[ISN] Linux Advisory Watch - March 30th 2007

From: InfoSec News (alerts@private)
Date: Mon Apr 02 2007 - 02:15:39 PDT


+---------------------------------------------------------------------+
|  LinuxSecurity.com                               Weekly Newsletter  |
|  March 30th 2007                               Volume 8, Number 13a |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@private          ben@private

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for nas, openoffice, mgv, file,
mozilla-firefox, libwpd, evolution, squid, xmms, and KDE library.
The distributors include Debian, Gentoo, Red Hat, Slackware, and
Ubuntu.

---

* EnGarde Secure Linux v3.0.13 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.13 (Version 3.0, Release 13). This release includes
several bug fixes and feature enhancements to the SELinux policy
and several updated packages.

http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.13

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home
life.

http://www.msia.norwich.edu/linsec/

---

RFID with Bio-Smart Card in Linux

In this paper, we describe the integration of fingerprint template
and RF smart card for clustered network, which is designed on Linux
platform and Open source technology to obtain biometrics security.
Combination of smart card and biometrics has achieved in two step
authentication where smart card authentication is based on a
Personal Identification Number (PIN) and the card holder is
authenticated using the biometrics template stored in the smart
card that is based on the fingerprint verification. The fingerprint
verification has to be executed on central host server for
security purposes. Protocol designed allows controlling entire
parameters of smart security controller like PIN options, Reader
delay, real-time clock, alarm option and cardholder access
conditions.

http://www.linuxsecurity.com/content/view/125052/171/

---

Packet Sniffing Overview

The best way to secure you against sniffing is to use encryption.
While this won't prevent a sniffer from functioning, it will ensure
that what a sniffer reads is pure junk.

http://www.linuxsecurity.com/content/view/123570/49/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New nas packages fix multiple remote vulnerabilities
  27th, March, 2007

Several vulnerabilities have been discovered in nas, the Network
Audio System.

http://www.linuxsecurity.com/content/view/127593


* Debian: New OpenOffice.org packages fix several vulnerabilities
  28th, March, 2007

Updated package.

http://www.linuxsecurity.com/content/view/127603


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: mgv Stack overflow in included gv code
  26th, March, 2007

mgv improperly handles user-supplied data possibly allowing for the
execution of arbitrary code.

http://www.linuxsecurity.com/content/view/127569



+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: file security update
  23rd, March, 2007

An updated file package that fixes a security flaw is now available for 
Red Hat Enterprise Linux 4 and 5.This update has been rated as having 
moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/127544



+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

* Slackware:   mozilla-firefox
  26th, March, 2007

New mozilla-firefox packages are available for Slackware 10.2, 11.0,
and -current to fix security issues.

http://www.linuxsecurity.com/content/view/127574


* Slackware:   libwpd
  26th, March, 2007

New libwpd packages are available for Slackware 10.2, 11.0, and
-current to fix security issues.

http://www.linuxsecurity.com/content/view/127575



+---------------------------------+
|  Distribution: Ubuntu           | ----------------------------//
+---------------------------------+

* Ubuntu:  Evolution vulnerability
  26th, March, 2007

Ulf Harnhammar of Secunia Research discovered that Evolution did not
correctly handle format strings when displaying shared memos.  If a
remote attacker tricked a user into viewing a specially crafted
shared memo, they could execute arbitrary code with user privileges.

http://www.linuxsecurity.com/content/view/127567


* Ubuntu:  Squid vulnerability
  26th, March, 2007

A flaw was discovered in Squid's handling of the TRACE request method
which could lead to a crash.  Remote attackers with access to the
Squid server could send malicious TRACE requests, and cause a denial
of service.

http://www.linuxsecurity.com/content/view/127568


* Ubuntu:  Firefox vulnerability
  27th, March, 2007

A flaw was discovered in how Firefox handled PASV FTP responses.  If
a user were tricked into visiting a malicious FTP server, a remote
attacker could perform a port-scan of machines within the user's
network, leading to private information disclosure.

http://www.linuxsecurity.com/content/view/127594


* Ubuntu:  XMMS vulnerabilities
  27th, March, 2007

Sven Krewitt of Secunia Research discovered that XMMS did not
correctly handle BMP images when loading GUI skins.  If a user were
tricked into loading a specially crafted skin, a remote attacker
could execute arbitrary code with user privileges.

http://www.linuxsecurity.com/content/view/127596


* Ubuntu:  OpenOffice.org vulnerabilities
  27th, March, 2007

A stack overflow was discovered in OpenOffice.org's StarCalc parser.
If a user were tricked into opening a specially crafted document, a
remote attacker could execute arbitrary code with user privileges.
(CVE-2007-0238) A flaw was discovered in OpenOffice.org's link
handling code.	If a user were tricked into clicking a link in a
specially crafted document, a remote attacker could execute arbitrary
shell commands with user privileges.

http://www.linuxsecurity.com/content/view/127597


* Ubuntu:  NAS vulnerabilities
  28th, March, 2007

Luigi Auriemma discovered multiple flaws in the Network Audio System
server.  Remote attackers could send specially crafted network
requests that could lead to a denial of service or execution of
arbitrary code.  Note that default Ubuntu installs do not include the
NAS server.

http://www.linuxsecurity.com/content/view/127600


* Ubuntu:  KDE library vulnerabilities
  28th, March, 2007

It was discovered that Konqueror did not correctly handle iframes
from JavaScript.  If a user were tricked into visiting a malicious
website, Konqueror could crash, resulting in a denial of service.
(CVE-2007-1308)A flaw was discovered in how Konqueror handled PASV
FTP responses.	If a user were tricked into visiting a malicious FTP
server, a remote attacker could perform a port-scan of machines
within the user's network, leading to private information disclosure.
(CVE-2007-1564)

http://www.linuxsecurity.com/content/view/127606

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org



This archive was generated by hypermail 2.1.3 : Mon Apr 02 2007 - 02:22:46 PDT