Linux Advisory Watch - January 23rd 2009
+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| January 23rd, 2009 Volume 10, Number 4 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for iceweasel, amarok, netatalk,
drupal, mumbles, moodle, uw-imap, devIL, net-snmp, scilab, php,
xine-lib, kdebase, ffmpeg, mplayer, thunderbird, bind, ntp, and perl.
The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat,
Slackware, SuSE, and Ubuntu.
---
>> Linux+DVD Magazine <<
In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.
Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!
http://www.linuxsecurity.com/ads/adclick.php?bannerid=26
---
Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" You may not take even a
second to respond. But if I may ask "How much does Google know about
you"? You may instantly reply "Wait... what!? Do they!?" The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.
http://www.linuxsecurity.com/content/view/145939
---
A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.
http://www.linuxsecurity.com/content/view/144088
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: New iceweasel packages fix several vulnerabilities (Jan 15)
-------------------------------------------------------------------
Several remote vulnerabilities have been discovered in the Iceweasel
web browser, an unbranded version of the Firefox browser. The Common
Vulnerabilities and Exposures project identifies the following
problems...
http://www.linuxsecurity.com/content/view/147395
* Debian: New amarok packages fix arbitrary code execution (Jan 15)
-----------------------------------------------------------------
Tobias Klein discovered that integer overflows in the code the Amarok
media player uses to parse Audible files may lead to the execution of
arbitrary code.
http://www.linuxsecurity.com/content/view/147394
* Debian: New netatalk packages fix arbitrary code execution (Jan 15)
-------------------------------------------------------------------
It was discovered that netatalk, an implementation of the AppleTalk
suite, is affected by a command injection vulnerability when
processing PostScript streams via papd. This could lead to the
execution of arbitrary code. Please note that this only affects
installations that are configured to use a pipe command in
combination with wildcard symbols substituted with values of the
printed job.
http://www.linuxsecurity.com/content/view/147391
------------------------------------------------------------------------
* Fedora 10 Update: drupal-6.9-1.fc10 (Jan 22)
--------------------------------------------
SA-CORE-2009-001 ( http://drupal.org/node/358957 ) Remember to log
in to your site as the admin user before upgrading this package.
After upgrading the package, browse to http://host/drupal/update.php
to run the upgrade script.
http://www.linuxsecurity.com/content/view/147690
* Fedora 9 Update: drupal-6.9-1.fc9 (Jan 22)
------------------------------------------
SA-CORE-2009-001 ( http://drupal.org/node/358957 ) Remember to log
in to your site as the admin user before upgrading this package.
After upgrading the package, browse to http://host/drupal/update.php
to run the upgrade script.
http://www.linuxsecurity.com/content/view/147691
* Fedora 9 Update: amarok-1.4.10-2.fc9 (Jan 22)
---------------------------------------------
This build includes a security fix concerning the parsing of
malformed Audible digital audio files.
http://www.linuxsecurity.com/content/view/147692
* Fedora 10 Update: mumbles-0.4-9.fc10 (Jan 22)
---------------------------------------------
- Fixed path to make mumbles run on x86_64 bug #479158 - Security
fix for Firefox plugin bug #479171
http://www.linuxsecurity.com/content/view/147693
* Fedora 9 Update: moodle-1.9.3-5.fc9 (Jan 22)
--------------------------------------------
Fix for spellcheck security flaw, and some font correction.
http://www.linuxsecurity.com/content/view/147694
* Fedora 10 Update: moodle-1.9.3-5.fc10 (Jan 22)
----------------------------------------------
Fix for spellcheck security flaw, and some font correction.
http://www.linuxsecurity.com/content/view/147695
* Fedora 10 Update: uw-imap-2007e-1.fc10 (Jan 22)
-----------------------------------------------
Update to new upstream version - 2007e. Contains fix for a
security issue - buffer overflow in rfc822_output_char /
rfc822_output_data (CVE-2008-5514).
http://www.linuxsecurity.com/content/view/147696
* Fedora 9 Update: DevIL-1.7.5-2.fc9 (Jan 22)
-------------------------------------------
- Fix missing symbols (rh 480269) - Fix off by one error in
CVE-2008-5262 check (rh 479864)
http://www.linuxsecurity.com/content/view/147697
* Fedora 9 Update: uw-imap-2007e-1.fc9 (Jan 22)
---------------------------------------------
Update to new upstream version - 2007e. Contains fix for a
security issue - buffer overflow in rfc822_output_char /
rfc822_output_data (CVE-2008-5514).
http://www.linuxsecurity.com/content/view/147698
* Fedora 10 Update: DevIL-1.7.5-2.fc10 (Jan 22)
---------------------------------------------
- Fix missing symbols (rh 480269) - Fix off by one error in
CVE-2008-5262 check (rh 479864)
http://www.linuxsecurity.com/content/view/147699
------------------------------------------------------------------------
* Gentoo: Net-SNMP Denial of Service (Jan 21)
-------------------------------------------
A vulnerability in Net-SNMP could lead to a Denial of Service.
http://www.linuxsecurity.com/content/view/147682
* Gentoo: Scilab Insecure temporary file usage (Jan 21)
-----------------------------------------------------
An insecure temporary file usage has been reported in Scilab,
allowing for symlink attacks.
http://www.linuxsecurity.com/content/view/147681
------------------------------------------------------------------------
* Mandriva: [ MDVSA-2009:024 ] php4 (Jan 21)
------------------------------------------
A buffer overflow in the imageloadfont() function in PHP allowed
context-dependent attackers to cause a denial of service (crash) and
potentially execute arbitrary code via a crafted font file
(CVE-2008-3658). A buffer overflow in the memnstr() function allowed
context-dependent attackers to cause a denial of service (crash) and
potentially execute arbitrary code via the delimiter argument to the
explode() function (CVE-2008-3659). PHP, when used as a FastCGI
module, allowed remote attackers to cause a denial of service (crash)
via a request with multiple dots preceding the extension
(CVE-2008-3660). The updated packages have been patched to correct
these issues.
http://www.linuxsecurity.com/content/view/147687
* Mandriva: [ MDVSA-2009:023 ] php (Jan 21)
-----------------------------------------
A vulnerability in PHP allowed context-dependent attackers to cause a
denial of service (crash) via a certain long string in the glob() or
fnmatch() functions (CVE-2007-4782)... The updated packages have been
patched to correct these issues.
http://www.linuxsecurity.com/content/view/147686
* Mandriva: [ MDVSA-2009:022 ] php (Jan 21)
-----------------------------------------
A vulnerability in PHP allowed context-dependent attackers to cause a
denial of service (crash) via a certain long string in the glob() or
fnmatch() functions (CVE-2007-4782).. The updated packages have been
patched to correct these issues.
http://www.linuxsecurity.com/content/view/147685
* Mandriva: [ MDVSA-2009:021 ] php (Jan 21)
-----------------------------------------
A buffer overflow in the imageloadfont() function in PHP allowed
context-dependent attackers to cause a denial of service (crash) and
potentially execute arbitrary code via a crafted font file
(CVE-2008-3658)... The updated packages have been patched to correct
these issues.
http://www.linuxsecurity.com/content/view/147684
* Mandriva: [ MDVSA-2009:020 ] xine-lib (Jan 21)
----------------------------------------------
Failure on Ogg files manipulation can lead remote attackers to cause
a denial of service by using crafted files (CVE-2008-3231).... This
update provides the fix for all these security issues found in
xine-lib 1.1.11 of Mandriva 2008.1. The vulnerabilities:
CVE-2008-5234, CVE-2008-5236, CVE-2008-5237, CVE-2008-5239,
CVE-2008-5240, CVE-2008-5243 are found in xine-lib 1.1.15 of Mandriva
2009.0 and are also fixed by this update.
http://www.linuxsecurity.com/content/view/147683
* Mandriva: [ MDVSA-2009:017 ] kdebase (Jan 16)
---------------------------------------------
A vulnerability in KDM allowed a local user to cause a denial of
service via unknown vectors (CVE-2007-5963). The updated packages
have been patched to prevent this issue.
http://www.linuxsecurity.com/content/view/147405
* Mandriva: [ MDVSA-2009:016 ] xen (Jan 16)
-----------------------------------------
Ian Jackson found a security issue in the QEMU block device drivers
backend that could allow a guest operating system to issue a block
device request and read or write arbitrary memory locations, which
could then lead to privilege escalation (CVE-2008-0928)... The
updated packages have been patched to prevent these issues.
http://www.linuxsecurity.com/content/view/147404
* Mandriva: [ MDVSA-2009:015 ] ffmpeg (Jan 15)
--------------------------------------------
Several vulnerabilities have been discovered in ffmpeg, related to
the execution of DTS generation code (CVE-2008-4866) and incorrect
handling of DCA_MAX_FRAME_SIZE value (CVE-2008-4867). The updated
packages have been patched to prevent this.
http://www.linuxsecurity.com/content/view/147401
* Mandriva: [ MDVSA-2009:014 ] mplayer (Jan 15)
---------------------------------------------
Several vulnerabilities have been discovered in mplayer, which could
allow remote attackers to execute arbitrary code via a malformed
TwinVQ file (CVE-2008-5616), and in ffmpeg, as used by mplayer,
related to the execution of DTS generation code (CVE-2008-4866). The
updated packages have been patched to prevent this.
http://www.linuxsecurity.com/content/view/147400
* Mandriva: [ MDVSA-2009:013 ] mplayer (Jan 15)
---------------------------------------------
Several vulnerabilities have been discovered in mplayer, which could
allow remote attackers to execute arbitrary code via a malformed
TwinVQ file (CVE-2008-5616), and in ffmpeg, as used by mplayer,
related to the execution of DTS generation code (CVE-2008-4866) and
incorrect handling of DCA_MAX_FRAME_SIZE value (CVE-2008-4867). The
updated packages have been patched to prevent this.
http://www.linuxsecurity.com/content/view/147399
* Mandriva: [ MDVSA-2009:012 ] mozilla-thunderbird (Jan 15)
---------------------------------------------------------
A number of security vulnerabilities have been discovered and
corrected in the latest Mozilla Thunderbird program, version 2.0.0.19
(CVE-2008-5500, CVE-2008-5503, CVE-2008-5506, CVE-2008-5507,
CVE-2008-5508, CVE-2008-5510, CVE-2008-5511, CVE-2008-5512). This
update provides the latest Thunderbird to correct these issues.
http://www.linuxsecurity.com/content/view/147396
* Mandriva: [ MDVA-2009:012 ] kphotoalbum (Jan 15)
------------------------------------------------
Kphotoalbum in Mandriva Linux 2009.0 had some unimplemented functions
that could lead to crashes. This new package implements those
functions and fixes the crashes.
http://www.linuxsecurity.com/content/view/147393
* Mandriva: [ MDVA-2009:011 ] kdegraphics4 (Jan 15)
-------------------------------------------------
This package updates the libkdraw and libkexiv2 libraries making it
possible to build newer versions of digikam.
http://www.linuxsecurity.com/content/view/147392
------------------------------------------------------------------------
* RedHat: Important: kernel security and bug fix update (Jan 22)
--------------------------------------------------------------
Updated kernel packages that fix several security issues and several
bugs are now available for Red Hat Enterprise MRG 1.0. This update
has been rated as having important security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/147689
------------------------------------------------------------------------
* Slackware bind 10.2/11.0 recompile (Jan 15)
-------------------------------------------
Updated bind packages are available for Slackware 10.2 and 11.0 to
address a load problem. It was reported that the initial build of
these updates complained that the Linux capability module was not
present and would refuse to load. It was determined that the
packages which were compiled on 10.2 and 11.0 systems running 2.6
kernels, and although the installed kernel headers are from 2.4.x, it
picked up on this resulting in packages that would only run under 2.4
kernels. These new packages address the issue. As always, any
problems noted with update patches should be reported to
security@xxxxxxxxxxxxx, and we will do our best to address them as
quickly as possible.
http://www.linuxsecurity.com/content/view/147398
* Slackware: ntp (Jan 15)
-------------------------
New ntp packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to a fix security
issue.
http://www.linuxsecurity.com/content/view/147388
* Slackware: openssl (Jan 15)
-----------------------------
New openssl packages are available for Slackware 11.0, 12.0, 12.1,
12.2, and -current to fix a security issue when connecting to an
SSL/TLS server that uses a certificate containing a DSA or ECDSA key.
http://www.linuxsecurity.com/content/view/147389
* Slackware: bind (Jan 15)
--------------------------
New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a security
issue.
http://www.linuxsecurity.com/content/view/147387
------------------------------------------------------------------------
* SuSE: bind (SUSE-SA:2009:005) (Jan 22)
--------------------------------------
The DNS daemon bind is used to resolve and lookup addresses on the
inter- net. Some month ago a vulnerability in the DNS protocol
and its numbers was published that allowed easy spoofing of DNS
entries. The only way to pro- tect against spoofing is to use
DNSSEC. Unfortunately the bind code that verifys the certification
chain of a DNS- SEC zone transfer does not properly check the
return value of function DSA_do_verify(). This allows the spoofing
of records signed with DSA or NSEC3DSA.
http://www.linuxsecurity.com/content/view/147688
------------------------------------------------------------------------
* Ubuntu:Perl regression (Jan 15)
-------------------------------
USN-700-1 fixed vulnerabilities in Perl. Due to problems with the
Ubuntu 8.04 build, some Perl .ph files were missing from the
resulting update. This update fixes the problem. We apologize for
the inconvenience.
http://www.linuxsecurity.com/content/view/147397
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
[Fedora Announce]
[Linux Crypto]
[Kernel]
[Netfilter]
[Video for Linux]
[Bugtraq]
[USB]
[Fedora Security]
