[ISN] Linux Advisory Watch - February 2nd 2007

From: InfoSec News (alerts@private)
Date: Sun Feb 04 2007 - 22:32:06 PST

|  LinuxSecurity.com                               Weekly Newsletter  |
|  February 2nd 2007                             Volume 8, Number 5a  |

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@private          ben@private

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released vlc, firefox, bind, libtop2,
gtk, libsoup, fetchmail, squid, cacti, thttpd, ksirc, elinks, xine,
ulogd, libsoup, kernel, squirrelmail, and tetex.  The distributors
include Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, SuSE,
and Ubuntu.


Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home



* EnGarde Secure Linux v3.0.11 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.11 (Version 3.0, Release 11). This release includes
several bug fixes and feature enhancements to the SELinux policy
and several updated packages.



RFID with Bio-Smart Card in Linux

In this paper, we describe the integration of fingerprint template
and RF smart card for clustered network, which is designed on Linux
platform and Open source technology to obtain biometrics security.
Combination of smart card and biometrics has achieved in two step
authentication where smart card authentication is based on a
Personal Identification Number (PIN) and the card holder is
authenticated using the biometrics template stored in the smart
card that is based on the fingerprint verification. The fingerprint
verification has to be executed on central host server for
security purposes. Protocol designed allows controlling entire
parameters of smart security controller like PIN options, Reader
delay, real-time clock, alarm option and cardholder access



Packet Sniffing Overview

The best way to secure you against sniffing is to use encryption.
While this won't prevent a sniffer from functioning, it will ensure
that what a sniffer reads is pure junk.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Debian           | ----------------------------//

* Debian: New vlc packages fix arbitrary code execution
  27th, January, 2007

Updated package.


* Debian: New Mozilla Firefox packages fix several vulnerabilities
  27th, January, 2007

Updated package.


* Debian: New bind9 packages fix denial of service
  28th, January, 2007

Updated package.


* Debian: New libgtop2 packages fix arbitrary code execution
  31st, January, 2007

Updated package.


* Debian: New gtk+2.0 packages fix denial of service
  31st, January, 2007

Updated package.


|  Distribution: Fedora           | ----------------------------//

* Fedora Core 6 Update: bind-9.3.4-1.fc6
  29th, January, 2007

Updated to version 9.3.4 which contains two security bugfixes...


* Fedora Core 6 Update: libsoup-2.2.99-1.fc6
  29th, January, 2007

Update to the latest libsoup 2.2 release.
This release fixes a security flaw that causes the libsoup
server to crash when it receives a malformed HTTP GET header.


* Fedora Core 5 Update: fetchmail-6.3.6-2.fc5
  29th, January, 2007

Update to fetchmail-6.3.6 (CVE-2006-5867, CVE-2006-5974)


|  Distribution: Gentoo           | ----------------------------//

* Gentoo: Squid Multiple Denial of Service vulnerabilities
  25th, January, 2007

Two vulnerabilities have been found in Squid which make it
susceptible to Denial of Service attacks.


* Gentoo: Cacti Command execution and SQL injection
  26th, January, 2007

Cacti has three vulnerabilities that could allow shell command
execution or SQL injection.


* Gentoo: VLC media player Format string vulnerability
  26th, January, 2007

VLC media player improperly handles format strings, allowing for the
execution of arbitrary code.


* Gentoo: VLC media player Format string vulnerability
  27th, January, 2007

VLC media player improperly handles format strings, allowing for the
execution of arbitrary code.


* Gentoo: X.Org X server Multiple vulnerabilities
  27th, January, 2007

Sean Larsson from iDefense Labs has found multiple vulnerabilities in

the DBE and Render extensions.


* Gentoo: thttpd Unauthenticated remote file access
  31st, January, 2007

The default configuration of the Gentoo thttpd package potentially
allows unauthenticated access to system files when used with newer
versions of baselayout.


* Gentoo: KSirc Denial of Service vulnerability
  31st, January, 2007

KSirc is vulnerable to a Denial of Service attack.


* Gentoo: ELinks Arbitrary Samba command execution
  31st, January, 2007

ELinks does not properly validate "smb://" URLs, making it vulnerable
to the execution of arbitrary Samba commands.


|  Distribution: Mandriva         | ----------------------------//

* Mandriva: Updated xine-ui packages fix vulnerabilities
  26th, January, 2007

Format string vulnerability in the errors_create_window function in
errors.c in xine-ui allows attackers to execute arbitrary code via
unknown vectors.


* Mandriva: Updated ulogd packaged to address buffer overflow
  27th, January, 2007

Buffer overflow in ulogd has unknown impact and attack vectors
related to "improper string length calculations." The updated packages
have been patched to correct this issue.


* Mandriva: Updated libsoup packages fix DoS vulnerability
  27th, January, 2007

The soup_headers_parse function in soup-headers.c for libsoup HTTP
library before 2.2.99 allows remote attackers to cause a denial of
service (crash) via malformed HTTP headers, probably involving
missing fields or values.
The updated packages have been patched to correct this issue.


* Mandriva: Updated bind packages fix DoS vulnerabilities
  30th, January, 2007

Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1
up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind
Forum only) allows remote attackers to cause a denial of service
(named daemon crash) via unspecified vectors that cause named to
"dereference a freed fetch context." <P>


|  Distribution: Red Hat          | ----------------------------//

* RedHat: Important: kernel security update
  30th, January, 2007

Updated kernel packages that fix several security issues in the Red
Hat Enterprise Linux 4 kernel are now available.  This security
advisory has been rated as having important security impact by the
Red Hat Security Response Team.


* RedHat: Moderate: fetchmail security update
  31st, January, 2007

Updated fetchmail packages that fix two security issues are now
available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.


* RedHat: Moderate: squirrelmail security update
  31st, January, 2007

A new squirrelmail package that fixes security issues is now
available for Red Hat Enterprise Linux 3 and 4.


|  Distribution: Slackware        | ----------------------------//

* Slackware:   bind
  27th, January, 2007

New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, and 11.0 to fix denial of service security issues.


|  Distribution: SuSE             | ----------------------------//

* SuSE: bind remote denial of service
  30th, January, 2007

Two security problems were fixed in the ISC BIND nameserver version
9.3.4, which are addressed by this advisory


|  Distribution: Ubuntu           | ----------------------------//

* Ubuntu:  teTeX vulnerability
  25th, January, 2007

USN-410-1 fixed vulnerabilities in the poppler PDF loader library.
This update provides the corresponding updates for a copy of this
code in tetex-bin in Ubuntu 5.10.  Versions of tetex-bin after Ubuntu
5.10 use poppler directly and do not need a separate update.


* Ubuntu:  Firefox regression
  26th, January, 2007

USN-398-2 fixed vulnerabilities in Firefox 1.5.  However, when
auto-filling saved-password login forms without a username field,
Firefox would crash.  This update fixes the problem. We apologize for
the inconvenience.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@private
         with "unsubscribe" in the subject of the message.

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Sun Feb 04 2007 - 22:40:20 PST