AOH :: IS1120.HTM

Linux Advisory Watch: September 12th, 2008




Linux Advisory Watch: September 12th, 2008
Linux Advisory Watch: September 12th, 2008



+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| September 12th, 2008                             Volume 9, Number 37 |
|                                                                      |
| Editorial Team: Dave Wreski  | 
| Benjamin D. Thomas  | 
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for xine, bitlbee, xastir, samba,
yelp, policycoreutils, libtiff, amarok, vlc, mysql, dnsmasq, clamav,
tomcat, ipa, postfix, and racoon.  The distributors include Debian,
Fedora, Gentoo, Mandriva, Red Hat, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26 

---

Review: Hacking Exposed Linux, Third Edition
--------------------------------------------
"Hacking Exposed Linux" by  ISECOM (Institute for Security and Open
Methodologies) is a guide to help you secure your Linux environment.
This book does not only help improve your security it looks at why you
should. It does this by showing examples of real attacks and rates the
importance of protecting yourself from being a victim of each type of
attack.

http://www.linuxsecurity.com/content/view/141165 

---

Security Features of Firefox 3.0
--------------------------------
Lets take a look at the security features of the newly released Firefox
3.0. Since it's release on Tuesday I have been testing it out to see
how the new security enhancements work and help in increase user
browsing security.  One of the exciting improvements for me was how
Firefox handles SSL secured web sites while browsing the Internet.
There are also many other security features that this article will look
at. For example, improved plugin and addon security.

Read on for more security features of Firefox 3.0.

http://www.linuxsecurity.com/content/view/138972 

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- 

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.20 Now Available (Aug 19)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.20 (Version 3.0, Release 20). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  In distribution since 2001, EnGarde Secure Community was one of the
  very first security platforms developed entirely from open source,
  and has been engineered from the ground-up to provide users and
  organizations with complete, secure Web functionality, DNS, database,
  e-mail security and even e-commerce.

http://www.linuxsecurity.com/content/view/141173 

------------------------------------------------------------------------

* Debian: New freetype packages fix multiple vulnerabilities (Sep 10)
  -------------------------------------------------------------------
  An integer overflow allows context-dependent attackers to execute
  arbitrary code via a crafted set of values within the Private
  dictionary table in a Printer Font Binary (PFB) file.

http://www.linuxsecurity.com/content/view/141779 

------------------------------------------------------------------------

* Fedora 9 Update: xine-lib-1.1.15-1.fc9 (Sep 10)
  -----------------------------------------------
  This release fixes multiple bugs and security issues:  - DoS via
  corrupted Ogg files (CVE-2008-3231)  - multiple possible buffer
  overflows detailed in oCERT-2008-008=09  For more details, see:
http://sourceforge.net/project/shownotes.php?release_id=619869&group_ 
id=9655 http://www.ocert.org/advisories/ocert-2008-008.html=09 NOTE: 
  A coordinated release with 3rd-party repos was not possible, so this
  update may result in dependency issues with currently-installed
  xine-lib-extras-* rpms.  This temporary problem will be rectified
  asap.

http://www.linuxsecurity.com/content/view/141645 

* Fedora 8 Update: bitlbee-1.2.2-1.fc8 (Sep 10)
  ---------------------------------------------
  Upstream released Bitlbee 1.2.2 with the following changes to the
  former release:    - Security bugfix: It was possible to hijack
  accounts (without gaining access to the old account, it's simply an
  overwrite)  - Some more stability improvements.  - Fixed bug where
  people with non-lowercase nicks couldn't drop their account.=09-
  Easier upgrades of non-forking daemon mode servers (using the DEAF
  command).  - Can be cross-compiled for Win32 now! (No support for SSL
  yet though, which makes it less useful for now.)  - Exponential
  backoff on auto-reconnect.  - Changing passwords gives less confusing
  feedback ("password is empty") now.=09 Finished 26 Aug 2008

http://www.linuxsecurity.com/content/view/141595 

* Fedora 9 Update: xastir-1.9.2-9.fc9 (Sep 10)
  --------------------------------------------
  Multiple insecure temporary file usage flaws were identified in the
  get- maptools.sh and get_shapelib.sh scripts shipped in xastir
  packages.    As those scripts are not needed with Fedora-distributed
  xastir packages (they automate installation of libraries used by
  xastir, which are provided in the Fedora archive in the pre-packaged
  RPM format), they were removed.

http://www.linuxsecurity.com/content/view/141567 

* Fedora 9 Update: samba-3.2.3-0.20.fc9 (Sep 10)
  ----------------------------------------------
  Security fix for CVE-2008-3789 detailed in the upstream advisory:
http://www.samba.org/samba/security/CVE-2008-3789.html 

http://www.linuxsecurity.com/content/view/141531 

* Fedora 9 Update: R-2.7.2-1.fc9 (Sep 10)
  ---------------------------------------
  Update to R 2.7.2, also fixes security issue with unsafe temp
  directory handling in javareconf script.

http://www.linuxsecurity.com/content/view/141514 

* Fedora 8 Update: rpy-1.0.3-3.fc8 (Sep 10)
  -----------------------------------------
  Update to R 2.7.2, also fixes security issue with unsafe temp
  directory handling in javareconf script.

http://www.linuxsecurity.com/content/view/141478 

* Fedora 8 Update: R-2.7.2-1.fc8 (Sep 10)
  ---------------------------------------
  Update to R 2.7.2, also fixes security issue with unsafe temp
  directory handling in javareconf script.

http://www.linuxsecurity.com/content/view/141479 

* Fedora 8 Update: yelp-2.20.0-12.fc8 (Sep 10)
  --------------------------------------------
  This update fixes a format string vulnerability that was discovered
  in yelp 2.20.

http://www.linuxsecurity.com/content/view/141480 

* Fedora 9 Update: policycoreutils-2.0.52-8.fc9 (Sep 10)
  ------------------------------------------------------
  Security-enhanced Linux is a feature of the Linux=C2=AE kernel and a
  number of utilities with enhanced security functionality designed to
  add mandatory access controls to Linux.  The Security-enhanced Linux
  kernel contains new architectural components originally developed to
  improve the security of the Flask operating system. These
  architectural components provide general support for the enforcement
  of many kinds of mandatory access control policies, including those
  based on the concepts of Type Enforcement=C2=AE, Role-based Access
  Control, and Multi-level Security.

http://www.linuxsecurity.com/content/view/141455 

* Fedora 8 Update: libtiff-3.8.2-11.fc8 (Sep 10)
  ----------------------------------------------
  Fixes LZW decoding vulnerabilities described in CVE-2008-2327

http://www.linuxsecurity.com/content/view/141381 

* Fedora 8 Update: amarok-1.4.10-1.fc8 (Sep 10)
  ---------------------------------------------
  Amarok 1.4.10 has been released to fix a security problem.  For more
information please see http://amarok.kde.org/en/node/535/ Please 
  update.

http://www.linuxsecurity.com/content/view/141357 

* Fedora 9 Update: samba-3.2.3-0.20.fc9 (Sep 5)
  ---------------------------------------------
  Security fix for CVE-2008-3789 detailed in the upstream advisory:
http://www.samba.org/samba/security/CVE-2008-3789.html 

http://www.linuxsecurity.com/content/view/141248 

------------------------------------------------------------------------

* Gentoo: Amarok Insecure temporary file creation (Sep 8)
  -------------------------------------------------------
  Amarok uses temporary files in an insecure manner, allowing for a
  symlink attack.

http://www.linuxsecurity.com/content/view/141304 

* Gentoo: libTIFF User-assisted execution of arbitrary (Sep 8)
  ------------------------------------------------------------
  Multiple buffer underflow vulnerabilities in libTIFF may allow for
  the remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/141303 

* Gentoo: VLC Multiple vulnerabilities (Sep 7)
  --------------------------------------------
  Two vulnerabilities in VLC may lead to the remote execution of
  arbitrary code.

http://www.linuxsecurity.com/content/view/141300 

* Gentoo: Courier Authentication Library SQL injection (Sep 5)
  ------------------------------------------------------------
  =3D=3D=3D=3D=3D=3D=3D=3D An SQL injection vulnerability 
  has been discovered in the Courier Authentication Library.

http://www.linuxsecurity.com/content/view/141298 

* Gentoo: MySQL Privilege bypass (Sep 4)
  --------------------------------------
  A vulnerability in MySQL might allow users to bypass privileges and
  gain access to other databases.

http://www.linuxsecurity.com/content/view/141242 

* Gentoo: dnsmasq Denial of Service and DNS spoofing (Sep 4)
  ----------------------------------------------------------
  Two vulnerabilities in dnsmasq might allow for a Denial of Service or
  spoofing of DNS replies.

http://www.linuxsecurity.com/content/view/141241 

* Gentoo: yelp User-assisted execution of arbitrary code (Sep 4)
  --------------------------------------------------------------
  A vulnerability in yelp can lead to the execution of arbitrary code
  when opening a URI, for example through Firefox.

http://www.linuxsecurity.com/content/view/141240 

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:190 ] postfix (Sep 10)
  --------------------------------------------------------------------------
  A vulnerability in Postfix 2.4 and later was discovered, when running
  on Linux kernel 2.6, where a local user could cause a denial of
  service due to Postfix leaking the epoll file descriptor when
  executing non-Postfix commands (CVE-2008-3889). The updated packages
  have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/141777 

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:189 ] clamav (Sep 10)
  -------------------------------------------------------------------------
  A number of unspecified vulnerabilities in ClamAV were reported that
  have an unknown impact and attack vectors related to file descriptor
  leaks (CVE-2008-3914).

http://www.linuxsecurity.com/content/view/141309 

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:188 ] tomcat5 (Sep 5)
  -------------------------------------------------------------------------
  A number of vulnerabilities have been discovered in the Apache Tomcat
  server: The default catalina.policy in the JULI logging component did
  not restrict certain permissions for web applications which could
  allow a remote attacker to modify logging configuration options and
  overwrite arbitrary files.

http://www.linuxsecurity.com/content/view/141299 

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:186 ] python (Sep 4)
  ------------------------------------------------------------------------
  Multiple integer overflows were reported by the Google Security Team
  that had been fixed in Python 2.5.2 (CVE-2008-3143). The Python
  packages on Corporate 3 have been updated to the latest version
  2.3.7, which corrects this issue.

http://www.linuxsecurity.com/content/view/141244 

------------------------------------------------------------------------

* RedHat: Important: libxml2 security update (Sep 11)
  ---------------------------------------------------
  A denial of service flaw was found in the way libxml2 processed
  certain content. If an application linked against libxml2 processed
  malformed XML content, it could cause the application to use an
  excessive amount of CPU time and memory, and stop responding.
  (CVE-2003-1564)

http://www.linuxsecurity.com/content/view/141784 

* RedHat: Important: libxml2 security update (Sep 11)
  ---------------------------------------------------
  Updated libxml2 packages that fix a security issue are now available
  for Red Hat Enterprise Linux 3, 4, and 5. A heap-based buffer
  overflow flaw was found in the way libxml2 handled long XML entity
  names. If an application linked against libxml2 processed untrusted
  malformed XML content, it could cause the application to crash or,
  possibly, execute arbitrary code. (CVE-2008-3529) This update has
  been rated as having important security impact by the Red Hat
  Security Response Team.

http://www.linuxsecurity.com/content/view/141783 

* RedHat: Important: ipa security update (Sep 10)
  -----------------------------------------------
  Updated ipa packages that fix a security flaw are now available for
  Red Hat Enterprise IPA. This update has been rated as having
  important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/141776 

* RedHat: Moderate: redhat-ds-base security and bug fix (Sep 10)
  --------------------------------------------------------------
  Updated redhat-ds-base packages are now available that fix security
  issues and various bugs for Red Hat Enterprise IPA. This update has
  been rated as having moderate security impact by the Red Hat Security
  Response Team.

http://www.linuxsecurity.com/content/view/141775 

------------------------------------------------------------------------

* Ubuntu:  Postfix vulnerabilities (Sep 10)
  -----------------------------------------
  Wietse Venema discovered that Postfix leaked internal file
  descriptors when executing non-Postfix commands.  A local attacker
  could exploit this to cause Postfix to run out of descriptors,
  leading to a denial of service.

http://www.linuxsecurity.com/content/view/141781 

* Ubuntu:  Racoon vulnerabilities (Sep 8)
  ---------------------------------------
  It was discovered that there were multiple ways to leak memory during
  the IKE negotiation when handling certain packets.  If a remote
  attacker sent repeated malicious requests, the "racoon" key exchange
  server could allocate large amounts of memory, possibly leading to a
  denial of service.

http://www.linuxsecurity.com/content/view/141305 

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com 
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


__________________________________________________      
Register now for HITBSecConf2008 - Malaysia! With 
a new triple-track conference featuring 4 keynote 
speakers and over 35 international experts, this 
is the largest network security event in Asia and 
the Middle East! 
http://conference.hackinthebox.org/hitbsecconf2008kl/ 

Site design & layout copyright © 1986-2014 CodeGods