Linux Security Week - April 10th 2009

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| April 10th, 2009                                Volume 10, Number 15 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
|                       Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for krb5, horde3, tunapie, openssl,
moodle, icu, java, bugzilla, mapserver, moodle, tor, xpdf, eye, ntp,
gnumeric, initscripts, libtommath, mdkonline, openssl, evolution, and
postgresql.  The distributors include Debian, Fedora, Gentoo, Mandriva,
Red Hat, SuSE, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" You may not take even a
second to respond.  But if I may ask "How much does Google know about
you"? You may instantly reply "Wait... what!? Do they!?"  The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New krb5 packages fix several vulnerabilities (Apr 8)
  -------------------------------------------------------------
  Several vulnerabilities have been found in the MIT reference
  implementation of Kerberos V5, a system for authenticating users and
  services on a network.

  http://www.linuxsecurity.com/content/view/148533

* Debian: New horde3 packages fix several vulnerabilities (Apr 8)
  ---------------------------------------------------------------
  Several vulnerabilities have been found in horde3, the horde web
  application framework.

  http://www.linuxsecurity.com/content/view/148527

* Debian: New tunapie packages fix several vulnerabilities (Apr 7)
  ----------------------------------------------------------------
  Several vulnerabilities have been discovered in Tunapie, a GUI
  frontend to video and radio streams.

  http://www.linuxsecurity.com/content/view/148519

* Debian: New openssl packages fix denial of service (Apr 6)
  ----------------------------------------------------------
  It was discovered that insufficient length validations in the ASN.1
  handling of the OpenSSL crypto library may lead to denial of service
  when processing a manipulated certificate.

  http://www.linuxsecurity.com/content/view/148498

* Debian: New moodle packages fix file disclosure (Apr 3)
  -------------------------------------------------------
  Christian J. Eibl discovered that the TeX filter of Moodle, a
  web-based course management system, doesn't check user input for
  certain TeX commands which allows an attacker to include and display
  the content of arbitrary system files.

  http://www.linuxsecurity.com/content/view/148491

* Debian: New icu packages fix cross site scripting (Apr 2)
  ---------------------------------------------------------
  It was discovered that icu, the internal components for Unicode, did
  not properly sanitise invalid encoded data, which could lead to
  cross- site scripting attacks.

  http://www.linuxsecurity.com/content/view/148480

------------------------------------------------------------------------

* Fedora 9 Update: krb5-1.6.3-16.fc9 (Apr 7)
  ------------------------------------------
  This update incorporates patches to fix potential read overflow and
  NULL pointer dereferences in the implementation of the SPNEGO GSSAPI
  mechanism (CVE-2009-0844, CVE-2009-0845), attempts to free an
  uninitialized pointer during protocol parsing (CVE-2009-0846), and a
  bug in length validation during protocol parsing (CVE-2009-0847).

  http://www.linuxsecurity.com/content/view/148522

* Fedora 10 Update: krb5-1.6.3-18.fc10 (Apr 7)
  --------------------------------------------
  This update incorporates patches to fix potential read overflow and
  NULL pointer dereferences in the implementation of the SPNEGO GSSAPI
  mechanism (CVE-2009-0844, CVE-2009-0845), attempts to free an
  uninitialized pointer during protocol parsing (CVE-2009-0846), and a
  bug in length validation during protocol parsing (CVE-2009-0847).

  http://www.linuxsecurity.com/content/view/148523

* Fedora 9 Update: java-1.6.0-openjdk-1.6.0.0-0.25.b09.fc9 (Apr 7)
  ----------------------------------------------------------------
  Fixes remaining LCMS issue, which resolves a TCK failure

  http://www.linuxsecurity.com/content/view/148520

* Fedora 10 Update: java-1.6.0-openjdk-1.6.0.0-15.b14.fc10 (Apr 7)
  ----------------------------------------------------------------
  Fixes remaining LCMS issue, which resolves a TCK failure

  http://www.linuxsecurity.com/content/view/148521

* Fedora 9 Update: bugzilla-3.2.3-1.fc9 (Apr 7)
  ---------------------------------------------
  fix CVE-2009-1213

  http://www.linuxsecurity.com/content/view/148511

* Fedora 10 Update: bugzilla-3.2.3-1.fc10 (Apr 7)
  -----------------------------------------------
  fix CVE-2009-1213

  http://www.linuxsecurity.com/content/view/148512

* Fedora 9 Update: mapserver-5.2.2-1.fc9 (Apr 6)
  ----------------------------------------------
  The releases contain fixes for issues discovered in an audit of the
  CGI by a 3rd party   (tickets #2939, #2941, #2942, #2943 and #2944).

  http://www.linuxsecurity.com/content/view/148503

* Fedora 10 Update: mapserver-5.2.2-1.fc10 (Apr 6)
  ------------------------------------------------
  The releases contain fixes for issues discovered in an audit of the
  CGI by a 3rd party  (tickets #2939, #2941, #2942, #2943 and #2944).

  http://www.linuxsecurity.com/content/view/148502

* Fedora 9 Update: moodle-1.9.4-6.fc9 (Apr 2)
  -------------------------------------------
  CVE-2009-1171:  The TeX filter in Moodle 1.6 before 1.6.9+, 1.7
  before 1.7.7+, 1.8  before 1.8.9, and 1.9 before 1.9.5 allows
  user-assisted attackers to  read arbitrary files via an input command
  in a "$$" sequence, which  causes LaTeX to include the contents of
  the file.

  http://www.linuxsecurity.com/content/view/148483

* Fedora 10 Update: moodle-1.9.4-6.fc10 (Apr 2)
  ---------------------------------------------
  CVE-2009-1171:  The TeX filter in Moodle 1.6 before 1.6.9+, 1.7
  before 1.7.7+, 1.8  before 1.8.9, and 1.9 before 1.9.5 allows
  user-assisted attackers to  read arbitrary files via an input command
  in a "$$" sequence, which  causes LaTeX to include the contents of
  the file.

  http://www.linuxsecurity.com/content/view/148482

------------------------------------------------------------------------

* Gentoo: Tor Multiple vulnerabilities (Apr 8)
  --------------------------------------------
  Multiple vulnerabilities in Tor might allow for heap corruption,
  Denial of Service, escalation of privileges and information
  disclosure.

  http://www.linuxsecurity.com/content/view/148531

* Gentoo: Avahi Denial of Service (Apr 8)
  ---------------------------------------
  An error in Avahi might lead to a Denial of Service via network and
  CPU consumption.

  http://www.linuxsecurity.com/content/view/148532

* Gentoo: MIT Kerberos 5 Multiple vulnerabilities (Apr 8)
  -------------------------------------------------------
  Multiple vulnerabilites in MIT Kerberos 5 might allow remote
  unauthenticated users to execute arbitrary code with root privileges.

  http://www.linuxsecurity.com/content/view/148530

* Gentoo: OpenSSL Denial of Service (Apr 7)
  -----------------------------------------
  An error in OpenSSL might allow for a Denial of Service when printing
  certificate details.

  http://www.linuxsecurity.com/content/view/148507

* Gentoo: Xpdf Untrusted search path (Apr 7)
  ------------------------------------------
  A vulnerability in Xpdf might allow local attackers to execute
  arbitrary code.

  http://www.linuxsecurity.com/content/view/148506

* Gentoo: Eye of GNOME Untrusted search path (Apr 6)
  --------------------------------------------------
  An untrusted search path vulnerability in the Eye of GNOME might
  result in the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/148504

* Gentoo: ntp Certificate validation error (Apr 5)
  ------------------------------------------------
  An error in the OpenSSL certificate chain validation in ntp might
  allow for spoofing attacks.

  http://www.linuxsecurity.com/content/view/148497

* Gentoo: WeeChat Denial of Service (Apr 4)
  -----------------------------------------
  A processing error in WeeChat might lead to a Denial of Service.

  http://www.linuxsecurity.com/content/view/148496

* Gentoo: Gnumeric Untrusted search path (Apr 3)
  ----------------------------------------------
  An untrusted search path vulnerability in Gnumeric might result in
  the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/148492

* Gentoo: Openfire Multiple vulnerabilities (Apr 2)
  -------------------------------------------------
  Multiple vulnerabilities were discovered in Openfire, the worst of
  which may allow remote execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/148485

------------------------------------------------------------------------

* Mandriva: [ MDVA-2009:052 ] initscripts (Apr 8)
  -----------------------------------------------
  A race condition on getkey process in initscripts shipped with
  Mandriva CS4 will make the boot stop when entering interactive
  startup.

  http://www.linuxsecurity.com/content/view/148529

* Mandriva: [ MDVA-2009:051 ] perl-Crypt-SSLeay (Apr 7)
  -----------------------------------------------------
  This update provides updated perl-Crypt-SSLeay, required for
  mdkonline to work with restricted resources.

  http://www.linuxsecurity.com/content/view/148518

* Mandriva: [ MDVA-2009:050 ] libtommath (Apr 7)
  ----------------------------------------------
  The tommath library will be needed for future clamav updates.

  http://www.linuxsecurity.com/content/view/148509

* Mandriva: [ MDVA-2009:049 ] mdkonline (Apr 6)
  ---------------------------------------------
  This update fixes an issue which could cause mdkonline to fail when
  attempting to setup restricted resources.

  http://www.linuxsecurity.com/content/view/148505

* Mandriva: [ MDVSA-2009:086 ] gstreamer-plugins (Apr 3)
  ------------------------------------------------------
  An array indexing error in the GStreamer's QuickTime media file
  format decoding plug-in enables attackers to crash the application
  and potentially execute arbitrary code by using a crafted media file
  (CVE-2009-0398). This update provides fix for that security issue.

  http://www.linuxsecurity.com/content/view/148495

* Mandriva: [ MDVSA-2009:087 ] openssl (Apr 3)
  --------------------------------------------
  A security vulnerability has been identified and fixed in OpenSSL,
  which could crash applications using OpenSSL library when parsing
  malformed certificates (CVE-2009-0590). The updated packages have
  been patched to prevent this.

  http://www.linuxsecurity.com/content/view/148494

* Mandriva: [ MDVA-2009:048 ] evolution (Apr 2)
  ---------------------------------------------
  This update prevents unwanted dependency with gpilotd (bug #46302).

  http://www.linuxsecurity.com/content/view/148484

* Mandriva: [ MDVSA-2009:085 ] gstreamer0.10-plugins-base (Apr 2)
  ---------------------------------------------------------------
  Integer overflows in gstreamer0.10-plugins-base Base64 encoding and
  decoding functions (related with glib2.0 issue CVE-2008-4316) may
  lead attackers to cause denial of service. Altough vector attacks are
  not known yet (CVE-2009-0586). This update provide the fix for that
  security issue.

  http://www.linuxsecurity.com/content/view/148481

------------------------------------------------------------------------

* RedHat: Critical: krb5 security update (Apr 7)
  ----------------------------------------------
  Updated krb5 packages that fix a security issue are now available for
  Red Hat Enterprise Linux 2.1 and 3. This update has been rated as
  having critical security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148516

* RedHat: Moderate: device-mapper-multipath security (Apr 7)
  ----------------------------------------------------------
  Updated device-mapper-multipath packages that fix a security issue
  are now available for Red Hat Enterprise Linux 4 and 5. This update
  has been rated as having moderate security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/148517

* RedHat: Important: java-1.6.0-openjdk security update (Apr 7)
  -------------------------------------------------------------
  Updated java-1.6.0-openjdk packages that fix several security issues
  are now available for Red Hat Enterprise Linux 5. This update has
  been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/148513

* RedHat: Important: krb5 security update (Apr 7)
  -----------------------------------------------
  Updated krb5 packages that fix various security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having important security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148514

* RedHat: Important: krb5 security update (Apr 7)
  -----------------------------------------------
  Updated krb5 packages that fix a security issue are now available for
  Red Hat Enterprise Linux 4. This update has been rated as having
  important security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/148515

* RedHat: Moderate: php security update (Apr 6)
  ---------------------------------------------
  Updated php packages that fix several security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148500

* RedHat: Moderate: gstreamer-plugins-base security update (Apr 6)
  ----------------------------------------------------------------
  Updated gstreamer-plugins-base packages that fix a security issue are
  now available for Red Hat Enterprise Linux 5. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/148501

* RedHat: Moderate: php security update (Apr 6)
  ---------------------------------------------
  Updated php packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3 and 4. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/148499

------------------------------------------------------------------------

* Slackware:   php (Apr 8)
  ------------------------
  New php packages are available for Slackware 11.0, 12.0, 12.1, 12.2,
  and -current to fix security issues.

  http://www.linuxsecurity.com/content/view/148524

* Slackware:   xine-lib (Apr 8)
  -----------------------------
  New xine-lib packages are available for Slackware 12.0, 12.1, 12.2,
  and -current to fix security issues.

  http://www.linuxsecurity.com/content/view/148525

* Slackware:   openssl (Apr 8)
  ----------------------------
  New openssl packages are available for Slackware 11.0, 12.0, 12.1,
  12.2, and -current to fix security issues.

  http://www.linuxsecurity.com/content/view/148526

------------------------------------------------------------------------

* SuSE: krb5 (SUSE-SA:2009:019) (Apr 8)
  -------------------------------------
  The Kerberos implementation from MIT is vulnerable to four
  different security issues that range from a remote crash to	 to
  possible, but very unlikely, remote code execution.

  http://www.linuxsecurity.com/content/view/148528

* SuSE: IBM Java 1.4.2 and 6 (Apr 7)
  ----------------------------------
  The IBM Java 1.4.2 JDK and JRE were brought to Service Release 13
  and the IBM JDK and JRE 6 were brought to Service Release 4.

  http://www.linuxsecurity.com/content/view/148508

* SuSE: Linux kernel (SUSE-SA:2009:017) (Apr 3)
  ---------------------------------------------
  The Linux kernel for SUSE Linux Enterprise 10 Service Pack 2 was
  updated to fixes various bugs and several security issues.

  http://www.linuxsecurity.com/content/view/148489

* SuSE: Sun Java (SUSE-SA:2009:016) (Apr 3)
  -----------------------------------------
  The Sun JDK 5 was updated to Update18 and the Sun JDK 6 was updated
   to Update 13 to fix various bugs and security issues

  http://www.linuxsecurity.com/content/view/148487

* SuSE: Linux kernel (SUSE-SA:2009:015) (Apr 3)
  ---------------------------------------------
  The following security issues were fixed...

  http://www.linuxsecurity.com/content/view/148486

------------------------------------------------------------------------

* Ubuntu:  PostgreSQL vulnerability (Apr 7)
  -----------------------------------------
  It was discovered that PostgreSQL did not properly handle encoding
  conversion failures. An attacker could exploit this by sending
  specially crafted requests to PostgreSQL, leading to a denial of
  service.

  http://www.linuxsecurity.com/content/view/148510

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux