[ISN] Linux Advisory Watch - January 23rd 2009

From: InfoSec News <alerts_at_private>
Date: Mon, 26 Jan 2009 00:11:04 -0600 (CST)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| January 23rd, 2009                               Volume 10, Number 4 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for iceweasel, amarok, netatalk,
drupal, mumbles, moodle, uw-imap, devIL, net-snmp, scilab, php,
xine-lib, kdebase, ffmpeg, mplayer, thunderbird, bind, ntp, and perl.
The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat,
Slackware, SuSE, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" You may not take even a
second to respond.  But if I may ask "How much does Google know about
you"? You may instantly reply "Wait... what!? Do they!?"  The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New iceweasel packages fix several vulnerabilities (Jan 15)
  -------------------------------------------------------------------
  Several remote vulnerabilities have been discovered in the Iceweasel
  web browser, an unbranded version of the Firefox browser. The Common
  Vulnerabilities and Exposures project identifies the following
  problems...

  http://www.linuxsecurity.com/content/view/147395

* Debian: New amarok packages fix arbitrary code execution (Jan 15)
  -----------------------------------------------------------------
  Tobias Klein discovered that integer overflows in the code the Amarok
  media player uses to parse Audible files may lead to the execution of
  arbitrary code.

  http://www.linuxsecurity.com/content/view/147394

* Debian: New netatalk packages fix arbitrary code execution (Jan 15)
  -------------------------------------------------------------------
  It was discovered that netatalk, an implementation of the AppleTalk
  suite, is affected by a command injection vulnerability when
  processing PostScript streams via papd.  This could lead to the
  execution of arbitrary code.	Please note that this only affects
  installations that are configured to use a pipe command in
  combination with wildcard symbols substituted with values of the
  printed job.

  http://www.linuxsecurity.com/content/view/147391

------------------------------------------------------------------------

* Fedora 10 Update: drupal-6.9-1.fc10 (Jan 22)
  --------------------------------------------
  SA-CORE-2009-001 ( http://drupal.org/node/358957 )	Remember to log
  in to your site as the admin user before upgrading this package.
  After upgrading the package, browse to http://host/drupal/update.php
  to run the upgrade script.

  http://www.linuxsecurity.com/content/view/147690

* Fedora 9 Update: drupal-6.9-1.fc9 (Jan 22)
  ------------------------------------------
  SA-CORE-2009-001 ( http://drupal.org/node/358957 )	Remember to log
  in to your site as the admin user before upgrading this package.
  After upgrading the package, browse to http://host/drupal/update.php
  to run the upgrade script.

  http://www.linuxsecurity.com/content/view/147691

* Fedora 9 Update: amarok-1.4.10-2.fc9 (Jan 22)
  ---------------------------------------------
  This build includes a security fix concerning the parsing of
  malformed Audible digital audio files.

  http://www.linuxsecurity.com/content/view/147692

* Fedora 10 Update: mumbles-0.4-9.fc10 (Jan 22)
  ---------------------------------------------
  - Fixed path to make mumbles run on x86_64 bug #479158  - Security
  fix for Firefox plugin bug #479171

  http://www.linuxsecurity.com/content/view/147693

* Fedora 9 Update: moodle-1.9.3-5.fc9 (Jan 22)
  --------------------------------------------
  Fix for spellcheck security flaw, and some font correction.

  http://www.linuxsecurity.com/content/view/147694

* Fedora 10 Update: moodle-1.9.3-5.fc10 (Jan 22)
  ----------------------------------------------
  Fix for spellcheck security flaw, and some font correction.

  http://www.linuxsecurity.com/content/view/147695

* Fedora 10 Update: uw-imap-2007e-1.fc10 (Jan 22)
  -----------------------------------------------
  Update to new upstream version - 2007e.    Contains fix for a
  security issue - buffer overflow in rfc822_output_char /
  rfc822_output_data (CVE-2008-5514).

  http://www.linuxsecurity.com/content/view/147696

* Fedora 9 Update: DevIL-1.7.5-2.fc9 (Jan 22)
  -------------------------------------------
  - Fix missing symbols (rh 480269)  - Fix off by one error in
  CVE-2008-5262 check (rh 479864)

  http://www.linuxsecurity.com/content/view/147697

* Fedora 9 Update: uw-imap-2007e-1.fc9 (Jan 22)
  ---------------------------------------------
  Update to new upstream version - 2007e.    Contains fix for a
  security issue - buffer overflow in rfc822_output_char /
  rfc822_output_data (CVE-2008-5514).

  http://www.linuxsecurity.com/content/view/147698

* Fedora 10 Update: DevIL-1.7.5-2.fc10 (Jan 22)
  ---------------------------------------------
  - Fix missing symbols (rh 480269)  - Fix off by one error in
  CVE-2008-5262 check (rh 479864)

  http://www.linuxsecurity.com/content/view/147699

------------------------------------------------------------------------

* Gentoo: Net-SNMP Denial of Service (Jan 21)
  -------------------------------------------
  A vulnerability in Net-SNMP could lead to a Denial of Service.

  http://www.linuxsecurity.com/content/view/147682

* Gentoo: Scilab Insecure temporary file usage (Jan 21)
  -----------------------------------------------------
  An insecure temporary file usage has been reported in Scilab,
  allowing for symlink attacks.

  http://www.linuxsecurity.com/content/view/147681

------------------------------------------------------------------------

* Mandriva: [ MDVSA-2009:024 ] php4 (Jan 21)
  ------------------------------------------
  A buffer overflow in the imageloadfont() function in PHP allowed
  context-dependent attackers to cause a denial of service (crash) and
  potentially execute arbitrary code via a crafted font file
  (CVE-2008-3658). A buffer overflow in the memnstr() function allowed
  context-dependent attackers to cause a denial of service (crash) and
  potentially execute arbitrary code via the delimiter argument to the
  explode() function (CVE-2008-3659). PHP, when used as a FastCGI
  module, allowed remote attackers to cause a denial of service (crash)
  via a request with multiple dots preceding the extension
  (CVE-2008-3660). The updated packages have been patched to correct
  these issues.

  http://www.linuxsecurity.com/content/view/147687

* Mandriva: [ MDVSA-2009:023 ] php (Jan 21)
  -----------------------------------------
  A vulnerability in PHP allowed context-dependent attackers to cause a
  denial of service (crash) via a certain long string in the glob() or
  fnmatch() functions (CVE-2007-4782)... The updated packages have been
  patched to correct these issues.

  http://www.linuxsecurity.com/content/view/147686

* Mandriva: [ MDVSA-2009:022 ] php (Jan 21)
  -----------------------------------------
  A vulnerability in PHP allowed context-dependent attackers to cause a
  denial of service (crash) via a certain long string in the glob() or
  fnmatch() functions (CVE-2007-4782).. The updated packages have been
  patched to correct these issues.

  http://www.linuxsecurity.com/content/view/147685

* Mandriva: [ MDVSA-2009:021 ] php (Jan 21)
  -----------------------------------------
  A buffer overflow in the imageloadfont() function in PHP allowed
  context-dependent attackers to cause a denial of service (crash) and
  potentially execute arbitrary code via a crafted font file
  (CVE-2008-3658)... The updated packages have been patched to correct
  these issues.

  http://www.linuxsecurity.com/content/view/147684

* Mandriva: [ MDVSA-2009:020 ] xine-lib (Jan 21)
  ----------------------------------------------
  Failure on Ogg files manipulation can lead remote attackers to cause
  a denial of service by using crafted files (CVE-2008-3231).... This
  update provides the fix for all these security issues found in
  xine-lib 1.1.11 of Mandriva 2008.1. The vulnerabilities:
  CVE-2008-5234, CVE-2008-5236, CVE-2008-5237, CVE-2008-5239,
  CVE-2008-5240, CVE-2008-5243 are found in xine-lib 1.1.15 of Mandriva
  2009.0 and are also fixed by this update.

  http://www.linuxsecurity.com/content/view/147683

* Mandriva: [ MDVSA-2009:017 ] kdebase (Jan 16)
  ---------------------------------------------
  A vulnerability in KDM allowed a local user to cause a denial of
  service via unknown vectors (CVE-2007-5963). The updated packages
  have been patched to prevent this issue.

  http://www.linuxsecurity.com/content/view/147405

* Mandriva: [ MDVSA-2009:016 ] xen (Jan 16)
  -----------------------------------------
  Ian Jackson found a security issue in the QEMU block device drivers
  backend that could allow a guest operating system to issue a block
  device request and read or write arbitrary memory locations, which
  could then lead to privilege escalation (CVE-2008-0928)... The
  updated packages have been patched to prevent these issues.

  http://www.linuxsecurity.com/content/view/147404

* Mandriva: [ MDVSA-2009:015 ] ffmpeg (Jan 15)
  --------------------------------------------
  Several vulnerabilities have been discovered in ffmpeg, related to
  the execution of DTS generation code (CVE-2008-4866) and incorrect
  handling of DCA_MAX_FRAME_SIZE value (CVE-2008-4867). The updated
  packages have been patched to prevent this.

  http://www.linuxsecurity.com/content/view/147401

* Mandriva: [ MDVSA-2009:014 ] mplayer (Jan 15)
  ---------------------------------------------
  Several vulnerabilities have been discovered in mplayer, which could
  allow remote attackers to execute arbitrary code via a malformed
  TwinVQ file (CVE-2008-5616), and in ffmpeg, as used by mplayer,
  related to the execution of DTS generation code (CVE-2008-4866). The
  updated packages have been patched to prevent this.

  http://www.linuxsecurity.com/content/view/147400

* Mandriva: [ MDVSA-2009:013 ] mplayer (Jan 15)
  ---------------------------------------------
  Several vulnerabilities have been discovered in mplayer, which could
  allow remote attackers to execute arbitrary code via a malformed
  TwinVQ file (CVE-2008-5616), and in ffmpeg, as used by mplayer,
  related to the execution of DTS generation code (CVE-2008-4866) and
  incorrect handling of DCA_MAX_FRAME_SIZE value (CVE-2008-4867). The
  updated packages have been patched to prevent this.

  http://www.linuxsecurity.com/content/view/147399

* Mandriva: [ MDVSA-2009:012 ] mozilla-thunderbird (Jan 15)
  ---------------------------------------------------------
  A number of security vulnerabilities have been discovered and
  corrected in the latest Mozilla Thunderbird program, version 2.0.0.19
  (CVE-2008-5500, CVE-2008-5503, CVE-2008-5506, CVE-2008-5507,
  CVE-2008-5508, CVE-2008-5510, CVE-2008-5511, CVE-2008-5512). This
  update provides the latest Thunderbird to correct these issues.

  http://www.linuxsecurity.com/content/view/147396

* Mandriva: [ MDVA-2009:012 ] kphotoalbum (Jan 15)
  ------------------------------------------------
  Kphotoalbum in Mandriva Linux 2009.0 had some unimplemented functions
  that could lead to crashes.  This new package implements those
  functions and fixes the crashes.

  http://www.linuxsecurity.com/content/view/147393

* Mandriva: [ MDVA-2009:011 ] kdegraphics4 (Jan 15)
  -------------------------------------------------
  This package updates the libkdraw and libkexiv2 libraries making it
  possible to build newer versions of digikam.

  http://www.linuxsecurity.com/content/view/147392

------------------------------------------------------------------------

* RedHat: Important: kernel security and bug fix update (Jan 22)
  --------------------------------------------------------------
  Updated kernel packages that fix several security issues and several
  bugs are now available for Red Hat Enterprise MRG 1.0. This update
  has been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/147689

------------------------------------------------------------------------

* Slackware bind 10.2/11.0 recompile (Jan 15)
  -------------------------------------------
  Updated bind packages are available for Slackware 10.2 and 11.0 to
  address a load problem.  It was reported that the initial build of
  these updates complained that the Linux capability module was not
  present and would refuse to load.  It was determined that the
  packages which were compiled on 10.2 and 11.0 systems running 2.6
  kernels, and although the installed kernel headers are from 2.4.x, it
  picked up on this resulting in packages that would only run under 2.4
  kernels.  These new packages address the issue. As always, any
  problems noted with update patches should be reported to
  security_at_private, and we will do our best to address them as
  quickly as possible.

  http://www.linuxsecurity.com/content/view/147398

* Slackware:   ntp (Jan 15)
  -------------------------
  New ntp packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
  10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to a fix security
  issue.

  http://www.linuxsecurity.com/content/view/147388

* Slackware:   openssl (Jan 15)
  -----------------------------
  New openssl packages are available for Slackware 11.0, 12.0, 12.1,
  12.2, and -current to fix a security issue when connecting to an
  SSL/TLS server that uses a certificate containing a DSA or ECDSA key.

  http://www.linuxsecurity.com/content/view/147389

* Slackware:   bind (Jan 15)
  --------------------------
  New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
  10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a security
  issue.

  http://www.linuxsecurity.com/content/view/147387

------------------------------------------------------------------------

* SuSE: bind (SUSE-SA:2009:005) (Jan 22)
  --------------------------------------
  The DNS daemon bind is used to resolve and lookup addresses on the
  inter-    net.    Some month ago a vulnerability in the DNS protocol
  and its numbers was	 published that allowed easy spoofing of DNS
  entries. The only way to pro-    tect against spoofing is to use
  DNSSEC.    Unfortunately the bind code that verifys the certification
  chain of a DNS-    SEC zone transfer does not properly check the
  return value of function    DSA_do_verify(). This allows the spoofing
  of records signed with DSA or    NSEC3DSA.

  http://www.linuxsecurity.com/content/view/147688

------------------------------------------------------------------------

* Ubuntu:Perl regression (Jan 15)
  -------------------------------
  USN-700-1 fixed vulnerabilities in Perl.  Due to problems with the
  Ubuntu 8.04 build, some Perl .ph files were missing from the
  resulting update. This update fixes the problem.  We apologize for
  the inconvenience.

  http://www.linuxsecurity.com/content/view/147397


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


_______________________________________________      
Best Selling Security Books &amp; More!
http://www.shopinfosecnews.org/
Received on Sun Jan 25 2009 - 22:11:04 PST

This archive was generated by hypermail 2.2.0 : Sun Jan 25 2009 - 22:25:08 PST