LinuxSecurity.com
Linux Advisory Watch: January 8th, 2010
Posted by Benjamin D. Thomas
Linux Advisory Watch The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. Vulnerabilities exist for virtually every vendor, every week. Check this newsletter to be sure your distribution is secure.

Linux+DVD Magazine: Our magazine is read by professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software. The majority of our readers are between 15 and 40 years old. They are interested in current news from the Linux world, upcoming projects, etc.

In each issue you can find information concerning typical use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments.


LinuxSecurity.com Feature Extras:

Review: Googling Security: How Much Does Google Know About You - If I ask "How much do you know about Google?", you may not take even a second to respond. But if I ask "How much does Google know about you?", you may instantly reply "Wait... what!? Do they!?" The book "Googling Security: How Much Does Google Know About You" by Greg Conti (Computer Science Professor at West Point) is the first book to reveal how Google's vast information stockpiles could be used against you or your business – and what you can do to protect yourself.

A Secure Nagios Server - Nagios is monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process; making that setup secure, however, takes some work. This article will not show you how to install Nagios, since there are plenty of installation guides out there, but it will show you in detail ways to improve your Nagios security.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


  EnGarde Secure Community 3.0.22 Now Available! (Dec 9)

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/145668

  Debian: transmission directory traversal (Jan 7)

http://www.linuxsecurity.com/content/view/151317

  Debian: horde3 cross-site scripting (Jan 6)

http://www.linuxsecurity.com/content/view/151307

  Debian: phpldapadmin remote file inclusion (Jan 6)

http://www.linuxsecurity.com/content/view/151302

  Debian: PostgreSQL several vulnerabilities (Dec 31)

http://www.linuxsecurity.com/content/view/151270

  Debian: expat regression (Dec 31)

http://www.linuxsecurity.com/content/view/151269

  Gentoo: PHP Multiple vulnerabilities (Jan 5)

Multiple vulnerabilities were found in PHP, the worst of which leads to the remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/151292

  Gentoo: NTP Denial of Service (Jan 3)

A Denial of Service condition in ntpd can cause excessive CPU or bandwidth consumption.

http://www.linuxsecurity.com/content/view/151275

  Gentoo: Adobe Flash Player Multiple vulnerabilities (Jan 3)

Multiple vulnerabilities in Adobe Flash Player might allow remote attackers to execute arbitrary code or cause a Denial of Service.

http://www.linuxsecurity.com/content/view/151272

  Gentoo: NTP Denial of Service (Jan 3)

A Denial of Service condition in ntpd can cause excessive CPU or bandwidth consumption.

http://www.linuxsecurity.com/content/view/151271

  Mandriva: apache-conf (Jan 7)

This is a maintenance and bugfix release of apache-conf that mainly ensures the httpd service is handled more gracefully when reloading the Apache server (#56857). Other fixes (where applicable):
- fix #53887 (obsolete favicon.ico file in Apache default www pages)
- workaround #47992 (apache does not start occasionally)
- added logic to make it possible to set limits from the init script in an attempt to address #30849 and similar problems
- added logic to ease debugging with gdb in the initscript
Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

http://www.linuxsecurity.com/content/view/151313

  Mandriva: kde4-style-iaora (Jan 6)

In Mandriva 2010.0 under KDE, the scrollbar was too small to be used in some cases; this update adds a minimum size of 21 for the scrollbar (bug #56018).
- In Mandriva 2010.0 under KDE, Quassel could crash when highlighting links.
- This update fixes the titlebar colors to make them consistent with the Ia Ora specs.

http://www.linuxsecurity.com/content/view/151312

  Mandriva: apache-conf (Jan 6)

A vulnerability was discovered and corrected in apache-conf: The Apache HTTP Server enables the HTTP TRACE method by default, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified web client software (CVE-2009-2823). This update provides a solution to this vulnerability.

Update:

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

http://www.linuxsecurity.com/content/view/151311

  Mandriva: apache-conf (Jan 6)

A vulnerability was discovered and corrected in apache-conf: The Apache HTTP Server enables the HTTP TRACE method by default, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified web client software (CVE-2009-2823). This update provides a solution to this vulnerability.

Update:

The wrong package was uploaded for 2009.1. This update addresses that problem.

http://www.linuxsecurity.com/content/view/151310

  Mandriva: run-parts (Jan 6)

This update provides a newer version of run-parts, as the current version in MES5 is very old and lacks options such as --list, which is required by logcheck.

http://www.linuxsecurity.com/content/view/151305

  Mandriva: docbook-to-man (Jan 6)

Fix man page builds for broken man pages.

http://www.linuxsecurity.com/content/view/151304

  Mandriva: kdelibs4 (Jan 6)

In Mandriva 2010.0 there were some missing translations. This update fixes this issue.

http://www.linuxsecurity.com/content/view/151303

  Mandriva: timezone (Jan 6)

Updated timezone packages are being provided for older Mandriva Linux systems that do not contain new Daylight Savings Time information and Time Zone information for some locations. These updated packages contain the new information.

http://www.linuxsecurity.com/content/view/151300

  Mandriva: msec (Jan 6)

This update fixes two issues with msec:
- some error messages could result in msec throwing an exception instead of logging the corresponding text (bug #56180)
- the security report about group-writable files belonging to the gdm user was silenced by default (bug #56064)

http://www.linuxsecurity.com/content/view/151299

  Mandriva: kdebase4 (Jan 6)

This update only reverts two testing patches, fixing some font issues in the folderview applet.

http://www.linuxsecurity.com/content/view/151298

  Mandriva: phonon (Jan 6)

In Mandriva 2010.0, losing your internet connection while listening to a web stream could make Amarok crash. This update fixes this bug.

http://www.linuxsecurity.com/content/view/151297

  Mandriva: rpmstats (Jan 6)

rpmstats in 2010.0 displays strange characters for some last-modified file names; this is easily noticed in Drakstats. This updated package fixes this bug (#56176).

http://www.linuxsecurity.com/content/view/151296

  Mandriva: davfs (Jan 5)

A vulnerability was found in xmltok_impl.c (expat) that could be exploited with specially crafted XML and lead to a denial of service attack. Related to CVE-2009-2625 (CVE-2009-3720). This update fixes this vulnerability.

Update:

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

http://www.linuxsecurity.com/content/view/151291

  Mandriva: a2ps (Jan 4)

The a2ps package as provided in Mandriva Linux 2010.0 contains improvements concerning paper auto-detection, locale recognition and security issues. The locale recognition prevented the application from performing correctly; this update fixes the issue.

http://www.linuxsecurity.com/content/view/151281

  RedHat: kernel (Jan 7)

Updated kernel packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/151320

  RedHat: kernel (Jan 7)

Updated kernel packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/151319

  RedHat: dbus (Jan 7)

Updated dbus packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/151318

  RedHat: gd (Jan 4)

Updated gd packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/151280

  RedHat: PyXML (Jan 4)

An updated PyXML package that fixes one security issue is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/151279

  Slackware: mozilla-firefox (Jan 5)

New mozilla-firefox packages are available for Slackware 12.2, 13.0, and -current to fix security issues. The Firefox 3.0.16 package may also be used with Slackware 11.0 or newer.

More details about the issues may be found on the Mozilla website:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html

http://www.linuxsecurity.com/content/view/151293

  SuSE: Linux kernel (Jan 7)

http://www.linuxsecurity.com/content/view/151315

  Ubuntu: GIMP vulnerabilities (Jan 7)

Stefan Cornelius discovered that GIMP did not correctly handle certain malformed BMP files. If a user were tricked into opening a specially crafted BMP file, an attacker could execute arbitrary code with the user's privileges. (CVE-2009-1570)

Stefan Cornelius discovered that GIMP did not correctly handle certain malformed PSD files. If a user were tricked into opening a specially crafted PSD file, an attacker could execute arbitrary code with the user's privileges. This issue only applied to Ubuntu 8.10, 9.04 and 9.10. (CVE-2009-3909)

http://www.linuxsecurity.com/content/view/151314

  Pardus: PostgreSQL: Multiple (Jan 3)

Multiple vulnerabilities were found in PostgreSQL, which have various impacts on users.

http://www.linuxsecurity.com/content/view/151273

  Pardus: Wireshark: Multiple Vulnerabilities (Jan 3)

Multiple vulnerabilities were found in Wireshark, which can be exploited by malicious people to possibly execute arbitrary code.

http://www.linuxsecurity.com/content/view/151274

(c)Copyright 2012 Guardian Digital, Inc. All rights reserved.