[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ISN] Linux Advisory Watch - January 9th 2009
+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| January 9th, 2009 Volume 10, Number 2 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for icedove, ruby, xterm, proftpd,
thunderbird, dovecove, samba, wireshark, kernel, msec, bind, lcms,
handterm-xf, openssl, xen, and gnome-vfs. The distributors include
Debian, Fedora, Red Hat, Slackware, Ubuntu, and Pardus.
---
>> Linux+DVD Magazine <<
In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.
Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!
http://www.linuxsecurity.com/ads/adclick.php?bannerid=26
---
Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" You may not take even a
second to respond. But if I may ask "How much does Google know about
you"? You may instantly reply "Wait... what!? Do they!?" The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.
http://www.linuxsecurity.com/content/view/145939
---
A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.
http://www.linuxsecurity.com/content/view/144088
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: New icedove packages fix several vulnerabilities (Jan 7)
----------------------------------------------------------------
Several remote vulnerabilities have been discovered in the Icedove
mail client, an unbranded version of the Thunderbird mail client.
http://www.linuxsecurity.com/content/view/147033
* Debian: New Ruby packages fix denial of service (Jan 2)
-------------------------------------------------------
The regular expression engine of Ruby, a scripting language, contains
a memory leak which can be triggered remotely under certain
circumstances, leading to a denial of service condition
(CVE-2008-3443).
http://www.linuxsecurity.com/content/view/146706
* Debian: New xterm packages fix remote code execution (Jan 2)
------------------------------------------------------------
Paul Szabo discovered that xterm, a terminal emulator for the X
Window System, places arbitrary characters into the input buffer when
displaying certain crafted escape sequences (CVE-2008-2383).
http://www.linuxsecurity.com/content/view/146705
------------------------------------------------------------------------
* Fedora 8 Update: proftpd-1.3.1-8.fc8 (Jan 7)
--------------------------------------------
This update fixes a security issue where an attacker could conduct
cross-site request forgery (CSRF) attacks and execute arbitrary FTP
commands. It also fixes some SSL shutdown issues seen with certain
clients.
http://www.linuxsecurity.com/content/view/146968
* Fedora 9 Update: thunderbird-2.0.0.19-1.fc9 (Jan 7)
---------------------------------------------------
Update to the new upstream Thunderbird 2.0.0.19 fixing multiple
security issues: http://www.mozilla.org/security/known-
vulnerabilities/thunderbird20.html#thunderbird2.0.0.19 Note: after
the updated packages are installed, Thunderbird must be restarted for
the update to take effect.
http://www.linuxsecurity.com/content/view/146962
* Fedora 10 Update: thunderbird-2.0.0.19-1.fc10 (Jan 7)
-----------------------------------------------------
Update to the new upstream Thunderbird 2.0.0.19 fixing multiple
security issues: http://www.mozilla.org/security/known-
vulnerabilities/thunderbird20.html#thunderbird2.0.0.19 Note: after
the updated packages are installed, Thunderbird must be restarted for
the update to take effect.
http://www.linuxsecurity.com/content/view/146956
* Fedora 8 Update: xterm-238-1.fc8 (Jan 7)
----------------------------------------
This update fixes the following security issue: CRLF injection
vulnerability in xterm allows user-assisted attackers to execute
arbitrary commands via LF (aka \n) characters surrounding a command
name within a Device Control Request Status String (DECRQSS) escape
sequence in a text file, a related issue to CVE-2003-0063 and
CVE-2003-0071.
http://www.linuxsecurity.com/content/view/146907
* Fedora 8 Update: dovecot-1.0.15-16.fc8 (Jan 7)
----------------------------------------------
new possibility to store ssl passwords in different file linked to
dovecot.conf via !include_try directive change permissions of deliver
and dovecot.conf to prevent possible password exposure change
permissions of deliver and dovecot.conf to prevent possible password
exposure
http://www.linuxsecurity.com/content/view/146910
* Fedora 10 Update: samba-3.2.7-0.25.fc10 (Jan 7)
-----------------------------------------------
Security fix for CVE-2009-0022
http://www.linuxsecurity.com/content/view/146912
* Fedora 9 Update: dovecot-1.0.15-16.fc9 (Jan 7)
----------------------------------------------
new possibility to store ssl passwords in different file linked to
dovecot.conf via !include_try directive change permissions of deliver
and dovecot.conf to prevent possible password exposure
http://www.linuxsecurity.com/content/view/146902
* Fedora 10 Update: xterm-238-1.fc10 (Jan 7)
------------------------------------------
This update fixes the following security issue: CRLF injection
vulnerability in xterm allows user-assisted attackers to execute
arbitrary commands via LF (aka \n) characters surrounding a command
name within a Device Control Request Status String (DECRQSS) escape
sequence in a text file, a related issue to CVE-2003-0063 and
CVE-2003-0071.
http://www.linuxsecurity.com/content/view/146834
* Fedora 9 Update: wireshark-1.0.5-1.fc9 (Jan 7)
----------------------------------------------
Various minor security flaws were fixed in wireshark 1.0.5
http://www.linuxsecurity.com/content/view/146824
* Fedora 8 Update: thunderbird-2.0.0.19-1.fc8 (Jan 7)
---------------------------------------------------
Update to the new upstream Thunderbird 2.0.0.19 fixing multiple
security issues: http://www.mozilla.org/security/known-
vulnerabilities/thunderbird20.html#thunderbird2.0.0.19 Note: after
the updated packages are installed, Thunderbird must be restarted for
the update to take effect.
http://www.linuxsecurity.com/content/view/146828
* Fedora 10 Update: proftpd-1.3.1-8.fc10 (Jan 7)
----------------------------------------------
This update fixes a security issue where an attacker could conduct
cross-site request forgery (CSRF) attacks and execute arbitrary FTP
commands. It also fixes some SSL shutdown issues seen with certain
clients.
http://www.linuxsecurity.com/content/view/146829
* Fedora 9 Update: xterm-238-1.fc9 (Jan 7)
----------------------------------------
This update fixes the following security issue: CRLF injection
vulnerability in xterm allows user-assisted attackers to execute
arbitrary commands via LF (aka \n) characters surrounding a command
name within a Device Control Request Status String (DECRQSS) escape
sequence in a text file, a related issue to CVE-2003-0063 and
CVE-2003-0071.
http://www.linuxsecurity.com/content/view/146795
* Fedora 9 Update: proftpd-1.3.1-8.fc9 (Jan 7)
--------------------------------------------
This update fixes a security issue where an attacker could conduct
cross-site request forgery (CSRF) attacks and execute arbitrary FTP
commands. It also fixes some SSL shutdown issues seen with certain
clients.
http://www.linuxsecurity.com/content/view/146800
------------------------------------------------------------------------
* Mandriva: Subject: [Security Announce] [ MDVA-2009:007 ] kernel (Jan 7)
-----------------------------------------------------------------------
The security fix for CVE-2007-6716 in previous kernel update
introduced a problem in directio, when calling pvcreate. This update
provides an updated patch fixing it.
http://www.linuxsecurity.com/content/view/147078
* Mandriva: Subject: [Security Announce] [ MDVA-2009:002 ] msec (Jan 5)
---------------------------------------------------------------------
This update fixes the following two issues with msec: when changing
to a higher security level, permit_root_login is not handled
correctly (bug #19726)
http://www.linuxsecurity.com/content/view/146710
------------------------------------------------------------------------
* RedHat: Moderate: bind security update (Jan 8)
----------------------------------------------
Updated Bind packages to correct a security issue are now available
for Red Hat Enterprise Linux 2.1, 3, 4, and 5. A flaw was discovered
in the way BIND checked the return value of the OpenSSL DSA_do_verify
function. On systems using DNSSEC, a malicious zone could present a
malformed DSA certificate and bypass proper certificate validation,
allowing spoofing attacks. (CVE-2009-0025) This update has been rated
as having moderate security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/147114
* RedHat: Important: kernel security update (Jan 8)
-------------------------------------------------
Updated kernel packages that fix a number of security issues are now
available for Red Hat Enterprise Linux 2.1 running on 32-bit
architectures. This update has been rated as having important
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/147112
* RedHat: Moderate: lcms security update (Jan 7)
----------------------------------------------
Updated lcms packages that resolve several security issues are now
available for Red Hat Enterprise Linux 5. Multiple insufficient input
validation flaws were discovered in LittleCMS. An attacker could use
these flaws to create a specially-crafted image file which could
cause an application using LittleCMS to crash, or, possibly, execute
arbitrary code when opened.
http://www.linuxsecurity.com/content/view/147029
* RedHat: Important: hanterm-xf security update (Jan 7)
-----------------------------------------------------
An updated hanterm-xf package to correct a security issue is now
available for Red Hat Enterprise Linux 2.1. A flaw was found in the
Hanterm handling of Device Control Request Status String (DECRQSS)
escape sequences. An attacker could create a malicious text file (or
log entry, if unfiltered) that could run arbitrary commands if read
by a victim inside a Hanterm window. (CVE-2008-2383)
http://www.linuxsecurity.com/content/view/147030
* RedHat: Important: openssl security update (Jan 7)
--------------------------------------------------
Updated OpenSSL packages that correct a security issue are now
available for Red Hat Enterprise Linux 2.1, 3, 4, and 5. The Google
security team discovered a flaw in the way OpenSSL checked the
verification of certificates. An attacker in control of a malicious
server, or able to effect a "man in the middle" attack, could present
a malformed SSL/TLS signature from a certificate chain to a
vulnerable client and bypass validation. This update has been rated
as having important security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/147027
* RedHat: Moderate: dbus security update (Jan 7)
----------------------------------------------
Updated dbus packages that fix a security issue are now available for
Red Hat Enterprise Linux 5. A denial-of-service flaw was discovered
in the system for sending messages between applications. A local user
could send a message with a malformed signature to the bus causing
the bus (and, consequently, any process using libdbus to receive
messages) to abort.
http://www.linuxsecurity.com/content/view/147028
* RedHat: Important: xterm security update (Jan 7)
------------------------------------------------
An updated xterm package to correct a security issue is now available
for Red Hat Enterprise Linux 3, 4, and 5. A flaw was found in the
xterm handling of Device Control Request Status String (DECRQSS)
escape sequences. An attacker could create a malicious text file (or
log entry, if unfiltered) that could run arbitrary commands if read
by a victim inside an xterm window. (CVE-2008-2383)
http://www.linuxsecurity.com/content/view/147026
* RedHat: Moderate: thunderbird security update (Jan 7)
-----------------------------------------------------
Updated thunderbird packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 and 5. Several flaws were
found in the processing of malformed HTML mail content. An HTML mail
message containing malicious content could cause Thunderbird to crash
or, potentially, execute arbitrary code as the user running
Thunderbird. (CVE-2008-5500,
http://www.linuxsecurity.com/content/view/147023
* RedHat: Moderate: xen security and bug fix update (Jan 7)
---------------------------------------------------------
Updated xen packages that resolve several security issues and a bug
are now available for Red Hat Enterprise Linux 5. Xen was found to
allow unprivileged DomU domains to overwrite xenstore values which
should only be changeable by the privileged Dom0 domain. An attacker
controlling a DomU domain could, potentially, use this flaw to kill
arbitrary processes in Dom0 or trick a Dom0 user into accessing the
text console of a different domain running on the same host. This
update makes certain parts of the xenstore tree read-only to the
unprivileged DomU domains. (CVE-2008-4405)
http://www.linuxsecurity.com/content/view/147024
* RedHat: Moderate: gnome-vfs, gnome-vfs2 security update (Jan 7)
---------------------------------------------------------------
Updated GNOME VFS packages that fix a security issue are now
available for Red Hat Enterprise Linux 2.1, 3 and 4. A buffer
overflow flaw was discovered in the GNOME virtual file system when
handling data returned by CDDB servers. If a user connected to a
malicious CDDB server, an attacker could use this flaw to execute
arbitrary code on the victim's machine.
http://www.linuxsecurity.com/content/view/147025
* RedHat: Important: kernel security update (Jan 5)
-------------------------------------------------
Updated kernel packages that fix a number of security issues are now
available for Red Hat Enterprise Linux 2.1 running on 64-bit
architectures. This update has been rated as having important
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/146707
------------------------------------------------------------------------
* Slackware: samba (Jan 5)
--------------------------
New samba packages are available for Slackware 12.2 and -current to
fix a security issue. More details about this issue may be found in
the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0022
http://www.linuxsecurity.com/content/view/146715
------------------------------------------------------------------------
* Ubuntu: Samba vulnerability (Jan 5)
------------------------------------
Gunter Hckel discovered that Samba with registry shares enabled did
not properly validate share names. An authenticated user could gain
access to the root filesystem by using an older version of smbclient
and specifying an empty string as a share name. This is only an issue
if registry shares are enabled on the server by setting "registry
shares = yes", "include = registry", or "config backend = registry",
which is not the default.
http://www.linuxsecurity.com/content/view/146709
------------------------------------------------------------------------
* Pardus: Samba Security Bypass (Jan 8)
-------------------------------------
A security issue has been reported in Samba, which can be exploited
by malicious users to bypass certain security restrictions.
http://www.linuxsecurity.com/content/view/147113
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
_______________________________________________
Please help InfoSecNews.org with a donation!
http://www.infosecnews.org/donate.html