+----------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter      |
|  February 20th, 2009                          Volume 10, Number 8    |
|                                                                      |
|  Editorial Team:  Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx>            |
|                   Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx>     |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for moodle, net-snmp, fail2ban,
dnsmasq, libresample, dahdi-tools, asterisk, squid, lighttpd, squidGuard,
xine-lib, python, valgrind, openssl, dia, gedit, blender, db46,
xkeyboard-config, rhythmbox, php, krb5, wireshark, pycrypto, and ffmpeg.
The distributors include Debian, Fedora, Gentoo, Mandriva, and Pardus.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments. Catch up with what
professional network and database administrators, system programmers,
webmasters and all those who believe in the power of Open Source software
are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------

If I ask "How much do you know about Google?" you may not take even a
second to respond. But if I ask "How much does Google know about you?"
you may instantly reply "Wait... what!? Do they!?" The book "Googling
Security: How Much Does Google Know About You" by Greg Conti (Computer
Science Professor at West Point) is the first book to reveal how Google's
vast information stockpiles could be used against you or your business
and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------

Nagios is monitoring software designed to let you know about problems on
your hosts and networks quickly. You can configure it to be used on any
network. Setting up a Nagios server on any Linux distribution is a very
quick process; making it a secure setup, however, takes some work. This
article will not show you how to install Nagios, since there are plenty
of guides for that, but it will show you in detail ways to improve your
Nagios security.

http://www.linuxsecurity.com/content/view/144088

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes many
  updated packages and bug fixes and some feature enhancements to the
  EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New websvn packages fix information leak (Feb 15)
  ---------------------------------------------------------
  Bas van Schaik discovered that WebSVN, a tool to view Subversion
  repositories over the web, did not properly restrict access to private
  repositories, allowing a remote attacker to read significant parts of
  their content.

  http://www.linuxsecurity.com/content/view/148008

* Debian: New moodle packages fix several vulnerabilities (Feb 13)
  ----------------------------------------------------------------
  Several vulnerabilities have been discovered in Moodle, an online
  course management system.

  http://www.linuxsecurity.com/content/view/148002

------------------------------------------------------------------------

* Fedora 10 Update: net-snmp-5.4.2.1-3.fc10 (Feb 17)
  --------------------------------------------------
  Fix tcp_wrappers integration (CVE-2008-6123).

  http://www.linuxsecurity.com/content/view/148020

* Fedora 9 Update: fail2ban-0.8.3-18.fc9 (Feb 14)
  -----------------------------------------------
  This update fixes CVE-2009-0362. See
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0362 for
  further details.

  http://www.linuxsecurity.com/content/view/148006

* Fedora 10 Update: fail2ban-0.8.3-18.fc10 (Feb 14)
  -------------------------------------------------
  This update fixes CVE-2009-0362. See
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0362 for
  further details.

  http://www.linuxsecurity.com/content/view/148007

* Fedora 9 Update: dnsmasq-2.45-1.fc9 (Feb 14)
  --------------------------------------------
  Update to newer upstream version 2.45. The version of dnsmasq
  previously shipped in Fedora 9 did not properly drop privileges,
  causing it to run as root instead of the intended user nobody. The
  issue was caused by a bug in the kernel-headers used in the build
  environment of the original packages (#454415). The new upstream
  version also adds DNS query source port randomization, mitigating DNS
  spoofing attacks (CVE-2008-1447).

  http://www.linuxsecurity.com/content/view/148005

* Fedora 10 Update: moodle-1.9.4-1.fc10 (Feb 13)
  ----------------------------------------------
  Multiple security fixes.

  http://www.linuxsecurity.com/content/view/148003

* Fedora 9 Update: libresample-0.1.3-9.fc9 (Feb 13)
  -------------------------------------------------
  Add a patch to fix a problem with the manager interface. Update to
  1.6.0.5 to fix AST-2009-001 / CVE-2009-0041.

  http://www.linuxsecurity.com/content/view/148000

* Fedora 9 Update: dahdi-tools-2.0.0-1.fc9 (Feb 13)
  -------------------------------------------------
  Add a patch to fix a problem with the manager interface. Update to
  1.6.0.5 to fix AST-2009-001 / CVE-2009-0041.

  http://www.linuxsecurity.com/content/view/147998

* Fedora 9 Update: asterisk-1.6.0.5-2.fc9 (Feb 13)
  ------------------------------------------------
  Add a patch to fix a problem with the manager interface. Update to
  1.6.0.5 to fix AST-2009-001 / CVE-2009-0041.

  http://www.linuxsecurity.com/content/view/147999

* Fedora 9 Update: moodle-1.9.4-1.fc9 (Feb 12)
  --------------------------------------------
  Multiple security fixes.

  http://www.linuxsecurity.com/content/view/147997

* Fedora 10 Update: asterisk-1.6.0.5-2.fc10 (Feb 12)
  --------------------------------------------------
  Add a patch to fix a problem with the manager interface. Update to
  1.6.0.5 to fix AST-2009-001 / CVE-2009-0041.

  http://www.linuxsecurity.com/content/view/147996

* Fedora 9 Update: squid-3.0.STABLE13-1.fc9 (Feb 12)
  --------------------------------------------------
  Upgrade to latest upstream.

  http://www.linuxsecurity.com/content/view/147988

* Fedora 9 Update: lighttpd-1.4.20-6.fc9 (Feb 12)
  -----------------------------------------------
  This update fixes some moderate security issues and includes a few
  enhancements.

  http://www.linuxsecurity.com/content/view/147989

* Fedora 10 Update: squidGuard-1.2.1-2.fc10 (Feb 12)
  --------------------------------------------------
  Update to 1.2.1, and patch for SG-2008-06-13.

  http://www.linuxsecurity.com/content/view/147990

* Fedora 9 Update: xine-lib-1.1.16.2-1.fc9.1 (Feb 12)
  ---------------------------------------------------
  This release contains one new security fix (CVE-2008-5240) and
  corrections of previous security fixes. It also includes fixes for
  race conditions in gapless_switch (ref. KDE bug #180339).

  http://www.linuxsecurity.com/content/view/147991

* Fedora 10 Update: python-fedora-0.3.9-1.fc10 (Feb 12)
  -----------------------------------------------------
  This release includes a bugfix to the
  fedora.client.AccountSystem().verify_password() method.
  verify_password() was incorrectly returning True (meaning the
  username/password combination was correct) for any input. Although no
  known code uses this method to verify a user's account with the Fedora
  Account System, the existence of the method, and the fact that any
  caller would have been accepting users because of the bug, makes this
  a high-priority bug to fix.

  http://www.linuxsecurity.com/content/view/147992

* Fedora 10 Update: xine-lib-1.1.16.2-1.fc10 (Feb 12)
  ---------------------------------------------------
  This release contains one new security fix (CVE-2008-5240) and
  corrections of previous security fixes. It also includes fixes for
  race conditions in gapless_switch (ref. KDE bug #180339).

  http://www.linuxsecurity.com/content/view/147984

* Fedora 9 Update: squidGuard-1.2.1-2.fc9 (Feb 12)
  ------------------------------------------------
  Update to 1.2.1, and patch for SG-2008-06-13.

  http://www.linuxsecurity.com/content/view/147985

* Fedora 9 Update: python-fedora-0.3.9-1.fc9 (Feb 12)
  ---------------------------------------------------
  This release includes a bugfix to the
  fedora.client.AccountSystem().verify_password() method.
  verify_password() was incorrectly returning True (meaning the
  username/password combination was correct) for any input. Although no
  known code uses this method to verify a user's account with the Fedora
  Account System, the existence of the method, and the fact that any
  caller would have been accepting users because of the bug, makes this
  a high-priority bug to fix.

  http://www.linuxsecurity.com/content/view/147986

* Fedora 10 Update: squid-3.0.STABLE13-1.fc10 (Feb 12)
  ----------------------------------------------------
  Upgrade to latest upstream.

  http://www.linuxsecurity.com/content/view/147987

------------------------------------------------------------------------

* Gentoo: xterm User-assisted arbitrary commands execution (Feb 14)
  -----------------------------------------------------------------
  An error in the processing of special sequences in xterm may lead to
  arbitrary command execution.

  http://www.linuxsecurity.com/content/view/148004

* Gentoo: xterm User-assisted arbitrary commands execution (Feb 12)
  -----------------------------------------------------------------
  An error in the processing of special sequences in xterm may lead to
  arbitrary command execution.

  http://www.linuxsecurity.com/content/view/147995

* Gentoo: Valgrind Untrusted search path (Feb 12)
  -----------------------------------------------
  An untrusted search path vulnerability in Valgrind might result in the
  execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/147994

* Gentoo: OpenSSL Certificate validation error (Feb 12)
  -----------------------------------------------------
  An error in the OpenSSL certificate chain validation might allow for
  spoofing attacks.

  http://www.linuxsecurity.com/content/view/147993

------------------------------------------------------------------------

* Mandriva: [ MDVSA-2009:040 ] dia (Feb 16)
  -----------------------------------------
  Python has a variable called sys.path that lists all paths from which
  Python loads modules via the import statement. Incorrect handling of
  that variable enables local attackers to execute arbitrary code via
  Python scripting in the current dia working directory (CVE-2008-5984).
  This update provides a fix for that vulnerability.

  http://www.linuxsecurity.com/content/view/148013

* Mandriva: [ MDVSA-2009:039 ] gedit (Feb 16)
  -------------------------------------------
  Python has a variable called sys.path that lists all paths from which
  Python loads modules via the import statement. Incorrect handling of
  that variable enables local attackers to execute arbitrary code via
  Python scripting in the current gedit working directory
  (CVE-2009-0314). This update provides a fix for that vulnerability.

  http://www.linuxsecurity.com/content/view/148012

* Mandriva: [ MDVSA-2009:038 ] blender (Feb 16)
  ---------------------------------------------
  Python has a variable called sys.path that lists all paths from which
  Python loads modules via the import statement. Incorrect handling of
  that variable enables local attackers to execute arbitrary code via
  Python scripting in the current Blender working directory
  (CVE-2008-4863). This update provides a fix for that vulnerability.

  http://www.linuxsecurity.com/content/view/148011

* Mandriva: [ MDVSA-2009:037 ] bind (Feb 16)
  ------------------------------------------
  Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not
  properly check the return value from the OpenSSL EVP_VerifyFinal
  function, which allows remote attackers to bypass validation of the
  certificate chain via a malformed SSL/TLS signature, a similar
  vulnerability to CVE-2008-5077 and CVE-2009-0025. In this particular
  case the DSA_verify function was fixed with MDVSA-2009:002; this
  update addresses the RSA_verify function (CVE-2009-0265).

  http://www.linuxsecurity.com/content/view/148010

* Mandriva: [ MDVSA-2009:036 ] python (Feb 12)
  --------------------------------------------
  Multiple integer overflows in imageop.c in the imageop module in
  Python 1.5.2 through 2.5.1 allow context-dependent attackers to break
  out of the Python VM and execute arbitrary code via large integer
  values in certain arguments to the crop function, leading to a buffer
  overflow, a different vulnerability than CVE-2007-4965 and
  CVE-2008-1679. (CVE-2008-4864)

  http://www.linuxsecurity.com/content/view/147981

* Mandriva: [ MDVA-2009:023 ] db46 (Feb 12)
  -----------------------------------------
  Additional official patches have been released for db 4.6 after the
  Mandriva release.

  http://www.linuxsecurity.com/content/view/147979

* Mandriva: [ MDVA-2009:022 ] xkeyboard-config (Feb 12)
  -----------------------------------------------------
  Wrong directory permissions would prevent the compilation of keyboard
  mappings. This update fixes this issue.

  http://www.linuxsecurity.com/content/view/147978

* Mandriva: [ MDVA-2009:021 ] drakxtools (Feb 12)
  -----------------------------------------------
  This update fixes several minor issues with drakxtools.

  http://www.linuxsecurity.com/content/view/147977

* Mandriva: [ MDVA-2009:020 ] rhythmbox (Feb 12)
  ----------------------------------------------
  Rhythmbox could crash when handling removable devices and media
  players, like iPods. This update fixes the problem.

  http://www.linuxsecurity.com/content/view/147976

------------------------------------------------------------------------

* SuSE: Mozilla Firefox (SUSE-SA:2009:009) (Feb 16)
  -------------------------------------------------
  The Mozilla Firefox browser is updated to version 3.0.6 fixing various
  security and stability issues.

  http://www.linuxsecurity.com/content/view/148009

------------------------------------------------------------------------

* Ubuntu: PHP vulnerabilities (Feb 12)
  -------------------------------------
  It was discovered that PHP did not properly enforce php_admin_value
  and php_admin_flag restrictions in the Apache configuration file. A
  local attacker could create a specially crafted PHP script that would
  bypass intended security restrictions. This issue only applied to
  Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2007-5900)

  http://www.linuxsecurity.com/content/view/147983

* Ubuntu: pam-krb5 vulnerabilities (Feb 12)
  ------------------------------------------
  It was discovered that pam_krb5 parsed environment variables when run
  with setuid applications. A local attacker could exploit this flaw to
  bypass authentication checks and gain root privileges. (CVE-2009-0360)

  Derek Chan discovered that pam_krb5 incorrectly handled refreshing
  existing credentials when used with setuid applications. A local
  attacker could exploit this to create or overwrite arbitrary files,
  and possibly gain root privileges. (CVE-2009-0361)

  http://www.linuxsecurity.com/content/view/147982

------------------------------------------------------------------------

* Pardus: Firefox: Multiple Vulnerabilities (Feb 17)
  --------------------------------------------------
  Some vulnerabilities have been reported in Mozilla Firefox, which can
  be exploited by malicious, local users to potentially disclose
  sensitive information, and by malicious people to conduct cross-site
  scripting attacks, bypass certain security restrictions, disclose
  sensitive information, or potentially to compromise a user's system.

  http://www.linuxsecurity.com/content/view/148019

* Pardus: Pam-krb5: Privilege Escalation (Feb 17)
  -----------------------------------------------
  Some vulnerabilities have been reported in pam-krb5, which can be
  exploited by malicious, local users to overwrite files and to gain
  escalated privileges.

  http://www.linuxsecurity.com/content/view/148018

* Pardus: Libvirt: Buffer Overflow (Feb 17)
  -----------------------------------------
  A vulnerability has been reported in libvirt, which can be exploited
  by malicious, local users to potentially gain escalated privileges.

  http://www.linuxsecurity.com/content/view/148017

* Pardus: Wireshark: Buffer Overflow (Feb 17)
  -------------------------------------------
  A vulnerability has been reported in Wireshark, which can be exploited
  by malicious people to potentially compromise a user's system. The
  vulnerability is caused due to a boundary error in the processing of
  NetScreen Snoop capture files and can be exploited to cause a
  stack-based buffer overflow.

  http://www.linuxsecurity.com/content/view/148016

* Pardus: Pycrypto: Buffer Overflow (Feb 17)
  ------------------------------------------
  Buffer overflow in the PyCrypto ARC2 module 2.0.1 allows remote
  attackers to cause a denial of service and possibly execute arbitrary
  code via a large ARC2 key length.

  http://www.linuxsecurity.com/content/view/148015

* Pardus: Ffmpeg and Mplayer: Denial of (Feb 17)
  ----------------------------------------------
  Tobias Klein has reported a vulnerability in FFmpeg, which potentially
  can be exploited by malicious people to compromise an application
  using the library. This vulnerability also affects Mplayer.

  http://www.linuxsecurity.com/content/view/148014

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------