This week, advisories were released for ghostscript, koffice, diatheke, turba2, iceape, alsa-driver, linux kernel, wordpress, dspam, splitvt, thunderbird, settroubleshoot, dbus, python, and pcre. The distributors include Debian, Fedora, Gentoo, Mandriva, and Ubuntu.
In each issue you can find information concerning typical use of Linux: safety,
databases, multimedia, scientific tools, entertainment, programming, e-mail,
news and desktop environments.
|
EnGarde Secure Community v3.0.18 Now Available! (Dec 4) |
|
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.18 (Version 3.0, Release 18). This release includes the brand new Health Center, new packages for FWKNP and PSAD, updated packages and bug fixes, some feature enhancements to Guardian Digital WebTool and the SELinux policy, as well as other new features.
In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database and e-mail security, integrated intrusion detection and SELinux policies and more.
|
|
|
|
Debian: New ghostscript packages fix arbitrary code execution (Feb 27) |
|
Chris Evans discovered a buffer overflow in the color space handling code of the Ghostscript PostScript/PDF interpreter, which might result in the execution of arbitrary code if a user is tricked into processing a malformed file. advisories/debian/debian-new-ghostscript-packages-fix-arbitrary-code-execution
|
|
Debian: New koffice packages fix multiple vulnerabilities (Feb 25) |
|
Several vulnerabilities have been discovered in xpdf code that is embedded in koffice, an integrated office suite for KDE. These flaws could allow an attacker to execute arbitrary code by inducing the user to import a specially crafted PDF document. advisories/debian/debian-new-koffice-packages-fix-multiple-vulnerabilities
|
|
Debian: New diatheke packages fix arbirary shell command execution (Feb 25) |
|
Dan Dennison discovered that Diatheke, a CGI program to make a bible website, performs insufficient sanitising of a parameter, allowing a remote attacker to execute arbitrary shell commands as the web server user. advisories/debian/debian-new-diatheke-packages-fix-arbirary-shell-command-execution
|
|
Debian: New turba2 packages fix permission testing (Feb 24) |
|
Peter Paul Elfferich discovered that turba2, a contact management component for horde framework did not correctly check access rights before allowing users to edit addresses. This could result in valid users being able to alter private address records. advisories/debian/debian-new-turba2-packages-fix-permission-testing
|
|
Debian: New iceape packages fix several vulnerabilities (Feb 24) |
|
Several remote vulnerabilities have been discovered in the Iceape internet suite, an unbranded version of the Seamonkey Internet Suite. The Common Vulnerabilities and Exposures project identifies the following problems: Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul Nickerson discovered crashes in the layout engine, which might allow the execution of arbitrary code. advisories/debian/debian-new-iceape-packages-fix-several-vulnerabilities-79321
|
|
Debian: New alsa-driver packages fix kernel memory leak (Feb 22) |
|
Takashi Iwai supplied a fix for a memory leak in the snd_page_alloc module. Local users could exploit this issue to obtain sensitive information from the kernel (CVE-2007-4571). advisories/debian/debian-new-alsa-driver-packages-fix-kernel-memory-leak
|
|
Debian: New Linux kernel 2.6.8 packages fix several issues (Feb 22) |
|
Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. advisories/debian/debian-new-linux-kernel-268-packages-fix-several-issues
|
|
Debian: New Linux kernel 2.4.27 packages fix several issues (Feb 22) |
|
Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: infamous41md reported multiple integer overflows in the Sbus PROM driver that would allow for a DoS (Denial of Service) attack by a local user, and possibly the execution of arbitrary code. advisories/debian/debian-new-linux-kernel-2427-packages-fix-several-issues-30423
|
|
Debian: New wordpress packages fix multiple vulnerabilities (Feb 21) |
|
Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php. advisories/debian/debian-new-wordpress-packages-fix-multiple-vulnerabilities
|
|
Debian: New dspam packages fix information disclosure (Feb 21) |
|
Tobias Gruetzmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line when using the MySQL backend. This allowed a local attacker to read the contents of the dspam database, such as emails. advisories/debian/debian-new-dspam-packages-fix-information-disclosure
|
|
Debian: New splitvt packages fix privilege escalation (Feb 21) |
|
Mike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing 'xprop'. This could allow any local user to gain the privileges of group utmp. advisories/debian/debian-new-splitvt-packages-fix-privilege-escalation
|
|
|
|
Fedora 7 Update: thunderbird-2.0.0.12-1.fc7 (Feb 28) |
|
Several flaws were found in the way Thunderbird processed certain malformed HTML mail content. advisories/fedora/fedora-7-update-thunderbird-20012-1fc7-16-46-00-135013
|
|
Fedora 8 Update: setroubleshoot-plugins-2.0.4-3.fc8 (Feb 28) |
|
This is a major upgrade of setroubleshoot. The primary difference is how audit data is captured, analyzed, and stored. Security vulnerabilities, performance, usability, and robustness have been addressed in addition to general bug fixes. advisories/fedora/fedora-8-update-setroubleshoot-plugins-204-3fc8-16-44-00-135004
|
|
Fedora 8 Update: setroubleshoot-2.0.5-2.fc8 (Feb 28) |
|
This is a major upgrade of setroubleshoot. The primary difference is how audit data is captured, analyzed, and stored. Security vulnerabilities, performance, usability, and robustness have been addressed in addition to general bug fixes. advisories/fedora/fedora-8-update-setroubleshoot-205-2fc8-16-44-00-135005
|
|
Fedora 8 Update: dbus-1.1.2-9.fc8 (Feb 28) |
|
This update fixes CVE-2008-0595. advisories/fedora/fedora-8-update-dbus-112-9fc8-16-40-00-134979
|
|
Fedora 7 Update: dbus-1.0.2-7.fc7 (Feb 28) |
|
This update fixes CVE-2008-0595. advisories/fedora/fedora-7-update-dbus-102-7fc7-16-36-00-134960
|
|
|
|
Gentoo: xine-lib User-assisted execution of arbitrary code (Feb 26) |
|
xine-lib is vulnerable to multiple buffer overflows when processing FLAC and ASF streams.
|
|
Gentoo: Python PCRE Integer overflow (Feb 23) |
|
A vulnerability within Python's copy of PCRE might lead to the execution of arbitrary code.
|
|
|
|
Mandriva: Updated dbus packages fix vulnerability (Feb 28) |
|
A vulnerability was discovered by Havoc Pennington in how the dbus-daemon applied its security policy.
|
|
Mandriva: Updated pcre packages fix vulnerability (Feb 27) |
|
A buffer overflow in PCRE 7.x before 7.6 allows remote attackers to execute arbitrary code via a regular expression that contains a character class with a large number of characters with Unicode code points greater than 255.
|
|
Mandriva: Updated cacti packages fix multiple (Feb 27) |
|
A number of vulnerabilities were found in the Cacti program, including XSS vulnerabilities, SQL injection vulnerabilities, CRLF injection vulnerabilities, and information disclosure vulnerabilities. This update provides Cacti 0.8.6k which corrects these issues.
|
|
Mandriva: Updated cups packages fix vulnerabilities (Feb 26) |
|
A flaw was found in how CUPS handled the addition and removal of remote printers via IPP that could allow a remote attacker to send a malicious IPP packet to the UDP port causing CUPS to crash. The updated packages have been patched to correct these issues.
|
|
Mandriva: Updated cups packages fix multiple vulnerabilities (Feb 26) |
|
Dave Camp at Critical Path Software discovered a buffer overflow in CUPS 1.1.23 and earlier could allow local admin users to execute arbitrary code via a crafted URI to the CUPS service (CVE-2007-5848). The Red Hat Security Team also found two flaws in CUPS 1.1.x where a malicious user on the local subnet could send a set of carefully crafted IPP packets to the UDP port in such a way as to cause CUPS to crash (CVE-2008-0597) or consume memory and lead to a CUPS crash (CVE-2008-0596).
|
|
Mandriva: Updated nss_ldap package fixes race condition (Feb 25) |
|
A race condition in nss_ldap, when used in applications that use pthread and fork after a call to nss_ldap, does not properly handle the LDAP connection, which might cause nss_ldap to return the wrong user data to the wrong process, giving one user access to data belonging to another user, in some cases. The updated package hais been patched to prevent this issue.
|
|
Mandriva: Updated Firefox packages fix multiple (Feb 22) |
|
A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.12. This update provides the latest Firefox to correct these issues.
|
|
Mandriva: Updated x11-driver-video-openchrome package (Feb 21) |
|
The openchrome driver version shipped with Mandriva 2008.0 is not fully functional with most chrome based video cards available in the market. This update, requested by upstream developers, should correct the problems, and provide a more mature driver.
|
|
|
|
Ubuntu: PCRE vulnerability (Feb 21) |
|
It was discovered that PCRE did not correctly handle very long strings containing UTF8 sequences. In certain situations, an attacker could exploit applications linked against PCRE by tricking a user or automated system in processing a malicious regular expression leading to a denial of service or possibly arbitrary code execution. advisories/ubuntu/ubuntu-pcre-vulnerability-35486
|
|
Ubuntu: libcdio vulnerability (Feb 21) |
|
Devon Miller discovered that the iso-info and cd-info tools did not properly perform bounds checking. If a user were tricked into using these tools with a crafted iso image, an attacker could cause a denial of service via a core dump, and possibly execute arbitrary code. advisories/ubuntu/ubuntu-libcdio-vulnerability
|
|
Ubuntu: Qt vulnerability (Feb 21) |
|
It was discovered that QSslSocket did not properly verify SSL certificates. A remote attacker may be able to trick applications using QSslSocket into accepting invalid SSL certificates. advisories/ubuntu/ubuntu-qt-vulnerability-40968
|
Feb 29, 2008
•
Anthony Pell
PREVIOUS
NEXT
