[ISN] Linux Advisory Watch: November 21st, 2008

From: InfoSec News <alerts_at_private>
Date: Mon, 24 Nov 2008 02:19:56 -0600 (CST)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| November 21st, 2008                              Volume 9, Number 47 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week advisories were released for python, libxml, clamav, php,
kernel, dovecot, firefox, gnutls, gdm, thunderbird, net-snmp, HPLIP,
and mysql.  The distributors include Debian, Fedora, Gentoo, Mandriva,
Red Hat, Slackware, and Ubuntu.

---

Earn your MS in Info Assurance online

Norwich University's Master of Science in Information Assurance (MSIA)
program, designated by the National Security Agency as providing
academically excellent education in Information Assurance, provides
you with the skills to manage and lead an organization-wide
information security program and the tools to fluently communicate
the intricacies of information security at an executive level.

http://www.linuxsecurity.com/ads/adclick.php?bannerid=12

---

A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

---

Never Installed a Firewall on Ubuntu? Try Firestarter
-----------------------------------------------------
When I typed on Google "Do I really need a firewall?" 695,000 results
came across.  And I'm pretty sure they must be saying  "Hell yeah!".
In my opinion, no one would ever recommend anyone to sit naked on the
internet keeping in mind the insecurity internet carries these days,
unless you really know what you are doing.

Read on for more information on Firestarter.

http://www.linuxsecurity.com/content/view/142641

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.21 Now Available (Oct 7)
  -----------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.21 (Version 3.0, Release 21). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  In distribution since 2001, EnGarde Secure Community was one of the
  very first security platforms developed entirely from open source,
  and has been engineered from the ground-up to provide users and
  organizations with complete, secure Web functionality, DNS, database,
  e-mail security and even e-commerce.

  http://www.linuxsecurity.com/content/view/143039

------------------------------------------------------------------------

* Debian: New python2.4 packages fix several vulnerabilities (Nov 19)
  -------------------------------------------------------------------
  David Remahl discovered several integer overflows in the
  stringobject, unicodeobject,	bufferobject, longobject,
  tupleobject, stropmodule, gcmodule, and mmapmodule modules.

  http://www.linuxsecurity.com/content/view/144443

* Debian: New libxml2 packages fix several vulnerabilities (Nov 17)
  -----------------------------------------------------------------
  Several vulnerabilities have been discovered in the GNOME XML
  library. The Common Vulnerabilities and Exposures project identifies
  the  following problems: Drew Yao discovered that missing input
  sanitising in the	xmlBufferResize() function may lead to an
  infinite loop,     resulting in denial of service.

  http://www.linuxsecurity.com/content/view/144333

------------------------------------------------------------------------

* Fedora 9 Update: libxml2-2.7.2-2.fc9 (Nov 19)
  ---------------------------------------------
  Fixes a couple of security issues when overflowing text data size of
  buffer size.

  http://www.linuxsecurity.com/content/view/144423

* Fedora 8 Update: clamav-0.92.1-4.fc8 (Nov 14)
  ---------------------------------------------
  Security fixes from upstream 0.94 and 0.94.1:    CVE-2008-3912
  (#461461): Multiple out-of-memory NULL pointer dereferences
  CVE-2008-3913 (#461461): Fix memory leak in the error code path in
  freshclam  CVE-2008-3914 (#461461): File descriptor leak on the error
  code path  CVE-2008-5050 (#470783): get_unicode_name() off-by-one
  buffer overflow

  http://www.linuxsecurity.com/content/view/144239

* Fedora 9 Update: clamav-0.93.3-2.fc9 (Nov 14)
  ---------------------------------------------
  Security fixes from upstream 0.94 and 0.94.1:    CVE-2008-1389
  (#461461): Invalid memory access in the CHM unpacker	CVE-2008-3912
  (#461461): Multiple out-of-memory NULL pointer dereferences
  CVE-2008-3913 (#461461): Fix memory leak in the error code path in
  freshclam  CVE-2008-3914 (#461461): Multiple file descriptor leaks on
  the error code path  CVE-2008-5050 (#470783): get_unicode_name()
  off-by-one buffer overflow

  http://www.linuxsecurity.com/content/view/144223

------------------------------------------------------------------------

* Gentoo: PHP Multiple vulnerabilities (Nov 16)
  ---------------------------------------------
  PHP contains several vulnerabilities including buffer and integer
  overflows which could lead to the remote execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/144327

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:220-1 ] kernel (Nov 19)
  ---------------------------------------------------------------------------
  Some vulnerabilities were discovered and corrected in the Linux 2.6
  kernel: The snd_seq_oss_synth_make_info function in
  sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the
  Linux kernel before 2.6.27-rc2 does not verify that the device number
  is within the range defined by max_synthdev before returning certain
  data to the caller, which allows local users to obtain sensitive
  information. (CVE-2008-3272)

  http://www.linuxsecurity.com/content/view/144448

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:232 ] dovecot (Nov 19)
  --------------------------------------------------------------------------
  The ACL plugin in dovecot prior to version 1.1.4 treated negative
  access rights as though they were positive access rights, which
  allowed attackers to bypass intended access restrictions
  (CVE-2008-4577).

  http://www.linuxsecurity.com/content/view/144446

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:231 ] libxml2 (Nov 18)
  --------------------------------------------------------------------------
  Drew Yaro of the Apple Product Security Team found two flaws in
  libxml2.  The first is a denial of service flaw in libxml2's XML
  parser.  If an application linked against libxml2 were to process
  certain malformed XML content, it cause the application to enter an
  infinite loop (CVE-2008-4225).

  http://www.linuxsecurity.com/content/view/144336

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:230 ] firefox (Nov 17)
  --------------------------------------------------------------------------
  Security vulnerabilities have been discovered and corrected in the
  latest Mozilla Firefox 3.x, version 3.0.4 (CVE-2008-0017,
  CVE-2008-5014, CVE-2008-5015, CVE-2008-5016, CVE-2008-5017,
  CVE-2008-5018, CVE-2008-5019, CVE-2008-5021, CVE-2008-5022,
  CVE-2008-5023, CVE-2008-5024). This update provides the latest
  Mozilla Firefox 3.x to correct these issues.

  http://www.linuxsecurity.com/content/view/144334

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:227-1 ] gnutls (Nov 17)
  ---------------------------------------------------------------------------
  Martin von Gagern found a flow in how GnuTLS versions 1.2.4 up until
  2.6.1 verified certificate chains provided by a server.  A malicious
  server could use this flaw to spoof its identity by tricking client
  applications that used the GnuTLS library to trust invalid
  certificates (CVE-2008-4989).

  http://www.linuxsecurity.com/content/view/144332

* Mandriva: Subject: [Security Announce] [ MDVA-2008:171 ] gdm (Nov 14)
  ---------------------------------------------------------------------
  An incorrect memory deallocation was causing a crash when the GNOME
  display manager was exiting.	This package update fixes this issue
  and includes additional bug fixes and translation updates.

  http://www.linuxsecurity.com/content/view/144322

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:229 ] clamav (Nov 14)
  -------------------------------------------------------------------------
  An off-by-one error was found in ClamAV versions prior to 0.94.1 that
  could allow remote attackers to cause a denial of service or possibly
  execute arbitrary code via a crafted VBA project file
  (CVE-2008-5050). Other bugs have also been corrected in 0.94.1 which
  is being provided with this update.

  http://www.linuxsecurity.com/content/view/144321

------------------------------------------------------------------------

* RedHat: Moderate: thunderbird security update (Nov 19)
  ------------------------------------------------------
  Updated thunderbird packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/144451

* RedHat: Important: kernel security and bug fix update (Nov 19)
  --------------------------------------------------------------
  Updated kernel packages that resolve several security issues and fix
  various bugs are now available for Red Hat Enterprise Linux 4. This
  update has been rated as having important security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/144442

* RedHat: Important: libxml2 security update (Nov 17)
  ---------------------------------------------------
  Updated libxml2 packages that fix security issues are now available
  for Red Hat Enterprise Linux 2.1, 3, 4, and 5. This update has been
  rated as having important security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/144330

------------------------------------------------------------------------

* Slackware:   libxml2 (Nov 20)
  -----------------------------
  New libxml2 packages are available for Slackware 10.0, 10.1, 10.2,
  11.0, 12.0, 12.1, and -current to fix security issues including a
  denial or service or the possible execution of arbitrary code if
  untrusted XML is processed. More details about the issues may be
  found in the Common Vulnerabilities and Exposures (CVE) database:

  http://www.linuxsecurity.com/content/view/144454

* Slackware:   mozilla-firefox (Nov 16)
  -------------------------------------
  New mozilla-firefox packages are available for Slackware 10.2, 11.0,
  12.0, 12.1, and -current to fix security issues. More details may be
  found on the Mozilla web site:
  http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
  Or, for Slackware -current (using Firefox 3.0.x):
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

  http://www.linuxsecurity.com/content/view/144323

* Slackware:   net-snmp (Nov 16)
  ------------------------------
  New net-snmp packages are available for Slackware 12.0, 12.1, and
  -current to fix a denial of service issue. More details about this
  issue may be found in the Common Vulnerabilities and Exposures (CVE)
  database:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4309

  http://www.linuxsecurity.com/content/view/144324

* Slackware:   gnutls (Nov 16)
  ----------------------------
  New gnutls packages are available for Slackware 12.0, 12.1, and
  -current to correctly fix the certificate chain verification issue
  that the upgrade to gnutls-2.6.1 attempted to fix.  Without this
  upgrade, processing a certificate chain containing only one
  self-signed certificate may cause GnuTLS linked programs to crash.

  http://www.linuxsecurity.com/content/view/144325

* Slackware:   seamonkey (Nov 16)
  -------------------------------
  New seamonkey packages are available for Slackware 11.0, 12.0, 12.1,
  and -current to fix security issues. More details may be found on the
  Mozilla web site:
  http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.htm
  l

  http://www.linuxsecurity.com/content/view/144326

------------------------------------------------------------------------

* Ubuntu:  HPLIP vulnerabilities (Nov 19)
  ---------------------------------------
  It was discovered that the hpssd tool of hplip did not validate
  privileges in the alert-mailing function. A local attacker could
  exploit this to gain privileges and send e-mail messages from the
  account of the hplip user. This update alters hplip behaviour by
  preventing users from setting alerts and by moving alert
  configuration to a root-controlled /etc/hp/alerts.conf file.
  (CVE-2008-2940) It was discovered that the hpssd tool of hplip did
  not correctly handle certain commands. A local attacker could use a
  specially crafted packet to crash hpssd, leading to a denial of
  service. (CVE-2008-2941)

  http://www.linuxsecurity.com/content/view/144445

* Ubuntu:  MySQL vulnerabilities (Nov 17)
  ---------------------------------------
  It was discovered that MySQL could be made to overwrite existing
  table files in the data directory. An authenticated user could use
  the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass
  privilege checks. This update alters table creation behaviour by
  disallowing the use of the MySQL data directory in DATA DIRECTORY and
  INDEX DIRECTORY options. (CVE-2008-2079, CVE-2008-4097 and
  CVE-2008-4098) It was discovered that MySQL did not handle empty
  bit-string literals properly. An attacker could exploit this problem
  and cause the MySQL server to crash, leading to a denial of service.
  (CVE-2008-3963)

  http://www.linuxsecurity.com/content/view/144331

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


_______________________________________________      
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss
Received on Mon Nov 24 2008 - 00:19:56 PST

This archive was generated by hypermail 2.2.0 : Mon Nov 24 2008 - 00:29:30 PST