Linux Advisory Watch - February 13th 2009
+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| February 13th, 2009 Volume 10, Number 7 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for phpmyadmin, libpam-heimdal,
libpam-krb5, TYPO3, gnutls13, boinc, devil, mozvoikko, ruby-gnome2,
mugshot, totem, yelp, cairo-dock, blam, galeon, devhelp, evolution-rss,
google-gadgets, kazehakase, miro, xulrunner, firefox, epiphany, chmsee,
sudo, python, drakxtools, glibc, gstreamer, squid, clamav, mod_auth_mysql,
vnc, netpbm, kernel, PHP, and wicd. The distributors include Debian,
Fedora, Gentoo, Mandriva, Red Hat, Slackware, and Ubuntu.
---
>> Linux+DVD Magazine <<
In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.
Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!
http://www.linuxsecurity.com/ads/adclick.php?bannerid=26
---
Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
Ask someone "How much do you know about Google?" and they will not take
even a second to answer. Ask instead "How much does Google know about
you?" and the reply is likely to be "Wait... what!? Do they!?" The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business, and what you can do to protect yourself.
http://www.linuxsecurity.com/content/view/145939
---
A Secure Nagios Server
----------------------
Nagios is monitoring software designed to tell you quickly about problems
on your hosts and networks, and it can be configured for any network.
Setting up a Nagios server on any Linux distribution is a quick process;
making that setup secure takes more work. This article will not show you
how to install Nagios, since plenty of installation guides already exist,
but it will show you in detail how to improve your Nagios security.
http://www.linuxsecurity.com/content/view/144088
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: New phpmyadmin packages fix arbitrary code execution (Feb 11)
---------------------------------------------------------------------
Michael Brooks discovered that phpMyAdmin, a tool to administer MySQL
over the web, performs insufficient input sanitising, allowing a
user-assisted remote attacker to execute code on the webserver.
http://www.linuxsecurity.com/content/view/147974
* Debian: New libpam-heimdal packages fix local privilege (Feb 11)
----------------------------------------------------------------
Derek Chan discovered that the PAM module for the Heimdal Kerberos
implementation allows reinitialisation of user credentials when run
from a setuid context. This can result in a local denial of service by
overwriting the credential cache file, or in local privilege
escalation.
http://www.linuxsecurity.com/content/view/147973
* Debian: New libpam-krb5 packages fix local privilege (Feb 11)
-------------------------------------------------------------
Several local vulnerabilities have been discovered in the PAM module
for MIT Kerberos. The Common Vulnerabilities and Exposures project
identifies the following problems...
http://www.linuxsecurity.com/content/view/147972
* Debian: New TYPO3 packages fix several vulnerabilities (Feb 10)
---------------------------------------------------------------
Several remote vulnerabilities have been discovered in the TYPO3 web
content management framework.
http://www.linuxsecurity.com/content/view/147967
* Debian: New gnutls13 packages fix certificate validation (Feb 10)
-----------------------------------------------------------------
Martin von Gagern discovered that GNUTLS, an implementation of the
TLS/SSL protocol, handles verification of X.509 certificate chains
incorrectly if a self-signed certificate is configured as a trusted
certificate. This could cause clients to accept forged server
certificates as genuine.
http://www.linuxsecurity.com/content/view/147964
* Debian: New boinc packages fix validation bypass (Feb 8)
--------------------------------------------------------
It was discovered that the core client for the BOINC distributed
computing infrastructure performs incorrect validation of the return
values of OpenSSL's RSA functions.
http://www.linuxsecurity.com/content/view/147961
* Debian: New devil packages fix buffer overflow (Feb 5)
------------------------------------------------------
Stefan Cornelius discovered a buffer overflow in devil, a
cross-platform image loading and manipulation toolkit, which could be
triggered via a crafted Radiance RGBE file. This could potentially
lead to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/147912
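The devil entry above is the classic image-loader failure: header fields of attacker-chosen length read into fixed-size stack buffers. The following is an added example, not DevIL's code and not a reproduction of its bug, showing what a bounded Radiance RGBE header parser looks like. The Radiance header format (a "#?RADIANCE" magic line, variable lines until a blank line, then a resolution string such as "-Y 512 +X 768") is real; the function names, the 128-byte line limit, the 65536 dimension cap and the sample header are choices made for this example. Any line that does not fit the buffer is treated as malformed rather than truncated or copied blindly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LINE_MAX 128        /* longest header line accepted; longer = malformed */
#define HDR_MAX_DIM  (1L << 16) /* sanity cap on width/height (example policy) */

/* Copy the next '\n'-terminated line of the header into out (capacity outcap).
   Returns bytes consumed on success, -1 if the line does not fit in outcap-1
   bytes or no newline is found before the data ends. The length check is the
   whole point: an unbounded copy here is how a crafted header smashes the stack. */
static long hdr_read_line(const char *data, size_t len, char *out, size_t outcap) {
    const char *nl = memchr(data, '\n', len);
    if (nl == NULL) return -1;
    size_t n = (size_t)(nl - data);
    if (n >= outcap) return -1;
    memcpy(out, data, n);
    out[n] = '\0';
    return (long)(n + 1);
}

/* Parse an RGBE header held in memory. On success stores width/height and
   returns the offset of the first scanline byte; returns -1 on any malformed
   input. Only the standard "-Y h +X w" orientation is accepted. */
static long rgbe_parse_header(const char *data, size_t len, long *width, long *height) {
    char line[HDR_LINE_MAX];
    size_t pos = 0;
    long n, w, h;
    char tail;

    /* magic line */
    n = hdr_read_line(data, len, line, sizeof line);
    if (n < 0) return -1;
    if (strcmp(line, "#?RADIANCE") != 0 && strcmp(line, "#?RGBE") != 0) return -1;
    pos += (size_t)n;

    /* variable lines (FORMAT=, EXPOSURE=, # comments) up to the blank line */
    for (;;) {
        n = hdr_read_line(data + pos, len - pos, line, sizeof line);
        if (n < 0) return -1;
        pos += (size_t)n;
        if (line[0] == '\0') break;
    }

    /* resolution string; the trailing %c must NOT match, so exactly 2 fields */
    n = hdr_read_line(data + pos, len - pos, line, sizeof line);
    if (n < 0) return -1;
    pos += (size_t)n;
    if (sscanf(line, "-Y %ld +X %ld%c", &h, &w, &tail) != 2) return -1;
    if (w <= 0 || h <= 0 || w > HDR_MAX_DIM || h > HDR_MAX_DIM) return -1;

    *width = w;
    *height = h;
    return (long)pos;
}

int main(void) {
    /* constructed sample header, not taken from a real file */
    static const char sample[] =
        "#?RADIANCE\n# constructed sample\nFORMAT=32-bit_rle_rgbe\n"
        "EXPOSURE=1.0\n\n-Y 512 +X 768\n";
    long w = 0, h = 0;
    long off = rgbe_parse_header(sample, sizeof sample - 1, &w, &h);
    printf("pixel data offset=%ld width=%ld height=%ld\n", off, w, h);
    return off < 0;
}
```

The dimension cap matters as much as the line bound: once width and height are trusted, the next step is usually width * height * 4 bytes of allocation, and an unchecked product there is the second overflow waiting in most loaders.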
------------------------------------------------------------------------
* Fedora 9 Update: mozvoikko-0.9.5-6.fc9 (Feb 6)
----------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147949
* Fedora 9 Update: gtkmozembedmm-1.4.2.cvs20060817-25.fc9 (Feb 6)
---------------------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147950
* Fedora 9 Update: ruby-gnome2-0.17.0-5.fc9 (Feb 6)
-------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147951
* Fedora 9 Update: mugshot-1.2.2-5.fc9 (Feb 6)
--------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147952
* Fedora 9 Update: totem-2.23.2-10.fc9 (Feb 6)
--------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147953
* Fedora 9 Update: yelp-2.22.1-8.fc9 (Feb 6)
------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147954
* Fedora 9 Update: cairo-dock-1.6.3.1-1.fc9.3 (Feb 6)
---------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147939
* Fedora 9 Update: gnome-python2-extras-2.19.1-23.fc9 (Feb 6)
-----------------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147940
* Fedora 9 Update: blam-1.8.5-5.fc9.1 (Feb 6)
-------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147941
* Fedora 9 Update: galeon-2.0.7-5.fc9 (Feb 6)
-------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147942
* Fedora 9 Update: gnome-web-photo-0.3-17.fc9 (Feb 6)
---------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147943
* Fedora 9 Update: devhelp-0.19.1-8.fc9 (Feb 6)
---------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147944
* Fedora 9 Update: evolution-rss-0.1.0-6.fc9 (Feb 6)
--------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147945
* Fedora 9 Update: google-gadgets-0.10.5-2.fc9 (Feb 6)
----------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147946
* Fedora 9 Update: kazehakase-0.5.6-1.fc9.3 (Feb 6)
-------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147947
* Fedora 9 Update: Miro-1.2.7-4.fc9 (Feb 6)
-----------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147948
* Fedora 10 Update: ruby-gnome2-0.18.1-3.fc10 (Feb 6)
---------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147932
* Fedora 10 Update: yelp-2.24.0-5.fc10 (Feb 6)
--------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147933
* Fedora 9 Update: xulrunner-1.9.0.6-1.fc9 (Feb 6)
------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147934
* Fedora 9 Update: firefox-3.0.6-1.fc9 (Feb 6)
--------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147935
* Fedora 9 Update: epiphany-extensions-2.22.1-7.fc9 (Feb 6)
---------------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147936
* Fedora 9 Update: epiphany-2.22.2-7.fc9 (Feb 6)
----------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147937
* Fedora 9 Update: chmsee-1.0.1-8.fc9 (Feb 6)
-------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147938
* Fedora 10 Update: gnome-web-photo-0.3-14.fc10 (Feb 6)
-----------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147926
* Fedora 10 Update: kazehakase-0.5.6-1.fc10.3 (Feb 6)
---------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147927
* Fedora 10 Update: mozvoikko-0.9.5-6.fc10 (Feb 6)
------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147928
* Fedora 10 Update: Miro-1.2.8-2.fc10 (Feb 6)
-------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147929
* Fedora 10 Update: mugshot-1.2.2-5.fc10 (Feb 6)
----------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147931
* Fedora 10 Update: epiphany-extensions-2.24.0-4.fc10 (Feb 6)
-----------------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147917
* Fedora 10 Update: devhelp-0.22-3.fc10 (Feb 6)
---------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147918
* Fedora 10 Update: epiphany-2.24.3-2.fc10 (Feb 6)
------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147919
* Fedora 10 Update: evolution-rss-0.1.2-4.fc10 (Feb 6)
----------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147920
* Fedora 10 Update: blam-1.8.5-6.fc10 (Feb 6)
-------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147921
* Fedora 10 Update: galeon-2.0.7-5.fc10 (Feb 6)
---------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147922
* Fedora 10 Update: google-gadgets-0.10.5-2.fc10 (Feb 6)
------------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147923
* Fedora 10 Update: gnome-python2-extras-2.19.1-26.fc10 (Feb 6)
-------------------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147924
* Fedora 10 Update: gecko-sharp2-0.13-4.fc10 (Feb 6)
--------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147925
* Fedora 10 Update: xulrunner-1.9.0.6-1.fc10 (Feb 6)
--------------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147915
* Fedora 10 Update: firefox-3.0.6-1.fc10 (Feb 6)
----------------------------------------------
Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
multiple security issues.
http://www.linuxsecurity.com/content/view/147916
------------------------------------------------------------------------
* Gentoo: sudo Privilege escalation (Feb 6)
-----------------------------------------
A vulnerability in sudo may allow for privilege escalation.
http://www.linuxsecurity.com/content/view/147960
------------------------------------------------------------------------
* Mandriva: [ MDVSA-2009:036 ] python (Feb 12)
--------------------------------------------
Multiple integer overflows in imageop.c in the imageop module in
Python 1.5.2 through 2.5.1 allow context-dependent attackers to break
out of the Python VM and execute arbitrary code via large integer
values in certain arguments to the crop function, leading to a buffer
overflow, a different vulnerability than CVE-2007-4965 and
CVE-2008-1679. (CVE-2008-4864)
http://www.linuxsecurity.com/content/view/147981
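The python entry above describes the size-check failure that every pixel-buffer routine is exposed to: width * height * bytes-per-pixel is computed first and compared to the buffer length afterwards, so a product that wraps lets a tiny buffer pass as a huge image. The following is an added example written for this newsletter, not Python's imageop.c and not its fix. It shows the wrapping check beside an overflow-checked version and a crop-argument validator built on it; the function names and the "reject out-of-range rectangles" policy are this example's own choices (imageop itself is a C module, which is why the example is in C).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <limits.h>

/* The unsafe pattern: multiply first, compare afterwards. With 32-bit
   arithmetic 65536 * 65536 * 1 wraps to 0, so a zero-length buffer "matches"
   a 4 GiB image and the crop loop then reads far past it. uint32_t is used
   so the wrap is well defined and reproducible. Returns 1 if len "matches". */
static int naive_len_matches(uint32_t w, uint32_t h, uint32_t bpp, uint32_t len) {
    return w * h * bpp == len;
}

/* Overflow-checked size: every multiplication is preceded by a division test
   against SIZE_MAX. Returns 0 and stores the size, or -1 if any argument is
   non-positive or the product would not fit in size_t. */
static int image_buffer_size(long w, long h, long bpp, size_t *out) {
    if (w <= 0 || h <= 0 || bpp <= 0) return -1;
    size_t uw = (size_t)w, uh = (size_t)h, ub = (size_t)bpp;
    if (uw > SIZE_MAX / uh) return -1;
    size_t px = uw * uh;
    if (px > SIZE_MAX / ub) return -1;
    *out = px * ub;
    return 0;
}

/* Validate crop(image, bpp, w, h, x0, y0, x1, y1) style arguments:
   the declared geometry must account for exactly `len` bytes, the rectangle
   must be non-empty and inside the source, and the output size must itself
   be representable. Returns 0 if safe, -1 otherwise. */
static int crop_args_ok(long w, long h, long bpp, size_t len,
                        long x0, long y0, long x1, long y1) {
    size_t need, out_len;
    if (image_buffer_size(w, h, bpp, &need) != 0 || need != len) return -1;
    if (x0 < 0 || y0 < 0 || x1 <= x0 || y1 <= y0 || x1 > w || y1 > h) return -1;
    if (image_buffer_size(x1 - x0, y1 - y0, bpp, &out_len) != 0) return -1;
    return 0;
}

int main(void) {
    printf("naive 65536x65536x1 vs len 0: %s\n",
           naive_len_matches(65536u, 65536u, 1u, 0u) ? "accepted (bug)" : "rejected");
    printf("checked crop on the same input: %s\n",
           crop_args_ok(65536, 65536, 1, 0, 0, 0, 16, 16) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The same division-before-multiplication test is the portable way to do this in C89/C99; compilers that provide __builtin_mul_overflow make it shorter, but the shape of the check is identical.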
* Mandriva: [ MDVA-2009:023 ] db46 (Feb 12)
-----------------------------------------
Additional official patches have been released for db 4.6 since the
Mandriva release.
http://www.linuxsecurity.com/content/view/147979
* Mandriva: [ MDVA-2009:022 ] xkeyboard-config (Feb 12)
-----------------------------------------------------
Wrong directory permissions would prevent the compilation of keyboard
mappings. This update fixes this issue.
http://www.linuxsecurity.com/content/view/147978
* Mandriva: [ MDVA-2009:021 ] drakxtools (Feb 12)
-----------------------------------------------
This update fixes several minor issues with drakxtools.
http://www.linuxsecurity.com/content/view/147977
* Mandriva: [ MDVA-2009:020 ] rhythmbox (Feb 12)
----------------------------------------------
Rhythmbox could crash when handling removable devices and media
players such as iPods. This update fixes the problem.
http://www.linuxsecurity.com/content/view/147976
* Mandriva: [ MDVA-2009:019 ] glibc (Feb 11)
------------------------------------------
The glibc packages released with Mandriva Linux 2008 and Mandriva
Linux 2008 Spring had the /etc/ld.so.conf file using relative paths
to include other config files from /etc/ld.so.conf.d, breaking the use
of ldconfig -r, for example with chroot environments. This update
fixes ld.so.conf to use absolute paths instead. Other cumulative bug
fixes are also provided.
http://www.linuxsecurity.com/content/view/147975
* Mandriva: [ MDVSA-2009:035 ] gstreamer0.10-plugins-good (Feb 10)
----------------------------------------------------------------
Security vulnerabilities have been discovered and corrected in
gstreamer0.10-plugins-good that might allow remote attackers to
execute arbitrary code via a malformed QuickTime media file
(CVE-2009-0386, CVE-2009-0387, CVE-2009-0397). The updated packages
have been patched to prevent this.
http://www.linuxsecurity.com/content/view/147968
* Mandriva: [ MDVSA-2009:034 ] squid (Feb 10)
-------------------------------------------
Due to an internal error, Squid is vulnerable to a denial of service
attack when processing specially crafted requests. This problem
allows any client to perform a denial of service attack on the Squid
service (CVE-2009-0478). The updated packages have been patched to
address this.
http://www.linuxsecurity.com/content/view/147966
* Mandriva: [ MDVA-2009:018 ] clamav (Feb 6)
------------------------------------------
This update fixes several issues with clamav.
http://www.linuxsecurity.com/content/view/147959
* Mandriva: [ MDVA-2009:017 ] glibc (Feb 6)
-----------------------------------------
The regexp.h header shipped with glibc 2.8 in Mandriva Linux 2009 had
an error that caused the build of programs using the regexp compile
function to fail. This update addresses the issue.
http://www.linuxsecurity.com/content/view/147955
------------------------------------------------------------------------
* RedHat: Moderate: mod_auth_mysql security update (Feb 11)
---------------------------------------------------------
An updated mod_auth_mysql package to correct a security issue is now
available for Red Hat Enterprise Linux 5. This update has been rated
as having moderate security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/147970
* RedHat: Moderate: vnc security update (Feb 11)
----------------------------------------------
Updated vnc packages to correct a security issue are now available
for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated
as having moderate security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/147971
* RedHat: Moderate: netpbm security update (Feb 11)
-------------------------------------------------
Updated netpbm packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 and 5. This update has been
rated as having moderate security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/147969
* RedHat: Important: kernel security update (Feb 10)
--------------------------------------------------
Updated kernel packages that resolve several security issues are now
available for Red Hat Enterprise Linux 5. This update has been rated
as having important security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/147965
* RedHat: Important: gstreamer-plugins security update (Feb 6)
------------------------------------------------------------
Updated gstreamer-plugins packages that fix one security issue are
now available for Red Hat Enterprise Linux 3. This update has been
rated as having important security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/147956
* RedHat: Important: gstreamer-plugins security update (Feb 6)
------------------------------------------------------------
Updated gstreamer-plugins packages that fix one security issue are
now available for Red Hat Enterprise Linux 4. This update has been
rated as having important security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/147957
* RedHat: Important: gstreamer-plugins-good security (Feb 6)
----------------------------------------------------------
Updated gstreamer-plugins-good packages that fix several security
issues are now available for Red Hat Enterprise Linux 5. This update
has been rated as having important security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/147958
* RedHat: Moderate: sudo security update (Feb 5)
----------------------------------------------
An updated sudo package to fix a security issue is now available for
Red Hat Enterprise Linux 5. This update has been rated as having
moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/147913
------------------------------------------------------------------------
* Slackware: wicd (Feb 9)
-----------------------
New wicd packages are available for Slackware 12.2 and -current to
fix a security issue with the D-Bus configuration file that could
allow local information disclosure (such as network credentials).
http://www.linuxsecurity.com/content/view/147963
------------------------------------------------------------------------
* Ubuntu: PHP vulnerabilities (Feb 12)
-------------------------------------
It was discovered that PHP did not properly enforce php_admin_value
and php_admin_flag restrictions in the Apache configuration file. A
local attacker could create a specially crafted PHP script that would
bypass intended security restrictions. This issue only applied to
Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2007-5900)
http://www.linuxsecurity.com/content/view/147983
* Ubuntu: pam-krb5 vulnerabilities (Feb 12)
------------------------------------------
It was discovered that pam_krb5 parsed environment variables when run
with setuid applications. A local attacker could exploit this flaw to
bypass authentication checks and gain root privileges.
(CVE-2009-0360) Derek Chan discovered that pam_krb5 incorrectly
handled refreshing existing credentials when used with setuid
applications. A local attacker could exploit this to create or
overwrite arbitrary files, and possibly gain root privileges.
(CVE-2009-0361)
http://www.linuxsecurity.com/content/view/147982
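The pam-krb5 entry above and the libpam-heimdal entry earlier in this issue share one root cause: a PAM module honouring environment variables (the credential cache name in particular) while running inside a setuid program, where the whole environment was chosen by a less-privileged user. The following is an added example written for this newsletter, not the code of pam_krb5 or of the Heimdal module, showing the decision a module has to make. The real/effective id comparison and the KRB5CCNAME variable are real; choose_ccache, plain_file_cache and the "absolute FILE: path only" policy are this example's own simplifications.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* A process is "setugid" when its effective ids differ from the real ones,
   i.e. it was started through a setuid/setgid binary (su, sudo, a screen
   locker calling PAM). In that state nothing in the environment may decide
   where the module reads or writes. */
static int running_setugid(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Accept a user-supplied cache name only when it is an absolute file path,
   optionally prefixed "FILE:", with no traversal components. Returns a
   pointer into val at the start of the path, or NULL to reject. */
static const char *plain_file_cache(const char *val) {
    if (val == NULL) return NULL;
    if (strncmp(val, "FILE:", 5) == 0) val += 5;
    if (val[0] != '/') return NULL;
    if (strstr(val, "/../") != NULL || strstr(val, "/./") != NULL) return NULL;
    size_t n = strlen(val);
    if (n >= 3 && strcmp(val + n - 3, "/..") == 0) return NULL;
    return val;
}

/* Pick the credential cache path. env_val is $KRB5CCNAME (may be NULL);
   setugid is running_setugid(), passed in so the decision is testable;
   fallback is a name derived from the real uid. In a setuid context the
   environment is ignored entirely. Example policy, not pam_krb5's logic. */
static const char *choose_ccache(const char *env_val, int setugid, const char *fallback) {
    if (setugid) return fallback;
    const char *p = plain_file_cache(env_val);
    return p != NULL ? p : fallback;
}

/* Default cache name built from the *real* uid, never from $USER or $HOME. */
static void default_ccache(char *out, size_t cap, uid_t real_uid) {
    snprintf(out, cap, "/tmp/krb5cc_%lu", (unsigned long)real_uid);
}

int main(void) {
    char def[64];
    default_ccache(def, sizeof def, getuid());
    const char *chosen = choose_ccache(getenv("KRB5CCNAME"), running_setugid(), def);
    printf("setugid=%d cache=%s\n", running_setugid(), chosen);
    return 0;
}
```

On glibc 2.17 and later, secure_getenv(3) returns NULL whenever the kernel marked the process AT_SECURE, which is the one-line form of the same rule; the explicit uid/gid comparison above is what older code had to do by hand, and it also covers the second point the advisories make: the cache file must be created under the real uid, not the effective one.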
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------