+------------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| May 2nd, 2008 Volume 9, Number 18 |
| |
| Editorial Team: Dave Wreski <dwreski@private> |
| Benjamin D. Thomas <bthomas@private> |
+------------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week security advisories were issued for JRockit, KDE, SILC, dbmail,
gstreamer-plugins-good, iceape, java-1.4.2-bea, java-1.5.0-bea,
java-1.6.0-bea, kronolith2, ldm, libpng, perl, phpgedview, phpmyadmin,
speex, thunderbird, tomcat, vorbis-tools, wireshark, wml, wordpress, and
xulrunner. The distributors included Debian, Fedora, Gentoo, Mandriva,
Red Hat, and Slackware.
---
>> Linux+DVD Magazine <<
Our magazine is read by professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software. The majority of our readers is between 15 and 40
years old. They are interested in current news from the Linux world,
upcoming projects etc.
In each issue you can find information concerning typical use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.
http://www.linuxsecurity.com/ads/adclick.php?bannerid=3D26
---
Review: The Book of Wireless
----------------------------
=93The Book of Wireless=94 by John Ross is an answer to the problem of
learning about wireless networking. With the wide spread use of Wireless
networks today anyone with a computer should at least know the basics of
wireless. Also, with the wireless networking, users need to know how to
protect themselves from wireless networking attacks.
http://www.linuxsecurity.com/content/view/136167
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
--------------------------------------------------------------------------
* EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
-------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.19 (Version 3.0, Release 19). This release includes many
updated packages and bug fixes and some feature enhancements to the
EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/136174
--------------------------------------------------------------------------
* Debian: New asterisk packages fix denial of service (Apr 30)
------------------------------------------------------------
Joel R. Voss discovered that the IAX2 module of Asterisk, a free
software PBX and telephony toolkit performs insufficient validation of
IAX2 protocol messages, which may lead to denial of service.
http://www.linuxsecurity.com/content/view/136679
* Debian: New iceape packages fix arbitrary code execution (Apr 28)
-----------------------------------------------------------------
It was discovered that crashes in the Javascript engine of Iceape, an
unbranded version of the Seamonkey internet suite could potentially
lead to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/136539
* Debian: New ldm packages fix information disclosure (Apr 28)
------------------------------------------------------------
Christian Herzog discovered that within the Linux Terminal Server
Project, it was possible to connect to X on any LTSP client from any
host on the network, making client windows and keystrokes visible to
that host.
http://www.linuxsecurity.com/content/view/136538
* Debian: New kronolith2 packages fix cross site scripting (Apr 28)
-----------------------------------------------------------------
"The-0utl4w" discovered that the Kronolith, calendar component for the
Horde Framework, didn't properly sanitise URL input, leading to a
cross-site scripting vulnerability in the add event screen.
http://www.linuxsecurity.com/content/view/136535
* Debian: New perl packages fix denial of service (Apr 27)
--------------------------------------------------------
It has been discovered that the Perl interpreter may encounter a buffer
overflow condition when compiling certain regular expressions
containing Unicode characters. This also happens if the offending
characters are contained in a variable reference protected by the
Q...E quoting construct. When encountering this condition, the Perl
interpreter typically crashes, but arbitrary code execution cannot be
ruled out.
http://www.linuxsecurity.com/content/view/136530
* Debian: New phpgedview packages fix cross site scripting (Apr 27)
-----------------------------------------------------------------
It was discovered that phpGedView, an application to provide online
access to genealogical data, performed insufficient input sanitising on
some parameters, making it vulnerable to cross site scripting.
http://www.linuxsecurity.com/content/view/136529
* Debian: New wml packages fix denial of service (Apr 27)
-------------------------------------------------------
Frank Lichtenheld and Nico Golde discovered that WML, an off-line
HTML generation toolkit, creates insecure temporary files in the
eperl and ipp backends and in the wmg.cgi script, which could lead
to local denial of service by overwriting files.
http://www.linuxsecurity.com/content/view/136528
* Debian: New xulrunner packages fix arbitrary code execution (Apr 24)
--------------------------------------------------------------------
It was discovered that crashes in the Javascript engine of xulrunner,
the Gecko engine library, could potentially lead to the execution of
arbitrary code.
http://www.linuxsecurity.com/content/view/136520
* Debian: New iceape packages fix regression (Apr 24)
---------------------------------------------------
Several remote vulnerabilities have been discovered in the Iceape
internet suite, an unbranded version of the Seamonkey Internet Suite.
The Common Vulnerabilities and Exposures project identifies the
following problems:
http://www.linuxsecurity.com/content/view/136519
* Debian: New phpmyadmin packages fix several vulnerabilities (Apr 24)
--------------------------------------------------------------------
Several remote vulnerabilities have been discovered in phpMyAdmin, an
application to administrate MySQL over the WWW. The Common
Vulnerabilities and Exposures project identifies the following
problems:
http://www.linuxsecurity.com/content/view/136518
* Debian: New perl packages fix denial of service (Apr 24)
--------------------------------------------------------
It has been discovered that the Perl interpreter may encounter a buffer
overflow condition when compiling certain regular expressions
containing Unicode characters. This also happens if the offending
characters are contained in a variable reference protected by the
Q...E quoting construct. When encountering this condition, the Perl
interpreter typically crashes, but arbitrary code execution cannot be
ruled out.
http://www.linuxsecurity.com/content/view/136517
--------------------------------------------------------------------------
* Fedora 8 Update: dbmail-2.2.9-1.fc8 (Apr 29)
--------------------------------------------
Fix possible authentication bypass in authldap authentication module
when dbmail is used with LDAP servers allowing anonymous logins -
CVE-2007-6714 (#443019).
http://www.linuxsecurity.com/content/view/136590
* Fedora 7 Update: wordpress-2.5.1-1.fc7 (Apr 29)
-----------------------------------------------
This updates contains security fixes:
http://wordpress.org/development/2008/04/wordpress-251/
http://www.linuxsecurity.com/content/view/136565
--------------------------------------------------------------------------
* Gentoo: KDE start_kdeinit Multiple vulnerabilities (Apr 29)
-----------------------------------------------------------
=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D Multiple vulnerabilities in star=
t_kdeinit
could possibly allow a local attacker to execute arbitrary code with
root privileges.
http://www.linuxsecurity.com/content/view/136541
* Gentoo: JRockit Multiple vulnerabilities (Apr 24)
-------------------------------------------------
Multiple vulnerabilities have been identified in BEA JRockit.
http://www.linuxsecurity.com/content/view/136516
* Gentoo: SILC Multiple vulnerabilities (Apr 24)
----------------------------------------------
Multiple vulnerabilities were found in SILC Client, Server, and
Toolkit, allowing for Denial of Service and execution of arbitrary
code.
http://www.linuxsecurity.com/content/view/136515
--------------------------------------------------------------------------
* Mandriva: Updated speex packages fix vulnerabilities (Apr 29)
-------------------------------------------------------------
A vulnerability in the Speex library was found where it did not
properly validate input values read from the Speex files headers. An
attacker could create a malicious Speex file that would crash an
application or potentially allow the execution of arbitrary code with
the privileges of the application calling the Speex library
(CVE-2008-1686). The updated packages have been patched to correct this
issue.
http://www.linuxsecurity.com/content/view/136670
* Mandriva: Updated gstreamer-plugins-good packages fix (Apr 29)
--------------------------------------------------------------
A vulnerability in the Speex library was found where it did not
properly validate input values read from the Speex files headers. An
attacker could create a malicious Speex file that would crash an
application or potentially allow the execution of arbitrary code with
the privileges of the application calling the Speex library
(CVE-2008-1686). The speex plugin in the gstreamer-plugins-good package
is similarly affected by this issue. The updated packages have been
patched to correct this issue.
http://www.linuxsecurity.com/content/view/136669
* Mandriva: Updated vorbis-tools packages fix vulnerabilities (Apr 29)
--------------------------------------------------------------------
A vulnerability in the Speex library was found where it did not
properly validate input values read from the Speex files headers. An
attacker could create a malicious Speex file that would crash an
application or potentially allow the execution of arbitrary code with
the privileges of the application calling the Speex library
(CVE-2008-1686). The ogg123 application in vorbis-tools is similarly
affected by this issue. The updated packages have been patched to
correct this issue.
http://www.linuxsecurity.com/content/view/136668
* Mandriva: Updated wireshark packages fix denial of service (Apr 24)
-------------------------------------------------------------------
A few vulnerabilities were found in Wireshark, that could cause it to
crash or hang under certain conditions. This update provides Wireshark
1.0.0, which is not vulnerable to the issues.
http://www.linuxsecurity.com/content/view/136521
--------------------------------------------------------------------------
* RedHat: Moderate: thunderbird security update (Apr 30)
------------------------------------------------------
Updated thunderbird packages that fix a security issue are now
available for Red Hat Enterprise Linux 4 and 5. This update has been
rated as having moderate security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/136678
* RedHat: Moderate: tomcat security update (Apr 28)
-------------------------------------------------
Updated tomcat packages that fix multiple security issues are now
available for Red Hat Developer Suite 3. This update has been rated as
having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/136531
* RedHat: Moderate: java-1.4.2-bea security update (Apr 28)
---------------------------------------------------------
Updated java-1.4.2-bea packages that fix a security issue are now
available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise
Linux 4 Extras, and Red Hat Enterprise Linux 5 Supplementary. This
update has been rated as having moderate security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/136532
* RedHat: Moderate: java-1.5.0-bea security update (Apr 28)
---------------------------------------------------------
Updated java-1.5.0-bea packages that correct several security issues
are now available for Red Hat Enterprise Linux 4 Extras and 5
Supplementary. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/136533
* RedHat: Moderate: java-1.6.0-bea security update (Apr 28)
---------------------------------------------------------
Updated java-1.6.0-bea packages that correct several security issues
are now available for Red Hat Enterprise Linux 5 Supplementary. This
update has been rated as having moderate security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/136534
--------------------------------------------------------------------------
* Slackware: libpng (Apr 29)
----------------------------
New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, and -current to fix a security issue. More
details about this issue may be found in the Common Vulnerabilities and
Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2008-1382 Additional
information can be found in the libpng source, or in this file on the
libpng FTP site:
ftp://ftp.simplesystems.org/pub/libpng/png/src/libpng-1.2.27-README.txt
http://www.linuxsecurity.com/content/view/136540
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email newsletter-request@private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com
Comments