|
Information Security News
mailing list archives
Linux Advisory Watch: July 18th, 2008
From: InfoSec News <alerts () infosecnews org>
Date: Tue, 22 Jul 2008 00:03:22 -0500 (CDT)
+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| July 18th, 2008 Volume 9, Number 29 |
| |
| Editorial Team: Dave Wreski <dwreski () linuxsecurity com> |
| Benjamin D. Thomas <bthomas () linuxsecurity com> |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for afuse, pdns-recursor, cacti,
gaim, lighttpd, iceweasel, bind, pcre, x11, poppler, openldap,
openoffice, pidgin, firefox, php, java, ruby, and seamonkey. The
distributors include Debian, Gentoo, Mandriva, Red Hat, Slackware, and
Ubuntu.
---
Linux+DVD Magazine <<
In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.
Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!
http://www.linuxsecurity.com/ads/adclick.php?bannerid=26
---
Security Features of Firefox 3.0
--------------------------------
Lets take a look at the security features of the newly released Firefox
3.0. Since it's release on Tuesday I have been testing it out to see
how the new security enhancements work and help in increase user
browsing security. One of the exciting improvements for me was how
Firefox handles SSL secured web sites while browsing the Internet.
There are also many other security features that this article will look
at. For example, improved plugin and addon security.
Read on for more security features of Firefox 3.0.
http://www.linuxsecurity.com/content/view/138972
---
Review: The Book of Wireless
----------------------------
"The Book of Wireless" by John Ross is an answer to the problem of
learning about wireless networking. With the wide spread use of
Wireless networks today anyone with a computer should at least know the
basics of wireless. Also, with the wireless networking, users need to
know how to protect themselves from wireless networking attacks.
http://www.linuxsecurity.com/content/view/136167
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
-------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.19 (Version 3.0, Release 19). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/136174
------------------------------------------------------------------------
* Debian: New afuse packages fix privilege escalation (Jul 16)
------------------------------------------------------------
Anders Kaseorg discovered that afuse, an automounting file system in
user-space, did not properly escape meta characters in paths. This
allowed a local attacker with read access to the filesystem to
execute commands as the owner of the filesystem.
http://www.linuxsecurity.com/content/view/139936
* Debian: New pdns-recursor packages fix predictable randomness (Jul 16)
----------------------------------------------------------------------
Thomas Biege discovered that the upstream fix for the weak random
number generator released in DSA-1544-1 was incomplete: Source port
randomization did still not use difficult-to-predict random numbers.
This is corrected in this security update.
http://www.linuxsecurity.com/content/view/139935
* Debian: New cacti packages fix regression (Jul 15)
--------------------------------------------------
Since the previous security update, the cacti package could no longer
be rebuilt from the source package. This update corrects that
problem. Note that this problem does not affect regular use of the
provided binary packages (.deb).
http://www.linuxsecurity.com/content/view/139921
* Debian: New gaim packages fix execution of arbitrary code (Jul 15)
------------------------------------------------------------------
It was discovered that gaim, an multi-protocol instant messaging
client, was vulnerable to several integer overflows in its MSN
protocol handlers. These could allow a remote attacker to execute
arbitrary code.
http://www.linuxsecurity.com/content/view/139919
* Debian: New lighttpd packages fix multiple DOS issues (Jul 15)
--------------------------------------------------------------
Several local/remote vulnerabilities have been discovered in
lighttpd, a fast webserver with minimal memory footprint.
http://www.linuxsecurity.com/content/view/139918
* Debian: New iceweasel packages fix several vulnerabilities (Jul 11)
-------------------------------------------------------------------
Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered crashes
in the layout engine, which might allow the execution of arbitrary
code.
http://www.linuxsecurity.com/content/view/139768
------------------------------------------------------------------------
* Gentoo: Mercurial Directory traversal (Jul 15)
----------------------------------------------
A directory traversal vulnerability in
Mercurial allows for the renaming of arbitrary files.
http://www.linuxsecurity.com/content/view/139922
* Gentoo: BIND Cache poisoning (Jul 11)
-------------------------------------
A weakness in the DNS protocol has been reported, which could lead to
cache poisoning on recursive resolvers.
http://www.linuxsecurity.com/content/view/139769
------------------------------------------------------------------------
* Mandriva: Updated pcre packages fix vulnerability (Jul 16)
----------------------------------------------------------
Tavis Ormandy of the Google Security Team discovered a heap-based
buffer overflow when compiling certain regular expression patterns.
This could be used by a malicious attacker by sending a specially
crafted regular expression to an application using the PCRE library,
resulting in the possible execution of arbitrary code or a denial of
service (CVE-2008-2371). The updated packages have been patched to
correct this issue.
http://www.linuxsecurity.com/content/view/139926
* Mandriva: Updated x11-server packages fix offscreen pixmaps drawing issue (Jul 16)
----------------------------------------------------------------------------------
This x11-sever update disables offscreen pixmaps by default as they
were causing drawing issues with Firefox 3 and other applications. To
re-enable this option, use 'Option XaaOffscreenPixmaps on' in
xorg.conf.
http://www.linuxsecurity.com/content/view/139925
* Mandriva: Updated poppler packages fix arbitrary code execution vulnerability (Jul 15)
--------------------------------------------------------------------------------------
A memory management issue was found in libpoppler by Felipe Andres
Manzano that could allow for the execution of arbitrary code with the
privileges of the user running a poppler-based application, if they
opened a specially crafted PDF file (CVE-2008-2950). The updated
packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/139923
* Mandriva: Updated bluez/bluez-utils packages fix SDP packet parsing vulnerability (Jul 15)
------------------------------------------------------------------------------------------
An input validation flaw was found in the Bluetooth Session
Description Protocol (SDP) packet parser used in the Bluez bluetooth
utilities. A bluetooth device with an already-trusted relationship,
or a local user registering a service record via a UNIX socket or
D-Bus interface, could cause a crash and potentially execute
arbitrary code with the privileges of the hcid daemon
(CVE-2008-2374). The updated packages have been patched to correct
this issue.
http://www.linuxsecurity.com/content/view/139786
* Mandriva: Updated openldap packages fix slapd DoS vulnerability (Jul 12)
------------------------------------------------------------------------
A denial of service vulnerability was discovered in the way the
OpenLDAP slapd daemon processed certain network messages. An
unauthenticated remote attacker could send a specially crafted
request that would crash the slapd daemon (CVE-2008-2952). The
updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/139773
* Mandriva: Updated OpenOffice.org packages fix vulnerability (Jul 11)
--------------------------------------------------------------------
Integer overflow in the rtl_allocateMemory function in
sal/rtl/source/alloc_global.c in OpenOffice.org (OOo) 2.0 through 2.4
allows remote attackers to execute arbitrary code via a crafted file
that triggers a heap-based buffer overflow. The updated packages have
been patched to fix the issue.
http://www.linuxsecurity.com/content/view/139772
* Mandriva: Updated pidgin packages fix MSN protocol handler vulnerability (Jul 10)
---------------------------------------------------------------------------------
An integer overflow flaw was found in Pidgin's MSN protocol handler
that could allow for the execution of arbitrary code if a user
received a malicious MSN message (CVE-2008-2927). In addition, this
update provides the ability to use ICQ networks again on Mandriva
Linux 2008.0, as in MDVA-2008:103 (updated pidgin for 2008.1). The
updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/139761
------------------------------------------------------------------------
* RedHat: Critical: firefox security update (Jul 16)
--------------------------------------------------
An updated firefox package that fixes various security issues is now
available for Red Hat Enterprise Linux 4. This update has been rated
as having critical security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/139933
* RedHat: Critical: seamonkey security update (Jul 16)
----------------------------------------------------
Updated seamonkey packages that fix a security issue are now
available for Red Hat Enterprise Linux 2.1, 3, and 4. This update has
been rated as having critical security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/139934
* RedHat: Critical: firefox security update (Jul 16)
--------------------------------------------------
Updated firefox packages that fix various security issues are now
available for Red Hat Enterprise Linux 5. An integer overflow flaw
was found in the way Firefox displayed certain web content. A
malicious web site could cause Firefox to crash, or execute arbitrary
code with the permissions of the user running Firefox.
http://www.linuxsecurity.com/content/view/139932
* RedHat: Moderate: php security update (Jul 16)
----------------------------------------------
Updated PHP packages that fix several security issues are now
available for Red Hat Enterprise Linux 2.1. This update has been
rated as having moderate security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/139929
* RedHat: Moderate: php security and bug fix update (Jul 16)
----------------------------------------------------------
Updated php packages that fix several security issues and a bug are
now available for Red Hat Enterprise Linux 4. This update has been
rated as having moderate security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/139928
* RedHat: Moderate: php security update (Jul 16)
----------------------------------------------
Updated PHP packages that fix several security issues are now
available for Red Hat Enterprise Linux 3 and 5. This update has been
rated as having moderate security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/139927
* RedHat: Critical: java-1.5.0-sun security update (Jul 14)
---------------------------------------------------------
Updated java-1.5.0-sun packages that correct several security issues
are now available for Red Hat Enterprise Linux 4 Extras and 5
Supplementary. This update has been rated as having critical security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/139784
* RedHat: Critical: java-1.4.2-ibm security update (Jul 14)
---------------------------------------------------------
Updated java-1.4.2-ibm packages that fix several security issues are
now available for Red Hat Enterprise Linux 3 and 4 Extras, and 5
Supplementary. This update has been rated as having critical
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/139779
* RedHat: Moderate: ruby security update (Jul 14)
-----------------------------------------------
Updated ruby packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 and 5. This update has been
rated as having moderate security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/139780
* RedHat: Moderate: ruby security update (Jul 14)
-----------------------------------------------
Updated ruby packages that fix several security issues are now
available for Red Hat Enterprise Linux 2.1 and 3. This update has
been rated as having moderate security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/139781
* RedHat: Moderate: bluez-libs and bluez-utils security (Jul 14)
--------------------------------------------------------------
Updated bluez-libs and bluez-utils packages that fix a security flaw
are now available for Red Hat Enterprise Linux 4 and 5. This update
has been rated as having moderate security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/139782
* RedHat: Critical: java-1.6.0-sun security update (Jul 14)
---------------------------------------------------------
Updated java-1.6.0-sun packages that correct several security issues
are now available for Red Hat Enterprise Linux 4 Extras and 5
Supplementary. This update has been rated as having critical security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/139783
------------------------------------------------------------------------
* Slackware: mozilla-firefox (Jul 17)
-------------------------------------
New mozilla-firefox packages are available for Slackware 10.2, 11.0,
12.0, and 12.1 to fix security issues. More details about the issues
may be found on the Mozilla site:
http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
http://www.linuxsecurity.com/content/view/139938
* Slackware: seamonkey (Jul 17)
-------------------------------
New seamonkey packages are available for Slackware 11.0, 12.0, 12.1,
and -current to fix security issues. More details about the issues
may be found here:
http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.htm
l
http://www.linuxsecurity.com/content/view/139939
* Slackware: seamonkey (Jul 10)
-------------------------------
New seamonkey packages are available for Slackware 11.0, 12.0, 12.1,
and -current to fix security issues. More details about the issues
may be found here:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#s
eamonkey
http://www.linuxsecurity.com/content/view/139756
* Slackware: mozilla-firefox (Jul 10)
-------------------------------------
New mozilla-firefox packages are available for Slackware 10.2, 11.0,
12.0, and 12.1 to fix security issues. More details about the issues
may be found on the Mozilla site:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#f
irefox
http://www.linuxsecurity.com/content/view/139757
* Slackware: bind (Jul 10)
--------------------------
New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, and -current to address a security
problem. More details may be found at the following links:
http://www.isc.org/sw/bind/bind-security.php
http://www.kb.cert.org/vuls/id/800113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.linuxsecurity.com/content/view/139758
------------------------------------------------------------------------
* SuSE: bind (SUSE-SA:2008:033) (Jul 11)
--------------------------------------
The new version of bind uses a random transaction-ID (TRXID) and a
random UDP source-port for DNS queries to address DNS cache
poisoning attacks possible because of the "birthday paradox" and
an attack discovered by Dan Kaminsky. Unfortunately we do not have
details about Kaminsky's attack and have to trust the statement
that a random UDP source-port is sufficient to stop it.
http://www.linuxsecurity.com/content/view/139763
------------------------------------------------------------------------
* Ubuntu: Firefox vulnerabilities (Jul 17)
-----------------------------------------
A flaw was discovered in the browser engine. A variable could be made
to overflow causing the browser to crash. If a user were tricked into
opening a malicious web page, an attacker could cause a denial of
service or possibly execute arbitrary code with the privileges of the
user invoking the program. (CVE-2008-2785)
http://www.linuxsecurity.com/content/view/140005
* Ubuntu: PCRE vulnerability (Jul 14)
------------------------------------
Tavis Ormandy discovered that the PCRE library did not correctly
handle certain in-pattern options. An attacker could cause
applications linked against pcre3 to crash, leading to a denial of
service.
http://www.linuxsecurity.com/content/view/139785
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request () linuxsecurity com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com
 By Date 
By Thread
Current thread:
- Linux Advisory Watch: July 18th, 2008 InfoSec News (Jul 21)
|
Intro
