+----------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | December 26th, 2008 Volume 9, Number 52 | | | | Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> | | Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> | +----------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, advisories were released for courier-authlib, moodle, avahi, VLC, imlib2, ampache, clamav, powerdns, mailscanner, flash-plugin, java, firefox, nagios, blender, perl, mplayer, php and git. The distributors include Gentoo, Mandriva, Red Hat, Slackware, Ubuntu, and Pardus. --- >> Linux+DVD Magazine << In each issue you can find information concerning the best use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments. Catch up with what professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software are doing! http://www.linuxsecurity.com/ads/adclick.php?bannerid=26 --- Review: Googling Security: How Much Does Google Know About You -------------------------------------------------------------- If I ask "How much do you know about Google?" You may not take even a second to respond. But if I may ask "How much does Google know about you"? You may instantly reply "Wait... what!? Do they!?" The book "Googling Security: How Much Does Google Know About You" by Greg Conti (Computer Science Professor at West Point) is the first book to reveal how Google's vast information stockpiles could be used against you or your business and what you can do to protect yourself. http://www.linuxsecurity.com/content/view/145939 --- A Secure Nagios Server ---------------------- Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security. http://www.linuxsecurity.com/content/view/144088 --> Take advantage of the LinuxSecurity.com Quick Reference Card! <-- --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- ------------------------------------------------------------------------ * EnGarde Secure Community 3.0.22 Now Available! (Dec 9) ------------------------------------------------------ Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. http://www.linuxsecurity.com/content/view/145668 ------------------------------------------------------------------------ * Debian: New courier-authlib packages fix regression (Dec 22) ------------------------------------------------------------ Two SQL injection vulnerabilities have beein found in courier-authlib, the courier authentification library. The MySQL database interface used insufficient escaping mechanisms when constructing SQL statements, leading to SQL injection vulnerabilities if certain charsets are used (CVE-2008-2380). A similar issue affects the PostgreSQL database interface (CVE-2008-2667). http://www.linuxsecurity.com/content/view/146349 * Debian: New moodle packages fix several vulnerabilities (Dec 22) ---------------------------------------------------------------- Several remote vulnerabilities have been discovered in Moodle, an online course management system. The following issues are addressed in this update, ranging from cross site scripting to remote code execution. http://www.linuxsecurity.com/content/view/146340 * Debian: New avahi packages fix denial of service (Dec 22) --------------------------------------------------------- Two denial of service conditions were discovered in avahi, a Multicast DNS implementation. Huge Dias discovered that the avahi daemon aborts with an assert error if it encounters a UDP packet with source port 0 (CVE-2008-5081). http://www.linuxsecurity.com/content/view/146339 * Debian: New courier-authlib packages fix SQL injection (Dec 20) --------------------------------------------------------------- Two SQL injection vulnerabilities have beein found in courier-authlib, the courier authentification library. The MySQL database interface used insufficient escaping mechanisms when constructing SQL statements, leading to SQL injection vulnerabilities if certain charsets are used (CVE-2008-2380). A similar issue affects the PostgreSQL database interface (CVE-2008-2667). http://www.linuxsecurity.com/content/view/146064 ------------------------------------------------------------------------ * Gentoo: VLC Multiple vulnerabilities (Dec 23) --------------------------------------------- Multiple vulnerabilities in VLC may lead to the remote execution of arbitrary code. http://www.linuxsecurity.com/content/view/146362 * Gentoo: Imlib2 User-assisted execution of arbitrary code (Dec 23) ----------------------------------------------------------------- A buffer overflow vulnerability has been discovered in Imlib2. http://www.linuxsecurity.com/content/view/146361 * Gentoo: Ampache Insecure temporary file usage (Dec 23) ------------------------------------------------------ An insecure temporary file usage has been reported in Ampache, allowing for symlink attacks. http://www.linuxsecurity.com/content/view/146360 * Gentoo: ClamAV Multiple vulnerabilities (Dec 23) ------------------------------------------------ Two vulnerabilities in ClamAV may allow for the remote execution of arbitrary code or a Denial of Service. http://www.linuxsecurity.com/content/view/146359 * Gentoo: PowerDNS Multiple vulnerabilities (Dec 19) -------------------------------------------------- Two vulnerabilities have been discovered in PowerDNS, possibly leading to a Denial of Service and easing cache poisoning attacks. http://www.linuxsecurity.com/content/view/146062 ------------------------------------------------------------------------ * Mandriva: Subject: [Security Announce] [ MDVA-2008:241 ] mailscanner (Dec 22) ----------------------------------------------------------------------------- Local users can use symlink attacks throughout a flaw on trend-autoupdate script of MailScanner by using /tmp/opr.ini.##### or /tmp/lpt temporary file (CVE-2008-5140). http://www.linuxsecurity.com/content/view/146348 ------------------------------------------------------------------------ * RedHat: Critical: flash-plugin security update (Dec 19) ------------------------------------------------------- An updated Adobe Flash Player package that fixes a security issue is now available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/146061 * RedHat: Important: java-1.4.2-bea security update (Dec 18) ---------------------------------------------------------- java-1.4.2-bea as shipped in Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5 Supplementary, contains security flaws and should not be used. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/146053 * RedHat: Important: java-1.5.0-bea security update (Dec 18) ---------------------------------------------------------- java-1.5.0-bea as shipped in Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary, contains security flaws and should not be used. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/146054 * RedHat: Important: java-1.6.0-bea security update (Dec 18) ---------------------------------------------------------- java-1.6.0-bea as shipped in Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary, contains security flaws and should not be used.This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/146055 ------------------------------------------------------------------------ * Slackware: mozilla-firefox (Dec 18) ------------------------------------- New mozilla-firefox packages are available for Slackware 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix security issues. http://www.linuxsecurity.com/content/view/146060 ------------------------------------------------------------------------ * Ubuntu: OpenOffice.org Internationalization update (Dec 23) ------------------------------------------------------------ USN-677-1 fixed vulnerabilities in OpenOffice.org. The changes required that openoffice.org-l10n also be updated for the new version in Ubuntu 8.04 LTS. Original advisory details: Multiple memory overflow flaws were discovered in OpenOffice.org's handling of WMF and EMF files. If a user were tricked into opening a specially crafted document, a remote attacker might be able to execute arbitrary code with user privileges. (CVE-2008-2237, CVE-2008-2238) http://www.linuxsecurity.com/content/view/146358 * Ubuntu: Nagios vulnerabilities (Dec 23) ---------------------------------------- It was discovered that Nagios was vulnerable to a Cross-site request forgery (CSRF) vulnerability. If an authenticated nagios user were tricked into clicking a link on a specially crafted web page, an attacker could trigger commands to be processed by Nagios and execute arbitrary programs. This update alters Nagios behaviour by disabling submission of CMD_CHANGE commands. (CVE-2008-5028) http://www.linuxsecurity.com/content/view/146351 * Ubuntu: Blender vulnerabilities (Dec 22) ----------------------------------------- It was discovered that Blender did not correctly handle certain malformed Radiance RGBE images. If a user were tricked into opening a .blend file containing a specially crafted Radiance RGBE image, an attacker could execute arbitrary code with the user's privileges. (CVE-2008-1102) http://www.linuxsecurity.com/content/view/146342 * Ubuntu: Nagios3 vulnerabilities (Dec 22) ----------------------------------------- It was discovered that Nagios was vulnerable to a Cross-site request forgery (CSRF) vulnerability. If an authenticated nagios user were tricked into clicking a link on a specially crafted web page, an attacker could trigger commands to be processed by Nagios and execute arbitrary programs. This update alters Nagios behaviour by disabling submission of CMD_CHANGE commands. (CVE-2008-5028) http://www.linuxsecurity.com/content/view/146343 * Ubuntu: Imlib2 vulnerability (Dec 22) -------------------------------------- It was discovered that Imlib2 did not correctly handle certain malformed XPM and PNG images. If a user were tricked into opening a specially crafted image with an application that uses Imlib2, an attacker could cause a denial of service and possibly execute arbitrary code with the user's privileges. http://www.linuxsecurity.com/content/view/146344 * Ubuntu: Nagios vulnerability (Dec 22) -------------------------------------- It was discovered that Nagios did not properly parse commands submitted using the web interface. An authenticated user could use a custom form or a browser addon to bypass security restrictions and submit unauthorized commands. http://www.linuxsecurity.com/content/view/146345 ------------------------------------------------------------------------ * Pardus: Perl Symlink Attack (Dec 24) ------------------------------------ Race condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack. http://www.linuxsecurity.com/content/view/146388 * Pardus: Mplayer Buffer Overflow (Dec 24) ---------------------------------------- Stack-based buffer overflow in the demux_open_vqf function in libmpdemux/demux_vqf.c in MPlayer allows remote attackers to execute arbitrary code via a malformed TwinVQ file. http://www.linuxsecurity.com/content/view/146387 * Pardus: Flashplugin System access Vulnerability (Dec 23) -------------------------------------------------------- A vulnerability has been reported in Adobe Flash Player, which potentially can be exploited by malicious people to compromise a user's system. http://www.linuxsecurity.com/content/view/146357 * Pardus: Thunderbird Multiple Vulnerabilities (Dec 23) ----------------------------------------------------- Some vulnerabilities have been reported in Mozilla Thunderbird, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a user's system. http://www.linuxsecurity.com/content/view/146356 * Pardus: Firefox Multiple Vulnerabilities (Dec 23) ------------------------------------------------- Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a user's system. http://www.linuxsecurity.com/content/view/146355 * Pardus: Sun-JDK Multiple Vulnerabilities (Dec 23) ------------------------------------------------- Some vulnerabilities have been reported in Sun Java, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, cause a DoS (Denial of service), or compromise a vulnerable system. http://www.linuxsecurity.com/content/view/146354 * Pardus: Avahi Denial of Service Vulnerability (Dec 23) ------------------------------------------------------ The vulnerability is caused due to an error when processing multicast DNS (mDNS) data and can be exploited to terminate the application via an UDP packet having a source port equal to zero. http://www.linuxsecurity.com/content/view/146353 * Pardus: Php Multiple Vulnerabilities (Dec 23) --------------------------------------------- Some vulnerabilities have been reported in PHP, where some have an unknown impact and others can potentially be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. http://www.linuxsecurity.com/content/view/146352 * Pardus: Git Privilege Escalation (Dec 23) ----------------------------------------- A security issue has been reported in GIT, which can be exploited by malicious, local users to gain escalated privileges. http://www.linuxsecurity.com/content/view/146389 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------
