In each issue you can find information concerning typical use of Linux: safety,
databases, multimedia, scientific tools, entertainment, programming, e-mail,
news and desktop environments.
| |
EnGarde Secure Community v3.0.18 Now Available! (Dec 4) |
| |
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.18 (Version 3.0, Release 18). This release includes the brand new Health Center, new packages for FWKNP and PSAD, updated packages and bug fixes, some feature enhancements to Guardian Digital WebTool and the SELinux policy, as well as other new features.
In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database and e-mail security, integrated intrusion detection and SELinux policies and more. http://www.linuxsecurity.com/content/view/131851
|
|
|
| |
Debian: New syslog-ng packages fix denial of service (Jan 15) |
| |
Oriol Carreras discovered that syslog-ng, a next generation logging daemon can be tricked into dereferencing a NULL pointer through malformed timestamps, which can lead to denial of service and the disguise of an subsequent attack, which would otherwise be logged. http://www.linuxsecurity.com/content/view/133404
|
| |
Debian: New postgresql-7.4 packages fix several (Jan 14) |
| |
Several local vulnerabilities have been discovered in PostgreSQL, an object-relational SQL database. It was discovered that the DBLink module performed insufficient credential validation. This issue is also tracked as CVE-2007-6601, since the initial upstream fix was incomplete. http://www.linuxsecurity.com/content/view/133306
|
| |
Debian: New hplip packages fix privilege escalation (Jan 13) |
| |
Kees Cook discovered that the hpssd tool of the HP Linux Printing and Imaging System (HPLIP) performs insufficient input sanitising of shell meta characters, which may result in local privilege escalation to the hplip user. http://www.linuxsecurity.com/content/view/133301
|
| |
Debian: New libxml2 packages fix denial of service (Jan 13) |
| |
Brad Fitzpatrick discovered that the UTF-8 decoding functions of libxml2, the GNOME XML library, validate UTF-8 correctness insufficiently, which may lead to denial of service by forcing libxml2 into an infinite loop. http://www.linuxsecurity.com/content/view/133300
|
| |
Debian: New postgresql-8.1 packages fix several (Jan 13) |
| |
It was discovered that the DBLink module performed insufficient credential validation. This issue is also tracked as CVE-2007-6601, since the initial upstream fix was incomplete. http://www.linuxsecurity.com/content/view/133299
|
| |
Debian: New gforge packages fix SQL injection (Jan 13) |
| |
It was discovered that Gforge, a collaborative development tool, did not properly sanitise some CGI parameters, allowing SQL injection in scripts related to RSS exports. http://www.linuxsecurity.com/content/view/133298
|
| |
Debian: New openafs packages fix denial of service vulnerability (Jan 10) |
| |
A race condition in the OpenAFS fileserver allows remote attackers to cause a denial of service (daemon crash) by simultaneously acquiring and giving back file callbacks, which causes the handler for the GiveUpAllCallBacks RPC to perform linked-list operations without the host_glock lock. http://www.linuxsecurity.com/content/view/133088
|
|
|
| |
Fedora 8 Update: xine-lib- 1.1.9.1-1.fc8 (Jan 15) |
| |
Update to latest upstream security fix release, 1.1.9.1. http://sourceforge.net/project/shownotes.php?release_id=567872&group_id=9655 http://sourceforge.net/project/shownotes.php?release_id=566391&group_id=9655 http://www.linuxsecurity.com/content/view/133396
|
| |
Fedora 7 Update: python-paramiko- 1.7.1-3.fc7 (Jan 15) |
| |
Apply patch to fix recently discovered security problem in the python-parmaiko package. http://www.linuxsecurity.com/content/view/133398
|
|
|
| |
Mandriva: Updated apache 2.2.x packages fix multiple (Jan 16) |
| |
A number of vulnerabilities were found and fixed in the Apache 2.2.x packages: A flaw found in the mod_imagemap module could lead to a cross-site scripting attack on sites where mod_imagemap was enabled and an imagemap file was publically available (CVE-2007-5000). A flaw found in the mod_status module could lead to a cross-site scripting attack on sites where mod_status was enabled and the status pages were publically available (CVE-2007-6388). http://www.linuxsecurity.com/content/view/133410
|
| |
Mandriva: Updated apache 2.0.x packages fix multiple (Jan 16) |
| |
A number of vulnerabilities were found and fixed in the Apache 2.0.x packages: A flaw found in the mod_imagemap module could lead to a cross-site scripting attack on sites where mod_imagemap was enabled and an imagemap file was publically available (CVE-2007-5000). http://www.linuxsecurity.com/content/view/133408
|
| |
Mandriva: Updated apache 1.3.x packages fix multiple (Jan 16) |
| |
A number of vulnerabilities were found and fixed in the Apache 1.3.x packages: A flaw found in the mod_autoindex module could lead to a cross-site scripting attack on sites where mod_autoindex was enabled and the AddDefaultCharset directive was removed from the configuration, against web browsers that did not correctly derive the response character set following the rules in RFC 2616 (CVE-2007-4465). http://www.linuxsecurity.com/content/view/133407
|
| |
Mandriva: Updated python packages fix vulnerability in (Jan 14) |
| |
Multiple integer overflows were found in python's imageop module. If an application written in python used the imageop module to process untrusted images, it could cause the application to crash, enter an infinite loop, or possibly execute arbitrary code with the privileges of the python interpreter. The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/133310
|
| |
Mandriva: Updated python packages fix vulnerabilities (Jan 14) |
| |
An integer overflow flaw was discovered in how python's pcre module handled certain regular expressions. If a python application using the pcre module were to compile and execute untrusted regular expressions, it could possibly lead to an application crash or the excution of arbitrary code with the privileges of the python interpreter (CVE-2006-7228). Multiple integer overflows were found in python's imageop module. If an application written in python used the imageop module to process untrusted images, it could cause the application to crash, enter an infinite loop, or possibly execute arbitrary code with the privileges of the python interpreter (CVE-2007-4965). The updated packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/133309
|
| |
Mandriva: Updated autofs packages fix insecure hosts (Jan 12) |
| |
The default behaviour of autofs 5 for the hosts map did not specify the nosuid and nodev mount options. This could allow a local user with control of a remote NFS server to create a setuid root executable on the exported filesystem of the remote NFS server. If this filesystem was mounted with the default hosts map, it would allow the user to obtain root privileges (CVE-2007-5964) http://www.linuxsecurity.com/content/view/133297
|
| |
Mandriva: Updated rsync packages fix restrictions bypass (Jan 11) |
| |
rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy. http://www.linuxsecurity.com/content/view/133296
|
| |
Mandriva: Updated libxml2 packages fix DoS vulnerability (Jan 11) |
| |
A denial of service flaw was discovered by the Google Security Team in the way libxml2 processes malformed XML content. This flaw could cause the application to stop responding. The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/133295
|
| |
Mandriva: Updated autofs packages fix insecure hosts (Jan 11) |
| |
The default behaviour of autofs 5 for the hosts map did not specify the nosuid and nodev mount options. This could allow a local user with control of a remote NFS server to create a setuid root executable on the exported filesystem of the remote NFS server. If this filesystem was mounted with the default hosts map, it would allow the user to obtain root privileges (CVE-2007-5964). http://www.linuxsecurity.com/content/view/133294
|
| |
Mandriva: Updated kernel packages fix multiple (Jan 11) |
| |
Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel: The CIFS filesystem, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges. (CVE-2007-3740) http://www.linuxsecurity.com/content/view/133106
|
| |
Mandriva: Updated e2fsprogs packages fix incorrect (Jan 11) |
| |
An incorrect Requires was added to the e2fsprogs package that prevented it from being installed properly on a system with both 32bit and 64bit update media configured. This update corrects the Requires, allowing the package to be installed properly. http://www.linuxsecurity.com/content/view/133091
|
| |
Mandriva: Updated exiv2 packages fix vulnerability (Jan 10) |
| |
An integer overflow in the Exiv2 library allows context-dependent attackers to execute arbitrary code via a crafted EXIF file that triggers a heap-based buffer overflow. The updated packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/133087
|
|
|
| |
SuSE: Xorg and XFree (SUSE-SA:2008:003) (Jan 17) |
| |
The X windows system is vulnerable to several kind of vulner- abilities that are caused due to insufficient input validation. The bugs range from crashing the X server to executing arbitrary code with the privilges of the X server process. http://www.linuxsecurity.com/content/view/133417
|
|
|
| |
Ubuntu: boost vulnerabilities (Jan 16) |
| |
Will Drewry and Tavis Ormandy discovered that the boost library did not properly perform input validation on regular expressions. An attacker could send a specially crafted regular expression to an application linked against boost and cause a denial of service via application crash. http://www.linuxsecurity.com/content/view/133409
|
| |
Ubuntu: libxml2 vulnerability (Jan 14) |
| |
Brad Fitzpatrick discovered that libxml2 did not correctly handle certain UTF-8 sequences. If a remote attacker were able to trick a user or automated system into processing a specially crafted XML document, the application linked against libxml2 could enter an infinite loop, leading to a denial of service via CPU resource consumption. http://www.linuxsecurity.com/content/view/133311
|
| |
Ubuntu: PostgreSQL vulnerabilities (Jan 14) |
| |
Nico Leidecker discovered that PostgreSQL did not properly restrict dblink functions. An authenticated user could exploit this flaw to access arbitrary accounts and execute arbitrary SQL queries. (CVE-2007-3278, CVE-2007-6601) http://www.linuxsecurity.com/content/view/133308
|
| |
Ubuntu: Dovecot vulnerability (Jan 10) |
| |
It was discovered that in very rare configurations using LDAP, Dovecot may reuse cached connections for users with the same password. As a result, a user may be able to login as another if the connection is reused. The default Ubuntu configuration of Dovecot was not vulnerable. http://www.linuxsecurity.com/content/view/133090
|
