[ISN] Linux Advisory Watch - September 6th 2009 (fwd)

From: InfoSec News <alerts_at_private>
Date: Tue, 8 Sep 2009 02:09:52 -0500 (CDT)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| September 6th, 2009                             Volume 10, Number 37 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for ikiwiki, xemacs, fetchmail,
openoffice, mapserver, qt, htmldoc, firebird, httpd, irssi, xmlrpc,
kdebase, nss, postfix, mysql, rgmanager, cman, gfs, nfs-utils,
kernel-rt, and dnsmasq.  The distributors include Debian, Fedora,
Mandriva, Red Hat, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" You may not take even a
second to respond.  But if I may ask "How much does Google know about
you"? You may instantly reply "Wait... what!? Do they!?"  The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New devscripts packages fix remote code execution (Sep 2)
  -----------------------------------------------------------------
  Raphael Geissert discovered that uscan, a program to check for
  availability of new source code versions which is part of the
  devscripts package, runs Perl code downloaded from potentially
  untrusted sources to implement its URL and version mangling
  functionality.

  http://www.linuxsecurity.com/content/view/149956

* Debian: New mysql-dfsg-5.0 packages fix arbitrary code (Sep 2)
  --------------------------------------------------------------
  In MySQL 4.0.0 through 5.0.83, multiple format string vulnerabilities
  in the dispatch_command() function in libmysqld/sql_parse.cc in
  mysqld allow remote authenticated users to cause a denial of service
  (daemon crash) and potentially the execution of arbitrary code via
  format string specifiers in a database name in a COM_CREATE_DB or
  COM_DROP_DB request.

  http://www.linuxsecurity.com/content/view/149955

* Debian: New dnsmasq packages fix remote code execution (Sep 1)
  --------------------------------------------------------------
  Several remote vulnerabilities have been discovered in the TFTP
  component of dnsmasq.

  http://www.linuxsecurity.com/content/view/149941

* Debian: New ikiwiki packages fix information disclosure (Aug 31)
  ----------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149924

------------------------------------------------------------------------

* Fedora 11 Update: xemacs-21.5.29-2.fc11 (Sep 4)
  -----------------------------------------------
  This update fixes multiple buffer overflows when reading large image
  files, or maliciously created image files whose headers misrepresent
  the actual image size.    The update also addresses multiple font
  issues, some of which cause warnings on startup.  Some warnings
  remain, however, unless an ISO8859-13 fonts (e.g., terminus) is
  installed.  Also note that some warnings remain on Rawhide pending a
  resolution for bz 507637.

  http://www.linuxsecurity.com/content/view/149966

* Fedora 10 Update: fetchmail-6.3.8-9.fc10 (Sep 4)
  ------------------------------------------------
  If fetchmail is running in daemon mode, it must be restarted for this
  update to take effect (use the "fetchmail --quit" command to stop the
  fetchmail process).

  http://www.linuxsecurity.com/content/view/149967

* Fedora 11 Update: fetchmail-6.3.9-5.fc11 (Sep 4)
  ------------------------------------------------
  If fetchmail is running in daemon mode, it must be restarted for this
  update to take effect (use the "fetchmail --quit" command to stop the
  fetchmail process).

  http://www.linuxsecurity.com/content/view/149965

* Fedora 10 Update: xemacs-21.5.28-10.fc10 (Sep 4)
  ------------------------------------------------
  This update fixes multiple buffer overflows when reading large image
  files, or maliciously created image files whose headers misrepresent
  the actual image size.

  http://www.linuxsecurity.com/content/view/149964

* Fedora 10 Update: openoffice.org-3.0.1-15.6.fc10 (Sep 4)
  --------------------------------------------------------
  CVE-2009-0200/CVE-2009-0201: Harden .doctable insert/delete record
  import handling.

  http://www.linuxsecurity.com/content/view/149963

* Fedora 10 Update: mapserver-5.2.3-1.fc10 (Sep 2)
  ------------------------------------------------
  Changing imagepath and imageurl no longer allowed via URL, New fix
  for incomplete CVE-2009-0840 security fix made in 5.2.2, Fixed seg
  fault if font not found with label ANGLE FOLLOW (#2973)

  http://www.linuxsecurity.com/content/view/149960

* Fedora 11 Update: mapserver-5.2.3-1.fc11 (Sep 2)
  ------------------------------------------------
  Changing imagepath and imageurl no longer allowed via URL, New fix
  for incomplete CVE-2009-0840 security fix made in 5.2.2, Fixed seg
  fault if font not found with label ANGLE FOLLOW (#2973)

  http://www.linuxsecurity.com/content/view/149957

* Fedora 11 Update: qt-4.5.2-3.fc11 (Sep 2)
  -----------------------------------------
  security fix for CVE-2009-2700

  http://www.linuxsecurity.com/content/view/149958

* Fedora 10 Update: qt-4.5.2-3.fc10 (Sep 2)
  -----------------------------------------
  security fix for CVE-2009-2700

  http://www.linuxsecurity.com/content/view/149959

* Fedora 10 Update: htmldoc-1.8.27-8.fc10 (Aug 31)
  ------------------------------------------------
  Fix scanf issues found by Gentoo. Fix FTBFS on Fedora 12.

  http://www.linuxsecurity.com/content/view/149930

* Fedora 11 Update: htmldoc-1.8.27-12.fc11 (Aug 31)
  -------------------------------------------------
  Fix scanf issues found by Gentoo. Fix FTBFS on Fedora 12.

  http://www.linuxsecurity.com/content/view/149929

* Fedora 11 Update: firebird-2.1.3.18185.0-2.fc11 (Aug 31)
  --------------------------------------------------------
  Upgrade from previous package version may be a problem  since
  previous version remove /var/run/firebird and it shouldn't	This
  release fix this problem for future updates  If you are in that case
  (no longer /var/run/firebird directory after upgrade), just reinstall
  firebird-2.1.3.18185.0-2 package    or create /var/run/firebird owned
  by user firebird

  http://www.linuxsecurity.com/content/view/149928

* Fedora 11 Update: httpd-2.2.13-1.fc11 (Aug 31)
  ----------------------------------------------
  This update includes the latest release of the Apache HTTP Server,
  version 2.2.13, fixing several security issues:    * Fix a potential
  Denial-of-Service attack against mod_deflate or other modules, by
  forcing the server to consume CPU time in compressing a large file
  after a client disconnects. (CVE-2009-1891)	 * Prevent the
  "Includes" Option from being enabled in an .htaccess file if the
  AllowOverride restrictions do not permit it. (CVE-2009-1195)	  * Fix
  a potential Denial-of-Service attack against mod_proxy in a reverse
  proxy configuration, where a remote attacker can force a proxy
  process to consume CPU time indefinitely. (CVE-2009-1890)    *
  mod_proxy_ajp: Avoid delivering content from a previous request which
  failed to send a request body.  (CVE-2009-1191)    Many bug fixes are
  also included; see the upstream changelog for further details:
  http://www.apache.org/dist/httpd/CHANGES_2.2.13

  http://www.linuxsecurity.com/content/view/149927

* Fedora 10 Update: irssi-0.8.13-3.fc10 (Aug 31)
  ----------------------------------------------


  http://www.linuxsecurity.com/content/view/149926

* Fedora 10 Update: firebird-2.1.3.18185.0-2.fc10 (Aug 31)
  --------------------------------------------------------
  Upgrade from previous package version may be a problem  since
  previous version remove /var/run/firebird and it shouldn't	This
  release fix this problem for future updates  If you are in that case
  (no longer /var/run/firebird directory after upgrade), just reinstall
  firebird-2.1.3.18185.0-2 package    or create /var/run/firebird owned
  by user firebird

  http://www.linuxsecurity.com/content/view/149925

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVA-2009:158 ] xmlrpc-c (Sep 3)
  -------------------------------------------------------------------------
  This update resolves a missing dependency for the recent KDE4
  updates.

  http://www.linuxsecurity.com/content/view/149962

* Mandriva: Subject: [Security Announce] [ MDVA-2009:157 ] kdebase4-workspace (Sep 2)
  -----------------------------------------------------------------------------------
  krandrtray from KDE4 is known to have some issues. A patch was added
  that makes krandrtray open its configuration module when the system
  tray icon is clicked.

  http://www.linuxsecurity.com/content/view/149954

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:197 ] nss (Sep 1)
  ---------------------------------------------------------------------
  Security issues in nss prior to 3.12.3 could lead to a
  man-in-the-middle attack via a spoofed X.509 certificate
  (CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also
  cause a denial-of-service and possible code execution via a long
  domain name in X.509 certificate (CVE-2009-2404). This update
  provides the latest versions of NSS and NSPR libraries which are not
  vulnerable to those attacks.

  http://www.linuxsecurity.com/content/view/149940

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:224 ] postfix (Aug 30)
  --------------------------------------------------------------------------
  A vulnerability has been found and corrected in postfix: Postfix 2.5
  before 2.5.4 and 2.6 before 2.6-20080814 delivers to a mailbox file
  even when this file is not owned by the recipient, which allows local
  users to read e-mail messages by creating a mailbox file
  corresponding to another user's account name (CVE-2008-2937). This
  update provides a solution to this vulnerability.

  http://www.linuxsecurity.com/content/view/149918

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:223 ] xerces-c (Aug 30)
  ---------------------------------------------------------------------------
  A vulnerability has been found and corrected in xerces-c: Stack
  consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache
  Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to
  cause a denial of service (application crash) via vectors involving
  nested parentheses and invalid byte values in simply nested DTD
  structures, as demonstrated by the Codenomicon XML fuzzing framework
  (CVE-2009-1885). This update provides a solution to this
  vulnerability.

  http://www.linuxsecurity.com/content/view/149917

------------------------------------------------------------------------

* RedHat: Important: openoffice.org security update (Sep 4)
  ---------------------------------------------------------
  Updated openoffice.org packages that correct security issues are now
  available for Red Hat Enterprise Linux 3, 4, and 5. This update has
  been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/149968

* RedHat: Moderate: mysql security and bug fix update (Sep 2)
  -----------------------------------------------------------
  Updated mysql packages that fix various security issues and several
  bugs are now available for Red Hat Enterprise Linux 5. This update
  has been rated as having moderate security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/149953

* RedHat: Low: gdm security and bug fix update (Sep 2)
  ----------------------------------------------------
  Updated gdm packages that fix a security issue and several bugs are
  now available for Red Hat Enterprise Linux 5. This update has been
  rated as having low security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/149952

* RedHat: Low: rgmanager security, bug fix, (Sep 2)
  -------------------------------------------------
  An updated rgmanager package that fixes multiple security issues,
  various bugs, and adds enhancements is now available for Red Hat
  Enterprise Linux 5.

  http://www.linuxsecurity.com/content/view/149950

* RedHat: Low: cman security, bug fix, (Sep 2)
  --------------------------------------------
  Updated cman packages that fix several security issues, various bugs,
  and add enhancements are now available for Red Hat Enterprise Linux
  5. This update has been rated as having low security impact by the
  Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149951

* RedHat: Low: gfs2-utils security and bug fix update (Sep 2)
  -----------------------------------------------------------
  An updated gfs2-utils package that fixes multiple security issues and
  various bugs is now available for Red Hat Enterprise Linux 5. This
  update has been rated as having low security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/149949

* RedHat: Moderate: openssl security, bug fix, (Sep 2)
  ----------------------------------------------------
  Updated openssl packages that fix several security issues, various
  bugs, and add enhancements are now available for Red Hat Enterprise
  Linux 5. This update has been rated as having moderate security
  impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149948

* RedHat: Low: ecryptfs-utils security, bug fix, (Sep 2)
  ------------------------------------------------------
  Updated ecryptfs-utils packages that fix a security issue, various
  bugs, and add enhancements are now available for Red Hat Enterprise
  Linux 5. This update has been rated as having low security impact by
  the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149946

* RedHat: Low: nfs-utils security and bug fix update (Sep 2)
  ----------------------------------------------------------
  An updated nfs-utils package that fixes a security issue and several
  bugs is now available. This update has been rated as having low
  security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149947

* RedHat: Low: openssh security, bug fix, (Sep 2)
  -----------------------------------------------
  Updated openssh packages that fix a security issue, a bug, and add
  enhancements are now available for Red Hat Enterprise Linux 5. This
  update has been rated as having low security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/149945

* RedHat: Important: Red Hat Enterprise Linux 5.4 kernel (Sep 2)
  --------------------------------------------------------------
  Updated kernel packages that fix security issues, address several
  hundred bugs and add numerous enhancements are now available as part
  of the ongoing support and maintenance of Red Hat Enterprise Linux
  version 5. This is the fourth regular update.

  http://www.linuxsecurity.com/content/view/149943

* RedHat: Low: lftp security and bug fix update (Sep 2)
  -----------------------------------------------------
  An updated lftp package that fixes one security issue and various
  bugs is now available for Red Hat Enterprise Linux 5. This update has
  been rated as having low security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/149944

* RedHat: Important: kernel-rt security and bug fix update (Sep 1)
  ----------------------------------------------------------------
  Updated kernel-rt packages that fix several security issues and
  various bugs are now available for Red Hat Enterprise MRG 1.1. This
  update has been rated as having important security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149938

* RedHat: Important: kernel-rt security and bug fix update (Sep 1)
  ----------------------------------------------------------------
  Updated kernel-rt packages that fix several security issues and
  various bugs are now available for Red Hat Enterprise MRG 1.1. This
  update has been rated as having important security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149937

* RedHat: Important: dnsmasq security update (Aug 31)
  ---------------------------------------------------
  An updated dnsmasq package that fixes two security issues is now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having important security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/149931

------------------------------------------------------------------------

* Ubuntu:  Dnsmasq vulnerabilities (Sep 1)
  ----------------------------------------
  IvAin Arce, Pablo HernAin Jorge, Alejandro Pablo Rodriguez, MartAn
  Coco, Alberto SoliAto Testa and Pablo Annetta discovered that Dnsmasq
  did not properly validate its input when processing TFTP requests for
  files with long names. A remote attacker could cause a denial of
  service or execute arbitrary code with user privileges.

  http://www.linuxsecurity.com/content/view/149942

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


________________________________________
Please Donate to the Ron Santo Walk to 
Cure Diabetes with Ethan's Crew!
http://www.c4i.org/ethan.html
Received on Tue Sep 08 2009 - 00:09:52 PDT

This archive was generated by hypermail 2.2.0 : Tue Sep 08 2009 - 00:23:54 PDT