Red Hat Enterprise Linux Security: An Updated autofs Package Available

An updated autofs package that fixes a bug is now available. The autofs utility controls the operation of the automount daemon, which automatically mounts file systems and unmounts them again after a period of inactivity. File systems can include network file systems, CD-ROMs, diskettes, and other media.

How do I update my autofs package?

Simply type the following command:
# yum update

Security Alert: Red hat / CentOS Linux Freetype Various Security Issues

Red Hat has issued an important security update for the freetype package that fixes various security issues; updated packages are now available for Red Hat Enterprise Linux 3, 4, and 5. Multiple flaws were discovered in FreeType's Printer Font Binary (PFB) font-file format parser. If a user loaded a carefully crafted font file with a program linked against FreeType, it could cause the application to crash, or possibly execute arbitrary code.

The FreeType engine is a free and portable font rendering engine, developed to provide advanced font support for a variety of platforms and environments. FreeType is a library that can open and manage font files as well as efficiently load, hint and render individual glyphs. FreeType is not a font server or a complete text-rendering library.

How do I fix this issue?

Simply type the following command at a shell prompt:
# yum update
Sample output:

Loading "rhnplugin" plugin
Loading "security" plugin
rhel-x86_64-server-vt-5   100% |=========================| 1.2 kB    00:00
rhel-x86_64-server-5      100% |=========================| 1.2 kB    00:00
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package freetype.i386 0:2.2.1-20.el5_2 set to be updated
---> Package freetype.x86_64 0:2.2.1-20.el5_2 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
 Package                 Arch       Version          Repository        Size
 freetype                i386       2.2.1-20.el5_2   rhel-x86_64-server-5  313 k
 freetype                x86_64     2.2.1-20.el5_2   rhel-x86_64-server-5  311 k
Transaction Summary
Install      0 Package(s)
Update       2 Package(s)
Remove       0 Package(s)
Total download size: 624 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): freetype-2.2.1-20. 100% |=========================| 311 kB    00:00
(2/2): freetype-2.2.1-20. 100% |=========================| 313 kB    00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating  : freetype                     ######################### [1/4]
  Updating  : freetype                     ######################### [2/4]
  Cleanup   : freetype                     ######################### [3/4]
  Cleanup   : freetype                     ######################### [4/4]
Updated: freetype.i386 0:2.2.1-20.el5_2 freetype.x86_64 0:2.2.1-20.el5_2

Red Hat Enterprise Linux 5.2 Released

Red Hat Enterprise Linux version 5.2 has been released and is available via a Red Hat Network subscription. This update brings a broad refresh of hardware support and improved quality, combined with new features and enhancements in areas such as virtualization, desktop, networking, storage & clustering and security.

Virtualization of very large systems, with up to 64 CPUs and 512 GB of memory, is now possible. Virtualization support for NUMA-based architectures is provided, as well as security, performance, manageability and robustness improvements. CPU frequency scaling support for virtualized environments also allows for reduced power consumption.

Red Hat Enterprise Linux 5.2 provides enhanced capabilities for several hardware architectures, covering x86/x86-64, Itanium, IBM POWER and IBM System z, which provide improved performance, power usage, scalability and manageability. For example, support for Intel's Dynamic Acceleration Technology permits power saving by quiescing idle CPU cores, and offers performance gains by potentially overclocking busy cores within safe thermal levels. Other hardware enhancements include extensive device driver updates, covering storage, network and graphics devices, and certification of IBM's new Cell Blade systems.

Red Hat Enterprise Linux becomes a certified operating system for IBM's new high-performance blade server based on Cell Broadband Engine (Cell/B.E) Architecture.

The desktop version includes the latest cutting-edge software:

  • Evolution 2.12.3
  • Firefox 3
  • OpenOffice 2.3.0
  • Thunderbird 2.0

Red Hat Cluster Suite, which is included in Red Hat Enterprise Linux 5 Advanced Platform, now has a Resource Event Scripting Language that enables sophisticated application failover capabilities. It also newly supports SCSI-3 reservation fencing support for active/active and active/passive DM/MPIO (multipathing), which widens the range of storage devices that can be used in clusters.

Improved iSCSI support allows users to set up diskless systems with a root volume on the iSCSI server, a common requirement in high-density blade environments.

How do I upgrade my system?

First, make sure you back up existing configuration and data. Next, simply type the following two commands:
# yum update
# reboot

Verify that everything is working fine, including all services:
# netstat -tulpn
# netstat -nat
# tail -f /var/log/messages
# egrep -i 'error|warn' /var/log/messages
# egrep -i 'error|warn' /path/to/apps/log/file

Alternatively, you can click on the "Red Hat Network Alert Notification GUI Tool", a notifier that appears on the panel and alerts users when software package updates are available for the system. This is a point-and-click method.

If you are a CentOS Linux user, wait some time for all updates to arrive. More information is available at the Red Hat web site.

Security buffer overflow: libtk-img packages arbitrary code execution

It was discovered that a buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to denial of service and potentially the execution of arbitrary code. This affects all Linux / UNIX distributions.

Package : libtk-img
Vulnerability : buffer overflow
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2008-0553

Debian / Ubuntu Linux Fix

Type the following command:
# apt-get update
# apt-get upgrade

Ubuntu Linux Security Update: Samba regression ( CVE-2008-1105 )

A security issue affects the following Ubuntu releases:

=> Ubuntu 6.06 LTS
=> Ubuntu 7.04
=> Ubuntu 7.10
=> Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When Samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572)

Alin Rad Pop of Secunia Research discovered that Samba did not properly perform bounds checking when parsing SMB replies. A remote attacker could send crafted SMB packets and execute arbitrary code. (CVE-2008-1105)

How do I fix this issue?

Log in as root and type the following two commands:
$ sudo apt-get update
$ sudo apt-get upgrade

Linux Failed Login Control: Lock and Unlock User Accounts Using PAM

Under CentOS Linux it is possible to lock out a user account after a number of failed login attempts. This is a security feature. You can also have the account unlocked automatically after some time.

pam_tally - login counter (tallying) module

This module maintains a count of attempted accesses, can reset the count on success, and can deny access if too many attempts fail.


Use /etc/pam.d/system-auth configuration file to configure attempted login accesses and other related activities. Append following AUTH configuration to /etc/pam.d/system-auth file:
auth required pam_tally.so onerr=fail deny=5 unlock_time=21600
(a) deny=5 - Deny access if the tally for this user exceeds 5.

(b) unlock_time=21600 - Allow access again 21600 seconds (6 hours) after the last failed attempt. If this option is used, the user is locked out for the specified amount of time after exceeding the maximum allowed attempts. Otherwise the account stays locked until the lock is removed by manual intervention of the system administrator.

(c) onerr=fail - If something unexpected happens (such as the module being unable to open the tally file), the module returns PAM_SUCCESS if onerr=succeed is given, and otherwise the corresponding PAM error code, so the login attempt fails.

The default file /var/log/faillog is used to keep the login counts.

The above PAM module is part of all Linux distributions, and the configuration should work with any Linux distribution.
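To make the effect of the three options concrete, here is an added example (not pam_tally's own source, and not from the original article) that models the policy line `auth required pam_tally.so onerr=fail deny=5 unlock_time=21600` on a sequence of constructed login attempts. The tally store stands in for /var/log/faillog; the user names, timestamps and the `broken` flag that simulates an unreadable tally file are all assumptions made for the demonstration.

```python
"""Model of the pam_tally policy discussed on this page:
    auth required pam_tally.so onerr=fail deny=5 unlock_time=21600
Added example, not pam_tally's own source: it reproduces the documented
effect of deny, unlock_time and onerr on constructed login attempts so that
each option's behaviour can be observed in isolation."""
from dataclasses import dataclass, field

DENY = 5             # deny=5: refuse once the tally exceeds 5
UNLOCK_TIME = 21600  # unlock_time=21600: six hours, in seconds


@dataclass
class Tally:
    count: int = 0          # failed-attempt counter for one user
    last_failure: int = 0   # time of the most recent failure (seconds)


@dataclass
class TallyStore:
    """Stands in for /var/log/faillog (assumption). broken=True simulates a file
    that cannot be opened, which is the situation onerr= decides."""
    entries: dict = field(default_factory=dict)
    broken: bool = False

    def get(self, user):
        if self.broken:
            raise OSError("cannot open faillog")
        return self.entries.setdefault(user, Tally())


def check_login(store, user, password_ok, now, onerr_fail=True):
    """Decide one login attempt, returning 'allow' or 'deny' and updating the tally.

    Order follows the page's description: expire an old lock once unlock_time has
    passed since the last failure, bump the tally, deny if it exceeds DENY (even
    for a correct password), otherwise reset the tally on success.
    """
    try:
        tally = store.get(user)
    except OSError:
        # onerr=fail: a module error is treated as a failed authentication;
        # onerr=succeed would let the attempt through instead
        return "deny" if onerr_fail else "allow"

    # unlock_time: the lock expires UNLOCK_TIME seconds after the last failure
    if tally.count > DENY and now - tally.last_failure >= UNLOCK_TIME:
        tally.count = 0

    tally.count += 1
    if tally.count > DENY:
        tally.last_failure = now   # locked out, regardless of the password
        return "deny"
    if password_ok:
        tally.count = 0            # reset on success
        return "allow"
    tally.last_failure = now       # ordinary wrong password, tally kept
    return "deny"


def is_locked(store, user):
    """True when the user's tally already exceeds DENY (what faillog -u would show)."""
    return store.entries.get(user, Tally()).count > DENY


def demo():
    """Constructed scenario: five bad passwords, a correct one (still locked),
    then the same correct password after the six-hour window has passed."""
    store = TallyStore()
    results = [check_login(store, "alice", False, t) for t in range(1, 6)]
    results.append(check_login(store, "alice", True, 6))
    results.append(check_login(store, "alice", True, 6 + UNLOCK_TIME))
    return results


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is the sixth attempt: once the tally exceeds deny=5, even the correct password is refused until either unlock_time has elapsed since the last failure or an administrator clears the count, and every further attempt during the lock pushes the expiry forward because it updates the failure time.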

See also:

  1. man pages faillog, pam.conf, pam.d, pam, and pam_tally
  2. pam_tally - login counter (tallying) module documentation.
  3. CentOS Linux project

Linux Kernel v2.6 Local Root Exploit ( vmsplice ) Found

Linux kernel versions from 2.6.17 onwards are affected by the vmsplice bug. The exploit code can be used to test whether a kernel is vulnerable, and it can start a root shell.

=> Debian Bug report logs

=> Fix 1 and Fix 2

Update: See how to apply a patch to a kernel source tree.