|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: InfoSec News (alerts
infosecnews.org)
Date: Sat Oct 11 2008 - 02:03:06 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| October 10th, 2008 Volume 9, Number 41 |
| |
| Editorial Team: Dave Wreski <dwreskilinuxsecurity.com> |
| Benjamin D. Thomas <bthomaslinuxsecurity.com> |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for iceweasel, mon, mplayer, feta,
postfix, libxml, wordnet, portage, rpm, timezone, drakxtools, mono,
pam_krb5, cups, condor, kernel, and tomcat. The distributors include
Debian, Fedora, Gentoo, Mandriva, and Red Hat.
---
Earn your MS in Info Assurance online
Norwich University's Master of Science in Information Assurance (MSIA)
program, designated by the National Security Agency as providing
academically excellent education in Information Assurance, provides you
with the skills to manage and lead an organization-wide information
security program and the tools to fluently communicate the intricacies
of information security at an executive level.
http://www.linuxsecurity.com/ads/adclick.php?bannerid=12
---
Never Installed a Firewall on Ubuntu? Try Firestarter
-----------------------------------------------------
When I typed on Google "Do I really need a firewall?" 695,000 results
came across. And I'm pretty sure they must be saying "Hell yeah!".
In my opinion, no one would ever recommend anyone to sit naked on the
internet keeping in mind the insecurity internet carries these days,
unless you really know what you are doing.
Read on for more information on Firestarter.
http://www.linuxsecurity.com/content/view/142641
---
Review: Hacking Exposed Linux, Third Edition
--------------------------------------------
"Hacking Exposed Linux" by ISECOM (Institute for Security and Open
Methodologies) is a guide to help you secure your Linux environment.
This book does not only help improve your security it looks at why you
should. It does this by showing examples of real attacks and rates the
importance of protecting yourself from being a victim of each type of
attack.
http://www.linuxsecurity.com/content/view/141165
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.21 Now Available (Oct 7)
-----------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.21 (Version 3.0, Release 21). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
In distribution since 2001, EnGarde Secure Community was one of the
very first security platforms developed entirely from open source,
and has been engineered from the ground-up to provide users and
organizations with complete, secure Web functionality, DNS, database,
e-mail security and even e-commerce.
http://www.linuxsecurity.com/content/view/143039
------------------------------------------------------------------------
* Debian: New iceweasel packages fix several vulnerabilities (Oct 8)
------------------------------------------------------------------
Several remote vulnerabilities have been discovered in the Iceweasel
web browser, an unbranded version of the Firefox browser. The Common
Vulnerabilities and Exposures project identifies the following
problems:
http://www.linuxsecurity.com/content/view/143053
* Debian: New mon packages fix insecure temporary files (Oct 8)
-------------------------------------------------------------
Dmitry E. Oboukhov discovered that the test.alert script used in one
of the alert functions in mon, a system to monitor hosts or services
and alert about problems, creates temporary files insecurely, which
may lead to a local denial of service through symlink attacks.
http://www.linuxsecurity.com/content/view/143051
* Debian: New mplayer packages fix integer overflows (Oct 5)
----------------------------------------------------------
Felipe Andres Manzano discovered that mplayer, a multimedia player,
is vulnerable to several integer overflows in the Real video stream
demuxing code. These flaws could allow an attacker to cause a denial
of service (a crash) or potentially the execution of arbitrary code
by supplying a maliciously crafted video file.
http://www.linuxsecurity.com/content/view/142955
* Debian: New feta packages fix denial of service (Oct 5)
-------------------------------------------------------
Dmitry E. Oboukhov discovered that the "to-upgrade" plugin of Feta, a
simpler interface to APT, dpkg, and other Debian package tools
creates temporary files insecurely, which may lead to local denial of
service through symlink attacks.
http://www.linuxsecurity.com/content/view/142954
------------------------------------------------------------------------
* Fedora 9 Update: postfix-2.5.5-1.fc9 (Oct 9)
--------------------------------------------
New upstream patch level version 2.5.5, including multiple security
fixes detailed in upstream announcements:
http://www.postfix.org/announcements/20080814.html
http://www.postfix.org/announcements/20080902.html
http://www.linuxsecurity.com/content/view/143104
* Fedora 8 Update: postfix-2.5.5-1.fc8 (Oct 9)
--------------------------------------------
New upstream patch level version 2.5.5, including multiple security
fixes detailed in upstream announcements:
http://www.postfix.org/announcements/20080814.html
http://www.postfix.org/announcements/20080902.html
http://www.linuxsecurity.com/content/view/143089
* Fedora 9 Update: libxml2-2.7.1-2.fc9 (Oct 3)
--------------------------------------------
This is an urgent security fix for a bug newly introduced in
libxml2-2.7.x leading to CPU and memory exhaustion. See upstream
bug report for further details:
https://bugzilla.gnome.org/show_bug.cgi?id=554660
http://www.linuxsecurity.com/content/view/142907
------------------------------------------------------------------------
* Gentoo: Portage Untrusted search path local root vulnerability (Oct 9)
----------------------------------------------------------------------
A search path vulnerability in Portage allows local attackers to
execute commands with root privileges if emerge is called from
untrusted directories.
http://www.linuxsecurity.com/content/view/143057
* Gentoo: WordNet Execution of arbitrary code (Oct 7)
---------------------------------------------------
Multiple vulnerabilities were found in WordNet, possibly allowing for
the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/143040
------------------------------------------------------------------------
* Mandriva: Subject: [Security Announce] [ MDVA-2008:134 ] rpm (Oct 7)
--------------------------------------------------------------------
This package update adds support for LZMA compression in rpm. This
will allow users of Mandriva Linux 2007.1 to upgrade to the Mandriva
Linux 2009.0 release.
http://www.linuxsecurity.com/content/view/143045
* Mandriva: Subject: [Security Announce] [ MDVA-2008:133 ] timezone (Oct 7)
-------------------------------------------------------------------------
Updated timezone packages are being provided for older Mandriva Linux
systems that do not contain new Daylight Savings Time information and
Time Zone information for some locations. These updated packages
contain the new information.
http://www.linuxsecurity.com/content/view/143044
* Mandriva: Subject: [Security Announce] [ MDVA-2008:132 ] mandriva-release (Oct 3)
---------------------------------------------------------------------------------
mandriva-release for Mandriva 2008 Spring should contain a
product_branch set to Official, and not devel, otherwise it could
lead to an error with the new mdkonline. The updated package fixes
it.
http://www.linuxsecurity.com/content/view/142953
* Mandriva: Subject: [Security Announce] [ MDVA-2008:131 ] rpmdrake (Oct 3)
-------------------------------------------------------------------------
This update fixes several minor issues in rpmdrake: - it fixes a
crash due to bad timing with the X server (#41010) - it fix empty per
importance lists of updates in rpmdrake (list of all updates was OK,
MandrivaUpdate was OK) (#41331) (regression introduced in 3.95 on
2007-09-14)
http://www.linuxsecurity.com/content/view/142952
* Mandriva: Subject: [Security Announce] [ MDVA-2008:130 ] drakxtools (Oct 3)
---------------------------------------------------------------------------
This update fixes several minor issues in drakxtools: - it fixes
management of XEN kernels in bootloader-config, when adding a new
kernel, a xen entry should not replace an existing 'linux' (#40865) -
it fixes a crash in rpmdrake when description begins by Gtk2::..
(#43802) It also really enable draksnapashot to use Gtk+-2's new
FileChooserDialog in future.
http://www.linuxsecurity.com/content/view/142951
* Mandriva: Subject: [Security Announce] [ MDVSA-2008:210 ] mono (Oct 3)
----------------------------------------------------------------------
CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier
allows remote attackers to inject arbitrary HTTP headers and conduct
HTTP response splitting attacks via CRLF sequences in the query
string. The updated packages have been patched to fix the issue.
http://www.linuxsecurity.com/content/view/142950
* Mandriva: Subject: [Security Announce] [ MDVSA-2008:209 ] pam_krb5 (Oct 3)
--------------------------------------------------------------------------
Stphane Bertin discovered a flaw in the pam_krb5 existing_ticket
configuration option where, if enabled and using an existing
credential cache, it was possible for a local user to gain elevated
privileges by using a different, local user's credential cache
(CVE-2008-3825). The updated packages have been patched to prevent
this issue.
http://www.linuxsecurity.com/content/view/142949
------------------------------------------------------------------------
* RedHat: Important: cups security update (Oct 10)
------------------------------------------------
Updated cups packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 3, 4, and 5. A buffer overflow
flaw was discovered in the SGI image format decoding routines used by
the CUPS image converting filter "imagetops". An attacker could
create a malicious SGI image file that could, possibly, execute
arbitrary code as the "lp" user if the file was printed.
http://www.linuxsecurity.com/content/view/143128
* RedHat: Moderate: condor security, (Oct 7)
------------------------------------------
Updated condor packages that fix multiple security issues, several
bugs and introduce feature enhancements are now available for Red Hat
Enterprise MRG 1.0 for Red Hat Enterprise Linux 4. This update has
been rated as having moderate security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/143043
* RedHat: Moderate: condor security, (Oct 7)
------------------------------------------
Updated condor packages that address multiple security issues, fix
several bugs, and introduce feature enhancements are now available
for Red Hat Enterprise MRG 1.0 for Red Hat Enterprise Linux 5. This
update has been rated as having moderate security impact by the Red
Hat Security Response Team.
http://www.linuxsecurity.com/content/view/143042
* RedHat: Important: kernel security and bug fix update (Oct 7)
-------------------------------------------------------------
Updated kernel packages that fix several security issues and several
bugs are now available for Red Hat Enterprise MRG 1.0. This update
has been rated as having important security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/143041
* RedHat: Important: tomcat security update (Oct 2)
-------------------------------------------------
Updated tomcat packages that fix multiple security issues are now
available for Red Hat Developer Suite 3. This update has been rated
as having important security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/142866
* RedHat: Moderate: pam_krb5 security update (Oct 2)
--------------------------------------------------
An updated pam_krb5 package that fixes a security issue is now
available for Red Hat Enterprise Linux 5. This update has been rated
as having moderate security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/142867
* RedHat: Important: tomcat security update (Oct 2)
-------------------------------------------------
Updated tomcat packages that fix several security issues are now
available for Red Hat Application Server v2. This update has been
rated as having important security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/142865
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-requestlinuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
__________________________________________________
Register now for HITBSecConf2008 - Malaysia! With
a new triple-track conference featuring 4 keynote
speakers and over 35 international experts, this
is the largest network security event in Asia and
the Middle East!
http://conference.hackinthebox.org/hitbsecconf2008kl/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]