+------------------------------------------------------------------------+
|  LinuxSecurity.com                              Weekly Newsletter      |
|  November 2nd, 2007                             Volume 8, Number 44    |
|                                                                        |
|  Editorial Team:  Dave Wreski <dwreski@private>                        |
|                   Benjamin D. Thomas <bthomas@private>                 |
+------------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week advisories were released for dhcp, iceweasel, xen-utils,
Opera, sylpheed, qt, the Linux kernel, firefox, libpng, and cups. The
distributors include Debian, Gentoo, Mandriva, Red Hat, Slackware, and
Ubuntu.

---

>> Linux+DVD Magazine <<

Our magazine is read by professional network and database
administrators, system programmers, webmasters and all those who
believe in the power of Open Source software. The majority of our
readers are between 15 and 40 years old. They are interested in
current news from the Linux world, upcoming projects etc. In each
issue you can find information concerning typical use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Linux Firewalls
-----------------------

Security is at the forefront of everyone's mind and a firewall can be
an integral part of your Linux defense. But is Michael Rash's "Linux
Firewalls," the newest release from No Starch Press, up for the
challenge? Eckie S. here at Linuxsecurity.com gives you the low-down
on this newest addition to the Linux security resource library and how
it's one of the best ways to crack down on attacks to your Linux
network.
http://www.linuxsecurity.com/content/view/130392

---

State of Linux Security Survey
------------------------------

It is customary for communities of every sphere to stand up
occasionally, and take a good, long look at what's going on in the
world around them. For us here at Linuxsecurity.com, we felt it was a
great opportunity to put it all together. Since 1996, Linuxsecurity.com
has been bringing open source news, HOW-TOs, Feature stories and more
to the open source community with comprehensive coverage. As one of the
veterans in this area, we'd like to see you chime in. With so much
going on in Linux and security, what does the community really care
about?

http://www.linuxsecurity.com/content/view/130173

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf  <--

--------------------------------------------------------------------------

* EnGarde Secure Community v3.0.17 Now Available (Oct 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.17 (Version 3.0, Release 17). This release includes
  many updated packages and bug fixes, some feature enhancements to
  Guardian Digital WebTool and the SELinux policy, and a few new
  features. In distribution since 2001, EnGarde Secure Community was
  one of the very first security platforms developed entirely from open
  source, and has been engineered from the ground-up to provide users
  and organizations with complete, secure Web functionality, DNS,
  database, e-mail security and even e-commerce.

  http://www.linuxsecurity.com/content/view/129961

--------------------------------------------------------------------------

* Debian: New dhcp packages fix arbitrary code execution (Oct 29)
  ---------------------------------------------------------------
  The patch used to correct the DHCP server buffer overflow in
  DSA-1388-1 was incomplete and did not adequately resolve the problem.
  This update to the previous advisory makes available updated packages
  based on a newer version of the patch.

  http://www.linuxsecurity.com/content/view/130307

* Debian: New iceweasel packages fix several vulnerabilities (Oct 27)
  -------------------------------------------------------------------
  Several remote vulnerabilities have been discovered in the Iceweasel
  web browser, an unbranded version of the Firefox browser. Michal
  Zalewski discovered that the unload event handler had access to the
  address of the next page to be loaded, which could allow information
  disclosure or spoofing.

  http://www.linuxsecurity.com/content/view/130304

* Debian: New xen-utils packages fix file truncation (Oct 25)
  -----------------------------------------------------------
  Steve Kemp from the Debian Security Audit project discovered that
  xen-utils, a collection of XEN administrative tools, used temporary
  files insecurely within the xenmon tool allowing local users to
  truncate arbitrary files.

  http://www.linuxsecurity.com/content/view/130295

--------------------------------------------------------------------------

* Gentoo: Opera Multiple vulnerabilities (Oct 30)
  -----------------------------------------------
  Opera contains multiple vulnerabilities, which may allow the
  execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/130385

* Gentoo: Sylpheed, Claws Mail User-assisted remote (Oct 25)
  ----------------------------------------------------------
  A format string error has been discovered in Sylpheed and Claws Mail,
  potentially leading to the remote execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/130300

* Gentoo: Qt Buffer overflow (Oct 25)
  -----------------------------------
  An off-by-one vulnerability has been discovered in Qt, possibly
  resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/130299

--------------------------------------------------------------------------

* Mandriva: Updated xen packages fix multiple vulnerabilities (Nov 1)
  -------------------------------------------------------------------
  Tavis Ormandy discovered a heap overflow flaw during video-to-video
  copy operations in the Cirrus VGA extension code that is used in Xen.
  A malicious local administrator of a guest domain could potentially
  trigger this flaw and execute arbitrary code outside of the domain
  (CVE-2007-1320).

  http://www.linuxsecurity.com/content/view/130396

--------------------------------------------------------------------------

* RedHat: Important: kernel security update (Nov 1)
  -------------------------------------------------
  Updated kernel packages that fix various security issues in the Red
  Hat Enterprise Linux 4 kernel are now available. A flaw was found in
  the aacraid SCSI driver. This allowed a local user to make ioctl
  calls to the driver that should be restricted to privileged users.
  This update has been rated as having important security impact by
  the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/130394

* RedHat: Important: cups security and bug fix update (Oct 31)
  ------------------------------------------------------------
  A flaw was found in the way CUPS handles certain Internet Printing
  Protocol (IPP) tags. A remote attacker who is able to connect to the
  IPP TCP port could send a malicious request causing the CUPS daemon
  to crash, or potentially execute arbitrary code. Please note that the
  default CUPS configuration does not allow remote hosts to connect to
  the IPP TCP port. This update has been rated as having important
  security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/130389

* RedHat: Moderate: httpd security update (Oct 25)
  ------------------------------------------------
  Updated httpd packages that fix two security issues are now available
  for Red Hat Application Stack. A flaw was found in the Apache HTTP
  Server mod_proxy module. On sites where a reverse proxy is
  configured, a remote attacker could send a carefully crafted request
  that would cause the Apache child process handling that request to
  crash. On sites where a forward proxy is configured, an attacker
  could cause a similar crash if a user could be persuaded to visit a
  malicious site using the proxy. This could lead to a denial of
  service if using a threaded Multi-Processing Module. This update has
  been rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/130297

* RedHat: Moderate: php security update (Oct 25)
  ----------------------------------------------
  Updated PHP packages that fix several security issues are now
  available for Red Hat Application Stack. Various integer overflow
  flaws were found in the PHP gd extension. A script that could be
  forced to resize images from an untrusted source could possibly allow
  a remote attacker to execute arbitrary code as the apache user. This
  update has been rated as having moderate security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/130296

--------------------------------------------------------------------------

* Slackware: firefox, seamonkey (Oct 25)
  ----------------------------------------
  New mozilla-firefox packages are available for Slackware 10.2, 11.0,
  12.0, and -current to fix security issues. New seamonkey updates are
  available for Slackware 11.0, 12.0, and -current to address similar
  issues.
  http://www.linuxsecurity.com/content/view/130292

--------------------------------------------------------------------------

* Ubuntu: libpng vulnerabilities (Oct 25)
  ----------------------------------------
  It was discovered that libpng did not properly perform bounds
  checking and comparisons in certain operations. An attacker could
  send a specially crafted PNG image and cause a denial of service in
  applications linked against libpng.

  http://www.linuxsecurity.com/content/view/130298

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

    To unsubscribe email vuln-newsletter-request@private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

__________________________________________________________________
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates, 80
exhibitors and features 100+ sessions/seminars providing a roadmap for
integrating policies and procedures with new tools and techniques.
Register now for savings on conference fees and/or free exhibits
admission. - www.csiannual.com