Debian, Gentoo: Security Advisories and Fix Information
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
Debian: New xen-utils packages fix several vulnerabilities
5th, October, 2007
Several local vulnerabilities have been discovered in the Xen hypervisor packages which may lead to the execution of arbitrary code. By using a specially crafted grub configuration file, a domU user may be able to execute arbitrary code on the dom0 when pygrub is being used.
advisories/debian/debian-new-xen-utils-packages-fix-several-vulnerabilities

Debian: New lighttpd packages fix buffer overflow
7th, October, 2007
A problem was discovered in lighttpd, a fast webserver with minimal memory footprint, which could allow the execution of arbitrary code via the overflow of CGI variables when mod_fcgi was enabled.
advisories/debian/debian-new-lighttpd-packages-fix-buffer-overflow

Debian: New openssl packages fix arbitrary code execution
10th, October, 2007
An off-by-one error has been identified in the SSL_get_shared_ciphers() routine in OpenSSL, an implementation of Secure Socket Layer cryptographic libraries and utilities. This error could allow an attacker to crash an application making use of OpenSSL's libssl library, or potentially execute arbitrary code in the security context of the user running such an application.
advisories/debian/debian-new-openssl-packages-fix-arbitrary-code-execution-75110

Debian: New xfs packages fix arbitrary code execution
10th, October, 2007
Sean Larsson discovered that two code paths inside the X Font Server handle integer values insecurely, which may lead to the execution of arbitrary code.
advisories/debian/debian-new-xfs-packages-fix-arbitrary-code-execution

Gentoo: PHP Multiple vulnerabilities
7th, October, 2007
PHP contains several vulnerabilities including buffer and integer overflows which could lead to the remote execution of arbitrary code.

Gentoo: libvorbis Multiple vulnerabilities
7th, October, 2007
A buffer overflow vulnerability and several memory corruptions have been discovered in libvorbis. David Thiel of iSEC Partners discovered a heap-based buffer overflow in the _01inverse() function in res0.c and a boundary checking error in the vorbis_info_clear() function in info.c (CVE-2007-3106 and CVE-2007-4029). libvorbis is also prone to several Denial of Service vulnerabilities in the form of infinite loops and invalid memory access with unknown impact (CVE-2007-4065 and CVE-2007-4066).

Gentoo: libsndfile Buffer overflow
7th, October, 2007
A buffer overflow vulnerability has been discovered in libsndfile. Robert Buchholz of the Gentoo Security team discovered that the flac_buffer_copy() function does not correctly handle FLAC streams with variable block sizes, which leads to a heap-based buffer overflow (CVE-2007-4974).

Gentoo: Tk Buffer overflow
7th, October, 2007
A buffer overflow vulnerability has been discovered in Tk. Reinhard Max discovered a boundary error in Tk when processing an interlaced GIF with two frames where the second is smaller than the first one.

Mandriva: Updated libvorbis packages fix vulnerabilities
10th, October, 2007
More vulnerabilities in libvorbis were found that could be used to cause an application linked to libvorbis to crash or execute arbitrary code if used to open a carefully crafted OGG file. Updated packages have been patched to prevent this issue.

RedHat: Moderate: kdebase security update
8th, October, 2007
Updated kdebase packages that resolve several security flaws are now available for Red Hat Enterprise Linux 4 and 5. Kees Huijgen found a flaw in the way KDM handled logins when autologin and "shutdown with password" were enabled. A local user would have been able to log in via KDM as any user without requiring a password. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
advisories/red-hat/redhat-moderate-kdebase-security-update-RHSA-2007-0905-01

RedHat: Moderate: kdelibs security update
8th, October, 2007
Updated kdelibs packages that resolve several security flaws are now available for Red Hat Enterprise Linux 4 and 5. Two cross-site-scripting flaws were found in the way Konqueror processes certain HTML content. This could result in a malicious attacker presenting misleading content to an unsuspecting user. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
advisories/red-hat/redhat-moderate-kdelibs-security-update-69675

RedHat: Moderate: pwlib security update
8th, October, 2007
Updated pwlib packages that fix a security issue are now available for Red Hat Enterprise Linux 5. A memory management flaw was discovered in PWLib. An attacker could use this flaw to crash an application, such as Ekiga, which is linked with pwlib (CVE-2007-4897). This update has been rated as having moderate security impact by the Red Hat Security Response Team.
advisories/red-hat/redhat-moderate-pwlib-security-update-RHSA-2007-0932-01

RedHat: Moderate: opal security update
8th, October, 2007
Updated opal packages that fix a security issue are now available for Red Hat Enterprise Linux 5. A flaw was discovered in the way opal handled certain Session Initiation Protocol (SIP) packets. An attacker could use this flaw to crash an application, such as Ekiga, which is linked with opal. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
advisories/red-hat/redhat-moderate-opal-security-update-RHSA-2007-0957-01

Ubuntu: xen-3.0 vulnerability
9th, October, 2007
Joris van Rantwijk discovered that the Xen host did not correctly validate the contents of a Xen guest's grub.conf file. Xen guest root users could exploit this to run arbitrary commands on the host when the guest system was rebooted.
advisories/ubuntu/ubuntu-xen-30-vulnerability

Ubuntu: MySQL vulnerabilities
11th, October, 2007
Neil Kettle discovered that MySQL could be made to dereference a NULL pointer and divide by zero. An authenticated user could exploit this with a crafted IF clause, leading to a denial of service. (CVE-2007-2583) Victoria Reznichenko discovered that MySQL did not always require the DROP privilege. An authenticated user could exploit this via RENAME TABLE statements to rename arbitrary tables, possibly gaining additional database access.
advisories/ubuntu/ubuntu-mysql-vulnerabilities-82610

