[ISN] Linux Advisory Watch - October 10th 2008

From: InfoSec News <alerts_at_private>
Date: Sat, 11 Oct 2008 02:03:06 -0500 (CDT)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| October 10th, 2008                               Volume 9, Number 41 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for iceweasel, mon, mplayer, feta,
postfix, libxml, wordnet, portage, rpm, timezone, drakxtools, mono,
pam_krb5, cups, condor, kernel, and tomcat.  The distributors include
Debian, Fedora, Gentoo, Mandriva, and Red Hat.

---

Earn your MS in Info Assurance online

Norwich University's Master of Science in Information Assurance (MSIA)
program, designated by the National Security Agency as providing
academically excellent education in Information Assurance, provides you
with the skills to manage and lead an organization-wide information
security program and the tools to fluently communicate the intricacies
of information security at an executive level.

http://www.linuxsecurity.com/ads/adclick.php?bannerid=12

---

Never Installed a Firewall on Ubuntu? Try Firestarter
-----------------------------------------------------
When I typed on Google "Do I really need a firewall?" 695,000 results
came across.  And I'm pretty sure they must be saying  "Hell yeah!".
In my opinion, no one would ever recommend anyone to sit naked on the
internet keeping in mind the insecurity internet carries these days,
unless you really know what you are doing.

Read on for more information on Firestarter.

http://www.linuxsecurity.com/content/view/142641

---

Review: Hacking Exposed Linux, Third Edition
--------------------------------------------
"Hacking Exposed Linux" by  ISECOM (Institute for Security and Open
Methodologies) is a guide to help you secure your Linux environment.
This book does not only help improve your security it looks at why you
should. It does this by showing examples of real attacks and rates the
importance of protecting yourself from being a victim of each type of
attack.

http://www.linuxsecurity.com/content/view/141165

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.21 Now Available (Oct 7)
  -----------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.21 (Version 3.0, Release 21). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  In distribution since 2001, EnGarde Secure Community was one of the
  very first security platforms developed entirely from open source,
  and has been engineered from the ground-up to provide users and
  organizations with complete, secure Web functionality, DNS, database,
  e-mail security and even e-commerce.

  http://www.linuxsecurity.com/content/view/143039

------------------------------------------------------------------------

* Debian: New iceweasel packages fix several vulnerabilities (Oct 8)
  ------------------------------------------------------------------
  Several remote vulnerabilities have been discovered in the Iceweasel
  web browser, an unbranded version of the Firefox browser. The Common
  Vulnerabilities and Exposures project identifies the following
  problems:

  http://www.linuxsecurity.com/content/view/143053

* Debian: New mon packages fix insecure temporary files (Oct 8)
  -------------------------------------------------------------
  Dmitry E. Oboukhov discovered that the test.alert script used in one
  of the  alert functions in mon, a system to monitor hosts or services
  and alert  about problems, creates temporary files insecurely, which
  may lead to a local  denial of service through symlink attacks.

  http://www.linuxsecurity.com/content/view/143051

* Debian: New mplayer packages fix integer overflows (Oct 5)
  ----------------------------------------------------------
  Felipe Andres Manzano discovered that mplayer, a multimedia player,
  is vulnerable to several integer overflows in the Real video stream
  demuxing code.  These flaws could allow an attacker to cause a denial
  of service (a crash) or potentially the execution of arbitrary code
  by supplying a maliciously crafted video file.

  http://www.linuxsecurity.com/content/view/142955

* Debian: New feta packages fix denial of service (Oct 5)
  -------------------------------------------------------
  Dmitry E. Oboukhov discovered that the "to-upgrade" plugin of Feta, a
  simpler interface to APT, dpkg, and other Debian package tools
  creates temporary files insecurely, which may lead to local denial of
  service through symlink attacks.

  http://www.linuxsecurity.com/content/view/142954

------------------------------------------------------------------------

* Fedora 9 Update: postfix-2.5.5-1.fc9 (Oct 9)
  --------------------------------------------
  New upstream patch level version 2.5.5, including multiple security
  fixes detailed in upstream announcements:
  http://www.postfix.org/announcements/20080814.html
  http://www.postfix.org/announcements/20080902.html

  http://www.linuxsecurity.com/content/view/143104

* Fedora 8 Update: postfix-2.5.5-1.fc8 (Oct 9)
  --------------------------------------------
  New upstream patch level version 2.5.5, including multiple security
  fixes detailed in upstream announcements:
  http://www.postfix.org/announcements/20080814.html
  http://www.postfix.org/announcements/20080902.html

  http://www.linuxsecurity.com/content/view/143089

* Fedora 9 Update: libxml2-2.7.1-2.fc9 (Oct 3)
  --------------------------------------------
  This is an urgent security fix for a bug newly introduced in
  libxml2-2.7.x leading to CPU and memory exhaustion.	 See upstream
  bug report for further details:
  https://bugzilla.gnome.org/show_bug.cgi?id=554660

  http://www.linuxsecurity.com/content/view/142907

------------------------------------------------------------------------

* Gentoo: Portage Untrusted search path local root vulnerability (Oct 9)
  ----------------------------------------------------------------------
  A search path vulnerability in Portage allows local attackers to
  execute commands with root privileges if emerge is called from
  untrusted directories.

  http://www.linuxsecurity.com/content/view/143057

* Gentoo: WordNet Execution of arbitrary code (Oct 7)
  ---------------------------------------------------
  Multiple vulnerabilities were found in WordNet, possibly allowing for
  the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/143040

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVA-2008:134 ] rpm (Oct 7)
  --------------------------------------------------------------------
  This package update adds support for LZMA compression in rpm. This
  will allow users of Mandriva Linux 2007.1 to upgrade to the Mandriva
  Linux 2009.0 release.

  http://www.linuxsecurity.com/content/view/143045

* Mandriva: Subject: [Security Announce] [ MDVA-2008:133 ] timezone (Oct 7)
  -------------------------------------------------------------------------
  Updated timezone packages are being provided for older Mandriva Linux
  systems that do not contain new Daylight Savings Time information and
  Time Zone information for some locations. These updated packages
  contain the new information.

  http://www.linuxsecurity.com/content/view/143044

* Mandriva: Subject: [Security Announce] [ MDVA-2008:132 ] mandriva-release (Oct 3)
  ---------------------------------------------------------------------------------
  mandriva-release for Mandriva 2008 Spring should contain a
  product_branch set to Official, and not devel, otherwise it could
  lead to an error with the new mdkonline. The updated package fixes
  it.

  http://www.linuxsecurity.com/content/view/142953

* Mandriva: Subject: [Security Announce] [ MDVA-2008:131 ] rpmdrake (Oct 3)
  -------------------------------------------------------------------------
  This update fixes several minor issues in rpmdrake: - it fixes a
  crash due to bad timing with the X server (#41010) - it fix empty per
  importance lists of updates in rpmdrake (list of all updates was OK,
  MandrivaUpdate was OK) (#41331) (regression introduced in 3.95 on
  2007-09-14)

  http://www.linuxsecurity.com/content/view/142952

* Mandriva: Subject: [Security Announce] [ MDVA-2008:130 ] drakxtools (Oct 3)
  ---------------------------------------------------------------------------
  This update fixes several minor issues in drakxtools: - it fixes
  management of XEN kernels in bootloader-config, when adding a new
  kernel, a xen entry should not replace an existing 'linux' (#40865) -
  it fixes a crash in rpmdrake when description begins by Gtk2::..
  (#43802) It also really enable draksnapashot to use Gtk+-2's new
  FileChooserDialog in future.

  http://www.linuxsecurity.com/content/view/142951

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:210 ] mono (Oct 3)
  ----------------------------------------------------------------------
  CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier
  allows remote attackers to inject arbitrary HTTP headers and conduct
  HTTP response splitting attacks via CRLF sequences in the query
  string. The updated packages have been patched to fix the issue.

  http://www.linuxsecurity.com/content/view/142950

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:209 ] pam_krb5 (Oct 3)
  --------------------------------------------------------------------------
  Stphane Bertin discovered a flaw in the pam_krb5 existing_ticket
  configuration option where, if enabled and using an existing
  credential cache, it was possible for a local user to gain elevated
  privileges by using a different, local user's credential cache
  (CVE-2008-3825). The updated packages have been patched to prevent
  this issue.

  http://www.linuxsecurity.com/content/view/142949

------------------------------------------------------------------------

* RedHat: Important: cups security update (Oct 10)
  ------------------------------------------------
  Updated cups packages that fix multiple security issues are now
  available for Red Hat Enterprise Linux 3, 4, and 5. A buffer overflow
  flaw was discovered in the SGI image format decoding routines used by
  the CUPS image converting filter "imagetops". An attacker could
  create a malicious SGI image file that could, possibly, execute
  arbitrary code as the "lp" user if the file was printed.

  http://www.linuxsecurity.com/content/view/143128

* RedHat: Moderate: condor security, (Oct 7)
  ------------------------------------------
  Updated condor packages that fix multiple security issues, several
  bugs and introduce feature enhancements are now available for Red Hat
  Enterprise MRG 1.0 for Red Hat Enterprise Linux 4. This update has
  been rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/143043

* RedHat: Moderate: condor security, (Oct 7)
  ------------------------------------------
  Updated condor packages that address multiple security issues, fix
  several bugs, and introduce feature enhancements are now available
  for Red Hat Enterprise MRG 1.0 for Red Hat Enterprise Linux 5. This
  update has been rated as having moderate security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/143042

* RedHat: Important: kernel security and bug fix update (Oct 7)
  -------------------------------------------------------------
  Updated kernel packages that fix several security issues and several
  bugs are now available for Red Hat Enterprise MRG 1.0. This update
  has been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/143041

* RedHat: Important: tomcat security update (Oct 2)
  -------------------------------------------------
  Updated tomcat packages that fix multiple security issues are now
  available for Red Hat Developer Suite 3. This update has been rated
  as having important security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/142866

* RedHat: Moderate: pam_krb5 security update (Oct 2)
  --------------------------------------------------
  An updated pam_krb5 package that fixes a security issue is now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/142867

* RedHat: Important: tomcat security update (Oct 2)
  -------------------------------------------------
  Updated tomcat packages that fix several security issues are now
  available for Red Hat Application Server v2. This update has been
  rated as having important security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/142865

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


__________________________________________________      
Register now for HITBSecConf2008 - Malaysia! With 
a new triple-track conference featuring 4 keynote 
speakers and over 35 international experts, this 
is the largest network security event in Asia and 
the Middle East! 
http://conference.hackinthebox.org/hitbsecconf2008kl/
Received on Sat Oct 11 2008 - 00:03:06 PDT

This archive was generated by hypermail 2.2.0 : Sat Oct 11 2008 - 00:10:26 PDT