Debian, Fedora, Gentoo, Mandriva, Red Hat, Ubuntu Security Updates Overview
Vyatta - Linux-based Router, Firewall & VPN - Vyatta software and appliances combine the features, performance and reliability of enterprise-class networking gear with the cost-savings and flexibility of linux-based solutions. Vyatta empowers you to replace overpriced proprietary router, firewall and VPN equipment with commercially supported open-source solutions.
Free Vyatta Software & Live Webinars
LinuxSecurity.com Feature Extras:
RFID with Bio-Smart Card in Linux - In this paper, we describe the integration of fingerprint template and RF smart card for clustered network, which is designed on Linux platform and Open source technology to obtain biometrics security. Combination of smart card and biometrics has achieved in two step authentication where smart card authentication is based on a Personal Identification Number (PIN) and the card holder is authenticated using the biometrics template stored in the smart card that is based on the fingerprint verification. The fingerprint verification has to be executed on central host server for security purposes. Protocol designed allows controlling entire parameters of smart security controller like PIN options, Reader delay, real-time clock, alarm option and cardholder access conditions.
Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.
| Debian | ||
| Debian: New gforge-plugin-scmcvs packages fix arbitrary shell command execution | ||
| 24th, May, 2007
Bernhard R. Link discovered that the CVS browsing interface of Gforge, a collaborative development tool, performs insufficient escaping of URLs, which allows the execution of arbitrary shell commands with the privileges of the www-data user. advisories/debian/debian-new-gforge-plugin-scmcvs-packages-fix-arbitrary-shell-command-execution |
||
| Debian: New otrs2 packages fix cross-site scripting | ||
| 28th, May, 2007
It was discovered that the Open Ticket Request System performs insufficient input sanitising for the Subaction parameter, which allows the injection of arbitrary web script code. advisories/debian/debian-new-otrs2-packages-fix-cross-site-scripting |
||
| Fedora | ||
| Fedora Core 5 Update: php-5.1.6-1.6 | ||
| 24th, May, 2007
This update fixes a number of security issues in PHP. A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A PHP script which implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the 'apache' user. advisories/fedora/fedora-core-5-update-php-516-16-02-18-00-128317 |
||
| Fedora Core 6 Update: mutt-1.4.2.3-1.fc6 | ||
| 30th, May, 2007
The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. Also, a Buffer overflow in Mutt 1.4.2 might allow local users to execute arbitrary code via "&" characters in the GECOS field, which triggers the overflow during alias expansion. advisories/fedora/fedora-core-6-update-mutt-1423-1fc6-16-01-00-128378 |
||
| Fedora Core 5 Update: mutt-1.4.2.1-8.fc5 | ||
| 30th, May, 2007
The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. Buffer overflow in Mutt 1.4.2 might allow local users to execute arbitrary code via "&" characters in the GECOS field, which triggers the overflow during alias expansion. advisories/fedora/fedora-core-5-update-mutt-1421-8fc5-16-01-00-128379 |
||
| Fedora Core 6 Update: selinux-policy-2.4.6-72.fc6 | ||
| 30th, May, 2007
This Updates Fedora Core 6 SELinux policy. One change is Allow prelink sys_resource, Add transition rule to allow apps to run java in different context. Another is Allow netlable to read etc and work with init terminals and changes the file context to have all of policy at SystemLow. advisories/fedora/fedora-core-6-update-selinux-policy-246-72fc6-16-01-00-128380 |
||
| Fedora Core 6 Update: firefox-1.5.0.12-1.fc6 | ||
| 31st, May, 2007
Updated firefox packages that fix several security bugs are now available Fedora Core 6. This update has been rated as having critical security impact by the Fedora Security Response Team. Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox. advisories/fedora/fedora-core-6-update-firefox-15012-1fc6-09-18-00-128388 |
||
| Fedora Core 6 Update: epiphany-2.16.3-5.fc6 | ||
| 31st, May, 2007
Updated firefox packages that fix several security bugs are now available Fedora Core 6. This update has been rated as having critical security impact by the Fedora Security Response Team. Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox. advisories/fedora/fedora-core-6-update-epiphany-2163-5fc6-09-18-00-128389 |
||
| Fedora Core 6 Update: devhelp-0.12-11.fc6 | ||
| 31st, May, 2007
Updated firefox packages that fix several security bugs are now available Fedora Core 6. This update has been rated as having critical security impact by the Fedora Security Response Team. Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox. advisories/fedora/fedora-core-6-update-devhelp-012-11fc6-09-18-00-128390 |
||
| Fedora Core 6 Update: yelp-2.16.0-13.fc6 | ||
| 31st, May, 2007
Updated firefox packages that fix several security bugs are now available Fedora Core 6. This update has been rated as having critical security impact by the Fedora Security Response Team. Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox. advisories/fedora/fedora-core-6-update-yelp-2160-13fc6-09-18-00-128391 |
||
| Fedora Core 6 Update: thunderbird-1.5.0.12-1.fc6 | ||
| 31st, May, 2007
Updated thunderbird packages that fix several security bugs are now available for Fedora Core. This update has been rated as having critical security impact by the Fedora Security Response Team. Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird. advisories/fedora/fedora-core-6-update-thunderbird-15012-1fc6-09-19-00-128392 |
||
| Fedora Core 5 Update: thunderbird-1.5.0.12-1.fc5 | ||
| 31st, May, 2007
Updated thunderbird packages that fix several security bugs are now available for Fedora Core. This update has been rated as having critical security impact by the Fedora Security Response Team. Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird. advisories/fedora/fedora-core-5-update-thunderbird-15012-1fc5-09-19-00-128393 |
||
| Fedora Core 5 Update: seamonkey-1.0.9-1.fc5 | ||
| 31st, May, 2007
Updated seamonkey packages that fix several security bugs are now available for Fedora Core 5. This update has been rated as having critical security impact by the Fedora Security Response Team. SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause SeaMonkey to crash or potentially execute arbitrary code as the user running SeaMonkey advisories/fedora/fedora-core-5-update-seamonkey-109-1fc5-09-19-00-128394 |
||
| Fedora Core 5 Update: devhelp-0.11-7.fc5 | ||
| 31st, May, 2007
Updated seamonkey packages that fix several security bugs are now available for Fedora Core 5. This update has been rated as having critical security impact by the Fedora Security Response Team. SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause SeaMonkey to crash or potentially execute arbitrary code as the user running SeaMonkey. advisories/fedora/fedora-core-5-update-devhelp-011-7fc5-09-19-00-128395 |
||
| Fedora Core 5 Update: yelp-2.14.3-5.fc5 | ||
| 31st, May, 2007
Updated seamonkey packages that fix several security bugs are now available for Fedora Core 5. This update has been rated as having critical security impact by the Fedora Security Response Team. SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause SeaMonkey to crash or potentially execute arbitrary code as the user running SeaMonkey. advisories/fedora/fedora-core-5-update-yelp-2143-5fc5-09-19-00-128396 |
||
| Fedora Core 5 Update: epiphany-2.14.3-6.fc5 | ||
| 31st, May, 2007
Updated seamonkey packages that fix several security bugs are now available for Fedora Core 5. This update has been rated as having critical security impact by the Fedora Security Response Team. SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause SeaMonkey to crash or potentially execute arbitrary code as the user running SeaMonkey. advisories/fedora/fedora-core-5-update-epiphany-2143-6fc5-09-19-00-128397 |
||
| Fedora Core 5 Update: firefox-1.5.0.12-1.fc5 | ||
| 31st, May, 2007
Updated firefox packages that fix several security bugs are now available for Fedora Core 5. This update has been rated as having critical security impact by the Fedora Security Response Team. Mozilla Firefox is an open source Web browser. Several flaws were found in the way Firefox processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox. advisories/fedora/fedora-core-5-update-firefox-15012-1fc5-09-19-00-128398 |
||
| Gentoo | ||
| Gentoo: PHP Multiple vulnerabilities | ||
| 26th, May, 2007
PHP contains several vulnerabilities including buffer and integer overflows which could under certain conditions lead to the remote execution of arbitrary code. |
||
| Gentoo: Blackdown Java Applet privilege escalation | ||
| 26th, May, 2007
The Blackdown JDK and the Blackdown JRE suffer from the multiple unspecified vulnerabilities that already affected the Sun JDK and JRE. Chris Evans has discovered multiple buffer overflows in the Sun JDK and the Sun JRE possibly related to various AWT and font layout functions. |
||
| Gentoo: MPlayer Two buffer overflows | ||
| 30th, May, 2007
Two vulnerabilities have been discovered in MPlayer, each one could lead to the execution of arbitrary code.A buffer overflow has been reported in the DMO_VideoDecoder_Open() function in file loader/dmo/DMO_VideoDecoder.c. Another buffer overflow has been reported in the DS_VideoDecoder_Open() function in file loader/dshow/DS_VideoDecoder.c. |
||
| Gentoo: FreeType Buffer overflow | ||
| 30th, May, 2007
Victor Stinner discovered a heap-based buffer overflow in the function Get_VMetrics() in src/truetype/ttgload.c when processing TTF files with a negative n_points attribute. A remote attacker could entice a user to open a specially crafted TTF file, possibly resulting in the execution of arbitrary code with the privileges of the user running FreeType. |
||
| Mandriva | ||
| Mandriva: Updated samba packages fix multiple | ||
| 24th, May, 2007
A number of bugs were discovered in the NDR parsing support in Samba that is used to decode MS-RPC requests. A remote attacker could send a carefully crafted request that would cause a heap overflow, possibly leading to the ability to execute arbitrary code on the server. |
||
| Mandriva: Updated gnome-media packages fix bug | ||
| 24th, May, 2007
A window modality bug was preventing audio profile editing from Sound-juicer or Rhythmbox applications. This bug is fixed with the updated gnome-media package. |
||
| Red Hat | ||
| RedHat: Important: tomcat security update | ||
| 24th, May, 2007
Updated tomcat packages that fix multiple security issues and a bug are now available for Red Hat Developer Suite 3. Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. advisories/red-hat/redhat-important-tomcat-security-update-RHSA-2007-0326-01 |
||
| RedHat: Important: jbossas security update | ||
| 24th, May, 2007
Updated jbossas packages that fix multiple security issues in tomcat are now available for Red Hat Application Stack. This update has been rated as having Important security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-important-jbossas-security-update-RHSA-2007-0360-01 |
||
| RedHat: Moderate: evolution-data-server security update | ||
| 30th, May, 2007
Updated evolution-data-server package that fixes a security bug are now available for Red Hat Enterprise Linux 5.A flaw was found in the way evolution-data-server processed certain APOP authentication requests. By sending certain responses when evolution-data-server attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. This update has been rated as having moderate security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-moderate-evolution-data-server-security-update-8405 |
||
| RedHat: Important: mod_jk security update | ||
| 30th, May, 2007
Updated mod_jk packages that fix a security issue are now available for Red Hat Application Server.If Tomcat was used behind mod_jk and configured to only proxy some contexts, an attacker could construct a carefully crafted HTTP request to work around the context restriction and potentially access non-proxied content. This update has been rated as having Important security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-important-modjk-security-update-42147 |
||
| RedHat: Moderate: quagga security update | ||
| 30th, May, 2007
An updated quagga package that fixes a security bug is now available for Red Hat Enterprise Linux 3, 4 and 5.An out of bounds memory read flaw was discovered in Quagga's bgpd. A configured peer of bgpd could cause Quagga to crash, leading to a denial of service. This update has been rated as having moderate security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-moderate-quagga-security-update-RHSA-2007-0389-01 |
||
| RedHat: Moderate: file security update | ||
| 30th, May, 2007
An updated file package that fixes a security flaw is now available for Red Hat Enterprise Linux 4 and 5.The fix for CVE-2007-1536 introduced a new integer underflow flaw in the file utility. An attacker could create a carefully crafted file which, if examined by a victim using the file utility, could lead to arbitrary code execution. This update has been rated as having moderate security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-moderate-file-security-update-RHSA-2007-0391-01 |
||
| RedHat: Important: mod_jk security update | ||
| 30th, May, 2007
Updated mod_jk packages that fix a security issue are now available for Red Hat Application Stack v1.1. If Tomcat was used behind mod_jk and configured to only proxy some contexts, an attacker could construct a carefully crafted HTTP request to work around the context restriction and potentially access non-proxied content. This update has been rated as having Important security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-important-modjk-security-update-42147 |
||
| RedHat: Critical: firefox security update | ||
| 30th, May, 2007
Updated firefox packages that fix several security bugs are now available for Red Hat Enterprise Linux 4 and 5. Several flaws were found in the way Firefox processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox. This update has been rated as having critical security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-critical-firefox-security-update-38591 |
||
| RedHat: Critical: thunderbird security update | ||
| 30th, May, 2007
Updated thunderbird packages that fix several security bugs are now available for Red Hat Enterprise Linux 4 and 5.Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Thunderbird to crash or potentially execute arbitrary code as the user running Thunderbird. This update has been rated as having critical security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-critical-thunderbird-security-update-41360 |
||
| RedHat: Critical: seamonkey security update | ||
| 30th, May, 2007
Updated seamonkey packages that fix several security bugs are now available for Red Hat Enterprise Linux 2.1, 3, and 4.Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause SeaMonkey to crash or potentially execute arbitrary code as the user running SeaMonkey. This update has been rated as having critical security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-critical-seamonkey-security-update-3241 |
||
| Ubuntu | ||
| Ubuntu: Linux kernel vulnerabilities | ||
| 24th, May, 2007
Philipp Richter discovered that the AppleTalk protocol handler did not sufficiently verify the length of packets. By sending a crafted AppleTalk packet, a remote attacker could exploit this to crash the kernel. advisories/ubuntu/ubuntu-linux-kernel-vulnerabilities-39223 |
||
| Ubuntu: PulseAudio vulnerability | ||
| 25th, May, 2007
Luigi Auriemma discovered multiple flaws in pulseaudio's network processing code. If an unauthenticated attacker sent specially crafted requests to the pulseaudio daemon, it would crash, resulting in a denial of service. advisories/ubuntu/ubuntu-pulseaudio-vulnerability-42705 |
||
| Ubuntu: freetype vulnerability | ||
| 30th, May, 2007
Victor Stinner discovered that freetype did not correctly verify the number of points in a TrueType font. If a user were tricked into using a specially crafted font, a remote attacker could execute arbitrary code with user privileges. advisories/ubuntu/ubuntu-freetype-vulnerability |
||
