Linux Advisory Watch: March 9th, 2007
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
This week, advisories were released for gnomemeeting, clamav, php4, kernel, selinux, snort, spamassassin, firefox, STLport, tcpdump, timezone, thunderbird, util-linux, mod_jk, gnupg, seamonkey, imagemagick, nvidia-glx, mod_python, and php. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, SuSE, and Ubuntu.


LinuxSecurity.com Feature Extras:

    RFID with Bio-Smart Card in Linux - This paper describes the integration of a fingerprint template with an RF smart card for a clustered network, built on Linux and open-source technology to provide biometric security. Combining the smart card with biometrics gives two-step authentication: the smart card is authenticated with a Personal Identification Number (PIN), and the cardholder is authenticated by fingerprint verification against the template stored on the card. For security, the fingerprint verification is performed on a central host server. The protocol designed allows control over all parameters of the smart security controller, such as PIN options, reader delay, real-time clock, alarm options and cardholder access conditions.

    Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
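The three checks below are an added example (not code from the linuxsecurity.com article summarized above) of how an administrator would hunt for the over-liberal permissions it warns about: world-writable files, world-writable directories without the sticky bit, and setuid/setgid executables. It assumes only POSIX find(1), and the scratch tree it audits is constructed here for demonstration; the file and directory names in it are invented.

```shell
#!/bin/sh
# Added example: audit a directory tree for the permission mistakes the
# article describes.  Assumes POSIX find(1); the sample tree built by
# make_demo_tree is constructed for this demonstration.

# World-writable regular files under $1: any local user can alter them
# (think of a config file a daemon later reads as root).
world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# World-writable directories under $1 that lack the sticky bit: any user
# can delete or rename other users' files there.  A 1777 directory such
# as /tmp is acceptable; a 0777 directory is not, so it is excluded by
# the "! -perm -1000" test.
world_writable_dirs_no_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# setuid/setgid executables under $1: each one is a privilege boundary
# and should appear on a known allow-list for the host.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# One labelled line per finding, suitable for a cron job or log shipper.
audit_tree() {
    world_writable_files "$1"          | sed 's/^/world-writable file: /'
    world_writable_dirs_no_sticky "$1" | sed 's/^/world-writable dir without sticky bit: /'
    setid_files "$1"                   | sed 's/^/setuid\/setgid file: /'
}

# Constructed scratch tree (hypothetical names) containing one instance
# of each mistake plus correctly permissioned neighbours.  Prints its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/tmp" "$d/shared" "$d/bin"
    printf 'root:x:0:0\n' > "$d/etc/passwd";   chmod 0644 "$d/etc/passwd"    # fine
    printf 'secret\n'     > "$d/etc/app.conf"; chmod 0666 "$d/etc/app.conf"  # flagged
    chmod 1777 "$d/tmp"                                                       # fine (sticky)
    chmod 0777 "$d/shared"                                                    # flagged
    printf '#!/bin/sh\n'  > "$d/bin/helper";   chmod 4755 "$d/bin/helper"    # flagged (setuid)
    printf '#!/bin/sh\n'  > "$d/bin/tool";     chmod 0755 "$d/bin/tool"      # fine
    echo "$d"
}

# Stand-alone demo: build the tree, audit it, clean up.
demo=$(make_demo_tree)
audit_tree "$demo"
rm -rf "$demo"
```

In real use, point `audit_tree` at `/` (or at `/etc`, `/usr` and `/var` separately) and diff the output against the previous run; new setuid binaries and newly world-writable files are what you want to be alerted on.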

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


   Debian
  Debian: New gnomemeeting packages fix arbitrary code execution
  4th, March, 2007

Updated package.

http://www.linuxsecurity.com/content/view/127288
 
  Debian: New clamav packages fix denial of service
  6th, March, 2007

Updated package.

http://www.linuxsecurity.com/content/view/127331
 
  Debian: New php4 packages fix several vulnerabilities
  7th, March, 2007

Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code.

The Common Vulnerabilities and Exposures project identifies the individual problems; they are listed in the full advisory linked below.

http://www.linuxsecurity.com/content/view/127347
 
   Fedora
  Fedora Core 6 Update: kernel-2.6.19-1.2911.6.4.fc6
  2nd, March, 2007

Unspecified vulnerability in the listxattr system call in Linux kernel, when a "bad inode" is present, allows local users to cause a denial of service (data corruption) and possibly gain privileges via unknown vectors.

http://www.linuxsecurity.com/content/view/127272
 
  Fedora Core 5 Update: kernel-2.6.19-1.2288.2.1.fc5
  2nd, March, 2007

The Linux kernel before 2.6.20.1 allows remote attackers to cause a denial of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free of an incorrect pointer.

http://www.linuxsecurity.com/content/view/127273
 
  Fedora Core 6 Update: selinux-policy-2.4.6-41.fc6
  2nd, March, 2007

Updates the SELinux policy configuration. This update allows Samba to run as a domain controller (execute useradd).

http://www.linuxsecurity.com/content/view/127274
 
   Gentoo
  Gentoo: Snort Remote execution of arbitrary code
  1st, March, 2007

The Snort DCE/RPC preprocessor contains a buffer overflow that could result in the remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/127261
 
  Gentoo: SpamAssassin Long URI Denial of Service
  1st, March, 2007

SpamAssassin is vulnerable to a Denial of Service attack.

http://www.linuxsecurity.com/content/view/127262
 
  Gentoo: ClamAV Denial of Service
  1st, March, 2007

ClamAV contains two vulnerabilities allowing a Denial of Service.

http://www.linuxsecurity.com/content/view/127263
 
  Gentoo: Mozilla Firefox Multiple vulnerabilities
  2nd, March, 2007

Multiple vulnerabilities have been reported in Mozilla Firefox, some of which may allow user-assisted arbitrary remote code execution.

http://www.linuxsecurity.com/content/view/127284
 
  Gentoo: Mozilla Suite Multiple vulnerabilities
  3rd, March, 2007

Several vulnerabilities exist in the Mozilla Suite, which is no longer supported by the Mozilla project.

http://www.linuxsecurity.com/content/view/127285
 
  Gentoo: Snort Remote execution of arbitrary code
  3rd, March, 2007

Updated package.

http://www.linuxsecurity.com/content/view/127286
 
  Gentoo: AMD64 x86 emulation Qt library Integer overflow
  3rd, March, 2007

The AMD64 x86 emulation Qt library makes use of an insecure version of the Qt library, potentially allowing for the remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/127287
 
  Gentoo: STLport Possible remote execution of arbitrary code
  6th, March, 2007

Two buffer overflows have been discovered in STLport possibly leading to the remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/127328
 
   Mandriva
  Mandriva: Updated tcpdump packages fix segfault
  1st, March, 2007

Tcpdump would cause a segmentation fault on certain packets when reading back a captured tcpdump file. This update corrects that problem.

http://www.linuxsecurity.com/content/view/127259
 
  Mandriva: Updated timezone packages provide updated DST information
  1st, March, 2007

Updated timezone packages are being provided for older Mandriva Linux systems that do not contain the new Daylight Savings Time information for 2007 for certain time zones. These updated packages contain the new information.

http://www.linuxsecurity.com/content/view/127260
 
  Mandriva: Updated Firefox packages fix multiple vulnerabilities
  2nd, March, 2007

A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 1.5.0.10. This update provides the latest Firefox to correct these issues.

http://www.linuxsecurity.com/content/view/127283
 
  Mandriva: Updated Thunderbird packages fix multiple vulnerabilities
  6th, March, 2007

A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 1.5.0.10. This update provides the latest Thunderbird to correct these issues.

http://www.linuxsecurity.com/content/view/127333
 
  Mandriva: Updated util-linux packages address umount crash issue
  6th, March, 2007

Umount allows local users to trigger a NULL dereference and application crash by invoking the program with a pathname for a USB pen drive that was mounted and then physically removed, which might allow the users to obtain sensitive information, including core file contents. Updated packages have been patched to address this issue.

http://www.linuxsecurity.com/content/view/127334
 
   Red Hat
  RedHat: Critical: thunderbird security update
  2nd, March, 2007

Updated thunderbird packages that fix several security bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/127280
 
  RedHat: Critical: mod_jk security update
  2nd, March, 2007

Updated mod_jk packages that fix a security issue are now available for Red Hat Application Stack v1.1. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/127281
 
  RedHat: Important: gnupg security update
  6th, March, 2007

Updated GnuPG packages that fix a security issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/127309
 
   Slackware
  Slackware: mozilla-firefox
  7th, March, 2007

New mozilla-firefox packages are available for Slackware 10.2 and 11.0 to fix security issues.

http://www.linuxsecurity.com/content/view/127361
 
  Slackware: x11
  7th, March, 2007

New x11 packages are available for Slackware 10.2 and 11.0. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database.

http://www.linuxsecurity.com/content/view/127362
 
  Slackware: seamonkey
  7th, March, 2007

A new seamonkey package is available for Slackware 11.0 to fix security issues.

http://www.linuxsecurity.com/content/view/127363
 
  Slackware: imagemagick
  7th, March, 2007

A new imagemagick package is available for Slackware 11.0 to fix security issues.

http://www.linuxsecurity.com/content/view/127364
 
  Slackware: mozilla-thunderbird
  7th, March, 2007

New mozilla-thunderbird packages are available for Slackware 10.2 and 11.0 to fix security issues.

http://www.linuxsecurity.com/content/view/127365
 
  Slackware: gnupg
  7th, March, 2007

New gnupg packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, and 11.0 to fix security ramifications of incorrect gpg usage.

http://www.linuxsecurity.com/content/view/127366
 
   SuSE
  SuSE: MozillaFirefox (SUSE-SA:2007:019)
  6th, March, 2007

Updated package.

http://www.linuxsecurity.com/content/view/127322
 
   Ubuntu
  Ubuntu: nvidia-glx-config regression
  1st, March, 2007

USN-416-1 fixed various vulnerabilities in the Linux kernel. Unfortunately that update caused the 'nvidia-glx-config' script to not work any more. The new version fixes the problem. We apologize for the inconvenience.

http://www.linuxsecurity.com/content/view/127252
 
  Ubuntu: Firefox regression
  2nd, March, 2007

USN-428-1 fixed vulnerabilities in Firefox 1.5. However, changes to library paths caused applications depending on libnss3 to fail to start up. This update fixes the problem.

http://www.linuxsecurity.com/content/view/127266
 
  Ubuntu: mod_python vulnerability
  6th, March, 2007

Miles Egan discovered that mod_python, when used in output filter mode, did not handle output larger than 16384 bytes, and would display freed memory, possibly disclosing private data. Thanks to Jim Garrison of the Software Freedom Law Center for identifying the original bug as a security vulnerability.

http://www.linuxsecurity.com/content/view/127329
 
  Ubuntu: tcpdump vulnerability
  6th, March, 2007

Moritz Jodeit discovered that tcpdump had an overflow in the 802.11 packet parser. Remote attackers could send specially crafted packets, crashing tcpdump, possibly leading to a denial of service.

http://www.linuxsecurity.com/content/view/127330
 
  Ubuntu: Thunderbird vulnerabilities
  6th, March, 2007

The SSLv2 protocol support in the NSS library did not sufficiently check the validity of public keys presented with a SSL certificate. A malicious SSL web site using SSLv2 could potentially exploit this to execute arbitrary code with the user's privileges. (CVE-2007-0008) The SSLv2 protocol support in the NSS library did not sufficiently verify the validity of client master keys presented in an SSL client certificate. A remote attacker could exploit this to execute arbitrary code in a server application that uses the NSS library.

http://www.linuxsecurity.com/content/view/127332
 
  Ubuntu: GnuPG vulnerability
  8th, March, 2007

Gerardo Richarte from Core Security Technologies discovered that when gnupg is used without --status-fd, there is no way to distinguish initial unsigned messages from a following signed message.

http://www.linuxsecurity.com/content/view/127368
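The GnuPG entries above (Red Hat, Slackware and Ubuntu) all concern the same class of problem: a program that reads gpg's human-readable output cannot tell an unsigned plaintext that was prepended to a message apart from the signed plaintext that follows it. The script below is an added example, not code from GnuPG or from any of the distributors, of how a calling program should judge a message instead: by reading the machine-readable status lines on `--status-fd` and requiring exactly one plaintext and exactly one good, valid signature. The status-line names it greps for (PLAINTEXT, GOODSIG, VALIDSIG, BADSIG, ERRSIG, NODATA, NO_PUBKEY, EXPKEYSIG, REVKEYSIG) are the ones GnuPG documents in its doc/DETAILS file; the transcripts it checks are constructed samples with invented key IDs, filenames and timestamps, not captured gpg output.

```shell
#!/bin/sh
# Added example, not GnuPG or distributor code.  Decide whether a gpg
# --status-fd transcript describes exactly one properly signed plaintext.
# Realistic use (not executed here): keep status on its own descriptor
# so it can never be confused with the plaintext on stdout:
#   gpg --status-fd 3 --decrypt message.gpg >message.txt 3>status.txt
#   gpg_status_ok status.txt || echo "reject: not exactly one signed plaintext"

# gpg emits one PLAINTEXT status line per literal-data packet it writes.
# An unsigned packet prepended to a signed message therefore yields two
# PLAINTEXT lines while GOODSIG still appears only once.
plaintext_count() {
    grep -c '^\[GNUPG:\] PLAINTEXT ' "$1" || true
}

# Accept only if: exactly one plaintext, exactly one GOODSIG and one
# VALIDSIG, and no failure status of any kind.
gpg_status_ok() {
    f=$1
    plaintexts=$(plaintext_count "$f")
    goodsigs=$(grep -c '^\[GNUPG:\] GOODSIG ' "$f" || true)
    validsigs=$(grep -c '^\[GNUPG:\] VALIDSIG ' "$f" || true)
    failures=$(grep -c -E '^\[GNUPG:\] (BADSIG|ERRSIG|NODATA|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)( |$)' "$f" || true)
    if [ "$plaintexts" -eq 1 ] && [ "$goodsigs" -eq 1 ] \
       && [ "$validsigs" -eq 1 ] && [ "$failures" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Constructed transcript: a single signed plaintext (values invented).
write_good_status() {
cat >"$1" <<'EOF'
[GNUPG:] PLAINTEXT 62 1173456000 message.txt
[GNUPG:] PLAINTEXT_LENGTH 13
[GNUPG:] SIG_ID k7s8XlQqbtb6nS1G2GVjfeqJ6wM 2007-03-08 1173456000
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-03-08 1173456000 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE
EOF
}

# Constructed transcript: the attack from the advisories.  An unsigned
# plaintext precedes the genuine signed one; a reader of the textual
# output sees "Good signature" and trusts both.
write_prepended_status() {
cat >"$1" <<'EOF'
[GNUPG:] PLAINTEXT 62 1173456000 injected.txt
[GNUPG:] PLAINTEXT_LENGTH 27
[GNUPG:] PLAINTEXT 62 1173456000 message.txt
[GNUPG:] PLAINTEXT_LENGTH 13
[GNUPG:] SIG_ID k7s8XlQqbtb6nS1G2GVjfeqJ6wM 2007-03-08 1173456000
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-03-08 1173456000 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE
EOF
}

# Constructed transcript: one plaintext whose signature does not verify.
write_badsig_status() {
cat >"$1" <<'EOF'
[GNUPG:] PLAINTEXT 62 1173456000 message.txt
[GNUPG:] PLAINTEXT_LENGTH 13
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
EOF
}

# Stand-alone demo over the three constructed transcripts.
demo=$(mktemp -d)
write_good_status "$demo/good.txt"
write_prepended_status "$demo/prepended.txt"
write_badsig_status "$demo/badsig.txt"
for s in good prepended badsig; do
    if gpg_status_ok "$demo/$s.txt"; then verdict=accept; else verdict=reject; fi
    echo "$s: $verdict ($(plaintext_count "$demo/$s.txt") plaintext packet(s))"
done
rm -rf "$demo"
```

The same rule applies to any wrapper around gpg (mail clients, package tools, deployment scripts): parse the status descriptor, never the text on stderr, and treat "more than one PLAINTEXT" as a failed verification even when a GOODSIG line is present.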
 
  Ubuntu: PHP regression
  8th, March, 2007

USN-424-1 fixed vulnerabilities in PHP. However, some upstream changes were not included, which caused errors in the stream filters. This update fixes the problem.

http://www.linuxsecurity.com/content/view/127369
 