+----------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | October 19th, 2008 Volume 9, Number 43 | | | | Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> | | Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> | +----------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, advisories were released for libxml2, ruby, openldap, squid, pulseaudio, mon, dbus, libxml2, mono, and cups. The distributors include Debian and Mandriva. --- Earn your MS in Info Assurance online Norwich University's Master of Science in Information Assurance (MSIA) program, designated by the National Security Agency as providing academically excellent education in Information Assurance, provides you with the skills to manage and lead an organization-wide information security program and the tools to fluently communicate the intricacies of information security at an executive level. http://www.linuxsecurity.com/ads/adclick.php?bannerid=12 --- Never Installed a Firewall on Ubuntu? Try Firestarter ----------------------------------------------------- When I typed on Google "Do I really need a firewall?" 695,000 results came across. And I'm pretty sure they must be saying "Hell yeah!". In my opinion, no one would ever recommend anyone to sit naked on the internet keeping in mind the insecurity internet carries these days, unless you really know what you are doing. Read on for more information on Firestarter. http://www.linuxsecurity.com/content/view/142641 --- Review: Hacking Exposed Linux, Third Edition -------------------------------------------- "Hacking Exposed Linux" by ISECOM (Institute for Security and Open Methodologies) is a guide to help you secure your Linux environment. This book does not only help improve your security it looks at why you should. It does this by showing examples of real attacks and rates the importance of protecting yourself from being a victim of each type of attack. http://www.linuxsecurity.com/content/view/141165 --> Take advantage of the LinuxSecurity.com Quick Reference Card! <-- --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- ------------------------------------------------------------------------ * EnGarde Secure Community 3.0.21 Now Available (Oct 7) ----------------------------------------------------- Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.21 (Version 3.0, Release 21). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database, e-mail security and even e-commerce. http://www.linuxsecurity.com/content/view/143039 ------------------------------------------------------------------------ * Debian: New Linux 2.6.24 packages fix several vulnerabilities (Oct 16) ---------------------------------------------------------------------- Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, privilege escalation or a leak of sensitive data. The Common Vulnerabilities and Exposures project identifies the following problems: http://www.linuxsecurity.com/content/view/143327 * Debian: New libxml2 packages fix execution of arbitrary code (Oct 14) --------------------------------------------------------------------- It was discovered that libxml2, the GNOME XML library, didn't correctly handle long entity names. This could allow the execution of arbitrary code via a malicious XML file. http://www.linuxsecurity.com/content/view/143143 * Debian: New Linux 2.6.18 packages fix several vulnerabilities (Oct 13) ---------------------------------------------------------------------- Joe Jin reported a local denial of service vulnerability that allows system users to trigger an oops due to an improperly initialized data structure. http://www.linuxsecurity.com/content/view/143139 * Debian: New ruby1.9 packages fix several vulnerabilities (Oct 12) ----------------------------------------------------------------- Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems. http://www.linuxsecurity.com/content/view/143137 * Debian: New ruby1.8 packages fix several vulnerabilities (Oct 12) ----------------------------------------------------------------- Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems. Christian Neukirchen discovered that the WebRick module uses inefficient algorithms for HTTP header splitting, resulting in denial of service through resource exhaustion. http://www.linuxsecurity.com/content/view/143136 * Debian: New openldap2.3 packags fix denial of service (Oct 12) -------------------------------------------------------------- Cameron Hotchkies discovered that the OpenLDAP server slapd, a free implementation of the Lightweight Directory Access Protocol, could be crashed by sending malformed ASN1 requests. http://www.linuxsecurity.com/content/view/143135 * Debian: New squid packages fix array bounds check (Oct 11) ---------------------------------------------------------- In DSA 1646-1, an update was announced for a denial of service vulnerability in squid, a caching proxy server. Due to an error in packaging and in testing, the updated packages did not correct the weakness. An updated release is available which corrects the error. For reference, the original advisory text follows. http://www.linuxsecurity.com/content/view/143132 ------------------------------------------------------------------------ * Mandriva: Subject: [Security Announce] [ MDVA-2008:148 ] pulseaudio (Oct 17) ---------------------------------------------------------------------------- Some issues relating to thread cancellation have been discovered in the pulseaudio package shipped with Mandriva Linux 2009.0. These issues could result in the crash of an application acting as a pulseaudio client. This condition is greatly exacerbated when the client is unable to connect to the pulseaudio server. Due to the fact that libcanberra is used to play event sounds in GTK apps, this problem could present itself when running GTK applications as root which, under some circumstances, was unable to connect to the user's pulseaudio daemon. http://www.linuxsecurity.com/content/view/143331 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:214 ] mon (Oct 16) ---------------------------------------------------------------------- Dmitry E. Oboukhov found that the test.alert script used in one of the alert functions in mon created temporary files insecurely, which could lead to a local denial of service or arbitrary file overwrite via a symlink attack (CVE-2008-4477). The updated packages have been patched to prevent this issue. http://www.linuxsecurity.com/content/view/143326 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:213 ] dbus (Oct 15) ----------------------------------------------------------------------- The D-Bus library did not correctly validate certain corrupted signatures which could cause a crash of applications linked against the D-Bus library if a local user were to send a specially crafted D-Bus request (CVE-2008-3834). The updated packages have been patched to prevent this issue. http://www.linuxsecurity.com/content/view/143149 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:212 ] libxml2 (Oct 15) -------------------------------------------------------------------------- libxml2 version 2.7.0 and 2.7.1 did not properly handle predefined entities definitions in entities, which allowed context-dependent attackers to cause a denial of service (memory consumption and application crash) via certain XML documents (CVE-2008-4409). The updated packages have been patched to prevent this issue. http://www.linuxsecurity.com/content/view/143147 * Mandriva: Subject: [Security Announce] [ MDVA-2008:143 ] x11-driver-video-intel (Oct 15) ------------------------------------------------------------------------- Some recent intel graphics cards (Series 4) triggered a random freeze or a reboot of some machines when the graphical interface was loaded. Some affected machines include the Dell Latitude E6500 and Lenovo Thinkpad X200. http://www.linuxsecurity.com/content/view/143146 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:210-1 ] mono (Oct 11) ------------------------------------------------------------------------- CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string. The updated packages have been patched to fix the issue. http://www.linuxsecurity.com/content/view/143134 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:211 ] cups (Oct 11) ----------------------------------------------------------------------- A buffer overflow in the SGI image format decoding routines used by the CUPS image converting filter imagetops was discovered. An attacker could create malicious SGI image files that could possibly execute arbitrary code if the file was printed (CVE-2008-3639). An integer overflow flaw leading to a heap buffer overflow was found in the Text-to-PostScript texttops filter. http://www.linuxsecurity.com/content/view/143133 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------