[ISN] Linux Advisory Watch - January 9th 2009

From: InfoSec News <alerts_at_private>
Date: Mon, 12 Jan 2009 01:10:10 -0600 (CST)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| January 9th, 2009                                Volume 10, Number 2 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for icedove, ruby, xterm, proftpd,
thunderbird, dovecot, samba, wireshark, kernel, msec, bind, lcms,
hanterm-xf, openssl, dbus, xen, and gnome-vfs.  The distributors include
Debian, Fedora, Mandriva, Red Hat, Slackware, Ubuntu, and Pardus.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
Ask someone "How much do you know about Google?" and they will answer
without a second's thought.  Ask "How much does Google know about you?"
and the reply is more likely "Wait... what!? Do they!?"  The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business, and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------
Nagios is monitoring software designed to alert you quickly to problems
on your hosts and networks, and it can be configured for use on any
network. Setting up a Nagios server on a Linux distribution is quick;
making that setup secure takes some work. This article does not cover
installing Nagios, since plenty of guides already do, but it shows in
detail how to improve the security of your Nagios server.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New icedove packages fix several vulnerabilities (Jan 7)
  ----------------------------------------------------------------
  Several remote vulnerabilities have been discovered in the Icedove
  mail client, an unbranded version of the Thunderbird mail client.

  http://www.linuxsecurity.com/content/view/147033

* Debian: New Ruby packages fix denial of service (Jan 2)
  -------------------------------------------------------
  The regular expression engine of Ruby, a scripting language, contains
  a memory leak which can be triggered remotely under certain
  circumstances, leading to a denial of service condition
  (CVE-2008-3443).

  http://www.linuxsecurity.com/content/view/146706

* Debian: New xterm packages fix remote code execution (Jan 2)
  ------------------------------------------------------------
  Paul Szabo discovered that xterm, a terminal emulator for the X
  Window System, places arbitrary characters into the input buffer when
  displaying certain crafted escape sequences (CVE-2008-2383).

  http://www.linuxsecurity.com/content/view/146705

------------------------------------------------------------------------

* Fedora 8 Update: proftpd-1.3.1-8.fc8 (Jan 7)
  --------------------------------------------
  This update fixes a security issue where an attacker could conduct
  cross-site request forgery (CSRF) attacks and execute arbitrary FTP
  commands. It also fixes some SSL shutdown issues seen with certain
  clients.

  http://www.linuxsecurity.com/content/view/146968

* Fedora 9 Update: thunderbird-2.0.0.19-1.fc9 (Jan 7)
  ---------------------------------------------------
  Update to the new upstream Thunderbird 2.0.0.19 fixing multiple
  security issues:
  http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html#thunderbird2.0.0.19
  Note: after the updated packages are installed, Thunderbird must be
  restarted for the update to take effect.

  http://www.linuxsecurity.com/content/view/146962

* Fedora 10 Update: thunderbird-2.0.0.19-1.fc10 (Jan 7)
  -----------------------------------------------------
  Update to the new upstream Thunderbird 2.0.0.19 fixing multiple
  security issues:
  http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html#thunderbird2.0.0.19
  Note: after the updated packages are installed, Thunderbird must be
  restarted for the update to take effect.

  http://www.linuxsecurity.com/content/view/146956

* Fedora 8 Update: xterm-238-1.fc8 (Jan 7)
  ----------------------------------------
  This update fixes the following security issue: CRLF injection
  vulnerability in xterm allows user-assisted attackers to execute
  arbitrary commands via LF (aka \n) characters surrounding a command
  name within a Device Control Request Status String (DECRQSS) escape
  sequence in a text file, a related issue to CVE-2003-0063 and
  CVE-2003-0071.

  http://www.linuxsecurity.com/content/view/146907

* Fedora 8 Update: dovecot-1.0.15-16.fc8 (Jan 7)
  ----------------------------------------------
  This update adds the option to store SSL passwords in a separate file
  pulled into dovecot.conf via the !include_try directive, and changes
  the permissions of deliver and dovecot.conf to prevent possible
  password exposure.

  http://www.linuxsecurity.com/content/view/146910

* Fedora 10 Update: samba-3.2.7-0.25.fc10 (Jan 7)
  -----------------------------------------------
  Security fix for CVE-2009-0022

  http://www.linuxsecurity.com/content/view/146912

* Fedora 9 Update: dovecot-1.0.15-16.fc9 (Jan 7)
  ----------------------------------------------
  This update adds the option to store SSL passwords in a separate file
  pulled into dovecot.conf via the !include_try directive, and changes
  the permissions of deliver and dovecot.conf to prevent possible
  password exposure.

  http://www.linuxsecurity.com/content/view/146902

* Fedora 10 Update: xterm-238-1.fc10 (Jan 7)
  ------------------------------------------
  This update fixes the following security issue: CRLF injection
  vulnerability in xterm allows user-assisted attackers to execute
  arbitrary commands via LF (aka \n) characters surrounding a command
  name within a Device Control Request Status String (DECRQSS) escape
  sequence in a text file, a related issue to CVE-2003-0063 and
  CVE-2003-0071.

  http://www.linuxsecurity.com/content/view/146834

* Fedora 9 Update: wireshark-1.0.5-1.fc9 (Jan 7)
  ----------------------------------------------
  Various minor security flaws were fixed in wireshark 1.0.5.

  http://www.linuxsecurity.com/content/view/146824

* Fedora 8 Update: thunderbird-2.0.0.19-1.fc8 (Jan 7)
  ---------------------------------------------------
  Update to the new upstream Thunderbird 2.0.0.19 fixing multiple
  security issues:
  http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html#thunderbird2.0.0.19
  Note: after the updated packages are installed, Thunderbird must be
  restarted for the update to take effect.

  http://www.linuxsecurity.com/content/view/146828

* Fedora 10 Update: proftpd-1.3.1-8.fc10 (Jan 7)
  ----------------------------------------------
  This update fixes a security issue where an attacker could conduct
  cross-site request forgery (CSRF) attacks and execute arbitrary FTP
  commands. It also fixes some SSL shutdown issues seen with certain
  clients.

  http://www.linuxsecurity.com/content/view/146829

* Fedora 9 Update: xterm-238-1.fc9 (Jan 7)
  ----------------------------------------
  This update fixes the following security issue: CRLF injection
  vulnerability in xterm allows user-assisted attackers to execute
  arbitrary commands via LF (aka \n) characters surrounding a command
  name within a Device Control Request Status String (DECRQSS) escape
  sequence in a text file, a related issue to CVE-2003-0063 and
  CVE-2003-0071.

  http://www.linuxsecurity.com/content/view/146795

* Fedora 9 Update: proftpd-1.3.1-8.fc9 (Jan 7)
  --------------------------------------------
  This update fixes a security issue where an attacker could conduct
  cross-site request forgery (CSRF) attacks and execute arbitrary FTP
  commands. It also fixes some SSL shutdown issues seen with certain
  clients.

  http://www.linuxsecurity.com/content/view/146800

------------------------------------------------------------------------

* Mandriva: MDVA-2009:007 kernel (Jan 7)
  --------------------------------------
  The security fix for CVE-2007-6716 in the previous kernel update
  introduced a regression in direct I/O that surfaced when running
  pvcreate. This update provides a corrected patch.

  http://www.linuxsecurity.com/content/view/147078

* Mandriva: MDVA-2009:002 msec (Jan 5)
  ------------------------------------
  This update fixes the following two issues with msec: when changing
  to a higher security level, permit_root_login is not handled
  correctly (bug #19726)

  http://www.linuxsecurity.com/content/view/146710

------------------------------------------------------------------------

* RedHat: Moderate: bind security update (Jan 8)
  ----------------------------------------------
  Updated Bind packages to correct a security issue are now available
  for Red Hat Enterprise Linux 2.1, 3, 4, and 5. A flaw was discovered
  in the way BIND checked the return value of the OpenSSL DSA_do_verify
  function: an error return was treated as a successful verification.
  On systems using DNSSEC, a malicious zone could present a malformed
  DSA signature (the advisory calls it a certificate) that BIND would
  accept as valid, allowing spoofing attacks. (CVE-2009-0025) This
  update has been rated as having moderate security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/147114

* RedHat: Important: kernel security update (Jan 8)
  -------------------------------------------------
  Updated kernel packages that fix a number of security issues are now
  available for Red Hat Enterprise Linux 2.1 running on 32-bit
  architectures. This update has been rated as having important
  security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/147112

* RedHat: Moderate: lcms security update (Jan 7)
  ----------------------------------------------
  Updated lcms packages that resolve several security issues are now
  available for Red Hat Enterprise Linux 5. Multiple insufficient input
  validation flaws were discovered in LittleCMS. An attacker could use
  these flaws to create a specially-crafted image file which could
  cause an application using LittleCMS to crash, or, possibly, execute
  arbitrary code when opened.

  http://www.linuxsecurity.com/content/view/147029

* RedHat: Important: hanterm-xf security update (Jan 7)
  -----------------------------------------------------
  An updated hanterm-xf package to correct a security issue is now
  available for Red Hat Enterprise Linux 2.1. A flaw was found in the
  Hanterm handling of Device Control Request Status String (DECRQSS)
  escape sequences. An attacker could create a malicious text file (or
  log entry, if unfiltered) that could run arbitrary commands if read
  by a victim inside a Hanterm window. (CVE-2008-2383)

  http://www.linuxsecurity.com/content/view/147030

* RedHat: Important: openssl security update (Jan 7)
  --------------------------------------------------
  Updated OpenSSL packages that correct a security issue are now
  available for Red Hat Enterprise Linux 2.1, 3, 4, and 5. The Google
  security team discovered a flaw in the way OpenSSL checked the return
  value of its own signature verification routines during certificate
  validation. An attacker in control of a malicious server, or able to
  effect a "man in the middle" attack, could present a malformed SSL/TLS
  signature from a certificate chain to a vulnerable client and bypass
  validation. This update has been rated as having important security
  impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/147027
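
The BIND (CVE-2009-0025) and OpenSSL (CVE-2008-5077) items above are the
same bug class: OpenSSL's DSA_do_verify() and EVP_VerifyFinal() return 1
for a good signature, 0 for a bad one and -1 when the signature cannot
even be decoded, and a caller that tests only "!= 0" accepts the error
case as a successful verification. The C program below is an added
example written for this newsletter, not BIND, OpenSSL or Red Hat code;
mock_dsa_do_verify() and its label strings are a constructed stand-in so
the program runs without libcrypto, and only the two accept functions
differ.

```c
/* Added example, not BIND, OpenSSL or Red Hat code. OpenSSL's DSA_do_verify()
 * (and EVP_VerifyFinal()) return 1 when the signature verifies, 0 when it is
 * well-formed but wrong, and -1 when the signature could not be decoded at
 * all. Code that tests only "!= 0" treats that error case as success: a
 * garbage blob the library could not parse is accepted, which is the pattern
 * behind CVE-2008-5077 and CVE-2009-0025. mock_dsa_do_verify() is a
 * constructed stand-in returning the same three codes without doing any DSA
 * arithmetic, so this runs without libcrypto. */
#include <stdio.h>
#include <string.h>

/* Stand-in for DSA_do_verify(): the strings are constructed labels, not real
 * signatures. Anything other than the two known labels counts as undecodable. */
static int mock_dsa_do_verify(const char *sig)
{
    if (strcmp(sig, "VALID") == 0)   return 1;    /* signature verifies    */
    if (strcmp(sig, "INVALID") == 0) return 0;    /* well-formed but wrong */
    return -1;                                    /* decode error          */
}

/* Vulnerable pattern: any non-zero result is taken as "verified", so the -1
 * error path lets a malformed signature through as valid. */
int vulnerable_accepts(const char *sig)
{
    return mock_dsa_do_verify(sig) != 0;
}

/* Fixed pattern: only an explicit 1 means verified; 0 and -1 both reject.
 * Against the real API the fix is the same one-line change:
 *     if (DSA_do_verify(...) != 1) goto fail; */
int fixed_accepts(const char *sig)
{
    return mock_dsa_do_verify(sig) == 1;
}

int main(void)
{
    const char *inputs[] = { "VALID", "INVALID", "MALFORMED" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-10s vulnerable=%d fixed=%d\n", inputs[i],
               vulnerable_accepts(inputs[i]), fixed_accepts(inputs[i]));
    return 0;
}
```

The third row is the one that matters: the vulnerable check accepts
"MALFORMED", the fixed check does not. When auditing code that calls
OpenSSL verification routines, grep for the return value being compared
against 0 or used as a plain boolean; only a comparison against 1 is
correct.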

* RedHat: Moderate: dbus security update (Jan 7)
  ----------------------------------------------
  Updated dbus packages that fix a security issue are now available for
  Red Hat Enterprise Linux 5. A denial-of-service flaw was discovered
  in the system for sending messages between applications. A local user
  could send a message with a malformed signature to the bus causing
  the bus (and, consequently, any process using libdbus to receive
  messages) to abort.

  http://www.linuxsecurity.com/content/view/147028

* RedHat: Important: xterm security update (Jan 7)
  ------------------------------------------------
  An updated xterm package to correct a security issue is now available
  for Red Hat Enterprise Linux 3, 4, and 5. A flaw was found in the
  xterm handling of Device Control Request Status String (DECRQSS)
  escape sequences. An attacker could create a malicious text file (or
  log entry, if unfiltered) that could run arbitrary commands if read
  by a victim inside an xterm window. (CVE-2008-2383)

  http://www.linuxsecurity.com/content/view/147026
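
The DECRQSS problem behind the xterm and hanterm-xf advisories above
(Debian, Fedora and Red Hat) is that the emulator echoes part of a
crafted escape sequence back to the application as if it had been typed,
so a command wrapped in LF characters inside that sequence runs in the
reader's shell. Patching the emulator is the fix; the defence in depth on
the reader's side is to never write untrusted bytes (logs, downloaded
text) to a terminal unfiltered. The C filter below is an added example
written for this newsletter, not xterm, hanterm or Red Hat code; the
sample log line, the function names and the 7-bit-only handling are
assumptions made for the demonstration.

```c
/* Added example, not xterm, hanterm or Red Hat code: strip terminal control
 * sequences from untrusted text (a log file, a downloaded README) before
 * writing it to a terminal, so a DECRQSS request of the form
 *     ESC P $ q <payload> ESC \
 * never reaches the emulator and cannot have its payload echoed back as
 * keyboard input. The attack line in main() is constructed for this demo.
 * Assumption: only 7-bit ESC-introduced sequences are handled; 8-bit C1
 * introducers (0x90 DCS, 0x9b CSI) are left alone because in a UTF-8 locale
 * those byte values occur inside ordinary multibyte characters. */
#include <stdio.h>
#include <string.h>

#define ESC 0x1b

/* Copies src to dst, dropping every ESC-introduced sequence (CSI, DCS, OSC,
 * SOS, PM, APC, nF and two-byte ESC x forms) and every other control byte
 * except TAB and LF. dst must hold at least strlen(src) + 1 bytes. Returns
 * the number of bytes written, not counting the terminating NUL. */
size_t strip_escapes(const char *src, char *dst)
{
    size_t i = 0, o = 0;

    while (src[i] != '\0') {
        unsigned char c = (unsigned char)src[i];

        if (c == ESC) {
            unsigned char k = (unsigned char)src[i + 1];
            if (k == '[') {
                /* CSI: ESC [ params (0x30-0x3f) intermediates (0x20-0x2f) final (0x40-0x7e) */
                i += 2;
                while (src[i] != '\0' &&
                       ((unsigned char)src[i] < 0x40 || (unsigned char)src[i] > 0x7e))
                    i++;
                if (src[i] != '\0')
                    i++;                          /* consume the final byte */
            } else if (k == 'P' || k == ']' || k == 'X' || k == '^' || k == '_') {
                /* DCS / OSC / SOS / PM / APC: string runs until ST (ESC \) or BEL.
                 * The whole string, including any embedded LF, is discarded;
                 * an unterminated string swallows the rest of the input. */
                i += 2;
                while (src[i] != '\0') {
                    if (src[i] == '\a') { i++; break; }
                    if ((unsigned char)src[i] == ESC && src[i + 1] == '\\') { i += 2; break; }
                    i++;
                }
            } else if (k >= 0x20 && k <= 0x2f) {
                /* nF escape (ESC ( B, ESC # 8, ...): intermediates then one final 0x30-0x7e */
                i += 2;
                while (src[i] != '\0' &&
                       (unsigned char)src[i] >= 0x20 && (unsigned char)src[i] <= 0x2f)
                    i++;
                if (src[i] != '\0')
                    i++;
            } else if (k == '\0') {
                i++;                              /* lone ESC at end of input */
            } else {
                i += 2;                           /* ESC c, ESC 7, ESC = ...: drop both bytes */
            }
            continue;
        }

        if ((c < 0x20 && c != '\n' && c != '\t') || c == 0x7f) {
            i++;                                  /* other C0 controls and DEL */
            continue;
        }

        dst[o++] = (char)c;
        i++;
    }
    dst[o] = '\0';
    return o;
}

/* Convenience wrapper returning the sanitized text in a static buffer
 * (not thread-safe; input longer than the buffer is truncated). */
const char *stripped(const char *src)
{
    static char buf[4096];
    char tmp[4096];
    size_t n = strlen(src);

    if (n >= sizeof tmp)
        n = sizeof tmp - 1;
    memcpy(tmp, src, n);
    tmp[n] = '\0';
    strip_escapes(tmp, buf);
    return buf;
}

int main(void)
{
    /* Constructed log line: an innocent-looking sshd entry carrying a DECRQSS
     * request whose payload is "\nrm -rf ~\n"; a vulnerable xterm would echo
     * that payload back as if the user had typed it. */
    const char *line =
        "Jan  7 12:00:01 host sshd[1]: Failed password for "
        "\x1bP$q\nrm -rf ~\n\x1b\\"
        " from 10.0.0.1\n";
    char clean[256];

    strip_escapes(line, clean);
    fputs(clean, stdout);
    return 0;
}
```

The same check can be done ad hoc before paging an untrusted file: `less`
without -r or -R displays ESC as ^[ rather than passing it to the
terminal, and `cat -v` makes every control byte visible.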

* RedHat: Moderate: thunderbird security update (Jan 7)
  -----------------------------------------------------
  Updated thunderbird packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4 and 5. Several flaws were
  found in the processing of malformed HTML mail content. An HTML mail
  message containing malicious content could cause Thunderbird to crash
  or, potentially, execute arbitrary code as the user running
  Thunderbird. (CVE-2008-5500,

  http://www.linuxsecurity.com/content/view/147023

* RedHat: Moderate: xen security and bug fix update (Jan 7)
  ---------------------------------------------------------
  Updated xen packages that resolve several security issues and a bug
  are now available for Red Hat Enterprise Linux 5. Xen was found to
  allow unprivileged DomU domains to overwrite xenstore values which
  should only be changeable by the privileged Dom0 domain. An attacker
  controlling a DomU domain could, potentially, use this flaw to kill
  arbitrary processes in Dom0 or trick a Dom0 user into accessing the
  text console of a different domain running on the same host. This
  update makes certain parts of the xenstore tree read-only to the
  unprivileged DomU domains. (CVE-2008-4405)

  http://www.linuxsecurity.com/content/view/147024

* RedHat: Moderate: gnome-vfs, gnome-vfs2 security update (Jan 7)
  ---------------------------------------------------------------
  Updated GNOME VFS packages that fix a security issue are now
  available for Red Hat Enterprise Linux 2.1, 3 and 4. A buffer
  overflow flaw was discovered in the GNOME virtual file system when
  handling data returned by CDDB servers. If a user connected to a
  malicious CDDB server, an attacker could use this flaw to execute
  arbitrary code on the victim's machine.

  http://www.linuxsecurity.com/content/view/147025

* RedHat: Important: kernel security update (Jan 5)
  -------------------------------------------------
  Updated kernel packages that fix a number of security issues are now
  available for Red Hat Enterprise Linux 2.1 running on 64-bit
  architectures. This update has been rated as having important
  security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/146707

------------------------------------------------------------------------

* Slackware: samba (Jan 5)
  ------------------------
  New samba packages are available for Slackware 12.2 and -current to
  fix a security issue. More details about this issue may be found in
  the Common Vulnerabilities and Exposures (CVE) database:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0022

  http://www.linuxsecurity.com/content/view/146715

------------------------------------------------------------------------

* Ubuntu: Samba vulnerability (Jan 5)
  -----------------------------------
  Gunter Höckel discovered that Samba with registry shares enabled did
  not properly validate share names. An authenticated user could gain
  access to the root filesystem by using an older version of smbclient
  and specifying an empty string as a share name. This is only an issue
  if registry shares are enabled on the server by setting "registry
  shares = yes", "include = registry", or "config backend = registry",
  which is not the default.

  http://www.linuxsecurity.com/content/view/146709

------------------------------------------------------------------------

* Pardus: Samba Security Bypass (Jan 8)
  -------------------------------------
  A security issue has been reported in Samba, which can be exploited
  by malicious users to bypass certain security restrictions.

  http://www.linuxsecurity.com/content/view/147113


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


Received on Sun Jan 11 2009 - 23:10:10 PST
