This week, advisories were released for libcdaudio, ekg, net-snmp, optipng, libpng, rgmanager, gallery, gnutls, kernel, ruby, seamonkey, firefox, flash-plugin, acroread, httpd, gnutls, cups, netpbm, and tk. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and Ubuntu.


LinuxSecurity.com Feature Extras:

A Secure Nagios Server - Nagios is monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process; however, making it a secure setup takes some work. This article will not show you how to install Nagios, since there are tons of guides for that out there, but it will show you in detail ways to improve your Nagios security.

Never Installed a Firewall on Ubuntu? Try Firestarter - When I typed on Google "Do I really need a firewall?" 695,000 results came across. And I'm pretty sure they must be saying "Hell yeah!". In my opinion, no one would ever recommend anyone to sit naked on the internet keeping in mind the insecurity internet carries these days, unless you really know what you are doing.

Read on for more information on Firestarter.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


EnGarde Secure Community 3.0.21 Now Available (Oct 7)

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.21 (Version 3.0, Release 21). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.

In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database, e-mail security and even e-commerce.


Debian: New libcdaudio packages fix arbitrary code execution (Nov 12)

It was discovered that a heap overflow in the CDDB retrieval code of libcdaudio, a library for controlling a CD-ROM when playing audio CDs, may result in the execution of arbitrary code.

advisories/debian/debian-new-libcdaudio-packages-fix-arbitrary-code-execution

Debian: New ekg packages fix denial of service (Nov 10)

It was discovered that ekg, a console Gadu Gadu client, performs insufficient input sanitising in the code to parse contact descriptions, which may result in denial of service.

advisories/debian/debian-new-ekg-packages-fix-denial-of-service

Debian: New net-snmp packages fix several vulnerabilities (Nov 9)

Several vulnerabilities have been discovered in NET SNMP, a suite of Simple Network Management Protocol applications. Wes Hardaker reported that the SNMPv3 HMAC verification relies on the client to specify the HMAC length, which allows spoofing of authenticated SNMPv3 packets.

advisories/debian/debian-new-net-snmp-packages-fix-several-vulnerabilities

Fedora 8 Update: optipng-0.6.2-1.fc8 (Nov 12)

The main reason for this update is the removal of a buffer overflow that could be triggered by processing specially crafted bitmap images (*.bmp).

advisories/fedora/fedora-8-update-optipng-062-1fc8-22-38-00-144214

Fedora 8 Update: libpng10-1.0.41-1.fc8 (Nov 12)

This update includes an upstream fix for a memory leak within the "png_handle_tEXt()" function in pngrutil.c, which can be exploited by malicious people to cause a DoS (Denial of Service) via a specially crafted PNG image.

advisories/fedora/fedora-8-update-libpng10-1041-1fc8-22-38-00-144215

Fedora 9 Update: rgmanager-2.03.09-1.fc9 (Nov 6)

A major code audit revealed several insecure uses of /tmp. This update addresses those issues across the whole code base.

advisories/fedora/fedora-9-update-rgmanager-20309-1fc9-22-02-00-144022

Gentoo: Graphviz User-assisted execution of arbitrary (Nov 9)

A buffer overflow in Graphviz might lead to user-assisted execution of arbitrary code via a DOT file.

Gentoo: FAAD2 User-assisted execution of arbitrary code (Nov 9)

A buffer overflow in FAAD2 might lead to user-assisted execution of arbitrary code via an MP4 file.

Gentoo: Gallery Multiple vulnerabilities (Nov 9)

Multiple vulnerabilities in Gallery may lead to execution of arbitrary code, disclosure of local files or theft of user's credentials.


Mandriva: Subject: [Security Announce] [ MDVSA-2008:227 ] gnutls (Nov 12)

Martin von Gagern found a flaw in how GnuTLS versions 1.2.4 up until 2.6.1 verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications that used the GnuTLS library to trust invalid certificates (CVE-2008-4989). The updated packages have been patched to correct this issue.

Mandriva: Subject: [Security Announce] [ MDVSA-2008:224-1 ] kernel (Nov 7)

The error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel 2.6.26.5 does not limit the number of printk console messages that report directory corruption, which allows physically proximate attackers to cause a denial of service (temporary system hang) by mounting a filesystem that has corrupted dir->i_size and dir->i_blocks values and performing (a) read or (b) write operations. NOTE: there are limited scenarios in which this crosses privilege boundaries. (CVE-2008-3528)

Mandriva: Subject: [Security Announce] [ MDVSA-2008:226 ] ruby (Nov 6)

A denial of service condition was found in Ruby's regular expression engine. If a Ruby script tried to process a large amount of data via a regular expression, it could cause Ruby to enter an infinite loop and crash (CVE-2008-3443).


RedHat: Critical: seamonkey security update (Nov 12)

Updated seamonkey packages that fix security issues are now available for Red Hat Enterprise Linux 2.1, Red Hat Enterprise Linux 3 and Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-critical-seamonkey-security-update-3241

RedHat: Critical: firefox security update (Nov 12)

An updated firefox package that fixes various security issues is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-critical-firefox-security-update-38591

RedHat: Important: flash-plugin security update (Nov 12)

An updated Adobe Flash Player package that fixes several security issues is now available for Red Hat Enterprise Linux 3 and 4 Extras. This update has been rated as having important security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-important-flash-plugin-security-update-30048

RedHat: Critical: acroread security update (Nov 12)

Updated acroread packages that fix various security issues are now available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-critical-acroread-security-update-6060

RedHat: Moderate: httpd security and bug fix update (Nov 11)

Updated httpd packages that resolve several security issues and fix a bug are now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-moderate-httpd-security-and-bug-fix-update-74214

RedHat: Moderate: gnutls security update (Nov 11)

Updated gnutls packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-moderate-gnutls-security-update-RHSA-2008-0982-01

Slackware: cups (Nov 8)

New cups packages are available for Slackware 12.0, 12.1, and -current to fix security issues. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3639
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3640
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3641


Ubuntu: gnome-screensaver vulnerabilities (Nov 11)

It was discovered that the notify feature in gnome-screensaver could let a local attacker read the clipboard contents of a locked session by using Ctrl-V. (CVE-2007-6389) Alan Matsuoka discovered that gnome-screensaver did not properly handle network outages when using a remote authentication service. During a network interruption, or by disconnecting the network cable, a local attacker could gain access to locked sessions. (CVE-2008-0887)

advisories/ubuntu/ubuntu-gnome-screensaver-vulnerabilities

Ubuntu: Netpbm vulnerability (Nov 6)

It was discovered that Netpbm could be made to overrun a buffer when loading certain images. If a user were tricked into opening a specially crafted GIF image, remote attackers could cause a denial of service or execute arbitrary code with user privileges.

advisories/ubuntu/ubuntu-netpbm-vulnerability

Ubuntu: Tk vulnerability (Nov 6)

It was discovered that Tk could be made to overrun a buffer when loading certain images. If a user were tricked into opening a specially crafted GIF image, remote attackers could cause a denial of service or execute arbitrary code with user privileges.

advisories/ubuntu/ubuntu-tk-vulnerability-85503