+----------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter      |
|  March 27th, 2009                             Volume 10, Number 13   |
|                                                                      |
|  Editorial Team:  Dave Wreski            <dwreski@xxxxxxxxxxxxxxxxx> |
|                   Benjamin D. Thomas     <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for systemtap, lcms, webcit,
xulrunner, libpng, libsoup, glib, ghostscript, java, argyllcms,
phpmyadmin, compiz-fusion, openjdk, postgresql, drupal, squid, muttprint,
ffmpeg, pam, evolution, drakconf, dhcp, and thunderbird.

The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat,
Slackware, Ubuntu, and Pardus.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------

If I ask "How much do you know about Google?", you may not take even a
second to respond. But if I ask "How much does Google know about you?",
you may instantly reply "Wait... what!? Do they!?" The book "Googling
Security: How Much Does Google Know About You" by Greg Conti (Computer
Science Professor at West Point) is the first book to reveal how Google's
vast information stockpiles could be used against you or your business,
and what you can do to protect yourself.
http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------

Nagios is monitoring software designed to let you know about problems on
your hosts and networks quickly, and it can be configured for use on any
network. Setting up a Nagios server on any Linux distribution is a quick
process; making that setup secure takes some work. This article will not
show you how to install Nagios, since there are plenty of installation
guides already, but it will show you in detail ways to improve your
Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf  <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes many
  updated packages and bug fixes and some feature enhancements to the
  EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New systemtap packages fix local privilege escalation (Mar 25)
  ----------------------------------------------------------------------
  Erik Sjoelund discovered that a race condition in the stap tool shipped
  by Systemtap, an instrumentation system for Linux 2.6, allows local
  privilege escalation for members of the stapusr group.

  http://www.linuxsecurity.com/content/view/148378

* Debian: New lcms packages fix regression (Mar 25)
  -------------------------------------------------
  Several security issues have been discovered in lcms, a color
  management library.
http://www.linuxsecurity.com/content/view/148363

* Debian: New webcit packages fix potential remote code execution (Mar 23)
  ------------------------------------------------------------------------
  Wilfried Goesgens discovered that WebCit, the web-based user interface
  for the Citadel groupware system, contains a format string
  vulnerability in the mini_calendar component, possibly allowing
  arbitrary code execution (CVE-2009-0364).

  http://www.linuxsecurity.com/content/view/148344

* Debian: New xulrunner packages fix several vulnerabilities (Mar 22)
  -------------------------------------------------------------------
  Several remote vulnerabilities have been discovered in Xulrunner, a
  runtime environment for XUL applications, such as the Iceweasel web
  browser.

  http://www.linuxsecurity.com/content/view/148336

* Debian: New libpng packages fix several vulnerabilities (Mar 22)
  ----------------------------------------------------------------
  Several vulnerabilities have been discovered in libpng, a library for
  reading and writing PNG files.

  http://www.linuxsecurity.com/content/view/148335

* Debian: New Linux 2.6.26 packages fix several vulnerabilities (Mar 20)
  ----------------------------------------------------------------------
  Several vulnerabilities have been discovered in the Linux kernel that
  may lead to a denial of service or privilege escalation.

  http://www.linuxsecurity.com/content/view/148326

* Debian: New libsoup packages fix arbitrary code execution (Mar 20)
  ------------------------------------------------------------------
  It was discovered that libsoup, an HTTP library implementation in C,
  handles large strings insecurely via its Base64 encoding functions.
  This could possibly lead to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/148320

* Debian: New glib2.0 packages fix arbitrary code execution (Mar 20)
  ------------------------------------------------------------------
  Diego Pettenò discovered that glib2.0, the GLib library of C routines,
  handles large strings insecurely via its Base64 encoding functions.
  This could possibly lead to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/148319

* Debian: New ghostscript packages fix arbitrary code execution (Mar 20)
  ----------------------------------------------------------------------
  Two security issues have been discovered in ghostscript, the GPL
  Ghostscript PostScript/PDF interpreter.

  http://www.linuxsecurity.com/content/view/148317

* Debian: New lcms packages fix arbitrary code execution (Mar 20)
  ---------------------------------------------------------------
  Several security issues have been discovered in lcms, a color
  management library.

  http://www.linuxsecurity.com/content/view/148316

------------------------------------------------------------------------

* Fedora 9 Update: java-1.6.0-openjdk-1.6.0.0-0.23.b09.fc9 (Mar 25)
  -----------------------------------------------------------------
  lcms in OpenJDK upgraded to 1.18, fixing many related security issues.

  http://www.linuxsecurity.com/content/view/148377

* Fedora 9 Update: argyllcms-1.0.3-3.fc9 (Mar 25)
  -----------------------------------------------
  Multiple integer overflows were found in the International Color
  Consortium Format Library (icclib). An attacker could use this flaw to
  potentially execute arbitrary code by requesting to translate a
  specially-crafted image file created on one device into another
  device's native color space via a device file.

  http://www.linuxsecurity.com/content/view/148376

* Fedora 10 Update: argyllcms-1.0.3-3.fc10 (Mar 25)
  -------------------------------------------------
  Multiple integer overflows were found in the International Color
  Consortium Format Library (icclib). An attacker could use this flaw to
  potentially execute arbitrary code by requesting to translate a
  specially-crafted image file created on one device into another
  device's native color space via a device file.

  http://www.linuxsecurity.com/content/view/148375

* Fedora 10 Update: phpMyAdmin-3.1.3.1-1.fc10 (Mar 25)
  ----------------------------------------------------
  Improvements for 3.1.3.1:
  - [security] HTTP Response Splitting and file inclusion vulnerabilities
  - [security] XSS vulnerability on export page
  - [security] Insufficient output sanitizing when generating
    configuration file

  http://www.linuxsecurity.com/content/view/148374

* Fedora 9 Update: compiz-fusion-0.7.6-6.fc9 (Mar 25)
  ---------------------------------------------------
  This update fixes a security issue in the expo plugin which allows
  local users with physical access to drag the screen saver aside and
  access the locked desktop by using Expo mouse shortcuts.

  http://www.linuxsecurity.com/content/view/148373

* Fedora 9 Update: phpMyAdmin-3.1.3.1-1.fc9 (Mar 25)
  --------------------------------------------------
  Improvements for 3.1.3.1:
  - [security] HTTP Response Splitting and file inclusion vulnerabilities
  - [security] XSS vulnerability on export page
  - [security] Insufficient output sanitizing when generating
    configuration file

  http://www.linuxsecurity.com/content/view/148371

* Fedora 10 Update: compiz-fusion-0.7.8-4.fc10 (Mar 25)
  -----------------------------------------------------
  This update fixes a security issue in the expo plugin which allows
  local users with physical access to drag the screen saver aside and
  access the locked desktop by using Expo mouse shortcuts.

  http://www.linuxsecurity.com/content/view/148372

* Fedora 10 Update: java-1.6.0-openjdk-1.6.0.0-11.b14.fc10 (Mar 24)
  -----------------------------------------------------------------
  Fixes an important lcms security bug which gives unwarranted access to
  malicious users.
http://www.linuxsecurity.com/content/view/148352

* Fedora 9 Update: java-1.6.0-openjdk-1.6.0.0-0.21.b09.fc9 (Mar 24)
  -----------------------------------------------------------------
  Fixes an important lcms security bug which gives unwarranted access to
  malicious users.

  http://www.linuxsecurity.com/content/view/148353

* Fedora 10 Update: lcms-1.18-0.1.beta2.fc10 (Mar 23)
  ---------------------------------------------------
  Some patches that were collected in the Fedora package have just been
  submitted upstream. Chances are high that this update will be
  superseded by a beta3 or a stable release from upstream.

  http://www.linuxsecurity.com/content/view/148343

* Fedora 10 Update: postgresql-8.3.7-1.fc10 (Mar 23)
  --------------------------------------------------
  Update to PostgreSQL 8.3.7, for various fixes described at
  http://www.postgresql.org/docs/8.3/static/release-8-3-7.html

  http://www.linuxsecurity.com/content/view/148342

* Fedora 9 Update: postgresql-8.3.7-1.fc9 (Mar 23)
  ------------------------------------------------
  Update to PostgreSQL 8.3.7, for various fixes described at
  http://www.postgresql.org/docs/8.3/static/release-8-3-7.html

  http://www.linuxsecurity.com/content/view/148340

* Fedora 9 Update: lcms-1.18-0.1.beta2.fc9 (Mar 23)
  -------------------------------------------------
  Some patches that were collected in the Fedora package have just been
  submitted upstream. Chances are high that this update will be
  superseded by a beta3 or a stable release from upstream.

  http://www.linuxsecurity.com/content/view/148339

* Fedora 10 Update: ghostscript-8.63-5.fc10 (Mar 20)
  --------------------------------------------------
  Security update for integer overflows (CVE-2009-0583) and upper bounds
  checks (CVE-2009-0584) in the ICC profile handling.
http://www.linuxsecurity.com/content/view/148331

* Fedora 9 Update: thunderbird-2.0.0.21-1.fc9 (Mar 20)
  ----------------------------------------------------
  Several flaws were found in the processing of malformed HTML mail
  content. An HTML mail message containing malicious content could cause
  Thunderbird to crash or, potentially, execute arbitrary code as the
  user running Thunderbird. (CVE-2009-0040, CVE-2009-0352, CVE-2009-0353,
  CVE-2009-0772, CVE-2009-0774, CVE-2009-0775)

  Several flaws were found in the way malformed content was processed.
  An HTML mail message containing specially-crafted content could
  potentially trick a Thunderbird user into surrendering sensitive
  information. (CVE-2009-0355, CVE-2009-0776)

  Note: JavaScript support is disabled by default in Thunderbird. None
  of the above issues are exploitable unless JavaScript is enabled.

  http://www.linuxsecurity.com/content/view/148330

* Fedora 10 Update: thunderbird-2.0.0.21-1.fc10 (Mar 20)
  ------------------------------------------------------
  Several flaws were found in the processing of malformed HTML mail
  content. An HTML mail message containing malicious content could cause
  Thunderbird to crash or, potentially, execute arbitrary code as the
  user running Thunderbird. (CVE-2009-0040, CVE-2009-0352, CVE-2009-0353,
  CVE-2009-0772, CVE-2009-0774, CVE-2009-0775)

  Several flaws were found in the way malformed content was processed.
  An HTML mail message containing specially-crafted content could
  potentially trick a Thunderbird user into surrendering sensitive
  information. (CVE-2009-0355, CVE-2009-0776)

  Note: JavaScript support is disabled by default in Thunderbird. None
  of the above issues are exploitable unless JavaScript is enabled.

  http://www.linuxsecurity.com/content/view/148328

* Fedora 9 Update: ghostscript-8.63-2.fc9 (Mar 20)
  ------------------------------------------------
  Security update for integer overflows (CVE-2009-0583) and upper bounds
  checks (CVE-2009-0584) in the ICC profile handling.
http://www.linuxsecurity.com/content/view/148329

* Fedora 10 Update: drupal-cck-6.x.2.2-1.fc10 (Mar 20)
  ----------------------------------------------------
  Fixes DRUPAL-SA-CONTRIB-2009-013 - XSS issue.

  http://www.linuxsecurity.com/content/view/148322

* Fedora 9 Update: drupal-cck-6.x.2.2-1.fc9 (Mar 20)
  --------------------------------------------------
  Fixes DRUPAL-SA-CONTRIB-2009-013 - XSS issue.

  http://www.linuxsecurity.com/content/view/148323

------------------------------------------------------------------------

* Gentoo: Squid Multiple Denial of Service vulnerabilities (Mar 24)
  -----------------------------------------------------------------
  Multiple vulnerabilities have been found in Squid which allow for
  remote Denial of Service attacks.

  http://www.linuxsecurity.com/content/view/148357

* Gentoo: Ghostscript User-assisted execution of arbitrary code (Mar 23)
  ----------------------------------------------------------------------
  Multiple integer overflows in the Ghostscript ICC library might allow
  for user-assisted execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/148351

* Gentoo: MLDonkey Information disclosure (Mar 23)
  ------------------------------------------------
  A vulnerability in the MLDonkey web interface allows remote attackers
  to disclose arbitrary files.

  http://www.linuxsecurity.com/content/view/148350

* Gentoo: Muttprint Insecure temporary file usage (Mar 23)
  --------------------------------------------------------
  Insecure temporary file usage in Muttprint allows for symlink attacks.

  http://www.linuxsecurity.com/content/view/148349

* Gentoo: Amarok User-assisted execution of arbitrary code (Mar 20)
  -----------------------------------------------------------------
  Multiple vulnerabilities in Amarok might allow for user-assisted
  execution of arbitrary code.
http://www.linuxsecurity.com/content/view/148325

* Gentoo: FFmpeg Multiple vulnerabilities (Mar 19)
  ------------------------------------------------
  Multiple vulnerabilities in FFmpeg may lead to the remote execution of
  arbitrary code or a Denial of Service.

  http://www.linuxsecurity.com/content/view/148315

------------------------------------------------------------------------

* Mandriva: [ MDVSA-2009:079 ] postgresql (Mar 23)
  ------------------------------------------------
  PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows
  remote authenticated users to cause a denial of service (stack
  consumption and crash) by triggering a failure in the conversion of a
  localized error message to a client-specified encoding, as
  demonstrated using mismatched encoding conversion requests
  (CVE-2009-0922). This update provides a fix for this vulnerability.

  http://www.linuxsecurity.com/content/view/148348

* Mandriva: [ MDVSA-2009:078 ] evolution-data-server (Mar 23)
  -----------------------------------------------------------
  Incorrect handling of signed Secure/Multipurpose Internet Mail
  Extensions (S/MIME) e-mail messages enables attackers to spoof
  signatures by modifying the latter copy (CVE-2009-0547).

  Crafted authentication challenge packets (NT LAN Manager type 2) sent
  by a malicious remote mail server enable remote attackers to cause a
  denial of service or to read information from the process memory of
  the client (CVE-2009-0582).

  Multiple integer overflows in Base64 encoding functions enable
  attackers to cause a denial of service or to execute arbitrary code
  (CVE-2009-0587).

  This update provides fixes for those vulnerabilities.
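
  The libsoup, glib2.0 and evolution-data-server (CVE-2009-0587) entries
  above describe one bug class: an integer overflow in the arithmetic
  that sizes a Base64 encoder's output buffer. The C program below is an
  added illustration written for this digest, not code from any of those
  projects; the exact size formula, the 32-bit size type (chosen so the
  wraparound reproduces on 64-bit hosts) and the function names are
  assumptions. It shows the unchecked formula returning a buffer smaller
  than the input for a very large length, and an encoder that bounds the
  length before it allocates.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* 32-bit size model so the wraparound reproduces on any host,
 * including 64-bit ones (an assumption made for this illustration). */
typedef uint32_t usize32;

/* Unchecked size formula of the kind the advisories describe: every 3
 * input bytes become 4 output bytes, plus slack for padding and the NUL.
 * For a huge len the multiply wraps and the result is *smaller* than
 * len, so an encode loop sized by it writes far past the buffer. */
static usize32 b64_size_unchecked(usize32 len)
{
    return (len / 3 + 1) * 4 + 4;
}

/* Hardened: bound len before the multiply can wrap.
 * (len/3 + 1) * 4 + 4 <= UINT32_MAX  <=>  len/3 + 1 <= (UINT32_MAX - 4) / 4 */
static int b64_size_checked(usize32 len, usize32 *out)
{
    if (len / 3 + 1 > (UINT32_MAX - 4) / 4)
        return -1;
    *out = (len / 3 + 1) * 4 + 4;
    return 0;
}

/* 1 if the unchecked formula yields fewer bytes than the input itself,
 * i.e. the allocation would be undersized. */
int unchecked_size_is_undersized(usize32 len)
{
    return b64_size_unchecked(len) < len;
}

/* 1 if the checked computation refuses this length. */
int checked_size_rejects(usize32 len)
{
    usize32 n;
    return b64_size_checked(len, &n) != 0;
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encoder that only allocates through the checked size. Returns a
 * malloc'd NUL-terminated string, or NULL on overflow or allocation
 * failure. */
char *b64_encode_safe(const unsigned char *in, usize32 len)
{
    usize32 need, i = 0, o = 0;
    if (b64_size_checked(len, &need) != 0)
        return NULL;
    char *out = malloc(need);
    if (!out)
        return NULL;
    for (; i + 3 <= len; i += 3) {
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = B64[v & 63];
    }
    if (len - i == 1) {
        uint32_t v = (uint32_t)in[i] << 16;
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = '=';
        out[o++] = '=';
    } else if (len - i == 2) {
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8);
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = '=';
    }
    out[o] = '\0';
    return out;
}

/* Convenience for checking: 1 if encoding `in` yields `expected`. */
int encodes_to(const char *in, const char *expected)
{
    char *s = b64_encode_safe((const unsigned char *)in, (usize32)strlen(in));
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}
```

  The check has to bound the input before the multiplication, as
  b64_size_checked does; testing the product afterwards is too late,
  because a wrapped value looks like a perfectly valid small size.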
http://www.linuxsecurity.com/content/view/148347

* Mandriva: [ MDVSA-2009:077 ] pam (Mar 21)
  -----------------------------------------
  A security vulnerability has been identified and fixed in pam:

  Integer signedness error in the _pam_StrTok function in
  libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a
  configuration file contains non-ASCII usernames, might allow remote
  attackers to cause a denial of service, and might allow remote
  authenticated users to obtain login access with a different user's
  non-ASCII username, via a login attempt (CVE-2009-0887).

  The updated packages have been patched to prevent this. Additionally,
  some development packages required to build pam for CS4 were missing;
  these are also provided with this update.

  http://www.linuxsecurity.com/content/view/148334

* Mandriva: [ MDVA-2009:047 ] drakconf (Mar 21)
  ---------------------------------------------
  This update prevents drakconf from crashing if the tool currently
  embedded within drakconf segfaulted in some rare case (bug #48080).

  http://www.linuxsecurity.com/content/view/148333

* Mandriva: [ MDVA-2009:046 ] pidgin (Mar 21)
  -------------------------------------------
  Protocol changes on the ICQ servers made pidgin incompatible. This
  update upgrades pidgin to version 2.5.5, which takes care of this
  problem.

  http://www.linuxsecurity.com/content/view/148332

* Mandriva: [ MDVA-2009:045 ] dhcp (Mar 20)
  -----------------------------------------
  dhclient-script, in the dhcp-client package as released with Mandriva
  Linux 2009, would put the network interface down in some
  circumstances, as part of its workings. Coupled with a bug in the
  kernel wireless stack, when done on wireless interfaces this could
  cause the wireless association to be lost and never automatically
  remade. This update fixes dhcp-client to use a better way instead of
  putting the interface down, working around the wireless stack bug and
  fixing many cases of the lost association problem.
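
  The Mandriva pam entry above (CVE-2009-0887) is an integer signedness
  error: a byte-classification table indexed with a plain char, which on
  x86 is signed, so any non-ASCII byte in a username becomes a negative
  index and the lookup reads outside the table. The C program below is an
  added illustration, not Linux-PAM's _pam_StrTok; the table-driven
  tokenizer, its function names and the pam.conf-style sample lines are
  assumptions. It shows the index the unsafe lookup computes, the
  unsigned-char cast that fixes it, a tokenizer built on the fixed
  lookup, and a simulation of how a stray non-zero byte before the table
  would split a non-ASCII name into different tokens.

```c
#include <string.h>

/* 256-entry delimiter table; the only valid indices are 0..255. */
static unsigned char is_delim[256];

static void set_delims(const char *delims)
{
    memset(is_delim, 0, sizeof is_delim);
    for (; *delims; delims++)
        is_delim[(unsigned char)*delims] = 1;
}

/* The bug class: indexing the table with a plain char. On x86 plain
 * char is signed, so the first byte of a UTF-8 'é' (0xC3) becomes -61
 * and table[c] reads 61 bytes *before* the array. Modelled here with
 * 'signed char' so the demonstration behaves the same on every host
 * (an assumption for this illustration). */
int table_index_unsafe(signed char c)
{
    return (int)c;                  /* negative for any byte >= 0x80 */
}

/* The fix: widen through unsigned char, so 0xC3 stays 195. */
int table_index_safe(char c)
{
    return (int)(unsigned char)c;
}

/* Tokenizer in the style of a config-line parser, using the safe index.
 * Returns the number of tokens in `line`. */
int count_tokens(const char *line, const char *delims)
{
    int n = 0, in_tok = 0;
    set_delims(delims);
    for (const unsigned char *p = (const unsigned char *)line; *p; p++) {
        if (is_delim[*p])
            in_tok = 0;
        else if (!in_tok) {
            in_tok = 1;
            n++;
        }
    }
    return n;
}

/* Byte length of the first token, so a non-ASCII name can be checked
 * to survive intact rather than being split at a high byte. */
int first_token_len(const char *line, const char *delims)
{
    set_delims(delims);
    const unsigned char *p = (const unsigned char *)line;
    while (*p && is_delim[*p])
        p++;
    int len = 0;
    while (p[len] && !is_delim[p[len]])
        len++;
    return len;
}

/* Simulates the unsafe lookup when the bytes before the table happen to
 * hold `stray`: every byte >= 0x80 is then classified by that value, so
 * with stray != 0 a name like "us\xC3\xA9r" splits into "us" and "r",
 * and matches a different entry than the one the administrator wrote. */
int count_tokens_if_oob_reads(const char *line, const char *delims, int stray)
{
    int n = 0, in_tok = 0;
    set_delims(delims);
    for (const unsigned char *p = (const unsigned char *)line; *p; p++) {
        int d = (*p >= 0x80) ? stray : is_delim[*p];
        if (d)
            in_tok = 0;
        else if (!in_tok) {
            in_tok = 1;
            n++;
        }
    }
    return n;
}
```

  The same defect hides behind isspace()/isalpha() calls on plain char:
  those functions take an int in the range of unsigned char or EOF, so
  the cast to unsigned char belongs on every such call site too.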
http://www.linuxsecurity.com/content/view/148327

* Mandriva: [ MDVSA-2009:060-1 ] nfs-utils (Mar 19)
  -------------------------------------------------
  A security vulnerability has been identified and fixed in nfs-utils,
  which caused TCP Wrappers to ignore netgroups and allows remote
  attackers to bypass intended access restrictions (CVE-2008-4552). The
  updated packages have been patched to prevent this.

  http://www.linuxsecurity.com/content/view/148314

------------------------------------------------------------------------

* RedHat: Critical: java-1.6.0-ibm security update (Mar 25)
  ---------------------------------------------------------
  Updated java-1.6.0-ibm packages that fix several security issues are
  now available for Red Hat Enterprise Linux 4 Extras and Red Hat
  Enterprise Linux 5 Supplementary. This update has been rated as having
  critical security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/148370

* RedHat: Moderate: NetworkManager security update (Mar 25)
  ---------------------------------------------------------
  Updated NetworkManager packages that fix a security issue are now
  available for Red Hat Enterprise Linux 4. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148366

* RedHat: Moderate: NetworkManager security update (Mar 25)
  ---------------------------------------------------------
  Updated NetworkManager packages that fix two security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.
http://www.linuxsecurity.com/content/view/148367

* RedHat: Critical: acroread security update (Mar 25)
  ---------------------------------------------------
  Updated acroread packages that fix multiple security issues are now
  available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise
  Linux 4 Extras, and Red Hat Enterprise Linux 5 Supplementary. This
  update has been rated as having critical security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/148368

* RedHat: Moderate: thunderbird security update (Mar 24)
  ------------------------------------------------------
  An updated thunderbird package that fixes several security issues is
  now available for Red Hat Enterprise Linux 4 and 5. This update has
  been rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/148354

* RedHat: Moderate: glib2 security update (Mar 24)
  ------------------------------------------------
  Updated glib2 packages that fix several security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148355

* RedHat: Moderate: libvirt security update (Mar 19)
  --------------------------------------------------
  Updated libvirt packages that fix two security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148312

* RedHat: Moderate: curl security update (Mar 19)
  -----------------------------------------------
  Updated curl packages that fix a security issue are now available for
  Red Hat Enterprise Linux 2.1, 3, 4, and 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.
http://www.linuxsecurity.com/content/view/148310

* RedHat: Moderate: ghostscript security update (Mar 19)
  ------------------------------------------------------
  Updated ghostscript packages that fix multiple security issues are now
  available for Red Hat Enterprise Linux 3, 4, and 5. This update has
  been rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/148311

* RedHat: Moderate: lcms security update (Mar 19)
  -----------------------------------------------
  Updated lcms packages that resolve several security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148309

------------------------------------------------------------------------

* Slackware: seamonkey (Mar 24)
  -----------------------------
  New seamonkey packages are available for Slackware 11.0, 12.0, 12.1,
  12.2, and -current to fix security issues.

  http://www.linuxsecurity.com/content/view/148358

* Slackware: mozilla-thunderbird (Mar 24)
  ---------------------------------------
  New mozilla-thunderbird packages are available for Slackware 10.2,
  11.0, 12.0, 12.1, 12.2, and -current to fix security issues.

  http://www.linuxsecurity.com/content/view/148359

* Slackware: lcms (Mar 24)
  ------------------------
  New lcms packages are available for Slackware 10.0, 10.1, 10.2, 11.0,
  12.0, 12.1, 12.2, and -current to fix security issues.

  http://www.linuxsecurity.com/content/view/148360

------------------------------------------------------------------------

* Ubuntu: Ghostscript vulnerabilities (Mar 23)
  --------------------------------------------
  It was discovered that Ghostscript contained multiple integer overflows
  in its ICC color management library. If a user or automated system
  were tricked into opening a crafted PostScript file, an attacker could
  cause a denial of service or execute arbitrary code with the
  privileges of the user invoking the program. (CVE-2009-0583)

  It was discovered that Ghostscript did not properly perform bounds
  checking in its ICC color management library. If a user or automated
  system were tricked into opening a crafted PostScript file, an
  attacker could cause a denial of service or execute arbitrary code
  with the privileges of the user invoking the program. (CVE-2009-0584)

  http://www.linuxsecurity.com/content/view/148345

* Ubuntu: LittleCMS vulnerabilities (Mar 23)
  ------------------------------------------
  Chris Evans discovered that LittleCMS did not properly handle certain
  error conditions, resulting in a large memory leak. If a user or
  automated system were tricked into processing an image with malicious
  ICC tags, a remote attacker could cause a denial of service.
  (CVE-2009-0581)

  Chris Evans discovered that LittleCMS contained multiple integer
  overflows. If a user or automated system were tricked into processing
  an image with malicious ICC tags, a remote attacker could crash
  applications linked against liblcms1, leading to a denial of service,
  or possibly execute arbitrary code with user privileges.
  (CVE-2009-0723)

  Chris Evans discovered that LittleCMS did not properly perform bounds
  checking, leading to a buffer overflow. If a user or automated system
  were tricked into processing an image with malicious ICC tags, a
  remote attacker could execute arbitrary code with user privileges.
  (CVE-2009-0733)

  http://www.linuxsecurity.com/content/view/148346

* Ubuntu: JasPer vulnerabilities (Mar 19)
  ---------------------------------------
  It was discovered that JasPer did not correctly handle memory
  allocation when parsing certain malformed JPEG2000 images. If a user
  were tricked into opening a specially crafted image with an
  application that uses libjasper, an attacker could cause a denial of
  service and possibly execute arbitrary code with the user's
  privileges. (CVE-2008-3520)

  It was discovered that JasPer created temporary files in an insecure
  way. Local users could exploit a race condition and cause a denial of
  service in libjasper applications. (CVE-2008-3521)

  It was discovered that JasPer did not correctly handle certain
  formatting operations. If a user were tricked into opening a specially
  crafted image with an application that uses libjasper, an attacker
  could cause a denial of service and possibly execute arbitrary code
  with the user's privileges. (CVE-2008-3522)

  http://www.linuxsecurity.com/content/view/148313

------------------------------------------------------------------------

* Pardus: Thunderbird: Multiple (Mar 25)
  --------------------------------------
  Some vulnerabilities have been reported in Mozilla Thunderbird, which
  can potentially be exploited by malicious people to compromise a
  user's system.

  http://www.linuxsecurity.com/content/view/148365

* Pardus: PostgreSQL: Denial of Service (Mar 25)
  ----------------------------------------------
  A weakness and a security issue have been reported in PostgreSQL,
  which can be exploited by malicious users to disclose potentially
  sensitive information or cause a DoS (Denial of Service).

  http://www.linuxsecurity.com/content/view/148364

* Pardus: Glib2: Integer Overflow (Mar 25)
  ----------------------------------------
  Some vulnerabilities have been reported in GLib, which can potentially
  be exploited by malicious people to compromise an application using
  the library.
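
  The Muttprint (Gentoo) and JasPer (Ubuntu, CVE-2008-3521) entries above
  are both insecure temporary file creation: a predictable name in a
  world-writable directory that a local user can pre-create as a symlink
  before the victim process opens it. The C program below is an added
  illustration for this digest, not code from either project; the spool
  file name and the throwaway directory are made up. It stages the
  symlink in a private directory and shows that open() with
  O_CREAT|O_TRUNC follows it and overwrites the link target, while
  O_CREAT|O_EXCL|O_NOFOLLOW refuses, and that mkstemp() yields an
  unpredictable file with mode 0600.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: a predictable name opened with O_CREAT|O_TRUNC.
 * If a local attacker planted a symlink at that name first, open()
 * follows it and the caller truncates and overwrites whatever the link
 * points to, with the caller's privileges. */
int write_predictable(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened: O_EXCL fails if the name already exists (a symlink counts),
 * O_NOFOLLOW refuses to traverse a symlink at all, and 0600 keeps the
 * file private to the creating user. */
int write_exclusive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

static int read_small(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Stages the attack in a throwaway directory: a victim file, a symlink
 * at the predictable name pointing at it, then both writers. Returns 1
 * when the predictable writer clobbered the victim and the exclusive
 * writer refused, 0 otherwise. "muttprint.1234" is a made-up name. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";
    char victim[256], lnk[256], buf[32];
    int ok = 0;
    if (!mkdtemp(dir))
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/muttprint.1234", dir);
    if (write_exclusive(victim, "original") == 0 && symlink(victim, lnk) == 0) {
        write_predictable(lnk, "clobbered");          /* follows the link */
        int clobbered = read_small(victim, buf, sizeof buf) == 0
                        && strcmp(buf, "clobbered") == 0;
        int refused = write_exclusive(lnk, "x") == -1
                      && (errno == EEXIST || errno == ELOOP);
        ok = clobbered && refused;
    }
    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return ok;
}

/* Preferred fix: let mkstemp() choose an unpredictable name and open it
 * O_CREAT|O_EXCL with mode 0600 in one step. Returns 1 if the resulting
 * descriptor has exactly that mode. */
int demo_private_tempfile(void)
{
    char path[] = "/tmp/tmpfile-demo-XXXXXX";
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    int ok = fstat(fd, &st) == 0 && (st.st_mode & 07777) == 0600;
    close(fd);
    unlink(path);
    return ok;
}
```

  The demonstration needs only a writable /tmp. For shell or Perl tools
  the equivalent is mktemp(1) or File::Temp rather than a name built
  from the PID, and the file should be used through the descriptor that
  created it, never reopened by name.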
http://www.linuxsecurity.com/content/view/148362

* Pardus: Flashplugin: Multiple (Mar 25)
  --------------------------------------
  Some vulnerabilities have been reported in Adobe Flash Player, which
  can be exploited by malicious, local users to disclose sensitive
  information and potentially gain escalated privileges, and by
  malicious people to bypass certain security restrictions, disclose
  potentially sensitive information, and compromise a user's system.

  http://www.linuxsecurity.com/content/view/148361

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                 LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.

------------------------------------------------------------------------