Linux Advisory Watch - December 26th 2008
+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| December 26th, 2008 Volume 9, Number 52 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for courier-authlib, moodle, avahi,
VLC, imlib2, ampache, clamav, powerdns, mailscanner, flash-plugin,
java, firefox, nagios, blender, perl, mplayer, php and git. The
distributors include Gentoo, Mandriva, Red Hat, Slackware, Ubuntu, and
Pardus.
---
>> Linux+DVD Magazine <<
In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.
Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!
http://www.linuxsecurity.com/ads/adclick.php?bannerid=26
---
Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" You may not take even a
second to respond. But if I may ask "How much does Google know about
you"? You may instantly reply "Wait... what!? Do they!?" The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.
http://www.linuxsecurity.com/content/view/145939
---
A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.
http://www.linuxsecurity.com/content/view/144088
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: New courier-authlib packages fix regression (Dec 22)
------------------------------------------------------------
Two SQL injection vulnerabilities have beein found in
courier-authlib, the courier authentification library. The MySQL
database interface used insufficient escaping mechanisms when
constructing SQL statements, leading to SQL injection vulnerabilities
if certain charsets are used (CVE-2008-2380). A similar issue
affects the PostgreSQL database interface (CVE-2008-2667).
http://www.linuxsecurity.com/content/view/146349
* Debian: New moodle packages fix several vulnerabilities (Dec 22)
----------------------------------------------------------------
Several remote vulnerabilities have been discovered in Moodle, an
online course management system. The following issues are addressed
in this update, ranging from cross site scripting to remote code
execution.
http://www.linuxsecurity.com/content/view/146340
* Debian: New avahi packages fix denial of service (Dec 22)
---------------------------------------------------------
Two denial of service conditions were discovered in avahi, a
Multicast DNS implementation. Huge Dias discovered that the avahi
daemon aborts with an assert error if it encounters a UDP packet with
source port 0 (CVE-2008-5081).
http://www.linuxsecurity.com/content/view/146339
* Debian: New courier-authlib packages fix SQL injection (Dec 20)
---------------------------------------------------------------
Two SQL injection vulnerabilities have beein found in
courier-authlib, the courier authentification library. The MySQL
database interface used insufficient escaping mechanisms when
constructing SQL statements, leading to SQL injection vulnerabilities
if certain charsets are used (CVE-2008-2380). A similar issue
affects the PostgreSQL database interface (CVE-2008-2667).
http://www.linuxsecurity.com/content/view/146064
------------------------------------------------------------------------
* Gentoo: VLC Multiple vulnerabilities (Dec 23)
---------------------------------------------
Multiple vulnerabilities in VLC may lead to the remote execution of
arbitrary code.
http://www.linuxsecurity.com/content/view/146362
* Gentoo: Imlib2 User-assisted execution of arbitrary code (Dec 23)
-----------------------------------------------------------------
A buffer overflow vulnerability has been discovered in Imlib2.
http://www.linuxsecurity.com/content/view/146361
* Gentoo: Ampache Insecure temporary file usage (Dec 23)
------------------------------------------------------
An insecure temporary file usage has been reported in Ampache,
allowing for symlink attacks.
http://www.linuxsecurity.com/content/view/146360
* Gentoo: ClamAV Multiple vulnerabilities (Dec 23)
------------------------------------------------
Two vulnerabilities in ClamAV may allow for the remote execution of
arbitrary code or a Denial of Service.
http://www.linuxsecurity.com/content/view/146359
* Gentoo: PowerDNS Multiple vulnerabilities (Dec 19)
--------------------------------------------------
Two vulnerabilities have been discovered in PowerDNS, possibly
leading to a Denial of Service and easing cache poisoning attacks.
http://www.linuxsecurity.com/content/view/146062
------------------------------------------------------------------------
* Mandriva: Subject: [Security Announce] [ MDVA-2008:241 ] mailscanner (Dec 22)
-----------------------------------------------------------------------------
Local users can use symlink attacks throughout a flaw on
trend-autoupdate script of MailScanner by using /tmp/opr.ini.##### or
/tmp/lpt temporary file (CVE-2008-5140).
http://www.linuxsecurity.com/content/view/146348
------------------------------------------------------------------------
* RedHat: Critical: flash-plugin security update (Dec 19)
-------------------------------------------------------
An updated Adobe Flash Player package that fixes a security issue is
now available for Red Hat Enterprise Linux 3 Extras, Red Hat
Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5
Supplementary. This update has been rated as having critical security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/146061
* RedHat: Important: java-1.4.2-bea security update (Dec 18)
----------------------------------------------------------
java-1.4.2-bea as shipped in Red Hat Enterprise Linux 3 Extras, Red
Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5
Supplementary, contains security flaws and should not be used. This
update has been rated as having important security impact by the Red
Hat Security Response Team.
http://www.linuxsecurity.com/content/view/146053
* RedHat: Important: java-1.5.0-bea security update (Dec 18)
----------------------------------------------------------
java-1.5.0-bea as shipped in Red Hat Enterprise Linux 4 Extras and
Red Hat Enterprise Linux 5 Supplementary, contains security flaws and
should not be used. This update has been rated as having important
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/146054
* RedHat: Important: java-1.6.0-bea security update (Dec 18)
----------------------------------------------------------
java-1.6.0-bea as shipped in Red Hat Enterprise Linux 4 Extras and
Red Hat Enterprise Linux 5 Supplementary, contains security flaws and
should not be used.This update has been rated as having important
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/146055
------------------------------------------------------------------------
* Slackware: mozilla-firefox (Dec 18)
-------------------------------------
New mozilla-firefox packages are available for Slackware 10.2, 11.0,
12.0, 12.1, 12.2, and -current to fix security issues.
http://www.linuxsecurity.com/content/view/146060
------------------------------------------------------------------------
* Ubuntu: OpenOffice.org Internationalization update (Dec 23)
------------------------------------------------------------
USN-677-1 fixed vulnerabilities in OpenOffice.org. The changes
required that openoffice.org-l10n also be updated for the new version
in Ubuntu 8.04 LTS. Original advisory details: Multiple memory
overflow flaws were discovered in OpenOffice.org's handling of WMF
and EMF files. If a user were tricked into opening a specially
crafted document, a remote attacker might be able to execute
arbitrary code with user privileges. (CVE-2008-2237, CVE-2008-2238)
http://www.linuxsecurity.com/content/view/146358
* Ubuntu: Nagios vulnerabilities (Dec 23)
----------------------------------------
It was discovered that Nagios was vulnerable to a Cross-site request
forgery (CSRF) vulnerability. If an authenticated nagios user were
tricked into clicking a link on a specially crafted web page, an
attacker could trigger commands to be processed by Nagios and execute
arbitrary programs. This update alters Nagios behaviour by disabling
submission of CMD_CHANGE commands. (CVE-2008-5028)
http://www.linuxsecurity.com/content/view/146351
* Ubuntu: Blender vulnerabilities (Dec 22)
-----------------------------------------
It was discovered that Blender did not correctly handle certain
malformed Radiance RGBE images. If a user were tricked into opening a
.blend file containing a specially crafted Radiance RGBE image, an
attacker could execute arbitrary code with the user's privileges.
(CVE-2008-1102)
http://www.linuxsecurity.com/content/view/146342
* Ubuntu: Nagios3 vulnerabilities (Dec 22)
-----------------------------------------
It was discovered that Nagios was vulnerable to a Cross-site request
forgery (CSRF) vulnerability. If an authenticated nagios user were
tricked into clicking a link on a specially crafted web page, an
attacker could trigger commands to be processed by Nagios and execute
arbitrary programs. This update alters Nagios behaviour by disabling
submission of CMD_CHANGE commands. (CVE-2008-5028)
http://www.linuxsecurity.com/content/view/146343
* Ubuntu: Imlib2 vulnerability (Dec 22)
--------------------------------------
It was discovered that Imlib2 did not correctly handle certain
malformed XPM and PNG images. If a user were tricked into opening a
specially crafted image with an application that uses Imlib2, an
attacker could cause a denial of service and possibly execute
arbitrary code with the user's privileges.
http://www.linuxsecurity.com/content/view/146344
* Ubuntu: Nagios vulnerability (Dec 22)
--------------------------------------
It was discovered that Nagios did not properly parse commands
submitted using the web interface. An authenticated user could use a
custom form or a browser addon to bypass security restrictions and
submit unauthorized commands.
http://www.linuxsecurity.com/content/view/146345
------------------------------------------------------------------------
* Pardus: Perl Symlink Attack (Dec 24)
------------------------------------
Race condition in the rmtree function in File::Path 1.08 and
2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users
to create arbitrary setuid binaries via a symlink attack.
http://www.linuxsecurity.com/content/view/146388
* Pardus: Mplayer Buffer Overflow (Dec 24)
----------------------------------------
Stack-based buffer overflow in the demux_open_vqf function
in libmpdemux/demux_vqf.c in MPlayer allows remote attackers to
execute arbitrary code via a malformed TwinVQ file.
http://www.linuxsecurity.com/content/view/146387
* Pardus: Flashplugin System access Vulnerability (Dec 23)
--------------------------------------------------------
A vulnerability has been reported in Adobe Flash Player,
which potentially can be exploited by malicious people to compromise
a user's system.
http://www.linuxsecurity.com/content/view/146357
* Pardus: Thunderbird Multiple Vulnerabilities (Dec 23)
-----------------------------------------------------
Some vulnerabilities have been reported in Mozilla Thunderbird,
which can be exploited by malicious people to bypass certain
security restrictions, disclose sensitive information, conduct
cross-site scripting attacks, or potentially compromise a user's
system.
http://www.linuxsecurity.com/content/view/146356
* Pardus: Firefox Multiple Vulnerabilities (Dec 23)
-------------------------------------------------
Some vulnerabilities have been reported in Mozilla Firefox, which can
be exploited by malicious people to bypass certain security
restrictions, disclose sensitive information, conduct cross-site
scripting attacks, or potentially compromise a user's system.
http://www.linuxsecurity.com/content/view/146355
* Pardus: Sun-JDK Multiple Vulnerabilities (Dec 23)
-------------------------------------------------
Some vulnerabilities have been reported in Sun Java, which can
be exploited by malicious people to bypass certain security
restrictions, disclose sensitive information, cause a DoS (Denial
of service), or compromise a vulnerable system.
http://www.linuxsecurity.com/content/view/146354
* Pardus: Avahi Denial of Service Vulnerability (Dec 23)
------------------------------------------------------
The vulnerability is caused due to an error when processing
multicast DNS (mDNS) data and can be exploited to terminate the
application via an UDP packet having a source port equal to zero.
http://www.linuxsecurity.com/content/view/146353
* Pardus: Php Multiple Vulnerabilities (Dec 23)
---------------------------------------------
Some vulnerabilities have been reported in PHP, where some have
an unknown impact and others can potentially be exploited by
malicious people to cause a DoS (Denial of Service) or compromise a
vulnerable system.
http://www.linuxsecurity.com/content/view/146352
* Pardus: Git Privilege Escalation (Dec 23)
-----------------------------------------
A security issue has been reported in GIT, which can be exploited
by malicious, local users to gain escalated privileges.
http://www.linuxsecurity.com/content/view/146389
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
[Fedora Announce]
[Linux Crypto]
[Kernel]
[Netfilter]
[Video for Linux]
[Bugtraq]
[USB]
[Fedora Security]
