+----------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter      |
|  April 10th, 2009                             Volume 10, Number 15   |
|                                                                      |
|  Editorial Team:  Dave Wreski           <dwreski@xxxxxxxxxxxxxxxxx>  |
|                   Benjamin D. Thomas    <bthomas@xxxxxxxxxxxxxxxxx>  |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for krb5, horde3, tunapie, openssl,
moodle, icu, java, bugzilla, mapserver, tor, xpdf, eye, ntp, gnumeric,
initscripts, libtommath, mdkonline, evolution, and postgresql.

The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat,
SuSE, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of
Linux: safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments. Catch up with what
professional network and database administrators, system programmers,
webmasters and all those who believe in the power of Open Source
software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------

If I ask "How much do you know about Google?" you may not take even a
second to respond. But if I ask "How much does Google know about you?"
you may instantly reply "Wait... what!? Do they!?" The book "Googling
Security: How Much Does Google Know About You" by Greg Conti (Computer
Science Professor at West Point) is the first book to reveal how
Google's vast information stockpiles could be used against you or your
business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------

Nagios is monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process; however, making it a secure setup takes some work.
This article will not show you how to install Nagios, since there are
plenty of guides for that, but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf  <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New krb5 packages fix several vulnerabilities (Apr 8)
  -------------------------------------------------------------
  Several vulnerabilities have been found in the MIT reference
  implementation of Kerberos V5, a system for authenticating users and
  services on a network.

  http://www.linuxsecurity.com/content/view/148533

* Debian: New horde3 packages fix several vulnerabilities (Apr 8)
  ---------------------------------------------------------------
  Several vulnerabilities have been found in horde3, the horde web
  application framework.

  http://www.linuxsecurity.com/content/view/148527

* Debian: New tunapie packages fix several vulnerabilities (Apr 7)
  ----------------------------------------------------------------
  Several vulnerabilities have been discovered in Tunapie, a GUI
  frontend to video and radio streams.

  http://www.linuxsecurity.com/content/view/148519

* Debian: New openssl packages fix denial of service (Apr 6)
  ----------------------------------------------------------
  It was discovered that insufficient length validations in the ASN.1
  handling of the OpenSSL crypto library may lead to denial of service
  when processing a manipulated certificate.

  http://www.linuxsecurity.com/content/view/148498

* Debian: New moodle packages fix file disclosure (Apr 3)
  -------------------------------------------------------
  Christian J. Eibl discovered that the TeX filter of Moodle, a
  web-based course management system, doesn't check user input for
  certain TeX commands, which allows an attacker to include and display
  the content of arbitrary system files.

  http://www.linuxsecurity.com/content/view/148491

* Debian: New icu packages fix cross site scripting (Apr 2)
  ---------------------------------------------------------
  It was discovered that icu, the internal components for Unicode, did
  not properly sanitise invalid encoded data, which could lead to
  cross-site scripting attacks.

  http://www.linuxsecurity.com/content/view/148480

------------------------------------------------------------------------

* Fedora 9 Update: krb5-1.6.3-16.fc9 (Apr 7)
  ------------------------------------------
  This update incorporates patches to fix potential read overflow and
  NULL pointer dereferences in the implementation of the SPNEGO GSSAPI
  mechanism (CVE-2009-0844, CVE-2009-0845), attempts to free an
  uninitialized pointer during protocol parsing (CVE-2009-0846), and a
  bug in length validation during protocol parsing (CVE-2009-0847).

  http://www.linuxsecurity.com/content/view/148522

* Fedora 10 Update: krb5-1.6.3-18.fc10 (Apr 7)
  --------------------------------------------
  This update incorporates patches to fix potential read overflow and
  NULL pointer dereferences in the implementation of the SPNEGO GSSAPI
  mechanism (CVE-2009-0844, CVE-2009-0845), attempts to free an
  uninitialized pointer during protocol parsing (CVE-2009-0846), and a
  bug in length validation during protocol parsing (CVE-2009-0847).

  http://www.linuxsecurity.com/content/view/148523

* Fedora 9 Update: java-1.6.0-openjdk-1.6.0.0-0.25.b09.fc9 (Apr 7)
  ----------------------------------------------------------------
  Fixes the remaining LCMS issue, which resolves a TCK failure.

  http://www.linuxsecurity.com/content/view/148520

* Fedora 10 Update: java-1.6.0-openjdk-1.6.0.0-15.b14.fc10 (Apr 7)
  ----------------------------------------------------------------
  Fixes the remaining LCMS issue, which resolves a TCK failure.

  http://www.linuxsecurity.com/content/view/148521

* Fedora 9 Update: bugzilla-3.2.3-1.fc9 (Apr 7)
  ---------------------------------------------
  Fixes CVE-2009-1213.

  http://www.linuxsecurity.com/content/view/148511

* Fedora 10 Update: bugzilla-3.2.3-1.fc10 (Apr 7)
  -----------------------------------------------
  Fixes CVE-2009-1213.

  http://www.linuxsecurity.com/content/view/148512

* Fedora 9 Update: mapserver-5.2.2-1.fc9 (Apr 6)
  ----------------------------------------------
  The releases contain fixes for issues discovered in an audit of the
  CGI by a 3rd party (tickets #2939, #2941, #2942, #2943 and #2944).

  http://www.linuxsecurity.com/content/view/148503

* Fedora 10 Update: mapserver-5.2.2-1.fc10 (Apr 6)
  ------------------------------------------------
  The releases contain fixes for issues discovered in an audit of the
  CGI by a 3rd party (tickets #2939, #2941, #2942, #2943 and #2944).

  http://www.linuxsecurity.com/content/view/148502

* Fedora 9 Update: moodle-1.9.4-6.fc9 (Apr 2)
  -------------------------------------------
  CVE-2009-1171: The TeX filter in Moodle 1.6 before 1.6.9+, 1.7 before
  1.7.7+, 1.8 before 1.8.9, and 1.9 before 1.9.5 allows user-assisted
  attackers to read arbitrary files via an input command in a "$$"
  sequence, which causes LaTeX to include the contents of the file.

  http://www.linuxsecurity.com/content/view/148483

* Fedora 10 Update: moodle-1.9.4-6.fc10 (Apr 2)
  ---------------------------------------------
  CVE-2009-1171: The TeX filter in Moodle 1.6 before 1.6.9+, 1.7 before
  1.7.7+, 1.8 before 1.8.9, and 1.9 before 1.9.5 allows user-assisted
  attackers to read arbitrary files via an input command in a "$$"
  sequence, which causes LaTeX to include the contents of the file.

  http://www.linuxsecurity.com/content/view/148482

------------------------------------------------------------------------

* Gentoo: Tor Multiple vulnerabilities (Apr 8)
  --------------------------------------------
  Multiple vulnerabilities in Tor might allow for heap corruption,
  Denial of Service, escalation of privileges and information
  disclosure.

  http://www.linuxsecurity.com/content/view/148531

* Gentoo: Avahi Denial of Service (Apr 8)
  ---------------------------------------
  An error in Avahi might lead to a Denial of Service via network and
  CPU consumption.

  http://www.linuxsecurity.com/content/view/148532

* Gentoo: MIT Kerberos 5 Multiple vulnerabilities (Apr 8)
  -------------------------------------------------------
  Multiple vulnerabilities in MIT Kerberos 5 might allow remote
  unauthenticated users to execute arbitrary code with root privileges.

  http://www.linuxsecurity.com/content/view/148530

* Gentoo: OpenSSL Denial of Service (Apr 7)
  -----------------------------------------
  An error in OpenSSL might allow for a Denial of Service when printing
  certificate details.

  http://www.linuxsecurity.com/content/view/148507

* Gentoo: Xpdf Untrusted search path (Apr 7)
  ------------------------------------------
  A vulnerability in Xpdf might allow local attackers to execute
  arbitrary code.

  http://www.linuxsecurity.com/content/view/148506

* Gentoo: Eye of GNOME Untrusted search path (Apr 6)
  --------------------------------------------------
  An untrusted search path vulnerability in the Eye of GNOME might
  result in the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/148504

* Gentoo: ntp Certificate validation error (Apr 5)
  ------------------------------------------------
  An error in the OpenSSL certificate chain validation in ntp might
  allow for spoofing attacks.

  http://www.linuxsecurity.com/content/view/148497

* Gentoo: WeeChat Denial of Service (Apr 4)
  -----------------------------------------
  A processing error in WeeChat might lead to a Denial of Service.

  http://www.linuxsecurity.com/content/view/148496

* Gentoo: Gnumeric Untrusted search path (Apr 3)
  ----------------------------------------------
  An untrusted search path vulnerability in Gnumeric might result in
  the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/148492

* Gentoo: Openfire Multiple vulnerabilities (Apr 2)
  -------------------------------------------------
  Multiple vulnerabilities were discovered in Openfire, the worst of
  which may allow remote execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/148485

------------------------------------------------------------------------

* Mandriva: [ MDVA-2009:052 ] initscripts (Apr 8)
  -----------------------------------------------
  A race condition in the getkey process in initscripts shipped with
  Mandriva CS4 will make the boot stop when entering interactive
  startup.

  http://www.linuxsecurity.com/content/view/148529

* Mandriva: [ MDVA-2009:051 ] perl-Crypt-SSLeay (Apr 7)
  -----------------------------------------------------
  This update provides updated perl-Crypt-SSLeay, required for
  mdkonline to work with restricted resources.

  http://www.linuxsecurity.com/content/view/148518

* Mandriva: [ MDVA-2009:050 ] libtommath (Apr 7)
  ----------------------------------------------
  The tommath library will be needed for future clamav updates.

  http://www.linuxsecurity.com/content/view/148509

* Mandriva: [ MDVA-2009:049 ] mdkonline (Apr 6)
  ---------------------------------------------
  This update fixes an issue which could cause mdkonline to fail when
  attempting to set up restricted resources.

  http://www.linuxsecurity.com/content/view/148505

* Mandriva: [ MDVSA-2009:086 ] gstreamer-plugins (Apr 3)
  ------------------------------------------------------
  An array indexing error in GStreamer's QuickTime media file format
  decoding plug-in enables attackers to crash the application and
  potentially execute arbitrary code by using a crafted media file
  (CVE-2009-0398). This update provides a fix for that security issue.

  http://www.linuxsecurity.com/content/view/148495

* Mandriva: [ MDVSA-2009:087 ] openssl (Apr 3)
  --------------------------------------------
  A security vulnerability has been identified and fixed in OpenSSL,
  which could crash applications using the OpenSSL library when parsing
  malformed certificates (CVE-2009-0590). The updated packages have
  been patched to prevent this.

  http://www.linuxsecurity.com/content/view/148494

* Mandriva: [ MDVA-2009:048 ] evolution (Apr 2)
  ---------------------------------------------
  This update prevents an unwanted dependency on gpilotd (bug #46302).

  http://www.linuxsecurity.com/content/view/148484

* Mandriva: [ MDVSA-2009:085 ] gstreamer0.10-plugins-base (Apr 2)
  ---------------------------------------------------------------
  Integer overflows in the gstreamer0.10-plugins-base Base64 encoding
  and decoding functions (related to the glib2.0 issue CVE-2008-4316)
  may allow attackers to cause a denial of service, although attack
  vectors are not known yet (CVE-2009-0586). This update provides the
  fix for that security issue.

  http://www.linuxsecurity.com/content/view/148481

------------------------------------------------------------------------

* RedHat: Critical: krb5 security update (Apr 7)
  ----------------------------------------------
  Updated krb5 packages that fix a security issue are now available for
  Red Hat Enterprise Linux 2.1 and 3. This update has been rated as
  having critical security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148516

* RedHat: Moderate: device-mapper-multipath security (Apr 7)
  ----------------------------------------------------------
  Updated device-mapper-multipath packages that fix a security issue
  are now available for Red Hat Enterprise Linux 4 and 5. This update
  has been rated as having moderate security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/148517

* RedHat: Important: java-1.6.0-openjdk security update (Apr 7)
  -------------------------------------------------------------
  Updated java-1.6.0-openjdk packages that fix several security issues
  are now available for Red Hat Enterprise Linux 5. This update has
  been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/148513

* RedHat: Important: krb5 security update (Apr 7)
  -----------------------------------------------
  Updated krb5 packages that fix various security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having important security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148514

* RedHat: Important: krb5 security update (Apr 7)
  -----------------------------------------------
  Updated krb5 packages that fix a security issue are now available for
  Red Hat Enterprise Linux 4. This update has been rated as having
  important security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/148515

* RedHat: Moderate: php security update (Apr 6)
  ---------------------------------------------
  Updated php packages that fix several security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148500

* RedHat: Moderate: gstreamer-plugins-base security update (Apr 6)
  ----------------------------------------------------------------
  Updated gstreamer-plugins-base packages that fix a security issue are
  now available for Red Hat Enterprise Linux 5. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/148501

* RedHat: Moderate: php security update (Apr 6)
  ---------------------------------------------
  Updated php packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3 and 4. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/148499

------------------------------------------------------------------------

* Slackware: php (Apr 8)
  ------------------------
  New php packages are available for Slackware 11.0, 12.0, 12.1, 12.2,
  and -current to fix security issues.

  http://www.linuxsecurity.com/content/view/148524

* Slackware: xine-lib (Apr 8)
  -----------------------------
  New xine-lib packages are available for Slackware 12.0, 12.1, 12.2,
  and -current to fix security issues.

  http://www.linuxsecurity.com/content/view/148525

* Slackware: openssl (Apr 8)
  ----------------------------
  New openssl packages are available for Slackware 11.0, 12.0, 12.1,
  12.2, and -current to fix security issues.

  http://www.linuxsecurity.com/content/view/148526

------------------------------------------------------------------------

* SuSE: krb5 (SUSE-SA:2009:019) (Apr 8)
  -------------------------------------
  The Kerberos implementation from MIT is vulnerable to four different
  security issues that range from a remote crash to possible, but very
  unlikely, remote code execution.

  http://www.linuxsecurity.com/content/view/148528

* SuSE: IBM Java 1.4.2 and 6 (Apr 7)
  ----------------------------------
  The IBM Java 1.4.2 JDK and JRE were brought to Service Release 13 and
  the IBM JDK and JRE 6 were brought to Service Release 4.

  http://www.linuxsecurity.com/content/view/148508

* SuSE: Linux kernel (SUSE-SA:2009:017) (Apr 3)
  ---------------------------------------------
  The Linux kernel for SUSE Linux Enterprise 10 Service Pack 2 was
  updated to fix various bugs and several security issues.

  http://www.linuxsecurity.com/content/view/148489

* SuSE: Sun Java (SUSE-SA:2009:016) (Apr 3)
  -----------------------------------------
  The Sun JDK 5 was updated to Update 18 and the Sun JDK 6 was updated
  to Update 13 to fix various bugs and security issues.

  http://www.linuxsecurity.com/content/view/148487

* SuSE: Linux kernel (SUSE-SA:2009:015) (Apr 3)
  ---------------------------------------------
  The following security issues were fixed...

  http://www.linuxsecurity.com/content/view/148486

------------------------------------------------------------------------

* Ubuntu: PostgreSQL vulnerability (Apr 7)
  -----------------------------------------
  It was discovered that PostgreSQL did not properly handle encoding
  conversion failures. An attacker could exploit this by sending
  specially crafted requests to PostgreSQL, leading to a denial of
  service.

  http://www.linuxsecurity.com/content/view/148510

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.
                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.

------------------------------------------------------------------------