+----------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | July 25th, 2008 Volume 9, Number 30 | | | | Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> | | Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> | +----------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, advisories were released for clamav, xulrunner, iceweasel, lighthttpd, libgd2, ruby, xemacs, wireshark, mysql, thunderbird, php, acroread, dnsmasq, firefox, and seamonkey. The distributors include Debian, Mandriva, Red Hat, Slackware, and Ubuntu. --- >> Linux+DVD Magazine << In each issue you can find information concerning the best use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments. Catch up with what professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software are doing! http://www.linuxsecurity.com/ads/adclick.php?bannerid=26 --- Security Features of Firefox 3.0 -------------------------------- Lets take a look at the security features of the newly released Firefox 3.0. Since it's release on Tuesday I have been testing it out to see how the new security enhancements work and help in increase user browsing security. One of the exciting improvements for me was how Firefox handles SSL secured web sites while browsing the Internet. There are also many other security features that this article will look at. For example, improved plugin and addon security. Read on for more security features of Firefox 3.0. http://www.linuxsecurity.com/content/view/138972 --- Review: The Book of Wireless ---------------------------- "The Book of Wireless" by John Ross is an answer to the problem of learning about wireless networking. With the wide spread use of Wireless networks today anyone with a computer should at least know the basics of wireless. Also, with the wireless networking, users need to know how to protect themselves from wireless networking attacks. http://www.linuxsecurity.com/content/view/136167 --> Take advantage of the LinuxSecurity.com Quick Reference Card! <-- --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- ------------------------------------------------------------------------ * EnGarde Secure Community 3.0.19 Now Available! (Apr 15) ------------------------------------------------------- Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.19 (Version 3.0, Release 19). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. http://www.linuxsecurity.com/content/view/136174 ------------------------------------------------------------------------ * Debian: new clamav packages fix denial of service (Jul 24) ---------------------------------------------------------- Damian Put discovered a vulnerability in the ClamAV anti-virus toolkit's parsing of Petite-packed Win32 executables. The weakness leads to an invalid memory access, and could enable an attacker to crash clamav by supplying a maliciously crafted Petite-compressed binary for scanning. In some configurations, such as when clamav is used in combination with mail servers, this could cause a system to "fail open," facilitating a follow-on viral attack. http://www.linuxsecurity.com/content/view/140238 * Debian: New xulrunner packages fix several vulnerabilities (Jul 23) ------------------------------------------------------------------- Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems: http://www.linuxsecurity.com/content/view/140196 * Debian: New iceweasel packages fix several vulnerabilities (Jul 23) ------------------------------------------------------------------- Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser.It was discovered that missing boundary checks on a reference counter for CSS objects can lead to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/140194 * Debian: New lighttpd packages fix regression (Jul 23) ----------------------------------------------------- It was discovered that lighttpd, a fast webserver with minimal memory footprint, was didn't correctly handle SSL errors. This could allow a remote attacker to disconnect all active SSL connections. http://www.linuxsecurity.com/content/view/140193 * Debian: new libgd2 packages fix multiple vulnerabilities (Jul 22) ----------------------------------------------------------------- Grayscale PNG files containing invalid tRNS chunk CRC values could cause a denial of service (crash), if a maliciously crafted image is loaded into an application using libgd. http://www.linuxsecurity.com/content/view/140069 * Debian: New ruby1.8 packages fix several vulnerabilities (Jul 21) ----------------------------------------------------------------- Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code. http://www.linuxsecurity.com/content/view/140064 ------------------------------------------------------------------------ * Mandriva: Updated xemacs packages fix vulnerability (Jul 23) ------------------------------------------------------------ A vulnerability in xemacs was found where an attacker could provide a group of files containing local variable definitions and arbitrary Lisp code to be executed when one of the provided files is opened by xemacs (CVE-2008-2142). The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/140198 * Mandriva: Updated emacs packages fix vulnerability (Jul 23) ----------------------------------------------------------- A vulnerability in emacs was found where an attacker could provide a group of files containing local variable definitions and arbitrary Lisp code to be executed when one of the provided files is opened by emacs (CVE-2008-2142). The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/140197 * Mandriva: Updated wireshark packages fix denial of service vulnerability (Jul 22) --------------------------------------------------------------------------------- A vulnerability was found in Wireshark, that could cause it to crash while processing malicious packets. This update provides Wireshark 1.0.2, which is not vulnerable to that. http://www.linuxsecurity.com/content/view/140073 * Mandriva: Updated libxslt packages fix buffer overflow vulnerability (Jul 21) ----------------------------------------------------------------------------- A buffer overflow vulnerability in libxslt could be exploited via an XSL style sheet file with a long XLST transformation match condition, which could possibly lead to the execution of arbitrary code (CVE-2008-1767). The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/140068 * Mandriva: Updated mysql packages fix vulnerabilities (Jul 19) ------------------------------------------------------------- Multiple buffer overflows in yaSSL, which is used in MySQL, allowed remote attackers to execute arbitrary code (CVE-2008-0226) or cause a denial of service via a special Hello packet (CVE-2008-0227). Sergei Golubchik found that MySQL did not properly validate optional data or index directory paths given in a CREATE TABLE statement; as well it would not, under certain conditions, prevent two databases from using the same paths for data or index files. This could allow an authenticated user with appropriate privilege to create tables in one database to read and manipulate data in tables later created in other databases, regardless of GRANT privileges (CVE-2008-2079). The updated packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/140060 * Mandriva: Updated mysql packages fix vulnerabilities (Jul 19) ------------------------------------------------------------- Sergei Golubchik found that MySQL did not properly validate optional data or index directory paths given in a CREATE TABLE statement; as well it would not, under certain conditions, prevent two databases from using the same paths for data or index files. This could allow an authenticated user with appropriate privilege to create tables in one database to read and manipulate data in tables later created in other databases, regardless of GRANT privileges (CVE-2008-2079). The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/140059 * Mandriva: Updated Firefox packages fix vulnerabilities (Jul 17) --------------------------------------------------------------- Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.16 (CVE-2008-2785, CVE-2008-2933). http://www.linuxsecurity.com/content/view/140006 ------------------------------------------------------------------------ * RedHat: Moderate: thunderbird security update (Jul 23) ------------------------------------------------------ Updated thunderbird packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/140199 * RedHat: Important: kernel security and bug fix update (Jul 23) -------------------------------------------------------------- Updated kernel packages that fix a security issue and several bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/140191 * RedHat: Moderate: php security update (Jul 22) ---------------------------------------------- Updated PHP packages that fix several security issues are now available for Red Hat Application Stack v1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/140070 * RedHat: Critical: acroread security update (Jul 21) --------------------------------------------------- Updated acroread packages that fix various security issues are now available for Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/140063 ------------------------------------------------------------------------ * Slackware: dnsmasq (Jul 23) ----------------------------- New dnsmasq packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, and -current to address possible DNS cache poisoning issues. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 http://www.linuxsecurity.com/content/view/140200 * Slackware: mozilla-firefox (Jul 17) ------------------------------------- New mozilla-firefox packages are available for Slackware 10.2, 11.0, 12.0, and 12.1 to fix security issues. More details about the issues may be found on the Mozilla site: http://www.mozilla.org/security/known-vulnerabilities/firefox20.html http://www.linuxsecurity.com/content/view/139938 * Slackware: seamonkey (Jul 17) ------------------------------- New seamonkey packages are available for Slackware 11.0, 12.0, 12.1, and -current to fix security issues. More details about the issues may be found here: http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.htm l http://www.linuxsecurity.com/content/view/139939 ------------------------------------------------------------------------ * Ubuntu: PHP vulnerabilities (Jul 23) ------------------------------------- It was discovered that PHP did not properly check the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function. (CVE-2007-4782) http://www.linuxsecurity.com/content/view/140195 * Ubuntu: Dnsmasq vulnerability (Jul 22) --------------------------------------- Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Dnsmasq. A remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic. http://www.linuxsecurity.com/content/view/140072 * Ubuntu: Firefox vulnerabilities (Jul 17) ----------------------------------------- A flaw was discovered in the browser engine. A variable could be made to overflow causing the browser to crash. If a user were tricked into opening a malicious web page, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2785) http://www.linuxsecurity.com/content/view/140005 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------
