[ISN] Linux Advisory Watch - April 14th 2006

From: InfoSec News (isn@private)
Date: Sun Apr 16 2006 - 23:34:36 PDT


+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  April 14th, 2006                           Volume 7, Number 16n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@private    |
|                   Benjamin D. Thomas      ben@private     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for dia, sash, mailman, libimager,
libphp, moodle, cacti, sudo, zope, horde, xscreensaver, gnome,
alsa-utils, system-config-printer, xsane, cario, subversion, netpbm,
gnbd-kernel,shadow-utils, cman-kernel, ghostscript, checkpolicy,
libsemanage, selinux-policy, eclipse-changelog, gaim, squirrelmail,
ClamAV, mplayer, and openvpn.  The distributors include Debian,
Fedora, Gentoo, Mandriva, and SuSE.

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared
toward providing a open source platform that is highly secure by default
as well as easy to administer. EnGarde Secure Linux includes a select
group of open source packages configured to provide maximum security
for tasks such as serving dynamic websites, high availability mail
transport, network intrusion detection, and more. The Community
edition of EnGarde Secure Linux is completely free and open source,
and online security and application updates are also freely
available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

---

Developing A Security Policy

Create a simple, generic policy for your system that your users can
readily understand and follow. It should protect the data you're
safeguarding, as well as the privacy of the users. Some things to
consider adding are who has access to the system (Can my friend
use my account?), who's allowed to install software on the system,
who owns what data, disaster recovery, and appropriate use of
the system.

A generally accepted security policy starts with the phrase: "That
which is not expressly permitted is prohibited"

This means that unless you grant access to a service for a user,
that user shouldn't be using that service until you do grant access.
Make sure the policies work on your regular user account, Saying,
''Ah, I can't figure this permissions problem out, I'll just do it
as root'' can lead to security holes that are very obvious, and
even ones that haven't been exploited yet.

Additionally, there are several questions you will need to answer
to successfully develop a security policy:

    * What level of security do your users expect?
    * How much is there to protect, and what is it worth?
    * Can you afford the down-time of an intrusion?
    * Should there be different levels of security for
      different groups?
    * Do you trust your internal users?
    * Have you found the balance between acceptable risk
      and secure?

You should develop a plan on who to contact when there is a
security problem that needs attention.

There are quite a few documents available on developing a Site
Security Policy. You can start with the SANS Security Policy Project.

    http://www.sans.org/resources/policies/

Excerpt from the LinuxSecurity Administrator's Guide:

http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@private)

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.4 (Version 3.0, Release 4). This release
includes several bug fixes and feature enhancements to the Guardian
Digital WebTool and the SELinux policy, and several new packages
available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access
beyond that which is needed for proper system operations. A full
explanation of unix file permissions is beyond the scope of this
article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one
is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to
store more data in a temporary data storage area than it was
intended to hold. Since buffers are created to contain a finite
amount of data, the extra information can overflow into adjacent
buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New dia packages fix arbitrary code execution
  6th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122244


* Debian: New sash packages fix potential arbitrary code execution
  6th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122245


* Debian: New mailman packages fix denial of service
  6th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122246


* Debian: New libimager-perl packages fix denial of service
  7th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122274


* Debian: New libphp-adodb packages fix several vulnerabilities
  8th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122279


* Debian: New moodle packages fix several vulnerabilities
  8th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122280


* Debian: New cacti packages fix several vulnerabilities
  8th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122281


* Debian: New sudo packages fix privilege escalation
  8th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122282


* Debian: New zope-cmfplone packages fix unprivileged data
manipulation
  12th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122324


* Debian: New horde3 packages fix several vulnerabilities
  12th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122327


+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 5 Update: xscreensaver-4.24-2
  6th, April, 2006

Don't leak zombie processes with the GL SlideShow ScreenSaver

http://www.linuxsecurity.com/content/view/122254


* Fedora Core 5 Update: GConf2-2.14.0-1
  6th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122255


* Fedora Core 5 Update: liboil-0.3.8-1.fc5
  6th, April, 2006

This update rebases liboil to 0.3.8 to help resolve issues required
by packages in Fedora Extras.

http://www.linuxsecurity.com/content/view/122256


* Fedora Core 5 Update: gnome-screensaver-2.14.0-1.fc5
  6th, April, 2006

This update corrects a problem where kerberos credentials weren't
being properly refreshed when a user successfully authenticates in
the unlock dialog.

http://www.linuxsecurity.com/content/view/122257


* Fedora Core 5 Update: alsa-utils-1.0.11-4.rc2
  6th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122258


* Fedora Core 5 Update: system-config-printer-0.6.151.2-1
  6th, April, 2006

With no configured printers, it was not possible to disable automatic
browsing for shared printers.

http://www.linuxsecurity.com/content/view/122259


* Fedora Core 5 Update: gnome-screensaver-2.14.0-1.fc5.1
  6th, April, 2006

This update fixes problems detecting idle activity.

http://www.linuxsecurity.com/content/view/122260


* Fedora Core 5 Update: xsane-0.99-2.2.fc5.4
  7th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122269


* Fedora Core 5 Update: cairo-1.0.4-1
  7th, April, 2006

An updated version of the cairo package fixes several bugs, among
them a bug which could lead to Pango crashes with corrupt fonts.

http://www.linuxsecurity.com/content/view/122270


* Fedora Core 4 Update: sane-backends-1.0.17-0.fc4.2
  7th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122271


* Fedora Core 5 Update: subversion-1.3.1-2.1
  7th, April, 2006

This update includes the latest upstream release of Subversion,
version 1.3.1.	This release includes a number of minor bug fixes and
improvements.

http://www.linuxsecurity.com/content/view/122272


* Fedora Core 5 Update: netpbm-10.33-0.fc5
  7th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122273


* Fedora Core 5 Update: gnbd-kernel-2.6.15-5.FC5.25
  8th, April, 2006

Packages update to the latest kernel (2.6.16-1.2080_FC5) and now
include xen packages for x86_64.

http://www.linuxsecurity.com/content/view/122283


* Fedora Core 4 Update: netpbm-10.33-0.FC4
  8th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122284


* Fedora Core 5 Update: shadow-utils-4.0.14-6.FC5
  8th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122285


* Fedora Core 5 Update: cman-kernel-2.6.15.1-0.FC5.18
  8th, April, 2006

Packages update to the latest kernel (2.6.16-1.2080_FC5) and now
include xen packages for x86_64.

http://www.linuxsecurity.com/content/view/122286


* Fedora Core 5 Update: dlm-kernel-2.6.15.1-0.FC5.16
  8th, April, 2006

Packages update to the latest kernel (2.6.16-1.2080_FC5) and now
include xen packages for x86_64.


http://www.linuxsecurity.com/content/view/122287


* Fedora Core 5 Update: GFS-kernel-2.6.15.1-5.FC5.19
  8th, April, 2006

Packages update to the latest kernel (2.6.16-1.2080_FC5) and now
include xen packages for x86_64.


http://www.linuxsecurity.com/content/view/122288


* Fedora Core 5 Update: ghostscript-8.15.1-7.2
  10th, April, 2006

A problem with converting PS and EPS files into PDF has been fixed.
Also, Japanese fonts have been added to the default font path.

http://www.linuxsecurity.com/content/view/122300


* Fedora Core 5 Update: checkpolicy-1.30.3-1.fc5
  11th, April, 2006

Update SELinux policy to current rawhide to fix many policy problems

http://www.linuxsecurity.com/content/view/122309


* Fedora Core 5 Update: libsemanage-1.6.2-2.fc5
  11th, April, 2006

Update SELinux policy to current rawhide to fix many policy problems

http://www.linuxsecurity.com/content/view/122310


* Fedora Core 5 Update: libsepol-1.12.4-1.fc5
  11th, April, 2006

Update SELinux policy to current rawhide to fix many policy problems


http://www.linuxsecurity.com/content/view/122311


* Fedora Core 5 Update: selinux-policy-2.2.29-3.fc5
  11th, April, 2006

Update SELinux policy to current rawhide to fix many policy problems


http://www.linuxsecurity.com/content/view/122312


* Fedora Core 5 Update: eclipse-changelog-2.0.2_fc-1
  11th, April, 2006

This is a bug-fix update for the Eclipse ChangeLog plugin.  It
includes fixes to the formatting of multiple ChangeLog entries by the
same person.

http://www.linuxsecurity.com/content/view/122314


* Fedora Core 4 Update: gaim-1.5.0-16.fc4
  11th, April, 2006

This update fixes Bug #185222 where gaim would crash when you use the
buddy blocking feature with the MSN protocol.  It also contains a
minor logging fix.

http://www.linuxsecurity.com/content/view/122315


* Fedora Core 5 Update: gaim-1.5.0-16.fc5
  11th, April, 2006

This update fixes Bug #185222 where gaim would crash when you use the
buddy blocking feature with the MSN protocol.

http://www.linuxsecurity.com/content/view/122316


* Fedora Core 4 Update: squirrelmail-1.4.6-5.fc4
  12th, April, 2006

This update fixes revert Squirrelmail encoding behavior for Chinese
and Korean languages, in addition to the Japanese fix of the previous
update.

http://www.linuxsecurity.com/content/view/122325


* Fedora Core 5 Update: squirrelmail-1.4.6-5.fc5
  12th, April, 2006

This update fixes revert Squirrelmail encoding behavior for Chinese
and Korean languages, in addition to the Japanese fix of the previous
update.

http://www.linuxsecurity.com/content/view/122326


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: ClamAV Multiple vulnerabilities
  7th, April, 2006

ClamAV contains multiple vulnerabilities that could lead to remote
execution of arbitrary code or cause an application crash.

http://www.linuxsecurity.com/content/view/122275



+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated clamav packages fix vulnerabilities
  7th, April, 2006

Damian Put discovered an integer overflow in the PE header parser in
ClamAV that could be exploited if the ArchiveMaxFileSize option was
disabled (CVE-2006-1614).

http://www.linuxsecurity.com/content/view/122276


* Mandriva: Updated mplayer packages fix integer overflow
vulnerabilities
  7th, April, 2006

Multiple integer overflows in MPlayer 1.0pre7try2 allow remote
attackers to cause a denial of service and trigger heap-based buffer
overflows via (1) a certain ASF file handled by asfheader.c that
causes the asf_descrambling function to be passed a negative integer
after the conversion from a char to an int or (2) an AVI file with a
crafted wLongsPerEntry or nEntriesInUse value in the indx chunk,
which is handled in aviheader.c.

http://www.linuxsecurity.com/content/view/122277


* Mandriva: Updated openvpn packages fix vulnerability
  10th, April, 2006

A vulnerability in OpenVPN 2.0 through 2.0.5 allows a malicious
server to execute arbitrary code on the client by using setenv with
the LD_PRELOAD environment variable. Updated packages have been
patched to correct this issue by removing setenv support.

http://www.linuxsecurity.com/content/view/122302


* Mandriva: Updated openvpn packages fix vulnerability
  10th, April, 2006

Tavis Ormandy of the Gentoo Security Project discovered a
vulnerability in zlib where a certain data stream would cause zlib to
corrupt a data structure, resulting in the linked application to dump
core (CVE-2005-2096).

http://www.linuxsecurity.com/content/view/122303


* Mandriva: Updated xscreensaver packages fix clear-text password
vulnerability
  11th, April, 2006

Rdesktop, with xscreensaver < 4.18, does not release the keyboard
focus when xscreensaver starts, which causes the password to be
entered into the active window when the user unlocks the screen.
Updated xscreensaver packages have been patched to correct this
issue.

http://www.linuxsecurity.com/content/view/122313


+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: clamav various problems
  11th, April, 2006

Updated package.

http://www.linuxsecurity.com/content/view/122308
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------



_________________________________
LayerOne 2006 : Pasadena Hilton : Pasadena, CA
Infomation Security and Technology Conference
http://layerone.info



This archive was generated by hypermail 2.1.3 : Sun Apr 16 2006 - 23:55:54 PDT