+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| June 27th, 2008 Volume 9, Number 26 |
| |
| Editorial Team: Dave Wreski <dwreski@linuxsecurity.com> |
| Benjamin D. Thomas <bthomas@linuxsecurity.com> |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for libetpan, perl, kernel,
jdk/jre, freetype, libvorbis, openssl, clamav, freetype2, fetchmail,
sblim, and IBMJava2. The distributors include Debian, Fedora, Gentoo,
Mandriva, Red Hat, and Ubuntu.
---
>> Linux+DVD Magazine <<
In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.
Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!
http://www.linuxsecurity.com/ads/adclick.php?bannerid=26
---
Security Features of Firefox 3.0
--------------------------------
Lets take a look at the security features of the newly released Firefox
3.0. Since it's release on Tuesday I have been testing it out to see
how the new security enhancements work and help in increase user
browsing security. One of the exciting improvements for me was how
Firefox handles SSL secured web sites while browsing the Internet.
There are also many other security features that this article will look
at. For example, improved plugin and addon security.
Read on for more security features of Firefox 3.0.
http://www.linuxsecurity.com/content/view/138972
---
Review: The Book of Wireless
----------------------------
"The Book of Wireless" by John Ross is an answer to the problem of
learning about wireless networking. With the wide spread use of
Wireless networks today anyone with a computer should at least know the
basics of wireless. Also, with the wireless networking, users need to
know how to protect themselves from wireless networking attacks.
http://www.linuxsecurity.com/content/view/136167
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
-------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.19 (Version 3.0, Release 19). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/136174
------------------------------------------------------------------------
* Debian: New libtk-img packages fix arbitrary code execution (Jun 19)
--------------------------------------------------------------------
It was discovered that a buffer overflow in the GIF image parsing
code of Tk, a cross-platform graphical toolkit, could lead to denial
of service and potentially the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/138786
------------------------------------------------------------------------
* Fedora 8 Update: libetpan-0.54-1.fc8 (Jun 26)
---------------------------------------------
Update to new upstream version 0.54 fixing a crash (NULL pointer
dereference) in the mail message header parser. Note: There is no
application in Fedora using libetpan library for which such crash
could be considered a security issue. This can only be a security
sensitive issue for some 3rd party, not packages applications.
http://www.linuxsecurity.com/content/view/139125
* Fedora 9 Update: perl-5.10.0-27.fc9 (Jun 26)
--------------------------------------------
CVE-2008-2827 perl: insecure use of chmod in rmtree
http://www.linuxsecurity.com/content/view/139106
* Fedora 8 Update: kernel-2.6.25.6-27.fc8 (Jun 20)
------------------------------------------------
The asn1 implementation in (a) the Linux kernel 2.4 before 2.4.36.6
and 2.6 before 2.6.25.5, as used in the cifs and ip_nat_snmp_basic
modules; and (b) the gxsnmp package; does not properly validate
length values during decoding of ASN.1 BER data, which allows remote
attackers to cause a denial of service (crash) or execute arbitrary
code via (1) a length greater than the working buffer, which can lead
to an unspecified overflow; (2) an oid length of zero, which can lead
to an off-by-one error; or (3) an indefinite length for a primitive
encoding.
http://www.linuxsecurity.com/content/view/138800
------------------------------------------------------------------------
* Gentoo: IBM JDK/JRE Multiple vulnerabilities (Jun 25)
-----------------------------------------------------
Multiple vulnerabilities have been found in IBM Java Development Kit
(JDK) and Java Runtime Environment (JRE), resulting in the execution
of arbitrary code.
http://www.linuxsecurity.com/content/view/139050
* Gentoo: FreeType User-assisted execution of arbitrary code (Jun 23)
-------------------------------------------------------------------
Font parsing vulnerabilities in FreeType might lead to user-assisted
execution of arbitrary code.
http://www.linuxsecurity.com/content/view/138977
* Gentoo: libvorbis Multiple vulnerabilities (Jun 23)
---------------------------------------------------
Multiple vulnerabilities in libvorbis might lead to the execution of
arbitrary code.
http://www.linuxsecurity.com/content/view/138976
* Gentoo: OpenSSL Denial of Service (Jun 23)
------------------------------------------
Two vulnerabilities might allow for a Denial of Service of daemons
using OpenSSL.
http://www.linuxsecurity.com/content/view/138975
* Gentoo: X.Org X server Multiple vulnerabilities (Jun 19)
--------------------------------------------------------
Multiple vulnerabilities have been discovered in the X.Org X server,
possibly allowing for the remote execution of arbitrary code with
root privileges.
http://www.linuxsecurity.com/content/view/138785
------------------------------------------------------------------------
* Mandriva: Updated clamav packages fix vulnerability (Jun 24)
------------------------------------------------------------
A vulnerability was discovered in ClamAV and corrected with the
0.93.1 release: libclamav/petite.c in ClamAV before 0.93.1 allows
remote attackers to cause a denial of service via a crafted Petite
file that triggers an out-of-bounds read. (CVE-2008-2713) Other bugs
have also been corrected in 0.93.1 which is being provided with this
update.
http://www.linuxsecurity.com/content/view/138983
* Mandriva: Updated freetype2 packages fix vulnerabilities (Jun 23)
-----------------------------------------------------------------
Multiple vulnerabilities were discovered in FreeType's Printer Font
Binary (PFB) font-file format parser. If a user were to load a
carefully crafted font file with a program linked against FreeType,
it could cause the application to crash or potentially execute
arbitrary code (CVE-2008-1806, CVE-2008-1807, CVE-2008-1808). The
updated packages have been patched to prevent this issue.
http://www.linuxsecurity.com/content/view/138973
* Mandriva: Updated fetchmail packages fix DoS vulnerability (Jun 20)
-------------------------------------------------------------------
A flaw in fetchmail was discovered that allowed remote attackers to
cause a denial of service (crash and persistent mail failure) via a
malformed message with long headers. The crash only occured when
fetchmail was called in '-v -v' mode (CVE-2008-2711). The updated
packages have been patched to prevent this issue.
http://www.linuxsecurity.com/content/view/138788
------------------------------------------------------------------------
* RedHat: Important: kernel security and bug fix update (Jun 25)
--------------------------------------------------------------
Updated kernel packages that fix several security issues and a bug
are now available for Red Hat Enterprise Linux 4. This update has
been rated as having important security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/139053
* RedHat: Important: sblim security update (Jun 24)
-------------------------------------------------
Updated sblim packages that resolve a security issue are now
available for Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux
5. It was discovered that certain sblim libraries had an RPATH
(runtime library search path) set in the ELF (Executable and Linking
Format) header. This RPATH pointed to a sub-directory of a
world-writable, temporary directory. A local user could create a file
with the same name as a library required by sblim (such as libc.so)
and place it in the directory defined in the RPATH. This file could
then execute arbitrary code with the privileges of the user running
an application that used sblim (eg
http://www.linuxsecurity.com/content/view/138979
* RedHat: Moderate: IBMJava2 security update (Jun 24)
---------------------------------------------------
IBMJava2-JRE and IBMJava2-SDK packages that correct several security
issues are available for Red Hat Enterprise Linux 2.1.A flaw was
found in the applet class loader. An untrusted applet could use this
flaw to circumvent network access restrictions, possibly connecting
to services hosted on the machine that executed the applet.
http://www.linuxsecurity.com/content/view/138978
* RedHat: Important: freetype security update (Jun 20)
----------------------------------------------------
Multiple flaws were discovered in FreeType's Printer Font Binary
(PFB) font-file format parser. If a user loaded a carefully crafted
font-file with a program linked against FreeType, it could cause the
application to crash, or possibly execute arbitrary code.
http://www.linuxsecurity.com/content/view/138791
* RedHat: Important: freetype security update (Jun 20)
----------------------------------------------------
Multiple flaws were discovered in FreeType's Printer Font Binary
(PFB) and TrueType Font (TTF) font-file format parsers. If a user
loaded a carefully crafted font-file with a program linked against
FreeType, it could cause the application to crash, or possibly
execute arbitrary code.
http://www.linuxsecurity.com/content/view/138792
------------------------------------------------------------------------
* Ubuntu: OpenSSL vulnerabilities (Jun 26)
-----------------------------------------
It was discovered that OpenSSL was vulnerable to a double-free when
using TLS server extensions. A remote attacker could send a crafted
packet and cause a denial of service via application crash in
applications linked against OpenSSL. Ubuntu 8.04 LTS does not compile
TLS server extensions by default. (CVE-2008-0891) It was discovered
that OpenSSL could dereference a NULL pointer. If a user or automated
system were tricked into connecting to a malicious server with
particular cipher suites, a remote attacker could cause a denial of
service via application crash. (CVE-2008-1672)
http://www.linuxsecurity.com/content/view/139127
* Ubuntu: Linux kernel vulnerabilities (Jun 19)
----------------------------------------------
It was discovered that the ALSA /proc interface did not write the
correct number of bytes when reporting memory allocations. A local
attacker might be able to access sensitive kernel memory, leading to
a loss of privacy. (CVE-2007-4571)
http://www.linuxsecurity.com/content/view/138787
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
Received on Tue Jul 1 01:41:01 2008