AOH :: IS1450.HTM

Linux Advisory Watch: December 5th, 2008




Linux Advisory Watch: December 5th, 2008
Linux Advisory Watch: December 5th, 2008



+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| December 5th, 2008                               Volume 9, Number 49 |
|                                                                      |
| Editorial Team: Dave Wreski  | 
| Benjamin D. Thomas  | 
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week advisories were released for clamav, awstats, perl, CUPS,
flamethrower, phpmyadmin, jailer, wireshark, imlib2, Mantis, libxml2,
libsamplerate, lighttpd, IPsec-Tools, enscript, OptiPNG, apache2, vim,
ruby, java, samba, nfs-utils, ImageMagick, and libvorbis.  The
distributors include Debian, Gentoo, Mandriva, Red Hat, Slackware, and
Ubuntu.

---

Earn your MS in Info Assurance online

Norwich University's Master of Science in Information Assurance (MSIA)
program, designated by the National Security Agency as providing
academically excellent education in Information Assurance, provides
you with the skills to manage and lead an organization-wide
information security program and the tools to fluently communicate
the intricacies of information security at an executive level.

http://www.linuxsecurity.com/ads/adclick.php?bannerid=12 

---

A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088 

---

Never Installed a Firewall on Ubuntu? Try Firestarter
-----------------------------------------------------
When I typed on Google "Do I really need a firewall?" 695,000 results
came across.  And I'm pretty sure they must be saying  "Hell yeah!".
In my opinion, no one would ever recommend anyone to sit naked on the
internet keeping in mind the insecurity internet carries these days,
unless you really know what you are doing.

Read on for more information on Firestarter.

http://www.linuxsecurity.com/content/view/142641 

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- 

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.21 Now Available (Oct 7)
  -----------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.21 (Version 3.0, Release 21). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  In distribution since 2001, EnGarde Secure Community was one of the
  very first security platforms developed entirely from open source,
  and has been engineered from the ground-up to provide users and
  organizations with complete, secure Web functionality, DNS, database,
  e-mail security and even e-commerce.

http://www.linuxsecurity.com/content/view/143039 

------------------------------------------------------------------------

* Debian: New Linux 2.6.24 packages fix several vulnerabilities (Dec 4)
  ---------------------------------------------------------------------
  Eugene Teo reported a local DoS issue in the ext2 and ext3
  filesystems.	Local users who have been granted the privileges
  necessary to mount a filesystem would be able to craft a corrupted
  filesystem that causes the kernel to output error messages in an
  infinite loop.

http://www.linuxsecurity.com/content/view/145234 

* Debian: New clamav packages fix potential code execution (Dec 4)
  ----------------------------------------------------------------
  Moritz Jodeit discovered that ClamAV, an anti-virus solution, suffers
  from an off-by-one-error in its VBA project file processing, leading
  to a heap-based buffer overflow and potentially arbitrary code
  execution (CVE-2008-5050).

http://www.linuxsecurity.com/content/view/145229 

* Debian: New awstats packages fix cross-site scripting (Dec 3)
  -------------------------------------------------------------
  Morgan Todd discovered a cross-site scripting vulnerability in
  awstats, a log file analyzer, involving the "config" request
  parameter (and possibly others; CVE-2008-3714).

http://www.linuxsecurity.com/content/view/145226 

* Debian: New perl packages fix privilege escalation (Dec 3)
  ----------------------------------------------------------
  Paul Szabo rediscovered a vulnerability in the File::Path::rmtree
  function of Perl. It was possible to exploit a race condition to
  create setuid binaries in a directory tree or remove arbitrary files
  when a process is deleting this tree.  This issue was originally
  known as CVE-2005-0448 and CVE-2004-0452, which were addressed by
  DSA-696-1 and DSA-620-1. Unfortunately, they were reintroduced later.

http://www.linuxsecurity.com/content/view/145225 

* Debian: New CUPS packages fix arbitrary code execution (Dec 2)
  --------------------------------------------------------------
  An integer overflow has been discovered in the image validation code
  of cupsys, the Common UNIX Printing System.  An attacker could
  trigger this bug by supplying a malicious graphic that could lead to
  the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/145031 

* Debian: New flamethrower packages fix denial of service (Dec 1)
  ---------------------------------------------------------------
  Dmitry E. Oboukhov discovered that flamethrower creates predictable
  temporary filenames, which may lead to a local denial of service
  through a symlink attack.

http://www.linuxsecurity.com/content/view/145015 

* Debian: New phpmyadmin packages fix cross site scripting (Nov 30)
  -----------------------------------------------------------------
  Masako Oono discovered that phpMyAdmin, a web-based administration
  interface for MySQL, insufficiently sanitises input allowing a remote
  attacker to gather sensitive data through cross site scripting,
  provided that the user uses the Internet Explorer web browser.

http://www.linuxsecurity.com/content/view/145009 

* Debian: New jailer packages fix denial of service (Nov 30)
  ----------------------------------------------------------
  Javier Fernandez-Sanguino Pena discovered that updatejail, a
  component of the chroot maintenance tool Jailer, creates a
  predictable temporary file name, which may lead to local denial of
  service through a symlink attack.

http://www.linuxsecurity.com/content/view/145008 

* Debian: New wireshark packages fix several vulnerabilities (Nov 29)
  -------------------------------------------------------------------
  Several remote vulnerabilities have been discovered network traffic
  analyzer Wireshark. The Common Vulnerabilities and Exposures project
  identifies the following problems: The GSM SMS dissector is
  vulnerable to denial of service.

http://www.linuxsecurity.com/content/view/145006 

* Debian: New imlib2 packages fix arbitrary code execution (Nov 28)
  -----------------------------------------------------------------
  Julien Danjou and Peter De Wachter discovered that a buffer overflow
  in the XPM loader of Imlib2, a powerful image loading and rendering
  library, might lead to arbitrary code execution.

http://www.linuxsecurity.com/content/view/145004 

------------------------------------------------------------------------

* Gentoo: Mantis Multiple vulnerabilities (Dec 2)
  -----------------------------------------------
  Multiple vulnerabilities have been discovered in Mantis, the most
  severe of which leading to the remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/145027 

* Gentoo: libxml2 Multiple vulnerabilities (Dec 2)
  ------------------------------------------------
  Multiple vulnerabilities in libxml2 might lead to execution of
  arbitrary code or Denial of Service.

http://www.linuxsecurity.com/content/view/145026 

* Gentoo: libsamplerate User-assisted execution of arbitrary code (Dec 2)
  -----------------------------------------------------------------------
  A buffer overflow vulnerability in libsamplerate might lead to the
  execution of arbitrary code.

http://www.linuxsecurity.com/content/view/145025 

* Gentoo: lighttpd Multiple vulnerabilities (Dec 2)
  -------------------------------------------------
  Multiple vulnerabilities in lighttpd may lead to information
  disclosure or a Denial of Service.

http://www.linuxsecurity.com/content/view/145024 

* Gentoo: IPsec-Tools racoon Denial of Service (Dec 2)
  ----------------------------------------------------
  IPsec-Tools' racoon is affected by a remote Denial of Service
  vulnerability.

http://www.linuxsecurity.com/content/view/145023 

* Gentoo: enscript User-assisted execution of arbitrary code (Dec 2)
  ------------------------------------------------------------------
  Two buffer overflows in enscript might lead to the execution of
  arbitrary code.

http://www.linuxsecurity.com/content/view/145022 

* Gentoo: OptiPNG User-assisted execution of arbitrary code (Dec 2)
  -----------------------------------------------------------------
  A vulnerability in OptiPNG might result in user-assisted execution of
  arbitrary code.

http://www.linuxsecurity.com/content/view/145021 

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:237 ] apache2 (Dec 4)
  -------------------------------------------------------------------------
  A vulnerability was discovered in the mod_proxy module in Apache
  where it did not limit the number of forwarded interim responses,
  allowing remote HTTP servers to cause a denial of service (memory
  consumption) via a large number of interim responses (CVE-2008-2364).
  This update also provides HTTP/1.1 compliance fixes. The updated
  packages have been patched to prevent this issue.

http://www.linuxsecurity.com/content/view/145237 

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:236 ] vim (Dec 3)
  ---------------------------------------------------------------------
  Several vulnerabilities were found in the vim editor: A number of
  input sanitization flaws were found in various vim system functions.
  If a user were to open a specially crafted file, it would be possible
  to execute arbitrary code as the user running vim (CVE-2008-2712).

http://www.linuxsecurity.com/content/view/145228 

------------------------------------------------------------------------

* RedHat: Moderate: Red Hat Application Stack v2.2 (Dec 4)
  --------------------------------------------------------
  Red Hat Application Stack v2.2 is now available.  This update fixes
  several security issues and adds various enhancements.A flaw was
  found in the mod_proxy module. An attacker  who has control of a web
  server to which requests are being proxied could cause a limited
  denial of service due to CPU consumption and stack exhaustion.
  (CVE-2008-2364)

http://www.linuxsecurity.com/content/view/145239 

* RedHat: Critical: java-1.5.0-sun security update (Dec 4)
  --------------------------------------------------------
  Updated java-1.5.0-sun packages that correct several security issues
  are now available for Red Hat Enterprise Linux 4 Extras and 5
  Supplementary. This update has been rated as having critical security
  impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/145233 

* RedHat: Moderate: ruby security update (Dec 4)
  ----------------------------------------------
  Updated ruby packages that fix a security issue are now available for
  Red Hat Enterprise Linux 4 and 5. This update has been rated as
  having moderate security impact by the Red Hat Security Response
  Team.

http://www.linuxsecurity.com/content/view/145231 

* RedHat: Critical: java-1.6.0-sun security update (Dec 4)
  --------------------------------------------------------
  Updated java-1.6.0-sun packages that correct several security issues
  are now available for Red Hat Enterprise Linux 4 Extras and 5
  Supplementary. This update has been rated as having critical security
  impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/145232 

------------------------------------------------------------------------

* Slackware:   ruby (Nov 29)
  --------------------------
  New ruby packages are available for Slackware 11.0, 12.0, and 12.1 to
  fix bugs and a security issue. More details about the issue may be
  found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 

http://www.linuxsecurity.com/content/view/145007 

* Slackware:   samba (Nov 28)
  ---------------------------
  New samba packages are available for Slackware 10.0, 10.1, 10.2,
  11.0, 12.0, 12.1, and -current to fix a possible security
  vulnerability involving the reading of uninitialized memory. More
  details about this issue may be found in the Common Vulnerabilities
  and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4314 

http://www.linuxsecurity.com/content/view/145005 

------------------------------------------------------------------------

* Ubuntu:  nfs-utils vulnerability (Dec 4)
  ----------------------------------------
  It was discovered that nfs-utils did not properly enforce netgroup
  restrictions when using TCP Wrappers. Remote attackers could bypass
  the netgroup restrictions enabled by the administrator and possibly
  gain access to sensitive information.

http://www.linuxsecurity.com/content/view/145238 

* Ubuntu:  Imlib2 vulnerability (Dec 2)
  -------------------------------------
  It was discovered that Imlib2 did not correctly handle certain
  malformed XPM images. If a user were tricked into opening a specially
  crafted image with an application that uses Imlib2, an attacker could
  cause a denial of service and possibly execute arbitrary code with
  the user's privileges.

http://www.linuxsecurity.com/content/view/145020 

* Ubuntu:  ImageMagick vulnerability (Dec 1)
  ------------------------------------------
  It was discovered that ImageMagick did not correctly handle certain
  malformed XCF images. If a user were tricked into opening a specially
  crafted image with an application that uses ImageMagick, an attacker
  could cause a denial of service and possibly execute arbitrary code
  with the user's privileges.

http://www.linuxsecurity.com/content/view/145012 

* Ubuntu:  libvorbis vulnerabilities (Dec 1)
  ------------------------------------------
  It was discovered that libvorbis did not correctly handle certain
  malformed sound files. If a user were tricked into opening a
  specially crafted sound file with an application that uses libvorbis,
  an attacker could execute arbitrary code with the user's privileges.

http://www.linuxsecurity.com/content/view/145013 

* Ubuntu:  Samba vulnerability (Nov 27)
  -------------------------------------
  It was discovered that Samba did not properly perform bounds checking
  in certain operations. A remote attacker could possibly exploit this
  to read arbitrary memory contents of the smb process, which could
  contain sensitive infomation or possibly have other impacts, such as
  a denial of service.

http://www.linuxsecurity.com/content/view/145000 

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com 
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


_______________________________________________      
Help InfoSecNews.org with a donation!
http://www.infosecnews.org/donate.html 

Site design & layout copyright © 1986-2014 CodeGods