+----------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | October 10th, 2008 Volume 9, Number 41 | | | | Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> | | Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> | +----------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, advisories were released for iceweasel, mon, mplayer, feta, postfix, libxml, wordnet, portage, rpm, timezone, drakxtools, mono, pam_krb5, cups, condor, kernel, and tomcat. The distributors include Debian, Fedora, Gentoo, Mandriva, and Red Hat. --- Earn your MS in Info Assurance online Norwich University's Master of Science in Information Assurance (MSIA) program, designated by the National Security Agency as providing academically excellent education in Information Assurance, provides you with the skills to manage and lead an organization-wide information security program and the tools to fluently communicate the intricacies of information security at an executive level. http://www.linuxsecurity.com/ads/adclick.php?bannerid=12 --- Never Installed a Firewall on Ubuntu? Try Firestarter ----------------------------------------------------- When I typed on Google "Do I really need a firewall?" 695,000 results came across. And I'm pretty sure they must be saying "Hell yeah!". In my opinion, no one would ever recommend anyone to sit naked on the internet keeping in mind the insecurity internet carries these days, unless you really know what you are doing. Read on for more information on Firestarter. http://www.linuxsecurity.com/content/view/142641 --- Review: Hacking Exposed Linux, Third Edition -------------------------------------------- "Hacking Exposed Linux" by ISECOM (Institute for Security and Open Methodologies) is a guide to help you secure your Linux environment. This book does not only help improve your security it looks at why you should. It does this by showing examples of real attacks and rates the importance of protecting yourself from being a victim of each type of attack. http://www.linuxsecurity.com/content/view/141165 --> Take advantage of the LinuxSecurity.com Quick Reference Card! <-- --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- ------------------------------------------------------------------------ * EnGarde Secure Community 3.0.21 Now Available (Oct 7) ----------------------------------------------------- Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.21 (Version 3.0, Release 21). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database, e-mail security and even e-commerce. http://www.linuxsecurity.com/content/view/143039 ------------------------------------------------------------------------ * Debian: New iceweasel packages fix several vulnerabilities (Oct 8) ------------------------------------------------------------------ Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: http://www.linuxsecurity.com/content/view/143053 * Debian: New mon packages fix insecure temporary files (Oct 8) ------------------------------------------------------------- Dmitry E. Oboukhov discovered that the test.alert script used in one of the alert functions in mon, a system to monitor hosts or services and alert about problems, creates temporary files insecurely, which may lead to a local denial of service through symlink attacks. http://www.linuxsecurity.com/content/view/143051 * Debian: New mplayer packages fix integer overflows (Oct 5) ---------------------------------------------------------- Felipe Andres Manzano discovered that mplayer, a multimedia player, is vulnerable to several integer overflows in the Real video stream demuxing code. These flaws could allow an attacker to cause a denial of service (a crash) or potentially the execution of arbitrary code by supplying a maliciously crafted video file. http://www.linuxsecurity.com/content/view/142955 * Debian: New feta packages fix denial of service (Oct 5) ------------------------------------------------------- Dmitry E. Oboukhov discovered that the "to-upgrade" plugin of Feta, a simpler interface to APT, dpkg, and other Debian package tools creates temporary files insecurely, which may lead to local denial of service through symlink attacks. http://www.linuxsecurity.com/content/view/142954 ------------------------------------------------------------------------ * Fedora 9 Update: postfix-2.5.5-1.fc9 (Oct 9) -------------------------------------------- New upstream patch level version 2.5.5, including multiple security fixes detailed in upstream announcements: http://www.postfix.org/announcements/20080814.html http://www.postfix.org/announcements/20080902.html http://www.linuxsecurity.com/content/view/143104 * Fedora 8 Update: postfix-2.5.5-1.fc8 (Oct 9) -------------------------------------------- New upstream patch level version 2.5.5, including multiple security fixes detailed in upstream announcements: http://www.postfix.org/announcements/20080814.html http://www.postfix.org/announcements/20080902.html http://www.linuxsecurity.com/content/view/143089 * Fedora 9 Update: libxml2-2.7.1-2.fc9 (Oct 3) -------------------------------------------- This is an urgent security fix for a bug newly introduced in libxml2-2.7.x leading to CPU and memory exhaustion. See upstream bug report for further details: https://bugzilla.gnome.org/show_bug.cgi?id=554660 http://www.linuxsecurity.com/content/view/142907 ------------------------------------------------------------------------ * Gentoo: Portage Untrusted search path local root vulnerability (Oct 9) ---------------------------------------------------------------------- A search path vulnerability in Portage allows local attackers to execute commands with root privileges if emerge is called from untrusted directories. http://www.linuxsecurity.com/content/view/143057 * Gentoo: WordNet Execution of arbitrary code (Oct 7) --------------------------------------------------- Multiple vulnerabilities were found in WordNet, possibly allowing for the execution of arbitrary code. http://www.linuxsecurity.com/content/view/143040 ------------------------------------------------------------------------ * Mandriva: Subject: [Security Announce] [ MDVA-2008:134 ] rpm (Oct 7) -------------------------------------------------------------------- This package update adds support for LZMA compression in rpm. This will allow users of Mandriva Linux 2007.1 to upgrade to the Mandriva Linux 2009.0 release. http://www.linuxsecurity.com/content/view/143045 * Mandriva: Subject: [Security Announce] [ MDVA-2008:133 ] timezone (Oct 7) ------------------------------------------------------------------------- Updated timezone packages are being provided for older Mandriva Linux systems that do not contain new Daylight Savings Time information and Time Zone information for some locations. These updated packages contain the new information. http://www.linuxsecurity.com/content/view/143044 * Mandriva: Subject: [Security Announce] [ MDVA-2008:132 ] mandriva-release (Oct 3) --------------------------------------------------------------------------------- mandriva-release for Mandriva 2008 Spring should contain a product_branch set to Official, and not devel, otherwise it could lead to an error with the new mdkonline. The updated package fixes it. http://www.linuxsecurity.com/content/view/142953 * Mandriva: Subject: [Security Announce] [ MDVA-2008:131 ] rpmdrake (Oct 3) ------------------------------------------------------------------------- This update fixes several minor issues in rpmdrake: - it fixes a crash due to bad timing with the X server (#41010) - it fix empty per importance lists of updates in rpmdrake (list of all updates was OK, MandrivaUpdate was OK) (#41331) (regression introduced in 3.95 on 2007-09-14) http://www.linuxsecurity.com/content/view/142952 * Mandriva: Subject: [Security Announce] [ MDVA-2008:130 ] drakxtools (Oct 3) --------------------------------------------------------------------------- This update fixes several minor issues in drakxtools: - it fixes management of XEN kernels in bootloader-config, when adding a new kernel, a xen entry should not replace an existing 'linux' (#40865) - it fixes a crash in rpmdrake when description begins by Gtk2::.. (#43802) It also really enable draksnapashot to use Gtk+-2's new FileChooserDialog in future. http://www.linuxsecurity.com/content/view/142951 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:210 ] mono (Oct 3) ---------------------------------------------------------------------- CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string. The updated packages have been patched to fix the issue. http://www.linuxsecurity.com/content/view/142950 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:209 ] pam_krb5 (Oct 3) -------------------------------------------------------------------------- Stphane Bertin discovered a flaw in the pam_krb5 existing_ticket configuration option where, if enabled and using an existing credential cache, it was possible for a local user to gain elevated privileges by using a different, local user's credential cache (CVE-2008-3825). The updated packages have been patched to prevent this issue. http://www.linuxsecurity.com/content/view/142949 ------------------------------------------------------------------------ * RedHat: Important: cups security update (Oct 10) ------------------------------------------------ Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. A buffer overflow flaw was discovered in the SGI image format decoding routines used by the CUPS image converting filter "imagetops". An attacker could create a malicious SGI image file that could, possibly, execute arbitrary code as the "lp" user if the file was printed. http://www.linuxsecurity.com/content/view/143128 * RedHat: Moderate: condor security, (Oct 7) ------------------------------------------ Updated condor packages that fix multiple security issues, several bugs and introduce feature enhancements are now available for Red Hat Enterprise MRG 1.0 for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/143043 * RedHat: Moderate: condor security, (Oct 7) ------------------------------------------ Updated condor packages that address multiple security issues, fix several bugs, and introduce feature enhancements are now available for Red Hat Enterprise MRG 1.0 for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/143042 * RedHat: Important: kernel security and bug fix update (Oct 7) ------------------------------------------------------------- Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise MRG 1.0. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/143041 * RedHat: Important: tomcat security update (Oct 2) ------------------------------------------------- Updated tomcat packages that fix multiple security issues are now available for Red Hat Developer Suite 3. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/142866 * RedHat: Moderate: pam_krb5 security update (Oct 2) -------------------------------------------------- An updated pam_krb5 package that fixes a security issue is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/142867 * RedHat: Important: tomcat security update (Oct 2) ------------------------------------------------- Updated tomcat packages that fix several security issues are now available for Red Hat Application Server v2. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/142865 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------
