[ISN] Linux Advisory Watch - February 20th 2009

From: InfoSec News <alerts_at_private>
Date: Mon, 23 Feb 2009 05:22:23 -0600 (CST)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| February 20th, 2009                              Volume 10, Number 8 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for moodle, net-snmp, fail2ban,
dnsmasq, libresample, dahdi-tools, asterisk, squid, lighttpd,
squidGuard, xine-lib, python, valgrind, openssl, dai, gedit, blender,
db46, xkeyboard-config, rhythmbox, php, krb5, wireshark, pycrypto, and
ffmpeg.  The distributors include Debian, Fedora, Gentoo, Mandriva, and
Pardus.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?", you may not take even a
second to respond.  But if I ask "How much does Google know about
you?", you may instantly reply "Wait... what!? Do they!?"  The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------
Nagios is monitoring software designed to let you know quickly about
problems on your hosts and networks. You can configure it for use on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process; making that setup secure takes some work. This
article will not show you how to install Nagios, since plenty of such
guides already exist, but it will show you in detail ways to improve
your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New websvn packages fix information leak (Feb 15)
  ---------------------------------------------------------
  Bas van Schaik discovered that WebSVN, a tool to view Subversion
  repositories over the web, did not properly restrict access to
  private repositories, allowing a remote attacker to read significant
  parts of their content.

  http://www.linuxsecurity.com/content/view/148008

* Debian: New moodle packages fix several vulnerabilities (Feb 13)
  ----------------------------------------------------------------
  Several vulnerabilities have been discovered in Moodle, an online
  course management system.

  http://www.linuxsecurity.com/content/view/148002

------------------------------------------------------------------------

* Fedora 10 Update: net-snmp-5.4.2.1-3.fc10 (Feb 17)
  --------------------------------------------------
  fix tcp_wrappers integration (CVE-2008-6123)

  http://www.linuxsecurity.com/content/view/148020

* Fedora 9 Update: fail2ban-0.8.3-18.fc9 (Feb 14)
  -----------------------------------------------
  This update fixes CVE-2009-0362. See
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0362 for further
  details.

  http://www.linuxsecurity.com/content/view/148006

* Fedora 10 Update: fail2ban-0.8.3-18.fc10 (Feb 14)
  -------------------------------------------------
  This update fixes CVE-2009-0362. See
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0362 for further
  details.

  http://www.linuxsecurity.com/content/view/148007

* Fedora 9 Update: dnsmasq-2.45-1.fc9 (Feb 14)
  --------------------------------------------
  Update to newer upstream version - 2.45. The version of dnsmasq
  previously shipped in Fedora 9 did not properly drop privileges,
  causing it to run as root instead of the intended user nobody. The
  issue was caused by a bug in the kernel-headers used in the build
  environment of the original packages. (#454415) The new upstream
  version also adds DNS query source port randomization, mitigating DNS
  spoofing attacks. (CVE-2008-1447)

  http://www.linuxsecurity.com/content/view/148005

* Fedora 10 Update: moodle-1.9.4-1.fc10 (Feb 13)
  ----------------------------------------------
  Multiple security fixes.

  http://www.linuxsecurity.com/content/view/148003

* Fedora 9 Update: libresample-0.1.3-9.fc9 (Feb 13)
  -------------------------------------------------
  Add a patch to fix a problem with the manager interface. Update to
  1.6.0.5 to fix AST-2009-001 / CVE-2009-0041.

  http://www.linuxsecurity.com/content/view/148000

* Fedora 9 Update: dahdi-tools-2.0.0-1.fc9 (Feb 13)
  -------------------------------------------------
  Add a patch to fix a problem with the manager interface. Update to
  1.6.0.5 to fix AST-2009-001 / CVE-2009-0041.

  http://www.linuxsecurity.com/content/view/147998

* Fedora 9 Update: asterisk-1.6.0.5-2.fc9 (Feb 13)
  ------------------------------------------------
  Add a patch to fix a problem with the manager interface. Update to
  1.6.0.5 to fix AST-2009-001 / CVE-2009-0041.

  http://www.linuxsecurity.com/content/view/147999

* Fedora 9 Update: moodle-1.9.4-1.fc9 (Feb 12)
  --------------------------------------------
  Multiple security fixes.

  http://www.linuxsecurity.com/content/view/147997

* Fedora 10 Update: asterisk-1.6.0.5-2.fc10 (Feb 12)
  --------------------------------------------------
  Add a patch to fix a problem with the manager interface. Update to
  1.6.0.5 to fix AST-2009-001 / CVE-2009-0041.

  http://www.linuxsecurity.com/content/view/147996

* Fedora 9 Update: squid-3.0.STABLE13-1.fc9 (Feb 12)
  --------------------------------------------------
  upgrade to latest upstream

  http://www.linuxsecurity.com/content/view/147988

* Fedora 9 Update: lighttpd-1.4.20-6.fc9 (Feb 12)
  -----------------------------------------------
  This update fixes some moderate security issues and includes a few
  enhancements.

  http://www.linuxsecurity.com/content/view/147989

* Fedora 10 Update: squidGuard-1.2.1-2.fc10 (Feb 12)
  --------------------------------------------------
  Update to 1.2.1, and patch for SG-2008-06-13

  http://www.linuxsecurity.com/content/view/147990

* Fedora 9 Update: xine-lib-1.1.16.2-1.fc9.1 (Feb 12)
  ---------------------------------------------------
  This release contains one new security fix (CVE-2008-5240) and
  corrections of previous security fixes.  It also includes fixes for
  race conditions in gapless_switch (ref. kde bug #180339)

  http://www.linuxsecurity.com/content/view/147991

* Fedora 10 Update: python-fedora-0.3.9-1.fc10 (Feb 12)
  -----------------------------------------------------
  This release includes a bugfix to the
  fedora.client.AccountSystem().verify_password() method.
  verify_password() was incorrectly returning True (meaning the username
  and password combination was correct) for any input. Although no known
  code uses this method to verify a user's account with the Fedora
  Account System, the existence of the method, and the fact that any
  code using it would have admitted every user because of the bug, makes
  this a high priority fix.

  http://www.linuxsecurity.com/content/view/147992

* Fedora 10 Update: xine-lib-1.1.16.2-1.fc10 (Feb 12)
  ---------------------------------------------------
  This release contains one new security fix (CVE-2008-5240) and
  corrections of previous security fixes.  It also includes fixes for
  race conditions in gapless_switch (ref. kde bug #180339)

  http://www.linuxsecurity.com/content/view/147984

* Fedora 9 Update: squidGuard-1.2.1-2.fc9 (Feb 12)
  ------------------------------------------------
  Update to 1.2.1, and patch for SG-2008-06-13

  http://www.linuxsecurity.com/content/view/147985

* Fedora 9 Update: python-fedora-0.3.9-1.fc9 (Feb 12)
  ---------------------------------------------------
  This release includes a bugfix to the
  fedora.client.AccountSystem().verify_password() method.
  verify_password() was incorrectly returning True (meaning the username
  and password combination was correct) for any input. Although no known
  code uses this method to verify a user's account with the Fedora
  Account System, the existence of the method, and the fact that any
  code using it would have admitted every user because of the bug, makes
  this a high priority fix.

  http://www.linuxsecurity.com/content/view/147986
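The defect in the two python-fedora entries above is a verifier that says yes to everything. The following is an added example for this digest, not code from python-fedora or the Fedora Account System: a password verifier that returns True only for a matching username and password (salted PBKDF2, constant-time comparison, the same work done for unknown users), next to a stand-in reproducing the reported always-True behaviour and a probe that flags any verifier accepting random credentials. The in-memory store, the iteration count and all helper names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2 work factor; raise it for production use. Kept modest here so the
# example runs quickly (assumption for this example).
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for `password`."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def make_store(credentials):
    """Build a constructed in-memory user store: username -> (salt, digest)."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


# Dummy record compared against for unknown users, so the work done does not
# reveal whether a username exists.
_DUMMY = hash_password(secrets.token_hex(16))


def verify_password(store, username, password):
    """Return True only if `username` exists in `store` and `password` matches.
    The hash and the constant-time comparison run even for unknown users."""
    salt, expected = store.get(username, _DUMMY)
    _, candidate = hash_password(password, salt)
    match = hmac.compare_digest(candidate, expected)
    return (username in store) and match


def broken_verify_password(store, username, password):
    """Mirrors the defect reported above: every username/password passes."""
    return True


def accepts_random_credentials(verify, store):
    """Regression probe: call `verify` with a username and password that cannot
    exist in `store`. True means the verifier is fail-open."""
    user = "probe-" + secrets.token_hex(8)
    return verify(store, user, secrets.token_hex(16)) is True


if __name__ == "__main__":
    store = make_store({"alice": "correct horse battery staple"})
    print(verify_password(store, "alice", "correct horse battery staple"))  # True
    print(verify_password(store, "alice", "wrong"))                          # False
    print("broken verifier fail-open:", accepts_random_credentials(broken_verify_password, store))
    print("fixed verifier fail-open: ", accepts_random_credentials(verify_password, store))
```

The probe is the part worth keeping around: a one-line test that a verifier rejects credentials that cannot exist would have caught this bug before release, independent of how the real backend is implemented.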

* Fedora 10 Update: squid-3.0.STABLE13-1.fc10 (Feb 12)
  ----------------------------------------------------
  upgrade to latest upstream

  http://www.linuxsecurity.com/content/view/147987

------------------------------------------------------------------------

* Gentoo: xterm User-assisted arbitrary commands execution (Feb 14)
  -----------------------------------------------------------------
  An error in the processing of special sequences in xterm may lead to
  arbitrary commands execution.

  http://www.linuxsecurity.com/content/view/148004

* Gentoo: xterm User-assisted arbitrary commands execution (Feb 12)
  -----------------------------------------------------------------
  An error in the processing of special sequences in xterm may lead to
  arbitrary commands execution.

  http://www.linuxsecurity.com/content/view/147995

* Gentoo: Valgrind Untrusted search path (Feb 12)
  -----------------------------------------------
  An untrusted search path vulnerability in Valgrind might result in
  the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/147994

* Gentoo: OpenSSL Certificate validation error (Feb 12)
  -----------------------------------------------------
  An error in the OpenSSL certificate chain validation might allow for
  spoofing attacks.

  http://www.linuxsecurity.com/content/view/147993

------------------------------------------------------------------------

* Mandriva: [ MDVSA-2009:040 ] dia (Feb 16)
  -----------------------------------------
  Python has a variable called sys.path that lists the directories from
  which Python loads modules on import. Wrong handling of that variable
  enables local attackers to execute arbitrary code via Python scripts
  placed in the current dia working directory (CVE-2008-5984). This
  update provides a fix for that vulnerability.

  http://www.linuxsecurity.com/content/view/148013

* Mandriva: [ MDVSA-2009:039 ] gedit (Feb 16)
  -------------------------------------------
  Python has a variable called sys.path that lists the directories from
  which Python loads modules on import. Wrong handling of that variable
  enables local attackers to execute arbitrary code via Python scripts
  placed in the current gedit working directory (CVE-2009-0314). This
  update provides a fix for that vulnerability.

  http://www.linuxsecurity.com/content/view/148012

* Mandriva: [ MDVSA-2009:038 ] blender (Feb 16)
  ---------------------------------------------
  Python has a variable called sys.path that lists the directories from
  which Python loads modules on import. Wrong handling of that variable
  enables local attackers to execute arbitrary code via Python scripts
  placed in the current Blender working directory (CVE-2008-4863). This
  update provides a fix for that vulnerability.

  http://www.linuxsecurity.com/content/view/148011
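The three Mandriva entries above (dia, gedit, blender) share one root cause: the directory the application was started in is on sys.path, so a Python file dropped there is resolved in place of the module the application meant to import. The example below is added for this digest and is not code from those projects or from Mandriva. It shows how to find and strip cwd-equivalent entries from a search path, and confirms with importlib's PathFinder and a temporary directory that a planted module stops resolving once the path is hardened. MODULE_NAME, the temporary working directory and the helper names are constructed for the example.

```python
import importlib.machinery
import os
import sys
import tempfile

# Name the application would import from its working directory
# (hypothetical; chosen so it cannot collide with anything installed).
MODULE_NAME = "untrusted_plugin_demo"


def cwd_entries(path=None, cwd=None):
    """Return the entries of a sys.path-like list that resolve to the working
    directory. '' (which CPython uses for interactive and -c runs) and '.'
    both mean the process's cwd to the import system; absolute entries are
    compared after realpath()."""
    path = sys.path if path is None else path
    cwd = os.path.realpath(os.getcwd() if cwd is None else cwd)
    hits = []
    for entry in path:
        if entry in ("", "."):
            hits.append(entry)
        elif os.path.realpath(entry) == cwd:
            hits.append(entry)
    return hits


def harden_path(path=None, cwd=None):
    """Return a copy of `path` with every cwd-equivalent entry removed.
    An application would assign the result to sys.path[:] before importing
    plug-in or scripting code."""
    path = sys.path if path is None else path
    drop = set(cwd_entries(path, cwd))
    return [entry for entry in path if entry not in drop]


def find_module(name, path):
    """Resolve `name` against `path` only, without importing it."""
    spec = importlib.machinery.PathFinder.find_spec(name, path)
    return None if spec is None else spec.origin


def demo(workdir=None):
    """Plant a module in `workdir` (standing in for a user-writable directory
    the application was started from), then resolve MODULE_NAME with that
    directory on the search path and again after hardening. Returns the
    (before, after) origins; the expected result is (planted file, None)."""
    workdir = workdir or tempfile.mkdtemp(prefix="syspath-demo-")
    planted = os.path.join(workdir, MODULE_NAME + ".py")
    with open(planted, "w") as fh:
        fh.write("# constructed file standing in for code the app never meant to load\n")
    stdlib_dir = os.path.dirname(os.__file__)   # a legitimate search entry
    unsafe_path = [workdir, stdlib_dir]         # cwd first, as CPython would
    safe_path = harden_path(unsafe_path, cwd=workdir)
    return find_module(MODULE_NAME, unsafe_path), find_module(MODULE_NAME, safe_path)


if __name__ == "__main__":
    before, after = demo()
    print("with cwd on path:", before)
    print("after hardening: ", after)
    print("cwd-equivalent entries on this interpreter's sys.path:", cwd_entries())
```

Run `cwd_entries()` with no arguments inside an embedding application to see whether its interpreter currently has the working directory on the path; that is the condition each of the three advisories describes, and `harden_path()` applied to sys.path removes it.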

* Mandriva: [ MDVSA-2009:037 ] bind (Feb 16)
  ------------------------------------------
  Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not
  properly check the return value from the OpenSSL EVP_VerifyFinal
  function, which allows remote attackers to bypass validation of the
  certificate chain via a malformed SSL/TLS signature, a similar
  vulnerability to CVE-2008-5077 and CVE-2009-0025. In this particular
  case the DSA_verify function was fixed with MDVSA-2009:002, this
  update does however address the RSA_verify function (CVE-2009-0265).

  http://www.linuxsecurity.com/content/view/148010
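The BIND entry above is about a return-value check rather than the signature math: EVP_VerifyFinal returns 1 for a correct signature, 0 for a mismatch and -1 for an error such as a malformed signature, and a caller that tests for "non-zero" accepts the error case. The example below is added for this digest and is not BIND or OpenSSL code; it uses a constructed stand-in that reproduces only that tri-state convention, shows the fail-open check beside the fixed one, and includes a probe that classifies a wrapper as fail-closed or not. The stand-in, the signature constants and the function names are assumptions for the example.

```python
# Return-value convention documented for OpenSSL's EVP_VerifyFinal:
# 1 = signature verified, 0 = signature does not match, -1 = error.
VERIFIED, MISMATCH, ERROR = 1, 0, -1

# Constructed inputs for the stand-in below (no real cryptography here).
GOOD_SIG = b"constructed-good-signature"
BAD_SIG = b"constructed-bad-signature"
MALFORMED_SIG = b""   # e.g. a truncated signature the decoder cannot parse


def verify_final_stub(signature):
    """Stand-in for EVP_VerifyFinal/RSA_verify (assumption for this example):
    reproduces only the tri-state return convention, not the verification."""
    if signature == GOOD_SIG:
        return VERIFIED
    if signature == MISMATCH and False:   # unreachable; keeps the three cases explicit
        return MISMATCH
    if signature == BAD_SIG:
        return MISMATCH
    return ERROR


def signature_ok_vulnerable(signature):
    """The pattern behind this class of bug, in C `if (EVP_VerifyFinal(...))`:
    any non-zero result is treated as success, and -1 is non-zero."""
    return bool(verify_final_stub(signature))


def signature_ok_fixed(signature):
    """Compare against the documented success value only. A mismatch is a
    clean False; an error is raised so callers cannot mistake it for either."""
    rc = verify_final_stub(signature)
    if rc == VERIFIED:
        return True
    if rc == MISMATCH:
        return False
    raise ValueError(f"signature verification failed with error code {rc}")


def is_fail_closed(check):
    """Regression probe for a wrapper around a tri-state verify call: feed it
    a malformed signature and report whether it refused to accept it."""
    try:
        return check(MALFORMED_SIG) is not True
    except ValueError:
        return True


if __name__ == "__main__":
    for name, check in (("vulnerable", signature_ok_vulnerable),
                        ("fixed", signature_ok_fixed)):
        print(f"{name}: fail-closed = {is_fail_closed(check)}")
```

The same `rc == 1` discipline applies to every OpenSSL call that documents a tri-state result; auditing a code base for `if (X_verify(...))` and `!= 0` comparisons on such calls is how this class of bug is found in practice.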

* Mandriva: [ MDVSA-2009:036 ] python (Feb 12)
  --------------------------------------------
  Multiple integer overflows in imageop.c in the imageop module in
  Python 1.5.2 through 2.5.1 allow context-dependent attackers to break
  out of the Python VM and execute arbitrary code via large integer
  values in certain arguments to the crop function, leading to a buffer
  overflow, a different vulnerability than CVE-2007-4965 and
  CVE-2008-1679. (CVE-2008-4864)

  http://www.linuxsecurity.com/content/view/147981

* Mandriva: [ MDVA-2009:023 ] db46 (Feb 12)
  -----------------------------------------
  Additional official patches have been released for db 4.6 after the
  Mandriva release.

  http://www.linuxsecurity.com/content/view/147979

* Mandriva: [ MDVA-2009:022 ] xkeyboard-config (Feb 12)
  -----------------------------------------------------
  Wrong directory permissions would prevent the compilation of keyboard
  mappings. This update fixes this issue.

  http://www.linuxsecurity.com/content/view/147978

* Mandriva: [ MDVA-2009:021 ] drakxtools (Feb 12)
  -----------------------------------------------
  This update fixes several minor issues with drakxtools.

  http://www.linuxsecurity.com/content/view/147977

* Mandriva: [ MDVA-2009:020 ] rhythmbox (Feb 12)
  ----------------------------------------------
  Rhythmbox could crash when handling removable devices and media
  players, such as iPods. This update fixes the problem.

  http://www.linuxsecurity.com/content/view/147976

------------------------------------------------------------------------

* SuSE: Mozilla Firefox (SUSE-SA:2009:009) (Feb 16)
  -------------------------------------------------
  The Mozilla Firefox browser is updated to version 3.0.6 fixing
  various security and stability issues.

  http://www.linuxsecurity.com/content/view/148009

------------------------------------------------------------------------

* Ubuntu: PHP vulnerabilities (Feb 12)
  ------------------------------------
  It was discovered that PHP did not properly enforce php_admin_value
  and php_admin_flag restrictions in the Apache configuration file. A
  local attacker could create a specially crafted PHP script that would
  bypass intended security restrictions. This issue only applied to
  Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2007-5900)

  http://www.linuxsecurity.com/content/view/147983

* Ubuntu: pam-krb5 vulnerabilities (Feb 12)
  -----------------------------------------
  It was discovered that pam_krb5 parsed environment variables when run
  with setuid applications. A local attacker could exploit this flaw to
  bypass authentication checks and gain root privileges.
  (CVE-2009-0360) Derek Chan discovered that pam_krb5 incorrectly
  handled refreshing existing credentials when used with setuid
  applications. A local attacker could exploit this to create or
  overwrite arbitrary files, and possibly gain root privileges.
  (CVE-2009-0361)

  http://www.linuxsecurity.com/content/view/147982

------------------------------------------------------------------------

* Pardus: Firefox: Multiple Vulnerabilities (Feb 17)
  --------------------------------------------------
  Some vulnerabilities have been reported in Mozilla Firefox, which can
  be exploited by malicious, local users to potentially disclose
  sensitive information, and by malicious people to conduct cross-site
  scripting attacks, bypass certain security restrictions, disclose
  sensitive information, or potentially to compromise a user's system.

  http://www.linuxsecurity.com/content/view/148019

* Pardus: Pam-krb5: Privilege Escalation (Feb 17)
  -----------------------------------------------
  Some vulnerabilities have been reported in pam-krb5, which can be
  exploited by malicious, local users to overwrite files and to gain
  escalated privileges.

  http://www.linuxsecurity.com/content/view/148018

* Pardus: Libvirt: Buffer Overflow (Feb 17)
  -----------------------------------------
  A vulnerability has been reported in libvirt, which can be exploited
  by malicious, local users to potentially gain escalated privileges.

  http://www.linuxsecurity.com/content/view/148017

* Pardus: Wireshark: Buffer Overflow (Feb 17)
  -------------------------------------------
  A vulnerability has been reported in Wireshark, which can be
  exploited by malicious people to potentially compromise a user's
  system. The vulnerability is caused due to a boundary error in the
  processing of NetScreen Snoop capture files and can be exploited to
  cause a stack-based buffer overflow.

  http://www.linuxsecurity.com/content/view/148016

* Pardus: Pycrypto: Buffer Overflow (Feb 17)
  ------------------------------------------
  Buffer overflow in the PyCrypto ARC2 module 2.0.1 allows remote
  attackers to cause a denial of service and possibly execute arbitrary
  code via a large ARC2 key length.

  http://www.linuxsecurity.com/content/view/148015

* Pardus: Ffmpeg and Mplayer: Denial of (Feb 17)
  ----------------------------------------------
  Tobias Klein has reported a vulnerability in FFmpeg, which
  potentially can be exploited by malicious people to compromise an
  application using the library. This vulnerability also affects
  MPlayer.

  http://www.linuxsecurity.com/content/view/148014

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


Received on Mon Feb 23 2009 - 03:22:23 PST
