Linux Advisory Watch: May 30th, 2008
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, advisories were released for libxslt, mtr, xine-lib, heap, mplater, roundup, gnutls, gnome-settings-daemon, openssl, nfs-utils, dkms, gnutls, samba, and rdesktop. The distributors include Debian, Gentoo, Mandriva, and Slackware.
Linux+DVD Magazine
Our magazine is read by professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software. The majority of our readers are between 15 and 40 years old. They are interested in current news from the Linux world, upcoming projects, etc. In each issue you can find information concerning typical uses of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments.
LinuxSecurity.com
Feature Extras:
Review: The Book of Wireless - "The Book of Wireless" by John Ross is an answer to the problem of learning about wireless networking. With the widespread use of wireless networks today, anyone with a computer should at least know the basics of wireless. Also, with wireless networking, users need to know how to protect themselves from wireless networking attacks.
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.19 (Version 3.0, Release 19). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.
Debian: New libxslt packages fix execution of arbitrary code (May 28)
It was discovered that libxslt, an XSLT processing runtime library, could be coerced into executing arbitrary code via a buffer overflow when an XSL style sheet file with a long XSLT "transformation match" condition triggered a large number of steps.
Debian: New Linux 2.6.18 packages fix several vulnerabilities (May 27)
Johannes Bauer discovered an integer overflow condition in the hrtimer subsystem on 64-bit systems. This can be exploited by local users to trigger a denial of service (DoS) by causing the kernel to execute an infinite loop.
Debian: New mtr packages fix execution of arbitrary code (May 26)
Adam Zabrocki discovered that under certain circumstances mtr, a full screen ncurses and X11 traceroute tool, could be tricked into executing arbitrary code via overly long reverse DNS records.
Debian: New xine-lib packages fix several vulnerabilities (May 22)
Integer overflow vulnerabilities exist in xine's FLV, QuickTime, RealMedia, MVE and CAK demuxers, as well as the EBML parser used by the Matroska demuxer. These weaknesses allow an attacker to overflow heap buffers and potentially execute arbitrary code by supplying a maliciously crafted file of those types.
Mandriva: Updated gnome-settings-daemon package fixes various bugs (May 29)
Gnome-settings-daemon was not correctly respecting user settings when disabling the background completely. This bug has been fixed, improvements have been made in the time needed to display the background when nautilus is used by the system, and additional bugfixes and translations have been integrated in this updated package.
Mandriva: Updated openssl package fixes denial of service (May 28)
Testing using the Codenomicon TLS test suite discovered a flaw in the handling of server name extension data in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If OpenSSL has been compiled using the non-default TLS server name extensions, a remote attacker could send a carefully crafted packet to a server application using OpenSSL and cause a crash. (CVE-2008-0891)
Under certain circumstances, especially when using Wine, keys would get stuck, and stay so even after quitting the application, requiring the user to restart Xorg.
Mandriva: Updated nfs-utils packages fix lack of quota support (May 26)
The nfs server initscript in Mandriva Linux 2008 and 2008 Spring releases lacked support for NFS quota, preventing quota information from being available on the user side. The updated packages fix this issue.
Mandriva: Updated dkms package fixes a few bugs (May 26)
The dkms-minimal package in Mandriva Linux 2008 Spring did not require lsb-release. If lsb-release was not installed, the dkms modules were installed in the standard location, instead of the intended /dkms or /dkms-binary. This update fixes that issue. Due to another bug, dkms would consider older installed binary dkms modules as original modules when installing a newer version of the module as a source dkms package, thus wrongly moving the binary modules around. This update disables original_module handling, not needed anymore since the rework of dkms system in 2008 Spring. Dkms would also print an error message during an upgrade of binary module packages, and under certain conditions an additional warning message regarding multiple modules being found. This update removes those harmless messages when they are not appropriate.
Mandriva: Updated gnutls packages fix denial of service (May 24)
Flaws discovered in versions prior to 2.2.4 (stable) and 2.3.10 (development) of GnuTLS allow an attacker to cause denial of service (application crash), and maybe (so far undetermined) execute arbitrary code. The updated packages have been patched to fix these flaws. Note that any applications using this library must be restarted for the update to take effect.
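The restart requirement in the gnutls advisory (and it applies equally to the openssl update above) is easy to get wrong: a package upgrade replaces the library file on disk, but every process that already mapped the old copy keeps running the vulnerable code until it is restarted. On Linux the kernel marks such mappings with a "(deleted)" suffix in /proc/PID/maps. The script below, an added example written for this newsletter and not part of any Mandriva or GnuTLS package, walks /proc and reports the processes that still use a replaced library. The function names, the sample maps lines and the pattern 'libgnutls|libssl' are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find processes that must be restarted after a shared
# library update. Assumes a Linux /proc filesystem; run as root so every
# process's maps file is readable.

# Read /proc/PID/maps-format text from stdin and print (once each) the
# paths of mapped files whose name matches the regex in $1 and that carry
# the "(deleted)" marker, i.e. the on-disk file has been replaced since the
# process mapped it. Returns 1 and prints nothing when no such mapping exists.
stale_mappings() {
    awk -v pat="$1" '$6 ~ pat && $NF == "(deleted)" { print $6 }' \
        | sort -u | grep .
}

# Walk every readable /proc/PID/maps and print "PID command: path" for each
# process that still maps a replaced copy of a library matching $1.
stale_lib_users() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # other users' maps need privileges
        pid="${maps#/proc/}"; pid="${pid%/maps}"
        paths=$(stale_mappings "$1" < "$maps") || continue
        # argv[0] of the process; kernel threads have an empty cmdline.
        comm=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -d' ' -f1)
        echo "$paths" | while read -r p; do
            echo "$pid ${comm:-?}: $p"
        done
    done
}

# Usage: stale-libs.sh 'libgnutls|libssl'   (pattern is an assumption;
# adjust it to the library the advisory names). Restart what it lists.
if [ -n "${1:-}" ]; then
    stale_lib_users "$1"
fi
```

Any process the script prints is still executing the pre-update library, however recent the package is, so restart those services before considering the host patched. On systems with lsof installed, `lsof | grep '(deleted)'` shows the same condition, but it covers every replaced file rather than the one library you care about.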
RedHat: Critical: samba security and bug fix update (May 28)
Updated samba packages that fix a security issue and two bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having critical security impact by the Red Hat Security Response Team.
Updated samba packages that fix a security issue and a bug are now available for Red Hat Enterprise Linux 2.1, Red Hat Enterprise Linux 3, and Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.
Updated samba packages that fix a security issue are now available for Red Hat Enterprise Linux 4.5 Extended Update Support. This update has been rated as having critical security impact by the Red Hat Security Response Team.
New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, and -current to fix a security issue: "Specifically crafted SMB responses can result in a heap overflow in the Samba client code. Because the server process, smbd, can itself act as a client during operations such as printer notification and domain authentication, this issue affects both Samba client and server installations."
New rdesktop packages are available for Slackware 11.0, 12.0, 12.1, and -current to fix a security issue caused by using rdesktop to connect to a malicious or compromised RDP server. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1801