List: isn
Subject: [ISN] Linux Advisory Watch: July 25th, 2008
From: InfoSec News <alerts () infosecnews ! org>
Date: 2008-07-25 12:31:59
Message-ID: Pine.LNX.4.61.0807250731420.26580 () conundrum ! infosecnews ! org
+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| July 25th, 2008 Volume 9, Number 30 |
| |
| Editorial Team: Dave Wreski <dwreski@linuxsecurity.com> |
| Benjamin D. Thomas <bthomas@linuxsecurity.com> |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for clamav, xulrunner, iceweasel,
lighthttpd, libgd2, ruby, xemacs, wireshark, mysql, thunderbird, php,
acroread, dnsmasq, firefox, and seamonkey. The distributors include
Debian, Mandriva, Red Hat, Slackware, and Ubuntu.
---
>> Linux+DVD Magazine <<
In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.
Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!
http://www.linuxsecurity.com/ads/adclick.php?bannerid=26
---
Security Features of Firefox 3.0
--------------------------------
Let's take a look at the security features of the newly released Firefox
3.0. Since its release on Tuesday I have been testing it out to see
how the new security enhancements work and help increase user
browsing security. One of the exciting improvements for me was how
Firefox handles SSL secured web sites while browsing the Internet.
There are also many other security features that this article will look
at. For example, improved plugin and addon security.
Read on for more security features of Firefox 3.0.
http://www.linuxsecurity.com/content/view/138972
---
Review: The Book of Wireless
----------------------------
"The Book of Wireless" by John Ross is an answer to the problem of
learning about wireless networking. With the widespread use of
wireless networks today, anyone with a computer should at least know the
basics of wireless. Also, with wireless networking, users need to
know how to protect themselves from wireless networking attacks.
http://www.linuxsecurity.com/content/view/136167
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
-------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.19 (Version 3.0, Release 19). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/136174
------------------------------------------------------------------------
* Debian: new clamav packages fix denial of service (Jul 24)
----------------------------------------------------------
Damian Put discovered a vulnerability in the ClamAV anti-virus
toolkit's parsing of Petite-packed Win32 executables. The weakness
leads to an invalid memory access, and could enable an attacker to
crash clamav by supplying a maliciously crafted Petite-compressed
binary for scanning. In some configurations, such as when clamav is
used in combination with mail servers, this could cause a system to
"fail open," facilitating a follow-on viral attack.
http://www.linuxsecurity.com/content/view/140238
* Debian: New xulrunner packages fix several vulnerabilities (Jul 23)
-------------------------------------------------------------------
Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:
http://www.linuxsecurity.com/content/view/140196
* Debian: New iceweasel packages fix several vulnerabilities (Jul 23)
-------------------------------------------------------------------
Several remote vulnerabilities have been discovered in the Iceweasel
web browser, an unbranded version of the Firefox browser. It was
discovered that missing boundary checks on a reference counter for
CSS objects can lead to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/140194
* Debian: New lighttpd packages fix regression (Jul 23)
-----------------------------------------------------
It was discovered that lighttpd, a fast webserver with minimal memory
footprint, did not correctly handle SSL errors. This could allow
a remote attacker to disconnect all active SSL connections.
http://www.linuxsecurity.com/content/view/140193
* Debian: new libgd2 packages fix multiple vulnerabilities (Jul 22)
-----------------------------------------------------------------
Grayscale PNG files containing invalid tRNS chunk CRC values
could cause a denial of service (crash), if a maliciously crafted
image is loaded into an application using libgd.
http://www.linuxsecurity.com/content/view/140069
* Debian: New ruby1.8 packages fix several vulnerabilities (Jul 21)
-----------------------------------------------------------------
Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may lead to denial of service or the
execution of arbitrary code.
http://www.linuxsecurity.com/content/view/140064
------------------------------------------------------------------------
* Mandriva: Updated xemacs packages fix vulnerability (Jul 23)
------------------------------------------------------------
A vulnerability in xemacs was found where an attacker could provide a
group of files containing local variable definitions and arbitrary
Lisp code to be executed when one of the provided files is opened by
xemacs (CVE-2008-2142). The updated packages have been patched to
correct this issue.
http://www.linuxsecurity.com/content/view/140198
* Mandriva: Updated emacs packages fix vulnerability (Jul 23)
-----------------------------------------------------------
A vulnerability in emacs was found where an attacker could provide a
group of files containing local variable definitions and arbitrary
Lisp code to be executed when one of the provided files is opened by
emacs (CVE-2008-2142). The updated packages have been patched to
correct this issue.
http://www.linuxsecurity.com/content/view/140197
* Mandriva: Updated wireshark packages fix denial of service vulnerability (Jul 22)
---------------------------------------------------------------------------------
A vulnerability was found in Wireshark that could cause it to crash
while processing malicious packets. This update provides Wireshark
1.0.2, which is not vulnerable to this issue.
http://www.linuxsecurity.com/content/view/140073
* Mandriva: Updated libxslt packages fix buffer overflow vulnerability (Jul 21)
-----------------------------------------------------------------------------
A buffer overflow vulnerability in libxslt could be exploited via an
XSL style sheet file with a long XSLT transformation match condition,
which could possibly lead to the execution of arbitrary code
(CVE-2008-1767). The updated packages have been patched to correct
this issue.
http://www.linuxsecurity.com/content/view/140068
* Mandriva: Updated mysql packages fix vulnerabilities (Jul 19)
-------------------------------------------------------------
Multiple buffer overflows in yaSSL, which is used in MySQL, allowed
remote attackers to execute arbitrary code (CVE-2008-0226) or cause a
denial of service via a special Hello packet (CVE-2008-0227). Sergei
Golubchik found that MySQL did not properly validate optional data or
index directory paths given in a CREATE TABLE statement; as well it
would not, under certain conditions, prevent two databases from using
the same paths for data or index files. This could allow an
authenticated user with appropriate privilege to create tables in one
database to read and manipulate data in tables later created in other
databases, regardless of GRANT privileges (CVE-2008-2079). The
updated packages have been patched to correct these issues.
http://www.linuxsecurity.com/content/view/140060
* Mandriva: Updated mysql packages fix vulnerabilities (Jul 19)
-------------------------------------------------------------
Sergei Golubchik found that MySQL did not properly validate optional
data or index directory paths given in a CREATE TABLE statement; as
well it would not, under certain conditions, prevent two databases
from using the same paths for data or index files. This could allow
an authenticated user with appropriate privilege to create tables in
one database to read and manipulate data in tables later created in
other databases, regardless of GRANT privileges (CVE-2008-2079). The
updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/140059
* Mandriva: Updated Firefox packages fix vulnerabilities (Jul 17)
---------------------------------------------------------------
Security vulnerabilities have been discovered and corrected in the
latest Mozilla Firefox program, version 2.0.0.16 (CVE-2008-2785,
CVE-2008-2933).
http://www.linuxsecurity.com/content/view/140006
------------------------------------------------------------------------
* RedHat: Moderate: thunderbird security update (Jul 23)
------------------------------------------------------
Updated thunderbird packages that fix a security issue are now
available for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux
5. This update has been rated as having moderate security impact by
the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/140199
* RedHat: Important: kernel security and bug fix update (Jul 23)
--------------------------------------------------------------
Updated kernel packages that fix a security issue and several bugs
are now available for Red Hat Enterprise Linux 4. This update has
been rated as having important security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/140191
* RedHat: Moderate: php security update (Jul 22)
----------------------------------------------
Updated PHP packages that fix several security issues are now
available for Red Hat Application Stack v1. This update has been
rated as having moderate security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/140070
* RedHat: Critical: acroread security update (Jul 21)
---------------------------------------------------
Updated acroread packages that fix various security issues are now
available for Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5
Supplementary. This update has been rated as having critical security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/140063
------------------------------------------------------------------------
* Slackware: dnsmasq (Jul 23)
-----------------------------
New dnsmasq packages are available for Slackware 10.0, 10.1, 10.2,
11.0, 12.0, 12.1, and -current to address possible DNS cache
poisoning issues. More details about this issue may be found in the
Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.linuxsecurity.com/content/view/140200
* Slackware: mozilla-firefox (Jul 17)
-------------------------------------
New mozilla-firefox packages are available for Slackware 10.2, 11.0,
12.0, and 12.1 to fix security issues. More details about the issues
may be found on the Mozilla site:
http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
http://www.linuxsecurity.com/content/view/139938
* Slackware: seamonkey (Jul 17)
-------------------------------
New seamonkey packages are available for Slackware 11.0, 12.0, 12.1,
and -current to fix security issues. More details about the issues
may be found here:
http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html
http://www.linuxsecurity.com/content/view/139939
------------------------------------------------------------------------
* Ubuntu: PHP vulnerabilities (Jul 23)
-------------------------------------
It was discovered that PHP did not properly check the length of the
string parameter to the fnmatch function. An attacker could cause a
denial of service in the PHP interpreter if a script passed untrusted
input to the fnmatch function. (CVE-2007-4782)
http://www.linuxsecurity.com/content/view/140195
* Ubuntu: Dnsmasq vulnerability (Jul 22)
---------------------------------------
Dan Kaminsky discovered weaknesses in the DNS protocol as implemented
by Dnsmasq. A remote attacker could exploit this to spoof DNS entries
and poison DNS caches. Among other things, this could lead to
misdirected email and web traffic.
http://www.linuxsecurity.com/content/view/140072
* Ubuntu: Firefox vulnerabilities (Jul 17)
-----------------------------------------
A flaw was discovered in the browser engine. A variable could be made
to overflow causing the browser to crash. If a user were tricked into
opening a malicious web page, an attacker could cause a denial of
service or possibly execute arbitrary code with the privileges of the
user invoking the program. (CVE-2008-2785)
http://www.linuxsecurity.com/content/view/140005
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com