Linux Advisory Watch: July 11th, 2008 - The Community's Center for Security


The central voice for Linux and Open Source security news

Welcome!

Sign up!

EnGarde Community

Polls

How strictly do your users obey your security policies?

	To the letter.
	For the most part.
	When it suits them.
	By chance.
	Not at all.

Advisories

Community

Linux Events

Linux User Groups

Link to Us

Security Center

Book Reviews

Security Dictionary

Security Tips

SELinux

White Papers

Featured Blogs

Emily Ratliff: OS Security

DanWalsh LiveJournal

Security Bloggers Network

Latest Newsletters

Linux Security Week: December 1st, 2008

Linux Advisory Watch: November 28th, 2008

LinuxSecurity Newsletters

RSS Feeds

Get the LinuxSecurity news you want faster with RSS

Linux Advisory Watch: July 11th, 2008

User Rating:

How can I rate this item?

Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas

This week, advisories were released for iceweasel, wordpress, bind, pidgin, ruby, gnome-screensaver, squid, sympa, phpMyAdmin, seamonkey, and mozilla-firefox. The distributors include Debian, Gentoo, Mandriva, Slackware, and SuSE.

Linux+DVD Magazine Our magazine is read by professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software. The majority of our readers is between 15 and 40 years old. They are interested in current news from the Linux world, upcoming projects etc.

In each issue you can find information concerning typical use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments.

LinuxSecurity.com Feature Extras:

Security Features of Firefox 3.0 - Lets take a look at the security features of the newly released Firefox 3.0. Since it's release on Tuesday I have been testing it out to see how the new security enhancements work and help in increase user browsing security. One of the exciting improvements for me was how Firefox handles SSL secured web sites while browsing the Internet. There are also many other security features that this article will look at. For example, improved plugin and addon security.

Read on for more security features of Firefox 3.0.

Review: The Book of Wireless - "The Book of Wireless" by John Ross is an answer to the problem of learning about wireless networking. With the wide spread use of Wireless networks today anyone with a computer should at least know the basics of wireless. Also, with the wireless networking, users need to know how to protect themselves from wireless networking attacks.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

	EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
	Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.19 (Version 3.0, Release 19). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. http://www.linuxsecurity.com/content/view/136174

	Debian: New iceweasel packages fix several vulnerabilities (Jul 11)
	Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code. http://www.linuxsecurity.com/content/view/139768
	Debian: New wordpress packages fix several vulnerabilities (Jul 4)
	WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information. http://www.linuxsecurity.com/content/view/139444

	Gentoo: BIND Cache poisoning (Jul 11)
	A weakness in the DNS protocol has been reported, which could lead to cache poisoning on recursive resolvers. http://www.linuxsecurity.com/content/view/139769

	Mandriva: Updated pidgin packages fix MSN protocol handler vulnerability (Jul 10)
	An integer overflow flaw was found in Pidgin's MSN protocol handler that could allow for the execution of arbitrary code if a user received a malicious MSN message (CVE-2008-2927). In addition, this update provides the ability to use ICQ networks again on Mandriva Linux 2008.0, as in MDVA-2008:103 (updated pidgin for 2008.1). The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/139761
	Mandriva: Updated ruby packages fix vulnerabilities (Jul 9)
	Multiple vulnerabilities have been found in the Ruby interpreter and in Webrick, the webserver bundled with Ruby. Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) ..%5c (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. http://www.linuxsecurity.com/content/view/139755
	Mandriva: Updated ruby packages fix vulnerabilities (Jul 9)
	Multiple vulnerabilities have been found in the Ruby interpreter and in Webrick, the webserver bundled with Ruby. Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) ..%5c (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. http://www.linuxsecurity.com/content/view/139754
	Mandriva: Updated ruby packages fix vulnerabilities (Jul 9)
	Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors. (CVE-2008-2663) http://www.linuxsecurity.com/content/view/139753
	Mandriva: Updated BIND packages fix critical DNS vulnerability (Jul 9)
	A weakness was found in the DNS protocol by Dan Kaminsky. A remote attacker could exploit this weakness to spoof DNS entries and poison DNS caches. This could be used to misdirect users and services; i.e. for web and email traffic (CVE-2008-1447). This update provides the latest stable BIND releases for all platforms except Corporate Server/Desktop 3.0 and MNF2, which have been patched to correct the issue. http://www.linuxsecurity.com/content/view/139752
	Mandriva: Updated gnome-screensaver packages fix (Jul 4)
	A vulnerability was found in gnome-screensaver 2.20.0 that could possibly allow a local user to read the clipboard contents and X selection data for a locked session by using CTRL-V (CVE-2007-6389). The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/139450
	Mandriva: Updated squid packages fix DoS vulnerability (Jul 4)
	An incorrect fix for CVE-2007-6239 resulted in Squid not performing proper bounds checking when processing cache update replies. Because of this, a remote authenticated user might have been able to trigger an assertion error and cause a denial of service (CVE-2008-1612). The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/139449
	Mandriva: Updated sympa packages fix DoS vulnerability (Jul 4)
	A denial of service condition was discovered in Sympa versions prior to 5.4 that allowed remote attackers to crash the Sympa daemon via a malformed email message (CVE-2008-1648). The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/139448
	Mandriva: Updated gnome-screensaver packages fix authentication vulnerability (Jul 4)
	A vulnerability was found in gnome-screensaver prior to 2.22.1 when a remote authentication server was enabled. During a network outage, gnome-screensaver would crash upon an unlock attempt, allowing physically local users to gain access to locked sessions (CVE-2008-0887). The updated packages have been patched to correct this issue. http://www.linuxsecurity.com/content/view/139447
	Mandriva: Updated phpMyAdmin packages fix multiple vulnerabilities (Jul 4)
	A few vulnerabilities and security-related issues have been fixed in phpMyAdmin since the 2.11.2.2 release. This update provides version 2.11.7 which is the latest stable release of phpMyAdmin and fixes CVE-2008-1149, CVE-2008-1567, CVE-2008-1924, and CVE-2008-2960. No configuration changes should be required since the previous update (version 2.11.2.2). If upgrading from older versions, it may be necessary to reconfigure phpMyAdmin. The configuration file is located in /etc/phpMyAdmin/. In most cases, it should be sufficient so simply replace config.default.php with config.default.php.rpmnew and make whatever modifications are necessary. http://www.linuxsecurity.com/content/view/139446
	Mandriva: Updated PHP packages fix multiple vulnerabilities (Jul 3)
	Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, http://www.linuxsecurity.com/content/view/139399
	Mandriva: Updated PHP packages fix multiple vulnerabilities (Jul 3)
	An integer overflow in the zip_read_entry() function in PHP prior to 4.4.5 allowed remote attackers to execute arbitrary code via a ZIP archive containing a certain type of entry that triggered a heap overflow (CVE-2007-1777). http://www.linuxsecurity.com/content/view/139400
	Mandriva: Updated PHP packages fix multiple vulnerabilities (Jul 3)
	A number of vulnerabilities have been found and corrected in PHP: php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). http://www.linuxsecurity.com/content/view/139398
	Mandriva: Updated PHP packages fix multiple vulnerabilities (Jul 3)
	A number of vulnerabilities have been found and corrected in PHP: The htmlentities() and htmlspecialchars() functions in PHP prior to 5.2.5 accepted partial multibyte sequences, which has unknown impact and attack vectors (CVE-2007-5898). http://www.linuxsecurity.com/content/view/139397
	Mandriva: Updated PHP packages fix multiple vulnerabilities (Jul 3)
	A number of vulnerabilities have been found and corrected in PHP: PHP 5.2.1 would allow context-dependent attackers to read portions of heap memory by executing certain scripts with a serialized data input string beginning with 'S:', which did not properly track the number of input bytes being processed (CVE-2007-1649). http://www.linuxsecurity.com/content/view/139395
	Mandriva: Updated PHP packages fix multiple vulnerabilities (Jul 3)
	A number of vulnerabilities have been found and corrected in PHP: A vulnerability in the chunk_split() function in PHP prior to 5.2.4 has unknown impact and attack vectors, related to an incorrect size calculation (CVE-2007-4660). http://www.linuxsecurity.com/content/view/139396

	Slackware: seamonkey (Jul 10)
	New seamonkey packages are available for Slackware 11.0, 12.0, 12.1, and -current to fix security issues. More details about the issues may be found here: http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey http://www.linuxsecurity.com/content/view/139756
	Slackware: mozilla-firefox (Jul 10)
	New mozilla-firefox packages are available for Slackware 10.2, 11.0, 12.0, and 12.1 to fix security issues. More details about the issues may be found on the Mozilla site: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox http://www.linuxsecurity.com/content/view/139757
	Slackware: bind (Jul 10)
	New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, and -current to address a security problem. More details may be found at the following links: http://www.isc.org/sw/bind/bind-security.php http://www.kb.cert.org/vuls/id/800113 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 http://www.linuxsecurity.com/content/view/139758

	SuSE: bind (SUSE-SA:2008:033) (Jul 11)
	The new version of bind uses a random transaction-ID (TRXID) and a random UDP source-port for DNS queries to address DNS cache poisoning attacks possible because of the "birthday paradox" and an attack discovered by Dan Kaminsky. Unfortunately we do not have details about Kaminsky's attack and have to trust the statement that a random UDP source-port is sufficient to stop it. http://www.linuxsecurity.com/content/view/139763

Write Comment
Please keep the topic of messages relevant to the subject of the article. Personal verbal attacks will be deleted. Please don't use comments to plug your web site.. Such material will be removed.
Name:
Title:
Comment:
Code:*

< Prev		Next >

Partner:

Latest Features

A Secure Nagios Server

Never Installed a Firewall on Ubuntu? Try Firestarter

Review: Hacking Exposed Linux, Third Edition

Security Features of Firefox 3.0

Review: The Book of Wireless

April 2008 Open Source Tool of the Month: sudo

Open Source Tool of March: ZoneMinder

Yesterday's Edition

Linux Role in Botnets Studied

10 Mistakes New Linux Administrators Make

QuickLinks: Comunity , HOWTOs , Blogs , Features , Book Reviews , Networking ,
Security Projects , Latest News , Newsletters , SELinux , Privacy , Home,
Hardening , About Us, Advertise, Legal Notice, RSS, Guardian Digital