patched to correct these issues.

http://www.linuxsecurity.com/content/view/127612 
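
The Debian and Mandriva XMMS advisories above both come down to the same
thing: size fields copied out of a skin bitmap header and used in 32-bit
arithmetic without bounds checks, so a crafted header makes the computed
palette or row size wrap and the buffer allocated from it no longer matches
the copy that follows. What follows is an added example written for this
newsletter; it is not XMMS code and not either distributor's patch. It is a
minimal loader for the standard 54-byte BMP header (14-byte file header plus
40-byte BITMAPINFOHEADER) that shows the unchecked computations beside a
hardened version. The 32768-pixel dimension limit, the function names and
the sample headers are assumptions made for the illustration.

```c
/* Added example (not XMMS code): skin bitmap header checks. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BMP_HDR_LEN 54       /* 14-byte file header + 40-byte BITMAPINFOHEADER */
#define MAX_DIM     32768    /* assumed sanity bound on width/height for a skin */

typedef struct {
    uint32_t file_size, data_offset, dib_size;
    int32_t  width, height;
    uint16_t bpp;
} bmp_hdr;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Read the fields a loader needs from the first 54 bytes (little-endian). */
int parse_bmp_header(const uint8_t *buf, size_t len, bmp_hdr *h) {
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return -1;
    h->file_size   = rd32(buf + 2);
    h->data_offset = rd32(buf + 10);
    h->dib_size    = rd32(buf + 14);
    h->width       = (int32_t)rd32(buf + 18);
    h->height      = (int32_t)rd32(buf + 22);
    h->bpp         = rd16(buf + 28);
    return 0;
}

/* The unchecked arithmetic. The palette size underflows when data_offset is
 * smaller than the headers it must follow; the row size wraps when
 * width * bpp exceeds 32 bits. Either way the buffer sized from the result
 * does not match the copy that follows. */
uint32_t unsafe_palette_bytes(uint32_t data_offset, uint32_t dib_size) {
    return data_offset - 14 - dib_size;
}
uint32_t unsafe_row_bytes(int32_t width, uint16_t bpp) {
    return (uint32_t)width * bpp / 8;
}

/* Hardened layout: validate and bound every field first, compute sizes in
 * 64 bits, and check them against the bytes actually present in the file. */
int safe_image_layout(const bmp_hdr *h, size_t file_len,
                      size_t *palette_bytes, size_t *pixel_bytes) {
    if (h->dib_size < 40) return -1;
    if ((uint64_t)h->data_offset < 14 + (uint64_t)h->dib_size) return -1; /* no underflow */
    if (h->data_offset > file_len) return -1;
    if (h->width <= 0 || h->width > MAX_DIM) return -1;
    if (h->height == 0 || h->height > MAX_DIM || h->height < -MAX_DIM) return -1;
    switch (h->bpp) { case 1: case 4: case 8: case 24: case 32: break; default: return -1; }
    uint64_t row    = ((uint64_t)h->width * h->bpp + 31) / 32 * 4;   /* rows are 4-byte aligned */
    uint64_t rows   = (uint64_t)(h->height < 0 ? -(int64_t)h->height : (int64_t)h->height);
    uint64_t pixels = row * rows;
    if (pixels > (uint64_t)file_len - h->data_offset) return -1;
    *palette_bytes = h->data_offset - 14 - h->dib_size;
    *pixel_bytes   = (size_t)pixels;
    return 0;
}

/* Constructed 54-byte header (sample input for the example, not a real skin). */
void make_header(uint8_t out[BMP_HDR_LEN], uint32_t file_size, uint32_t data_offset,
                 uint32_t dib_size, int32_t width, int32_t height, uint16_t bpp) {
    memset(out, 0, BMP_HDR_LEN);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, file_size);
    wr32(out + 10, data_offset);
    wr32(out + 14, dib_size);
    wr32(out + 18, (uint32_t)width);
    wr32(out + 22, (uint32_t)height);
    wr16(out + 26, 1);          /* planes */
    wr16(out + 28, bpp);
}

/* Build, parse and validate a header; returns the pixel-data size the loader
 * may allocate, or -1 when the hardened checks reject it. */
long long checked_pixel_bytes(uint32_t file_len, uint32_t data_offset, uint32_t dib_size,
                              int32_t width, int32_t height, uint16_t bpp) {
    uint8_t buf[BMP_HDR_LEN];
    bmp_hdr h;
    size_t pal, pix;
    make_header(buf, file_len, data_offset, dib_size, width, height, bpp);
    if (parse_bmp_header(buf, sizeof buf, &h) != 0) return -1;
    if (safe_image_layout(&h, file_len, &pal, &pix) != 0) return -1;
    return (long long)pix;
}

int main(void) {
    printf("2x2 24bpp: %lld pixel bytes\n", checked_pixel_bytes(70, 54, 40, 2, 2, 24));
    printf("data_offset=20: unchecked palette %u bytes, checked %lld\n",
           unsafe_palette_bytes(20, 40), checked_pixel_bytes(70, 20, 40, 2, 2, 24));
    printf("width=2^30, 32bpp: unchecked row %u bytes, checked %lld\n",
           unsafe_row_bytes(0x40000000, 32), checked_pixel_bytes(70, 54, 40, 0x40000000, 1, 32));
    return 0;
}
```

The two crafted headers in main() are the two shapes the advisories name:
a data_offset smaller than the headers it should follow makes the unchecked
palette size wrap to about 4 GiB (the underflow), and a width of 2^30 at 32
bits per pixel makes the unchecked row size wrap to zero (the overflow), so
a loader would allocate nothing and then copy a full row into it. The
hardened path rejects both before any size is computed, and also refuses a
header whose declared pixel data does not fit in the file.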


* Mandriva: Updated kdelibs packages to address FTP PASV issue in konqueror
  29th, March, 2007

The FTP protocol implementation in Konqueror 3.5.5 allows remote
servers to force the client to connect to other servers, perform a
proxied port scan, or obtain sensitive information by specifying an
alternate server address in a FTP PASV command. Updated packages have
been patched to address this issue.

http://www.linuxsecurity.com/content/view/127614 
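
The Konqueror issue above is the classic FTP PASV redirect: the server
answers PASV with whatever address it likes, and a client that trusts the
reply opens its data connection there, letting the server use the client to
reach internal hosts or probe ports. Below is an added example of how a
client should treat that reply; it is not KDE code. The reply is parsed
strictly, and the data connection is refused whenever the advertised host is
not the peer of the control connection. The reply strings and peer
addresses are constructed for the example.

```c
/* Added example (not KDE/Konqueror code): validating an FTP PASV reply. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." into host and port.
 * Returns  0 when the data connection may be opened,
 *         -1 when the reply is malformed,
 *         -2 when the advertised host is not the control-connection peer
 *            (a redirect to another machine: refuse, do not connect). */
int pasv_target(const char *reply, const char *control_peer,
                char *host, size_t host_len, int *port) {
    unsigned v[6];
    const char *p;
    if (strncmp(reply, "227", 3) != 0) return -1;
    p = strchr(reply, '(');
    if (p == NULL) return -1;
    if (sscanf(p, "(%u,%u,%u,%u,%u,%u)", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255) return -1;                /* each field is one octet */
    snprintf(host, host_len, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    *port = (int)(v[4] * 256 + v[5]);
    if (strcmp(host, control_peer) != 0) return -2;   /* the fix: ignore the redirect */
    return 0;
}

/* Convenience wrapper: the port to connect to, or the negative error code. */
int pasv_decision(const char *reply, const char *control_peer) {
    char host[16];                                /* "255.255.255.255" + NUL */
    int port, rc = pasv_target(reply, control_peer, host, sizeof host, &port);
    return rc == 0 ? port : rc;
}

int main(void) {
    /* constructed replies; 10.0.0.5 plays the server we actually dialled */
    const char *ok  = "227 Entering Passive Mode (10,0,0,5,19,137).";
    const char *bad = "227 Entering Passive Mode (192,168,1,20,0,22).";
    printf("%s -> %d\n", ok,  pasv_decision(ok,  "10.0.0.5"));   /* 5001: connect */
    printf("%s -> %d\n", bad, pasv_decision(bad, "10.0.0.5"));   /* -2: redirect refused */
    return 0;
}
```

A client with the flaw described above would take host and port straight
from the reply and connect; the second reply would then have it open a
connection to 192.168.1.20 port 22 on the server's behalf. Comparing the
advertised host against the control-connection peer is the whole of the fix;
the octet range check just keeps a malformed reply from producing a
nonsensical address.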


* Mandriva: Updated openoffice.org packages to address vulnerabilities
  29th, March, 2007

Stack-based buffer overflow in the StarCalc parser in OpenOffice.org
(OOo) Office Suite allows user-assisted remote attackers to execute
arbitrary code via a crafted document. (CVE-2007-0238) OpenOffice.org
(OOo) Office Suite allows user-assisted remote attackers to execute
arbitrary commands via shell metacharacters in a prepared
link in a crafted document. (CVE-2007-0239) Updated packages have
been patched to correct these issues.

http://www.linuxsecurity.com/content/view/127615 


* Mandriva: Updated qt3 packages to address utf8 decoder bug
  3rd, April, 2007

Andreas Nolden discovered a bug in qt3, where the UTF8 decoder does not
reject overlong sequences, which can cause "/../" injection or (in
the case of konqueror) a "
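
The qt3 entry above describes a decoder that accepts overlong UTF-8
sequences: a code point encoded in more bytes than it needs, so that the two
bytes 0xC0 0xAF decode to '/' although the only valid encoding of '/' is the
single byte 0x2F. Any filter that looks for "/../" in the raw bytes before
decoding is bypassed that way. The following added example, which is not
qt3's decoder, shows a strict decoder beside the lenient behaviour and a
traversal check run on the decoded characters. The function names and the
sample inputs are assumptions for the illustration.

```c
/* Added example (not qt3's decoder): strict UTF-8 decoding vs. accepting
 * overlong sequences. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode one sequence. Returns bytes consumed, or 0 if it is malformed.
 * With reject_overlong set (the fix), a code point encoded in more bytes
 * than it needs is refused; without it, 0xC0 0xAF decodes to '/'. */
size_t utf8_decode(const uint8_t *s, size_t n, uint32_t *cp, int reject_overlong) {
    size_t len; uint32_t min;
    if (n == 0) return 0;
    uint8_t b = s[0];
    if (b < 0x80) { *cp = b; return 1; }
    else if ((b & 0xE0) == 0xC0) { len = 2; *cp = b & 0x1F; min = 0x80; }
    else if ((b & 0xF0) == 0xE0) { len = 3; *cp = b & 0x0F; min = 0x800; }
    else if ((b & 0xF8) == 0xF0) { len = 4; *cp = b & 0x07; min = 0x10000; }
    else return 0;                                  /* stray continuation or 0xF8+ lead */
    if (n < len) return 0;
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (reject_overlong && *cp < min) return 0;     /* a shorter encoding exists */
    if (*cp >= 0xD800 && *cp <= 0xDFFF) return 0;   /* UTF-16 surrogates */
    if (*cp > 0x10FFFF) return 0;
    return len;
}

/* First code point of a NUL-terminated byte string, or -1 if rejected. */
long decode_first(const char *bytes, int reject_overlong) {
    uint32_t cp;
    size_t k = utf8_decode((const uint8_t *)bytes, strlen(bytes), &cp, reject_overlong);
    return k ? (long)cp : -1;
}

/* Decode a whole path and look for "/../" in the decoded characters.
 * Returns 1 if found, 0 if not, -1 if the decoder rejected the input. */
int traversal_check(const char *path, int reject_overlong) {
    const uint8_t *s = (const uint8_t *)path;
    size_t n = strlen(path), i = 0;
    uint32_t win[4] = {0, 0, 0, 0};
    while (i < n) {
        uint32_t cp;
        size_t k = utf8_decode(s + i, n - i, &cp, reject_overlong);
        if (k == 0) return -1;
        win[0] = win[1]; win[1] = win[2]; win[2] = win[3]; win[3] = cp;
        if (win[0] == '/' && win[1] == '.' && win[2] == '.' && win[3] == '/') return 1;
        i += k;
    }
    return 0;
}

int main(void) {
    /* constructed input: overlong '/' (C0 AF) on either side of ".." */
    const char *evil = "\xC0\xAF..\xC0\xAF";
    printf("raw bytes contain \"/../\": %s\n", strstr(evil, "/../") ? "yes" : "no");  /* no */
    printf("lenient decode sees traversal: %d\n", traversal_check(evil, 0));          /* 1 */
    printf("strict decode result: %d\n", traversal_check(evil, 1));                   /* -1 */
    return 0;
}
```

The point of the three lines in main() is the order of operations: a byte
level search for "/../" finds nothing in the constructed input, the lenient
decoder then turns it into exactly that string, and only the strict decoder,
which refuses any sequence whose value is below the minimum for its length,
closes the gap. The same check also stops three- and four-byte overlong
forms such as 0xE0 0x80 0xAF, which encode '/' just as wrongly.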

