+----------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter      |
|  February 13th, 2009                          Volume 10, Number 7    |
|                                                                      |
|  Editorial Team:  Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx>            |
|                   Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx>     |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for phpmyadmin, libpam-heimdal,
libpam-krb5, gnutls13, boinc, devil, mozvoikko, ruby-gnome2, mugshot,
totem, yelp, cairo-dock, blam, galeon, devhelp, evolution,
google-gadgets, kazehakase, miro, xulrunner, firefox, epiphany, chmsee,
kazehakase, evolution, blam, sudo, python, drakxtools, glibc, squid,
clamav, mod_auth_mysql, vnc, netpbm, and wicd. The distributors include
Debian, Fedora, Mandriva, Red Hat, Slackware, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of
Linux: safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power
of Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------

If I ask "How much do you know about Google?" you may not take even a
second to respond. But if I ask "How much does Google know about you?"
you may instantly reply "Wait... what!? Do they!?"
The book "Googling Security: How Much Does Google Know About You" by
Greg Conti (Computer Science Professor at West Point) is the first book
to reveal how Google's vast information stockpiles could be used against
you or your business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------

Nagios is monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process; however, making it a secure setup takes some work.
This article will not show you how to install Nagios, since there are
many installation guides out there, but it will show you in detail ways
to improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf  <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New phpmyadmin packages fix arbitrary code execution (Feb 11)
  ---------------------------------------------------------------------
  Michael Brooks discovered that phpMyAdmin, a tool to administrate
  MySQL over the web, performs insufficient input sanitising, allowing
  a user-assisted remote attacker to execute code on the webserver.
  http://www.linuxsecurity.com/content/view/147974

* Debian: New libpam-heimdal packages fix local privilege (Feb 11)
  ----------------------------------------------------------------
  Derek Chan discovered that the PAM module for the Heimdal Kerberos
  implementation allows reinitialisation of user credentials when run
  from a setuid context, resulting in potential local denial of service
  by overwriting the credential cache file or in local privilege
  escalation.

  http://www.linuxsecurity.com/content/view/147973

* Debian: New libpam-krb5 packages fix local privilege (Feb 11)
  -------------------------------------------------------------
  Several local vulnerabilities have been discovered in the PAM module
  for MIT Kerberos. The Common Vulnerabilities and Exposures project
  identifies the following problems...

  http://www.linuxsecurity.com/content/view/147972

* Debian: New TYPO3 packages fix several vulnerabilities (Feb 10)
  ---------------------------------------------------------------
  Several remote vulnerabilities have been discovered in the TYPO3 web
  content management framework.

  http://www.linuxsecurity.com/content/view/147967

* Debian: New gnutls13 packages fix certificate validation (Feb 10)
  -----------------------------------------------------------------
  Martin von Gagern discovered that GNUTLS, an implementation of the
  TLS/SSL protocol, handles verification of X.509 certificate chains
  incorrectly if a self-signed certificate is configured as a trusted
  certificate. This could cause clients to accept forged server
  certificates as genuine.

  http://www.linuxsecurity.com/content/view/147964

* Debian: New boinc packages fix validation bypass (Feb 8)
  --------------------------------------------------------
  It was discovered that the core client for the BOINC distributed
  computing infrastructure performs incorrect validation of the return
  values of OpenSSL's RSA functions.
  http://www.linuxsecurity.com/content/view/147961

* Debian: New devil packages fix buffer overflow (Feb 5)
  ------------------------------------------------------
  Stefan Cornelius discovered a buffer overflow in devil, a
  cross-platform image loading and manipulation toolkit, which could be
  triggered via a crafted Radiance RGBE file. This could potentially
  lead to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/147912

------------------------------------------------------------------------

* Fedora 9 Update: mozvoikko-0.9.5-6.fc9 (Feb 6)
  ----------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147949

* Fedora 9 Update: gtkmozembedmm-1.4.2.cvs20060817-25.fc9 (Feb 6)
  ---------------------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147950

* Fedora 9 Update: ruby-gnome2-0.17.0-5.fc9 (Feb 6)
  -------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147951

* Fedora 9 Update: mugshot-1.2.2-5.fc9 (Feb 6)
  --------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147952

* Fedora 9 Update: totem-2.23.2-10.fc9 (Feb 6)
  --------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147953

* Fedora 9 Update: yelp-2.22.1-8.fc9 (Feb 6)
  ------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.
  http://www.linuxsecurity.com/content/view/147954

* Fedora 9 Update: cairo-dock-1.6.3.1-1.fc9.3 (Feb 6)
  ---------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147939

* Fedora 9 Update: gnome-python2-extras-2.19.1-23.fc9 (Feb 6)
  -----------------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147940

* Fedora 9 Update: blam-1.8.5-5.fc9.1 (Feb 6)
  -------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147941

* Fedora 9 Update: galeon-2.0.7-5.fc9 (Feb 6)
  -------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147942

* Fedora 9 Update: gnome-web-photo-0.3-17.fc9 (Feb 6)
  ---------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147943

* Fedora 9 Update: devhelp-0.19.1-8.fc9 (Feb 6)
  ---------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147944

* Fedora 9 Update: evolution-rss-0.1.0-6.fc9 (Feb 6)
  --------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147945

* Fedora 9 Update: google-gadgets-0.10.5-2.fc9 (Feb 6)
  ----------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.
  http://www.linuxsecurity.com/content/view/147946

* Fedora 9 Update: kazehakase-0.5.6-1.fc9.3 (Feb 6)
  -------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147947

* Fedora 9 Update: Miro-1.2.7-4.fc9 (Feb 6)
  -----------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147948

* Fedora 10 Update: ruby-gnome2-0.18.1-3.fc10 (Feb 6)
  ---------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147932

* Fedora 10 Update: yelp-2.24.0-5.fc10 (Feb 6)
  --------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147933

* Fedora 9 Update: xulrunner-1.9.0.6-1.fc9 (Feb 6)
  ------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147934

* Fedora 9 Update: firefox-3.0.6-1.fc9 (Feb 6)
  --------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147935

* Fedora 9 Update: epiphany-extensions-2.22.1-7.fc9 (Feb 6)
  ---------------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147936

* Fedora 9 Update: epiphany-2.22.2-7.fc9 (Feb 6)
  ----------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.
  http://www.linuxsecurity.com/content/view/147937

* Fedora 9 Update: chmsee-1.0.1-8.fc9 (Feb 6)
  -------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147938

* Fedora 10 Update: gnome-web-photo-0.3-14.fc10 (Feb 6)
  -----------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147926

* Fedora 10 Update: kazehakase-0.5.6-1.fc10.3 (Feb 6)
  ---------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147927

* Fedora 10 Update: mozvoikko-0.9.5-6.fc10 (Feb 6)
  ------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147928

* Fedora 10 Update: Miro-1.2.8-2.fc10 (Feb 6)
  -------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147929

* Fedora 10 Update: mugshot-1.2.2-5.fc10 (Feb 6)
  ----------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147931

* Fedora 10 Update: epiphany-extensions-2.24.0-4.fc10 (Feb 6)
  -----------------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147917

* Fedora 10 Update: devhelp-0.22-3.fc10 (Feb 6)
  ---------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.
  http://www.linuxsecurity.com/content/view/147918

* Fedora 10 Update: epiphany-2.24.3-2.fc10 (Feb 6)
  ------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147919

* Fedora 10 Update: evolution-rss-0.1.2-4.fc10 (Feb 6)
  ----------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147920

* Fedora 10 Update: blam-1.8.5-6.fc10 (Feb 6)
  -------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147921

* Fedora 10 Update: galeon-2.0.7-5.fc10 (Feb 6)
  ---------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147922

* Fedora 10 Update: google-gadgets-0.10.5-2.fc10 (Feb 6)
  ------------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147923

* Fedora 10 Update: gnome-python2-extras-2.19.1-26.fc10 (Feb 6)
  -------------------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147924

* Fedora 10 Update: gecko-sharp2-0.13-4.fc10 (Feb 6)
  --------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147925

* Fedora 10 Update: xulrunner-1.9.0.6-1.fc10 (Feb 6)
  --------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.
  http://www.linuxsecurity.com/content/view/147915

* Fedora 10 Update: firefox-3.0.6-1.fc10 (Feb 6)
  ----------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

  http://www.linuxsecurity.com/content/view/147916

------------------------------------------------------------------------

* Gentoo: sudo Privilege escalation (Feb 6)
  -----------------------------------------
  A vulnerability in sudo may allow for privilege escalation.

  http://www.linuxsecurity.com/content/view/147960

------------------------------------------------------------------------

* Mandriva: [ MDVSA-2009:036 ] python (Feb 12)
  --------------------------------------------
  Multiple integer overflows in imageop.c in the imageop module in
  Python 1.5.2 through 2.5.1 allow context-dependent attackers to break
  out of the Python VM and execute arbitrary code via large integer
  values in certain arguments to the crop function, leading to a buffer
  overflow, a different vulnerability than CVE-2007-4965 and
  CVE-2008-1679. (CVE-2008-4864)

  http://www.linuxsecurity.com/content/view/147981

* Mandriva: [ MDVA-2009:023 ] db46 (Feb 12)
  -----------------------------------------
  Additional official patches have been released for db 4.6 after the
  Mandriva release.

  http://www.linuxsecurity.com/content/view/147979

* Mandriva: [ MDVA-2009:022 ] xkeyboard-config (Feb 12)
  -----------------------------------------------------
  Wrong directory permissions would prevent the compilation of keyboard
  mappings. This update fixes this issue.

  http://www.linuxsecurity.com/content/view/147978

* Mandriva: [ MDVA-2009:021 ] drakxtools (Feb 12)
  -----------------------------------------------
  This update fixes several minor issues with drakxtools.

  http://www.linuxsecurity.com/content/view/147977

* Mandriva: [ MDVA-2009:020 ] rhythmbox (Feb 12)
  ----------------------------------------------
  Rhythmbox could crash when handling removable devices and media
  players, like iPods.
  This update fixes the problem.

  http://www.linuxsecurity.com/content/view/147976

* Mandriva: [ MDVA-2009:019 ] glibc (Feb 11)
  ------------------------------------------
  The glibc packages released with Mandriva Linux 2008 and Mandriva
  Linux 2008 Spring had the /etc/ld.so.conf file using relative paths to
  include other config files at /etc/ld.so.conf.d, breaking usage of
  ldconfig -r, for example when you have chroot environments. This
  update fixes ld.so.conf to use absolute paths instead. Also, other
  cumulative bug fixes are provided.

  http://www.linuxsecurity.com/content/view/147975

* Mandriva: [ MDVSA-2009:035 ] gstreamer0.10-plugins-good (Feb 10)
  ----------------------------------------------------------------
  Security vulnerabilities have been discovered and corrected in
  gstreamer0.10-plugins-good, which might allow remote attackers to
  execute arbitrary code via a malformed QuickTime media file
  (CVE-2009-0386, CVE-2009-0387, CVE-2009-0397). The updated packages
  have been patched to prevent this.

  http://www.linuxsecurity.com/content/view/147968

* Mandriva: [ MDVSA-2009:034 ] squid (Feb 10)
  -------------------------------------------
  Due to an internal error Squid is vulnerable to a denial of service
  attack when processing specially crafted requests. This problem
  allows any client to perform a denial of service attack on the Squid
  service (CVE-2009-0478). The updated packages have been patched to
  address this.

  http://www.linuxsecurity.com/content/view/147966

* Mandriva: [ MDVA-2009:018 ] clamav (Feb 6)
  ------------------------------------------
  This update fixes several issues with clamav.

  http://www.linuxsecurity.com/content/view/147959

* Mandriva: [ MDVA-2009:017 ] glibc (Feb 6)
  -----------------------------------------
  The regexp.h header shipped with glibc 2.8, in Mandriva Linux 2009,
  had an error which caused the build of programs using the regexp
  compile function to fail. This update addresses the issue.
  http://www.linuxsecurity.com/content/view/147955

------------------------------------------------------------------------

* RedHat: Moderate: mod_auth_mysql security update (Feb 11)
  ---------------------------------------------------------
  An updated mod_auth_mysql package to correct a security issue is now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/147970

* RedHat: Moderate: vnc security update (Feb 11)
  ----------------------------------------------
  Updated vnc packages to correct a security issue are now available
  for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/147971

* RedHat: Moderate: netpbm security update (Feb 11)
  -------------------------------------------------
  Updated netpbm packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/147969

* RedHat: Important: kernel security update (Feb 10)
  --------------------------------------------------
  Updated kernel packages that resolve several security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having important security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/147965

* RedHat: Important: gstreamer-plugins security update (Feb 6)
  ------------------------------------------------------------
  Updated gstreamer-plugins packages that fix one security issue are
  now available for Red Hat Enterprise Linux 3. This update has been
  rated as having important security impact by the Red Hat Security
  Response Team.
  http://www.linuxsecurity.com/content/view/147956

* RedHat: Important: gstreamer-plugins security update (Feb 6)
  ------------------------------------------------------------
  Updated gstreamer-plugins packages that fix one security issue are
  now available for Red Hat Enterprise Linux 4. This update has been
  rated as having important security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/147957

* RedHat: Important: gstreamer-plugins-good security (Feb 6)
  ----------------------------------------------------------
  Updated gstreamer-plugins-good packages that fix several security
  issues are now available for Red Hat Enterprise Linux 5. This update
  has been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/147958

* RedHat: Moderate: sudo security update (Feb 5)
  ----------------------------------------------
  An updated sudo package to fix a security issue is now available for
  Red Hat Enterprise Linux 5. This update has been rated as having
  moderate security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/147913

------------------------------------------------------------------------

* Slackware: wicd (Feb 9)
  -----------------------
  New wicd packages are available for Slackware 12.2 and -current to
  fix a security issue with the D-Bus configuration file that could
  allow local information disclosure (such as network credentials).

  http://www.linuxsecurity.com/content/view/147963

------------------------------------------------------------------------

* Ubuntu: PHP vulnerabilities (Feb 12)
  -------------------------------------
  It was discovered that PHP did not properly enforce php_admin_value
  and php_admin_flag restrictions in the Apache configuration file. A
  local attacker could create a specially crafted PHP script that would
  bypass intended security restrictions.
  This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS.
  (CVE-2007-5900)

  http://www.linuxsecurity.com/content/view/147983

* Ubuntu: pam-krb5 vulnerabilities (Feb 12)
  ------------------------------------------
  It was discovered that pam_krb5 parsed environment variables when run
  with setuid applications. A local attacker could exploit this flaw to
  bypass authentication checks and gain root privileges. (CVE-2009-0360)

  Derek Chan discovered that pam_krb5 incorrectly handled refreshing
  existing credentials when used with setuid applications. A local
  attacker could exploit this to create or overwrite arbitrary files,
  and possibly gain root privileges. (CVE-2009-0361)

  http://www.linuxsecurity.com/content/view/147982

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.

------------------------------------------------------------------------