+----------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | January 9th, 2009 Volume 10, Number 2 | | | | Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> | | Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> | +----------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, advisories were released for icedove, ruby, xterm, proftpd, thunderbird, dovecove, samba, wireshark, kernel, msec, bind, lcms, handterm-xf, openssl, xen, and gnome-vfs. The distributors include Debian, Fedora, Red Hat, Slackware, Ubuntu, and Pardus. --- >> Linux+DVD Magazine << In each issue you can find information concerning the best use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments. Catch up with what professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software are doing! http://www.linuxsecurity.com/ads/adclick.php?bannerid=26 --- Review: Googling Security: How Much Does Google Know About You -------------------------------------------------------------- If I ask "How much do you know about Google?" You may not take even a second to respond. But if I may ask "How much does Google know about you"? You may instantly reply "Wait... what!? Do they!?" The book "Googling Security: How Much Does Google Know About You" by Greg Conti (Computer Science Professor at West Point) is the first book to reveal how Google's vast information stockpiles could be used against you or your business and what you can do to protect yourself. http://www.linuxsecurity.com/content/view/145939 --- A Secure Nagios Server ---------------------- Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security. http://www.linuxsecurity.com/content/view/144088 --> Take advantage of the LinuxSecurity.com Quick Reference Card! <-- --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- ------------------------------------------------------------------------ * EnGarde Secure Community 3.0.22 Now Available! (Dec 9) ------------------------------------------------------ Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. http://www.linuxsecurity.com/content/view/145668 ------------------------------------------------------------------------ * Debian: New icedove packages fix several vulnerabilities (Jan 7) ---------------------------------------------------------------- Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client. http://www.linuxsecurity.com/content/view/147033 * Debian: New Ruby packages fix denial of service (Jan 2) ------------------------------------------------------- The regular expression engine of Ruby, a scripting language, contains a memory leak which can be triggered remotely under certain circumstances, leading to a denial of service condition (CVE-2008-3443). http://www.linuxsecurity.com/content/view/146706 * Debian: New xterm packages fix remote code execution (Jan 2) ------------------------------------------------------------ Paul Szabo discovered that xterm, a terminal emulator for the X Window System, places arbitrary characters into the input buffer when displaying certain crafted escape sequences (CVE-2008-2383). http://www.linuxsecurity.com/content/view/146705 ------------------------------------------------------------------------ * Fedora 8 Update: proftpd-1.3.1-8.fc8 (Jan 7) -------------------------------------------- This update fixes a security issue where an attacker could conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands. It also fixes some SSL shutdown issues seen with certain clients. http://www.linuxsecurity.com/content/view/146968 * Fedora 9 Update: thunderbird-2.0.0.19-1.fc9 (Jan 7) --------------------------------------------------- Update to the new upstream Thunderbird 2.0.0.19 fixing multiple security issues: http://www.mozilla.org/security/known- vulnerabilities/thunderbird20.html#thunderbird2.0.0.19 Note: after the updated packages are installed, Thunderbird must be restarted for the update to take effect. http://www.linuxsecurity.com/content/view/146962 * Fedora 10 Update: thunderbird-2.0.0.19-1.fc10 (Jan 7) ----------------------------------------------------- Update to the new upstream Thunderbird 2.0.0.19 fixing multiple security issues: http://www.mozilla.org/security/known- vulnerabilities/thunderbird20.html#thunderbird2.0.0.19 Note: after the updated packages are installed, Thunderbird must be restarted for the update to take effect. http://www.linuxsecurity.com/content/view/146956 * Fedora 8 Update: xterm-238-1.fc8 (Jan 7) ---------------------------------------- This update fixes the following security issue: CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071. http://www.linuxsecurity.com/content/view/146907 * Fedora 8 Update: dovecot-1.0.15-16.fc8 (Jan 7) ---------------------------------------------- new possibility to store ssl passwords in different file linked to dovecot.conf via !include_try directive change permissions of deliver and dovecot.conf to prevent possible password exposure change permissions of deliver and dovecot.conf to prevent possible password exposure http://www.linuxsecurity.com/content/view/146910 * Fedora 10 Update: samba-3.2.7-0.25.fc10 (Jan 7) ----------------------------------------------- Security fix for CVE-2009-0022 http://www.linuxsecurity.com/content/view/146912 * Fedora 9 Update: dovecot-1.0.15-16.fc9 (Jan 7) ---------------------------------------------- new possibility to store ssl passwords in different file linked to dovecot.conf via !include_try directive change permissions of deliver and dovecot.conf to prevent possible password exposure http://www.linuxsecurity.com/content/view/146902 * Fedora 10 Update: xterm-238-1.fc10 (Jan 7) ------------------------------------------ This update fixes the following security issue: CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071. http://www.linuxsecurity.com/content/view/146834 * Fedora 9 Update: wireshark-1.0.5-1.fc9 (Jan 7) ---------------------------------------------- Various minor security flaws were fixed in wireshark 1.0.5 http://www.linuxsecurity.com/content/view/146824 * Fedora 8 Update: thunderbird-2.0.0.19-1.fc8 (Jan 7) --------------------------------------------------- Update to the new upstream Thunderbird 2.0.0.19 fixing multiple security issues: http://www.mozilla.org/security/known- vulnerabilities/thunderbird20.html#thunderbird2.0.0.19 Note: after the updated packages are installed, Thunderbird must be restarted for the update to take effect. http://www.linuxsecurity.com/content/view/146828 * Fedora 10 Update: proftpd-1.3.1-8.fc10 (Jan 7) ---------------------------------------------- This update fixes a security issue where an attacker could conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands. It also fixes some SSL shutdown issues seen with certain clients. http://www.linuxsecurity.com/content/view/146829 * Fedora 9 Update: xterm-238-1.fc9 (Jan 7) ---------------------------------------- This update fixes the following security issue: CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071. http://www.linuxsecurity.com/content/view/146795 * Fedora 9 Update: proftpd-1.3.1-8.fc9 (Jan 7) -------------------------------------------- This update fixes a security issue where an attacker could conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands. It also fixes some SSL shutdown issues seen with certain clients. http://www.linuxsecurity.com/content/view/146800 ------------------------------------------------------------------------ * Mandriva: Subject: [Security Announce] [ MDVA-2009:007 ] kernel (Jan 7) ----------------------------------------------------------------------- The security fix for CVE-2007-6716 in previous kernel update introduced a problem in directio, when calling pvcreate. This update provides an updated patch fixing it. http://www.linuxsecurity.com/content/view/147078 * Mandriva: Subject: [Security Announce] [ MDVA-2009:002 ] msec (Jan 5) --------------------------------------------------------------------- This update fixes the following two issues with msec: when changing to a higher security level, permit_root_login is not handled correctly (bug #19726) http://www.linuxsecurity.com/content/view/146710 ------------------------------------------------------------------------ * RedHat: Moderate: bind security update (Jan 8) ---------------------------------------------- Updated Bind packages to correct a security issue are now available for Red Hat Enterprise Linux 2.1, 3, 4, and 5. A flaw was discovered in the way BIND checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks. (CVE-2009-0025) This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/147114 * RedHat: Important: kernel security update (Jan 8) ------------------------------------------------- Updated kernel packages that fix a number of security issues are now available for Red Hat Enterprise Linux 2.1 running on 32-bit architectures. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/147112 * RedHat: Moderate: lcms security update (Jan 7) ---------------------------------------------- Updated lcms packages that resolve several security issues are now available for Red Hat Enterprise Linux 5. Multiple insufficient input validation flaws were discovered in LittleCMS. An attacker could use these flaws to create a specially-crafted image file which could cause an application using LittleCMS to crash, or, possibly, execute arbitrary code when opened. http://www.linuxsecurity.com/content/view/147029 * RedHat: Important: hanterm-xf security update (Jan 7) ----------------------------------------------------- An updated hanterm-xf package to correct a security issue is now available for Red Hat Enterprise Linux 2.1. A flaw was found in the Hanterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside a Hanterm window. (CVE-2008-2383) http://www.linuxsecurity.com/content/view/147030 * RedHat: Important: openssl security update (Jan 7) -------------------------------------------------- Updated OpenSSL packages that correct a security issue are now available for Red Hat Enterprise Linux 2.1, 3, 4, and 5. The Google security team discovered a flaw in the way OpenSSL checked the verification of certificates. An attacker in control of a malicious server, or able to effect a "man in the middle" attack, could present a malformed SSL/TLS signature from a certificate chain to a vulnerable client and bypass validation. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/147027 * RedHat: Moderate: dbus security update (Jan 7) ---------------------------------------------- Updated dbus packages that fix a security issue are now available for Red Hat Enterprise Linux 5. A denial-of-service flaw was discovered in the system for sending messages between applications. A local user could send a message with a malformed signature to the bus causing the bus (and, consequently, any process using libdbus to receive messages) to abort. http://www.linuxsecurity.com/content/view/147028 * RedHat: Important: xterm security update (Jan 7) ------------------------------------------------ An updated xterm package to correct a security issue is now available for Red Hat Enterprise Linux 3, 4, and 5. A flaw was found in the xterm handling of Device Control Request Status String (DECRQSS) escape sequences. An attacker could create a malicious text file (or log entry, if unfiltered) that could run arbitrary commands if read by a victim inside an xterm window. (CVE-2008-2383) http://www.linuxsecurity.com/content/view/147026 * RedHat: Moderate: thunderbird security update (Jan 7) ----------------------------------------------------- Updated thunderbird packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. Several flaws were found in the processing of malformed HTML mail content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code as the user running Thunderbird. (CVE-2008-5500, http://www.linuxsecurity.com/content/view/147023 * RedHat: Moderate: xen security and bug fix update (Jan 7) --------------------------------------------------------- Updated xen packages that resolve several security issues and a bug are now available for Red Hat Enterprise Linux 5. Xen was found to allow unprivileged DomU domains to overwrite xenstore values which should only be changeable by the privileged Dom0 domain. An attacker controlling a DomU domain could, potentially, use this flaw to kill arbitrary processes in Dom0 or trick a Dom0 user into accessing the text console of a different domain running on the same host. This update makes certain parts of the xenstore tree read-only to the unprivileged DomU domains. (CVE-2008-4405) http://www.linuxsecurity.com/content/view/147024 * RedHat: Moderate: gnome-vfs, gnome-vfs2 security update (Jan 7) --------------------------------------------------------------- Updated GNOME VFS packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1, 3 and 4. A buffer overflow flaw was discovered in the GNOME virtual file system when handling data returned by CDDB servers. If a user connected to a malicious CDDB server, an attacker could use this flaw to execute arbitrary code on the victim's machine. http://www.linuxsecurity.com/content/view/147025 * RedHat: Important: kernel security update (Jan 5) ------------------------------------------------- Updated kernel packages that fix a number of security issues are now available for Red Hat Enterprise Linux 2.1 running on 64-bit architectures. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/146707 ------------------------------------------------------------------------ * Slackware: samba (Jan 5) -------------------------- New samba packages are available for Slackware 12.2 and -current to fix a security issue. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0022 http://www.linuxsecurity.com/content/view/146715 ------------------------------------------------------------------------ * Ubuntu: Samba vulnerability (Jan 5) ------------------------------------ Gunter Hckel discovered that Samba with registry shares enabled did not properly validate share names. An authenticated user could gain access to the root filesystem by using an older version of smbclient and specifying an empty string as a share name. This is only an issue if registry shares are enabled on the server by setting "registry shares = yes", "include = registry", or "config backend = registry", which is not the default. http://www.linuxsecurity.com/content/view/146709 ------------------------------------------------------------------------ * Pardus: Samba Security Bypass (Jan 8) ------------------------------------- A security issue has been reported in Samba, which can be exploited by malicious users to bypass certain security restrictions. http://www.linuxsecurity.com/content/view/147113 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------