Linux Advisory Watch – November 18, 2005


Author: Benjamin D. Thomas

This week, advisories were released for awstats, kdelibs, acidlab, AbiWord,
uim, ftpd-ssl, phpsysinfo, phpgroupware, lynx, rar, sylpheed, gtk, egroupware,
cpio, lm_sensors, and gdk-pixpuf. The distributors include Debian, Gentoo, Mandriva,
and Red Hat.

SELinux Administration, Part II
By: Pax Dickinson

Policy booleans are sections of policy that can be switched on or
off, providing a basic level of policy configurability at runtime
without requiring the recompilation of the entire security policy.
For example, you might be running a webmail application on your
server that requires the webserver process to be able to connect
to your mail server ports and read mail files out of users' home
directories. Rather than adding those permissions to the security
policy where they would reduce security for those not running
webmail, a policy developer would create a boolean that the local
administrator could enable only if it is required. This helps
maintain a high level of security and follows the principle of
least privilege.

To view a list of the policy booleans in your running policy
and their current states, use the sestatus command. Among other
information, this command lists your current enforcing mode, the
enforcing mode configured in the /etc/selinux/config file, and
every policy boolean together with whether it is active or
inactive.

You can view the current state of a single boolean with the
getsebool command, passing it the name of the boolean you want
to inspect. Booleans are set with the setsebool command, passing
it the name of the boolean you want to set followed by 1 or 0 to
make the boolean active or inactive respectively.

Some sample booleans from the EnGarde Secure Linux SELinux
policy are httpd_webmail and user_ping. The httpd_webmail
boolean covers exactly the webmail situation described above,
while the user_ping boolean determines whether or not regular
users are able to send ping packets over the network. Booleans
can be as simple as a single allow statement, or can enable or
disable large swathes of the policy depending on their purpose.
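Because a boolean such as httpd_webmail widens what the web server may touch the moment it is switched on, an administrator will want to notice when a boolean's state differs from what was approved. The following script is an added example, not part of the original article or of EnGarde's tooling: it compares two captures of getsebool -a output (a baseline and a current one) and reports drift. It assumes getsebool prints one boolean per line as "name --> state", accepting both the older active/inactive and the newer on/off spellings; the sample captures and the boolean example_bool are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article. Compares the boolean states
# in two captures of `getsebool -a` output and reports any that changed.
# Assumes one boolean per line, "name --> state", where state is
# active/inactive (older policycoreutils) or on/off (newer releases).

# Print one line per boolean whose state differs from the baseline, or
# that is present in the baseline but missing from the current capture.
# $1: baseline capture (taken when the host's policy was last reviewed)
# $2: current capture
boolean_drift() {
    awk '
        # map both spellings onto one on/off vocabulary
        function norm(s) {
            if (s == "active" || s == "on") return "on"
            if (s == "inactive" || s == "off") return "off"
            return "unknown"
        }
        $2 != "-->" { next }                      # not a boolean line
        NR == FNR   { want[$1] = norm($3); next } # first file: baseline
                    { have[$1] = norm($3) }       # second file: current
        END {
            for (b in want) {
                if (!(b in have))
                    print "MISSING: " b " (expected " want[b] ")"
                else if (want[b] != have[b])
                    print "DRIFT: " b " expected " want[b] ", found " have[b]
            }
        }' "$1" "$2" | sort
}

# Exit 0 when nothing changed, 1 otherwise; usable from cron or a monitoring check.
check_booleans() {
    out=$(boolean_drift "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample captures (not real output from any host). The baseline
# has webmail support off; the current capture shows it switched on, and
# the hypothetical example_bool has vanished from the running policy.
BASELINE_FILE=$(mktemp); CURRENT_FILE=$(mktemp)
trap 'rm -f "$BASELINE_FILE" "$CURRENT_FILE"' EXIT
cat > "$BASELINE_FILE" <<'EOF'
httpd_webmail --> inactive
user_ping --> active
example_bool --> active
EOF
cat > "$CURRENT_FILE" <<'EOF'
httpd_webmail --> on
user_ping --> on
EOF
check_booleans "$BASELINE_FILE" "$CURRENT_FILE" || echo "review the booleans above before trusting this host"
```

On a live host the two captures would come from `getsebool -a > file` run at approval time and at check time; the script itself never calls setsebool, it only reports.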

Our SELinux journey is almost done. Next time, we’ll discuss
policy development basics and see how we can troubleshoot
policy denials and write new SELinux policy or modify existing
policy to allow our SELinux system to get its jobs done while
maintaining a high level of security. Until then, farewell
and remember to stay secure.

Read Entire Article:
http://www.linuxsecurity.com/content/view/120700/49/


   Debian
  Debian: New awstats packages fix arbitrary
command execution
  10th, November, 2005

Updated package.

 
  Debian: New kdelibs packages fix backup
file information leak
  10th, November, 2005

Updated package.

 
  Debian: New acidlab packages fix SQL
injection
  14th, November, 2005

Updated package.

 
  Debian: New AbiWord packages fix arbitrary
code execution
  14th, November, 2005

Updated package.

 
  Debian: New uim packages fix privilege
escalation
  14th, November, 2005

Updated package.

 
  Debian: New ftpd-ssl packages fix arbitrary
code execution
  15th, November, 2005

Updated package.

 
  Debian: New phpsysinfo packages fix several
vulnerabilities
  15th, November, 2005

Updated package.

 
  Debian: New phpgroupware packages fix
several vulnerabilities
  17th, November, 2005

Updated package.

 
   Gentoo
  Gentoo: PHP Multiple vulnerabilities
  13th, November, 2005

PHP suffers from multiple issues, resulting in security function
bypass, local denial of service, cross-site scripting or PHP variable
overwrite.

 
  Gentoo: Lynx Arbitrary command execution
  13th, November, 2005

Lynx is vulnerable to an issue which allows the remote execution
of arbitrary commands.

 
  Gentoo: RAR Format string and buffer
overflow vulnerabilities
  13th, November, 2005

RAR contains a format string error and a buffer overflow vulnerability
that may be used to execute arbitrary code.

 
  Gentoo: linux-ftpd-ssl Remote buffer
overflow
  13th, November, 2005

A buffer overflow vulnerability has been found, allowing a remote
attacker to execute arbitrary code with escalated privileges on the local
system.

 
  Gentoo: Scorched 3D Multiple vulnerabilities
  15th, November, 2005

Multiple vulnerabilities in Scorched 3D allow a remote attacker
to deny service or execute arbitrary code on game servers.

 
  Gentoo: Sylpheed, Sylpheed-Claws Buffer
overflow in LDIF
  15th, November, 2005

Sylpheed and Sylpheed-Claws contain a buffer overflow vulnerability
which may lead to the execution of arbitrary code.

 
  Gentoo: GTK+ 2, GdkPixbuf Multiple XPM
decoding vulnerabilities
  16th, November, 2005

The GdkPixbuf library, which is also included in GTK+ 2, contains
vulnerabilities that could lead to a denial of service or the execution
of arbitrary code.

 
   Mandriva
  Mandriva: Updated lynx packages fix critical
vulnerability
  12th, November, 2005

An arbitrary command execution vulnerability was discovered
in the lynx “lynxcgi:” URI handler. An attacker could create a web page
that redirects to a malicious URL which could then execute arbitrary code
as the user running lynx. The updated packages have been patched to address
this issue.

 
  Mandriva: Updated egroupware packages
to address phpldapadmin, phpsysinfo vulnerabilities
  16th, November, 2005

The updated packages have new versions of these subsystems to
correct these issues.

 
  Mandriva: Updated php packages fix multiple
vulnerabilities
  17th, November, 2005

Updated package.

 
  Mandriva: Updated autofs packages fix
problem with LDAP
  16th, November, 2005

A problem with how autofs was linked with the LDAP libraries
would cause autofs to segfault on startup. The updated package has been
fixed to correct this problem.

 
  Mandriva: Updated acpid package fixes
various bugs
  16th, November, 2005

A number of bugs have been fixed in this new acpid package:
Correct an error in the initscript, to look for lm_battery.sh rather than
battery.sh.

 
   Red Hat
  RedHat: Critical: lynx security update
  11th, November, 2005

An updated lynx package that corrects a security flaw is now
available. This update has been rated as having critical security impact
by the Red Hat Security Response Team.

 
  RedHat: Low: cpio security update
  10th, November, 2005

An updated cpio package that fixes multiple issues is now available.
This update has been rated as having low security impact by the Red Hat
Security Response Team.

 
  RedHat: Low: lm_sensors security update
  10th, November, 2005

Updated lm_sensors packages that fix an insecure file issue
are now available. This update has been rated as having low security impact
by the Red Hat Security Response Team.

 
  RedHat: Moderate: php security update
  10th, November, 2005

Updated PHP packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 3 and 4. This update has been rated
as having moderate security impact by the Red Hat Security Response Team.

 
  RedHat: Moderate: php security update
  10th, November, 2005

Updated PHP packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 2.1. This update has been rated
as having moderate security impact by the Red Hat Security Response Team.

 
  RedHat: Important: gdk-pixbuf security
update
  15th, November, 2005

Updated gdk-pixbuf packages that fix several security issues
are now available. This update has been rated as having important security
impact by the Red Hat Security Response Team.

 
  RedHat: Important: gtk2 security update
  15th, November, 2005

Updated gtk2 packages that fix two security issues are now available.
This update has been rated as having important security impact by the
Red Hat Security Response Team.