AOH :: IS1529.HTM

Linux Advisory Watch - December 26th 2008




Linux Advisory Watch - December 26th 2008
Linux Advisory Watch - December 26th 2008



+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| December 26th, 2008                              Volume 9, Number 52 |
|                                                                      |
| Editorial Team: Dave Wreski  | 
| Benjamin D. Thomas  | 
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for courier-authlib, moodle, avahi,
VLC, imlib2, ampache, clamav, powerdns, mailscanner, flash-plugin,
java, firefox, nagios, blender, perl, mplayer, php and git.  The
distributors include Gentoo, Mandriva, Red Hat, Slackware, Ubuntu, and
Pardus.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26 

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" You may not take even a
second to respond.  But if I may ask "How much does Google know about
you"? You may instantly reply "Wait... what!? Do they!?"  The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939 

---

A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088 

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- 

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/145668 

------------------------------------------------------------------------

* Debian: New courier-authlib packages fix regression (Dec 22)
  ------------------------------------------------------------
  Two SQL injection vulnerabilities have beein found in
  courier-authlib, the courier authentification library.  The MySQL
  database interface used insufficient escaping mechanisms when
  constructing SQL statements, leading to SQL injection vulnerabilities
  if certain charsets are used (CVE-2008-2380).  A similar issue
  affects the PostgreSQL database interface (CVE-2008-2667).

http://www.linuxsecurity.com/content/view/146349 

* Debian: New moodle packages fix several vulnerabilities (Dec 22)
  ----------------------------------------------------------------
  Several remote vulnerabilities have been discovered in Moodle, an
  online course management system. The following issues are addressed
  in this update, ranging from cross site scripting to remote code
  execution.

http://www.linuxsecurity.com/content/view/146340 

* Debian: New avahi packages fix denial of service (Dec 22)
  ---------------------------------------------------------
  Two denial of service conditions were discovered in avahi, a
  Multicast DNS implementation. Huge Dias discovered that the avahi
  daemon aborts with an assert error if it encounters a UDP packet with
  source port 0 (CVE-2008-5081).

http://www.linuxsecurity.com/content/view/146339 

* Debian: New courier-authlib packages fix SQL injection (Dec 20)
  ---------------------------------------------------------------
  Two SQL injection vulnerabilities have beein found in
  courier-authlib, the courier authentification library.  The MySQL
  database interface used insufficient escaping mechanisms when
  constructing SQL statements, leading to SQL injection vulnerabilities
  if certain charsets are used (CVE-2008-2380).  A similar issue
  affects the PostgreSQL database interface (CVE-2008-2667).

http://www.linuxsecurity.com/content/view/146064 

------------------------------------------------------------------------

* Gentoo: VLC Multiple vulnerabilities (Dec 23)
  ---------------------------------------------
  Multiple vulnerabilities in VLC may lead to the remote execution of
  arbitrary code.

http://www.linuxsecurity.com/content/view/146362 

* Gentoo: Imlib2 User-assisted execution of arbitrary code (Dec 23)
  -----------------------------------------------------------------
  A buffer overflow vulnerability has been discovered in Imlib2.

http://www.linuxsecurity.com/content/view/146361 

* Gentoo: Ampache Insecure temporary file usage (Dec 23)
  ------------------------------------------------------
  An insecure temporary file usage has been reported in Ampache,
  allowing for symlink attacks.

http://www.linuxsecurity.com/content/view/146360 

* Gentoo: ClamAV Multiple vulnerabilities (Dec 23)
  ------------------------------------------------
  Two vulnerabilities in ClamAV may allow for the remote execution of
  arbitrary code or a Denial of Service.

http://www.linuxsecurity.com/content/view/146359 

* Gentoo: PowerDNS Multiple vulnerabilities (Dec 19)
  --------------------------------------------------
  Two vulnerabilities have been discovered in PowerDNS, possibly
  leading to a Denial of Service and easing cache poisoning attacks.

http://www.linuxsecurity.com/content/view/146062 

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVA-2008:241 ] mailscanner (Dec 22)
  -----------------------------------------------------------------------------
  Local users can use symlink attacks throughout a flaw on
  trend-autoupdate script of MailScanner by using /tmp/opr.ini.##### or
  /tmp/lpt temporary file (CVE-2008-5140).

http://www.linuxsecurity.com/content/view/146348 

------------------------------------------------------------------------

* RedHat: Critical: flash-plugin security update (Dec 19)
  -------------------------------------------------------
  An updated Adobe Flash Player package that fixes a security issue is
  now available for Red Hat Enterprise Linux 3 Extras, Red Hat
  Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5
  Supplementary. This update has been rated as having critical security
  impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/146061 

* RedHat: Important: java-1.4.2-bea security update (Dec 18)
  ----------------------------------------------------------
  java-1.4.2-bea as shipped in Red Hat Enterprise Linux 3 Extras, Red
  Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5
  Supplementary, contains security flaws and should not be used. This
  update has been rated as having important security impact by the Red
  Hat Security Response Team.

http://www.linuxsecurity.com/content/view/146053 

* RedHat: Important: java-1.5.0-bea security update (Dec 18)
  ----------------------------------------------------------
  java-1.5.0-bea as shipped in Red Hat Enterprise Linux 4 Extras and
  Red Hat Enterprise Linux 5 Supplementary, contains security flaws and
  should not be used. This update has been rated as having important
  security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/146054 

* RedHat: Important: java-1.6.0-bea security update (Dec 18)
  ----------------------------------------------------------
  java-1.6.0-bea as shipped in Red Hat Enterprise Linux 4 Extras and
  Red Hat Enterprise Linux 5 Supplementary, contains security flaws and
  should not be used.This update has been rated as having important
  security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/146055 

------------------------------------------------------------------------

* Slackware:   mozilla-firefox (Dec 18)
  -------------------------------------
  New mozilla-firefox packages are available for Slackware 10.2, 11.0,
  12.0, 12.1, 12.2, and -current to fix security issues.

http://www.linuxsecurity.com/content/view/146060 

------------------------------------------------------------------------

* Ubuntu:  OpenOffice.org Internationalization update (Dec 23)
  ------------------------------------------------------------
  USN-677-1 fixed vulnerabilities in OpenOffice.org. The changes
  required that openoffice.org-l10n also be updated for the new version
  in Ubuntu 8.04 LTS. Original advisory details: Multiple memory
  overflow flaws were discovered in OpenOffice.org's handling of WMF
  and EMF files. If a user were tricked into opening a specially
  crafted document, a remote attacker might be able to execute
  arbitrary code with user privileges. (CVE-2008-2237, CVE-2008-2238)

http://www.linuxsecurity.com/content/view/146358 

* Ubuntu:  Nagios vulnerabilities (Dec 23)
  ----------------------------------------
  It was discovered that Nagios was vulnerable to a Cross-site request
  forgery (CSRF) vulnerability. If an authenticated nagios user were
  tricked into clicking a link on a specially crafted web page, an
  attacker could trigger commands to be processed by Nagios and execute
  arbitrary programs. This update alters Nagios behaviour by disabling
  submission of CMD_CHANGE commands. (CVE-2008-5028)

http://www.linuxsecurity.com/content/view/146351 

* Ubuntu:  Blender vulnerabilities (Dec 22)
  -----------------------------------------
  It was discovered that Blender did not correctly handle certain
  malformed Radiance RGBE images. If a user were tricked into opening a
  .blend file containing a specially crafted Radiance RGBE image, an
  attacker could execute arbitrary code with the user's privileges.
  (CVE-2008-1102)

http://www.linuxsecurity.com/content/view/146342 

* Ubuntu:  Nagios3 vulnerabilities (Dec 22)
  -----------------------------------------
  It was discovered that Nagios was vulnerable to a Cross-site request
  forgery (CSRF) vulnerability. If an authenticated nagios user were
  tricked into clicking a link on a specially crafted web page, an
  attacker could trigger commands to be processed by Nagios and execute
  arbitrary programs. This update alters Nagios behaviour by disabling
  submission of CMD_CHANGE commands. (CVE-2008-5028)

http://www.linuxsecurity.com/content/view/146343 

* Ubuntu:  Imlib2 vulnerability (Dec 22)
  --------------------------------------
  It was discovered that Imlib2 did not correctly handle certain
  malformed XPM and PNG images. If a user were tricked into opening a
  specially crafted image with an application that uses Imlib2, an
  attacker could cause a denial of service and possibly execute
  arbitrary code with the user's privileges.

http://www.linuxsecurity.com/content/view/146344 

* Ubuntu:  Nagios vulnerability (Dec 22)
  --------------------------------------
  It was discovered that Nagios did not properly parse commands
  submitted using the web interface. An authenticated user could use a
  custom form or a browser addon to bypass security restrictions and
  submit unauthorized commands.

http://www.linuxsecurity.com/content/view/146345 

------------------------------------------------------------------------

* Pardus: Perl Symlink Attack (Dec 24)
  ------------------------------------
  Race condition in the rmtree	function  in  File::Path  1.08	and
  2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users
  to create arbitrary setuid binaries via a symlink attack.

http://www.linuxsecurity.com/content/view/146388 

* Pardus: Mplayer Buffer Overflow (Dec 24)
  ----------------------------------------
  Stack-based  buffer overflow	in  the   demux_open_vqf   function
  in libmpdemux/demux_vqf.c in MPlayer allows remote  attackers  to
  execute arbitrary code via a malformed TwinVQ file.

http://www.linuxsecurity.com/content/view/146387 

* Pardus: Flashplugin System access Vulnerability (Dec 23)
  --------------------------------------------------------
  A  vulnerability has	been  reported	in  Adobe  Flash  Player,
  which potentially can be exploited by malicious people to compromise
  a user's system.

http://www.linuxsecurity.com/content/view/146357 

* Pardus: Thunderbird Multiple Vulnerabilities (Dec 23)
  -----------------------------------------------------
  Some vulnerabilities have been reported in Mozilla  Thunderbird,
  which can  be exploited  by  malicious  people  to  bypass  certain
  security restrictions,  disclose sensitive  information,   conduct
  cross-site scripting attacks, or potentially compromise a user's
  system.

http://www.linuxsecurity.com/content/view/146356 

* Pardus: Firefox Multiple Vulnerabilities (Dec 23)
  -------------------------------------------------
  Some vulnerabilities have been reported in Mozilla Firefox, which can
  be exploited by malicious people to bypass certain security
  restrictions, disclose sensitive information, conduct cross-site
  scripting attacks, or potentially compromise a user's system.

http://www.linuxsecurity.com/content/view/146355 

* Pardus: Sun-JDK Multiple Vulnerabilities (Dec 23)
  -------------------------------------------------
  Some vulnerabilities have been reported  in  Sun  Java,  which  can
  be exploited by malicious people to bypass certain security
  restrictions, disclose sensitive information, cause a DoS  (Denial
  of  service),  or compromise a vulnerable system.

http://www.linuxsecurity.com/content/view/146354 

* Pardus: Avahi Denial of Service Vulnerability (Dec 23)
  ------------------------------------------------------
  The vulnerability is caused due to an error when  processing
  multicast DNS (mDNS) data and can be exploited to terminate the
  application via an UDP packet having a source port equal to zero.

http://www.linuxsecurity.com/content/view/146353 

* Pardus: Php Multiple Vulnerabilities (Dec 23)
  ---------------------------------------------
  Some vulnerabilities have been reported in  PHP,  where  some  have
  an unknown impact and others can potentially	be  exploited  by
  malicious people to cause a DoS (Denial of Service) or  compromise  a
   vulnerable system.

http://www.linuxsecurity.com/content/view/146352 

* Pardus: Git Privilege Escalation (Dec 23)
  -----------------------------------------
  A security issue has been reported in GIT, which can	be  exploited
  by malicious, local users to gain escalated privileges.

http://www.linuxsecurity.com/content/view/146389 


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com 
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


_______________________________________________      
Please help InfoSecNews.org with a donation!
http://www.infosecnews.org/donate.html 

Site design & layout copyright © 1986-2014 CodeGods