Linux Advisory Watch - September 6th 2009
+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| September 6th, 2009 Volume 10, Number 37 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for ikiwiki, xemacs, fetchmail,
openoffice, mapserver, qt, htmldoc, firebird, httpd, irssi, xmlrpc,
kdebase, nss, postfix, mysql, rgmanager, cman, gfs, nfs-utils,
kernel-rt, and dnsmasq. The distributors include Debian, Fedora,
Mandriva, Red Hat, and Ubuntu.
---
>> Linux+DVD Magazine <<
In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.
Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!
http://www.linuxsecurity.com/ads/adclick.php?bannerid=26
---
Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" You may not take even a
second to respond. But if I may ask "How much does Google know about
you"? You may instantly reply "Wait... what!? Do they!?" The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.
http://www.linuxsecurity.com/content/view/145939
---
A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.
http://www.linuxsecurity.com/content/view/144088
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: New devscripts packages fix remote code execution (Sep 2)
-----------------------------------------------------------------
Raphael Geissert discovered that uscan, a program to check for
availability of new source code versions which is part of the
devscripts package, runs Perl code downloaded from potentially
untrusted sources to implement its URL and version mangling
functionality.
http://www.linuxsecurity.com/content/view/149956
* Debian: New mysql-dfsg-5.0 packages fix arbitrary code (Sep 2)
--------------------------------------------------------------
In MySQL 4.0.0 through 5.0.83, multiple format string vulnerabilities
in the dispatch_command() function in libmysqld/sql_parse.cc in
mysqld allow remote authenticated users to cause a denial of service
(daemon crash) and potentially the execution of arbitrary code via
format string specifiers in a database name in a COM_CREATE_DB or
COM_DROP_DB request.
http://www.linuxsecurity.com/content/view/149955
* Debian: New dnsmasq packages fix remote code execution (Sep 1)
--------------------------------------------------------------
Several remote vulnerabilities have been discovered in the TFTP
component of dnsmasq.
http://www.linuxsecurity.com/content/view/149941
* Debian: New ikiwiki packages fix information disclosure (Aug 31)
----------------------------------------------------------------
http://www.linuxsecurity.com/content/view/149924
------------------------------------------------------------------------
* Fedora 11 Update: xemacs-21.5.29-2.fc11 (Sep 4)
-----------------------------------------------
This update fixes multiple buffer overflows when reading large image
files, or maliciously created image files whose headers misrepresent
the actual image size. The update also addresses multiple font
issues, some of which cause warnings on startup. Some warnings
remain, however, unless an ISO8859-13 fonts (e.g., terminus) is
installed. Also note that some warnings remain on Rawhide pending a
resolution for bz 507637.
http://www.linuxsecurity.com/content/view/149966
* Fedora 10 Update: fetchmail-6.3.8-9.fc10 (Sep 4)
------------------------------------------------
If fetchmail is running in daemon mode, it must be restarted for this
update to take effect (use the "fetchmail --quit" command to stop the
fetchmail process).
http://www.linuxsecurity.com/content/view/149967
* Fedora 11 Update: fetchmail-6.3.9-5.fc11 (Sep 4)
------------------------------------------------
If fetchmail is running in daemon mode, it must be restarted for this
update to take effect (use the "fetchmail --quit" command to stop the
fetchmail process).
http://www.linuxsecurity.com/content/view/149965
* Fedora 10 Update: xemacs-21.5.28-10.fc10 (Sep 4)
------------------------------------------------
This update fixes multiple buffer overflows when reading large image
files, or maliciously created image files whose headers misrepresent
the actual image size.
http://www.linuxsecurity.com/content/view/149964
* Fedora 10 Update: openoffice.org-3.0.1-15.6.fc10 (Sep 4)
--------------------------------------------------------
CVE-2009-0200/CVE-2009-0201: Harden .doctable insert/delete record
import handling.
http://www.linuxsecurity.com/content/view/149963
* Fedora 10 Update: mapserver-5.2.3-1.fc10 (Sep 2)
------------------------------------------------
Changing imagepath and imageurl no longer allowed via URL, New fix
for incomplete CVE-2009-0840 security fix made in 5.2.2, Fixed seg
fault if font not found with label ANGLE FOLLOW (#2973)
http://www.linuxsecurity.com/content/view/149960
* Fedora 11 Update: mapserver-5.2.3-1.fc11 (Sep 2)
------------------------------------------------
Changing imagepath and imageurl no longer allowed via URL, New fix
for incomplete CVE-2009-0840 security fix made in 5.2.2, Fixed seg
fault if font not found with label ANGLE FOLLOW (#2973)
http://www.linuxsecurity.com/content/view/149957
* Fedora 11 Update: qt-4.5.2-3.fc11 (Sep 2)
-----------------------------------------
security fix for CVE-2009-2700
http://www.linuxsecurity.com/content/view/149958
* Fedora 10 Update: qt-4.5.2-3.fc10 (Sep 2)
-----------------------------------------
security fix for CVE-2009-2700
http://www.linuxsecurity.com/content/view/149959
* Fedora 10 Update: htmldoc-1.8.27-8.fc10 (Aug 31)
------------------------------------------------
Fix scanf issues found by Gentoo. Fix FTBFS on Fedora 12.
http://www.linuxsecurity.com/content/view/149930
* Fedora 11 Update: htmldoc-1.8.27-12.fc11 (Aug 31)
-------------------------------------------------
Fix scanf issues found by Gentoo. Fix FTBFS on Fedora 12.
http://www.linuxsecurity.com/content/view/149929
* Fedora 11 Update: firebird-2.1.3.18185.0-2.fc11 (Aug 31)
--------------------------------------------------------
Upgrade from previous package version may be a problem since
previous version remove /var/run/firebird and it shouldn't This
release fix this problem for future updates If you are in that case
(no longer /var/run/firebird directory after upgrade), just reinstall
firebird-2.1.3.18185.0-2 package or create /var/run/firebird owned
by user firebird
http://www.linuxsecurity.com/content/view/149928
* Fedora 11 Update: httpd-2.2.13-1.fc11 (Aug 31)
----------------------------------------------
This update includes the latest release of the Apache HTTP Server,
version 2.2.13, fixing several security issues: * Fix a potential
Denial-of-Service attack against mod_deflate or other modules, by
forcing the server to consume CPU time in compressing a large file
after a client disconnects. (CVE-2009-1891) * Prevent the
"Includes" Option from being enabled in an .htaccess file if the
AllowOverride restrictions do not permit it. (CVE-2009-1195) * Fix
a potential Denial-of-Service attack against mod_proxy in a reverse
proxy configuration, where a remote attacker can force a proxy
process to consume CPU time indefinitely. (CVE-2009-1890) *
mod_proxy_ajp: Avoid delivering content from a previous request which
failed to send a request body. (CVE-2009-1191) Many bug fixes are
also included; see the upstream changelog for further details:
http://www.apache.org/dist/httpd/CHANGES_2.2.13
http://www.linuxsecurity.com/content/view/149927
* Fedora 10 Update: irssi-0.8.13-3.fc10 (Aug 31)
----------------------------------------------
http://www.linuxsecurity.com/content/view/149926
* Fedora 10 Update: firebird-2.1.3.18185.0-2.fc10 (Aug 31)
--------------------------------------------------------
Upgrade from previous package version may be a problem since
previous version remove /var/run/firebird and it shouldn't This
release fix this problem for future updates If you are in that case
(no longer /var/run/firebird directory after upgrade), just reinstall
firebird-2.1.3.18185.0-2 package or create /var/run/firebird owned
by user firebird
http://www.linuxsecurity.com/content/view/149925
------------------------------------------------------------------------
* Mandriva: Subject: [Security Announce] [ MDVA-2009:158 ] xmlrpc-c (Sep 3)
-------------------------------------------------------------------------
This update resolves a missing dependency for the recent KDE4
updates.
http://www.linuxsecurity.com/content/view/149962
* Mandriva: Subject: [Security Announce] [ MDVA-2009:157 ] kdebase4-workspace (Sep 2)
-----------------------------------------------------------------------------------
krandrtray from KDE4 is known to have some issues. A patch was added
that makes krandrtray open its configuration module when the system
tray icon is clicked.
http://www.linuxsecurity.com/content/view/149954
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:197 ] nss (Sep 1)
---------------------------------------------------------------------
Security issues in nss prior to 3.12.3 could lead to a
man-in-the-middle attack via a spoofed X.509 certificate
(CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also
cause a denial-of-service and possible code execution via a long
domain name in X.509 certificate (CVE-2009-2404). This update
provides the latest versions of NSS and NSPR libraries which are not
vulnerable to those attacks.
http://www.linuxsecurity.com/content/view/149940
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:224 ] postfix (Aug 30)
--------------------------------------------------------------------------
A vulnerability has been found and corrected in postfix: Postfix 2.5
before 2.5.4 and 2.6 before 2.6-20080814 delivers to a mailbox file
even when this file is not owned by the recipient, which allows local
users to read e-mail messages by creating a mailbox file
corresponding to another user's account name (CVE-2008-2937). This
update provides a solution to this vulnerability.
http://www.linuxsecurity.com/content/view/149918
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:223 ] xerces-c (Aug 30)
---------------------------------------------------------------------------
A vulnerability has been found and corrected in xerces-c: Stack
consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache
Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to
cause a denial of service (application crash) via vectors involving
nested parentheses and invalid byte values in simply nested DTD
structures, as demonstrated by the Codenomicon XML fuzzing framework
(CVE-2009-1885). This update provides a solution to this
vulnerability.
http://www.linuxsecurity.com/content/view/149917
------------------------------------------------------------------------
* RedHat: Important: openoffice.org security update (Sep 4)
---------------------------------------------------------
Updated openoffice.org packages that correct security issues are now
available for Red Hat Enterprise Linux 3, 4, and 5. This update has
been rated as having important security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/149968
* RedHat: Moderate: mysql security and bug fix update (Sep 2)
-----------------------------------------------------------
Updated mysql packages that fix various security issues and several
bugs are now available for Red Hat Enterprise Linux 5. This update
has been rated as having moderate security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/149953
* RedHat: Low: gdm security and bug fix update (Sep 2)
----------------------------------------------------
Updated gdm packages that fix a security issue and several bugs are
now available for Red Hat Enterprise Linux 5. This update has been
rated as having low security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/149952
* RedHat: Low: rgmanager security, bug fix, (Sep 2)
-------------------------------------------------
An updated rgmanager package that fixes multiple security issues,
various bugs, and adds enhancements is now available for Red Hat
Enterprise Linux 5.
http://www.linuxsecurity.com/content/view/149950
* RedHat: Low: cman security, bug fix, (Sep 2)
--------------------------------------------
Updated cman packages that fix several security issues, various bugs,
and add enhancements are now available for Red Hat Enterprise Linux
5. This update has been rated as having low security impact by the
Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/149951
* RedHat: Low: gfs2-utils security and bug fix update (Sep 2)
-----------------------------------------------------------
An updated gfs2-utils package that fixes multiple security issues and
various bugs is now available for Red Hat Enterprise Linux 5. This
update has been rated as having low security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/149949
* RedHat: Moderate: openssl security, bug fix, (Sep 2)
----------------------------------------------------
Updated openssl packages that fix several security issues, various
bugs, and add enhancements are now available for Red Hat Enterprise
Linux 5. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/149948
* RedHat: Low: ecryptfs-utils security, bug fix, (Sep 2)
------------------------------------------------------
Updated ecryptfs-utils packages that fix a security issue, various
bugs, and add enhancements are now available for Red Hat Enterprise
Linux 5. This update has been rated as having low security impact by
the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/149946
* RedHat: Low: nfs-utils security and bug fix update (Sep 2)
----------------------------------------------------------
An updated nfs-utils package that fixes a security issue and several
bugs is now available. This update has been rated as having low
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/149947
* RedHat: Low: openssh security, bug fix, (Sep 2)
-----------------------------------------------
Updated openssh packages that fix a security issue, a bug, and add
enhancements are now available for Red Hat Enterprise Linux 5. This
update has been rated as having low security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/149945
* RedHat: Important: Red Hat Enterprise Linux 5.4 kernel (Sep 2)
--------------------------------------------------------------
Updated kernel packages that fix security issues, address several
hundred bugs and add numerous enhancements are now available as part
of the ongoing support and maintenance of Red Hat Enterprise Linux
version 5. This is the fourth regular update.
http://www.linuxsecurity.com/content/view/149943
* RedHat: Low: lftp security and bug fix update (Sep 2)
-----------------------------------------------------
An updated lftp package that fixes one security issue and various
bugs is now available for Red Hat Enterprise Linux 5. This update has
been rated as having low security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/149944
* RedHat: Important: kernel-rt security and bug fix update (Sep 1)
----------------------------------------------------------------
Updated kernel-rt packages that fix several security issues and
various bugs are now available for Red Hat Enterprise MRG 1.1. This
update has been rated as having important security impact by the Red
Hat Security Response Team.
http://www.linuxsecurity.com/content/view/149938
* RedHat: Important: kernel-rt security and bug fix update (Sep 1)
----------------------------------------------------------------
Updated kernel-rt packages that fix several security issues and
various bugs are now available for Red Hat Enterprise MRG 1.1. This
update has been rated as having important security impact by the Red
Hat Security Response Team.
http://www.linuxsecurity.com/content/view/149937
* RedHat: Important: dnsmasq security update (Aug 31)
---------------------------------------------------
An updated dnsmasq package that fixes two security issues is now
available for Red Hat Enterprise Linux 5. This update has been rated
as having important security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/149931
------------------------------------------------------------------------
* Ubuntu: Dnsmasq vulnerabilities (Sep 1)
----------------------------------------
IvAin Arce, Pablo HernAin Jorge, Alejandro Pablo Rodriguez, MartAn
Coco, Alberto SoliAto Testa and Pablo Annetta discovered that Dnsmasq
did not properly validate its input when processing TFTP requests for
files with long names. A remote attacker could cause a denial of
service or execute arbitrary code with user privileges.
http://www.linuxsecurity.com/content/view/149942
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
[Fedora Announce]
[Linux Crypto]
[Kernel]
[Netfilter]
[Video for Linux]
[Bugtraq]
[USB]
[Fedora Security]
