[ISN] Linux Advisory Watch - August 18th 2006

From: InfoSec News (alerts@private)
Date: Sun Aug 20 2006 - 23:45:50 PDT

|  LinuxSecurity.com                               Weekly Newsletter  |
|  August 18th 2006                             Volume 7, Number 34a  |

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@private          ben@private

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for ncompress, shadow, heartbeat,
kerberos, warzone, libwmf, wordpress, gnupg, firefox, elfutils, ntp,
kdebase, perl, httpd, and wireshark.  The distributors include
Debian, Gentoo, Mandriva, Red Hat, and SuSE.


Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home



Build a Case for Security

Establishing a business case is perhaps the first phase in any
project initiation. Organizations that are successful maintain full
justification for all business expenditure. An information security
project is no different. An effective information security program
requires visible support from executive management. To gain support,
a persuasive business case is often necessary. An information
security program will have numerous tangible and intangible benefits
to any organization. It is the role of a business case to document

To build a persuasive case for information security, it is important
for practitioners "to become more managerial in outlook, speech, and
perspectives." (Information Security Management Handbook, 4th Edition,
Volume 2.) Stressing only the technical benefits of information
security is no longer sufficient, given the size and cost of today's
information security programs. When making a case for information
security, emphasis should be placed on how proactive security
mechanisms help ensure that senior management will not be held liable
for negligence. As IT has become more prominent in organizations, so
have compliance and regulatory requirements. Today, senior management
personnel are expected to demonstrate due care and due diligence in
relation to information security. Consequently, information security
must become an essential aspect of management.

Addressing the overall benefits of information security is important
as well. A business case should stress how information security can
become a business enabler. It can be a company differentiator by
offering increased levels of customer satisfaction and contributing
overall to total quality management. Information security also
provides a means to guard against unauthorized behavior: trusting
that internal employees will "do the right thing" is often not
enough. Information security related business cases should be
written in a way that emphasizes all benefits of information security.


* EnGarde Secure Community 3.0.8 Released
  1st, August, 2006

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.8 (Version 3.0, Release 8).  This release includes
several bug fixes and feature enhancements to the Guardian Digital
WebTool, several updated packages, and several new packages available
for installation.



Packet Sniffing Overview

The best way to secure yourself against sniffing is to use encryption.
While this won't prevent a sniffer from capturing traffic, it ensures
that what the sniffer reads is ciphertext that is useless without the
key. Note that encryption protects payloads, not metadata: source and
destination addresses, ports, packet sizes and timing remain visible.



Review: How To Break Web Software

With a tool as widely used, by so many different kinds of people, as
the World Wide Web, it is necessary for everyone to understand as many
aspects of its functionality as possible. From web designers to web
developers to web users, this is a must read. Security is a job for
everyone, and How To Break Web Software by Mike Andrews and James A.
Whittaker is written for everyone to understand.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Debian           | ----------------------------//

* Debian: New ncompress packages fix potential code execution
  10th, August, 2006

Tavis Ormandy from the Google Security Team discovered a missing
boundary check in ncompress, the original Lempel-Ziv compress and
uncompress programs, which allows a specially crafted data stream to
underflow a buffer with attacker-controlled data.


* Debian: New shadow packages fix privilege escalation
  12th, August, 2006

Updated package.


* Debian: New heartbeat packages fix denial of service
  15th, August, 2006

Updated package.


|  Distribution: Gentoo           | ----------------------------//

* Gentoo: MIT Kerberos 5 Multiple local privilege escalation
  10th, August, 2006

Some applications shipped with MIT Kerberos 5 are vulnerable to local
privilege escalation.


* Gentoo: Warzone 2100 Resurrection Multiple buffer overflows
  10th, August, 2006

Warzone 2100 Resurrection server and client are vulnerable to
separate buffer overflows, potentially allowing remote code


* Gentoo: libwmf Buffer overflow vulnerability
  10th, August, 2006

libwmf is vulnerable to an integer overflow potentially resulting in
the execution of arbitrary code.


* Gentoo: Net::Server Format string vulnerability
  10th, August, 2006

A format string vulnerability has been reported in Net::Server which
can be exploited to cause a Denial of Service.


* Gentoo: WordPress Privilege escalation
  10th, August, 2006

A flaw in WordPress allows registered WordPress users to elevate


|  Distribution: Mandriva         | ----------------------------//

* Mandriva: Updated gnupg packages fix vulnerability
  14th, August, 2006

An integer overflow vulnerability was discovered in gnupg where an
attacker could create a carefully-crafted message packet with a large
length that could cause gnupg to crash or possibly overwrite memory
when opened. Updated packages have been patched to correct this
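
The bug class described above, a declared packet length that wraps the
bounds check, illustrated with an added C example. This is not gnupg's
code and it does not use the OpenPGP packet format: the layout (a tag
byte followed by a 4-byte big-endian body length, `HDR_LEN`) is
constructed for the illustration, and `packet_ok_vulnerable`,
`packet_ok_fixed` and `write_header` are hypothetical helper names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed packet layout for this illustration (not OpenPGP's actual
 * packet format): 1-byte tag, 4-byte big-endian body length, then body. */
#define HDR_LEN 5u

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Writes a header into buf[0..HDR_LEN) that claims a body of 'body_len'. */
void write_header(unsigned char *buf, uint32_t body_len)
{
    buf[0] = 0x01;                 /* arbitrary tag value */
    buf[1] = (unsigned char)(body_len >> 24);
    buf[2] = (unsigned char)(body_len >> 16);
    buf[3] = (unsigned char)(body_len >> 8);
    buf[4] = (unsigned char)(body_len);
}

/* Vulnerable length check.  'len + HDR_LEN' is evaluated in 32-bit
 * unsigned arithmetic and wraps around for len >= 0xFFFFFFFB, so a packet
 * that claims an enormous body passes the bound test.  A parser that then
 * allocates or copies 'len' bytes reads far past the end of the buffer.
 * Returns 1 if the packet is accepted, 0 if rejected. */
int packet_ok_vulnerable(const unsigned char *buf, uint32_t avail)
{
    if (avail < HDR_LEN) return 0;
    uint32_t len = read_be32(buf + 1);
    if (len + HDR_LEN > avail)     /* can wrap: attacker controls len */
        return 0;
    return 1;
}

/* Hardened check: subtract the small, trusted header size from the
 * trusted 'avail' instead of adding to the attacker-controlled length,
 * so the comparison cannot overflow. */
int packet_ok_fixed(const unsigned char *buf, uint32_t avail)
{
    if (avail < HDR_LEN) return 0;
    uint32_t len = read_be32(buf + 1);
    if (len > avail - HDR_LEN)
        return 0;
    return 1;
}

int main(void)
{
    unsigned char pkt[16];
    memset(pkt, 0, sizeof pkt);

    write_header(pkt, 3);          /* honest packet: 3-byte body in 8 bytes */
    printf("honest    vulnerable=%d fixed=%d\n",
           packet_ok_vulnerable(pkt, 8), packet_ok_fixed(pkt, 8));

    write_header(pkt, 0xFFFFFFFEu); /* crafted: 0xFFFFFFFE + 5 wraps to 3 */
    printf("crafted   vulnerable=%d fixed=%d\n",
           packet_ok_vulnerable(pkt, 8), packet_ok_fixed(pkt, 8));
    return 0;
}
```

The general rule the hardened version follows: never add attacker
supplied values to anything before comparing; compare the untrusted
value against what remains of a trusted quantity.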


* Mandriva: Updated heartbeat packages fix vulnerability
  14th, August, 2006

Two vulnerabilities in heartbeat prior to 2.0.6 were discovered by Yan
Rong Ge.  The first is that heartbeat would set insecure permissions
in a shmget call for shared memory, allowing a local attacker to
cause an unspecified denial of service via unknown vectors
(CVE-2006-3815). The second is a remote vulnerability that could
allow the master control process to read invalid memory due to a
specially crafted heartbeat message and die of a SEGV, all prior to
any authentication.
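
The shmget permission problem behind CVE-2006-3815, illustrated with an
added C example that is not heartbeat's code. `create_segment_insecure`
and `create_segment_hardened` are hypothetical helpers that create a
private System V segment with mode 0666 and 0600 respectively and
return the permission bits the kernel actually recorded for it.

```c
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>
#include <stdio.h>

/* Creates a private System V shared-memory segment with 'mode' in its
 * permission bits, reads back the bits the kernel recorded, removes the
 * segment again and returns those bits (-1 on failure). */
static int segment_mode_bits(int mode)
{
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | mode);
    if (id < 0) return -1;
    struct shmid_ds ds;
    int bits = (shmctl(id, IPC_STAT, &ds) == 0)
                   ? (int)(ds.shm_perm.mode & 0777) : -1;
    shmctl(id, IPC_RMID, NULL);
    return bits;
}

/* Weak pattern: 0666 makes the segment readable and writable by every
 * local uid, so any process on the host can attach it and corrupt the
 * daemon's state.  Unlike open(2), shmget(2) does not apply the process
 * umask, so the permissive mode is stored exactly as given; a restrictive
 * umask is set here first to show that it does not help. */
int create_segment_insecure(void)
{
    mode_t old = umask(077);
    int bits = segment_mode_bits(0666);
    umask(old);
    return bits;
}

/* Hardened pattern: 0600 limits attach, read and write to the owning uid. */
int create_segment_hardened(void)
{
    return segment_mode_bits(0600);
}

int main(void)
{
    printf("insecure segment mode: %04o\n", create_segment_insecure());
    printf("hardened segment mode: %04o\n", create_segment_hardened());
    return 0;
}
```

To audit a running system for this pattern, list live segments with
`ipcs -m` and look at the perms column for 0666 entries owned by a
daemon.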


* Mandriva: Updated Firefox packages fix multiple vulnerabilities
  16th, August, 2006

A number of security vulnerabilities have been discovered and
corrected in the latest Mozilla Firefox program.


|  Distribution: Red Hat          | ----------------------------//

* RedHat: Low: elfutils security update
  10th, August, 2006

Updated elfutils packages that address a minor security issue and
various other issues are now available. This update has been rated as
having low security impact by the Red Hat Security Response Team.


* RedHat: Low: ntp security update
  10th, August, 2006

Updated ntp packages that fix several bugs are now available. This
update has been rated as having low security impact by the Red Hat
Security Response Team.


* RedHat: Updated kernel packages available for Red Hat
  10th, August, 2006

Updated kernel packages are now available as part of ongoing support
and maintenance of Red Hat Enterprise Linux version 4.


* RedHat: Low: kdebase security fix
  10th, August, 2006

Updated kdebase packages that resolve several bugs are now available.
This update has been rated as having low security impact by the Red
Hat Security Response Team.


* RedHat: Important: perl security update
  10th, August, 2006

Updated Perl packages that fix a security issue are now available for
Red Hat Enterprise Linux 4. This update has been rated as having
important security impact by the Red Hat Security Response Team.

* RedHat: Moderate: httpd security update
  10th, August, 2006

Updated Apache httpd packages that correct security issues and
resolve bugs are now available for Red Hat Enterprise Linux 3 and 4.
This update has been rated as having moderate security impact by the
Red Hat Security Response Team.


* RedHat: Moderate: wireshark security update (was
  16th, August, 2006

New Wireshark packages that fix various security vulnerabilities in
Ethereal are now available. This update has been rated as having
moderate security impact by the Red Hat Security Response Team.


|  Distribution: SuSE             | ----------------------------//

* SuSE: kernel security problems
  11th, August, 2006

Multiple security vulnerabilities in the kernel are addressed.


* SuSE: MozillaFirefox, MozillaThunderbird,
  16th, August, 2006

To fix various security problems we released update packages that
bring Mozilla Firefox to version, MozillaThunderbird to
version and the Seamonkey Suite to version 1.0.3.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@private
         with "unsubscribe" in the subject of the message.

HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/

This archive was generated by hypermail 2.1.3 : Sun Aug 20 2006 - 23:56:02 PDT