[ISN] Linux Advisory Watch: July 25th, 2008

From: InfoSec News <alerts_at_private>
Date: Fri, 25 Jul 2008 07:31:59 -0500 (CDT)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| July 25th, 2008                                  Volume 9, Number 30 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for clamav, xulrunner, iceweasel,
lighthttpd, libgd2, ruby, xemacs, wireshark, mysql, thunderbird, php,
acroread, dnsmasq, firefox, and seamonkey.  The distributors include
Debian, Mandriva, Red Hat, Slackware, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Security Features of Firefox 3.0
--------------------------------
Let's take a look at the security features of the newly released Firefox
3.0. Since its release on Tuesday I have been testing it out to see
how the new security enhancements work and help increase user
browsing security.  One of the exciting improvements for me was how
Firefox handles SSL-secured web sites while browsing the Internet.
There are also many other security features that this article will look
at, for example improved plugin and addon security.

Read on for more security features of Firefox 3.0.

http://www.linuxsecurity.com/content/view/138972

---

Review: The Book of Wireless
----------------------------
"The Book of Wireless" by John Ross is an answer to the problem of
learning about wireless networking. With the widespread use of
wireless networks today, anyone with a computer should at least know the
basics of wireless. Also, with wireless networking, users need to
know how to protect themselves from wireless networking attacks.

http://www.linuxsecurity.com/content/view/136167

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
  -------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.19 (Version 3.0, Release 19).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/136174

------------------------------------------------------------------------

* Debian: new clamav packages fix denial of service (Jul 24)
  ----------------------------------------------------------
  Damian Put discovered a vulnerability in the ClamAV anti-virus
  toolkit's parsing of Petite-packed Win32 executables.  The weakness
  leads to an invalid memory access, and could enable an attacker to
  crash clamav by supplying a maliciously crafted Petite-compressed
  binary for scanning. In some configurations, such as when clamav is
  used in combination with mail servers, this could cause a system to
  "fail open," facilitating a follow-on viral attack.

  http://www.linuxsecurity.com/content/view/140238
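  The "fail open" caveat above is the part a mail administrator has to
  act on: if the scanner crashes on a crafted attachment, the MTA must
  defer the message rather than deliver it unscanned. The wrapper below
  is an added example written for this newsletter, not code from the
  Debian advisory or from ClamAV. The exit statuses follow the
  clamscan(1)/clamdscan(1) man page (0 = clean, 1 = infected, 2 = error);
  the scanner command line and message path are assumptions, and a
  process killed by a signal shows up as a negative return code.

```python
import subprocess

# Scanner exit statuses as documented for clamscan/clamdscan.
CLEAN, INFECTED, ERROR = 0, 1, 2


def verdict(returncode, fail_closed=True):
    """Map a scanner exit status (or None for a timeout) to an MTA decision.

    Only an explicit "clean" result accepts the message.  A crash
    (negative code = killed by signal), an error status, or a timeout is
    not a clean result: fail closed by asking the MTA to tempfail so the
    sender retries once the scanner is healthy again.  The fail-open
    variant, shown for contrast, treats anything that is not "infected"
    as clean, which is exactly what lets a crafted attachment slip past
    a crashing scanner."""
    if returncode == INFECTED:
        return "reject"
    if returncode == CLEAN:
        return "accept"
    return "tempfail" if fail_closed else "accept"


def scan_message(path, scanner=("clamdscan", "--no-summary"),
                 timeout=60, fail_closed=True):
    """Run the scanner on one message file and return accept/reject/tempfail.

    `scanner` is an assumed command line; adjust for the local install."""
    try:
        proc = subprocess.run([*scanner, path], capture_output=True,
                              timeout=timeout)
    except FileNotFoundError:
        # Scanner binary missing: an operational error, not a clean scan.
        return verdict(ERROR, fail_closed)
    except subprocess.TimeoutExpired:
        # A hung scanner (e.g. stuck on a malformed packed binary) must
        # not be read as "nothing found".
        return verdict(None, fail_closed)
    return verdict(proc.returncode, fail_closed)


if __name__ == "__main__":
    for code in (CLEAN, INFECTED, ERROR, -11, None):
        print(code, verdict(code), verdict(code, fail_closed=False))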

* Debian: New xulrunner packages fix several vulnerabilities (Jul 23)
  -------------------------------------------------------------------
  Several remote vulnerabilities have been discovered in Xulrunner, a
  runtime environment for XUL applications. The Common Vulnerabilities
  and Exposures project identifies the following problems:

  http://www.linuxsecurity.com/content/view/140196

* Debian: New iceweasel packages fix several vulnerabilities (Jul 23)
  -------------------------------------------------------------------
  Several remote vulnerabilities have been discovered in the Iceweasel
  web browser, an unbranded version of the Firefox browser. It was
  discovered that missing boundary checks on a reference counter for
  CSS objects can lead to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/140194

* Debian: New lighttpd packages fix regression (Jul 23)
  -----------------------------------------------------
  It was discovered that lighttpd, a fast webserver with minimal memory
  footprint, did not correctly handle SSL errors.  This could allow
  a remote attacker to disconnect all active SSL connections.

  http://www.linuxsecurity.com/content/view/140193

* Debian: new libgd2 packages fix multiple vulnerabilities (Jul 22)
  -----------------------------------------------------------------
  Grayscale PNG files containing invalid tRNS chunk CRC values
  could cause a denial of service (crash), if a maliciously crafted
  image is loaded into an application using libgd.

  http://www.linuxsecurity.com/content/view/140069
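  The libgd2 entry above turns on one detail of the PNG format: every
  chunk carries a CRC32 over its type and data, and a reader that acts
  on a chunk (here the grayscale tRNS transparency entry) before checking
  that CRC is trusting data the file itself says is bad. The parser below
  is an added example for this newsletter, not libgd's code or the Debian
  fix; it builds a constructed 1x1 grayscale PNG with a tRNS chunk,
  optionally corrupts that chunk's CRC the way the advisory describes, and
  shows a consumer that rejects the file cleanly instead of proceeding.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


class PNGError(ValueError):
    """Raised for any structural problem; the caller never sees bad chunks."""


def build_chunk(ctype, data, corrupt_crc=False):
    """Serialise one chunk: 4-byte length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    if corrupt_crc:
        crc ^= 0xDEADBEEF          # deliberately wrong CRC for the test case
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_grayscale_png(corrupt_trns_crc=False):
    """Constructed sample: 1x1, 8-bit grayscale PNG with a tRNS chunk."""
    # IHDR: width, height, bit depth 8, colour type 0 (grayscale),
    # compression 0, filter 0, interlace 0
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    trns = struct.pack(">H", 0)    # for colour type 0: one 2-byte grey value
    idat = zlib.compress(b"\x00" + b"\x80")   # filter byte + one pixel
    return (PNG_SIGNATURE
            + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"tRNS", trns, corrupt_crc=corrupt_trns_crc)
            + build_chunk(b"IDAT", idat)
            + build_chunk(b"IEND", b""))


def parse_png_chunks(blob):
    """Return [(type, data), ...], verifying length and CRC of every chunk
    before its data is handed to anyone."""
    if not blob.startswith(PNG_SIGNATURE):
        raise PNGError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(blob):
        if len(blob) - pos < 12:
            raise PNGError("truncated chunk header")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        # The declared length is attacker controlled; bound it by the
        # bytes actually present before slicing.
        if length > len(blob) - pos - 12:
            raise PNGError(f"chunk {ctype!r}: length {length} exceeds file")
        data = blob[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        actual_crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        if stored_crc != actual_crc:
            raise PNGError(f"chunk {ctype!r}: CRC mismatch "
                           f"(stored {stored_crc:#010x}, computed {actual_crc:#010x})")
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def validate_png(blob):
    """'ok' if every chunk checks out, otherwise the reason for rejection."""
    try:
        parse_png_chunks(blob)
        return "ok"
    except PNGError as exc:
        return str(exc)


if __name__ == "__main__":
    print(validate_png(build_grayscale_png()))
    print(validate_png(build_grayscale_png(corrupt_trns_crc=True)))
```

  The check is cheap and belongs before any chunk-specific handling;
  an image library that only verifies CRCs on the critical chunks, or
  that keeps going after a CRC error, is exactly the shape of reader the
  advisory is about.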

* Debian: New ruby1.8 packages fix several vulnerabilities (Jul 21)
  -----------------------------------------------------------------
  Several vulnerabilities have been discovered in the interpreter for
  the Ruby language, which may lead to denial of service or the
  execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/140064

------------------------------------------------------------------------

* Mandriva: Updated xemacs packages fix vulnerability (Jul 23)
  ------------------------------------------------------------
  A vulnerability in xemacs was found where an attacker could provide a
  group of files containing local variable definitions and arbitrary
  Lisp code to be executed when one of the provided files is opened by
  xemacs (CVE-2008-2142). The updated packages have been patched to
  correct this issue.

  http://www.linuxsecurity.com/content/view/140198

* Mandriva: Updated emacs packages fix vulnerability (Jul 23)
  -----------------------------------------------------------
  A vulnerability in emacs was found where an attacker could provide a
  group of files containing local variable definitions and arbitrary
  Lisp code to be executed when one of the provided files is opened by
  emacs (CVE-2008-2142). The updated packages have been patched to
  correct this issue.

  http://www.linuxsecurity.com/content/view/140197

* Mandriva: Updated wireshark packages fix denial of service vulnerability (Jul 22)
  ---------------------------------------------------------------------------------
  A vulnerability was found in Wireshark, that could cause it to crash
  while processing malicious packets. This update provides Wireshark
  1.0.2, which is not affected by this issue.

  http://www.linuxsecurity.com/content/view/140073

* Mandriva: Updated libxslt packages fix buffer overflow vulnerability (Jul 21)
  -----------------------------------------------------------------------------
  A buffer overflow vulnerability in libxslt could be exploited via an
  XSL style sheet file with a long XSLT transformation match condition,
  which could possibly lead to the execution of arbitrary code
  (CVE-2008-1767). The updated packages have been patched to correct
  this issue.

  http://www.linuxsecurity.com/content/view/140068

* Mandriva: Updated mysql packages fix vulnerabilities (Jul 19)
  -------------------------------------------------------------
  Multiple buffer overflows in yaSSL, which is used in MySQL, allowed
  remote attackers to execute arbitrary code (CVE-2008-0226) or cause a
  denial of service via a special Hello packet (CVE-2008-0227). Sergei
  Golubchik found that MySQL did not properly validate optional data or
  index directory paths given in a CREATE TABLE statement; as well it
  would not, under certain conditions, prevent two databases from using
  the same paths for data or index files.  This could allow an
  authenticated user with appropriate privilege to create tables in one
  database to read and manipulate data in tables later created in other
  databases, regardless of GRANT privileges (CVE-2008-2079). The
  updated packages have been patched to correct these issues.

  http://www.linuxsecurity.com/content/view/140060

* Mandriva: Updated mysql packages fix vulnerabilities (Jul 19)
  -------------------------------------------------------------
  Sergei Golubchik found that MySQL did not properly validate optional
  data or index directory paths given in a CREATE TABLE statement; as
  well it would not, under certain conditions, prevent two databases
  from using the same paths for data or index files.  This could allow
  an authenticated user with appropriate privilege to create tables in
  one database to read and manipulate data in tables later created in
  other databases, regardless of GRANT privileges (CVE-2008-2079). The
  updated packages have been patched to correct this issue.

  http://www.linuxsecurity.com/content/view/140059

* Mandriva: Updated Firefox packages fix vulnerabilities (Jul 17)
  ---------------------------------------------------------------
  Security vulnerabilities have been discovered and corrected in the
  latest Mozilla Firefox program, version 2.0.0.16 (CVE-2008-2785,
  CVE-2008-2933).

  http://www.linuxsecurity.com/content/view/140006

------------------------------------------------------------------------

* RedHat: Moderate: thunderbird security update (Jul 23)
  ------------------------------------------------------
  Updated thunderbird packages that fix a security issue are now
  available for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux
  5. This update has been rated as having moderate security impact by
  the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/140199

* RedHat: Important: kernel security and bug fix update (Jul 23)
  --------------------------------------------------------------
  Updated kernel packages that fix a security issue and several bugs
  are now available for Red Hat Enterprise Linux 4. This update has
  been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/140191

* RedHat: Moderate: php security update (Jul 22)
  ----------------------------------------------
  Updated PHP packages that fix several security issues are now
  available for Red Hat Application Stack v1. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/140070

* RedHat: Critical: acroread security update (Jul 21)
  ---------------------------------------------------
  Updated acroread packages that fix various security issues are now
  available for Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5
  Supplementary. This update has been rated as having critical security
  impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/140063

------------------------------------------------------------------------

* Slackware:   dnsmasq (Jul 23)
  -----------------------------
  New dnsmasq packages are available for Slackware 10.0, 10.1, 10.2,
  11.0, 12.0, 12.1, and -current to address possible DNS cache
  poisoning issues. More details about this issue may be found in the
  Common Vulnerabilities and Exposures (CVE) database:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

  http://www.linuxsecurity.com/content/view/140200

* Slackware:   mozilla-firefox (Jul 17)
  -------------------------------------
  New mozilla-firefox packages are available for Slackware 10.2, 11.0,
  12.0, and 12.1 to fix security issues. More details about the issues
  may be found on the Mozilla site:
  http://www.mozilla.org/security/known-vulnerabilities/firefox20.html

  http://www.linuxsecurity.com/content/view/139938

* Slackware:   seamonkey (Jul 17)
  -------------------------------
  New seamonkey packages are available for Slackware 11.0, 12.0, 12.1,
  and -current to fix security issues. More details about the issues
  may be found here:
  http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html

  http://www.linuxsecurity.com/content/view/139939

------------------------------------------------------------------------

* Ubuntu:  PHP vulnerabilities (Jul 23)
  -------------------------------------
  It was discovered that PHP did not properly check the length of the
  string parameter to the fnmatch function. An attacker could cause a
  denial of service in the PHP interpreter if a script passed untrusted
  input to the fnmatch function. (CVE-2007-4782)

  http://www.linuxsecurity.com/content/view/140195

* Ubuntu:  Dnsmasq vulnerability (Jul 22)
  ---------------------------------------
  Dan Kaminsky discovered weaknesses in the DNS protocol as implemented
  by Dnsmasq. A remote attacker could exploit this to spoof DNS entries
  and poison DNS caches. Among other things, this could lead to
  misdirected email and web traffic.

  http://www.linuxsecurity.com/content/view/140072
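  Both dnsmasq entries in this issue (Slackware above and Ubuntu here)
  address the same DNS cache-poisoning weakness, CVE-2008-1447, and the
  fix in every affected resolver is the same: randomize the UDP source
  port of outbound queries so an off-path attacker has to guess much more
  than a 16-bit transaction ID. The quickest way to confirm a patched
  resolver is to capture its outbound queries and look at the ports. The
  script below is an added example for this newsletter, not part of the
  advisories or of dnsmasq; it runs the check over constructed
  (source port, TXID) pairs standing in for a packet capture, and the
  "fixed", "sequential" and "random" sample modes are assumptions about
  what an unpatched, a poorly patched and a patched resolver look like.

```python
import math
import random


def constructed_capture(n, seed, mode):
    """Constructed stand-in for (source_port, txid) pairs pulled from a
    capture of one resolver's outbound queries.  Not real traffic.
    mode: 'fixed' (one port for everything), 'sequential' (port + 1 per
    query) or 'random' (port drawn from 1024..65535)."""
    rng = random.Random(seed)
    pairs = []
    for i in range(n):
        if mode == "fixed":
            port = 32768
        elif mode == "sequential":
            port = 32768 + i
        else:
            port = rng.randint(1024, 65535)
        pairs.append((port, rng.randint(0, 0xFFFF)))
    return pairs


def assess_query_entropy(pairs):
    """Judge how guessable a resolver's outbound queries are.

    With a fixed or predictable source port the attacker only has to
    hit the 16-bit TXID; real port randomization multiplies the work by
    the spread of ports in use.  The bit estimate is rough (16 TXID bits
    plus log2 of the observed port spread) and only meant to rank
    resolvers, not to measure them precisely."""
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    distinct_ports = len(set(ports))
    deltas = {b - a for a, b in zip(ports, ports[1:])}

    if distinct_ports == 1:
        verdict = "fixed source port"
    elif len(deltas) == 1:
        verdict = "sequential source port"
    elif distinct_ports < len(pairs) // 2:
        verdict = "low source-port diversity"
    else:
        verdict = "randomized source port"

    port_spread = max(ports) - min(ports) + 1
    est_bits = 16.0
    if verdict == "randomized source port":
        est_bits += math.log2(port_spread)

    return {
        "samples": len(pairs),
        "distinct_ports": distinct_ports,
        "distinct_txids": len(set(txids)),
        "estimated_bits": round(est_bits, 1),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for mode in ("fixed", "sequential", "random"):
        print(mode, assess_query_entropy(constructed_capture(200, 1, mode)))
```

  To use it on a real resolver, feed it the UDP source port and DNS ID
  of each outbound query taken from a capture on the resolver's
  upstream interface. A "fixed" or "sequential" verdict on a dnsmasq
  host means the update has not taken effect (or a NAT in front of it
  is rewriting ports back into a predictable sequence, which undoes the
  fix and is worth checking separately).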

* Ubuntu:  Firefox vulnerabilities (Jul 17)
  -----------------------------------------
  A flaw was discovered in the browser engine. A variable could be made
  to overflow causing the browser to crash. If a user were tricked into
  opening a malicious web page, an attacker could cause a denial of
  service or possibly execute arbitrary code with the privileges of the
  user invoking the program. (CVE-2008-2785)

  http://www.linuxsecurity.com/content/view/140005

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


Received on Fri Jul 25 2008 - 05:31:59 PDT

This archive was generated by hypermail 2.2.0 : Fri Jul 25 2008 - 05:54:46 PDT