Linux Advisory Watch: November 3rd, 2008
+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| November 3rd, 2008 Volume 9, Number 45 |
| |
| Editorial Team: Dave Wreski |
| Benjamin D. Thomas |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for openoffice, libspf2, mdkonline,
eterm, aterm, mplayer, kernel, lynx, emacs, and wireshark. The
distributors include Debian, Fedora, Gentoo, Mandriva, and Red Hat.
---
Earn your MS in Info Assurance online
Norwich University's Master of Science in Information Assurance (MSIA)
program, designated by the National Security Agency as providing
academically excellent education in Information Assurance, provides
you with the skills to manage and lead an organization-wide
information security program and the tools to fluently communicate
the intricacies of information security at an executive level.
http://www.linuxsecurity.com/ads/adclick.php?bannerid=12
---
Never Installed a Firewall on Ubuntu? Try Firestarter
-----------------------------------------------------
When I typed "Do I really need a firewall?" into Google, 695,000 results
came up. And I'm pretty sure they must be saying "Hell yeah!".
In my opinion, no one would ever recommend sitting naked on the
internet, keeping in mind the insecurity the internet carries these days,
unless you really know what you are doing.
Read on for more information on Firestarter.
http://www.linuxsecurity.com/content/view/142641
---
Review: Hacking Exposed Linux, Third Edition
--------------------------------------------
"Hacking Exposed Linux" by ISECOM (Institute for Security and Open
Methodologies) is a guide to help you secure your Linux environment.
This book does not only help improve your security; it also looks at why
you should. It does this by showing examples of real attacks and rating
the importance of protecting yourself from being a victim of each type of
attack.
http://www.linuxsecurity.com/content/view/141165
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.21 Now Available (Oct 7)
-----------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.21 (Version 3.0, Release 21). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
In distribution since 2001, EnGarde Secure Community was one of the
very first security platforms developed entirely from open source,
and has been engineered from the ground-up to provide users and
organizations with complete, secure Web functionality, DNS, database,
e-mail security and even e-commerce.
http://www.linuxsecurity.com/content/view/143039
------------------------------------------------------------------------
* Debian: New OpenOffice.org packages fix several vulnerabilities (Oct 29)
------------------------------------------------------------------------
The SureRun Security team discovered a bug in the WMF file parser
that can be triggered by manipulated WMF files and can lead to
heap overflows and arbitrary code execution.
http://www.linuxsecurity.com/content/view/143700
* Debian: New clamav packages fix denial of service (Oct 26)
----------------------------------------------------------
Several denial-of-service vulnerabilities have been discovered in the
ClamAV anti-virus toolkit: insufficient checking for out-of-memory
conditions results in null pointer dereferences (CVE-2008-3912).
http://www.linuxsecurity.com/content/view/143686
------------------------------------------------------------------------
* Fedora 8 Update: openoffice.org-2.3.0-6.17.fc8 (Oct 31)
-------------------------------------------------------
A security release to address CVE-2008-2237 (manipulated WMF files) and
CVE-2008-2238 (manipulated EMF files), as described at
http://www.openoffice.org/security/bulletin.html
http://www.linuxsecurity.com/content/view/143832
* Fedora 9 Update: openoffice.org-2.4.2-18.1.fc9 (Oct 31)
-------------------------------------------------------
Security update to address CVE-2008-2237 (manipulated WMF files) and
CVE-2008-2238 (manipulated EMF files), as described at
http://www.openoffice.org/security/bulletin.html
http://www.linuxsecurity.com/content/view/143813
------------------------------------------------------------------------
* Gentoo: libspf2 DNS response buffer overflow (Oct 30)
-----------------------------------------------------
A memory management error in libspf2 might allow for remote execution
of arbitrary code.
http://www.linuxsecurity.com/content/view/143806
------------------------------------------------------------------------
* Mandriva: Subject: [Security Announce] [ MDVA-2008:163 ] mdkonline (Oct 30)
---------------------------------------------------------------------------
This update ensures that the distribution upgrade notification is not
detected in incorrect cases, and ensures that a distribution upgrade
is only suggested after all security updates have been applied. It
also improves the distribution upgrade confirmation dialog and
reliability of network package installation.
http://www.linuxsecurity.com/content/view/143805
* Mandriva: Subject: [Security Announce] [ MDVA-2008:162 ] openoffice.org (Oct 30)
--------------------------------------------------------------------------------
This update provides a new upstream version of OpenOffice.org,
2.4.1.10. It also corrects the following bug: under 2.4 versions of
OpenOffice.org, the Orientation option was removed from the printer
properties, which prevented users from printing in booklet format in
the way they were used to. This OpenOffice.org update enables the
Orientation printer option again.
http://www.linuxsecurity.com/content/view/143804
* Mandriva: Subject: [Security Announce] [ MDVSA-2008:222 ] Eterm (Oct 29)
------------------------------------------------------------------------
A vulnerability in Eterm allowed it to open a terminal on :0 if the
environment variable was not set or the -display option was not
specified, which could be used by a local user to hijack X11
connections (CVE-2008-1692). The updated packages have been patched
to correct this issue.
http://www.linuxsecurity.com/content/view/143704
* Mandriva: Subject: [Security Announce] [ MDVSA-2008:221 ] aterm (Oct 29)
------------------------------------------------------------------------
A vulnerability in rxvt allowed it to open a terminal on :0 if the
environment variable was not set, which could be used by a local user
to hijack X11 connections (CVE-2008-1142). This issue also affects
aterm. The updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/143703
* Mandriva: Subject: [Security Announce] [ MDVSA-2008:219 ] mplayer (Oct 29)
--------------------------------------------------------------------------
A vulnerability that was discovered in xine-lib that allowed remote
RTSP servers to execute arbitrary code via a large streamid SDP
parameter also affects MPlayer (CVE-2008-0073).
http://www.linuxsecurity.com/content/view/143702
* Mandriva: Subject: [Security Announce] [ MDVSA-2008:220 ] kernel (Oct 29)
-------------------------------------------------------------------------
Some vulnerabilities were discovered and corrected in the Linux 2.6
kernel: The snd_seq_oss_synth_make_info function in
sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the
Linux kernel before 2.6.27-rc2 does not verify that the device number
is within the range defined by max_synthdev before returning certain
data to the caller, which allows local users to obtain sensitive
information.
http://www.linuxsecurity.com/content/view/143701
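The kernel entry above describes a missing range check: a caller-supplied device number is used as a table index without comparing it against max_synthdev, so stale entries beyond the registered devices are copied back to the caller. The following is an added, constructed user-space model of that pattern (not the kernel's code; the table size, the struct layout and the function names are assumptions borrowed from the advisory's wording), showing the unchecked lookup beside the checked one:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size table of OSS synth devices (constructed model). */
#define MAX_SYNTH_SLOTS 16

struct synth_info {
    char name[32];
    int  nr_voices;
};

static struct synth_info synth_devs[MAX_SYNTH_SLOTS];
static int max_synthdev = 0;   /* number of devices actually registered */

/* Populate the table: two registered devices, plus a stale entry left in
 * an unregistered slot to stand in for leftover kernel memory. */
void setup_devs(void)
{
    memset(synth_devs, 0, sizeof(synth_devs));
    strcpy(synth_devs[0].name, "synth0"); synth_devs[0].nr_voices = 16;
    strcpy(synth_devs[1].name, "synth1"); synth_devs[1].nr_voices = 32;
    max_synthdev = 2;
    strcpy(synth_devs[5].name, "stale-data");   /* never registered */
}

/* Vulnerable shape: trusts dev and copies whatever the slot holds. */
int make_info_unchecked(int dev, struct synth_info *out)
{
    *out = synth_devs[dev];
    return 0;
}

/* Fixed shape: reject any device number outside [0, max_synthdev). */
int make_info_checked(int dev, struct synth_info *out)
{
    if (dev < 0 || dev >= max_synthdev)
        return -ENXIO;
    *out = synth_devs[dev];
    return 0;
}

int main(void)
{
    struct synth_info info;
    setup_devs();
    printf("unchecked dev 5 -> rc %d name %s\n",
           make_info_unchecked(5, &info), info.name);
    printf("checked   dev 5 -> rc %d\n", make_info_checked(5, &info));
    return 0;
}
```

The unchecked variant happily returns the unregistered slot's contents for dev 5; the checked variant refuses it with -ENXIO, which is the behaviour the fixed packages restore.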
* Mandriva: Subject: [Security Announce] [ MDVSA-2008:218 ] lynx (Oct 28)
-----------------------------------------------------------------------
A vulnerability was found in the Lynxcgi: URI handler that could
allow an attacker to create a web page redirecting to a malicious URL
that would execute arbitrary code as the user running Lynx, if they
were using the non-default Advanced user mode (CVE-2008-4690). This
update corrects these issues and, in addition, makes Lynx always
prompt the user before loading a lynxcgi: URI. As well, the default
lynx.cfg configuration file marks all lynxcgi: URIs as untrusted.
http://www.linuxsecurity.com/content/view/143698
* Mandriva: Subject: [Security Announce] [ MDVSA-2008:217 ] lynx (Oct 28)
-----------------------------------------------------------------------
A flaw was found in the way Lynx handled .mailcap and .mime.types
configuration files. If these files were present in the current
working directory, they would be loaded prior to similar files in the
user's home directory. This could allow a local attacker to possibly
execute arbitrary code as the user running Lynx, if they could
convince the user to run Lynx in a directory under their control
(CVE-2006-7234).
http://www.linuxsecurity.com/content/view/143697
* Mandriva: Subject: [Security Announce] [ MDVSA-2008:216 ] emacs (Oct 27)
------------------------------------------------------------------------
A vulnerability was found in how Emacs would import python scripts
from the current working directory during the editing of a python
file. This could allow a local user to execute arbitrary code via a
trojan python file (CVE-2008-3949).
http://www.linuxsecurity.com/content/view/143693
* Mandriva: Subject: [Security Announce] [ MDVSA-2008:215 ] wireshark (Oct 27)
----------------------------------------------------------------------------
A number of vulnerabilities were discovered in Wireshark that could
cause it to crash or abort while processing malicious packets.
http://www.linuxsecurity.com/content/view/143690
------------------------------------------------------------------------
* RedHat: Important: flash-plugin security update (Oct 28)
--------------------------------------------------------
An updated Adobe Flash Player package that fixes several security
issues is now available for Red Hat Enterprise Linux 5 Supplementary.
A flaw was found in the way Adobe Flash Player wrote content to the
clipboard. A malicious SWF file could populate the clipboard with a
URL that could cause the user to mistakenly load an
attacker-controlled URL.
http://www.linuxsecurity.com/content/view/143695
* RedHat: Important: lynx security update (Oct 27)
------------------------------------------------
An updated lynx package that corrects two security issues is now
available for Red Hat Enterprise Linux 2.1, 3, 4, and 5. This update
has been rated as having important security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/143689
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------