Debian, Fedora, And Ubuntu Security Advisories: Critical Updates
Linux+DVD Magazine Our magazine is read by professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software. The majority of our readers is between 15 and 40 years old. They are interested in current news from the Linux world, upcoming projects etc.
In each issue you can find information concerning typical use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments.
LinuxSecurity.com Feature Extras:
Review: Ruby by Example - Learning a new language cannot be complete without a few 'real world' examples. 'Hello world!'s and fibonacci sequences are always nice as an introduction to certain aspects of programming, but soon or later you crave something meatier to chew on. 'Ruby by Example: Concepts and Code' by Kevin C. Baird provides a wealth of knowledge via general to specialized examples of the dynamic object oriented programming language, Ruby. Want to build an mp3 playlist processor? How about parse out secret codes from 'Moby Dick'? Read on!
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.
| Debian: New Linux 2.6.18 packages fix several vulnerabilities | ||
31st, August, 2007
Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the below vulnerabilities. advisories/debian/debian-new-linux-2618-packages-fix-several-vulnerabilities-45410 |
||
| Debian: New vim packages fix several vulnerabilities | ||
1st, September, 2007
Several vulnerabilities have been discovered in the vim editor. Ulf Harnhammar discovered that a format string flaw in helptags_one() from src/ex_cmds.c (triggered through the "helptags" command) can lead to the execution of arbitrary code. advisories/debian/debian-new-vim-packages-fix-several-vulnerabilities-28252 |
||
| Debian: New id3lib3.8.3 packages fix denial of service | ||
1st, September, 2007
Nikolaus Schulz discovered that a programming error in id3lib, an ID3 Tag Library, may lead to denial of service through symlink attacks. advisories/debian/debian-new-id3lib383-packages-fix-denial-of-service-42421 |
||
| Debian: New clamav packages fix several vulnerabilities | ||
1st, September, 2007
Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. It was discovered that the RTF and RFC2397 parsers can be tricked into dereferencing a NULL pointer, resulting in denial of service. advisories/debian/debian-new-clamav-packages-fix-several-vulnerabilities-27806 |
||
| Debian: New pptpd packages fix regression | ||
2nd, September, 2007
It was discovered that the PoPToP Point to Point Tunneling Server contains a programming error, which allows the tear-down of a PPTP connection through a malformed GRE packet, resulting in denial of service. advisories/debian/debian-new-pptpd-packages-fix-regression |
||
| Debian: New krb5 packages fix arbitrary code execution | ||
4th, September, 2007
It was discovered that a buffer overflow of the RPC library of the MIT Kerberos reference implementation allows the execution of arbitrary code. advisories/debian/debian-new-krb5-packages-fix-arbitrary-code-execution-52839 |
||
| Debian: New librpcsecgss packages fix arbitrary code execution | ||
4th, September, 2007
It was discovered that a buffer overflow of the library for secure RPC communication over the rpcsec_gss protocol allows the execution of arbitrary code. advisories/debian/debian-new-librpcsecgss-packages-fix-arbitrary-code-execution-86263 |
||
| Debian: New krb5 packages fix arbitrary code execution | ||
6th, September, 2007
It was discovered that a buffer overflow of the RPC library of the MIT Kerberos reference implementation allows the execution of arbitrary code. The original patch from DSA-1367-1 didn't address the problem fully. This update delivers an updated fix. advisories/debian/debian-new-krb5-packages-fix-arbitrary-code-execution-52839 |
||
| Debian: New gforge packages fix SQL injection | ||
6th, September, 2007
Sumit I. Siddharth discovered that Gforge, a collaborative development tool performs insufficient input sanitising, which allows SQL injection. advisories/debian/debian-new-gforge-packages-fix-sql-injection-80172 |
||
| Fedora 7 Update: vavoom-1.24-3.fc7 | ||
4th, September, 2007
Security update fixing various format strings vulnerabilities and a DOS vulnerability in the vavoom server, this fixes: CVE-2007-4533, CVE-2007-4534 & CVE-2007-4535. Also see bugzilla bug 256621. advisories/fedora/fedora-7-update-vavoom-124-3fc7-18-48-00-129332 |
||
| Fedora 7 Update: gallery2-2.2-0.7.. | ||
4th, September, 2007
Security fix release for Gallery 2.2 series. Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow attackers to (1) rename items, (2) read and modify item properties, or (3) lock and replace items via unknown vectors in (a) the WebDAV module; and (4) edit unspecified data files using "linked items" in (a) WebDAV and (b) Reupload modules. advisories/fedora/fedora-7-update-gallery2-22-07-18-49-00-129335 |
||
| Mandriva: Updated clamav packages vulnerabilities | ||
31st, August, 2007
A vulnerability in ClamAV was discovered that could allow remote attackers to cause a denial of service via a crafted RTF file or a crafted HTML document with a data: URI, both of which trigger a NULL dereference (CVE-2007-4510). |
||
| Mandriva: Updated tar packages fix vulnerabilities | ||
4th, September, 2007
Dmitry V. Levin discovered a path traversal flaw in how GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary fiels that the user running tar has write access to. Updated packages have been patched to prevent these issues. |
||
| Mandriva: Updated krb5 packages fix vulnerabilities | ||
6th, September, 2007
A stack buffer overflow vulnerability was discovered in the RPC library used by Kerberos' kadmind program by Tenable Network Security. A remote unauthenticated user who could access kadmind would be able to trigger the flaw and cause it to crash (CVE-2007-3999). |
||
| Mandriva: Updated eggdrop package fix remote buffer overflow | ||
6th, September, 2007
A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC servers to execute arbitrary code via a long private message. Updated packages fix this issue. |
||
| Mandriva: Updated kdebase and kdelibs packages fix location | ||
6th, September, 2007
konqueror/konq_combo.cc in Konqueror 3.5.7 allows remote attackers to spoof the data: URI scheme in the address bar via a long URI with trailing whitespace, which prevents the beginning of the URI from being displayed. (CVE-2007-3820) |
||
| Mandriva: Updated MySQL packages fix vulnerabilities | ||
6th, September, 2007
A vulnerability was found in MySQL's authentication protocol, making it possible for a remote unauthenticated attacker to send a specially crafted authentication request to the MySQL server causing it to crash (CVE-2007-3780). |
||
| Mandriva: Updated krb5 packages fix vulnerabilities | ||
7th, September, 2007
A stack buffer overflow vulnerability was discovered in the RPC library used by Kerberos' kadmind program by Tenable Network Security. A remote unauthenticated user who could access kadmind would be able to trigger the flaw and cause it to crash (CVE-2007-3999). |
||
| RedHat: Moderate: aide security update | ||
4th, September, 2007
A flaw was discovered in the way file checksums were stored in the AIDE database. A packaging flaw in the Red Hat AIDE rpm resulted in the file database not containing any file checksum information. This could prevent AIDE from detecting certain file modifications. This update has been rated as having moderate security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-moderate-aide-security-update-RHSA-2007-0539-01 |
||
| RedHat: Moderate: kernel security and bugfix update | ||
4th, September, 2007
Updated kernel packages that fix several security issues and bugs in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having moderate security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-moderate-kernel-security-and-bugfix-update-61033 |
||
| RedHat: Moderate: cyrus-sasl security and bug fix update | ||
4th, September, 2007
An updated cyrus-sasl package that addresses a security issue and fixes various other bugs is now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-moderate-cyrus-sasl-security-and-bug-fix-update-RHSA-2007-0795-01 |
||
| RedHat: Moderate: star security update | ||
4th, September, 2007
An updated star package that fixes a path traversal flaw is now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-moderate-star-security-update-RHSA-2007-0873-01 |
||
| RedHat: Moderate: cyrus-sasl security update | ||
4th, September, 2007
Updated cyrus-sasl packages that correct a security issue are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-moderate-cyrus-sasl-security-update-RHSA-2007-0878-01 |
||
| RedHat: Important: krb5 security update | ||
4th, September, 2007
Updated krb5 packages that fix two security flaws are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-important-krb5-security-update-66067 |
||
| RedHat: Important: krb5 security update | ||
7th, September, 2007
Updated krb5 packages that correct a security flaw are now available for Red Hat Enterprise Linux 5. The MIT Kerberos Team discovered a problem with the originally published patch for svc_auth_gss.c (CVE-2007-3999). A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. On Red Hat Enterprise Linux 5 it is not possible to exploit this flaw to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE. advisories/red-hat/redhat-important-krb5-security-update-66067 |
||
| Slackware: java (jre, jdk) | ||
31st, August, 2007
Sun has released security advisories pertaining to both the Java Runtime Environment and the Standard Edition Development Kit. One such advisory may be found here: |
||
| Ubuntu: Linux kernel vulnerabilities | ||
31st, August, 2007
A buffer overflow was discovered in the Moxa serial driver. Local attackers could execute arbitrary code and gain root privileges. (CVE-2005-0504) advisories/ubuntu/ubuntu-linux-kernel-vulnerabilities-39223 |
||
| Ubuntu: Linux kernel vulnerabilities | ||
31st, August, 2007
A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. advisories/ubuntu/ubuntu-linux-kernel-vulnerabilities-39223 |
||
| Ubuntu: Kerberos vulnerability | ||
4th, September, 2007
It was discovered that the libraries handling RPCSEC_GSS did not correctly validate the size of certain packet structures. An unauthenticated remote user could send a specially crafted request and execute arbitrary code with root privileges. advisories/ubuntu/ubuntu-kerberos-vulnerability-25212 |
||
| Ubuntu: Kerberos vulnerability | ||
7th, September, 2007
Original advisory details: It was discovered that the libraries handling RPCSEC_GSS did not correctly validate the size of certain packet structures. An unauthenticated remote user could send a specially crafted request and execute arbitrary code with root privileges. advisories/ubuntu/ubuntu-kerberos-vulnerability-25212 |
||
