+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| March 2nd 2007 Volume 8, Number 9a |
+---------------------------------------------------------------------+
Editors: Dave Wreski Benjamin D. Thomas
dave@private ben@private
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
This week, advisories were released for Nexuiz, mplayer, chmlib, php,
spamassassin, gnome-terminal, snort, tcpdump, timezone, seamonkey,
firefox, clamav, ekiga, enigmail, and nvidia-glx-config. The
distributors include Gentoo, Mandriva, Red Hat, Slackware, SuSE,
and Ubuntu.
---
Earn an NSA recognized IA Masters Online
The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home
life.
http://www.msia.norwich.edu/linsec/
---
* EnGarde Secure Linux v3.0.12 Now Available
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.11 (Version 3.0, Release 12). This release includes
several bug fixes and feature enhancements to the SELinux policy
and several updated packages.
http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.12
---
RFID with Bio-Smart Card in Linux
In this paper, we describe the integration of fingerprint template
and RF smart card for clustered network, which is designed on Linux
platform and Open source technology to obtain biometrics security.
Combination of smart card and biometrics has achieved in two step
authentication where smart card authentication is based on a
Personal Identification Number (PIN) and the card holder is
authenticated using the biometrics template stored in the smart
card that is based on the fingerprint verification. The fingerprint
verification has to be executed on central host server for
security purposes. Protocol designed allows controlling entire
parameters of smart security controller like PIN options, Reader
delay, real-time clock, alarm option and cardholder access
conditions.
http://www.linuxsecurity.com/content/view/125052/171/
---
Packet Sniffing Overview
The best way to secure you against sniffing is to use encryption.
While this won't prevent a sniffer from functioning, it will ensure
that what a sniffer reads is pure junk.
http://www.linuxsecurity.com/content/view/123570/49/
--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
* Gentoo: Nexuiz Multiple vulnerabilities
25th, February, 2007
Two separate vulnerabilities have been found in Nexuiz allowing the
remote execution of arbitrary code and a Denial of Service.
http://www.linuxsecurity.com/content/view/127194
* Gentoo: UFO2000 Multiple vulnerabilities
25th, February, 2007
Multiple vulnerabilities have been found in the network components of
UFO2000 that could result in the remote execution of arbitrary code.
http://www.linuxsecurity.com/content/view/127195
* Gentoo: MPlayer Buffer overflow
27th, February, 2007
A buffer overflow was found in MPlayer's RTSP plugin that could lead
to
a Denial of Service or arbitrary code execution.
http://www.linuxsecurity.com/content/view/127232
* Gentoo: CHMlib User-assisted remote execution of arbitrary code
27th, February, 2007
A memory corruption vulnerability in CHMlib could lead to the remote
execution of arbitrary code.
http://www.linuxsecurity.com/content/view/127233
+---------------------------------+
| Distribution: Mandriva | ----------------------------//
+---------------------------------+
* Mandriva: Updated php packages fix multiple vulnerabilities
23rd, February, 2007
A number of vulnerabilities were discovered in PHP language. Many
buffer overflow flaws were discovered in the PHP session extension,
the str_replace() function, and the imap_mail_compose() function. An
attacker able to use a PHP application using any of these functions
could trigger these flaws and possibly execute arbitrary code as the
apache user (CVE-2007-0906).
http://www.linuxsecurity.com/content/view/127174
* Mandriva: Updated spamassassin packages fix DoS vulnerability
23rd, February, 2007
A bug in the way that SpamAssassin processes HTML emails containing
URIs was discovered in versions 3.1.x. A carefully crafted mail
message could make SpamAssassin consume significant amounts of CPU
resources that could delay or prevent the delivery of mail if a
number of these messages were sent at once.
http://www.linuxsecurity.com/content/view/127191
* Mandriva: Updated gnome-terminal packages resizing issue
26th, February, 2007
A bug was causing incorrect window resizing when switching between
multiple tabs in GNOME-Terminal. This bug, as well as memory leaks,
has been fixed with this update.
http://www.linuxsecurity.com/content/view/127205
* Mandriva: Updated Firefox packages fix multiple vulnerabilities
28th, February, 2007
A number of security vulnerabilities have been discovered and
corrected in the latest Mozilla Firefox program, version 1.5.0.10.
This update provides the latest Firefox to correct these issues.
http://www.linuxsecurity.com/content/view/127249
* Mandriva: Updated snort packages fix DoS vulnerability
28th, February, 2007
Algorithmic complexity vulnerability in Snort before 2.6.1, during
predicate evaluation in rule matching for certain rules, allows
remote attackers to cause a denial of service (CPU consumption and
detection outage) via crafted network traffic, aka a backtracking
attack. Updated packages have been patched to address this issue.
http://www.linuxsecurity.com/content/view/127251
* Mandriva: Updated tcpdump packages fix segfault
1st, March, 2007
Tcpdump would cause a segmentation fault on certain packets when
reading back a captured tcpdump file. This update corrects that
problem.
http://www.linuxsecurity.com/content/view/127259
* Mandriva: Updated timezone packages provide updated DST information
1st, March, 2007
Updated timezone packages are being provided for older Mandriva Linux
systems that do not contain the new Daylight Savings Time information
for 2007 for certain time zones. These updated packages contain the
new information.
http://www.linuxsecurity.com/content/view/127260
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
* RedHat: Important: php security update
22nd, February, 2007
Updated PHP packages that fix several security issues are now
available for Red Hat Application Stack v1.1. This update has been
rated as having important security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/127157
* RedHat: Critical: seamonkey security update
23rd, February, 2007
Updated seamonkey packages that fix several security bugs are now
available for Red Hat Enterprise Linux 2.1, 3, and 4. This update has
been rated as having critical security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/127192
* RedHat: Critical: Firefox security update
23rd, February, 2007
Updated firefox packages that fix several security bugs are now
available for Red Hat Enterprise Linux 4. This update has been rated
as having critical security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/127193
* RedHat: Important: kernel security update
27th, February, 2007
Updated kernel packages that fix two security issues and a bug in the
Red Hat Enterprise Linux 4 kernel are now available. This update has
been rated as having important security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/127223
+---------------------------------+
| Distribution: Slackware | ----------------------------//
+---------------------------------+
* Slackware: php
23rd, February, 2007
New php packages are available for Slackware 10.2 and 11.0 to improve
the stability and security of PHP. Quite a few bugs were fixed --
please see http://www.php.net for a detailed list.
http://www.linuxsecurity.com/content/view/127175
+---------------------------------+
| Distribution: SuSE | ----------------------------//
+---------------------------------+
* SuSE: clamav 0.90 (SUSE-SA:2007:017)
23rd, February, 2007
Updated package.
http://www.linuxsecurity.com/content/view/127178
* SuSE: Linux Kernel (SUSE-SA:2007:018)
27th, February, 2007
A kernel update has been released to fix several security problems.
http://www.linuxsecurity.com/content/view/127226
+---------------------------------+
| Distribution: Ubuntu | ----------------------------//
+---------------------------------+
* Ubuntu: Ekiga vulnerabilities
22nd, February, 2007
Mu Security discovered a format string vulnerability in Ekiga. If a
user was running Ekiga and listening for incoming calls, a remote
attacker could send a crafted call request, and execute arbitrary
code with the user's privileges.
http://www.linuxsecurity.com/content/view/127156
* Ubuntu: enigmail vulnerability
23rd, February, 2007
Mikhail Markin reported that enigmail incorrectly handled memory
allocations for certain large encrypted attachments. This caused
Thunderbird to crash and thus caused the entire message to be
inaccessible.
http://www.linuxsecurity.com/content/view/127176
* Ubuntu: Firefox vulnerabilities
28th, February, 2007
Several flaws have been found in Firefox that could be used to
perform Cross-site scripting attacks.
http://www.linuxsecurity.com/content/view/127247
* Ubuntu: nvidia-glx-config regression
1st, March, 2007
USN-416-1 fixed various vulnerabilities in the Linux kernel.
Unfortunately that update caused the 'nvidia-glx-config' script to
not work any more. The new version fixes the problem. We apologize for
the inconvenience.
http://www.linuxsecurity.com/content/view/127252
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Sun Mar 04 2007 - 22:21:08 PST