AOH :: IS1717.HTM

Linux Advisory Watch - February 13th 2009




Linux Advisory Watch - February 13th 2009
Linux Advisory Watch - February 13th 2009



+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| February 13th, 2009                              Volume 10, Number 7 |
|                                                                      |
| Editorial Team: Dave Wreski  | 
| Benjamin D. Thomas  | 
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for phpmyadmin, libpam-heimdal,
libpam-krb5, gnutls13, boinc, devil, mozvoikko, ruby-gnome2, mugshot,
totem, yelp, cairo-dock, blam, galeon, devhelp, evolution,
google-gadgets, kazehakase, miro, xulrunner, firefox, epiphany, chmsee,
kazehakase, evolution, blam, sudo, python, drakxtools, glibc, squid,
clamav, mod_auth_mysql, vnc, netpbm, and wicd.	The distributors
include Debian, Fedora, Mandriva, Red Hat, Slackware, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26 

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" You may not take even a
second to respond.  But if I may ask "How much does Google know about
you"? You may instantly reply "Wait... what!? Do they!?"  The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939 

---

A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088 

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- 

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/145668 

------------------------------------------------------------------------

* Debian: New phpmyadmin packages fix arbitrary code execution (Feb 11)
  ---------------------------------------------------------------------
  Michael Brooks discovered that phpMyAdmin, a tool to administrate
  MySQL over the web, performs insufficient input sanitising allowing a
  user assisted remote attacker to execute code on the webserver.

http://www.linuxsecurity.com/content/view/147974 

* Debian: New libpam-heimdal packages fix local privilege (Feb 11)
  ----------------------------------------------------------------
  Derek Chan discovered that the PAM module for the Heimdal Kerberos
  implementation allows reinitialisation of user credentials when run
  from a setuid context, resulting in potential local denial of service
  by overwriting the credential cache file or to local privilege
  escalation.

http://www.linuxsecurity.com/content/view/147973 

* Debian: New libpam-krb5 packages fix local privilege (Feb 11)
  -------------------------------------------------------------
  Several local vulnerabilities have been discovered in the  PAM module
  for MIT Kerberos. The Common Vulnerabilities and Exposures project
  identifies the following problems...

http://www.linuxsecurity.com/content/view/147972 

* Debian: New TYPO3 packages fix several vulnerabilities (Feb 10)
  ---------------------------------------------------------------
  Several remote vulnerabilities have been discovered in the TYPO3 web
  content management framework.

http://www.linuxsecurity.com/content/view/147967 

* Debian: New gnutls13 packages fix certificate validation (Feb 10)
  -----------------------------------------------------------------
  Martin von Gagern discovered that GNUTLS, an implementation of the
  TLS/SSL protocol, handles verification of X.509 certificate chains
  incorrectly if a self-signed certificate is configured as a trusted
  certificate.	This could cause clients to accept forged server
  certificates as genuine.

http://www.linuxsecurity.com/content/view/147964 

* Debian: New boinc packages fix validation bypass (Feb 8)
  --------------------------------------------------------
  It was discovered that the core client for the BOINC distributed
  computing infrastructure performs incorrect validation of the return
  values of OpenSSL's RSA functions.

http://www.linuxsecurity.com/content/view/147961 

* Debian: New devil packages fix buffer overflow (Feb 5)
  ------------------------------------------------------
  Stefan Cornelius discovered a buffer overflow in devil, a
  cross-platform image loading and manipulation toolkit, which could be
  triggered via a crafted Radiance RGBE file. This could potentially
  lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/147912 

------------------------------------------------------------------------

* Fedora 9 Update: mozvoikko-0.9.5-6.fc9 (Feb 6)
  ----------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147949 

* Fedora 9 Update: gtkmozembedmm-1.4.2.cvs20060817-25.fc9 (Feb 6)
  ---------------------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147950 

* Fedora 9 Update: ruby-gnome2-0.17.0-5.fc9 (Feb 6)
  -------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147951 

* Fedora 9 Update: mugshot-1.2.2-5.fc9 (Feb 6)
  --------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147952 

* Fedora 9 Update: totem-2.23.2-10.fc9 (Feb 6)
  --------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147953 

* Fedora 9 Update: yelp-2.22.1-8.fc9 (Feb 6)
  ------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147954 

* Fedora 9 Update: cairo-dock-1.6.3.1-1.fc9.3 (Feb 6)
  ---------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147939 

* Fedora 9 Update: gnome-python2-extras-2.19.1-23.fc9 (Feb 6)
  -----------------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147940 

* Fedora 9 Update: blam-1.8.5-5.fc9.1 (Feb 6)
  -------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147941 

* Fedora 9 Update: galeon-2.0.7-5.fc9 (Feb 6)
  -------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147942 

* Fedora 9 Update: gnome-web-photo-0.3-17.fc9 (Feb 6)
  ---------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147943 

* Fedora 9 Update: devhelp-0.19.1-8.fc9 (Feb 6)
  ---------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147944 

* Fedora 9 Update: evolution-rss-0.1.0-6.fc9 (Feb 6)
  --------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147945 

* Fedora 9 Update: google-gadgets-0.10.5-2.fc9 (Feb 6)
  ----------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147946 

* Fedora 9 Update: kazehakase-0.5.6-1.fc9.3 (Feb 6)
  -------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147947 

* Fedora 9 Update: Miro-1.2.7-4.fc9 (Feb 6)
  -----------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147948 

* Fedora 10 Update: ruby-gnome2-0.18.1-3.fc10 (Feb 6)
  ---------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147932 

* Fedora 10 Update: yelp-2.24.0-5.fc10 (Feb 6)
  --------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147933 

* Fedora 9 Update: xulrunner-1.9.0.6-1.fc9 (Feb 6)
  ------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147934 

* Fedora 9 Update: firefox-3.0.6-1.fc9 (Feb 6)
  --------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147935 

* Fedora 9 Update: epiphany-extensions-2.22.1-7.fc9 (Feb 6)
  ---------------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147936 

* Fedora 9 Update: epiphany-2.22.2-7.fc9 (Feb 6)
  ----------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147937 

* Fedora 9 Update: chmsee-1.0.1-8.fc9 (Feb 6)
  -------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147938 

* Fedora 10 Update: gnome-web-photo-0.3-14.fc10 (Feb 6)
  -----------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147926 

* Fedora 10 Update: kazehakase-0.5.6-1.fc10.3 (Feb 6)
  ---------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147927 

* Fedora 10 Update: mozvoikko-0.9.5-6.fc10 (Feb 6)
  ------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147928 

* Fedora 10 Update: Miro-1.2.8-2.fc10 (Feb 6)
  -------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147929 

* Fedora 10 Update: mugshot-1.2.2-5.fc10 (Feb 6)
  ----------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147931 

* Fedora 10 Update: epiphany-extensions-2.24.0-4.fc10 (Feb 6)
  -----------------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147917 

* Fedora 10 Update: devhelp-0.22-3.fc10 (Feb 6)
  ---------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147918 

* Fedora 10 Update: epiphany-2.24.3-2.fc10 (Feb 6)
  ------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147919 

* Fedora 10 Update: evolution-rss-0.1.2-4.fc10 (Feb 6)
  ----------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147920 

* Fedora 10 Update: blam-1.8.5-6.fc10 (Feb 6)
  -------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147921 

* Fedora 10 Update: galeon-2.0.7-5.fc10 (Feb 6)
  ---------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147922 

* Fedora 10 Update: google-gadgets-0.10.5-2.fc10 (Feb 6)
  ------------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147923 

* Fedora 10 Update: gnome-python2-extras-2.19.1-26.fc10 (Feb 6)
  -------------------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147924 

* Fedora 10 Update: gecko-sharp2-0.13-4.fc10 (Feb 6)
  --------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147925 

* Fedora 10 Update: xulrunner-1.9.0.6-1.fc10 (Feb 6)
  --------------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147915 

* Fedora 10 Update: firefox-3.0.6-1.fc10 (Feb 6)
  ----------------------------------------------
  Update to the new upstream Firefox 3.0.6 / XULRunner 1.9.0.6 fixing
  multiple security issues.

http://www.linuxsecurity.com/content/view/147916 

------------------------------------------------------------------------

* Gentoo: sudo Privilege escalation (Feb 6)
  -----------------------------------------
  A vulnerability in sudo may allow for privilege escalation.

http://www.linuxsecurity.com/content/view/147960 

------------------------------------------------------------------------

* Mandriva: [ MDVSA-2009:036 ] python (Feb 12)
  --------------------------------------------
  Multiple integer overflows in imageop.c in the imageop module in
  Python 1.5.2 through 2.5.1 allow context-dependent attackers to break
  out of the Python VM and execute arbitrary code via large integer
  values in certain arguments to the crop function, leading to a buffer
  overflow, a different vulnerability than CVE-2007-4965 and
  CVE-2008-1679. (CVE-2008-4864)

http://www.linuxsecurity.com/content/view/147981 

* Mandriva: [ MDVA-2009:023 ] db46 (Feb 12)
  -----------------------------------------
  Additional official patches have been released for db 4.6 after
  Mandriva release.

http://www.linuxsecurity.com/content/view/147979 

* Mandriva: [ MDVA-2009:022 ] xkeyboard-config (Feb 12)
  -----------------------------------------------------
  Wrong directory permissions would prevent the compilation of keyboard
  mappings. This update fixes this issue.

http://www.linuxsecurity.com/content/view/147978 

* Mandriva: [ MDVA-2009:021 ] drakxtools (Feb 12)
  -----------------------------------------------
  This update fixes several minor issues with drakxtools

http://www.linuxsecurity.com/content/view/147977 

* Mandriva: [ MDVA-2009:020 ] rhythmbox (Feb 12)
  ----------------------------------------------
  Rhythmbox could crash when handling removable devices and media
  players, like ipods. This update fixes the problem.

http://www.linuxsecurity.com/content/view/147976 

* Mandriva: [ MDVA-2009:019 ] glibc (Feb 11)
  ------------------------------------------
  The glibc packages released with Mandriva Linux 2008 and Mandriva
  Linux 2008 Spring had the /etc/ld.so.conf file using relative paths
  to include other config files at /etc/ld.so.conf.d, breaking usage of
  ldconfig -r, for example when you have chroot environments. This
  update fixes ld.so.conf to use absolute paths instead. Also, other
  cumulative bug fixes are provided.

http://www.linuxsecurity.com/content/view/147975 

* Mandriva: [ MDVSA-2009:035 ] gstreamer0.10-plugins-good (Feb 10)
  ----------------------------------------------------------------
  Security vulnerabilities have been discovered and corrected in
  gstreamer0.10-plugins-good, might allow remote attackers to execute
  arbitrary code via a malformed QuickTime media file (CVE-2009-0386,
  CVE-2009-0387, CVE-2009-0397). The updated packages have been patched
  to prevent this.

http://www.linuxsecurity.com/content/view/147968 

* Mandriva: [ MDVSA-2009:034 ] squid (Feb 10)
  -------------------------------------------
  Due to an internal error Squid is vulnerable to a denial of service
  attack when processing specially crafted requests. This problem
  allows any client to perform a denial of service attack on the Squid
  service (CVE-2009-0478). The updated packages have been patched to
  adress this.

http://www.linuxsecurity.com/content/view/147966 

* Mandriva: [ MDVA-2009:018 ] clamav (Feb 6)
  ------------------------------------------
  This update fixes several issues with clamav.

http://www.linuxsecurity.com/content/view/147959 

* Mandriva: [ MDVA-2009:017 ] glibc (Feb 6)
  -----------------------------------------
  regexp.h header shipped with glibc 2.8, in Mandriva Linux 2009, had
  an error which caused the build of programs using the regexp compile
  function to fail. This update addresses the issue.

http://www.linuxsecurity.com/content/view/147955 

------------------------------------------------------------------------

* RedHat: Moderate: mod_auth_mysql security update (Feb 11)
  ---------------------------------------------------------
  An updated mod_auth_mysql package to correct a security issue is now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

http://www.linuxsecurity.com/content/view/147970 

* RedHat: Moderate: vnc security update (Feb 11)
  ----------------------------------------------
  Updated vnc packages to correct a security issue are now available
  for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

http://www.linuxsecurity.com/content/view/147971 

* RedHat: Moderate: netpbm security update (Feb 11)
  -------------------------------------------------
  Updated netpbm packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

http://www.linuxsecurity.com/content/view/147969 

* RedHat: Important: kernel security update (Feb 10)
  --------------------------------------------------
  Updated kernel packages that resolve several security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having important security impact by the Red Hat Security Response
  Team.

http://www.linuxsecurity.com/content/view/147965 

* RedHat: Important: gstreamer-plugins security update (Feb 6)
  ------------------------------------------------------------
  Updated gstreamer-plugins packages that fix one security issue are
  now available for Red Hat Enterprise Linux 3. This update has been
  rated as having important security impact by the Red Hat Security
  Response Team.

http://www.linuxsecurity.com/content/view/147956 

* RedHat: Important: gstreamer-plugins security update (Feb 6)
  ------------------------------------------------------------
  Updated gstreamer-plugins packages that fix one security issue are
  now available for Red Hat Enterprise Linux 4. This update has been
  rated as having important security impact by the Red Hat Security
  Response Team.

http://www.linuxsecurity.com/content/view/147957 

* RedHat: Important: gstreamer-plugins-good security (Feb 6)
  ----------------------------------------------------------
  Updated gstreamer-plugins-good packages that fix several security
  issues are now available for Red Hat Enterprise Linux 5. This update
  has been rated as having important security impact by the Red Hat
  Security Response Team.

http://www.linuxsecurity.com/content/view/147958 

* RedHat: Moderate: sudo security update (Feb 5)
  ----------------------------------------------
  An updated sudo package to fix a security issue is now available for
  Red Hat Enterprise Linux 5. This update has been rated as having
  moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/147913 

------------------------------------------------------------------------

* Slackware: wicd (Feb 9)
  -----------------------
  New wicd packages are available for Slackware 12.2 and -current to
  fix a security issue with the D-Bus configuration file that could
  allow local information disclosure (such as network credentials).

http://www.linuxsecurity.com/content/view/147963 

------------------------------------------------------------------------

* Ubuntu:  PHP vulnerabilities (Feb 12)
  -------------------------------------
  It was discovered that PHP did not properly enforce php_admin_value
  and php_admin_flag restrictions in the Apache configuration file. A
  local attacker could create a specially crafted PHP script that would
  bypass intended security restrictions. This issue only applied to
  Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2007-5900)

http://www.linuxsecurity.com/content/view/147983 

* Ubuntu:  pam-krb5 vulnerabilities (Feb 12)
  ------------------------------------------
  It was discovered that pam_krb5 parsed environment variables when run
  with setuid applications. A local attacker could exploit this flaw to
  bypass authentication checks and gain root privileges.
  (CVE-2009-0360) Derek Chan discovered that pam_krb5 incorrectly
  handled refreshing existing credentials when used with setuid
  applications. A local attacker could exploit this to create or
  overwrite arbitrary files, and possibly gain root privileges.
  (CVE-2009-0361)

http://www.linuxsecurity.com/content/view/147982 

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com 
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


_______________________________________________      
Best Selling Security Books & More!
http://www.shopinfosecnews.org/ 

Site design & layout copyright © 1986-2014 CodeGods