+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | February 2nd 2007 Volume 8, Number 5a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@xxxxxxxxxxxxxxxxx ben@xxxxxxxxxxxxxxxxx Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released vlc, firefox, bind, libtop2, gtk, libsoup, fetchmail, squid, cacti, thttpd, ksirc, elinks, xine, ulogd, libsoup, kernel, squirrelmail, and tetex. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, SuSE, and Ubuntu. --- Earn an NSA recognized IA Masters Online The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/linsec/ --- * EnGarde Secure Linux v3.0.11 Now Available Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.11 (Version 3.0, Release 11). This release includes several bug fixes and feature enhancements to the SELinux policy and several updated packages. http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.11 --- RFID with Bio-Smart Card in Linux In this paper, we describe the integration of fingerprint template and RF smart card for clustered network, which is designed on Linux platform and Open source technology to obtain biometrics security. Combination of smart card and biometrics has achieved in two step authentication where smart card authentication is based on a Personal Identification Number (PIN) and the card holder is authenticated using the biometrics template stored in the smart card that is based on the fingerprint verification. The fingerprint verification has to be executed on central host server for security purposes. Protocol designed allows controlling entire parameters of smart security controller like PIN options, Reader delay, real-time clock, alarm option and cardholder access conditions. http://www.linuxsecurity.com/content/view/125052/171/ --- Packet Sniffing Overview The best way to secure you against sniffing is to use encryption. While this won't prevent a sniffer from functioning, it will ensure that what a sniffer reads is pure junk. http://www.linuxsecurity.com/content/view/123570/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New vlc packages fix arbitrary code execution 27th, January, 2007 Updated package. http://www.linuxsecurity.com/content/view/126779 * Debian: New Mozilla Firefox packages fix several vulnerabilities 27th, January, 2007 Updated package. http://www.linuxsecurity.com/content/view/126780 * Debian: New bind9 packages fix denial of service 28th, January, 2007 Updated package. http://www.linuxsecurity.com/content/view/126783 * Debian: New libgtop2 packages fix arbitrary code execution 31st, January, 2007 Updated package. http://www.linuxsecurity.com/content/view/126831 * Debian: New gtk+2.0 packages fix denial of service 31st, January, 2007 Updated package. http://www.linuxsecurity.com/content/view/126845 +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ * Fedora Core 6 Update: bind-9.3.4-1.fc6 29th, January, 2007 Updated to version 9.3.4 which contains two security bugfixes... http://www.linuxsecurity.com/content/view/126788 * Fedora Core 6 Update: libsoup-2.2.99-1.fc6 29th, January, 2007 Update to the latest libsoup 2.2 release. This release fixes a security flaw that causes the libsoup server to crash when it receives a malformed HTTP GET header. http://www.linuxsecurity.com/content/view/126790 * Fedora Core 5 Update: fetchmail-6.3.6-2.fc5 29th, January, 2007 Update to fetchmail-6.3.6 (CVE-2006-5867, CVE-2006-5974) http://www.linuxsecurity.com/content/view/126802 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: Squid Multiple Denial of Service vulnerabilities 25th, January, 2007 Two vulnerabilities have been found in Squid which make it susceptible to Denial of Service attacks. http://www.linuxsecurity.com/content/view/126745 * Gentoo: Cacti Command execution and SQL injection 26th, January, 2007 Cacti has three vulnerabilities that could allow shell command execution or SQL injection. http://www.linuxsecurity.com/content/view/126750 * Gentoo: VLC media player Format string vulnerability 26th, January, 2007 VLC media player improperly handles format strings, allowing for the execution of arbitrary code. http://www.linuxsecurity.com/content/view/126751 * Gentoo: VLC media player Format string vulnerability 27th, January, 2007 VLC media player improperly handles format strings, allowing for the execution of arbitrary code. http://www.linuxsecurity.com/content/view/126781 * Gentoo: X.Org X server Multiple vulnerabilities 27th, January, 2007 Sean Larsson from iDefense Labs has found multiple vulnerabilities in the DBE and Render extensions. http://www.linuxsecurity.com/content/view/126782 * Gentoo: thttpd Unauthenticated remote file access 31st, January, 2007 The default configuration of the Gentoo thttpd package potentially allows unauthenticated access to system files when used with newer versions of baselayout. http://www.linuxsecurity.com/content/view/126842 * Gentoo: KSirc Denial of Service vulnerability 31st, January, 2007 KSirc is vulnerable to a Denial of Service attack. http://www.linuxsecurity.com/content/view/126843 * Gentoo: ELinks Arbitrary Samba command execution 31st, January, 2007 ELinks does not properly validate "smb://" URLs, making it vulnerable to the execution of arbitrary Samba commands. http://www.linuxsecurity.com/content/view/126844 +---------------------------------+ | Distribution: Mandriva | ----------------------------// +---------------------------------+ * Mandriva: Updated xine-ui packages fix vulnerabilities 26th, January, 2007 Format string vulnerability in the errors_create_window function in errors.c in xine-ui allows attackers to execute arbitrary code via unknown vectors. http://www.linuxsecurity.com/content/view/126752 * Mandriva: Updated ulogd packaged to address buffer overflow vulnerability 27th, January, 2007 Buffer overflow in ulogd has unknown impact and attack vectors related to "improper string length calculations." The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/126776 * Mandriva: Updated libsoup packages fix DoS vulnerability 27th, January, 2007 The soup_headers_parse function in soup-headers.c for libsoup HTTP library before 2.2.99 allows remote attackers to cause a denial of service (crash) via malformed HTTP headers, probably involving missing fields or values. The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/126777 * Mandriva: Updated bind packages fix DoS vulnerabilities 30th, January, 2007 Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (named daemon crash) via unspecified vectors that cause named to "dereference a freed fetch context." <P> http://www.linuxsecurity.com/content/view/126819 +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ * RedHat: Important: kernel security update 30th, January, 2007 Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/126813 * RedHat: Moderate: fetchmail security update 31st, January, 2007 Updated fetchmail packages that fix two security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/126827 * RedHat: Moderate: squirrelmail security update 31st, January, 2007 A new squirrelmail package that fixes security issues is now available for Red Hat Enterprise Linux 3 and 4. http://www.linuxsecurity.com/content/view/126828 +---------------------------------+ | Distribution: Slackware | ----------------------------// +---------------------------------+ * Slackware: bind 27th, January, 2007 New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix denial of service security issues. http://www.linuxsecurity.com/content/view/126778 +---------------------------------+ | Distribution: SuSE | ----------------------------// +---------------------------------+ * SuSE: bind remote denial of service 30th, January, 2007 Two security problems were fixed in the ISC BIND nameserver version 9.3.4, which are addressed by this advisory http://www.linuxsecurity.com/content/view/126809 +---------------------------------+ | Distribution: Ubuntu | ----------------------------// +---------------------------------+ * Ubuntu: teTeX vulnerability 25th, January, 2007 USN-410-1 fixed vulnerabilities in the poppler PDF loader library. This update provides the corresponding updates for a copy of this code in tetex-bin in Ubuntu 5.10. Versions of tetex-bin after Ubuntu 5.10 use poppler directly and do not need a separate update. http://www.linuxsecurity.com/content/view/126747 * Ubuntu: Firefox regression 26th, January, 2007 USN-398-2 fixed vulnerabilities in Firefox 1.5. However, when auto-filling saved-password login forms without a username field, Firefox would crash. This update fixes the problem. We apologize for the inconvenience. http://www.linuxsecurity.com/content/view/126775 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------