Linux Advisory Watch: July 18th, 2008
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, advisories were released for afuse, pdns-recursor, cacti, gaim, lighttpd, iceweasel, bind, pcre, x11, poppler, openldap, openoffice, pidgin, firefox, php, java, ruby, and seamonkey. The distributors include Debian, Gentoo, Mandriva, Red Hat, Slackware, and Ubuntu.

Linux+DVD Magazine: Our magazine is read by professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software. The majority of our readers are between 15 and 40 years old. They are interested in current news from the Linux world, upcoming projects, etc.

In each issue you can find information concerning typical use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments.


LinuxSecurity.com Feature Extras:

Security Features of Firefox 3.0 - Let's take a look at the security features of the newly released Firefox 3.0. Since its release on Tuesday I have been testing it out to see how the new security enhancements work and help increase user browsing security. One of the exciting improvements for me was how Firefox handles SSL-secured web sites while browsing the Internet. There are also many other security features that this article will look at, for example improved plugin and addon security.

Read on for more security features of Firefox 3.0.

Review: The Book of Wireless - "The Book of Wireless" by John Ross is an answer to the problem of learning about wireless networking. With the widespread use of wireless networks today, anyone with a computer should at least know the basics of wireless. Also, with wireless networking, users need to know how to protect themselves from wireless networking attacks.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


  EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
 

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.19 (Version 3.0, Release 19). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/136174

  Debian: New afuse packages fix privilege escalation (Jul 16)
 

Anders Kaseorg discovered that afuse, an automounting file system in user-space, did not properly escape meta characters in paths. This allowed a local attacker with read access to the filesystem to execute commands as the owner of the filesystem.

http://www.linuxsecurity.com/content/view/139936
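The afuse issue above is an instance of a broad bug class: a program builds a shell command line by splicing in a path it does not control, so shell metacharacters in the path change what the shell runs. The Python below is an added example, not afuse's code or Debian's fix; the `fusermount -u` command line it builds and the hostile path are assumptions constructed for illustration. It contrasts the vulnerable concatenation with the two hardened forms (an argv list handed to the kernel with no shell at all, or `shlex.quote` when a shell string is unavoidable) and shows where the shell's word boundaries end up in each case.

```python
"""Added example, not afuse's own code: why unescaped shell metacharacters
in a filesystem path matter, and how an argv list (or shlex.quote as a
fallback) removes the problem."""
import shlex
import subprocess
import sys

# Constructed hostile path: a space and a ';' are both shell metacharacters.
HOSTILE_PATH = "/mnt/share/foo bar;id"


def naive_command(path: str) -> str:
    """Vulnerable pattern: concatenation destined for `/bin/sh -c`.
    The command name `fusermount -u` is an assumption for illustration."""
    return "fusermount -u " + path


def quoted_command(path: str) -> str:
    """Hardened pattern when a shell command string is unavoidable:
    shlex.quote makes the path a single shell word."""
    return "fusermount -u " + shlex.quote(path)


def safe_argv(path: str) -> list:
    """Preferred pattern: an argv list passed straight to execve, no shell.
    '--' stops the path from being parsed as an option."""
    return ["fusermount", "-u", "--", path]


def shell_words(cmd: str) -> list:
    """How a POSIX shell splits the command string into words (word
    splitting only; a real shell would additionally act on ';' and '$(...)')."""
    return shlex.split(cmd)


def needs_quoting(path: str) -> bool:
    """True when the path contains characters a shell would interpret."""
    return shlex.quote(path) != path


def argv_roundtrip(path: str) -> str:
    """Run a child with an argv list and return the argument as the child
    saw it: it arrives intact regardless of the metacharacters it contains."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", path]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("needs quoting:", needs_quoting(HOSTILE_PATH))
    print("naive  :", shell_words(naive_command(HOSTILE_PATH)))
    print("quoted :", shell_words(quoted_command(HOSTILE_PATH)))
    print("argv   :", safe_argv(HOSTILE_PATH))
    print("child  :", argv_roundtrip(HOSTILE_PATH))
```

The naive string splits into four words, with the trailing `bar;id` no longer part of the path; the quoted string and the argv list both carry the whole path as one argument. The argv form is the one to prefer, since it never involves a shell and so has no escaping rules to get wrong.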
  Debian: New pdns-recursor packages fix predictable randomness (Jul 16)
 

Thomas Biege discovered that the upstream fix for the weak random number generator released in DSA-1544-1 was incomplete: Source port randomization did still not use difficult-to-predict random numbers. This is corrected in this security update.

http://www.linuxsecurity.com/content/view/139935
  Debian: New cacti packages fix regression (Jul 15)
 

Since the previous security update, the cacti package could no longer be rebuilt from the source package. This update corrects that problem. Note that this problem does not affect regular use of the provided binary packages (.deb).

http://www.linuxsecurity.com/content/view/139921
  Debian: New gaim packages fix execution of arbitrary code (Jul 15)
 

It was discovered that gaim, a multi-protocol instant messaging client, was vulnerable to several integer overflows in its MSN protocol handlers. These could allow a remote attacker to execute arbitrary code.

http://www.linuxsecurity.com/content/view/139919
  Debian: New lighttpd packages fix multiple DoS issues (Jul 15)
 

Several local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint.

http://www.linuxsecurity.com/content/view/139918
  Debian: New iceweasel packages fix several vulnerabilities (Jul 11)
 

Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered crashes in the layout engine, which might allow the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/139768

  Gentoo: Mercurial Directory traversal (Jul 15)
 

A directory traversal vulnerability in Mercurial allows for the renaming of arbitrary files.

http://www.linuxsecurity.com/content/view/139922
  Gentoo: BIND Cache poisoning (Jul 11)
 

A weakness in the DNS protocol has been reported, which could lead to cache poisoning on recursive resolvers.

http://www.linuxsecurity.com/content/view/139769

  Mandriva: Updated pcre packages fix vulnerability (Jul 16)
 

Tavis Ormandy of the Google Security Team discovered a heap-based buffer overflow when compiling certain regular expression patterns. This could be used by a malicious attacker by sending a specially crafted regular expression to an application using the PCRE library, resulting in the possible execution of arbitrary code or a denial of service (CVE-2008-2371). The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/139926
  Mandriva: Updated x11-server packages fix offscreen pixmaps drawing issue (Jul 16)
 

This x11-server update disables offscreen pixmaps by default as they were causing drawing issues with Firefox 3 and other applications. To re-enable this option, use 'Option XaaOffscreenPixmaps on' in xorg.conf.

http://www.linuxsecurity.com/content/view/139925
  Mandriva: Updated poppler packages fix arbitrary code execution vulnerability (Jul 15)
 

A memory management issue was found in libpoppler by Felipe Andres Manzano that could allow for the execution of arbitrary code with the privileges of the user running a poppler-based application, if they opened a specially crafted PDF file (CVE-2008-2950). The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/139923
  Mandriva: Updated bluez/bluez-utils packages fix SDP packet parsing vulnerability (Jul 15)
 

An input validation flaw was found in the Bluetooth Session Description Protocol (SDP) packet parser used in the Bluez bluetooth utilities. A bluetooth device with an already-trusted relationship, or a local user registering a service record via a UNIX socket or D-Bus interface, could cause a crash and potentially execute arbitrary code with the privileges of the hcid daemon (CVE-2008-2374). The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/139786
  Mandriva: Updated openldap packages fix slapd DoS vulnerability (Jul 12)
 

A denial of service vulnerability was discovered in the way the OpenLDAP slapd daemon processed certain network messages. An unauthenticated remote attacker could send a specially crafted request that would crash the slapd daemon (CVE-2008-2952). The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/139773
  Mandriva: Updated OpenOffice.org packages fix vulnerability (Jul 11)
 

Integer overflow in the rtl_allocateMemory function in sal/rtl/source/alloc_global.c in OpenOffice.org (OOo) 2.0 through 2.4 allows remote attackers to execute arbitrary code via a crafted file that triggers a heap-based buffer overflow. The updated packages have been patched to fix the issue.

http://www.linuxsecurity.com/content/view/139772
  Mandriva: Updated pidgin packages fix MSN protocol handler vulnerability (Jul 10)
 

An integer overflow flaw was found in Pidgin's MSN protocol handler that could allow for the execution of arbitrary code if a user received a malicious MSN message (CVE-2008-2927). In addition, this update provides the ability to use ICQ networks again on Mandriva Linux 2008.0, as in MDVA-2008:103 (updated pidgin for 2008.1). The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/139761

  RedHat: Critical: firefox security update (Jul 16)
 

An updated firefox package that fixes various security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/139933
  RedHat: Critical: seamonkey security update (Jul 16)
 

Updated seamonkey packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1, 3, and 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/139934
  RedHat: Critical: firefox security update (Jul 16)
 

Updated firefox packages that fix various security issues are now available for Red Hat Enterprise Linux 5. An integer overflow flaw was found in the way Firefox displayed certain web content. A malicious web site could cause Firefox to crash, or execute arbitrary code with the permissions of the user running Firefox.

http://www.linuxsecurity.com/content/view/139932
  RedHat: Moderate: php security update (Jul 16)
 

Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/139929
  RedHat: Moderate: php security and bug fix update (Jul 16)
 

Updated php packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/139928
  RedHat: Moderate: php security update (Jul 16)
 

Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/139927
  RedHat: Critical: java-1.5.0-sun security update (Jul 14)
 

Updated java-1.5.0-sun packages that correct several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/139784
  RedHat: Critical: java-1.4.2-ibm security update (Jul 14)
 

Updated java-1.4.2-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4 Extras, and 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/139779
  RedHat: Moderate: ruby security update (Jul 14)
 

Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/139780
  RedHat: Moderate: ruby security update (Jul 14)
 

Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/139781
  RedHat: Moderate: bluez-libs and bluez-utils security (Jul 14)
 

Updated bluez-libs and bluez-utils packages that fix a security flaw are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/139782
  RedHat: Critical: java-1.6.0-sun security update (Jul 14)
 

Updated java-1.6.0-sun packages that correct several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/139783

  Slackware: mozilla-firefox (Jul 17)
 

New mozilla-firefox packages are available for Slackware 10.2, 11.0, 12.0, and 12.1 to fix security issues. More details about the issues may be found on the Mozilla site: http://www.mozilla.org/security/known-vulnerabilities/firefox20.html

http://www.linuxsecurity.com/content/view/139938
  Slackware: seamonkey (Jul 17)
 

New seamonkey packages are available for Slackware 11.0, 12.0, 12.1, and -current to fix security issues. More details about the issues may be found here: http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html

http://www.linuxsecurity.com/content/view/139939
  Slackware: seamonkey (Jul 10)
 

New seamonkey packages are available for Slackware 11.0, 12.0, 12.1, and -current to fix security issues. More details about the issues may be found here: http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey

http://www.linuxsecurity.com/content/view/139756
  Slackware: mozilla-firefox (Jul 10)
 

New mozilla-firefox packages are available for Slackware 10.2, 11.0, 12.0, and 12.1 to fix security issues. More details about the issues may be found on the Mozilla site: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox

http://www.linuxsecurity.com/content/view/139757
  Slackware: bind (Jul 10)
 

New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, and -current to address a security problem. More details may be found at the following links:
http://www.isc.org/sw/bind/bind-security.php
http://www.kb.cert.org/vuls/id/800113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

http://www.linuxsecurity.com/content/view/139758

  SuSE: bind (SUSE-SA:2008:033) (Jul 11)
 

The new version of bind uses a random transaction-ID (TRXID) and a random UDP source-port for DNS queries to address DNS cache poisoning attacks possible because of the "birthday paradox" and an attack discovered by Dan Kaminsky. Unfortunately we do not have details about Kaminsky's attack and have to trust the statement that a random UDP source-port is sufficient to stop it.

http://www.linuxsecurity.com/content/view/139763
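To see what the SUSE update buys, here is an added example (not from the advisory, nor BIND's code) that models a blind poisoning attempt as guessing the values a forged reply must match: the 16-bit transaction ID alone, versus transaction ID plus a randomised UDP source port. The model assumes independent, uniformly random IDs; the `outstanding` parameter is the number of concurrently open queries for the same name, which is where the advisory's "birthday paradox" enters. The port samples at the end are constructed, and `looks_randomized` is a simple defender-side sanity check on a resolver's outbound traffic, not a BIND feature.

```python
"""Added example (not from SUSE or BIND): the guess space a forged DNS
reply faces with and without source-port randomisation, the birthday-style
success probability when many queries are in flight, and a defender's
check that a resolver's source ports actually vary."""
import math
import random

TXID_SPACE = 2 ** 16                  # 16-bit DNS transaction ID
FULL_PORT_SPACE = 2 ** 16             # theoretical maximum for a 16-bit port
EPHEMERAL_PORT_SPACE = 65536 - 1024   # usable range 1024..65535 (assumed)


def guess_space(port_space: int = 1) -> int:
    """Number of (TXID, port) combinations a forged reply must match.
    port_space=1 models a resolver that always queries from one fixed port."""
    return TXID_SPACE * port_space


def success_probability(outstanding: int, forged: int, space: int) -> float:
    """P(at least one of `forged` distinct forged replies matches one of
    `outstanding` open queries), with each query's ID independent and uniform.
    For outstanding=1 this is simply forged/space; larger values are the
    birthday-paradox case the advisory mentions."""
    forged = min(forged, space)
    return 1.0 - (1.0 - forged / space) ** outstanding


def entropy_bits(space: int) -> float:
    """Effective bits an attacker has to guess."""
    return math.log2(space)


def looks_randomized(ports, min_distinct_fraction: float = 0.9) -> bool:
    """Defensive check on a sample of source ports seen leaving a resolver:
    a patched resolver shows almost all-distinct ports, an unpatched one
    keeps reusing a single port."""
    return len(set(ports)) / len(ports) >= min_distinct_fraction


# Constructed samples standing in for ports observed in a capture.
FIXED_PORT_SAMPLE = [53] * 50
RANDOM_PORT_SAMPLE = random.Random(1).sample(range(1024, 65536), 50)


if __name__ == "__main__":
    for label, space in (("TXID only", guess_space()),
                         ("TXID + random port", guess_space(EPHEMERAL_PORT_SPACE))):
        print(f"{label:20s} {entropy_bits(space):5.2f} bits  "
              f"1 query/200 forged: {success_probability(1, 200, space):.2e}  "
              f"200 queries/200 forged: {success_probability(200, 200, space):.2e}")
    print("fixed-port sample randomized? ", looks_randomized(FIXED_PORT_SAMPLE))
    print("random-port sample randomized?", looks_randomized(RANDOM_PORT_SAMPLE))
```

With only the transaction ID randomised, 200 concurrent queries against 200 forged replies already succeed almost half the time; adding a randomised source port pushes the same attempt below one in a hundred thousand, which is the whole point of the change. The check at the end is the kind of thing to run against a packet capture from your own resolver after patching.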

  Ubuntu: Firefox vulnerabilities (Jul 17)
 

A flaw was discovered in the browser engine. A variable could be made to overflow causing the browser to crash. If a user were tricked into opening a malicious web page, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2785)

http://www.linuxsecurity.com/content/view/140005
  Ubuntu: PCRE vulnerability (Jul 14)
 

Tavis Ormandy discovered that the PCRE library did not correctly handle certain in-pattern options. An attacker could cause applications linked against pcre3 to crash, leading to a denial of service.

http://www.linuxsecurity.com/content/view/139785
