Linux Advisory Watch: October 19th, 2008

+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| October 19th, 2008                               Volume 9, Number 43 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
|                       Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for libxml2, ruby, openldap, squid,
pulseaudio, mon, dbus, libxml2, mono, and cups.  The distributors
include Debian and Mandriva.

---

Earn your MS in Info Assurance online

Norwich University's Master of Science in Information Assurance
(MSIA) program, designated by the National Security Agency as providing
academically excellent education in Information Assurance, provides you
with the skills to manage and lead an organization-wide information
security program and the tools to fluently communicate the intricacies of
information security at an executive level.

http://www.linuxsecurity.com/ads/adclick.php?bannerid=12

---

Never Installed a Firewall on Ubuntu? Try Firestarter
-----------------------------------------------------
When I typed on Google "Do I really need a firewall?" 695,000 results
came up.  And I'm pretty sure they must be saying "Hell yeah!".
In my opinion, no one would ever recommend anyone to sit naked on the
internet, keeping in mind the insecurity the internet carries these days,
unless you really know what you are doing.

Read on for more information on Firestarter.

http://www.linuxsecurity.com/content/view/142641

---

Review: Hacking Exposed Linux, Third Edition
--------------------------------------------
"Hacking Exposed Linux" by ISECOM (Institute for Security and Open
Methodologies) is a guide to help you secure your Linux environment.
This book not only helps improve your security, it also looks at why you
should. It does this by showing examples of real attacks and rating the
importance of protecting yourself from being a victim of each type of
attack.

http://www.linuxsecurity.com/content/view/141165

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.21 Now Available (Oct 7)
  -----------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.21 (Version 3.0, Release 21). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  In distribution since 2001, EnGarde Secure Community was one of the
  very first security platforms developed entirely from open source,
  and has been engineered from the ground-up to provide users and
  organizations with complete, secure Web functionality, DNS, database,
  e-mail security and even e-commerce.

  http://www.linuxsecurity.com/content/view/143039

------------------------------------------------------------------------

* Debian: New Linux 2.6.24 packages fix several vulnerabilities (Oct 16)
  ----------------------------------------------------------------------
  Several vulnerabilities have been discovered in the Linux kernel that
  may lead to a denial of service, privilege escalation or a leak of
  sensitive data. The Common Vulnerabilities and Exposures project
  identifies the following problems:

  http://www.linuxsecurity.com/content/view/143327

* Debian: New libxml2 packages fix execution of arbitrary code (Oct 14)
  ---------------------------------------------------------------------
  It was discovered that libxml2, the GNOME XML library, didn't
  correctly handle long entity names.  This could allow the execution
  of arbitrary code via a malicious XML file.

  http://www.linuxsecurity.com/content/view/143143

* Debian: New Linux 2.6.18 packages fix several vulnerabilities (Oct 13)
  ----------------------------------------------------------------------
  Joe Jin reported a local denial of service vulnerability that
  allows system users to trigger an oops due to an improperly
  initialized data structure.

  http://www.linuxsecurity.com/content/view/143139

* Debian: New ruby1.9 packages fix several vulnerabilities (Oct 12)
  -----------------------------------------------------------------
  Several vulnerabilities have been discovered in the interpreter for
  the Ruby language, which may lead to denial of service and other
  security problems.

  http://www.linuxsecurity.com/content/view/143137

* Debian: New ruby1.8 packages fix several vulnerabilities (Oct 12)
  -----------------------------------------------------------------
  Several vulnerabilities have been discovered in the interpreter for
  the Ruby language, which may lead to denial of service and other
  security problems. Christian Neukirchen discovered that the WebRick
  module uses inefficient algorithms for HTTP header splitting,
  resulting in denial of service through resource exhaustion.

  http://www.linuxsecurity.com/content/view/143136

* Debian: New openldap2.3 packages fix denial of service (Oct 12)
  ---------------------------------------------------------------
  Cameron Hotchkies discovered that the OpenLDAP server slapd, a free
  implementation of the Lightweight Directory Access Protocol, could be
  crashed by sending malformed ASN.1 requests.

  http://www.linuxsecurity.com/content/view/143135

* Debian: New squid packages fix array bounds check (Oct 11)
  ----------------------------------------------------------
  In DSA 1646-1, an update was announced for a denial of service
  vulnerability in squid, a caching proxy server.  Due to an error in
  packaging and in testing, the updated packages did not correct the
  weakness.  An updated release is available which corrects the error.
  For reference, the original advisory text follows.

  http://www.linuxsecurity.com/content/view/143132

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVA-2008:148 ] pulseaudio (Oct 17)
  ----------------------------------------------------------------------------
  Some issues relating to thread cancellation have been discovered in
  the pulseaudio package shipped with Mandriva Linux 2009.0. These
  issues could result in the crash of an application acting as a
  pulseaudio client. This condition is greatly exacerbated when the
  client is unable to connect to the pulseaudio server. Because
  libcanberra is used to play event sounds in GTK apps, this problem
  could present itself when running GTK applications as root, which,
  under some circumstances, were unable to connect to the user's
  pulseaudio daemon.

  http://www.linuxsecurity.com/content/view/143331

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:214 ] mon (Oct 16)
  ----------------------------------------------------------------------
  Dmitry E. Oboukhov found that the test.alert script used in one of
  the alert functions in mon created temporary files insecurely, which
  could lead to a local denial of service or arbitrary file overwrite
  via a symlink attack (CVE-2008-4477). The updated packages have been
  patched to prevent this issue.

  http://www.linuxsecurity.com/content/view/143326

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:213 ] dbus (Oct 15)
  -----------------------------------------------------------------------
  The D-Bus library did not correctly validate certain corrupted
  signatures which could cause a crash of applications linked against
  the D-Bus library if a local user were to send a specially crafted
  D-Bus request (CVE-2008-3834). The updated packages have been patched
  to prevent this issue.

  http://www.linuxsecurity.com/content/view/143149

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:212 ] libxml2 (Oct 15)
  --------------------------------------------------------------------------
  libxml2 version 2.7.0 and 2.7.1 did not properly handle predefined
  entities definitions in entities, which allowed context-dependent
  attackers to cause a denial of service (memory consumption and
  application crash) via certain XML documents (CVE-2008-4409). The
  updated packages have been patched to prevent this issue.

  http://www.linuxsecurity.com/content/view/143147

* Mandriva: Subject: [Security Announce] [ MDVA-2008:143 ] x11-driver-video-intel (Oct 15)
  -----------------------------------------------------------------------------------------
  Some recent Intel graphics cards (Series 4) triggered a random freeze
  or a reboot of some machines when the graphical interface was loaded.
  Some affected machines include the Dell Latitude E6500 and Lenovo
  Thinkpad X200.

  http://www.linuxsecurity.com/content/view/143146

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:210-1 ] mono (Oct 11)
  -------------------------------------------------------------------------
  CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier
  allows remote attackers to inject arbitrary HTTP headers and conduct
  HTTP response splitting attacks via CRLF sequences in the query
  string. The updated packages have been patched to fix the issue.

  http://www.linuxsecurity.com/content/view/143134

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:211 ] cups (Oct 11)
  -----------------------------------------------------------------------
  A buffer overflow in the SGI image format decoding routines used by
  the CUPS image converting filter imagetops was discovered.  An
  attacker could create malicious SGI image files that could possibly
  execute arbitrary code if the file was printed (CVE-2008-3639). An
  integer overflow flaw leading to a heap buffer overflow was found in
  the Text-to-PostScript texttops filter.

  http://www.linuxsecurity.com/content/view/143133

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------