[ISN] Linux Advisory Watch - February 16th 2007

From: InfoSec News (alerts@private)
Date: Mon Feb 19 2007 - 01:29:28 PST

|  LinuxSecurity.com                               Weekly Newsletter  |
|  February 16th 2007                            Volume 8, Number 7a  |

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@private          ben@private

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for fetchmail, imagemagick,
eclipse, netkit, samba, proftpd, snort, rar, postgresql, smb4k,
dbus, java, moinmoin, the the Linux kernel.  The distributors
include Debian, Fedora, Gentoo, Mandriva, Red Hat, and Ubuntu.


Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home



* EnGarde Secure Linux v3.0.12 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.11 (Version 3.0, Release 12). This release includes
several bug fixes and feature enhancements to the SELinux policy
and several updated packages.



RFID with Bio-Smart Card in Linux

In this paper, we describe the integration of fingerprint template
and RF smart card for clustered network, which is designed on Linux
platform and Open source technology to obtain biometrics security.
Combination of smart card and biometrics has achieved in two step
authentication where smart card authentication is based on a
Personal Identification Number (PIN) and the card holder is
authenticated using the biometrics template stored in the smart
card that is based on the fingerprint verification. The fingerprint
verification has to be executed on central host server for
security purposes. Protocol designed allows controlling entire
parameters of smart security controller like PIN options, Reader
delay, real-time clock, alarm option and cardholder access



Packet Sniffing Overview

The best way to secure you against sniffing is to use encryption.
While this won't prevent a sniffer from functioning, it will ensure
that what a sniffer reads is pure junk.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Debian           | ----------------------------//

* Debian: New fetchmail packages fix information disclosure
  14th, February, 2007

Updated package.


* Debian: New imagemagick package fix arbitrary code execution
  14th, February, 2007

Updated package.


|  Distribution: Fedora           | ----------------------------//

* Fedora Core 6 Update: eclipse-cdt-3.1.1-8.fc6
  14th, February, 2007

This updates the Autotools sub-component plugin to 0.0.7.


|  Distribution: Gentoo           | ----------------------------//

* Gentoo: Netkit FTP Server Privilege escalation
  13th, February, 2007

The original fix introduced a new vulnerability allowing the listing
of any arbitrary directory with root group permissions due to a typo
in the setgid() call. New fixed packages are available. Also, this
update adds a second CVE reference which was not originally
mentionned while it was covered by the original fix.


* Gentoo: Samba Multiple vulnerabilities
  13th, February, 2007

Multiple flaws exist in the Samba suite of programs, the most serious
of which could result in the execution of arbitrary code.


* Gentoo: ProFTPD Local privilege escalation
  13th, February, 2007

A flaw in ProFTPD may allow a local attacker to obtain root


* Gentoo: Snort Denial of Service
  13th, February, 2007

Snort contains a vulnerability in the rule matching algorithm that
could result in a Denial of Service.


* Gentoo: RAR, UnRAR Buffer overflow
  13th, February, 2007

RAR and UnRAR contain a buffer overflow allowing the execution of
arbitrary code.


|  Distribution: Mandriva         | ----------------------------//

* Mandriva: Updated postgresql packages address multiple
  8th, February, 2007

Jeff Trout discovered that the PostgreSQL server did not sufficiently
check data types of SQL function arguments in some cases.  A user
could then exploit this to crash the database server or read out
arbitrary locations of the server's memory, which could be used to
retrieve database contents that the user should not be able to see.
Note that a user must be authenticated in order to exploit this


* Mandriva: Updated ImageMagick packages fix buffer overflow
  9th, February, 2007

Vladimir Nadvornik discovered a buffer overflow in GraphicsMagick and
ImageMagick allows user-assisted attackers to cause a denial of
service and possibly execute execute arbitrary code via a PALM image
that is not properly handled by the ReadPALMImage function in
coders/palm.c. This is related to an earlier fix for CVE-2006-5456
that did not fully
correct the issue.


* Mandriva: Updated smb4k packages fix numerous vulnerabilities
  12th, February, 2007

Kees Cook performed an audit on the Smb4K program and discovered a
number of vulnerabilities and security weaknesses that have been
addressed and corrected in Smb4K 0.8.0 which is being provided with
this update.


|  Distribution: Red Hat          | ----------------------------//

* RedHat: Moderate: dbus security update
  8th, February, 2007

Updated dbus packages that fix a security issue are now available for
Red Hat Enterprise Linux 4. This update has been rated as having
moderate security impact by the Red Hat Security Response Team.


* RedHat: Critical: IBMJava2 security update
  8th, February, 2007

IBMJava2-JRE and IBMJava2-SDK packages that correct several security
issues are available for Red Hat Enterprise Linux 2.1. This update
has been rated as having critical security impact by the Red Hat
Security Response Team.


* RedHat: Critical: java-1.5.0-ibm security update
  9th, February, 2007

java-1.5.0-ibm packages that correct several security issues are
available for Red Hat Enterprise Linux 4 Extras. This update has been
rated as having critical security impact by the Red Hat Security
Response Team.


|  Distribution: Ubuntu           | ----------------------------//

* Ubuntu:  MoinMoin vulnerability
  9th, February, 2007

A flaw was discovered in MoinMoin's page name sanitizer which could
lead to a cross-site scripting attack.	By tricking a user into
viewing a crafted MoinMoin page, an attacker could execute arbitrary
JavaScript as the current MoinMoin user, possibly exposing the user's
authentication information for the domain where MoinMoin was hosted.


* Ubuntu:  Linux kernel vulnerabilities
  10th, February, 2007

Mark Dowd discovered that the netfilter iptables module did not
correcly handle fragmented IPv6 packets.


* Ubuntu:  PostgreSQL regression
  12th, February, 2007

USN-417-2 fixed a severe regression in the PostgreSQL server that was
introduced in USN-417-1 and caused some valid queries to be aborted
with a type error. This update fixes a similar (but much less
prominent) error.  At the same time, PostgreSQL is updated to version
8.1.8, which fixes a range of important bugs.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@private
         with "unsubscribe" in the subject of the message.

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Mon Feb 19 2007 - 01:40:24 PST