+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | July 13th 2007 Volume 8, Number 28a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@private ben@private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week advisories were released for gfax, php, vlc, webmin, xnview, apache, mplayer, open office, wireshark, xorg-x11, perl, flash-plugin, and ImageMagick. The distributors include Debian, Gentoo, Mandriva, and Ubuntu. --- >> Accelerate your career with a Master in >> Information Assurance from Norwich! The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study offers you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.linuxsecurity.com/ads/adclick.php?log=no&bannerid=12 --- * EnGarde Secure Linux v3.0.13 Now Available Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.13 (Version 3.0, Release 13). This release includes several bug fixes and feature enhancements to the SELinux policy and several updated packages. http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.13 --- Review: Practical Packet Analysis In the introduction, McIlwraith points out that security awareness training properly consists of communication, raising of issues, and encouragement to modify behaviour. (This will come as no surprise to those who recall the definition of training as the modification of attitudes and behaviour.) He also notes that security professionals frequently concentrate solely on presentation of problems. The remainder of the introduction looks at other major security activities, and the part that awareness plays in ensuring that they actually work. http://www.linuxsecurity.com/content/view/128459/171/ --- Robert Slade Review: "Information Security and Employee Behaviour" The best way to secure you against sniffing is to use encryption. While this won't prevent a sniffer from functioning, it will ensure that what a sniffer reads is pure junk. http://www.linuxsecurity.com/content/view/128404/171/ -------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ * Debian: New gfax packages fix privilege escalation 5th, July, 2007 Steve Kemp from the Debian Security Audit project discovered that gfax, a GHOME frontend for fax programs, uses temporary files in an unsafe manner which may be exploited to execute arbitary commands with the privileges of the root user. http://www.linuxsecurity.com/content/view/128725 * Debian: New php5 packages fix arbitrary code execution 7th, July, 2007 Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: http://www.linuxsecurity.com/content/view/128730 * Debian: New php4 packages fix arbitrary code execution 7th, July, 2007 Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: http://www.linuxsecurity.com/content/view/128731 * Debian: New vlc packages fix arbitrary code execution 9th, July, 2007 Several remote vulnerabilities have been discovered in the VideoLan multimedia player and streamer, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identified these flaws. http://www.linuxsecurity.com/content/view/128739 +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ * Gentoo: Webmin, Usermin Cross-site scripting vulnerabilities 5th, July, 2007 Webmin and Usermin are vulnerable to cross-site scripting vulnerabilities (XSS). An unauthenticated attacker could entice a user to browse a specially crafted URL, allowing for the execution of script code in the context of the user's browser and for the theft of browser credentials. This may permit the attacker to login to Webmin or Usermin with the user's permissions. http://www.linuxsecurity.com/content/view/128726 * Gentoo: XnView Stack-based buffer overflow 11th, July, 2007 XnView is vulnerable to a stack-based buffer overflow and possible remote code execution when handling XPM image files.An attacker could entice a user to view a specially crafted XPM file with XnView that could trigger the vulnerability and possibly execute arbitrary code with the rights of the user running XnView. http://www.linuxsecurity.com/content/view/128763 +---------------------------------+ | Distribution: Mandriva | ----------------------------// +---------------------------------+ * Mandriva: Updated apache packages fix multiple security 5th, July, 2007 A vulnerability was discovered in the the Apache mod_status module that could lead to a cross-site scripting attack on sites where the server-status page was publically accessible and ExtendedStatus was enabled. http://www.linuxsecurity.com/content/view/128720 * Mandriva: Updated apache packages fix multiple security 5th, July, 2007 A vulnerability was discovered in the the Apache mod_status module that could lead to a cross-site scripting attack on sites where the server-status page was publically accessible and ExtendedStatus was enabled (CVE-2006-5752). http://www.linuxsecurity.com/content/view/128721 * Mandriva: Updated mplayer packages fix buffer overflow 10th, July, 2007 Multiple stack-based buffer overflows in stream/stream_cddb.c in MPlayer before 1.0rc1try3 allow remote attackers to execute arbitrary code via a CDDB entry with a long (1) album title or (2) category. Updated packages have been patched to prevent this issue. http://www.linuxsecurity.com/content/view/128752 * Mandriva: Updated OpenOffice.org packages fix RTF import 10th, July, 2007 A heap overflow flaw was found in the RTF import filter of OpenOffice.org. If a victim were to open a specially-crafted RTF file, OpenOffice.org could crash or possibly execute arbitrary code. Updated packages have been patched to prevent the above issues. http://www.linuxsecurity.com/content/view/128755 * Mandriva: Updated wireshark packages fix multiple 11th, July, 2007 A number of vulnerabilities in the Wireshark program were found that could cause crashes, excessive looping, or exhaustion of system memory. This updated provides wireshark 0.99.6 which is not vulnerable to these issues. http://www.linuxsecurity.com/content/view/128756 +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ * RedHat: Moderate: xorg-x11 security update 12th, July, 2007 Updated X.org packages that correct a flaw in the way the X.Org X11 xfs font server starts are now available for Red Hat Enterprise Linux. The init.d xfs script chown has race condition vulnerability. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/128765 * RedHat: Moderate: kernel security and bug fix update 10th, July, 2007 Updated kernel packages that fix a security issue and a bug in the Red Hat Enterprise Linux 5 kernel are now available. A flaw in the signal handling on PowerPC-based systems that allowed a local user to cause a denial of service. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/128745 * RedHat: Moderate: xorg-x11-xfs security update 12th, July, 2007 Updated X.org packages that address a flaw in the way the X.Org X11 xfs font server starts are now available for Red Hat Enterprise Linux 5.A temporary file flaw was found in the way the X.Org X11 xfs font server startup script executes. A local user could modify the permissions of a file of their choosing, possibly elevating their local privileges. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/128766 * RedHat: Moderate: perl-Net-DNS security update 12th, July, 2007 Updated perl-Net-DNS packages that correct two security issues are now available for Red Hat Enterprise Linux 3 and 5.A denial of service flaw was found in the way Net::DNS parsed certain DNS requests. A malformed response to a DNS request could cause the application using Net::DNS to crash or stop responding. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/128767 * RedHat: Moderate: perl-Net-DNS security update 12th, July, 2007 An updated perl-Net-DNS package that corrects a security issue is now available for Red Hat Enterprise Linux 4.A flaw was found in the way Net::DNS generated the ID field in a DNS query. This predictable ID field could be used by a remote attacker to return invalid DNS data. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/128768 * RedHat: Critical: flash-plugin security update 12th, July, 2007 An updated Adobe Flash Player package that fixes a security issue is now available for Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5 Supplementary. An input validation flaw was found in the way Flash Player displayed certain content. It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious Adobe Flash file This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/128769 +---------------------------------+ | Distribution: Ubuntu | ----------------------------// +---------------------------------+ * Ubuntu: ImageMagick vulnerabilities 10th, July, 2007 Multiple vulnerabilities were found in ImageMagick's handling of DCM and WXD image files. By tricking a user into processing a specially crafted image with an application that uses imagemagick, an attacker could execute arbitrary code with the user's privileges. http://www.linuxsecurity.com/content/view/128748 * Ubuntu: OpenOffice.org vulnerability 11th, July, 2007 John Heasman discovered that OpenOffice did not correctly validate the sizes of tags in RTF documents. If a user were tricked into opening a specially crafted document, a remote attacker could execute arbitrary code with user privileges. http://www.linuxsecurity.com/content/view/128757 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ _____________________________________________________ Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Mon Jul 16 2007 - 02:24:56 PDT