+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | March 2nd 2007 Volume 8, Number 9a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@private ben@private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for Nexuiz, mplayer, chmlib, php, spamassassin, gnome-terminal, snort, tcpdump, timezone, seamonkey, firefox, clamav, ekiga, enigmail, and nvidia-glx-config. The distributors include Gentoo, Mandriva, Red Hat, Slackware, SuSE, and Ubuntu. --- Earn an NSA recognized IA Masters Online The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/linsec/ --- * EnGarde Secure Linux v3.0.12 Now Available Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.11 (Version 3.0, Release 12). This release includes several bug fixes and feature enhancements to the SELinux policy and several updated packages. http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.12 --- RFID with Bio-Smart Card in Linux In this paper, we describe the integration of fingerprint template and RF smart card for clustered network, which is designed on Linux platform and Open source technology to obtain biometrics security. Combination of smart card and biometrics has achieved in two step authentication where smart card authentication is based on a Personal Identification Number (PIN) and the card holder is authenticated using the biometrics template stored in the smart card that is based on the fingerprint verification. The fingerprint verification has to be executed on central host server for security purposes. Protocol designed allows controlling entire parameters of smart security controller like PIN options, Reader delay, real-time clock, alarm option and cardholder access conditions. http://www.linuxsecurity.com/content/view/125052/171/ --- Packet Sniffing Overview The best way to secure you against sniffing is to use encryption. While this won't prevent a sniffer from functioning, it will ensure that what a sniffer reads is pure junk. http://www.linuxsecurity.com/content/view/123570/49/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Gentoo: Nexuiz Multiple vulnerabilities 25th, February, 2007 Two separate vulnerabilities have been found in Nexuiz allowing the remote execution of arbitrary code and a Denial of Service. http://www.linuxsecurity.com/content/view/127194 * Gentoo: UFO2000 Multiple vulnerabilities 25th, February, 2007 Multiple vulnerabilities have been found in the network components of UFO2000 that could result in the remote execution of arbitrary code. http://www.linuxsecurity.com/content/view/127195 * Gentoo: MPlayer Buffer overflow 27th, February, 2007 A buffer overflow was found in MPlayer's RTSP plugin that could lead to a Denial of Service or arbitrary code execution. http://www.linuxsecurity.com/content/view/127232 * Gentoo: CHMlib User-assisted remote execution of arbitrary code 27th, February, 2007 A memory corruption vulnerability in CHMlib could lead to the remote execution of arbitrary code. http://www.linuxsecurity.com/content/view/127233 +---------------------------------+ | Distribution: Mandriva | ----------------------------// +---------------------------------+ * Mandriva: Updated php packages fix multiple vulnerabilities 23rd, February, 2007 A number of vulnerabilities were discovered in PHP language. Many buffer overflow flaws were discovered in the PHP session extension, the str_replace() function, and the imap_mail_compose() function. An attacker able to use a PHP application using any of these functions could trigger these flaws and possibly execute arbitrary code as the apache user (CVE-2007-0906). http://www.linuxsecurity.com/content/view/127174 * Mandriva: Updated spamassassin packages fix DoS vulnerability 23rd, February, 2007 A bug in the way that SpamAssassin processes HTML emails containing URIs was discovered in versions 3.1.x. A carefully crafted mail message could make SpamAssassin consume significant amounts of CPU resources that could delay or prevent the delivery of mail if a number of these messages were sent at once. http://www.linuxsecurity.com/content/view/127191 * Mandriva: Updated gnome-terminal packages resizing issue 26th, February, 2007 A bug was causing incorrect window resizing when switching between multiple tabs in GNOME-Terminal. This bug, as well as memory leaks, has been fixed with this update. http://www.linuxsecurity.com/content/view/127205 * Mandriva: Updated Firefox packages fix multiple vulnerabilities 28th, February, 2007 A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 1.5.0.10. This update provides the latest Firefox to correct these issues. http://www.linuxsecurity.com/content/view/127249 * Mandriva: Updated snort packages fix DoS vulnerability 28th, February, 2007 Algorithmic complexity vulnerability in Snort before 2.6.1, during predicate evaluation in rule matching for certain rules, allows remote attackers to cause a denial of service (CPU consumption and detection outage) via crafted network traffic, aka a backtracking attack. Updated packages have been patched to address this issue. http://www.linuxsecurity.com/content/view/127251 * Mandriva: Updated tcpdump packages fix segfault 1st, March, 2007 Tcpdump would cause a segmentation fault on certain packets when reading back a captured tcpdump file. This update corrects that problem. http://www.linuxsecurity.com/content/view/127259 * Mandriva: Updated timezone packages provide updated DST information 1st, March, 2007 Updated timezone packages are being provided for older Mandriva Linux systems that do not contain the new Daylight Savings Time information for 2007 for certain time zones. These updated packages contain the new information. http://www.linuxsecurity.com/content/view/127260 +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ * RedHat: Important: php security update 22nd, February, 2007 Updated PHP packages that fix several security issues are now available for Red Hat Application Stack v1.1. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/127157 * RedHat: Critical: seamonkey security update 23rd, February, 2007 Updated seamonkey packages that fix several security bugs are now available for Red Hat Enterprise Linux 2.1, 3, and 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/127192 * RedHat: Critical: Firefox security update 23rd, February, 2007 Updated firefox packages that fix several security bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/127193 * RedHat: Important: kernel security update 27th, February, 2007 Updated kernel packages that fix two security issues and a bug in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/127223 +---------------------------------+ | Distribution: Slackware | ----------------------------// +---------------------------------+ * Slackware: php 23rd, February, 2007 New php packages are available for Slackware 10.2 and 11.0 to improve the stability and security of PHP. Quite a few bugs were fixed -- please see http://www.php.net for a detailed list. http://www.linuxsecurity.com/content/view/127175 +---------------------------------+ | Distribution: SuSE | ----------------------------// +---------------------------------+ * SuSE: clamav 0.90 (SUSE-SA:2007:017) 23rd, February, 2007 Updated package. http://www.linuxsecurity.com/content/view/127178 * SuSE: Linux Kernel (SUSE-SA:2007:018) 27th, February, 2007 A kernel update has been released to fix several security problems. http://www.linuxsecurity.com/content/view/127226 +---------------------------------+ | Distribution: Ubuntu | ----------------------------// +---------------------------------+ * Ubuntu: Ekiga vulnerabilities 22nd, February, 2007 Mu Security discovered a format string vulnerability in Ekiga. If a user was running Ekiga and listening for incoming calls, a remote attacker could send a crafted call request, and execute arbitrary code with the user's privileges. http://www.linuxsecurity.com/content/view/127156 * Ubuntu: enigmail vulnerability 23rd, February, 2007 Mikhail Markin reported that enigmail incorrectly handled memory allocations for certain large encrypted attachments. This caused Thunderbird to crash and thus caused the entire message to be inaccessible. http://www.linuxsecurity.com/content/view/127176 * Ubuntu: Firefox vulnerabilities 28th, February, 2007 Several flaws have been found in Firefox that could be used to perform Cross-site scripting attacks. http://www.linuxsecurity.com/content/view/127247 * Ubuntu: nvidia-glx-config regression 1st, March, 2007 USN-416-1 fixed various vulnerabilities in the Linux kernel. Unfortunately that update caused the 'nvidia-glx-config' script to not work any more. The new version fixes the problem. We apologize for the inconvenience. http://www.linuxsecurity.com/content/view/127252 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ _________________________________________ Visit the InfoSec News Security Bookstore http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Sun Mar 04 2007 - 22:21:08 PST