+----------------------------------------------------------------------+
|  LinuxSecurity.com                              Weekly Newsletter    |
|  September 11th, 2009                           Volume 10, Number 37 |
|                                                                      |
|  Editorial Team:  Dave Wreski          <dwreski@xxxxxxxxxxxxxxxxx>   |
|                   Benjamin D. Thomas   <bthomas@xxxxxxxxxxxxxxxxx>   |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for nagios2, xapian, cyrus,
openoffice, silc-client, libsilc, cyrus-imapd, kdelibs, xemacs, fetchmail,
openswan, tkman, screenie, lmbench, arp, clam, libvorbis, hplip,
freeradius, aria, qt4, firefox, fetchmail, xmlsec1, and seamonkey.
The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat,
and Slackware.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments. Catch up with what
professional network and database administrators, system programmers,
webmasters and all those who believe in the power of Open Source
software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------

If I ask "How much do you know about Google?", you may not take even a
second to respond. But if I ask "How much does Google know about you?",
you may instantly reply "Wait... what!? Do they!?" The book "Googling
Security: How Much Does Google Know About You" by Greg Conti (Computer
Science Professor at West Point) is the first book to reveal how
Google's vast information stockpiles could be used against you or your
business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------

Nagios is monitoring software designed to let you know about problems
on your hosts and networks quickly, and it can be configured for use on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process; making that setup secure, however, takes some work.
This article will not show you how to install Nagios, since there are
plenty of install guides out there, but it will show you in detail ways
to improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
-->       http://www.linuxsecurity.com/docs/QuickRefCard.pdf       <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes many
  updated packages and bug fixes and some feature enhancements to the
  EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New nagios2 packages fix several cross-site scriptings (Sep 10)
  -----------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/150001

* Debian: New xapian-omega packages fix cross-site scripting (Sep 9)
  ------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149994

* Debian: New cyrus-imapd packages fix arbitrary code execution (Sep 7)
  ---------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149975

* Debian: New OpenOffice.org packages fix arbitrary code execution (Sep 4)
  ------------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149970

* Debian: New silc-client/silc-toolkit packages fix arbitrary code execution (Sep 4)
  ----------------------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149969

------------------------------------------------------------------------

* Fedora 11 Update: libsilc-1.1.8-7.fc11 (Sep 9)
  ----------------------------------------------
  http://www.linuxsecurity.com/content/view/150000

* Fedora 10 Update: libsilc-1.1.8-7.fc10 (Sep 9)
  ----------------------------------------------
  http://www.linuxsecurity.com/content/view/149999

* Fedora 10 Update: cyrus-imapd-2.3.14-2.fc10 (Sep 8)
  ---------------------------------------------------
  Fixes a buffer overflow in SIEVE script handling.

  http://www.linuxsecurity.com/content/view/149984

* Fedora 11 Update: cyrus-imapd-2.3.14-2.fc11 (Sep 8)
  ---------------------------------------------------
  Fixes a buffer overflow in SIEVE script handling.

  http://www.linuxsecurity.com/content/view/149983

* Fedora 10 Update: kdelibs3-3.5.10-13.fc10.1 (Sep 8)
  ---------------------------------------------------
  This update fixes CVE-2009-2702, a security issue where SSL
  certificates containing embedded NUL characters would falsely pass
  validation when they're actually invalid, for the KDE 3 compatibility
  version of kdelibs.

  http://www.linuxsecurity.com/content/view/149982

* Fedora 11 Update: kdelibs3-3.5.10-13.fc11.1 (Sep 8)
  ---------------------------------------------------
  This update fixes CVE-2009-2702, a security issue where SSL
  certificates containing embedded NUL characters would falsely pass
  validation when they're actually invalid, for the KDE 3 compatibility
  version of kdelibs.

  http://www.linuxsecurity.com/content/view/149981

* Fedora 11 Update: xemacs-21.5.29-2.fc11 (Sep 4)
  -----------------------------------------------
  This update fixes multiple buffer overflows when reading large image
  files, or maliciously created image files whose headers misrepresent
  the actual image size. The update also addresses multiple font issues,
  some of which cause warnings on startup. Some warnings remain, however,
  unless an ISO8859-13 font (e.g., terminus) is installed. Also note that
  some warnings remain on Rawhide pending a resolution for bz 507637.

  http://www.linuxsecurity.com/content/view/149966

* Fedora 10 Update: fetchmail-6.3.8-9.fc10 (Sep 4)
  ------------------------------------------------
  If fetchmail is running in daemon mode, it must be restarted for this
  update to take effect (use the "fetchmail --quit" command to stop the
  fetchmail process).

  http://www.linuxsecurity.com/content/view/149967

* Fedora 11 Update: fetchmail-6.3.9-5.fc11 (Sep 4)
  ------------------------------------------------
  If fetchmail is running in daemon mode, it must be restarted for this
  update to take effect (use the "fetchmail --quit" command to stop the
  fetchmail process).

  http://www.linuxsecurity.com/content/view/149965

* Fedora 10 Update: xemacs-21.5.28-10.fc10 (Sep 4)
  ------------------------------------------------
  This update fixes multiple buffer overflows when reading large image
  files, or maliciously created image files whose headers misrepresent
  the actual image size.

  http://www.linuxsecurity.com/content/view/149964

* Fedora 10 Update: openoffice.org-3.0.1-15.6.fc10 (Sep 4)
  --------------------------------------------------------
  CVE-2009-0200/CVE-2009-0201: Harden .doc table insert/delete record
  import handling.

  http://www.linuxsecurity.com/content/view/149963

------------------------------------------------------------------------

* Gentoo: Openswan Denial of Service (Sep 9)
  ------------------------------------------
  ========
  Multiple vulnerabilities in the pluto IKE daemon of Openswan might
  allow remote attackers to cause a Denial of Service.

  http://www.linuxsecurity.com/content/view/149987

* Gentoo: TkMan Insecure temporary file usage (Sep 9)
  ---------------------------------------------------
  ========
  An insecure temporary file usage has been reported in TkMan, allowing
  for symlink attacks.

  http://www.linuxsecurity.com/content/view/149988

* Gentoo: aMule Parameter injection (Sep 9)
  -----------------------------------------
  ========
  An input validation error in aMule enables remote attackers to pass
  arbitrary parameters to a victim's media player.

  http://www.linuxsecurity.com/content/view/149989

* Gentoo: C* music player Insecure temporary file usage (Sep 9)
  -------------------------------------------------------------
  ========
  An insecure temporary file usage has been reported in the C* music
  player, allowing for symlink attacks.

  http://www.linuxsecurity.com/content/view/149990

* Gentoo: Screenie Insecure temporary file usage (Sep 9)
  ------------------------------------------------------
  ========
  An insecure temporary file usage has been reported in Screenie,
  allowing for symlink attacks.

  http://www.linuxsecurity.com/content/view/149991

* Gentoo: LMBench Insecure temporary file usage (Sep 9)
  -----------------------------------------------------
  ========
  Multiple insecure temporary file usage issues have been reported in
  LMBench, allowing for symlink attacks.

  http://www.linuxsecurity.com/content/view/149992

* Gentoo: GCC-XML Insecure temporary file usage (Sep 9)
  -----------------------------------------------------
  ========
  An insecure temporary file usage has been reported in GCC-XML,
  allowing for symlink attacks.

  http://www.linuxsecurity.com/content/view/149993

* Gentoo: Apache Portable Runtime, APR Utility Library (Sep 9)
  ------------------------------------------------------------
  ========
  Multiple integer overflows in the Apache Portable Runtime and its
  Utility Library might allow for the remote execution of arbitrary
  code.

  http://www.linuxsecurity.com/content/view/149985

* Gentoo: Clam AntiVirus Multiple vulnerabilities (Sep 9)
  -------------------------------------------------------
  ========
  Multiple vulnerabilities in ClamAV allow for the remote execution of
  arbitrary code or Denial of Service.

  http://www.linuxsecurity.com/content/view/149986

* Gentoo: Linux-PAM Privilege escalation (Sep 6)
  ----------------------------------------------
  ========
  An error in Linux-PAM's handling of user names might allow remote
  attackers to cause a Denial of Service or escalate privileges.

  http://www.linuxsecurity.com/content/view/149973

* Gentoo: libvorbis User-assisted execution of arbitrary (Sep 6)
  --------------------------------------------------------------
  ========
  A processing error in libvorbis might result in the execution of
  arbitrary code or a Denial of Service.

  http://www.linuxsecurity.com/content/view/149974

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVA-2009:159 ] hplip (Sep 10)
  -----------------------------------------------------------------------
  This update resolves a runtime error with hplip found after the KDE4
  updates and in conjunction with the newer python-qt4-gui package. This
  version upgrade provides hplip v3.9.2, which addresses this problem.

  http://www.linuxsecurity.com/content/view/150003

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:226 ] freeradius (Sep 10)
  -----------------------------------------------------------------------------
  A vulnerability has been found and corrected in freeradius: The
  rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers
  to cause a denial of service (radiusd crash) via zero-length
  Tunnel-Password attributes. NOTE: this is a regression error related to
  CVE-2003-0967 (CVE-2009-3111). This update provides a solution to this
  vulnerability.

  http://www.linuxsecurity.com/content/view/150002

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:226 ] aria2 (Sep 9)
  -----------------------------------------------------------------------
  A vulnerability has been found and corrected in aria2: aria2 has a
  buffer overflow that makes it crash, at least on mips. This update
  provides a solution to this vulnerability.

  http://www.linuxsecurity.com/content/view/149995

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:225 ] qt4 (Sep 8)
  ---------------------------------------------------------------------
  A vulnerability has been found and corrected in qt4:
  src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not
  properly handle a '\0' character in a domain name in the Subject
  Alternative Name field of an X.509 certificate, which allows
  man-in-the-middle attackers to spoof arbitrary SSL servers via a
  crafted certificate issued by a legitimate Certification Authority, a
  related issue to CVE-2009-2408 (CVE-2009-2700). This update provides a
  solution to this vulnerability.

  http://www.linuxsecurity.com/content/view/149980

* Mandriva: Subject: [Security Announce] [ MDVA-2009:158 ] xmlrpc-c (Sep 3)
  -------------------------------------------------------------------------
  This update resolves a missing dependency for the recent KDE4 updates.

  http://www.linuxsecurity.com/content/view/149962

------------------------------------------------------------------------

* RedHat: Critical: firefox security update (Sep 9)
  -------------------------------------------------
  Updated firefox packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having critical security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/149996

* RedHat: Critical: seamonkey security update (Sep 9)
  ---------------------------------------------------
  Updated seamonkey packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4. This update has been rated
  as having critical security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/149997

* RedHat: Critical: seamonkey security update (Sep 9)
  ---------------------------------------------------
  Updated seamonkey packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3. This update has been rated
  as having critical security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/149998

* RedHat: Moderate: fetchmail security update (Sep 8)
  ---------------------------------------------------
  An updated fetchmail package that fixes multiple security issues is
  now available for Red Hat Enterprise Linux 3, 4, and 5. This update
  has been rated as having moderate security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/149978

* RedHat: Moderate: xmlsec1 security update (Sep 8)
  -------------------------------------------------
  Updated xmlsec1 packages that fix one security issue are now available
  for Red Hat Enterprise Linux 4 and 5. This update has been rated as
  having moderate security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149979

* RedHat: Important: openoffice.org security update (Sep 4)
  ---------------------------------------------------------
  Updated openoffice.org packages that correct security issues are now
  available for Red Hat Enterprise Linux 3, 4, and 5. This update has
  been rated as having important security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/149968

------------------------------------------------------------------------

* Slackware: seamonkey (Sep 8)
  ------------------------------
  New seamonkey packages are available for Slackware 11.0, 12.0, 12.1,
  12.2, 13.0, and -current to fix security issues. More details about
  the issues may be found on the Mozilla web site:

  http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html

  http://www.linuxsecurity.com/content/view/149976

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.

------------------------------------------------------------------------