LinuxSecurity.com 		Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: May 14th, 2012
Linux Advisory Watch: May 10th, 2012
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Advisory Watch: June 13th, 2008 Print E-mail
User Rating:      How can I rate this item?
Source: LinuxSecurity.com 2008 - Posted by Benjamin D. Thomas   
Linux Advisory Watch This week advisories were released for type3, mt-daapd, xorg-server, imlib2, tomcat, kernel, gnome-panel, nautilus, evolution, perl, xfree, ucd-snmp, openssl-blacklist, and OpenVPN. The distributors include Debian, Gentoo, Mandriva, Red Hat, and Ubuntu.

Linux+DVD Magazine Our magazine is read by professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software. The majority of our readers is between 15 and 40 years old. They are interested in current news from the Linux world, upcoming projects etc.

In each issue you can find information concerning typical use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments.

LinuxSecurity.com Feature Extras:

Review: The Book of Wireless - “The Book of Wireless” by John Ross is an answer to the problem of learning about wireless networking. With the wide spread use of Wireless networks today anyone with a computer should at least know the basics of wireless. Also, with the wireless networking, users need to know how to protect themselves from wireless networking attacks.

April 2008 Open Source Tool of the Month: sudo - This month the editors at LinuxSecurity.com have chosen sudo as the Open Source Tool of the Month!

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

  EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
 

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.19 (Version 3.0, Release 19). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/136174
  Debian: New typo3 packages fix several vulnerabilities (Jun 12)
 

Because of a not sufficiently secure default value of the TYPO3 configuration variable fileDenyPattern, authenticated backend users could upload files that allowed to execute arbitrary code as the webserver user.

http://www.linuxsecurity.com/content/view/138527
  Debian: New mt-daapd packages fix several vulnerabilities (Jun 12)
 

Insufficient validation and bounds checking of the Authorization: HTTP header enables a heap buffer overflow, potentially enabling the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/138526
  Debian: New xorg-server packages fix several vulnerabilities (Jun 11)
 

Lack of validation of the parameters of the SProcSecurityGenerateAuthorization SProcRecordCreateContext functions makes it possible for a specially crafted request to trigger the swapping of bytes outside the parameter of these requests, causing memory corruption.

http://www.linuxsecurity.com/content/view/138473
  Debian: New imlib2 packages fix arbitrary code execution (Jun 11)
 

Stefan Cornelius discovered two buffer overflows in Imlib's - a powerful image loading and rendering library - image loaders for PNM and XPM images, which may result in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/138466
  Debian: New tomcat5.5 packages cross-site scripting (Jun 9)
 

Tt was discovered that the Host Manager web application performed insufficient input sanitising, which could lead to cross-site scripting.

http://www.linuxsecurity.com/content/view/138230
  Debian: New Linux 2.6.18 packages fix overflow conditions (Jun 9)
 

Wei Wang from McAfee reported a potential heap overflow in the ASN.1 decode code that is used by the SNMP NAT and CIFS subsystem. Exploitation of this issue may lead to arbitrary code execution. This issue is not believed to be exploitable with the pre-built kernel images provided by Debian, but it might be an issue for custom images built from the Debian-provided source package.

http://www.linuxsecurity.com/content/view/138229
  Debian: New Linux 2.6.18 packages fix overflow conditions (Jun 9)
 

Wei Wang from McAfee reported a potential heap overflow in the ASN.1 decode code that is used by the SNMP NAT and CIFS subsystem. Exploitation of this issue may lead to arbitrary code execution. This issue is not believed to be exploitable with the pre-built kernel images provided by Debian, but it might be an issue for custom images built from the Debian-provided source package.

http://www.linuxsecurity.com/content/view/138223
  Gentoo: Imlib 2 User-assisted execution of arbitrary code (Jun 9)
 

Two vulnerabilities in Imlib 2 may allow for the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/138226
  Gentoo: Imlib 2 User-assisted execution of arbitrary (Jun 8)
 

Two vulnerabilities in Imlib 2 may allow for the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/138222
  Mandriva: Updated kernel packages fix security issues (Jun 12)
 

The Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.18, and probably other versions, does not properly check feature lengths, which might allow remote attackers to execute arbitrary code, related to an unspecified overflow. (CVE-2008-2358)

http://www.linuxsecurity.com/content/view/138528
  Mandriva: Updated gnome-panel packages fix various bugs (Jun 11)
 

The clock applet in GNOME could crash when using some specific locations or when using updated timezone data. The Recent Documents menu was not always able to start the right application for a specific document.

http://www.linuxsecurity.com/content/view/138472
  Mandriva: Updated nautilus and gvfs packages fix regression (Jun 11)
 

A regression was introduced in the Mandriva Linux GNOME package while fixing CD-ROM drives ejecting when using the hardware button when the CD-ROM drive was present in the system fstab. This regression caused an error popup to appear when using the eject hardware button on CD-ROM drives not present in the system fstab.

http://www.linuxsecurity.com/content/view/138465
  Mandriva: Updated Evolution packages fix vulnerabilities (Jun 10)
 

Alan Rad Pop of Secunia Research discovered the following two vulnerabilities in Evolution: Evolution did not properly validate timezone data when processing iCalendar attachments. If a user disabled the Itip Formatter plugin and viewed a crafted iCalendar attachment, an attacker could cause a denial of service or potentially execute arbitrary code with the user's privileges (CVE-2008-1108).

http://www.linuxsecurity.com/content/view/138358
  Mandriva: Updated Firefox packages fix vulnerabilities (Jun 6)
 

Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.14. This update provides the latest Firefox to correct these issues.

http://www.linuxsecurity.com/content/view/138110
  RedHat: Important: openoffice.org security update (Jun 12)
 

Updated openoffice.org packages to correct a security issue are now available for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/138618
  RedHat: Important: openoffice.org security update (Jun 12)
 

It was discovered that certain libraries in the Red Hat Enterprise Linux 3 and 4 openoffice.org packages had an insecure relative RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local user able to convince another user to run OpenOffice in an attacker-controlled directory, could run arbitrary code with the privileges of the victim.

http://www.linuxsecurity.com/content/view/138619
  RedHat: Important: perl security update (Jun 11)
 

Updated perl packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/138471
  RedHat: Important: XFree86 security update (Jun 11)
 

Updated XFree86 packages that fix several security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/138467
  RedHat: Important: xorg-x11 security update (Jun 11)
 

Updated xorg-x11 packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/138468
  RedHat: Important: xorg-x11-server security update (Jun 11)
 

Updated xorg-x11-server packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/138469
  RedHat: Important: XFree86 security update (Jun 11)
 

Updated XFree86 packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/138470
  RedHat: Moderate: ucd-snmp security update (Jun 10)
 

Updated ucd-snmp packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1. A flaw was found in the way ucd-snmp checked an SNMPv3 packet's Keyed-Hash Message Authentication Code (HMAC). An attacker could use this flaw to spoof an authenticated SNMPv3 packet. (CVE-2008-0960) This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/138356
  RedHat: Moderate: net-snmp security update (Jun 10)
 

Updated net-snmp packages that fix a security issue are now available for Red Hat Enterprise Linux 3, 4, and 5. A buffer overflow was found in the Perl bindings for Net-SNMP. This could be exploited if an attacker could convince an application using the Net-SNMP Perl module to connect to a malicious SNMP agent. (CVE-2008-2292)

http://www.linuxsecurity.com/content/view/138357
  Ubuntu: X.org vulnerabilities (Jun 13)
 

It was discovered that the MIT-SHM extension of X.org did not correctly validate the location of memory during an image copy. An authenticated attacker could exploit this to read arbitrary memory locations within X, exposing sensitive information. (CVE-2008-1379)

http://www.linuxsecurity.com/content/view/138620
  Ubuntu: openssl-blacklist update (Jun 12)
 

USN-612-3 addressed a weakness in OpenSSL certificate and key generation in OpenVPN by introducing openssl-blacklist to aid in detecting vulnerable private keys. This update enhances the openssl-vulnkey tool to check Certificate Signing Requests, accept input from STDIN, and check moduli without a certificate. It was also discovered that additional moduli are vulnerable if generated with OpenSSL 0.9.8g or higher. While it is believed that there are few of these vulnerable moduli in use, this update includes updated RSA-1024 and RSA-2048 blacklists. RSA-512 blacklists are also included in the new openssl-blacklist-extra package.

http://www.linuxsecurity.com/content/view/138529
  Ubuntu: OpenVPN regression (Jun 12)
 

USN-612-3 addressed a weakness in OpenSSL certificate and key generation in OpenVPN by adding checks for vulnerable certificates and keys to OpenVPN. A regression was introduced in OpenVPN when using TLS with password protected certificates which caused OpenVPN to not start when used with applications such as NetworkManager.

http://www.linuxsecurity.com/content/view/138530
  Ubuntu: Evolution vulnerabilities (Jun 6)
 

Alin Rad Pop of Secunia Research discovered that Evolution did not properly validate timezone data when processing iCalendar attachments. If a user disabled the ITip Formatter plugin and viewed a crafted iCalendar attachment, an attacker could cause a denial of service or possibly execute code with user privileges. Note that the ITip Formatter plugin is enabled by default in Ubuntu. (CVE-2008-1108)

http://www.linuxsecurity.com/content/view/138212

Only registered users can write comments.
Please login or register.

Powered by AkoComment!
 
< Prev   Next >
    
Partner

 
Latest Features
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Using the sec-wall Security Proxy
sec-wall: Open Source Security Proxy
Yesterday's Edition
New Nmap Probes IPv6 Networks
Anatomy of a hack: 6 separate bugs needed to bring down Google browser
Sony PS Vita Hacking Expands With Homebrew Loader
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2012 Guardian Digital, Inc. All rights reserved.