LinuxSecurity.com 		Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: May 14th, 2012
Linux Advisory Watch: May 10th, 2012
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Advisory Watch: January 23rd, 2009 Print E-mail
User Rating:      How can I rate this item?
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
Linux Advisory Watch This week, advisories were released for iceweasel, amarok, netatalk, drupal, mumbles, moodle, uw-imap, devIL, net-snmp, scilab, php, xine-lib, kdebase, ffmpeg, mplayer, thunderbird, bind, ntp, and perl. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, SuSE, and Ubuntu.

Linux+DVD Magazine Our magazine is read by professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software. The majority of our readers is between 15 and 40 years old. They are interested in current news from the Linux world, upcoming projects etc.

In each issue you can find information concerning typical use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments.

LinuxSecurity.com Feature Extras:

Review: Googling Security: How Much Does Google Know About You - If I ask "How much do you know about Google?" You may not take even a second to respond. But if I may ask "How much does Google know about you"? You may instantly reply "Wait... what!? Do they!?" The book "Googling Security: How Much Does Google Know About You" by Greg Conti (Computer Science Professor at West Point) is the first book to reveal how Google's vast information stockpiles could be used against you or your business – and what you can do to protect yourself.

A Secure Nagios Server - Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

  EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
 

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/145668
  Debian: New iceweasel packages fix several vulnerabilities (Jan 15)
 

Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems...

http://www.linuxsecurity.com/content/view/147395
  Debian: New amarok packages fix arbitrary code execution (Jan 15)
 

Tobias Klein discovered that integer overflows in the code the Amarok media player uses to parse Audible files may lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/147394
  Debian: New netatalk packages fix arbitrary code execution (Jan 15)
 

It was discovered that netatalk, an implementation of the AppleTalk suite, is affected by a command injection vulnerability when processing PostScript streams via papd. This could lead to the execution of arbitrary code. Please note that this only affects installations that are configured to use a pipe command in combination with wildcard symbols substituted with values of the printed job.

http://www.linuxsecurity.com/content/view/147391
  Fedora 10 Update: drupal-6.9-1.fc10 (Jan 22)
 

SA-CORE-2009-001 ( http://drupal.org/node/358957 ) Remember to log in to your site as the admin user before upgrading this package. After upgrading the package, browse to http://host/drupal/update.php to run the upgrade script.

http://www.linuxsecurity.com/content/view/147690
  Fedora 9 Update: drupal-6.9-1.fc9 (Jan 22)
 

SA-CORE-2009-001 ( http://drupal.org/node/358957 ) Remember to log in to your site as the admin user before upgrading this package. After upgrading the package, browse to http://host/drupal/update.php to run the upgrade script.

http://www.linuxsecurity.com/content/view/147691
  Fedora 9 Update: amarok-1.4.10-2.fc9 (Jan 22)
 

This build includes a security fix concerning the parsing of malformed Audible digital audio files.

http://www.linuxsecurity.com/content/view/147692
  Fedora 10 Update: mumbles-0.4-9.fc10 (Jan 22)
 

- Fixed path to make mumbles run on x86_64 bug #479158 - Security fix for Firefox plugin bug #479171

http://www.linuxsecurity.com/content/view/147693
  Fedora 9 Update: moodle-1.9.3-5.fc9 (Jan 22)
 

Fix for spellcheck security flaw, and some font correction.

http://www.linuxsecurity.com/content/view/147694
  Fedora 10 Update: moodle-1.9.3-5.fc10 (Jan 22)
 

Fix for spellcheck security flaw, and some font correction.

http://www.linuxsecurity.com/content/view/147695
  Fedora 10 Update: uw-imap-2007e-1.fc10 (Jan 22)
 

Update to new upstream version - 2007e. Contains fix for a security issue - buffer overflow in rfc822_output_char / rfc822_output_data (CVE-2008-5514).

http://www.linuxsecurity.com/content/view/147696
  Fedora 9 Update: DevIL-1.7.5-2.fc9 (Jan 22)
 

- Fix missing symbols (rh 480269) - Fix off by one error in CVE-2008-5262 check (rh 479864)

http://www.linuxsecurity.com/content/view/147697
  Fedora 9 Update: uw-imap-2007e-1.fc9 (Jan 22)
 

Update to new upstream version - 2007e. Contains fix for a security issue - buffer overflow in rfc822_output_char / rfc822_output_data (CVE-2008-5514).

http://www.linuxsecurity.com/content/view/147698
  Fedora 10 Update: DevIL-1.7.5-2.fc10 (Jan 22)
 

- Fix missing symbols (rh 480269) - Fix off by one error in CVE-2008-5262 check (rh 479864)

http://www.linuxsecurity.com/content/view/147699
  Gentoo: Net-SNMP Denial of Service (Jan 21)
 

A vulnerability in Net-SNMP could lead to a Denial of Service.

http://www.linuxsecurity.com/content/view/147682
  Gentoo: Scilab Insecure temporary file usage (Jan 21)
 

An insecure temporary file usage has been reported in Scilab, allowing for symlink attacks.

http://www.linuxsecurity.com/content/view/147681
  Mandriva: [ MDVSA-2009:024 ] php4 (Jan 21)
 

A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658). A buffer overflow in the memnstr() function allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via the delimiter argument to the explode() function (CVE-2008-3659). PHP, when used as a FastCGI module, allowed remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension (CVE-2008-3660). The updated packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/147687
  Mandriva: [ MDVSA-2009:023 ] php (Jan 21)
 

A vulnerability in PHP allowed context-dependent attackers to cause a denial of service (crash) via a certain long string in the glob() or fnmatch() functions (CVE-2007-4782)... The updated packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/147686
  Mandriva: [ MDVSA-2009:022 ] php (Jan 21)
 

A vulnerability in PHP allowed context-dependent attackers to cause a denial of service (crash) via a certain long string in the glob() or fnmatch() functions (CVE-2007-4782).. The updated packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/147685
  Mandriva: [ MDVSA-2009:021 ] php (Jan 21)
 

A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658)... The updated packages have been patched to correct these issues.

http://www.linuxsecurity.com/content/view/147684
  Mandriva: [ MDVSA-2009:020 ] xine-lib (Jan 21)
 

Failure on Ogg files manipulation can lead remote attackers to cause a denial of service by using crafted files (CVE-2008-3231).... This update provides the fix for all these security issues found in xine-lib 1.1.11 of Mandriva 2008.1. The vulnerabilities: CVE-2008-5234, CVE-2008-5236, CVE-2008-5237, CVE-2008-5239, CVE-2008-5240, CVE-2008-5243 are found in xine-lib 1.1.15 of Mandriva 2009.0 and are also fixed by this update.

http://www.linuxsecurity.com/content/view/147683
  Mandriva: [ MDVSA-2009:017 ] kdebase (Jan 16)
 

A vulnerability in KDM allowed a local user to cause a denial of service via unknown vectors (CVE-2007-5963). The updated packages have been patched to prevent this issue.

http://www.linuxsecurity.com/content/view/147405
  Mandriva: [ MDVSA-2009:016 ] xen (Jan 16)
 

Ian Jackson found a security issue in the QEMU block device drivers backend that could allow a guest operating system to issue a block device request and read or write arbitrary memory locations, which could then lead to privilege escalation (CVE-2008-0928)... The updated packages have been patched to prevent these issues.

http://www.linuxsecurity.com/content/view/147404
  Mandriva: [ MDVSA-2009:015 ] ffmpeg (Jan 15)
 

Several vulnerabilities have been discovered in ffmpeg, related to the execution of DTS generation code (CVE-2008-4866) and incorrect handling of DCA_MAX_FRAME_SIZE value (CVE-2008-4867). The updated packages have been patched to prevent this.

http://www.linuxsecurity.com/content/view/147401
  Mandriva: [ MDVSA-2009:014 ] mplayer (Jan 15)
 

Several vulnerabilities have been discovered in mplayer, which could allow remote attackers to execute arbitrary code via a malformed TwinVQ file (CVE-2008-5616), and in ffmpeg, as used by mplayer, related to the execution of DTS generation code (CVE-2008-4866). The updated packages have been patched to prevent this.

http://www.linuxsecurity.com/content/view/147400
  Mandriva: [ MDVSA-2009:013 ] mplayer (Jan 15)
 

Several vulnerabilities have been discovered in mplayer, which could allow remote attackers to execute arbitrary code via a malformed TwinVQ file (CVE-2008-5616), and in ffmpeg, as used by mplayer, related to the execution of DTS generation code (CVE-2008-4866) and incorrect handling of DCA_MAX_FRAME_SIZE value (CVE-2008-4867). The updated packages have been patched to prevent this.

http://www.linuxsecurity.com/content/view/147399
  Mandriva: [ MDVSA-2009:012 ] mozilla-thunderbird (Jan 15)
 

A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 2.0.0.19 (CVE-2008-5500, CVE-2008-5503, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511, CVE-2008-5512). This update provides the latest Thunderbird to correct these issues.

http://www.linuxsecurity.com/content/view/147396
  Mandriva: [ MDVA-2009:012 ] kphotoalbum (Jan 15)
 

Kphotoalbum in Mandriva Linux 2009.0 had some unimplemented functions that could lead to crashes. This new package implements those functions and fixes the crashes.

http://www.linuxsecurity.com/content/view/147393
  Mandriva: [ MDVA-2009:011 ] kdegraphics4 (Jan 15)
 

This package updates the libkdraw and libkexiv2 libraries making it possible to build newer versions of digikam.

http://www.linuxsecurity.com/content/view/147392
  RedHat: Important: kernel security and bug fix update (Jan 22)
 

Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise MRG 1.0. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/147689
  Slackware bind 10.2/11.0 recompile (Jan 15)
 

Updated bind packages are available for Slackware 10.2 and 11.0 to address a load problem. It was reported that the initial build of these updates complained that the Linux capability module was not present and would refuse to load. It was determined that the packages which were compiled on 10.2 and 11.0 systems running 2.6 kernels, and although the installed kernel headers are from 2.4.x, it picked up on this resulting in packages that would only run under 2.4 kernels. These new packages address the issue. As always, any problems noted with update patches should be reported to security@slackware.com, and we will do our best to address them as quickly as possible.

http://www.linuxsecurity.com/content/view/147398
  Slackware: ntp (Jan 15)
 

New ntp packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to a fix security issue.

http://www.linuxsecurity.com/content/view/147388
  Slackware: openssl (Jan 15)
 

New openssl packages are available for Slackware 11.0, 12.0, 12.1, 12.2, and -current to fix a security issue when connecting to an SSL/TLS server that uses a certificate containing a DSA or ECDSA key.

http://www.linuxsecurity.com/content/view/147389
  Slackware: bind (Jan 15)
 

New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a security issue.

http://www.linuxsecurity.com/content/view/147387
  SuSE: bind (SUSE-SA:2009:005) (Jan 22)
 

The DNS daemon bind is used to resolve and lookup addresses on the inter- net. Some month ago a vulnerability in the DNS protocol and its numbers was published that allowed easy spoofing of DNS entries. The only way to pro- tect against spoofing is to use DNSSEC. Unfortunately the bind code that verifys the certification chain of a DNS- SEC zone transfer does not properly check the return value of function DSA_do_verify(). This allows the spoofing of records signed with DSA or NSEC3DSA.

http://www.linuxsecurity.com/content/view/147688
  Ubuntu:Perl regression (Jan 15)
 

USN-700-1 fixed vulnerabilities in Perl. Due to problems with the Ubuntu 8.04 build, some Perl .ph files were missing from the resulting update. This update fixes the problem. We apologize for the inconvenience.

http://www.linuxsecurity.com/content/view/147397

Only registered users can write comments.
Please login or register.

Powered by AkoComment!
 
< Prev   Next >
    
Partner

 
Latest Features
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Using the sec-wall Security Proxy
sec-wall: Open Source Security Proxy
Yesterday's Edition
New Nmap Probes IPv6 Networks
Anatomy of a hack: 6 separate bugs needed to bring down Google browser
Sony PS Vita Hacking Expands With Homebrew Loader
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2012 Guardian Digital, Inc. All rights reserved.