+----------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | January 23rd, 2009 Volume 10, Number 4 | | | | Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> | | Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> | +----------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, advisories were released for iceweasel, amarok, netatalk, drupal, mumbles, moodle, uw-imap, devIL, net-snmp, scilab, php, xine-lib, kdebase, ffmpeg, mplayer, thunderbird, bind, ntp, and perl. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, SuSE, and Ubuntu. --- >> Linux+DVD Magazine << In each issue you can find information concerning the best use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments. Catch up with what professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software are doing! http://www.linuxsecurity.com/ads/adclick.php?bannerid=26 --- Review: Googling Security: How Much Does Google Know About You -------------------------------------------------------------- If I ask "How much do you know about Google?" You may not take even a second to respond. But if I may ask "How much does Google know about you"? You may instantly reply "Wait... what!? Do they!?" The book "Googling Security: How Much Does Google Know About You" by Greg Conti (Computer Science Professor at West Point) is the first book to reveal how Google's vast information stockpiles could be used against you or your business and what you can do to protect yourself. http://www.linuxsecurity.com/content/view/145939 --- A Secure Nagios Server ---------------------- Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security. http://www.linuxsecurity.com/content/view/144088 --> Take advantage of the LinuxSecurity.com Quick Reference Card! <-- --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- ------------------------------------------------------------------------ * EnGarde Secure Community 3.0.22 Now Available! (Dec 9) ------------------------------------------------------ Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. http://www.linuxsecurity.com/content/view/145668 ------------------------------------------------------------------------ * Debian: New iceweasel packages fix several vulnerabilities (Jan 15) ------------------------------------------------------------------- Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems... http://www.linuxsecurity.com/content/view/147395 * Debian: New amarok packages fix arbitrary code execution (Jan 15) ----------------------------------------------------------------- Tobias Klein discovered that integer overflows in the code the Amarok media player uses to parse Audible files may lead to the execution of arbitrary code. http://www.linuxsecurity.com/content/view/147394 * Debian: New netatalk packages fix arbitrary code execution (Jan 15) ------------------------------------------------------------------- It was discovered that netatalk, an implementation of the AppleTalk suite, is affected by a command injection vulnerability when processing PostScript streams via papd. This could lead to the execution of arbitrary code. Please note that this only affects installations that are configured to use a pipe command in combination with wildcard symbols substituted with values of the printed job. http://www.linuxsecurity.com/content/view/147391 ------------------------------------------------------------------------ * Fedora 10 Update: drupal-6.9-1.fc10 (Jan 22) -------------------------------------------- SA-CORE-2009-001 ( http://drupal.org/node/358957 ) Remember to log in to your site as the admin user before upgrading this package. After upgrading the package, browse to http://host/drupal/update.php to run the upgrade script. http://www.linuxsecurity.com/content/view/147690 * Fedora 9 Update: drupal-6.9-1.fc9 (Jan 22) ------------------------------------------ SA-CORE-2009-001 ( http://drupal.org/node/358957 ) Remember to log in to your site as the admin user before upgrading this package. After upgrading the package, browse to http://host/drupal/update.php to run the upgrade script. http://www.linuxsecurity.com/content/view/147691 * Fedora 9 Update: amarok-1.4.10-2.fc9 (Jan 22) --------------------------------------------- This build includes a security fix concerning the parsing of malformed Audible digital audio files. http://www.linuxsecurity.com/content/view/147692 * Fedora 10 Update: mumbles-0.4-9.fc10 (Jan 22) --------------------------------------------- - Fixed path to make mumbles run on x86_64 bug #479158 - Security fix for Firefox plugin bug #479171 http://www.linuxsecurity.com/content/view/147693 * Fedora 9 Update: moodle-1.9.3-5.fc9 (Jan 22) -------------------------------------------- Fix for spellcheck security flaw, and some font correction. http://www.linuxsecurity.com/content/view/147694 * Fedora 10 Update: moodle-1.9.3-5.fc10 (Jan 22) ---------------------------------------------- Fix for spellcheck security flaw, and some font correction. http://www.linuxsecurity.com/content/view/147695 * Fedora 10 Update: uw-imap-2007e-1.fc10 (Jan 22) ----------------------------------------------- Update to new upstream version - 2007e. Contains fix for a security issue - buffer overflow in rfc822_output_char / rfc822_output_data (CVE-2008-5514). http://www.linuxsecurity.com/content/view/147696 * Fedora 9 Update: DevIL-1.7.5-2.fc9 (Jan 22) ------------------------------------------- - Fix missing symbols (rh 480269) - Fix off by one error in CVE-2008-5262 check (rh 479864) http://www.linuxsecurity.com/content/view/147697 * Fedora 9 Update: uw-imap-2007e-1.fc9 (Jan 22) --------------------------------------------- Update to new upstream version - 2007e. Contains fix for a security issue - buffer overflow in rfc822_output_char / rfc822_output_data (CVE-2008-5514). http://www.linuxsecurity.com/content/view/147698 * Fedora 10 Update: DevIL-1.7.5-2.fc10 (Jan 22) --------------------------------------------- - Fix missing symbols (rh 480269) - Fix off by one error in CVE-2008-5262 check (rh 479864) http://www.linuxsecurity.com/content/view/147699 ------------------------------------------------------------------------ * Gentoo: Net-SNMP Denial of Service (Jan 21) ------------------------------------------- A vulnerability in Net-SNMP could lead to a Denial of Service. http://www.linuxsecurity.com/content/view/147682 * Gentoo: Scilab Insecure temporary file usage (Jan 21) ----------------------------------------------------- An insecure temporary file usage has been reported in Scilab, allowing for symlink attacks. http://www.linuxsecurity.com/content/view/147681 ------------------------------------------------------------------------ * Mandriva: [ MDVSA-2009:024 ] php4 (Jan 21) ------------------------------------------ A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658). A buffer overflow in the memnstr() function allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via the delimiter argument to the explode() function (CVE-2008-3659). PHP, when used as a FastCGI module, allowed remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension (CVE-2008-3660). The updated packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/147687 * Mandriva: [ MDVSA-2009:023 ] php (Jan 21) ----------------------------------------- A vulnerability in PHP allowed context-dependent attackers to cause a denial of service (crash) via a certain long string in the glob() or fnmatch() functions (CVE-2007-4782)... The updated packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/147686 * Mandriva: [ MDVSA-2009:022 ] php (Jan 21) ----------------------------------------- A vulnerability in PHP allowed context-dependent attackers to cause a denial of service (crash) via a certain long string in the glob() or fnmatch() functions (CVE-2007-4782).. The updated packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/147685 * Mandriva: [ MDVSA-2009:021 ] php (Jan 21) ----------------------------------------- A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658)... The updated packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/147684 * Mandriva: [ MDVSA-2009:020 ] xine-lib (Jan 21) ---------------------------------------------- Failure on Ogg files manipulation can lead remote attackers to cause a denial of service by using crafted files (CVE-2008-3231).... This update provides the fix for all these security issues found in xine-lib 1.1.11 of Mandriva 2008.1. The vulnerabilities: CVE-2008-5234, CVE-2008-5236, CVE-2008-5237, CVE-2008-5239, CVE-2008-5240, CVE-2008-5243 are found in xine-lib 1.1.15 of Mandriva 2009.0 and are also fixed by this update. http://www.linuxsecurity.com/content/view/147683 * Mandriva: [ MDVSA-2009:017 ] kdebase (Jan 16) --------------------------------------------- A vulnerability in KDM allowed a local user to cause a denial of service via unknown vectors (CVE-2007-5963). The updated packages have been patched to prevent this issue. http://www.linuxsecurity.com/content/view/147405 * Mandriva: [ MDVSA-2009:016 ] xen (Jan 16) ----------------------------------------- Ian Jackson found a security issue in the QEMU block device drivers backend that could allow a guest operating system to issue a block device request and read or write arbitrary memory locations, which could then lead to privilege escalation (CVE-2008-0928)... The updated packages have been patched to prevent these issues. http://www.linuxsecurity.com/content/view/147404 * Mandriva: [ MDVSA-2009:015 ] ffmpeg (Jan 15) -------------------------------------------- Several vulnerabilities have been discovered in ffmpeg, related to the execution of DTS generation code (CVE-2008-4866) and incorrect handling of DCA_MAX_FRAME_SIZE value (CVE-2008-4867). The updated packages have been patched to prevent this. http://www.linuxsecurity.com/content/view/147401 * Mandriva: [ MDVSA-2009:014 ] mplayer (Jan 15) --------------------------------------------- Several vulnerabilities have been discovered in mplayer, which could allow remote attackers to execute arbitrary code via a malformed TwinVQ file (CVE-2008-5616), and in ffmpeg, as used by mplayer, related to the execution of DTS generation code (CVE-2008-4866). The updated packages have been patched to prevent this. http://www.linuxsecurity.com/content/view/147400 * Mandriva: [ MDVSA-2009:013 ] mplayer (Jan 15) --------------------------------------------- Several vulnerabilities have been discovered in mplayer, which could allow remote attackers to execute arbitrary code via a malformed TwinVQ file (CVE-2008-5616), and in ffmpeg, as used by mplayer, related to the execution of DTS generation code (CVE-2008-4866) and incorrect handling of DCA_MAX_FRAME_SIZE value (CVE-2008-4867). The updated packages have been patched to prevent this. http://www.linuxsecurity.com/content/view/147399 * Mandriva: [ MDVSA-2009:012 ] mozilla-thunderbird (Jan 15) --------------------------------------------------------- A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 2.0.0.19 (CVE-2008-5500, CVE-2008-5503, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511, CVE-2008-5512). This update provides the latest Thunderbird to correct these issues. http://www.linuxsecurity.com/content/view/147396 * Mandriva: [ MDVA-2009:012 ] kphotoalbum (Jan 15) ------------------------------------------------ Kphotoalbum in Mandriva Linux 2009.0 had some unimplemented functions that could lead to crashes. This new package implements those functions and fixes the crashes. http://www.linuxsecurity.com/content/view/147393 * Mandriva: [ MDVA-2009:011 ] kdegraphics4 (Jan 15) ------------------------------------------------- This package updates the libkdraw and libkexiv2 libraries making it possible to build newer versions of digikam. http://www.linuxsecurity.com/content/view/147392 ------------------------------------------------------------------------ * RedHat: Important: kernel security and bug fix update (Jan 22) -------------------------------------------------------------- Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise MRG 1.0. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/147689 ------------------------------------------------------------------------ * Slackware bind 10.2/11.0 recompile (Jan 15) ------------------------------------------- Updated bind packages are available for Slackware 10.2 and 11.0 to address a load problem. It was reported that the initial build of these updates complained that the Linux capability module was not present and would refuse to load. It was determined that the packages which were compiled on 10.2 and 11.0 systems running 2.6 kernels, and although the installed kernel headers are from 2.4.x, it picked up on this resulting in packages that would only run under 2.4 kernels. These new packages address the issue. As always, any problems noted with update patches should be reported to security@xxxxxxxxxxxxx, and we will do our best to address them as quickly as possible. http://www.linuxsecurity.com/content/view/147398 * Slackware: ntp (Jan 15) ------------------------- New ntp packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to a fix security issue. http://www.linuxsecurity.com/content/view/147388 * Slackware: openssl (Jan 15) ----------------------------- New openssl packages are available for Slackware 11.0, 12.0, 12.1, 12.2, and -current to fix a security issue when connecting to an SSL/TLS server that uses a certificate containing a DSA or ECDSA key. http://www.linuxsecurity.com/content/view/147389 * Slackware: bind (Jan 15) -------------------------- New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a security issue. http://www.linuxsecurity.com/content/view/147387 ------------------------------------------------------------------------ * SuSE: bind (SUSE-SA:2009:005) (Jan 22) -------------------------------------- The DNS daemon bind is used to resolve and lookup addresses on the inter- net. Some month ago a vulnerability in the DNS protocol and its numbers was published that allowed easy spoofing of DNS entries. The only way to pro- tect against spoofing is to use DNSSEC. Unfortunately the bind code that verifys the certification chain of a DNS- SEC zone transfer does not properly check the return value of function DSA_do_verify(). This allows the spoofing of records signed with DSA or NSEC3DSA. http://www.linuxsecurity.com/content/view/147688 ------------------------------------------------------------------------ * Ubuntu:Perl regression (Jan 15) ------------------------------- USN-700-1 fixed vulnerabilities in Perl. Due to problems with the Ubuntu 8.04 build, some Perl .ph files were missing from the resulting update. This update fixes the problem. We apologize for the inconvenience. http://www.linuxsecurity.com/content/view/147397 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------