+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| June 22nd 2007 Volume 8, Number 25a |
+---------------------------------------------------------------------+
Editors: Dave Wreski Benjamin D. Thomas
dave@xxxxxxxxxxxxxxxxx ben@xxxxxxxxxxxxxxxxx
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each
vulnerability.
This week advisories were released for the Linux kernel, postgreSQL,
libexif, libeapache, ClamAV, Firefox, and mod_perl. The distributors
include Debian, Gentoo, Mandriva, and Red Hat.
---
Hakin9 Magazine - Hacking, IT Security and More
Subscribe today and get 10% off! Covers all things hackers need
including techniques about breaking into computer systems, defense and
protection methods. A great new magazine that'll be sure to keep you on
the cutting edge. Want to learn more about the magazine?
Get 10% the regular subscription price if you sign up by
the end of June!
http://www.linuxsecurity.com/ads/adclick.php?bannerid=30&zoneid=1
---
* EnGarde Secure Linux v3.0.13 Now Available
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.13 (Version 3.0, Release 13). This release includes several
bug fixes and feature enhancements to the SELinux policy and several
updated packages.
http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.13
---
Review: Practical Packet Analysis
In the introduction, McIlwraith points out that security awareness
training properly consists of communication, raising of issues, and
encouragement to modify behaviour. (This will come as no surprise
to those who recall the definition of training as the modification
of attitudes and behaviour.) He also notes that security professionals
frequently concentrate solely on presentation of problems. The
remainder of the introduction looks at other major security
activities, and the part that awareness plays in ensuring that
they actually work.
http://www.linuxsecurity.com/content/view/128459/171/
---
Robert Slade Review: "Information Security and Employee Behaviour"
The best way to secure you against sniffing is to use encryption. While
this won't prevent a sniffer from functioning, it will ensure that what a
sniffer reads is pure junk.
http://www.linuxsecurity.com/content/view/128404/171/
--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
* Debian: New Linux kernel 2.6.8 packages fix several
16th, June, 2007
Several local and remote vulnerabilities have been discovered in
the Linux kernel that may lead to a denial of service or the execution
of arbitrary code.Doug Chapman discovered a potential local DoS (deadlock)
in the mincore function caused by improper lock handling.
http://www.linuxsecurity.com/content/view/128557
* Debian: New PostgreSQL 8.1 packages fix privilege escalation
16th, June, 2007
It was discovered that the PostgreSQL database performs insufficient
validation of variables passed to privileged SQL statements, so
called "security definers", which could lead to SQL privilege
escalation.
http://www.linuxsecurity.com/content/view/128565
* Debian: New libexif packages fix integer overflow
16th, June, 2007
A vulnerability has been discovered in libexif, a library to parse
EXIF files, which allows denial of service and possible execution
of arbitary code via malformed EXIF data.
http://www.linuxsecurity.com/content/view/128567
* Debian: New libexif packages fix integer overflow
16th, June, 2007
A vulnerability has been discovered in libexif, a library to parse
EXIF files, which allows denial of service and possible execution of
arbitary code via malformed EXIF data.
http://www.linuxsecurity.com/content/view/128568
* Debian: New PostgreSQL 7.4 packages fix privilege escalation
17th, June, 2007
It was discovered that the PostgreSQL database performs insufficient
validation of variables passed to privileged SQL statement called
"security definers", which could lead to SQL privilege escalation.
http://www.linuxsecurity.com/content/view/128570
* Debian: New libapache-mod-jk packages fix information disclosure
17th, June, 2007
It was discovered that the Apache 1.3 connector for the Tomcat Java
servlet engine decoded request URLs multiple times, which can lead
to information disclosure.
http://www.linuxsecurity.com/content/view/128571
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
* Gentoo: ClamAV Multiple Denials of Service
15th, June, 2007
ClamAV contains several vulnerabilities leading to a Denial of
Service. A remote attacker could send a specially crafted file to the
scanner, possibly triggering one of the vulnerabilities. The two
buffer overflows are reported to only cause Denial of Service. This
would lead to a Denial of Service by CPU consumption or a crash of
the scanner. The insecure temporary file creation vulnerability could
be used by a local user to access sensitive data.
http://www.linuxsecurity.com/content/view/128554
+---------------------------------+
| Distribution: Mandriva | ----------------------------//
+---------------------------------+
* Mandriva: Updated Firefox packages fix multiple
15th, June, 2007
A number of security vulnerabilities have been discovered and
corrected in the latest Mozilla Firefox program, version 2.0.0.4.
This update provides the latest Firefox to correct these issues.
http://www.linuxsecurity.com/content/view/128556
* Mandriva: Updated Firefox packages fix multiple
16th, June, 2007
A number of security vulnerabilities have been discovered and
corrected in the latest Mozilla Firefox program, version 2.0.0.4.
This update provides the latest Firefox to correct these issues.
http://www.linuxsecurity.com/content/view/128566
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
* RedHat: Moderate: mod_perl security update
18th, June, 2007
Updated mod_perl packages that fix a security issue are now available
for Red Hat Enterprise Linux 2.1. This update has been rated as
having moderate security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/128573
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
