From: InfoSec News <alerts_at_private>
Date: Mon, 7 Jul 2008 05:14:35 -0500 (CDT)

+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                  |
| July 4th, 2008                                   Volume 9, Number 27 |
|                                                                      |
| Editorial Team:  Dave Wreski <dwreski_at_private>                    |
|                  Benjamin D. Thomas <bthomas_at_private>             |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for sympa, dbus, selinux-policy,
libetpan, perl, python, libgnomeeui, xine-lib, firefox, seamonkey,
ruby, samba, and openssl. The distributors include Debian, Fedora,
Gentoo, Red Hat, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Security Features of Firefox 3.0
--------------------------------
Let's take a look at the security features of the newly released Firefox
3.0. Since its release on Tuesday I have been testing it out to see how
the new security enhancements work and help increase user browsing
security. One of the exciting improvements for me was how Firefox
handles SSL-secured web sites while browsing the Internet. There are
also many other security features that this article will look at, for
example improved plugin and addon security.

Read on for more security features of Firefox 3.0.

http://www.linuxsecurity.com/content/view/138972

---

Review: The Book of Wireless
----------------------------
"The Book of Wireless" by John Ross is an answer to the problem of
learning about wireless networking. With the widespread use of
wireless networks today, anyone with a computer should at least know the
basics of wireless. Also, with wireless networking, users need to
know how to protect themselves from wireless networking attacks.

http://www.linuxsecurity.com/content/view/136167

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
-------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.19 (Version 3.0, Release 19). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/136174

------------------------------------------------------------------------

* Debian: New sympa packages fix denial of service (Jul 1)
--------------------------------------------------------
It was discovered that sympa, a modern mailing list manager, would
crash when processing certain types of malformed messages.

http://www.linuxsecurity.com/content/view/139296

* Debian: New dbus packages fix privilege escalation (Jun 26)
-----------------------------------------------------------
Havoc Pennington discovered that DBus, a simple interprocess
messaging system, performs insufficient validation of security
policies, which might allow local privilege escalation.

http://www.linuxsecurity.com/content/view/139131

------------------------------------------------------------------------

* Fedora 9 Update: selinux-policy-3.3.1-72.fc9 (Jul 1)
----------------------------------------------------
SELinux Reference Policy - modular. Based off of reference policy:
Checked out revision 2624.

http://www.linuxsecurity.com/content/view/139248

* Fedora 8 Update: libetpan-0.54-1.fc8 (Jun 26)
---------------------------------------------
Update to new upstream version 0.54 fixing a crash (NULL pointer
dereference) in the mail message header parser. Note: There is no
application in Fedora using the libetpan library for which such a crash
could be considered a security issue. This can only be a security
sensitive issue for some third-party, non-packaged applications.

http://www.linuxsecurity.com/content/view/139125

* Fedora 9 Update: perl-5.10.0-27.fc9 (Jun 26)
--------------------------------------------
CVE-2008-2827 perl: insecure use of chmod in rmtree

http://www.linuxsecurity.com/content/view/139106

------------------------------------------------------------------------

* Gentoo: Motion Execution of arbitrary code (Jul 1)
--------------------------------------------------
Multiple vulnerabilities in Motion might result in the execution of
arbitrary code.

http://www.linuxsecurity.com/content/view/139295

* Gentoo: Python Multiple integer overflows (Jul 1)
-------------------------------------------------
Multiple integer overflows may allow for Denial of Service.

http://www.linuxsecurity.com/content/view/139294

------------------------------------------------------------------------

* Mandriva: Updated libgnomeui2 packages fix text rendering bug (Jun 30)
----------------------------------------------------------------------
A missing initialization was preventing correct text rendering in the
GTK2 file selector, when using non-UTF8 locales. This updated
package fixes this issue, as well as memory leaks and also includes
new translations from the GNOME 2.22.2 release.

http://www.linuxsecurity.com/content/view/139239

* Mandriva: Updated xine-lib packages fix vulnerability in (Jun 26)
-----------------------------------------------------------------
A vulnerability in the Speex library was found where it did not
properly validate input values read from the Speex files headers. An
attacker could create a malicious Speex file that would crash an
application or potentially allow the execution of arbitrary code with
the privileges of the application calling the Speex library
(CVE-2008-1686).

http://www.linuxsecurity.com/content/view/139134

------------------------------------------------------------------------

* RedHat: Critical: firefox security update (Jul 2)
-------------------------------------------------
Updated firefox packages that fix several security issues are now
available for Red Hat Enterprise Linux 5. This update has been rated
as having critical security impact by the Red Hat Security Response
Team.

http://www.linuxsecurity.com/content/view/139334

* RedHat: Moderate: Red Hat Application Stack v1.3 (Jul 2)
--------------------------------------------------------
Red Hat Application Stack v1.3 is now available. This update fixes a
security issue and adds several enhancements. This update has been
rated as having moderate security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/139335

* RedHat: Moderate: Red Hat Application Stack v2.1 (Jul 2)
--------------------------------------------------------
Red Hat Application Stack v2.1 is now available. This update fixes
various security issues and adds several enhancements. This update
has been rated as having moderate security impact by the Red Hat
Security Response Team.

http://www.linuxsecurity.com/content/view/139336

* RedHat: Critical: seamonkey security update (Jul 2)
---------------------------------------------------
This update has been rated as having critical security impact by the
Red Hat Security Response Team. Several flaws were found in the
processing of malformed web content. A web page containing malicious
content could cause SeaMonkey to crash or, potentially, execute
arbitrary code as the user running SeaMonkey.

http://www.linuxsecurity.com/content/view/139332

* RedHat: Critical: firefox security update (Jul 2)
-------------------------------------------------
An updated firefox package that fixes several security issues is now
available for Red Hat Enterprise Linux 4. Multiple flaws were found
in the processing of malformed JavaScript content. A web page
containing such malicious content could cause Firefox to crash or,
potentially, execute arbitrary code as the user running Firefox.

http://www.linuxsecurity.com/content/view/139333

------------------------------------------------------------------------

* Slackware: ruby (Jun 28)
--------------------------
New ruby packages are available for Slackware 11.0, 12.0, 12.1, and
-current to fix security issues. More details about this issue may be
found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2726

http://www.linuxsecurity.com/content/view/139178

------------------------------------------------------------------------

* Ubuntu: Firefox vulnerabilities (Jul 2)
----------------------------------------
Various flaws were discovered in the browser engine. By tricking a
user into opening a malicious web page, an attacker could cause a
denial of service via application crash, or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2008-2798, CVE-2008-2799)

http://www.linuxsecurity.com/content/view/139331

* Ubuntu: Samba regression (Jun 30)
----------------------------------
Samba developers discovered that nmbd could be made to overrun a
buffer during the processing of GETDC logon server requests. When
samba is configured as a Primary or Backup Domain Controller, a
remote attacker could send malicious logon requests and possibly
cause a denial of service. (CVE-2007-4572)

http://www.linuxsecurity.com/content/view/139235

* Ubuntu: Ruby vulnerabilities (Jun 26)
--------------------------------------
Drew Yao discovered several vulnerabilities in Ruby which lead to
integer overflows. If a user or automated system were tricked into
running a malicious script, an attacker could cause a denial of
service or execute arbitrary code with the privileges of the user
invoking the program.

http://www.linuxsecurity.com/content/view/139133

* Ubuntu: OpenSSL vulnerabilities (Jun 26)
-----------------------------------------
It was discovered that OpenSSL was vulnerable to a double-free when
using TLS server extensions. A remote attacker could send a crafted
packet and cause a denial of service via application crash in
applications linked against OpenSSL. Ubuntu 8.04 LTS does not compile
TLS server extensions by default. (CVE-2008-0891) It was discovered
that OpenSSL could dereference a NULL pointer. If a user or automated
system were tricked into connecting to a malicious server with
particular cipher suites, a remote attacker could cause a denial of
service via application crash. (CVE-2008-1672)

http://www.linuxsecurity.com/content/view/139127

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request_at_private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

Received on Mon Jul 07 2008 - 03:14:35 PDT