[ISN] Linux Advisory Watch: October 3rd, 2008

From: InfoSec News <alerts_at_private>
Date: Mon, 6 Oct 2008 01:19:50 -0500 (CDT)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| October 3rd, 2008                                Volume 9, Number 40 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for clamav, wireshark, pam_mount,
openafs, mozilla-thunderbird, mozilla-firefox, xen, seamonkey, and
xulrunner.  The distributors include Gentoo, Mandriva, Red Hat,
Slackware, and Ubuntu.

---

Never Installed a Firewall on Ubuntu? Try Firestarter
-----------------------------------------------------
When I typed on Google "Do I really need a firewall?" 695,000 results
came across.  And I'm pretty sure they must be saying "Hell yeah!".
In my opinion, no one would ever recommend anyone to sit naked on the
internet keeping in mind the insecurity internet carries these days,
unless you really know what you are doing.

Read on for more information on Firestarter.

http://www.linuxsecurity.com/content/view/142641

---

Review: Hacking Exposed Linux, Third Edition
--------------------------------------------
"Hacking Exposed Linux" by ISECOM (Institute for Security and Open
Methodologies) is a guide to help you secure your Linux environment.
This book not only helps improve your security, it also looks at why
you should. It does this by showing examples of real attacks and rating
the importance of protecting yourself from being a victim of each type
of attack.

http://www.linuxsecurity.com/content/view/141165

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.20 Now Available (Aug 19)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.20 (Version 3.0, Release 20). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  In distribution since 2001, EnGarde Secure Community was one of the
  very first security platforms developed entirely from open source,
  and has been engineered from the ground-up to provide users and
  organizations with complete, secure Web functionality, DNS, database,
  e-mail security and even e-commerce.

  http://www.linuxsecurity.com/content/view/141173

------------------------------------------------------------------------

* Gentoo: ClamAV Multiple Denials of Service (Sep 25)
  ---------------------------------------------------
  Multiple vulnerabilities in ClamAV may result in a Denial of Service.

  http://www.linuxsecurity.com/content/view/142640

* Gentoo: Wireshark Multiple Denials of Service (Sep 25)
  ------------------------------------------------------
  Multiple Denial of Service vulnerabilities have been discovered in
  Wireshark.

  http://www.linuxsecurity.com/content/view/142639

* Gentoo: Git User-assisted execution of arbitrary code (Sep 25)
  --------------------------------------------------------------
  Multiple buffer overflow vulnerabilities have been discovered in Git.

  http://www.linuxsecurity.com/content/view/142638

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:208 ] pam_mount (Sep 29)
  ----------------------------------------------------------------------------
  pam_mount 0.10 through 0.45, when luserconf is enabled, does not
  verify mountpoint and source ownership before mounting a user-defined
  volume, which allows local users to bypass intended access
  restrictions via a local mount. The updated packages have been
  patched to fix the issue.

  http://www.linuxsecurity.com/content/view/142769

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:207 ] openafs (Sep 29)
  --------------------------------------------------------------------------
  A race condition in OpenAFS 1.3.40 through 1.4.5 allowed remote
  attackers to cause a denial of service (daemon crash) by
  simultaneously acquiring and giving back file callbacks
  (CVE-2007-6559). The updated packages have been patched to prevent
  this issue.

  http://www.linuxsecurity.com/content/view/142768

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:206 ] mozilla-thunderbird (Sep 26)
  --------------------------------------------------------------------------------------
  A number of security vulnerabilities have been discovered and
  corrected in the latest Mozilla Thunderbird program, version 2.0.0.17
  (CVE-2008-0016, CVE-2008-3835, CVE-2008-4058, CVE-2008-4059,
  CVE-2008-4060, CVE-2008-4061, CVE-2008-4062, CVE-2008-4065,
  CVE-2008-4066, CVE-2008-4067, CVE-2008-4068, CVE-2008-4070). This
  update provides the latest Thunderbird to correct these issues.

  http://www.linuxsecurity.com/content/view/142647

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:205 ] mozilla-firefox (Sep 25)
  ----------------------------------------------------------------------------------
  Security vulnerabilities have been discovered and corrected in the
  latest Mozilla Firefox program, version 2.0.0.17 (CVE-2008-0016,
  CVE-2008-3835, CVE-2008-3836, CVE-2008-3837, CVE-2008-4058,
  CVE-2008-4059, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062,
  CVE-2008-4065, CVE-2008-4066, CVE-2008-4067, CVE-2008-4068,
  CVE-2008-4069). This update provides the latest Firefox to correct
  these issues.

  http://www.linuxsecurity.com/content/view/142642

------------------------------------------------------------------------

* RedHat: Moderate: wireshark security update (Oct 1)
  ---------------------------------------------------
  Updated wireshark packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3, 4, and 5. This update has
  been rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/142862

* RedHat: Important: xen security and bug fix update (Oct 1)
  ----------------------------------------------------------
  Updated xen packages that resolve a couple of security issues and fix
  a bug are now available for Red Hat Enterprise Linux 5. This update
  has been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/142863

* RedHat: Moderate: thunderbird security update (Oct 1)
  -----------------------------------------------------
  Updated thunderbird packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/142864

------------------------------------------------------------------------

* Slackware:   mozilla-thunderbird (Sep 27)
  -----------------------------------------
  New mozilla-thunderbird packages are available for Slackware 10.2,
  11.0, 12.0, 12.1, and -current to fix security issues. More details
  about the issues may be found on the Mozilla site:
  http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html

  http://www.linuxsecurity.com/content/view/142648

* Slackware:   mozilla-firefox (Sep 26)
  -------------------------------------
  New mozilla-firefox packages are available for Slackware 10.2, 11.0,
  12.0, 12.1, and -current to fix security issues. More details about
  the issues may be found on the Mozilla site:
  http://www.mozilla.org/security/known-vulnerabilities/firefox20.html

  http://www.linuxsecurity.com/content/view/142644

* Slackware:   seamonkey (Sep 26)
  -------------------------------
  New seamonkey packages are available for Slackware 11.0, 12.0, 12.1,
  and -current to fix security issues. More details about the issues
  may be found here:
  http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html

  http://www.linuxsecurity.com/content/view/142645

------------------------------------------------------------------------

* Ubuntu:  Thunderbird vulnerabilities (Sep 25)
  ---------------------------------------------
  It was discovered that the same-origin check in Thunderbird could be
  bypassed. If a user had JavaScript enabled and were tricked into
  opening a malicious website, an attacker may be able to execute
  JavaScript in the context of a different website. (CVE-2008-3835)

  Several problems were discovered in the browser engine of
  Thunderbird. If a user had JavaScript enabled, this could allow an
  attacker to execute code with chrome privileges. (CVE-2008-4058,
  CVE-2008-4059, CVE-2008-4060)

  http://www.linuxsecurity.com/content/view/142643

* Ubuntu:  Firefox and xulrunner regression (Sep 25)
  --------------------------------------------------
  USN-645-1 fixed vulnerabilities in Firefox and xulrunner. The
  upstream patches introduced a regression in the saved password
  handling. While password data was not lost, if a user had saved any
  passwords with non-ASCII characters, Firefox could not access the
  password database. This update fixes the problem.

  http://www.linuxsecurity.com/content/view/142636

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------

Received on Sun Oct 05 2008 - 23:19:50 PDT