http://www.linuxsecurity.com/ The central voice for Linux and Open Source security news. en-us generate-advisory-rss.pl (1.01) http://www.linuxsecurity.com/content/view/116271?rdf (Sep 9) With few junk e-mail filters supporting a protocol for verifying the source address of digital messages, spammers have adopted it themselves as a way to appear more legitimate, according to a report released on Wednesday. . . . ... http://www.linuxsecurity.com/content/view/116271?rdf Robert Lemos, CNET News.com http://www.linuxsecurity.com/content/view/136167?rdf (Apr 15) "The Book of Wireless" by John Ross is an answer to the problem of learning about wireless networking. With the wide spread use of Wireless networks today anyone with a computer should at least know the basics of wireless. Also, with the wireless ne ... http://www.linuxsecurity.com/content/view/136167?rdf LinuxSecurity.com http://www.linuxsecurity.com/content/view/136393?rdf (Apr 22) Flaws were discovered in Firefox which could lead to crashes during JavaScript garbage collection. If a user were tricked into opening a malicious web page, an attacker may be able to crash the browser or possibly execute arbitrary code with the user's privileges. (CVE-2008-1380) http://www.linuxsecurity.com/content/view/136393?rdf LinuxSecurity.com http://www.linuxsecurity.com/content/view/136392?rdf (Apr 21) Thilo Pfennig and Morten Welinder discovered that the XLS spreadsheet handling code in Gnumeric did not correctly calculate needed memory sizes. If a user or automated system were tricked into loading a specially crafted XLS document, a remote attacker could execute arbitrary code with user privileges. http://www.linuxsecurity.com/content/view/136392?rdf LinuxSecurity.com http://www.linuxsecurity.com/content/view/136350?rdf (Apr 17) USN-603-1 fixed vulnerabilities in poppler. This update provides the corresponding updates for KWord, part of KOffice. Original advisory details: It was discovered that the poppler PDF library did not correctly handle certain malformed embedded fonts. If a user or an automated system were tricked into opening a malicious PDF, a remote attacker could execute arbitrary code with user privileges. http://www.linuxsecurity.com/content/view/136350?rdf LinuxSecurity.com http://www.linuxsecurity.com/content/view/136347?rdf (Apr 17) It was discovered that the poppler PDF library did not correctly handle certain malformed embedded fonts. If a user or an automated system were tricked into opening a malicious PDF, a remote attacker could execute arbitrary code with user privileges. http://www.linuxsecurity.com/content/view/136347?rdf LinuxSecurity.com http://www.linuxsecurity.com/content/view/136156?rdf (Apr 11) Sebastian Krahmer discovered that rsync could overflow when handling ACLs. An attacker could construct a malicious set of files that when processed by rsync could lead to arbitrary code execution or a crash. http://www.linuxsecurity.com/content/view/136156?rdf LinuxSecurity.com http://www.linuxsecurity.com/content/view/136149?rdf (Apr 9) Chris Evans discovered that Ghostscript contained a buffer overflow in its color space handling code. If a user or automated system were tricked into opening a crafted Postscript file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2008-0411) http://www.linuxsecurity.com/content/view/136149?rdf LinuxSecurity.com http://www.linuxsecurity.com/content/view/135970?rdf (Apr 2) It was discovered that the CUPS administration interface contained a heap- based overflow flaw. A local attacker, and a remote attacker if printer sharing is enabled, could send a malicious request and possibly execute arbitrary code as the non-root user in Ubuntu 6.06 LTS, 6.10, and 7.04. In Ubuntu 7.10, attackers would be isolated by the AppArmor CUPS profile. (CVE-2008-0047) http://www.linuxsecurity.com/content/view/135970?rdf LinuxSecurity.com http://www.linuxsecurity.com/content/view/135969?rdf (Apr 2) USN-588-1 fixed vulnerabilities in MySQL. In fixing CVE-2007-2692 for Ubuntu 6.06, additional improvements were made to make privilege checks more restictive. As a result, an upstream bug was exposed which could cause operations on tables or views in a different database to fail. This update fixes the problem. http://www.linuxsecurity.com/content/view/135969?rdf LinuxSecurity.com http://www.linuxsecurity.com/content/view/135963?rdf (Apr 2) Timo Juhani Lindfors discovered that the OpenSSH client, when port forwarding was requested, would listen on any available address family. A local attacker could exploit this flaw on systems with IPv6 enabled to hijack connections, including X11 forwards. http://www.linuxsecurity.com/content/view/135963?rdf LinuxSecurity.com http://www.linuxsecurity.com/content/view/135813?rdf (Mar 26) It was discovered that Net::DNS did not correctly validate the size of DNS replies. A remote attacker could send a specially crafted DNS response and cause applications using Net::DNS to abort, leading to a denial of service. http://www.linuxsecurity.com/content/view/135813?rdf LinuxSecurity.com