+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| August 22nd, 2008                                Volume 9, Number 34 |
|                                                                      |
| Editorial Team:  Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx>             |
|                  Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx>      |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for postfix, xine-lib, mtr, yelp,
kernel, kdegraphics, amarok, cups, hplip, stunnel, yum-rhn-plugin, and
openwsman. The distributors include Debian, Gentoo, Mandriva, Red Hat,
SuSE, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Hacking Exposed Linux, Third Edition
--------------------------------------------

"Hacking Exposed Linux" by ISECOM (Institute for Security and Open
Methodologies) is a guide to help you secure your Linux environment.
This book not only helps you improve your security; it also looks at why
you should. It does this by showing examples of real attacks and rates
the importance of protecting yourself from being a victim of each type
of attack.

http://www.linuxsecurity.com/content/view/141165

---

Security Features of Firefox 3.0
--------------------------------

Let's take a look at the security features of the newly released
Firefox 3.0.
Since its release on Tuesday I have been testing it out to see how the
new security enhancements work and help increase user browsing security.
One of the exciting improvements for me was how Firefox handles SSL
secured web sites while browsing the Internet. There are also many other
security features that this article will look at, for example, improved
plugin and addon security. Read on for more security features of
Firefox 3.0.

http://www.linuxsecurity.com/content/view/138972

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf            <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.20 Now Available (Aug 19)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.20 (Version 3.0, Release 20). This release includes many
  updated packages and bug fixes and some feature enhancements to the
  EnGarde Secure Linux Installer and the SELinux policy.

  In distribution since 2001, EnGarde Secure Community was one of the
  very first security platforms developed entirely from open source, and
  has been engineered from the ground-up to provide users and
  organizations with complete, secure Web functionality, DNS, database,
  e-mail security and even e-commerce.

  http://www.linuxsecurity.com/content/view/141173

------------------------------------------------------------------------

* Debian: New postfix packages fix installability problem on i386 (Aug 19)
  ------------------------------------------------------------------------
  Note that only specific configurations are vulnerable; the default
  Debian installation is not affected. Only a configuration meeting the
  following requirements is vulnerable:

  * The mail delivery style is mailbox, with the Postfix built-in
    local(8) or virtual(8) delivery agents.
  * The mail spool directory (/var/spool/mail) is user-writeable.
  * The user can create hardlinks pointing to root-owned symlinks
    located in other directories.

  http://www.linuxsecurity.com/content/view/141172

* Debian: New postfix packages fix privilege escalation (Aug 18)
  --------------------------------------------------------------
  Sebastian Krahmer discovered that Postfix, a mail transfer agent,
  incorrectly checks the ownership of a mailbox. In some configurations,
  this allows for appending data to arbitrary files as root.

  http://www.linuxsecurity.com/content/view/141170

------------------------------------------------------------------------

* Gentoo: Postfix Local privilege escalation (Aug 14)
  ---------------------------------------------------
  Sebastian Krahmer of SuSE has found that Postfix allows mail to be
  delivered to root-owned symlinks in an insecure manner under certain
  conditions. Normally, Postfix does not deliver mail to symlinks,
  except to root-owned symlinks, for compatibility with systems that use
  symlinks in /dev, such as Solaris. Furthermore, some systems, such as
  Linux, allow a hardlink to be made to a symlink, while the
  POSIX.1-2001 standard requires that the symlink is followed.

  http://www.linuxsecurity.com/content/view/141161

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:178 ] xine-lib (Aug 21)
  ---------------------------------------------------------------------------
  Alin Rad Pop found an array index vulnerability in the SDP parser of
  xine-lib. If a user or automated system were tricked into opening a
  malicious RTSP stream, a remote attacker could possibly execute
  arbitrary code with the privileges of the user using the program
  (CVE-2008-0073).

  http://www.linuxsecurity.com/content/view/141183

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:177 ] xine-lib (Aug 20)
  ---------------------------------------------------------------------------
  Guido Landi found a stack-based buffer overflow in xine-lib that could
  allow a remote attacker to cause a denial of service (crash) and
  potentially execute arbitrary code via a long NSF title
  (CVE-2008-1878). The updated packages have been patched to correct
  this issue.

  http://www.linuxsecurity.com/content/view/141182

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:176 ] mtr (Aug 20)
  ----------------------------------------------------------------------
  A stack-based buffer overflow was found in mtr prior to version 0.73
  that allowed remote attackers to execute arbitrary code via a crafted
  DNS PTR record, when called with the --split option (CVE-2008-2357).
  The updated packages provide mtr 0.73 which corrects this issue.

  http://www.linuxsecurity.com/content/view/141181

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:175 ] yelp (Aug 20)
  -----------------------------------------------------------------------
  A format string vulnerability was discovered in yelp after version
  2.19.90 and before 2.24 that could allow remote attackers to execute
  arbitrary code via format string specifiers in an invalid URI on the
  command-line or via URI helpers in Firefox, Evolution, or possibly
  other programs (CVE-2008-3533). The updated packages have been patched
  to correct this issue.

  http://www.linuxsecurity.com/content/view/141180

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:174 ] kernel (Aug 19)
  -------------------------------------------------------------------------
  Some vulnerabilities were discovered and corrected in the Linux 2.6
  kernel:

  Linux kernel before 2.6.22.17, when using certain drivers that
  register a fault handler that does not perform range checks, allows
  local users to access kernel memory via an out-of-range offset.
  (CVE-2008-0007)

  The asn1 implementation in (a) the Linux kernel 2.4 before 2.4.36.6
  and 2.6 before 2.6.25.5, as used in the cifs and ip_nat_snmp_basic
  modules; and (b) the gxsnmp package; does not properly validate length
  values during decoding of ASN.1 BER data, which allows remote
  attackers to cause a denial of service (crash) or execute arbitrary
  code via (1) a length greater than the working buffer, which can lead
  to an unspecified overflow; (2) an oid length of zero, which can lead
  to an off-by-one error; or (3) an indefinite length for a primitive
  encoding. (CVE-2008-1673)

  http://www.linuxsecurity.com/content/view/141177

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:173 ] kdegraphics (Aug 19)
  ------------------------------------------------------------------------------
  Kees Cook of Ubuntu security found a flaw in how poppler prior to
  version 0.6 displayed malformed fonts embedded in PDF files. An
  attacker could create a malicious PDF file that would cause
  applications using poppler to crash, or possibly execute arbitrary
  code when opened (CVE-2008-1693). This vulnerability also affected
  older versions of kpdf, so the updated packages have been patched to
  correct this issue.

  http://www.linuxsecurity.com/content/view/141174

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:171 ] postfix (Aug 15)
  --------------------------------------------------------------------------
  Sebastian Krahmer of the SUSE Security Team discovered a flaw in the
  way Postfix dereferenced symbolic links. If a local user had write
  access to a mail spool directory without a root mailbox file, it could
  be possible for them to append arbitrary data to files that root had
  write permissions to (CVE-2008-2936).

  http://www.linuxsecurity.com/content/view/141166

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:172 ] amarok (Aug 15)
  -------------------------------------------------------------------------
  A flaw in Amarok prior to 1.4.10 would allow local users to overwrite
  arbitrary files via a symlink attack on a temporary file that Amarok
  created with a predictable name (CVE-2008-3699).

  http://www.linuxsecurity.com/content/view/141167

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:170 ] cups (Aug 14)
  -----------------------------------------------------------------------
  Thomas Pollet discovered an integer overflow vulnerability in the PNG
  image handling filter in CUPS. This could allow a malicious user to
  execute arbitrary code with the privileges of the user running CUPS,
  or cause a denial of service by sending a specially crafted PNG image
  to the print server (CVE-2008-1722).

  http://www.linuxsecurity.com/content/view/141154

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:169 ] hplip (Aug 14)
  ------------------------------------------------------------------------
  Marc Schoenefeld of the Red Hat Security Response Team discovered a
  vulnerability in the hplip alert-mailing functionality that could
  allow a local attacker to elevate their privileges by using
  specially-crafted packets to trigger alert mails that are sent by the
  root account (CVE-2008-2940).

  http://www.linuxsecurity.com/content/view/141153

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:168 ] stunnel (Aug 14)
  --------------------------------------------------------------------------
  A vulnerability was found in the OCSP search functionality in stunnel
  that could allow a remote attacker to use a revoked certificate that
  would be successfully authenticated by stunnel (CVE-2008-2420).
  This flaw only concerns users who have enabled OCSP validation.

  http://www.linuxsecurity.com/content/view/141152

------------------------------------------------------------------------

* RedHat: Moderate: postfix security update (Aug 14)
  --------------------------------------------------
  Updated postfix packages that fix a security issue are now available
  for Red Hat Enterprise Linux 3, 4, and 5. A flaw was found in the way
  Postfix dereferences symbolic links. If a local user has write access
  to a mail spool directory with no root mailbox, it may be possible for
  them to append arbitrary data to files that root has write permission
  to. This update has been rated as having moderate security impact by
  the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/141159

* RedHat: Moderate: yum-rhn-plugin security update (Aug 14)
  ---------------------------------------------------------
  Updated yum-rhn-plugin packages that fix a security issue are now
  available for Red Hat Enterprise Linux 5. It was discovered that
  yum-rhn-plugin did not verify the SSL certificate for all
  communication with a Red Hat Network server. An attacker able to
  redirect the network communication between a victim and an RHN server
  could use this flaw to provide malicious repository metadata. This
  metadata could be used to block the victim from receiving specific
  security updates. This update has been rated as having moderate
  security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/141157

------------------------------------------------------------------------

* SuSE: openwsman (SUSE-SA:2008:041) (Aug 14)
  -------------------------------------------
  The SuSE Security-Team has found two critical issues in the code:

  - two remote buffer overflows while decoding the HTTP basic
    authentication header (CVE-2008-2234)
  - a possible SSL session replay attack affecting the client (depending
    on the configuration) (CVE-2008-2233)

  http://www.linuxsecurity.com/content/view/141158

* SuSE: postfix (SUSE-SA:2008:040) (Aug 14)
  -----------------------------------------
  Postfix is a well known MTA. During a source code audit the SuSE
  Security-Team discovered a local privilege escalation bug
  (CVE-2008-2936) as well as a mailbox ownership problem (CVE-2008-2937)
  in postfix. The first bug allowed local users to execute arbitrary
  commands as root while the second one allowed local users to read
  other users' mail.

  http://www.linuxsecurity.com/content/view/141156

------------------------------------------------------------------------

* Ubuntu: xine-lib vulnerabilities (Aug 19)
  ------------------------------------------
  Alin Rad Pop discovered an array index vulnerability in the SDP
  parser. If a user or automated system were tricked into opening a
  malicious RTSP stream, a remote attacker may be able to execute
  arbitrary code with the privileges of the user invoking the program.
  (CVE-2008-0073)

  http://www.linuxsecurity.com/content/view/141176

* Ubuntu: Postfix vulnerability (Aug 19)
  ---------------------------------------
  Sebastian Krahmer discovered that Postfix was not correctly handling
  mailbox ownership when dealing with Linux's implementation of
  hardlinking to symlinks. In certain mail spool configurations, a local
  attacker could exploit this to append data to arbitrary files as the
  root user. The default Ubuntu configuration was not vulnerable.

  http://www.linuxsecurity.com/content/view/141175

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------