Linux Advisory Watch: Dec 18th, 2009
Source: LinuxSecurity Contributors - Posted by Dave Wreski

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. Vulnerabilities exist for virtually every vendor, every week. Check this newsletter to be sure your distribution is secure.
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| December 18th, 2009                             Volume 10, Number 51 |
|                                                                      |
| Editorial Team:                                          Dave Wreski |
|                                                   Benjamin D. Thomas |
+----------------------------------------------------------------------+

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
Ask someone "How much do you know about Google?" and they will answer
without a second's hesitation. Ask instead "How much does Google know
about you?" and the reply is more likely to be "Wait... what!? Do
they!?" The book "Googling Security: How Much Does Google Know About
You" by Greg Conti (Computer Science Professor at West Point) is the
first book to reveal how Google's vast information stockpiles could be
used against you or your business, and what you can do to protect
yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------
Nagios is monitoring software designed to alert you quickly to problems
on your hosts and networks, and it can be configured for use on any
network. Installing a Nagios server on any Linux distribution is a
quick process; making that installation secure takes some work. This
article does not cover installing Nagios, since plenty of installation
guides already exist, but it shows in detail how to improve the
security of your Nagios server.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: xulrunner several vulnerabilities (Dec 16)
  --------------------------------------------------

  http://www.linuxsecurity.com/content/view/151171

* Debian: network-manager/network-manager-applet information disclosure (Dec 16)
  ------------------------------------------------------------------------------

  http://www.linuxsecurity.com/content/view/151170

* Debian: cacti insufficient input sanitising (Dec 16)
  ----------------------------------------------------

  http://www.linuxsecurity.com/content/view/151162

* Debian: expat denial of service (Dec 15)
  ----------------------------------------

  http://www.linuxsecurity.com/content/view/151149

* Debian: asterisk several vulnerabilities (Dec 15)
  -------------------------------------------------

  http://www.linuxsecurity.com/content/view/151138

* Debian: firefox-sage insufficient input sanitizing (Dec 15)
  -----------------------------------------------------------

  http://www.linuxsecurity.com/content/view/151137

* Debian: New webkit packages fix several vulnerabilities (Dec 12)
  ----------------------------------------------------------------

  http://www.linuxsecurity.com/content/view/151123

* Debian: New php-net-ping packages fix arbitrary code execution (Dec 12)
  -----------------------------------------------------------------------

  http://www.linuxsecurity.com/content/view/151122

------------------------------------------------------------------------

* Fedora 12 moodle-1.9.7-1.fc12 (Dec 11)
  --------------------------------------
  Moodle upstream has released the latest stable versions (1.9.7 and
  1.8.11), fixing multiple security issues.

  http://www.linuxsecurity.com/content/view/151117

* Fedora 10 ruby-1.8.6.368-2.fc10 (Dec 11)
  ----------------------------------------
  Update to 1.8.6 p368. This package also fixes the build failure on
  arm-gnueabi systems (bug 506233), and a DoS vulnerability in the
  BigDecimal method (bug 504958, CVE-2009-1904).

  http://www.linuxsecurity.com/content/view/151118

* Fedora 12 ntp-4.2.4p8-1.fc12 (Dec 11)
  -------------------------------------
  This update fixes possible DoS with mode 7 packets. (CVE-2009-3563)

  http://www.linuxsecurity.com/content/view/151116

* Fedora 10 moodle-1.9.7-1.fc10 (Dec 11)
  --------------------------------------
  Moodle upstream has released the latest stable versions (1.9.7 and
  1.8.11), fixing multiple security issues.

  http://www.linuxsecurity.com/content/view/151115

* Fedora 12 kernel-2.6.31.6-166.fc12 (Dec 10)
  -------------------------------------------
  CVE-2009-4131: EXT4 - fix insufficient permission checking which
  could result in arbitrary data corruption by a local unprivileged
  user.

  http://www.linuxsecurity.com/content/view/151096

------------------------------------------------------------------------

* Mandriva: koffice (Dec 17)
  --------------------------
  Security vulnerabilities have been discovered and fixed in the PDF
  processing code embedded in the koffice package (CVE-2009-3606 and
  CVE-2009-3609).

  http://www.linuxsecurity.com/content/view/151186

* Mandriva: kde4-splash-mdv (Dec 17)
  ----------------------------------
  This update improves the Polish translation used in KDE4 splash
  screens.

  http://www.linuxsecurity.com/content/view/151185

* Mandriva: kdepim4 (Dec 17)
  --------------------------
  In Mandriva 2010.0, because of a regression, the KTimetracker menu
  was missing many options, which made it unusable. Also in Mandriva
  2010.0, when using Knotes inside Kontact, long note titles were cut
  off on the left. This update fixes these issues.

  http://www.linuxsecurity.com/content/view/151184

* Mandriva: ffmpeg (Dec 17)
  -------------------------
  A vulnerability was discovered and corrected in ffmpeg: MPlayer
  allows remote attackers to cause a denial of service (application
  crash) via (1) a malformed AAC file, as demonstrated by lol-vlc.aac;
  or (2) a malformed Ogg Media (OGM) file, as demonstrated by
  lol-ffplay.ogm, different vectors than CVE-2007-6718 (CVE-2008-4610).

  http://www.linuxsecurity.com/content/view/151183

* Mandriva: poppler (Dec 16)
  --------------------------

  http://www.linuxsecurity.com/content/view/151173

* Mandriva: gnome-desktop (Dec 16)
  --------------------------------
  In Mandriva 2010.0, when using an old X server without support for
  the XrandR extension, the Gnome settings daemon would crash.

  http://www.linuxsecurity.com/content/view/151172

* Mandriva: webkit (Dec 16)
  -------------------------
  MDVA-2009:258 introduced a regression which made the libwebkitgtk
  devel packages uninstallable. This update fixes this issue.

  http://www.linuxsecurity.com/content/view/151158

* Mandriva: webkit (Dec 15)
  -------------------------
  MDVA-2009:252 introduced a regression with the newer version of the
  webkit package, which made the Mandriva Control Center crash. This
  update reverts the webkit package to the previous version.

  http://www.linuxsecurity.com/content/view/151150

* Mandriva: postgresql (Dec 15)
  -----------------------------
  Multiple vulnerabilities were discovered and corrected in postgresql:
  NULL bytes in SSL certificates can be used to falsify client or
  server authentication.

  http://www.linuxsecurity.com/content/view/151148

* Mandriva: mandriva-kde4-config (Dec 14)
  ---------------------------------------
  In kde4-firstsetup.sh from Mandriva 2010.0 there were still some
  references to plasma, which has been renamed to plasma-desktop in KDE
  4.3. This update fixes this issue.

  http://www.linuxsecurity.com/content/view/151136

* Mandriva: kdepim4 (Dec 14)
  --------------------------
  In Mandriva 2010.0, with Ktimetracker embedded in Kontact, the
  shortcut to create a new task did not work; a second bug was that the
  shortcut ctrl + shift + W made Kontact crash. This update fixes
  these issues.

  http://www.linuxsecurity.com/content/view/151135

* Mandriva: fontconfig (Dec 14)
  -----------------------------
  A bug in the fontconfig language cache generated an invalid cache,
  which would cause crashes or freezes when upgrading a previous
  Mandriva Linux release to Mandriva Linux 2010 using the live update
  feature. This update fixes this issue.

  http://www.linuxsecurity.com/content/view/151134

* Mandriva: mdkonline (Dec 14)
  ----------------------------
  This update fixes several issues regarding the live upgrade to a more
  recent distribution.

  http://www.linuxsecurity.com/content/view/151131

* Mandriva: graphviz (Dec 14)
  ---------------------------
  This update fixes an issue with graphviz: graphviz was not properly
  upgraded to a newer version when upgrading from a 2009.0 system.

  http://www.linuxsecurity.com/content/view/151125

* Mandriva: mpg123 (Dec 14)
  -------------------------
  A regression was found and fixed for mpg123 while attempting to load
  the mpg123 modules. This regression stems from MDVSA-2009:307
  (libtool ltdl).

  http://www.linuxsecurity.com/content/view/151124

* Mandriva: webkitgtk (Dec 11)
  ----------------------------
  This update brings the new stable version 1.1.15.4 of webkitgtk, and
  solves the problem with the SSE2 instruction set on AMD machines.

  http://www.linuxsecurity.com/content/view/151120

* Mandriva: snort (Dec 11)
  ------------------------
  preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not
  properly identify packet fragments that have dissimilar TTL values,
  which allows remote attackers to bypass detection rules by using a
  different TTL for each fragment.

  http://www.linuxsecurity.com/content/view/151119

* Mandriva: gimp (Dec 11)
  -----------------------
  A vulnerability was discovered and corrected in gimp: Integer
  overflow in the ReadImage function in plug-ins/file-bmp/bmp-read.c in
  GIMP 2.6.7 might allow remote attackers to execute arbitrary code via
  a BMP file with crafted width and height values that trigger a
  heap-based buffer overflow (CVE-2009-1570).

  http://www.linuxsecurity.com/content/view/151113

* Mandriva: gimp (Dec 11)
  -----------------------
  A vulnerability was discovered and corrected in gimp.

  http://www.linuxsecurity.com/content/view/151106

* Mandriva: mdkonline (Dec 10)
  ----------------------------
  This update fixes several issues regarding the live upgrade to a more
  recent distribution; notably, new distributions are now only
  presented after all updates have been applied.

  http://www.linuxsecurity.com/content/view/151104

* Mandriva: mdkonline (Dec 10)
  ----------------------------
  This update fixes several issues regarding the live upgrade to a more
  recent distribution; notably, new distributions are now only
  presented after all updates have been applied.

  http://www.linuxsecurity.com/content/view/151103

* Mandriva: mdkonline (Dec 10)
  ----------------------------
  This update fixes several issues regarding the live upgrade to a more
  recent distribution.

  http://www.linuxsecurity.com/content/view/151102

* Mandriva: wireless-regdb (Dec 10)
  ---------------------------------
  This updates the wireless regulatory domain database to the
  2009-11-10 release, to track wireless regulations worldwide.

  http://www.linuxsecurity.com/content/view/151101

* Mandriva: mdkonline (Dec 10)
  ----------------------------
  This update fixes several issues regarding the live upgrade to a more
  recent distribution.

  http://www.linuxsecurity.com/content/view/151100

* Mandriva: hal-cups-utils (Dec 10)
  ---------------------------------
  In Mandriva 2010.0, hal-cups-utils did not re-enable printers when
  they were reconnected and no printer applet was running. This update
  fixes this issue.

  http://www.linuxsecurity.com/content/view/151099

* Mandriva: espeak (Dec 10)
  -------------------------
  In Mandriva 2010.0, espeak did not support the pulseaudio audio
  system, which produced incomprehensible speech. This update changes
  the build of espeak to use pulseaudio as its audio output.

  http://www.linuxsecurity.com/content/view/151098

* Mandriva: kdegraphics (Dec 10)
  ------------------------------
  Multiple vulnerabilities have been found and corrected in kdegraphics:
  multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and
  earlier allow remote attackers to cause a denial of service (crash)
  via a crafted PDF file.

  http://www.linuxsecurity.com/content/view/151097

* Mandriva: kdelibs (Dec 10)
  --------------------------
  Multiple vulnerabilities have been found and corrected in kdelibs: the
  gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc in
  FreeBSD 6.4 and 7.2, NetBSD 5.0, and OpenBSD 4.5 allows
  context-dependent attackers to cause a denial of service (application
  crash) or possibly have unspecified other impact via a large
  precision value in the format argument to a printf function.

  http://www.linuxsecurity.com/content/view/151095

------------------------------------------------------------------------

* RedHat: gpdf security update (Dec 16)
  -------------------------------------
  An updated gpdf package that fixes a security issue is now available
  for Red Hat Enterprise Linux 4. This update has been rated as having
  important security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/151160

* RedHat: kdegraphics security update (Dec 16)
  --------------------------------------------
  Updated kdegraphics packages that fix a security issue are now
  available for Red Hat Enterprise Linux 4. This update has been rated
  as having important security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/151161

* RedHat: xpdf security update (Dec 16)
  -------------------------------------
  An updated xpdf package that fixes a security issue is now available
  for Red Hat Enterprise Linux 4. This update has been rated as having
  important security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/151159

* RedHat: seamonkey security update (Dec 16)
  ------------------------------------------
  Updated seamonkey packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3 and 4. This update has been
  rated as having critical security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/151156

* RedHat: firefox security update (Dec 16)
  ----------------------------------------
  Updated firefox packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having critical security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/151157

* RedHat: kernel security and bug fix update (Dec 15)
  ---------------------------------------------------
  Updated kernel packages that fix multiple security issues and several
  bugs are now available for Red Hat Enterprise Linux 5. This update
  has been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/151145

* RedHat: kernel security and bug fix update (Dec 15)
  ---------------------------------------------------
  Updated kernel packages that fix multiple security issues and several
  bugs are now available for Red Hat Enterprise Linux 4. This update
  has been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/151146

* RedHat: kernel security and bug fix update (Dec 15)
  ---------------------------------------------------
  Updated kernel packages that fix multiple security issues and one bug
  are now available for Red Hat Enterprise Linux 5.2 Extended Update
  Support. This update has been rated as having important security
  impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/151147

------------------------------------------------------------------------

* Slackware: gimp (Dec 12)
  ------------------------
  New gimp packages are available for Slackware 12.1, 12.2, 13.0, and
  -current to fix security issues. More details about these issues may
  be found in the Common Vulnerabilities and Exposures (CVE) database.

  http://www.linuxsecurity.com/content/view/151121

* Slackware: ntp (Dec 10)
  -----------------------
  New ntp packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
  10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, and -current to fix a
  security issue.  If a spoofed mode 7 packet is sent to a vulnerable
  NTP daemon it may cause CPU and/or disk space exhaustion, resulting
  in a denial of service.

  http://www.linuxsecurity.com/content/view/151088

------------------------------------------------------------------------

* SuSE: Linux kernel (Dec 14)
  ---------------------------

  http://www.linuxsecurity.com/content/view/151133

------------------------------------------------------------------------

* Pardus: Automake: Code Execution (Dec 17)
  -----------------------------------------
  A vulnerability was found in automake, which can be exploited by
  malicious people in some situations to possibly execute arbitrary
  code.

  http://www.linuxsecurity.com/content/view/151174

* Pardus: MySQL: Multiple Vulnerabilities (Dec 17)
  ------------------------------------------------
  Multiple vulnerabilities were found in MySQL, which can be exploited
  by malicious people to possibly 1) cause denial of service, 2)
  bypass certain restrictions.

  http://www.linuxsecurity.com/content/view/151175

* Pardus: [UPDATED] Flashplugin: Multiple (Dec 17)
  ------------------------------------------------
  Multiple vulnerabilities were found in Adobe Flash Player, which can
  be exploited by malicious people to possibly execute arbitrary
  code. [UPDATE] The same issue was fixed in 2009.

  http://www.linuxsecurity.com/content/view/151176

* Pardus: [UPDATED] Coreutils: Unsafe (Dec 15)
  --------------------------------------------
  A vulnerability was found in coreutils, which can be used by
  malicious people to potentially execute arbitrary code under certain
  circumstances. [UPDATE] The same issue was fixed in Pardus 2008.

  http://www.linuxsecurity.com/content/view/151151

* Pardus: Flashplugin: Multiple (Dec 15)
  --------------------------------------
  Multiple vulnerabilities were found in Adobe Flash Player, which can
  be  exploited by malicious people to possibly execute arbitrary code.

  http://www.linuxsecurity.com/content/view/151152

* Pardus: [UPDATED] Glibc: Integer Overflow (Dec 15)
  --------------------------------------------------
  An integer overflow was found in glibc, which can be exploited by
  malicious people to possibly execute arbitrary code. [UPDATE] The
  same issue was fixed in Pardus 2008.

  http://www.linuxsecurity.com/content/view/151153

* Pardus: Ntp: Denial of Service (Dec 15)
  ---------------------------------------
  A vulnerability was found in ntp which can be exploited by malicious
  people to cause a denial of service via malformed mode 7 packets.

  http://www.linuxsecurity.com/content/view/151154

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
