+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  June 22nd 2007                               Volume 8, Number 25a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                    Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx         ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week advisories were released for the Linux kernel, PostgreSQL,
libexif, libapache-mod-jk, ClamAV, Firefox, and mod_perl. The
distributors include Debian, Gentoo, Mandriva, and Red Hat.

---

Hakin9 Magazine - Hacking, IT Security and More
Subscribe today and get 10% off!

Covers all things hackers need including techniques about breaking
into computer systems, defense and protection methods. A great new
magazine that'll be sure to keep you on the cutting edge. Want to
learn more about the magazine? Get 10% off the regular subscription
price if you sign up by the end of June!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=30&zoneid=1

---

* EnGarde Secure Linux v3.0.13 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.13 (Version 3.0, Release 13). This release includes
several bug fixes and feature enhancements to the SELinux policy and
several updated packages.

http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.13

---

Review: Practical Packet Analysis

In the introduction, McIlwraith points out that security awareness
training properly consists of communication, raising of issues, and
encouragement to modify behaviour. (This will come as no surprise to
those who recall the definition of training as the modification of
attitudes and behaviour.) He also notes that security professionals
frequently concentrate solely on presentation of problems.
The remainder of the introduction looks at other major security
activities, and the part that awareness plays in ensuring that they
actually work.

http://www.linuxsecurity.com/content/view/128459/171/

---

Robert Slade Review: "Information Security and Employee Behaviour"

The best way to secure you against sniffing is to use encryption.
While this won't prevent a sniffer from functioning, it will ensure
that what a sniffer reads is pure junk.

http://www.linuxsecurity.com/content/view/128404/171/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New Linux kernel 2.6.8 packages fix several
  16th, June, 2007

Several local and remote vulnerabilities have been discovered in the
Linux kernel that may lead to a denial of service or the execution of
arbitrary code. Doug Chapman discovered a potential local DoS
(deadlock) in the mincore function caused by improper lock handling.

http://www.linuxsecurity.com/content/view/128557

* Debian: New PostgreSQL 8.1 packages fix privilege escalation
  16th, June, 2007

It was discovered that the PostgreSQL database performs insufficient
validation of variables passed to privileged SQL statements, so called
"security definers", which could lead to SQL privilege escalation.

http://www.linuxsecurity.com/content/view/128565

* Debian: New libexif packages fix integer overflow
  16th, June, 2007

A vulnerability has been discovered in libexif, a library to parse
EXIF files, which allows denial of service and possible execution of
arbitrary code via malformed EXIF data.
http://www.linuxsecurity.com/content/view/128567

* Debian: New libexif packages fix integer overflow
  16th, June, 2007

A vulnerability has been discovered in libexif, a library to parse
EXIF files, which allows denial of service and possible execution of
arbitrary code via malformed EXIF data.

http://www.linuxsecurity.com/content/view/128568

* Debian: New PostgreSQL 7.4 packages fix privilege escalation
  17th, June, 2007

It was discovered that the PostgreSQL database performs insufficient
validation of variables passed to privileged SQL statements called
"security definers", which could lead to SQL privilege escalation.

http://www.linuxsecurity.com/content/view/128570

* Debian: New libapache-mod-jk packages fix information disclosure
  17th, June, 2007

It was discovered that the Apache 1.3 connector for the Tomcat Java
servlet engine decoded request URLs multiple times, which can lead to
information disclosure.

http://www.linuxsecurity.com/content/view/128571

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: ClamAV Multiple Denials of Service
  15th, June, 2007

ClamAV contains several vulnerabilities leading to a Denial of Service.
A remote attacker could send a specially crafted file to the scanner,
possibly triggering one of the vulnerabilities. The two buffer
overflows are reported to only cause Denial of Service. This would
lead to a Denial of Service by CPU consumption or a crash of the
scanner. The insecure temporary file creation vulnerability could be
used by a local user to access sensitive data.

http://www.linuxsecurity.com/content/view/128554

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated Firefox packages fix multiple
  15th, June, 2007

A number of security vulnerabilities have been discovered and corrected
in the latest Mozilla Firefox program, version 2.0.0.4.
This update provides the latest Firefox to correct these issues.

http://www.linuxsecurity.com/content/view/128556

* Mandriva: Updated Firefox packages fix multiple
  16th, June, 2007

A number of security vulnerabilities have been discovered and corrected
in the latest Mozilla Firefox program, version 2.0.0.4. This update
provides the latest Firefox to correct these issues.

http://www.linuxsecurity.com/content/view/128566

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: mod_perl security update
  18th, June, 2007

Updated mod_perl packages that fix a security issue are now available
for Red Hat Enterprise Linux 2.1. This update has been rated as having
moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/128573

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------