LinuxSecurity.com 		Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: June 29th, 2009
Linux Advisory Watch: June 26th, 2009
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Advisory Watch: November 21st, 2008 Print E-mail
User Rating:      How can I rate this item?
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
Linux Advisory Watch This week advisories were released for python, libxml, clamav, php, kernel, dovecot, firefox, gnutls, gdm, thunderbird, net-snmp, HPLIP, and mysql. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, and Ubuntu.

Earn your MS in Info Assurance online

Norwich University's Master of Science in Information Assurance (MSIA) program, designated by the National Security Agency as providing academically excellent education in Information Assurance, provides you with the skills to manage and lead an organization-wide information security program and the tools to fluently communicate the intricacies of information security at an executive level. Learn more

LinuxSecurity.com Feature Extras:

A Secure Nagios Server - Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security.

Never Installed a Firewall on Ubuntu? Try Firestarter - When I typed on Google "Do I really need a firewall?" 695,000 results came across. And I'm pretty sure they must be saying "Hell yeah!". In my opinion, no one would ever recommend anyone to sit naked on the internet keeping in mind the insecurity internet carries these days, unless you really know what you are doing.

Read on for more information on Firestarter.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

  EnGarde Secure Community 3.0.21 Now Available (Oct 7)
 

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.21 (Version 3.0, Release 21). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.

In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database, e-mail security and even e-commerce.

http://www.linuxsecurity.com/content/view/143039
  Debian: New python2.4 packages fix several vulnerabilities (Nov 19)
 

David Remahl discovered several integer overflows in the stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, and mmapmodule modules.

http://www.linuxsecurity.com/content/view/144443
  Debian: New libxml2 packages fix several vulnerabilities (Nov 17)
 

Several vulnerabilities have been discovered in the GNOME XML library. The Common Vulnerabilities and Exposures project identifies the following problems: Drew Yao discovered that missing input sanitising in the xmlBufferResize() function may lead to an infinite loop, resulting in denial of service.

http://www.linuxsecurity.com/content/view/144333
  Fedora 9 Update: libxml2-2.7.2-2.fc9 (Nov 19)
 

Fixes a couple of security issues when overflowing text data size of buffer size.

http://www.linuxsecurity.com/content/view/144423
  Fedora 8 Update: clamav-0.92.1-4.fc8 (Nov 14)
 

Security fixes from upstream 0.94 and 0.94.1: CVE-2008-3912 (#461461): Multiple out-of-memory NULL pointer dereferences CVE-2008-3913 (#461461): Fix memory leak in the error code path in freshclam CVE-2008-3914 (#461461): File descriptor leak on the error code path CVE-2008-5050 (#470783): get_unicode_name() off-by-one buffer overflow

http://www.linuxsecurity.com/content/view/144239
  Fedora 9 Update: clamav-0.93.3-2.fc9 (Nov 14)
 

Security fixes from upstream 0.94 and 0.94.1: CVE-2008-1389 (#461461): Invalid memory access in the CHM unpacker CVE-2008-3912 (#461461): Multiple out-of-memory NULL pointer dereferences CVE-2008-3913 (#461461): Fix memory leak in the error code path in freshclam CVE-2008-3914 (#461461): Multiple file descriptor leaks on the error code path CVE-2008-5050 (#470783): get_unicode_name() off-by-one buffer overflow

http://www.linuxsecurity.com/content/view/144223
  Gentoo: PHP Multiple vulnerabilities (Nov 16)
 

PHP contains several vulnerabilities including buffer and integer overflows which could lead to the remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/144327
  Mandriva: Subject: [Security Announce] [ MDVSA-2008:220-1 ] kernel (Nov 19)
 

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel: The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux kernel before 2.6.27-rc2 does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obtain sensitive information. (CVE-2008-3272)

http://www.linuxsecurity.com/content/view/144448
  Mandriva: Subject: [Security Announce] [ MDVSA-2008:232 ] dovecot (Nov 19)
 

The ACL plugin in dovecot prior to version 1.1.4 treated negative access rights as though they were positive access rights, which allowed attackers to bypass intended access restrictions (CVE-2008-4577).

http://www.linuxsecurity.com/content/view/144446
  Mandriva: Subject: [Security Announce] [ MDVSA-2008:231 ] libxml2 (Nov 18)
 

Drew Yaro of the Apple Product Security Team found two flaws in libxml2. The first is a denial of service flaw in libxml2's XML parser. If an application linked against libxml2 were to process certain malformed XML content, it cause the application to enter an infinite loop (CVE-2008-4225).

http://www.linuxsecurity.com/content/view/144336
  Mandriva: Subject: [Security Announce] [ MDVSA-2008:230 ] firefox (Nov 17)
 

Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox 3.x, version 3.0.4 (CVE-2008-0017, CVE-2008-5014, CVE-2008-5015, CVE-2008-5016, CVE-2008-5017, CVE-2008-5018, CVE-2008-5019, CVE-2008-5021, CVE-2008-5022, CVE-2008-5023, CVE-2008-5024). This update provides the latest Mozilla Firefox 3.x to correct these issues.

http://www.linuxsecurity.com/content/view/144334
  Mandriva: Subject: [Security Announce] [ MDVSA-2008:227-1 ] gnutls (Nov 17)
 

Martin von Gagern found a flow in how GnuTLS versions 1.2.4 up until 2.6.1 verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications that used the GnuTLS library to trust invalid certificates (CVE-2008-4989).

http://www.linuxsecurity.com/content/view/144332
  Mandriva: Subject: [Security Announce] [ MDVA-2008:171 ] gdm (Nov 14)
 

An incorrect memory deallocation was causing a crash when the GNOME display manager was exiting. This package update fixes this issue and includes additional bug fixes and translation updates.

http://www.linuxsecurity.com/content/view/144322
  Mandriva: Subject: [Security Announce] [ MDVSA-2008:229 ] clamav (Nov 14)
 

An off-by-one error was found in ClamAV versions prior to 0.94.1 that could allow remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted VBA project file (CVE-2008-5050). Other bugs have also been corrected in 0.94.1 which is being provided with this update.

http://www.linuxsecurity.com/content/view/144321
  RedHat: Moderate: thunderbird security update (Nov 19)
 

Updated thunderbird packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/144451
  RedHat: Important: kernel security and bug fix update (Nov 19)
 

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/144442
  RedHat: Important: libxml2 security update (Nov 17)
 

Updated libxml2 packages that fix security issues are now available for Red Hat Enterprise Linux 2.1, 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/144330
  Slackware: libxml2 (Nov 20)
 

New libxml2 packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, and -current to fix security issues including a denial or service or the possible execution of arbitrary code if untrusted XML is processed. More details about the issues may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://www.linuxsecurity.com/content/view/144454
  Slackware: mozilla-firefox (Nov 16)
 

New mozilla-firefox packages are available for Slackware 10.2, 11.0, 12.0, 12.1, and -current to fix security issues. More details may be found on the Mozilla web site: http://www.mozilla.org/security/known-vulnerabilities/firefox20.html Or, for Slackware -current (using Firefox 3.0.x): http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

http://www.linuxsecurity.com/content/view/144323
  Slackware: net-snmp (Nov 16)
 

New net-snmp packages are available for Slackware 12.0, 12.1, and -current to fix a denial of service issue. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4309

http://www.linuxsecurity.com/content/view/144324
  Slackware: gnutls (Nov 16)
 

New gnutls packages are available for Slackware 12.0, 12.1, and -current to correctly fix the certificate chain verification issue that the upgrade to gnutls-2.6.1 attempted to fix. Without this upgrade, processing a certificate chain containing only one self-signed certificate may cause GnuTLS linked programs to crash.

http://www.linuxsecurity.com/content/view/144325
  Slackware: seamonkey (Nov 16)
 

New seamonkey packages are available for Slackware 11.0, 12.0, 12.1, and -current to fix security issues. More details may be found on the Mozilla web site: http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html

http://www.linuxsecurity.com/content/view/144326
  Ubuntu: HPLIP vulnerabilities (Nov 19)
 

It was discovered that the hpssd tool of hplip did not validate privileges in the alert-mailing function. A local attacker could exploit this to gain privileges and send e-mail messages from the account of the hplip user. This update alters hplip behaviour by preventing users from setting alerts and by moving alert configuration to a root-controlled /etc/hp/alerts.conf file. (CVE-2008-2940) It was discovered that the hpssd tool of hplip did not correctly handle certain commands. A local attacker could use a specially crafted packet to crash hpssd, leading to a denial of service. (CVE-2008-2941)

http://www.linuxsecurity.com/content/view/144445
  Ubuntu: MySQL vulnerabilities (Nov 17)
 

It was discovered that MySQL could be made to overwrite existing table files in the data directory. An authenticated user could use the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks. This update alters table creation behaviour by disallowing the use of the MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY options. (CVE-2008-2079, CVE-2008-4097 and CVE-2008-4098) It was discovered that MySQL did not handle empty bit-string literals properly. An attacker could exploit this problem and cause the MySQL server to crash, leading to a denial of service. (CVE-2008-3963)

http://www.linuxsecurity.com/content/view/144331

Write Comment
  • Please keep the topic of messages relevant to the subject of the article.
  • Personal verbal attacks will be deleted.
  • Please don't use comments to plug your web site.. Such material will be removed.
Name:
Title:
Comment:

Code:* Code

Powered by AkoComment!
 
< Prev   Next >
    
Partner:

 
Latest Features
Review: Googling Security: How Much Does Google Know About You
A Secure Nagios Server
Never Installed a Firewall on Ubuntu? Try Firestarter
Review: Hacking Exposed Linux, Third Edition
Security Features of Firefox 3.0
Review: The Book of Wireless
April 2008 Open Source Tool of the Month: sudo
Yesterday's Edition

QuickLinks: Comunity , HOWTOs , Blogs , Features , Book Reviews , Networking ,
  Security Projects ,   Latest News ,  Newsletters ,  SELinux ,  Privacy ,  Home,
 Hardening ,   About Us,   Advertise,   Legal Notice,   RSS,   Guardian Digital
  Home Security Systems, Surveillance Cameras

(c)Copyright 2009 Guardian Digital, Inc. All rights reserved.