+----------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter        |
|  September 6th, 2009                        Volume 10, Number 37     |
|                                                                      |
|  Editorial Team:  Dave Wreski           <dwreski@xxxxxxxxxxxxxxxxx>  |
|                   Benjamin D. Thomas    <bthomas@xxxxxxxxxxxxxxxxx>  |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for ikiwiki, xemacs, fetchmail,
openoffice, mapserver, qt, htmldoc, firebird, httpd, irssi, xmlrpc,
kdebase, nss, postfix, mysql, rgmanager, cman, gfs, nfs-utils,
kernel-rt, and dnsmasq. The distributors include Debian, Fedora,
Mandriva, Red Hat, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of
Linux: safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power
of Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------

If I ask "How much do you know about Google?", you may not take even a
second to respond. But if I ask "How much does Google know about you?",
you may instantly reply "Wait... what!? Do they!?" The book "Googling
Security: How Much Does Google Know About You" by Greg Conti (Computer
Science Professor at West Point) is the first book to reveal how
Google's vast information stockpiles could be used against you or your
business, and what you can do to protect yourself.
http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------

Nagios is monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process; making that setup secure, however, takes some work.
This article will not show you how to install Nagios, since there are
plenty of guides for that, but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf  <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes many
updated packages and bug fixes and some feature enhancements to the
EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New devscripts packages fix remote code execution (Sep 2)
-----------------------------------------------------------------
Raphael Geissert discovered that uscan, a program to check for the
availability of new source code versions which is part of the
devscripts package, runs Perl code downloaded from potentially
untrusted sources to implement its URL and version mangling
functionality.
http://www.linuxsecurity.com/content/view/149956

* Debian: New mysql-dfsg-5.0 packages fix arbitrary code (Sep 2)
--------------------------------------------------------------
In MySQL 4.0.0 through 5.0.83, multiple format string vulnerabilities
in the dispatch_command() function in libmysqld/sql_parse.cc in mysqld
allow remote authenticated users to cause a denial of service (daemon
crash) and potentially the execution of arbitrary code via format
string specifiers in a database name in a COM_CREATE_DB or COM_DROP_DB
request.

http://www.linuxsecurity.com/content/view/149955

* Debian: New dnsmasq packages fix remote code execution (Sep 1)
--------------------------------------------------------------
Several remote vulnerabilities have been discovered in the TFTP
component of dnsmasq.

http://www.linuxsecurity.com/content/view/149941

* Debian: New ikiwiki packages fix information disclosure (Aug 31)
----------------------------------------------------------------
http://www.linuxsecurity.com/content/view/149924

------------------------------------------------------------------------

* Fedora 11 Update: xemacs-21.5.29-2.fc11 (Sep 4)
-----------------------------------------------
This update fixes multiple buffer overflows when reading large image
files, or maliciously created image files whose headers misrepresent
the actual image size. The update also addresses multiple font issues,
some of which cause warnings on startup. Some warnings remain, however,
unless an ISO8859-13 font (e.g., terminus) is installed. Also note that
some warnings remain on Rawhide pending a resolution for bz 507637.

http://www.linuxsecurity.com/content/view/149966

* Fedora 10 Update: fetchmail-6.3.8-9.fc10 (Sep 4)
------------------------------------------------
If fetchmail is running in daemon mode, it must be restarted for this
update to take effect (use the "fetchmail --quit" command to stop the
fetchmail process).
http://www.linuxsecurity.com/content/view/149967

* Fedora 11 Update: fetchmail-6.3.9-5.fc11 (Sep 4)
------------------------------------------------
If fetchmail is running in daemon mode, it must be restarted for this
update to take effect (use the "fetchmail --quit" command to stop the
fetchmail process).

http://www.linuxsecurity.com/content/view/149965

* Fedora 10 Update: xemacs-21.5.28-10.fc10 (Sep 4)
------------------------------------------------
This update fixes multiple buffer overflows when reading large image
files, or maliciously created image files whose headers misrepresent
the actual image size.

http://www.linuxsecurity.com/content/view/149964

* Fedora 10 Update: openoffice.org-3.0.1-15.6.fc10 (Sep 4)
--------------------------------------------------------
CVE-2009-0200/CVE-2009-0201: Harden .doc table insert/delete record
import handling.

http://www.linuxsecurity.com/content/view/149963

* Fedora 10 Update: mapserver-5.2.3-1.fc10 (Sep 2)
------------------------------------------------
Changing imagepath and imageurl no longer allowed via URL.
New fix for incomplete CVE-2009-0840 security fix made in 5.2.2.
Fixed seg fault if font not found with label ANGLE FOLLOW (#2973).

http://www.linuxsecurity.com/content/view/149960

* Fedora 11 Update: mapserver-5.2.3-1.fc11 (Sep 2)
------------------------------------------------
Changing imagepath and imageurl no longer allowed via URL.
New fix for incomplete CVE-2009-0840 security fix made in 5.2.2.
Fixed seg fault if font not found with label ANGLE FOLLOW (#2973).

http://www.linuxsecurity.com/content/view/149957

* Fedora 11 Update: qt-4.5.2-3.fc11 (Sep 2)
-----------------------------------------
Security fix for CVE-2009-2700.

http://www.linuxsecurity.com/content/view/149958

* Fedora 10 Update: qt-4.5.2-3.fc10 (Sep 2)
-----------------------------------------
Security fix for CVE-2009-2700.

http://www.linuxsecurity.com/content/view/149959

* Fedora 10 Update: htmldoc-1.8.27-8.fc10 (Aug 31)
------------------------------------------------
Fix scanf issues found by Gentoo. Fix FTBFS on Fedora 12.

http://www.linuxsecurity.com/content/view/149930

* Fedora 11 Update: htmldoc-1.8.27-12.fc11 (Aug 31)
-------------------------------------------------
Fix scanf issues found by Gentoo. Fix FTBFS on Fedora 12.

http://www.linuxsecurity.com/content/view/149929

* Fedora 11 Update: firebird-2.1.3.18185.0-2.fc11 (Aug 31)
--------------------------------------------------------
Upgrading from the previous package version may be a problem, since the
previous version removed /var/run/firebird and it shouldn't have. This
release fixes this problem for future updates. If you are in that case
(no /var/run/firebird directory after the upgrade), just reinstall the
firebird-2.1.3.18185.0-2 package or create /var/run/firebird owned by
user firebird.

http://www.linuxsecurity.com/content/view/149928

* Fedora 11 Update: httpd-2.2.13-1.fc11 (Aug 31)
----------------------------------------------
This update includes the latest release of the Apache HTTP Server,
version 2.2.13, fixing several security issues:

* Fix a potential Denial-of-Service attack against mod_deflate or other
  modules, by forcing the server to consume CPU time in compressing a
  large file after a client disconnects. (CVE-2009-1891)

* Prevent the "Includes" Option from being enabled in an .htaccess file
  if the AllowOverride restrictions do not permit it. (CVE-2009-1195)

* Fix a potential Denial-of-Service attack against mod_proxy in a
  reverse proxy configuration, where a remote attacker can force a proxy
  process to consume CPU time indefinitely. (CVE-2009-1890)

* mod_proxy_ajp: Avoid delivering content from a previous request which
  failed to send a request body.
  (CVE-2009-1191)

Many bug fixes are also included; see the upstream changelog for
further details:

http://www.apache.org/dist/httpd/CHANGES_2.2.13

http://www.linuxsecurity.com/content/view/149927

* Fedora 10 Update: irssi-0.8.13-3.fc10 (Aug 31)
----------------------------------------------
http://www.linuxsecurity.com/content/view/149926

* Fedora 10 Update: firebird-2.1.3.18185.0-2.fc10 (Aug 31)
--------------------------------------------------------
Upgrading from the previous package version may be a problem, since the
previous version removed /var/run/firebird and it shouldn't have. This
release fixes this problem for future updates. If you are in that case
(no /var/run/firebird directory after the upgrade), just reinstall the
firebird-2.1.3.18185.0-2 package or create /var/run/firebird owned by
user firebird.

http://www.linuxsecurity.com/content/view/149925

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVA-2009:158 ] xmlrpc-c (Sep 3)
-------------------------------------------------------------------------
This update resolves a missing dependency for the recent KDE4 updates.

http://www.linuxsecurity.com/content/view/149962

* Mandriva: Subject: [Security Announce] [ MDVA-2009:157 ] kdebase4-workspace (Sep 2)
-----------------------------------------------------------------------------------
krandrtray from KDE4 is known to have some issues. A patch was added
that makes krandrtray open its configuration module when the system
tray icon is clicked.
http://www.linuxsecurity.com/content/view/149954

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:197 ] nss (Sep 1)
---------------------------------------------------------------------
Security issues in nss prior to 3.12.3 could lead to a man-in-the-middle
attack via a spoofed X.509 certificate (CVE-2009-2408) and md2 algorithm
flaws (CVE-2009-2409), and also cause a denial-of-service and possible
code execution via a long domain name in an X.509 certificate
(CVE-2009-2404). This update provides the latest versions of the NSS
and NSPR libraries, which are not vulnerable to those attacks.

http://www.linuxsecurity.com/content/view/149940

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:224 ] postfix (Aug 30)
--------------------------------------------------------------------------
A vulnerability has been found and corrected in postfix:

Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a
mailbox file even when this file is not owned by the recipient, which
allows local users to read e-mail messages by creating a mailbox file
corresponding to another user's account name (CVE-2008-2937).

This update provides a solution to this vulnerability.

http://www.linuxsecurity.com/content/view/149918

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:223 ] xerces-c (Aug 30)
---------------------------------------------------------------------------
A vulnerability has been found and corrected in xerces-c:

Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in
Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to
cause a denial of service (application crash) via vectors involving
nested parentheses and invalid byte values in simply nested DTD
structures, as demonstrated by the Codenomicon XML fuzzing framework
(CVE-2009-1885).

This update provides a solution to this vulnerability.
http://www.linuxsecurity.com/content/view/149917

------------------------------------------------------------------------

* RedHat: Important: openoffice.org security update (Sep 4)
---------------------------------------------------------
Updated openoffice.org packages that correct security issues are now
available for Red Hat Enterprise Linux 3, 4, and 5. This update has
been rated as having important security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/149968

* RedHat: Moderate: mysql security and bug fix update (Sep 2)
-----------------------------------------------------------
Updated mysql packages that fix various security issues and several
bugs are now available for Red Hat Enterprise Linux 5. This update has
been rated as having moderate security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/149953

* RedHat: Low: gdm security and bug fix update (Sep 2)
----------------------------------------------------
Updated gdm packages that fix a security issue and several bugs are now
available for Red Hat Enterprise Linux 5. This update has been rated as
having low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/149952

* RedHat: Low: rgmanager security, bug fix, (Sep 2)
-------------------------------------------------
An updated rgmanager package that fixes multiple security issues,
various bugs, and adds enhancements is now available for Red Hat
Enterprise Linux 5.

http://www.linuxsecurity.com/content/view/149950

* RedHat: Low: cman security, bug fix, (Sep 2)
--------------------------------------------
Updated cman packages that fix several security issues, various bugs,
and add enhancements are now available for Red Hat Enterprise Linux 5.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/149951

* RedHat: Low: gfs2-utils security and bug fix update (Sep 2)
-----------------------------------------------------------
An updated gfs2-utils package that fixes multiple security issues and
various bugs is now available for Red Hat Enterprise Linux 5. This
update has been rated as having low security impact by the Red Hat
Security Response Team.

http://www.linuxsecurity.com/content/view/149949

* RedHat: Moderate: openssl security, bug fix, (Sep 2)
----------------------------------------------------
Updated openssl packages that fix several security issues, various
bugs, and add enhancements are now available for Red Hat Enterprise
Linux 5. This update has been rated as having moderate security impact
by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/149948

* RedHat: Low: ecryptfs-utils security, bug fix, (Sep 2)
------------------------------------------------------
Updated ecryptfs-utils packages that fix a security issue, various
bugs, and add enhancements are now available for Red Hat Enterprise
Linux 5. This update has been rated as having low security impact by
the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/149946

* RedHat: Low: nfs-utils security and bug fix update (Sep 2)
----------------------------------------------------------
An updated nfs-utils package that fixes a security issue and several
bugs is now available. This update has been rated as having low
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/149947

* RedHat: Low: openssh security, bug fix, (Sep 2)
-----------------------------------------------
Updated openssh packages that fix a security issue, a bug, and add
enhancements are now available for Red Hat Enterprise Linux 5. This
update has been rated as having low security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/149945

* RedHat: Important: Red Hat Enterprise Linux 5.4 kernel (Sep 2)
--------------------------------------------------------------
Updated kernel packages that fix security issues, address several
hundred bugs and add numerous enhancements are now available as part of
the ongoing support and maintenance of Red Hat Enterprise Linux version
5. This is the fourth regular update.

http://www.linuxsecurity.com/content/view/149943

* RedHat: Low: lftp security and bug fix update (Sep 2)
-----------------------------------------------------
An updated lftp package that fixes one security issue and various bugs
is now available for Red Hat Enterprise Linux 5. This update has been
rated as having low security impact by the Red Hat Security Response
Team.

http://www.linuxsecurity.com/content/view/149944

* RedHat: Important: kernel-rt security and bug fix update (Sep 1)
----------------------------------------------------------------
Updated kernel-rt packages that fix several security issues and various
bugs are now available for Red Hat Enterprise MRG 1.1. This update has
been rated as having important security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/149938

* RedHat: Important: kernel-rt security and bug fix update (Sep 1)
----------------------------------------------------------------
Updated kernel-rt packages that fix several security issues and various
bugs are now available for Red Hat Enterprise MRG 1.1. This update has
been rated as having important security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/149937

* RedHat: Important: dnsmasq security update (Aug 31)
---------------------------------------------------
An updated dnsmasq package that fixes two security issues is now
available for Red Hat Enterprise Linux 5. This update has been rated as
having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/149931

------------------------------------------------------------------------

* Ubuntu: Dnsmasq vulnerabilities (Sep 1)
----------------------------------------
Iván Arce, Pablo Hernán Jorge, Alejandro Pablo Rodriguez, Martín Coco,
Alberto Soliño Testa and Pablo Annetta discovered that Dnsmasq did not
properly validate its input when processing TFTP requests for files with
long names. A remote attacker could cause a denial of service or execute
arbitrary code with user privileges.

http://www.linuxsecurity.com/content/view/149942

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.

------------------------------------------------------------------------