[ISN] Linux Advisory Watch: December 12th, 2008

From: InfoSec News <alerts_at_private>
Date: Mon, 15 Dec 2008 03:14:42 -0600 (CST)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| December 12th, 2008                              Volume 9, Number 50 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for uw-imap, lcms, streamripper,
cups, java, tar, opensc, mgetty, vinagre, vim, clamav, bluez-utils,
libsamplerate, apahche2, ruby, php, and nfs-utils.  The distributors
include Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, and
Ubuntu.

---

Earn your MS in Info Assurance online

Norwich University's Master of Science in Information Assurance (MSIA)
program, designated by the National Security Agency as providing
academically excellent education in Information Assurance, provides
you with the skills to manage and lead an organization-wide
information security program and the tools to fluently communicate
the intricacies of information security at an executive level.

http://www.linuxsecurity.com/ads/adclick.php?bannerid=12

---

A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

---

Never Installed a Firewall on Ubuntu? Try Firestarter
-----------------------------------------------------
When I typed on Google "Do I really need a firewall?" 695,000 results
came across.  And I'm pretty sure they must be saying  "Hell yeah!".
In my opinion, no one would ever recommend anyone to sit naked on the
internet keeping in mind the insecurity internet carries these days,
unless you really know what you are doing.

Read on for more information on Firestarter.

http://www.linuxsecurity.com/content/view/142641

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New uw-imap packages fix multiple vulnerabilities (Dec 12)
  ------------------------------------------------------------------
  It was discovered that several buffer overflows can be triggered via
  a long folder extension argument to the tmail or dmail program. This
  could lead to arbitrary code execution (CVE-2008-5005).

  http://www.linuxsecurity.com/content/view/145812

* Debian: New lcms packages fix multiple vulnerabilities (Dec 10)
  ---------------------------------------------------------------
  Inadequate enforcement of fixed-length buffer limits allows an
  attacker to overflow a buffer on the stack, potentially enabling
  the execution of arbitrary code when a maliciously-crafted	 image
  is opened.

  http://www.linuxsecurity.com/content/view/145729

* Debian: New streamripper packages fix potential code execution (Dec 8)
  ----------------------------------------------------------------------
  Multiple buffer overflows involving HTTP header and playlist parsing
  have been discovered in streamripper (CVE-2007-4337, CVE-2008-4829).

  http://www.linuxsecurity.com/content/view/145608

* Debian: New Linux 2.6.24 packages fix several vulnerabilities (Dec 4)
  ---------------------------------------------------------------------
  Eugene Teo reported a local DoS issue in the ext2 and ext3
  filesystems.	Local users who have been granted the privileges
  necessary to mount a filesystem would be able to craft a corrupted
  filesystem that causes the kernel to output error messages in an
  infinite loop.

  http://www.linuxsecurity.com/content/view/145234

* Debian: New clamav packages fix potential code execution (Dec 4)
  ----------------------------------------------------------------
  Moritz Jodeit discovered that ClamAV, an anti-virus solution, suffers
  from an off-by-one-error in its VBA project file processing, leading
  to a heap-based buffer overflow and potentially arbitrary code
  execution (CVE-2008-5050).

  http://www.linuxsecurity.com/content/view/145229

------------------------------------------------------------------------

* Fedora 8 Update: cups-1.3.9-2.fc8 (Dec 9)
  -----------------------------------------
  Security update to fix CVE-2008-5183.  Also included is a fix for
  incorrect form-feed handling in the textonly filter.

  http://www.linuxsecurity.com/content/view/145657

* Fedora 9 Update: cups-1.3.9-2.fc9 (Dec 9)
  -----------------------------------------
  Security update to fix CVE-2008-5183.    Also fixed in this update
  are a bug that caused cups-polld to fail to resolve hostnames, a bug
  that could cause libcups to get stuck in a loop, and incorrect
  form-feed handling in the textonly filter.

  http://www.linuxsecurity.com/content/view/145642

* Fedora 10 Update: cups-1.3.9-4.fc10 (Dec 9)
  -------------------------------------------
  Security update to fix CVE-2008-5183.    Also changed in this update:
     * a bug that caused cups-polld to fail to resolve hostnames has
  been fixed  * a bug that could cause libcups to get stuck in a loop
  has been fixed  * the dnssd backend has been removed as it is not
  working correctly and can prevent printers being added

  http://www.linuxsecurity.com/content/view/145623

* Fedora 10 Update: java-1.6.0-openjdk-1.6.0.0-7.b12.fc10 (Dec 6)
  ---------------------------------------------------------------
  OpenJDK security patches applied.

  http://www.linuxsecurity.com/content/view/145496

------------------------------------------------------------------------

* Gentoo: CUPS Multiple vulnerabilities (Dec 10)
  ----------------------------------------------
  Several remotely exploitable bugs have been found in CUPS, which
  allow remote execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/145737

* Gentoo: Archive:Tar: Directory traversal vulnerability (Dec 10)
  ---------------------------------------------------------------
  A directory traversal vulnerability has been discovered in
  Archive::Tar.

  http://www.linuxsecurity.com/content/view/145732

* Gentoo: OpenSC Insufficient protection of smart card PIN (Dec 10)
  -----------------------------------------------------------------
  Smart cards formatted using OpenSC do not sufficiently protect the
  PIN, allowing attackers to reset it.

  http://www.linuxsecurity.com/content/view/145731

* Gentoo: Mgetty Insecure temporary file usage (Dec 6)
  ----------------------------------------------------
  =3D=3D=3D=3D=3D=3D=3D=3D Mgetty uses temporary files in an insecure
  manner, allowing for symlink attacks.

  http://www.linuxsecurity.com/content/view/145246

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVA-2008:197 ] mandriva-kde-config (Dec 10)
  -------------------------------------------------------------------------------------
  On Mandriva Linux 2009.0, every time a web page was opened under
  Konqueror, or opened in a new tab, it showed the HTML code in an
  editor instead of the website.  This update makes Konqueror display
  websites correctly instead of pure HTML code.

  http://www.linuxsecurity.com/content/view/145736

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:240 ] vinagre (Dec 10)
  --------------------------------------------------------------------------
  Alfredo Ortega found a flaw in how Vinagre uses format strings. A
  remote attacker could exploit this vulnerability if they were able to
  trick a user into connecting to a malicious VNC server, or opening a
  specially crafted URI with Vinagre.  With older versions of Vinagre,
  it was possible to execute arbitrary code with user privileges. In
  later versions, Vinagre would abort, leading to a denial of service.
  The updated packages have been patched to prevent this issue.

  http://www.linuxsecurity.com/content/view/145734

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:236-1 ] vim (Dec 8)
  -----------------------------------------------------------------------
  Several vulnerabilities were found in the vim editor: A number of
  input sanitization flaws were found in various vim system functions.
  If a user were to open a specially crafted file, it would be possible
  to execute arbitrary code as the user running vim (CVE-2008-2712).

  http://www.linuxsecurity.com/content/view/145611

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:239 ] clamav (Dec 5)
  ------------------------------------------------------------------------
  Ilja van Sprundel found that ClamAV contained a denial of service
  vulnerability in how it handled processing JPEG files, due to it not
  limiting the recursion depth when processing JPEG thumbnails
  (CVE-2008-5314). Other bugs have also been corrected in 0.94.2 which
  is being provided with this update.

  http://www.linuxsecurity.com/content/view/145245

* Mandriva: Subject: [Security Announce] [ MDVA-2008:189 ] bluez-utils (Dec 5)
  ----------------------------------------------------------------------------
  An incorrect configuration was preventing PIN authentication for
  Bluetooth devices under GNOME and KDE4.  This package updates fixes
  the issue.

  http://www.linuxsecurity.com/content/view/145243

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:238 ] libsamplerate (Dec 4)
  -------------------------------------------------------------------------------
  A buffer overflow was found by Russell O'Conner in the libsamplerate
  library versions prior to 0.1.4 that could possibly lead to the
  execution of arbitrary code via a specially crafted audio file
  (CVE-2008-5008).

  http://www.linuxsecurity.com/content/view/145240

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:237 ] apache2 (Dec 4)
  -------------------------------------------------------------------------
  A vulnerability was discovered in the mod_proxy module in Apache
  where it did not limit the number of forwarded interim responses,
  allowing remote HTTP servers to cause a denial of service (memory
  consumption) via a large number of interim responses (CVE-2008-2364).
  This update also provides HTTP/1.1 compliance fixes. The updated
  packages have been patched to prevent this issue.

  http://www.linuxsecurity.com/content/view/145237

------------------------------------------------------------------------

* RedHat: Moderate: Red Hat Application Stack v2.2 (Dec 4)
  --------------------------------------------------------
  Red Hat Application Stack v2.2 is now available.  This update fixes
  several security issues and adds various enhancements.A flaw was
  found in the mod_proxy module. An attacker  who has control of a web
  server to which requests are being proxied could cause a limited
  denial of service due to CPU consumption and stack exhaustion.
  (CVE-2008-2364)

  http://www.linuxsecurity.com/content/view/145239

* RedHat: Critical: java-1.5.0-sun security update (Dec 4)
  --------------------------------------------------------
  Updated java-1.5.0-sun packages that correct several security issues
  are now available for Red Hat Enterprise Linux 4 Extras and 5
  Supplementary. This update has been rated as having critical security
  impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/145233

* RedHat: Moderate: ruby security update (Dec 4)
  ----------------------------------------------
  Updated ruby packages that fix a security issue are now available for
  Red Hat Enterprise Linux 4 and 5. This update has been rated as
  having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/145231

* RedHat: Critical: java-1.6.0-sun security update (Dec 4)
  --------------------------------------------------------
  Updated java-1.6.0-sun packages that correct several security issues
  are now available for Red Hat Enterprise Linux 4 Extras and 5
  Supplementary. This update has been rated as having critical security
  impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/145232

------------------------------------------------------------------------

* Slackware:   php (Dec 5)
  ------------------------
  New php packages are available for Slackware 12.0, 12.1, and -current
  to fix security issues, as well as make improvements and fix bugs.

  http://www.linuxsecurity.com/content/view/145241

------------------------------------------------------------------------

* Ubuntu:  nfs-utils vulnerability (Dec 4)
  ----------------------------------------
  It was discovered that nfs-utils did not properly enforce netgroup
  restrictions when using TCP Wrappers. Remote attackers could bypass
  the netgroup restrictions enabled by the administrator and possibly
  gain access to sensitive information.

  http://www.linuxsecurity.com/content/view/145238

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


_______________________________________________      
Help InfoSecNews.org with a donation!
http://www.infosecnews.org/donate.html
Received on Mon Dec 15 2008 - 01:14:42 PST

This archive was generated by hypermail 2.2.0 : Mon Dec 15 2008 - 01:32:53 PST