+----------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter      |
|  July 4th, 2008                               Volume 9, Number 27    |
|                                                                      |
|  Editorial Team:  Dave Wreski         <dwreski@xxxxxxxxxxxxxxxxx>    |
|                   Benjamin D. Thomas  <bthomas@xxxxxxxxxxxxxxxxx>    |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for sympa, dbus, selinux-policy,
libetpan, perl, motion, python, libgnomeui, xine-lib, firefox, seamonkey,
ruby, samba, and openssl. The distributors include Debian, Fedora,
Gentoo, Mandriva, Red Hat, Slackware, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments. Catch up with what
professional network and database administrators, system programmers,
webmasters and all those who believe in the power of Open Source
software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Security Features of Firefox 3.0
--------------------------------

Let's take a look at the security features of the newly released Firefox
3.0. Since its release on Tuesday I have been testing it out to see how
the new security enhancements work and help increase user browsing
security. One of the exciting improvements for me was how Firefox
handles SSL-secured web sites while browsing the Internet. There are
also many other security features that this article will look at, for
example improved plugin and add-on security. Read on for more security
features of Firefox 3.0.
http://www.linuxsecurity.com/content/view/138972

---

Review: The Book of Wireless
----------------------------

"The Book of Wireless" by John Ross is an answer to the problem of
learning about wireless networking. With the widespread use of wireless
networks today, anyone with a computer should at least know the basics
of wireless. Users also need to know how to protect themselves from
attacks on wireless networks.

http://www.linuxsecurity.com/content/view/136167

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf  <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
  -------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.19 (Version 3.0, Release 19). This release includes many
  updated packages and bug fixes and some feature enhancements to the
  EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/136174

------------------------------------------------------------------------

* Debian: New sympa packages fix denial of service (Jul 1)
  --------------------------------------------------------
  It was discovered that sympa, a modern mailing list manager, would
  crash when processing certain types of malformed messages.

  http://www.linuxsecurity.com/content/view/139296

* Debian: New dbus packages fix privilege escalation (Jun 26)
  -----------------------------------------------------------
  Havoc Pennington discovered that DBus, a simple interprocess messaging
  system, performs insufficient validation of security policies, which
  might allow local privilege escalation.
  http://www.linuxsecurity.com/content/view/139131

------------------------------------------------------------------------

* Fedora 9 Update: selinux-policy-3.3.1-72.fc9 (Jul 1)
  ----------------------------------------------------
  SELinux Reference Policy - modular. Based off of reference policy:
  checked out revision 2624.

  http://www.linuxsecurity.com/content/view/139248

* Fedora 8 Update: libetpan-0.54-1.fc8 (Jun 26)
  ---------------------------------------------
  Update to new upstream version 0.54, fixing a crash (NULL pointer
  dereference) in the mail message header parser. Note: there is no
  application in Fedora using the libetpan library for which such a
  crash could be considered a security issue. This can only be a
  security-sensitive issue for third-party, non-packaged applications.

  http://www.linuxsecurity.com/content/view/139125

* Fedora 9 Update: perl-5.10.0-27.fc9 (Jun 26)
  --------------------------------------------
  CVE-2008-2827 perl: insecure use of chmod in rmtree

  http://www.linuxsecurity.com/content/view/139106

------------------------------------------------------------------------

* Gentoo: Motion: Execution of arbitrary code (Jul 1)
  ---------------------------------------------------
  Multiple vulnerabilities in Motion might result in the execution of
  arbitrary code.

  http://www.linuxsecurity.com/content/view/139295

* Gentoo: Python: Multiple integer overflows (Jul 1)
  --------------------------------------------------
  Multiple integer overflows may allow for denial of service.

  http://www.linuxsecurity.com/content/view/139294

------------------------------------------------------------------------

* Mandriva: Updated libgnomeui2 packages fix text rendering bug (Jun 30)
  ----------------------------------------------------------------------
  A missing initialization was preventing correct text rendering in the
  GTK2 file selector when using non-UTF8 locales.
  This updated package fixes this issue, as well as memory leaks, and
  also includes new translations from the GNOME 2.22.2 release.

  http://www.linuxsecurity.com/content/view/139239

* Mandriva: Updated xine-lib packages fix vulnerability in (Jun 26)
  -----------------------------------------------------------------
  A vulnerability in the Speex library was found where it did not
  properly validate input values read from the Speex file headers. An
  attacker could create a malicious Speex file that would crash an
  application or potentially allow the execution of arbitrary code with
  the privileges of the application calling the Speex library
  (CVE-2008-1686).

  http://www.linuxsecurity.com/content/view/139134

------------------------------------------------------------------------

* RedHat: Critical: firefox security update (Jul 2)
  -------------------------------------------------
  Updated firefox packages that fix several security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having critical security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/139334

* RedHat: Moderate: Red Hat Application Stack v1.3 (Jul 2)
  --------------------------------------------------------
  Red Hat Application Stack v1.3 is now available. This update fixes a
  security issue and adds several enhancements. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/139335

* RedHat: Moderate: Red Hat Application Stack v2.1 (Jul 2)
  --------------------------------------------------------
  Red Hat Application Stack v2.1 is now available. This update fixes
  various security issues and adds several enhancements. This update
  has been rated as having moderate security impact by the Red Hat
  Security Response Team.
  http://www.linuxsecurity.com/content/view/139336

* RedHat: Critical: seamonkey security update (Jul 2)
  ---------------------------------------------------
  This update has been rated as having critical security impact by the
  Red Hat Security Response Team. Several flaws were found in the
  processing of malformed web content. A web page containing malicious
  content could cause SeaMonkey to crash or, potentially, execute
  arbitrary code as the user running SeaMonkey.

  http://www.linuxsecurity.com/content/view/139332

* RedHat: Critical: firefox security update (Jul 2)
  -------------------------------------------------
  An updated firefox package that fixes several security issues is now
  available for Red Hat Enterprise Linux 4. Multiple flaws were found in
  the processing of malformed JavaScript content. A web page containing
  such malicious content could cause Firefox to crash or, potentially,
  execute arbitrary code as the user running Firefox.

  http://www.linuxsecurity.com/content/view/139333

------------------------------------------------------------------------

* Slackware: ruby (Jun 28)
  ------------------------
  New ruby packages are available for Slackware 11.0, 12.0, 12.1, and
  -current to fix security issues. More details about these issues may
  be found in the Common Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726

  http://www.linuxsecurity.com/content/view/139178

------------------------------------------------------------------------

* Ubuntu: Firefox vulnerabilities (Jul 2)
  ---------------------------------------
  Various flaws were discovered in the browser engine.
  By tricking a user into opening a malicious web page, an attacker
  could cause a denial of service via application crash, or possibly
  execute arbitrary code with the privileges of the user invoking the
  program. (CVE-2008-2798, CVE-2008-2799)

  http://www.linuxsecurity.com/content/view/139331

* Ubuntu: Samba regression (Jun 30)
  ---------------------------------
  Samba developers discovered that nmbd could be made to overrun a
  buffer during the processing of GETDC logon server requests. When
  Samba is configured as a Primary or Backup Domain Controller, a
  remote attacker could send malicious logon requests and possibly
  cause a denial of service. (CVE-2007-4572)

  http://www.linuxsecurity.com/content/view/139235

* Ubuntu: Ruby vulnerabilities (Jun 26)
  -------------------------------------
  Drew Yao discovered several vulnerabilities in Ruby which lead to
  integer overflows. If a user or automated system were tricked into
  running a malicious script, an attacker could cause a denial of
  service or execute arbitrary code with the privileges of the user
  invoking the program.

  http://www.linuxsecurity.com/content/view/139133

* Ubuntu: OpenSSL vulnerabilities (Jun 26)
  ----------------------------------------
  It was discovered that OpenSSL was vulnerable to a double-free when
  using TLS server extensions. A remote attacker could send a crafted
  packet and cause a denial of service via application crash in
  applications linked against OpenSSL. Ubuntu 8.04 LTS does not compile
  TLS server extensions by default. (CVE-2008-0891)

  It was discovered that OpenSSL could dereference a NULL pointer. If a
  user or automated system were tricked into connecting to a malicious
  server with particular cipher suites, a remote attacker could cause a
  denial of service via application crash. (CVE-2008-1672)

  http://www.linuxsecurity.com/content/view/139127

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.
LinuxSecurity.com

To unsubscribe, email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.

------------------------------------------------------------------------
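The Fedora update titles above (selinux-policy-3.3.1-72.fc9, libetpan-0.54-1.fc8 and perl-5.10.0-27.fc9) name the package version that carries each fix, and the practical question for an administrator is whether the installed version is at least that. Deciding that by eye is error-prone because RPM version strings are not compared lexically. The script below is an added example, written for this page and not taken from the newsletter, Fedora or the rpm project: it reimplements the segment-wise comparison that rpm's rpmvercmp() uses (numeric segments compared as integers, alphabetic segments compared lexically, a numeric segment ranking above an alphabetic one, and the string with segments left over ranking higher) and applies it to the three fixed versions from this issue. The `rpm -qa` output it parses is constructed sample data, and it assumes no epochs are involved (none appear in the titles above) and ignores the tilde and caret ordering rules that newer rpm releases added.

```python
"""Check installed Fedora package versions against the fixed versions named in
this newsletter's Fedora update titles (added example, not newsletter code)."""
import re

# Fixed version-release strings taken from the Fedora update titles above.
FIXED = {
    "selinux-policy": "3.3.1-72.fc9",
    "libetpan": "0.54-1.fc8",
    "perl": "5.10.0-27.fc9",
}

# Constructed sample of
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
# output for a hypothetical host; one package is one release behind the fix.
SAMPLE_RPM_QA = """\
selinux-policy-3.3.1-71.fc9
libetpan-0.54-1.fc8
perl-5.10.0-27.fc9
"""

# A version string is compared as a sequence of digit runs and letter runs;
# every other character (dots, underscores, ...) is only a separator.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpm's rpmvercmp() ordering (tilde/caret
    rules of newer rpm releases deliberately not implemented)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            # Numeric segments compare as integers, so "10" > "9" and "01" == "1".
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            # A numeric segment is newer than an alphabetic one at the same position.
            return 1 if xd else -1
        else:
            # Two alphabetic segments compare lexically.
            return -1 if x < y else 1
    # All shared segments equal: whichever string still has segments left wins.
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def split_nvr(nvr):
    """Split 'name-version-release' on the last two dashes; the name itself
    may contain dashes (selinux-policy), version and release may not."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_vr(installed_vr, fixed_vr):
    """Compare 'version-release' pairs: version first, release as tie-breaker."""
    iv, ir = installed_vr.split("-", 1)
    fv, fr = fixed_vr.split("-", 1)
    c = rpmvercmp(iv, fv)
    return c if c != 0 else rpmvercmp(ir, fr)


def outdated_packages(rpm_qa_output, fixed=FIXED):
    """Return {name: (installed_vr, fixed_vr)} for every package in `fixed`
    whose installed version is older than the advisory's fixed version."""
    outdated = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release = split_nvr(line)
        if name not in fixed:
            continue
        installed_vr = f"{version}-{release}"
        if compare_vr(installed_vr, fixed[name]) < 0:
            outdated[name] = (installed_vr, fixed[name])
    return outdated


if __name__ == "__main__":
    for name, (have, need) in outdated_packages(SAMPLE_RPM_QA).items():
        print(f"{name}: installed {have}, fixed in {need}")
```

On a real host, feed the script the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` instead of the constructed sample; the comparison rules are the reason "3.3.1-71.fc9" is correctly reported as older than "3.3.1-72.fc9" while a naive string comparison would also have ranked a hypothetical release 9 above release 10.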