+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| February 2nd 2007 Volume 8, Number 5a |
+---------------------------------------------------------------------+
Editors: Dave Wreski Benjamin D. Thomas
dave@private ben@private
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
This week, advisories were released for vlc, firefox, bind, libgtop2,
gtk, libsoup, fetchmail, squid, cacti, thttpd, ksirc, elinks, xine,
ulogd, kernel, squirrelmail, and tetex. The distributors
include Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, SuSE,
and Ubuntu.
---
Earn an NSA recognized IA Masters Online
The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home
life.
http://www.msia.norwich.edu/linsec/
---
* EnGarde Secure Linux v3.0.11 Now Available
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.11 (Version 3.0, Release 11). This release includes
several bug fixes and feature enhancements to the SELinux policy
and several updated packages.
http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.11
---
RFID with Bio-Smart Card in Linux
In this paper, we describe the integration of a fingerprint template
and an RF smart card for a clustered network, designed on the Linux
platform with open source technology to obtain biometric security.
The combination of smart card and biometrics achieves two-step
authentication: smart card authentication is based on a Personal
Identification Number (PIN), and the card holder is authenticated
using the biometric template stored in the smart card, based on
fingerprint verification. The fingerprint verification has to be
executed on the central host server for security purposes. The
protocol designed allows control of all parameters of the smart
security controller, such as PIN options, reader delay, real-time
clock, alarm option and cardholder access conditions.
http://www.linuxsecurity.com/content/view/125052/171/
---
Packet Sniffing Overview
The best way to secure yourself against sniffing is to use encryption.
While this won't prevent a sniffer from functioning, it will ensure
that what the sniffer reads is pure junk.
http://www.linuxsecurity.com/content/view/123570/49/
--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
* Debian: New vlc packages fix arbitrary code execution
27th, January, 2007
Updated package.
http://www.linuxsecurity.com/content/view/126779
* Debian: New Mozilla Firefox packages fix several vulnerabilities
27th, January, 2007
Updated package.
http://www.linuxsecurity.com/content/view/126780
* Debian: New bind9 packages fix denial of service
28th, January, 2007
Updated package.
http://www.linuxsecurity.com/content/view/126783
* Debian: New libgtop2 packages fix arbitrary code execution
31st, January, 2007
Updated package.
http://www.linuxsecurity.com/content/view/126831
* Debian: New gtk+2.0 packages fix denial of service
31st, January, 2007
Updated package.
http://www.linuxsecurity.com/content/view/126845
+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+
* Fedora Core 6 Update: bind-9.3.4-1.fc6
29th, January, 2007
Updated to version 9.3.4, which contains two security bugfixes...
http://www.linuxsecurity.com/content/view/126788
* Fedora Core 6 Update: libsoup-2.2.99-1.fc6
29th, January, 2007
Update to the latest libsoup 2.2 release.
This release fixes a security flaw that causes the libsoup
server to crash when it receives a malformed HTTP GET header.
http://www.linuxsecurity.com/content/view/126790
* Fedora Core 5 Update: fetchmail-6.3.6-2.fc5
29th, January, 2007
Update to fetchmail-6.3.6 (CVE-2006-5867, CVE-2006-5974)
http://www.linuxsecurity.com/content/view/126802
+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+
* Gentoo: Squid Multiple Denial of Service vulnerabilities
25th, January, 2007
Two vulnerabilities have been found in Squid which make it
susceptible to Denial of Service attacks.
http://www.linuxsecurity.com/content/view/126745
* Gentoo: Cacti Command execution and SQL injection
26th, January, 2007
Cacti has three vulnerabilities that could allow shell command
execution or SQL injection.
http://www.linuxsecurity.com/content/view/126750
* Gentoo: VLC media player Format string vulnerability
26th, January, 2007
VLC media player improperly handles format strings, allowing for the
execution of arbitrary code.
http://www.linuxsecurity.com/content/view/126751
* Gentoo: VLC media player Format string vulnerability
27th, January, 2007
VLC media player improperly handles format strings, allowing for the
execution of arbitrary code.
http://www.linuxsecurity.com/content/view/126781
* Gentoo: X.Org X server Multiple vulnerabilities
27th, January, 2007
Sean Larsson from iDefense Labs has found multiple vulnerabilities in
the DBE and Render extensions.
http://www.linuxsecurity.com/content/view/126782
* Gentoo: thttpd Unauthenticated remote file access
31st, January, 2007
The default configuration of the Gentoo thttpd package potentially
allows unauthenticated access to system files when used with newer
versions of baselayout.
http://www.linuxsecurity.com/content/view/126842
* Gentoo: KSirc Denial of Service vulnerability
31st, January, 2007
KSirc is vulnerable to a Denial of Service attack.
http://www.linuxsecurity.com/content/view/126843
* Gentoo: ELinks Arbitrary Samba command execution
31st, January, 2007
ELinks does not properly validate "smb://" URLs, making it vulnerable
to the execution of arbitrary Samba commands.
http://www.linuxsecurity.com/content/view/126844
+---------------------------------+
| Distribution: Mandriva | ----------------------------//
+---------------------------------+
* Mandriva: Updated xine-ui packages fix vulnerabilities
26th, January, 2007
Format string vulnerability in the errors_create_window function in
errors.c in xine-ui allows attackers to execute arbitrary code via
unknown vectors.
http://www.linuxsecurity.com/content/view/126752
* Mandriva: Updated ulogd packages to address buffer overflow
vulnerability
27th, January, 2007
Buffer overflow in ulogd has unknown impact and attack vectors
related to "improper string length calculations." The updated packages
have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/126776
* Mandriva: Updated libsoup packages fix DoS vulnerability
27th, January, 2007
The soup_headers_parse function in soup-headers.c for libsoup HTTP
library before 2.2.99 allows remote attackers to cause a denial of
service (crash) via malformed HTTP headers, probably involving
missing fields or values.
The updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/126777
* Mandriva: Updated bind packages fix DoS vulnerabilities
30th, January, 2007
Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1
up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind
Forum only) allows remote attackers to cause a denial of service
(named daemon crash) via unspecified vectors that cause named to
"dereference a freed fetch context."
http://www.linuxsecurity.com/content/view/126819
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
* RedHat: Important: kernel security update
30th, January, 2007
Updated kernel packages that fix several security issues in the Red
Hat Enterprise Linux 4 kernel are now available. This security
advisory has been rated as having important security impact by the
Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/126813
* RedHat: Moderate: fetchmail security update
31st, January, 2007
Updated fetchmail packages that fix two security issues are now
available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/126827
* RedHat: Moderate: squirrelmail security update
31st, January, 2007
A new squirrelmail package that fixes security issues is now
available for Red Hat Enterprise Linux 3 and 4.
http://www.linuxsecurity.com/content/view/126828
+---------------------------------+
| Distribution: Slackware | ----------------------------//
+---------------------------------+
* Slackware: bind
27th, January, 2007
New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, and 11.0 to fix denial of service security issues.
http://www.linuxsecurity.com/content/view/126778
+---------------------------------+
| Distribution: SuSE | ----------------------------//
+---------------------------------+
* SuSE: bind remote denial of service
30th, January, 2007
Two security problems were fixed in the ISC BIND nameserver version
9.3.4, which are addressed by this advisory.
http://www.linuxsecurity.com/content/view/126809
+---------------------------------+
| Distribution: Ubuntu | ----------------------------//
+---------------------------------+
* Ubuntu: teTeX vulnerability
25th, January, 2007
USN-410-1 fixed vulnerabilities in the poppler PDF loader library.
This update provides the corresponding updates for a copy of this
code in tetex-bin in Ubuntu 5.10. Versions of tetex-bin after Ubuntu
5.10 use poppler directly and do not need a separate update.
http://www.linuxsecurity.com/content/view/126747
* Ubuntu: Firefox regression
26th, January, 2007
USN-398-2 fixed vulnerabilities in Firefox 1.5. However, when
auto-filling saved-password login forms without a username field,
Firefox would crash. This update fixes the problem. We apologize for
the inconvenience.
http://www.linuxsecurity.com/content/view/126775
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.3 : Sun Feb 04 2007 - 22:40:20 PST