+----------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | November 3rd, 2008 Volume 9, Number 45 | | | | Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> | | Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> | +----------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, advisories were released for openoffice, libspf2, mdkonline, eterm, aterm, mplayer, kernel, lynx, emacs, and wireshark. This distributors include Debian, Fedora, Gentoo, Mandriva, and Red Hat. --- Earn your MS in Info Assurance online Norwich University's Master of Science in Information Assurance (MSIA) program, designated by the National Security Agency as providing academically excellent education in Information Assurance, provides you with the skills to manage and lead an organization-wide information security program and the tools to fluently communicate the intricacies of information security at an executive level. http://www.linuxsecurity.com/ads/adclick.php?bannerid=12 --- Never Installed a Firewall on Ubuntu? Try Firestarter ----------------------------------------------------- When I typed on Google "Do I really need a firewall?" 695,000 results came across. And I'm pretty sure they must be saying "Hell yeah!". In my opinion, no one would ever recommend anyone to sit naked on the internet keeping in mind the insecurity internet carries these days, unless you really know what you are doing. Read on for more information on Firestarter. http://www.linuxsecurity.com/content/view/142641 --- Review: Hacking Exposed Linux, Third Edition -------------------------------------------- "Hacking Exposed Linux" by ISECOM (Institute for Security and Open Methodologies) is a guide to help you secure your Linux environment. This book does not only help improve your security it looks at why you should. It does this by showing examples of real attacks and rates the importance of protecting yourself from being a victim of each type of attack. http://www.linuxsecurity.com/content/view/141165 --> Take advantage of the LinuxSecurity.com Quick Reference Card! <-- --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- ------------------------------------------------------------------------ * EnGarde Secure Community 3.0.21 Now Available (Oct 7) ----------------------------------------------------- Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.21 (Version 3.0, Release 21). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database, e-mail security and even e-commerce. http://www.linuxsecurity.com/content/view/143039 ------------------------------------------------------------------------ * Debian: New OpenOffice.org packages fix several vulnerabilities (Oct 29) ------------------------------------------------------------------------ The SureRun Security team discovered a bug in the WMF file parser that can be triggered by manipulated WMF files and can lead to heap overflows and arbitrary code execution. http://www.linuxsecurity.com/content/view/143700 * Debian: New clamav packages fix denial of service (Oct 26) ---------------------------------------------------------- Several denial-of-service vulnerabilities have been discovered in the ClamAV anti-virus toolkit: Insufficient checking for out-of-memory conditions results in null pointer derefences (CVE-2008-3912). http://www.linuxsecurity.com/content/view/143686 ------------------------------------------------------------------------ * Fedora 8 Update: openoffice.org-2.3.0-6.17.fc8 (Oct 31) ------------------------------------------------------- A security release to address: - CVE-2008-2237: Manipulated WMF files - CVE-2008-2238: Manipulated EMF files as described at http://www.openoffice.org/security/bulletin.html http://www.linuxsecurity.com/content/view/143832 * Fedora 9 Update: openoffice.org-2.4.2-18.1.fc9 (Oct 31) ------------------------------------------------------- Security update to address - CVE-2008-2237: Manipulated WMF files - CVE-2008-2238: Manipulated EMF files as described at http://www.openoffice.org/security/bulletin.html http://www.linuxsecurity.com/content/view/143813 ------------------------------------------------------------------------ * Gentoo: libspf2 DNS response buffer overflow (Oct 30) ----------------------------------------------------- A memory management error in libspf2 might allow for remote execution of arbitrary code. http://www.linuxsecurity.com/content/view/143806 ------------------------------------------------------------------------ * Mandriva: Subject: [Security Announce] [ MDVA-2008:163 ] mdkonline (Oct 30) --------------------------------------------------------------------------- This update ensures that the distribution upgrade notification is not detected in incorrect cases, and ensures that a distribution upgrade is only suggested after all security updates have been applied. It also improves the distribution upgrade confirmation dialog and reliability of network package installation. http://www.linuxsecurity.com/content/view/143805 * Mandriva: Subject: [Security Announce] [ MDVA-2008:162 ] openoffice.org (Oct 30) -------------------------------------------------------------------------------- This update provides a new upstream version of OpenOffice.org - 2.4.1.10. It also corrects the following bugs: Under 2.4 versions of OpenOffice.org, the Orientation option was removed from printer properties which prevented users from printing on a booklet format in a way they were used to do. This OpenOffice.org update enables the Orientation printer option again. http://www.linuxsecurity.com/content/view/143804 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:222 ] Eterm (Oct 29) ------------------------------------------------------------------------ A vulnerability in Eterm allowed it to open a terminal on :0 if the environment variable was not set or the -display option was not specified, which could be used by a local user to hijack X11 connections (CVE-2008-1692). The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/143704 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:221 ] aterm (Oct 29) ------------------------------------------------------------------------ A vulnerability in rxvt allowed it to open a terminal on :0 if the environment variable was not set, which could be used by a local user to hijack X11 connections (CVE-2008-1142). This issue also affects aterm. The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/143703 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:219 ] mplayer (Oct 29) -------------------------------------------------------------------------- A vulnerability that was discovered in xine-lib that allowed remote RTSP servers to execute arbitrary code via a large streamid SDP parameter also affects MPlayer (CVE-2008-0073). http://www.linuxsecurity.com/content/view/143702 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:220 ] kernel (Oct 29) ------------------------------------------------------------------------- Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel: The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux kernel before 2.6.27-rc2 does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obtain sensitive information. http://www.linuxsecurity.com/content/view/143701 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:218 ] lynx (Oct 28) ----------------------------------------------------------------------- A vulnerability was found in the Lynxcgi: URI handler that could allow an attacker to create a web page redirecting to a malicious URL that would execute arbitrary code as the user running Lynx, if they were using the non-default Advanced user mode (CVE-2008-4690). This update corrects these issues and, in addition, makes Lynx always prompt the user before loading a lynxcgi: URI. As well, the default lynx.cfg configuration file marks all lynxcgi: URIs as untrusted. http://www.linuxsecurity.com/content/view/143698 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:217 ] lynx (Oct 28) ----------------------------------------------------------------------- A flaw was found in the way Lynx handled .mailcap and .mime.types configuration files. If these files were present in the current working directory, they would be loaded prior to similar files in the user's home directory. This could allow a local attacker to possibly execute arbitrary code as the user running Lynx, if they could convince the user to run Lynx in a directory under their control (CVE-2006-7234) http://www.linuxsecurity.com/content/view/143697 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:216 ] emacs (Oct 27) ------------------------------------------------------------------------ A vulnerability was found in how Emacs would import python scripts from the current working directory during the editing of a python file. This could allow a local user to execute arbitrary code via a trojan python file (CVE-2008-3949). http://www.linuxsecurity.com/content/view/143693 * Mandriva: Subject: [Security Announce] [ MDVSA-2008:215 ] wireshark (Oct 27) ---------------------------------------------------------------------------- A number of vulnerabilities were discovered in Wireshark that could cause it to crash or abort while processing malicious packets http://www.linuxsecurity.com/content/view/143690 ------------------------------------------------------------------------ * RedHat: Important: flash-plugin security update (Oct 28) -------------------------------------------------------- An updated Adobe Flash Player package that fixes several security issues is now available for Red Hat Enterprise Linux 5 Supplementary. A flaw was found in the way Adobe Flash Player wrote content to the clipboard. A malicious SWF file could populate the clipboard with a URL that could cause the user to mistakenly load an attacker-controlled URL. http://www.linuxsecurity.com/content/view/143695 * RedHat: Important: lynx security update (Oct 27) ------------------------------------------------ An updated lynx package that corrects two security issues is now available for Red Hat Enterprise Linux 2.1, 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/143689 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------