+----------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter      |
|  January 30th, 2009                           Volume 10, Number 5    |
|                                                                      |
|  Editorial Team:  Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx>            |
|                   Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx>     |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for moin, rt, typo3,
ganglia-monitor-core, dia, kernel, vnc, ntp, tor, libnasl, nessus,
drupal, amarok, mumbles, moodle, uw-imap, cups, phpMyAdmin, pidgin,
java, openssl, bind, vim, ktorrent, xine-lib, libpng, python, and dbus.
The distributors include Debian, Fedora, Mandriva, Red Hat, SuSE, and
Pardus.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of
Linux: safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments. Catch up with what
professional network and database administrators, system programmers,
webmasters and all those who believe in the power of Open Source
software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------

If I ask "How much do you know about Google?", you may not take even a
second to respond. But if I ask "How much does Google know about you?",
you may instantly reply "Wait... what!? Do they!?" The book "Googling
Security: How Much Does Google Know About You" by Greg Conti (Computer
Science Professor at West Point) is the first book to reveal how
Google's vast information stockpiles could be used against you or your
business, and what you can do to protect yourself.
http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------

Nagios is monitoring software designed to let you know about problems
on your hosts and networks quickly, and it can be configured for use on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process; making that setup secure, however, takes some work.
This article will not show you how to install Nagios, since there are
plenty of guides for that already, but it will show you in detail ways
to improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->        http://www.linuxsecurity.com/docs/QuickRefCard.pdf        <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New moin packages fix insufficient input sanitising (Jan 29)
  --------------------------------------------------------------------
  It was discovered that the AttachFile action in moin, a python clone
  of WikiWiki, is prone to cross-site scripting attacks (CVE-2009-0260).
  Another cross-site scripting vulnerability was discovered in the
  antispam feature (CVE-2009-0312).
  http://www.linuxsecurity.com/content/view/147871

* Debian: New rt2570 packages fix arbitrary code execution (Jan 28)
  -----------------------------------------------------------------
  It was discovered that an integer overflow in the "Probe Request"
  packet parser of the Ralinktech wireless drivers might lead to remote
  denial of service or the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/147870

* Debian: New rt2500 packages fix arbitrary code execution (Jan 28)
  -----------------------------------------------------------------
  It was discovered that an integer overflow in the "Probe Request"
  packet parser of the Ralinktech wireless drivers might lead to remote
  denial of service or the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/147869

* Debian: New rt2400 packages fix arbitrary code execution (Jan 28)
  -----------------------------------------------------------------
  It was discovered that an integer overflow in the "Probe Request"
  packet parser of the Ralinktech wireless drivers might lead to remote
  denial of service or the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/147868

* Debian: New TYPO3 packages fix remote code execution (Jan 26)
  -------------------------------------------------------------
  Several remotely exploitable vulnerabilities have been discovered in
  the TYPO3 web content management framework. The Common Vulnerabilities
  and Exposures project identifies the following problems...

  http://www.linuxsecurity.com/content/view/147856

* Debian: New ganglia-monitor-core packages fix remote code execution (Jan 25)
  ----------------------------------------------------------------------------
  Spike Spiegel discovered a stack-based buffer overflow in gmetad, the
  meta-daemon for the ganglia cluster monitoring toolkit, which could be
  triggered via a request with long path names and might enable
  arbitrary code execution.
  http://www.linuxsecurity.com/content/view/147842

------------------------------------------------------------------------

* Fedora 9 Update: dia-0.96.1-7.fc9 (Jan 26)
  ------------------------------------------
  Filter untrusted directories out of the python module search path to
  remove the possibility of running arbitrary code on the user's system
  if there is a python file in dia's working directory with the same
  name as one that dia's python scripts try to import.

  http://www.linuxsecurity.com/content/view/147862

* Fedora 9 Update: kernel-2.6.27.12-78.2.8.fc9 (Jan 26)
  -----------------------------------------------------
  Includes security fixes:
    CVE-2009-0029  Linux Kernel insecure 64 bit system call argument
                   passing
    CVE-2009-0065  kernel: sctp: memory overflow when FWD-TSN chunk is
                   received with bad stream ID
  Also fixes bug 478299, reported against Fedora 10: AVC denials on
  kernel 2.6.27.9-159.fc10.x86_64. Reverts the ALSA driver to the
  version that is upstream in kernel 2.6.27; this should fix the lack
  of audio on headphone outputs for some notebooks.

  http://www.linuxsecurity.com/content/view/147861

* Fedora 9 Update: vnc-4.1.3-1.fc9 (Jan 26)
  -----------------------------------------
  Update to the 4.1.3 maintenance release, which contains a fix for
  CVE-2008-4770.

  http://www.linuxsecurity.com/content/view/147860

* Fedora 10 Update: vnc-4.1.3-1.fc10 (Jan 26)
  -------------------------------------------
  Update to the 4.1.3 maintenance release, which contains a fix for
  CVE-2008-4770.

  http://www.linuxsecurity.com/content/view/147859

* Fedora 10 Update: kernel-2.6.27.12-170.2.5.fc10 (Jan 26)
  --------------------------------------------------------
  Includes security fixes:
    CVE-2009-0029  Linux Kernel insecure 64 bit system call argument
                   passing
    CVE-2009-0065  kernel: sctp: memory overflow when FWD-TSN chunk is
                   received with bad stream ID
  Reverts the ALSA driver to the version that is upstream in kernel
  2.6.27. This should be the last 2.6.27 kernel update for Fedora 10;
  a 2.6.28 update kernel is being tested.
  http://www.linuxsecurity.com/content/view/147858

* Fedora 10 Update: dia-0.96.1-9.fc10 (Jan 26)
  --------------------------------------------
  Filter untrusted directories out of the python module search path to
  remove the possibility of running arbitrary code on the user's system
  if there is a python file in dia's working directory with the same
  name as one that dia's python scripts try to import.

  http://www.linuxsecurity.com/content/view/147857

* Fedora 9 Update: ntp-4.2.4p6-1.fc9 (Jan 26)
  -------------------------------------------
  This update fixes CVE-2009-0021: NTP 4.2.4 before 4.2.4p5 and 4.2.5
  before 4.2.5p150 does not properly check the return value from the
  OpenSSL EVP_VerifyFinal function, which allows remote attackers to
  bypass validation of the certificate chain via a malformed SSL/TLS
  signature for DSA and ECDSA keys, a similar vulnerability to
  CVE-2008-5077.

  http://www.linuxsecurity.com/content/view/147844

* Fedora 10 Update: ntp-4.2.4p6-1.fc10 (Jan 26)
  ---------------------------------------------
  This update fixes CVE-2009-0021: NTP 4.2.4 before 4.2.4p5 and 4.2.5
  before 4.2.5p150 does not properly check the return value from the
  OpenSSL EVP_VerifyFinal function, which allows remote attackers to
  bypass validation of the certificate chain via a malformed SSL/TLS
  signature for DSA and ECDSA keys, a similar vulnerability to
  CVE-2008-5077.
  http://www.linuxsecurity.com/content/view/147845

* Fedora 9 Update: tor-0.2.0.33-1.fc9 (Jan 26)
  --------------------------------------------
  New upstream release 0.2.0.33, with lots of bug fixes and one
  security fix:
  https://blog.torproject.org/blog/tor-0.2.0.33-stable-released

  http://www.linuxsecurity.com/content/view/147846

* Fedora 10 Update: libnasl-2.2.11-3.fc10 (Jan 26)
  ------------------------------------------------
  libnasl: OpenSSL incorrect checks for malformed signatures
  https://bugzilla.redhat.com/show_bug.cgi?id=479655

  http://www.linuxsecurity.com/content/view/147847

* Fedora 10 Update: nessus-core-2.2.11-1.fc10 (Jan 26)
  ----------------------------------------------------
  OpenSSL incorrect checks for malformed signatures
  https://bugzilla.redhat.com/show_bug.cgi?id=479655

  http://www.linuxsecurity.com/content/view/147848

* Fedora 10 Update: nessus-libraries-2.2.11-1.fc10 (Jan 26)
  ---------------------------------------------------------
  libnasl: OpenSSL incorrect checks for malformed signatures
  https://bugzilla.redhat.com/show_bug.cgi?id=479655

  http://www.linuxsecurity.com/content/view/147849

* Fedora 10 Update: tor-0.2.0.33-1.fc10 (Jan 26)
  ----------------------------------------------
  New upstream release 0.2.0.33, with lots of bug fixes and one
  security fix:
  https://blog.torproject.org/blog/tor-0.2.0.33-stable-released

  http://www.linuxsecurity.com/content/view/147850

* Fedora 9 Update: libnasl-2.2.11-3.fc9 (Jan 26)
  ----------------------------------------------
  libnasl: OpenSSL incorrect checks for malformed signatures
  https://bugzilla.redhat.com/show_bug.cgi?id=479655

  http://www.linuxsecurity.com/content/view/147851

* Fedora 9 Update: nessus-core-2.2.11-1.fc9 (Jan 26)
  --------------------------------------------------
  libnasl: OpenSSL incorrect checks for malformed signatures
  https://bugzilla.redhat.com/show_bug.cgi?id=479655

  http://www.linuxsecurity.com/content/view/147852

* Fedora 9 Update: nessus-libraries-2.2.11-1.fc9 (Jan 26)
  -------------------------------------------------------
  libnasl: OpenSSL incorrect checks for malformed signatures
  https://bugzilla.redhat.com/show_bug.cgi?id=479655

  http://www.linuxsecurity.com/content/view/147853

* Fedora 10 Update: drupal-6.9-1.fc10 (Jan 22)
  --------------------------------------------
  SA-CORE-2009-001 ( http://drupal.org/node/358957 )
  Remember to log in to your site as the admin user before upgrading
  this package. After upgrading the package, browse to
  http://host/drupal/update.php to run the upgrade script.

  http://www.linuxsecurity.com/content/view/147690

* Fedora 9 Update: drupal-6.9-1.fc9 (Jan 22)
  ------------------------------------------
  SA-CORE-2009-001 ( http://drupal.org/node/358957 )
  Remember to log in to your site as the admin user before upgrading
  this package. After upgrading the package, browse to
  http://host/drupal/update.php to run the upgrade script.

  http://www.linuxsecurity.com/content/view/147691

* Fedora 9 Update: amarok-1.4.10-2.fc9 (Jan 22)
  ---------------------------------------------
  This build includes a security fix concerning the parsing of
  malformed Audible digital audio files.

  http://www.linuxsecurity.com/content/view/147692

* Fedora 10 Update: mumbles-0.4-9.fc10 (Jan 22)
  ---------------------------------------------
  - Fixed path to make mumbles run on x86_64 (bug #479158)
  - Security fix for Firefox plugin (bug #479171)

  http://www.linuxsecurity.com/content/view/147693

* Fedora 9 Update: moodle-1.9.3-5.fc9 (Jan 22)
  --------------------------------------------
  Fix for spellcheck security flaw, and some font correction.

  http://www.linuxsecurity.com/content/view/147694

* Fedora 10 Update: moodle-1.9.3-5.fc10 (Jan 22)
  ----------------------------------------------
  Fix for spellcheck security flaw, and some font correction.

  http://www.linuxsecurity.com/content/view/147695

* Fedora 10 Update: uw-imap-2007e-1.fc10 (Jan 22)
  -----------------------------------------------
  Update to new upstream version - 2007e.
  Contains a fix for a security issue - buffer overflow in
  rfc822_output_char / rfc822_output_data (CVE-2008-5514).

  http://www.linuxsecurity.com/content/view/147696

* Fedora 9 Update: DevIL-1.7.5-2.fc9 (Jan 22)
  -------------------------------------------
  - Fix missing symbols (rh 480269)
  - Fix off by one error in CVE-2008-5262 check (rh 479864)

  http://www.linuxsecurity.com/content/view/147697

* Fedora 9 Update: uw-imap-2007e-1.fc9 (Jan 22)
  ---------------------------------------------
  Update to new upstream version - 2007e. Contains a fix for a security
  issue - buffer overflow in rfc822_output_char / rfc822_output_data
  (CVE-2008-5514).

  http://www.linuxsecurity.com/content/view/147698

* Fedora 10 Update: DevIL-1.7.5-2.fc10 (Jan 22)
  ---------------------------------------------
  - Fix missing symbols (rh 480269)
  - Fix off by one error in CVE-2008-5262 check (rh 479864)

  http://www.linuxsecurity.com/content/view/147699

------------------------------------------------------------------------

* Mandriva: [ MDVSA-2009:030 ] amarok (Jan 27)
  --------------------------------------------
  Data length values in the metadata of Audible Audio media files (.aa)
  can lead to an integer overflow, which remote attackers can use to
  trigger a heap overflow and possibly execute arbitrary code
  (CVE-2009-0135). Failure to check heap allocation on Audible Audio
  media files (.aa) allows remote attackers either to cause a denial of
  service or to execute arbitrary code via a crafted media file
  (CVE-2009-0136). This update provides the fix for these security
  issues.

  http://www.linuxsecurity.com/content/view/147865

* Mandriva: [ MDVSA-2009:029 ] cups (Jan 24)
  ------------------------------------------
  Security vulnerabilities have been discovered and corrected in CUPS.
  CUPS 1.1.17 through 1.3.9 allows remote attackers to execute
  arbitrary code via a PNG image with a large height value, which
  bypasses a validation check and triggers a buffer overflow
  (CVE-2008-5286).
  CUPS shipped with Mandriva Linux allows local users to overwrite
  arbitrary files via a symlink attack on the /tmp/pdf.log temporary
  file (CVE-2009-0032). The updated packages have been patched to
  prevent this.

  http://www.linuxsecurity.com/content/view/147841

* Mandriva: [ MDVSA-2009:028 ] cups (Jan 24)
  ------------------------------------------
  Security vulnerabilities have been discovered and corrected in CUPS.
  CUPS before 1.3.8 allows local users, and possibly remote attackers,
  to cause a denial of service (daemon crash) by adding a large number
  of RSS Subscriptions, which triggers a NULL pointer dereference
  (CVE-2008-5183). The web interface (cgi-bin/admin.c) in CUPS before
  1.3.8 uses the guest username when a user is not logged on to the web
  server, which makes it easier for remote attackers to bypass intended
  policy and conduct CSRF attacks via the (1) add and (2) cancel RSS
  subscription functions (CVE-2008-5184). CUPS 1.1.17 through 1.3.9
  allows remote attackers to execute arbitrary code via a PNG image
  with a large height value, which bypasses a validation check and
  triggers a buffer overflow (CVE-2008-5286). CUPS shipped with
  Mandriva Linux allows local users to overwrite arbitrary files via a
  symlink attack on the /tmp/pdf.log temporary file (CVE-2009-0032).
  The updated packages have been patched to prevent this.

  http://www.linuxsecurity.com/content/view/147840

* Mandriva: [ MDVSA-2009:027 ] cups (Jan 24)
  ------------------------------------------
  A vulnerability has been discovered in CUPS shipped with Mandriva
  Linux which allows local users to overwrite arbitrary files via a
  symlink attack on the /tmp/pdf.log temporary file (CVE-2009-0032).
  The updated packages have been patched to prevent this.
  http://www.linuxsecurity.com/content/view/147839

* Mandriva: [ MDVSA-2009:026 ] phpMyAdmin (Jan 23)
  ------------------------------------------------
  A cross-site scripting (XSS) vulnerability in pmd_pdf.php allows
  remote attackers to inject arbitrary web script or HTML via the db
  script parameter when the register_globals php parameter is enabled
  (CVE-2008-4775). A cross-site request forgery (CSRF) vulnerability in
  tbl_structure.php allows remote attackers to perform SQL injection
  and execute arbitrary code via the table script parameter
  (CVE-2008-5621). Multiple cross-site request forgery (CSRF)
  vulnerabilities allow remote attackers to perform SQL injection via
  unknown vectors related to the table script parameter
  (CVE-2008-5622). This update provides the fix for these security
  issues.

  http://www.linuxsecurity.com/content/view/147710

* Mandriva: [ MDVSA-2009:025 ] pidgin (Jan 22)
  --------------------------------------------
  The NSS plugin in libpurple in Pidgin 2.4.1 does not verify SSL
  certificates, which makes it easier for remote attackers to trick a
  user into accepting an invalid server certificate for a spoofed
  service... The updated packages have been patched to fix these
  issues.

  http://www.linuxsecurity.com/content/view/147700

------------------------------------------------------------------------

* RedHat: Moderate: ntp security update (Jan 29)
  ----------------------------------------------
  Updated ntp packages to correct a security issue are now available
  for Red Hat Enterprise Linux 4 and 5. This update has been rated as
  having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/147875

* RedHat: Important: kernel security and bug fix update (Jan 22)
  --------------------------------------------------------------
  Updated kernel packages that fix several security issues and several
  bugs are now available for Red Hat Enterprise MRG 1.0.
  This update has been rated as having important security impact by
  the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/147689

------------------------------------------------------------------------

* SuSE: Linux kernel (SUSE-SA:2009:008) (Jan 29)
  ----------------------------------------------
  The SUSE Linux Enterprise 10 Service Pack 2 kernel was updated to
  version 2.6.16.60-0.34 to fix some security issues and various bugs.
  The following security problems have been fixed...

  http://www.linuxsecurity.com/content/view/147877

* SuSE: IBM Java 5 (SUSE-SA:2009:007) (Jan 29)
  --------------------------------------------
  The IBM Java JRE 5 was brought to Service Release 9, fixing quite a
  number of security issues and bugs. The update fixes the following
  security problems...

  http://www.linuxsecurity.com/content/view/147876

* SuSE: OpenSSL certificate verification (Jan 23)
  -----------------------------------------------
  The OpenSSL certificate checking routine EVP_VerifyFinal can return
  negative values as well as 0 on failure. In some places negative
  values were not checked and were treated as successful verification.
  Prior to this update it was therefore possible to bypass the
  certificate chain checks of openssl. This advisory is for the updates
  that improve the verification of return values inside the OpenSSL
  library itself.

  http://www.linuxsecurity.com/content/view/147709

* SuSE: bind (SUSE-SA:2009:005) (Jan 22)
  --------------------------------------
  The DNS daemon bind is used to resolve and look up addresses on the
  internet. Some months ago a vulnerability in the DNS protocol and its
  numbers was published that allowed easy spoofing of DNS entries. The
  only way to protect against spoofing is to use DNSSEC. Unfortunately
  the bind code that verifies the certification chain of a DNSSEC zone
  transfer does not properly check the return value of the function
  DSA_do_verify(). This allows the spoofing of records signed with DSA
  or NSEC3DSA.
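  The return-value bug behind the OpenSSL, NTP and bind entries above,
  as an added illustration that is not code from OpenSSL, NTP or bind:
  mock_verify_final() is an assumed stand-in for EVP_VerifyFinal() /
  DSA_do_verify(), which return 1 for a verified signature, 0 for a
  mismatch and a negative value on error, and the two chain_trusted_*
  callers contrast the check that let the error path through with the
  corrected one.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not code from OpenSSL, NTP or bind.
 * mock_verify_final() stands in for EVP_VerifyFinal() / DSA_do_verify(),
 * whose contract is:
 *    1  signature verified
 *    0  signature does not match
 *   <0  error, e.g. a signature blob that cannot even be decoded      */
enum sig_kind { SIG_VALID, SIG_INVALID, SIG_MALFORMED };

static int mock_verify_final(enum sig_kind sig)
{
    switch (sig) {
    case SIG_VALID:   return 1;
    case SIG_INVALID: return 0;
    default:          return -1;   /* malformed encoding: error path */
    }
}

/* Vulnerable check: anything other than 0 is taken as success, so the
 * negative error return for a malformed signature is accepted. The
 * equivalent "if (!rc) fail;" idiom has the same flaw. */
static int sig_ok_buggy(enum sig_kind sig)
{
    int rc = mock_verify_final(sig);
    if (rc == 0)
        return 0;
    return 1;
}

/* Fixed check: only the exact success value 1 counts as verified. */
static int sig_ok_fixed(enum sig_kind sig)
{
    return mock_verify_final(sig) == 1;
}

/* Walk a chain of signatures (leaf first); every link must verify.
 * Returns 1 if the whole chain is accepted by the given checker. */
static int chain_trusted(const enum sig_kind *chain, size_t n,
                         int (*sig_ok)(enum sig_kind))
{
    for (size_t i = 0; i < n; i++)
        if (!sig_ok(chain[i]))
            return 0;
    return 1;
}

int chain_trusted_buggy(const enum sig_kind *chain, size_t n)
{
    return chain_trusted(chain, n, sig_ok_buggy);
}

int chain_trusted_fixed(const enum sig_kind *chain, size_t n)
{
    return chain_trusted(chain, n, sig_ok_fixed);
}

int main(void)
{
    /* Constructed chain: a good leaf signature, then an intermediate
     * whose "signature" is an undecodable blob, then a good root. */
    enum sig_kind chain[] = { SIG_VALID, SIG_MALFORMED, SIG_VALID };
    size_t n = sizeof chain / sizeof chain[0];

    printf("buggy check accepts chain: %d\n", chain_trusted_buggy(chain, n));
    printf("fixed check accepts chain: %d\n", chain_trusted_fixed(chain, n));
    return 0;
}
```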
  http://www.linuxsecurity.com/content/view/147688

------------------------------------------------------------------------

* Ubuntu: Vim vulnerabilities (Jan 27)
  -------------------------------------
  Jan Minar discovered that Vim did not properly sanitize inputs before
  invoking the execute or system functions inside Vim scripts. If a
  user were tricked into running Vim scripts with a specially crafted
  input, an attacker could execute arbitrary code with the privileges
  of the user invoking the program. (CVE-2008-2712)

  Ben Schmidt discovered that Vim did not properly escape characters
  when performing keyword or tag lookups. If a user were tricked into
  running specially crafted commands, an attacker could execute
  arbitrary code with the privileges of the user invoking the program.
  (CVE-2008-4101)

  http://www.linuxsecurity.com/content/view/147863

* Ubuntu: KTorrent vulnerabilities (Jan 26)
  ------------------------------------------
  It was discovered that KTorrent did not properly restrict access when
  using the web interface plugin. A remote attacker could use a crafted
  http request and upload arbitrary torrent files to trigger the start
  of downloads and seeding. (CVE-2008-5905)

  It was discovered that KTorrent did not properly handle certain
  parameters when using the web interface plugin. A remote attacker
  could use crafted http requests to execute arbitrary PHP code.
  (CVE-2008-5906)

  http://www.linuxsecurity.com/content/view/147854

* Ubuntu: xine-lib vulnerabilities (Jan 26)
  ------------------------------------------
  It was discovered that xine-lib did not correctly handle certain
  malformed Ogg and Windows Media files. If a user or automated system
  were tricked into opening a specially crafted Ogg or Windows Media
  file, an attacker could cause xine-lib to crash, creating a denial of
  service. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04
  LTS. (CVE-2008-3231)...
  http://www.linuxsecurity.com/content/view/147855

------------------------------------------------------------------------

* Pardus: gst-plugins-good: Denial of Service (Jan 29)
  ----------------------------------------------------
  Tobias Klein has reported some vulnerabilities in GStreamer Good
  Plug-ins, which can potentially be exploited by malicious people to
  compromise a vulnerable system.

  http://www.linuxsecurity.com/content/view/147874

* Pardus: nfs-utils: Security Bypass (Jan 29)
  -------------------------------------------
  There is a weakness in nfs-utils, which can be exploited by malicious
  people to bypass certain security restrictions.

  http://www.linuxsecurity.com/content/view/147873

* Pardus: xine-lib: Multiple Overflows (Jan 29)
  ---------------------------------------------
  There are multiple overflows in xine-lib.

  http://www.linuxsecurity.com/content/view/147872

* Pardus: Kernel: Multiple Denial of Service (Jan 23)
  ---------------------------------------------------
  There are multiple Denial of Service and buffer overflow
  vulnerabilities in the Linux kernel.

  http://www.linuxsecurity.com/content/view/147706

* Pardus: Libmikmod: Denial of Service (Jan 23)
  ---------------------------------------------
  Some vulnerabilities have been reported in libmikmod, which can be
  exploited by malicious people to cause a DoS (Denial of Service).

  http://www.linuxsecurity.com/content/view/147705

* Pardus: DevIL: Multiple Buffer Overflows (Jan 23)
  -------------------------------------------------
  The vulnerabilities are caused by boundary errors within the
  "iGetHdrHeader()" function in src-IL/src/il_hdr.c. These can be
  exploited to cause a stack-based buffer overflow when processing
  specially crafted Radiance RGBE files.
  http://www.linuxsecurity.com/content/view/147704

* Pardus: Libpng: Memory Overwrite (Jan 23)
  -----------------------------------------
  The png_check_keyword function in pngwutil.c in libpng before 1.0.42,
  and 1.2.x before 1.2.34, might allow context-dependent attackers to
  set the value of an arbitrary memory location to zero via vectors
  involving creation of crafted PNG files with keywords, related to an
  implicit cast of the '\0' character constant to a NULL pointer.

  http://www.linuxsecurity.com/content/view/147703

* Pardus: Python: Multiple Integer Overflows (Jan 23)
  ---------------------------------------------------
  Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6,
  allow context-dependent attackers to have an unknown impact via a
  large integer value in the tabsize argument to the expandtabs method,
  as implemented by (1) the string_expandtabs function in
  Objects/stringobject.c and (2) the unicode_expandtabs function in
  Objects/unicodeobject.c.

  http://www.linuxsecurity.com/content/view/147702

* Pardus: Dbus: Security Bypass (Jan 23)
  --------------------------------------
  The default configuration of system.conf in D-Bus (aka DBus) before
  1.2.6 omits the send_type attribute in certain rules.

  http://www.linuxsecurity.com/content/view/147701

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.

------------------------------------------------------------------------