Linux Advisory Watch - September 11th 2009

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| September 11th, 2009                            Volume 10, Number 37 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
|                       Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for nagio2, xapian, cyrus,
openoffice, silc-client, libsic, cyrus-imapd, kdelibs, xemacs,
fetchmail, openswan, tkman, screenie, lmbench, arp, clam, libvorbis,
hplip, freeradius, aria, qt4, firefox, fetchmail, xmlsec1, and
seamonkey.  The distributors include Debian, Fedora, Gentoo, Mandrivra,
Red Hat, and Slackware.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" You may not take even a
second to respond.  But if I may ask "How much does Google know about
you"? You may instantly reply "Wait... what!? Do they!?"  The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New nagios2 packages fix several cross-site scriptings (Sep 10)
  -----------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/150001

* Debian: New xapian-omega packages fix cross-site scripting (Sep 9)
  ------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149994

* Debian: New cyrus-imapd packages fix arbitrary code execution (Sep 7)
  ---------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149975

* Debian: New OpenOffice.org packages fix arbitrary code execution (Sep 4)
  ------------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149970

* Debian: New silc-client/silc-toolkit packages fix arbitrary code execution (Sep 4)
  ----------------------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149969

------------------------------------------------------------------------

* Fedora 11 Update: libsilc-1.1.8-7.fc11 (Sep 9)
  ----------------------------------------------


  http://www.linuxsecurity.com/content/view/150000

* Fedora 10 Update: libsilc-1.1.8-7.fc10 (Sep 9)
  ----------------------------------------------


  http://www.linuxsecurity.com/content/view/149999

* Fedora 10 Update: cyrus-imapd-2.3.14-2.fc10 (Sep 8)
  ---------------------------------------------------
  fixes buffer overflow in SIEVE script handling

  http://www.linuxsecurity.com/content/view/149984

* Fedora 11 Update: cyrus-imapd-2.3.14-2.fc11 (Sep 8)
  ---------------------------------------------------
  fixes buffer overflow in SIEVE script handling

  http://www.linuxsecurity.com/content/view/149983

* Fedora 10 Update: kdelibs3-3.5.10-13.fc10.1 (Sep 8)
  ---------------------------------------------------
  This update fixes CVE-2009-2702, a security issue where SSL
  certificates containing embedded NUL characters would falsely pass
  validation when they're actually invalid, for the KDE 3 compatibility
  version of kdelibs.

  http://www.linuxsecurity.com/content/view/149982

* Fedora 11 Update: kdelibs3-3.5.10-13.fc11.1 (Sep 8)
  ---------------------------------------------------
  This update fixes CVE-2009-2702, a security issue where SSL
  certificates containing embedded NUL characters would falsely pass
  validation when they're actually invalid, for the KDE 3 compatibility
  version of kdelibs.

  http://www.linuxsecurity.com/content/view/149981

* Fedora 11 Update: xemacs-21.5.29-2.fc11 (Sep 4)
  -----------------------------------------------
  This update fixes multiple buffer overflows when reading large image
  files, or maliciously created image files whose headers misrepresent
  the actual image size.    The update also addresses multiple font
  issues, some of which cause warnings on startup.  Some warnings
  remain, however, unless an ISO8859-13 fonts (e.g., terminus) is
  installed.  Also note that some warnings remain on Rawhide pending a
  resolution for bz 507637.

  http://www.linuxsecurity.com/content/view/149966

* Fedora 10 Update: fetchmail-6.3.8-9.fc10 (Sep 4)
  ------------------------------------------------
  If fetchmail is running in daemon mode, it must be restarted for this
  update to take effect (use the "fetchmail --quit" command to stop the
  fetchmail process).

  http://www.linuxsecurity.com/content/view/149967

* Fedora 11 Update: fetchmail-6.3.9-5.fc11 (Sep 4)
  ------------------------------------------------
  If fetchmail is running in daemon mode, it must be restarted for this
  update to take effect (use the "fetchmail --quit" command to stop the
  fetchmail process).

  http://www.linuxsecurity.com/content/view/149965

* Fedora 10 Update: xemacs-21.5.28-10.fc10 (Sep 4)
  ------------------------------------------------
  This update fixes multiple buffer overflows when reading large image
  files, or maliciously created image files whose headers misrepresent
  the actual image size.

  http://www.linuxsecurity.com/content/view/149964

* Fedora 10 Update: openoffice.org-3.0.1-15.6.fc10 (Sep 4)
  --------------------------------------------------------
  CVE-2009-0200/CVE-2009-0201: Harden .doctable insert/delete record
  import handling.

  http://www.linuxsecurity.com/content/view/149963

------------------------------------------------------------------------

* Gentoo: Openswan Denial of Service (Sep 9)
  ------------------------------------------
  =3D=3D=3D=3D=3D=3D=3D=3D Multiple vulnerabilities in the pluto IKE
  daemon of Openswan might allow remote attackers to cause a Denial of
  Service.

  http://www.linuxsecurity.com/content/view/149987

* Gentoo: TkMan Insecure temporary file usage (Sep 9)
  ---------------------------------------------------
  =3D=3D=3D=3D=3D=3D=3D=3D An insecure temporary file usage has been
  reported in TkMan, allowing for symlink attacks.

  http://www.linuxsecurity.com/content/view/149988

* Gentoo: aMule Parameter injection (Sep 9)
  -----------------------------------------
  =3D=3D=3D=3D=3D=3D=3D=3D An input validation error in aMule enables
  remote attackers to pass arbitrary parameters to a victim's media
  player.

  http://www.linuxsecurity.com/content/view/149989

* Gentoo: C* music player Insecure temporary file usage (Sep 9)
  -------------------------------------------------------------
  =3D=3D=3D=3D=3D=3D=3D=3D An insecure temporary file usage has been
  reported in the C* music player, allowing for symlink attacks.

  http://www.linuxsecurity.com/content/view/149990

* Gentoo: Screenie Insecure temporary file usage (Sep 9)
  ------------------------------------------------------
  =3D=3D=3D=3D=3D=3D=3D=3D An insecure temporary file usage has been
  reported in Screenie, allowing for symlink attacks.

  http://www.linuxsecurity.com/content/view/149991

* Gentoo: LMBench Insecure temporary file usage (Sep 9)
  -----------------------------------------------------
  =3D=3D=3D=3D=3D=3D=3D=3D Multiple insecure temporary file usage
  issues have been reported in LMBench, allowing for symlink attacks.

  http://www.linuxsecurity.com/content/view/149992

* Gentoo: GCC-XML Insecure temporary file usage (Sep 9)
  -----------------------------------------------------
  =3D=3D=3D=3D=3D=3D=3D=3D An insecure temporary file usage has been
  reported in GCC-XML allowing for symlink attacks.

  http://www.linuxsecurity.com/content/view/149993

* Gentoo: Apache Portable Runtime, APR Utility Library (Sep 9)
  ------------------------------------------------------------
  =3D=3D=3D=3D=3D=3D=3D=3D Multiple integer overflows in the Apache
  Portable Runtime and its Utility Library might allow for the remote
  execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/149985

* Gentoo: Clam AntiVirus Multiple vulnerabilities (Sep 9)
  -------------------------------------------------------
  =3D=3D=3D=3D=3D=3D=3D=3D Multiple vulnerabilities in ClamAV allow for
  the remote execution of arbitrary code or Denial of Service.

  http://www.linuxsecurity.com/content/view/149986

* Gentoo: Linux-PAM Privilege escalation (Sep 6)
  ----------------------------------------------
  =3D=3D=3D=3D=3D=3D=3D=3D An error in the handling of user names of
  Linux-PAM might allow remote attackers to cause a Denial of Service
  or escalate privileges.

  http://www.linuxsecurity.com/content/view/149973

* Gentoo: libvorbis User-assisted execution of arbitrary (Sep 6)
  --------------------------------------------------------------
  =3D=3D=3D=3D=3D=3D=3D=3D A processing error in libvorbis might result
  in the execution of arbitrary code or a Denial of Service.

  http://www.linuxsecurity.com/content/view/149974

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVA-2009:159 ] hplip (Sep 10)
  -----------------------------------------------------------------------
  This update resolves a runtime error with hplip found after the KDE4
  updates and in conjunction with the newer python-qt4-gui package.
  This version upgrade provides hplip v3.9.2 that addresses this
  problem.

  http://www.linuxsecurity.com/content/view/150003

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:226 ] freeradius (Sep 10)
  -----------------------------------------------------------------------------
  A vulnerability has been found and corrected in freeradius: The
  rad_decode function in FreeRADIUS before 1.1.8 allows remote
  attackers to cause a denial of service (radiusd crash) via
  zero-length Tunnel-Password attributes.  NOTE: this is a regression
  error related to CVE-2003-0967 (CVE-2009-3111). This update provides
  a solution to this vulnerability.

  http://www.linuxsecurity.com/content/view/150002

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:226 ] aria2 (Sep 9)
  -----------------------------------------------------------------------
  A vulnerability has been found and corrected in aria2: aria2 has a
  buffer overflow which makes it crashing at least on mips. This update
  provides a solution to this vulnerability.

  http://www.linuxsecurity.com/content/view/149995

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:225 ] qt4 (Sep 8)
  ---------------------------------------------------------------------
  A vulnerability has been found and corrected in qt4:
  src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does
  not properly handle a '\0' character in a domain name in the Subject
  Alternative Name field of an X.509 certificate, which allows
  man-in-the-middle attackers to spoof arbitrary SSL servers via a
  crafted certificate issued by a legitimate Certification Authority, a
  related issue to CVE-2009-2408 (CVE-2009-2700). This update provides
  a solution to this vulnerability.

  http://www.linuxsecurity.com/content/view/149980

* Mandriva: Subject: [Security Announce] [ MDVA-2009:158 ] xmlrpc-c (Sep 3)
  -------------------------------------------------------------------------
  This update resolves a missing dependency for the recent KDE4
  updates.

  http://www.linuxsecurity.com/content/view/149962

------------------------------------------------------------------------

* RedHat: Critical: firefox security update (Sep 9)
  -------------------------------------------------
  Updated firefox packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having critical security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/149996

* RedHat: Critical: seamonkey security update (Sep 9)
  ---------------------------------------------------
  Updated seamonkey packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4. This update has been rated
  as having critical security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/149997

* RedHat: Critical: seamonkey security update (Sep 9)
  ---------------------------------------------------
  Updated seamonkey packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3. This update has been rated
  as having critical security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/149998

* RedHat: Moderate: fetchmail security update (Sep 8)
  ---------------------------------------------------
  An updated fetchmail package that fixes multiple security issues is
  now available for Red Hat Enterprise Linux 3, 4, and 5. This update
  has been rated as having moderate security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/149978

* RedHat: Moderate: xmlsec1 security update (Sep 8)
  -------------------------------------------------
  Updated xmlsec1 packages that fix one security issue are now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/149979

* RedHat: Important: openoffice.org security update (Sep 4)
  ---------------------------------------------------------
  Updated openoffice.org packages that correct security issues are now
  available for Red Hat Enterprise Linux 3, 4, and 5. This update has
  been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/149968

------------------------------------------------------------------------

* Slackware:   seamonkey (Sep 8)
  ------------------------------
  New seamonkey packages are available for Slackware 11.0, 12.0, 12.1,
  12.2, 13.0, and -current to fix security issues. More details about
  the issues may be found on the Mozilla web site:
  http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.htm
  l

  http://www.linuxsecurity.com/content/view/149976

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux