From: InfoSec News (alerts@infosecnews.org)
Date: Mon Jan 19 2009 - 03:23:58 CST
+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                  |
| January 16th, 2009                               Volume 10, Number 3 |
|                                                                      |
| Editorial Team: Dave Wreski <dwreski@linuxsecurity.com>              |
|                 Benjamin D. Thomas <bthomas@linuxsecurity.com>       |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week advisories were released for xulrunner, bind9, ntp, openssl,
lasso, zaptel, gforge, tqsllib, amarok, xine, avahi, mplayer, jhead,
streamripper, d-bus, ndiswrapper, virtualbox, qemu, kvm, xterm,
pam_mount, python, squirrelmail, java, hplip, cups, audiofile,
valgrind, and samba. The distributors include Debian, Fedora, Gentoo,
Mandriva, Red Hat, Ubuntu, and Pardus.
---
Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" you may not take even a
second to respond. But if I ask "How much does Google know about
you?" you may instantly reply "Wait... what!? Do they!?" The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business, and what you can do to protect yourself.
http://www.linuxsecurity.com/content/view/145939
---
A Secure Nagios Server
----------------------
Nagios is monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process; making it a secure setup, however, takes some
work. This article will not show you how to install Nagios, since there
are plenty of install guides out there, but it will show you in detail
ways to improve your Nagios security.
http://www.linuxsecurity.com/content/view/144088
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: New xulrunner packages fix several vulnerabilities (Jan 14)
-------------------------------------------------------------------
Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems...
http://www.linuxsecurity.com/content/view/147167
* Debian: New bind9 packages fix cryptographic weakness (Jan 12)
--------------------------------------------------------------
It was discovered that BIND, an implementation of the DNS protocol
suite, does not properly check the result of an OpenSSL function
which is used to verify DSA cryptographic signatures. As a result,
incorrect DNS resource records in zones protected by DNSSEC could be
accepted as genuine.
http://www.linuxsecurity.com/content/view/147140
* Debian: New ntp packages fix cryptographic weakness (Jan 12)
------------------------------------------------------------
It has been discovered that NTP, an implementation of the Network
Time Protocol, does not properly check the result of an OpenSSL
function for verifying cryptographic signatures, which may ultimately
lead to the acceptance of unauthenticated time information. (Note
that cryptographic authentication of time servers is often not
enabled in the first place.)
http://www.linuxsecurity.com/content/view/147139
* Debian: New OpenSSL packages fix cryptographic weakness (Jan 12)
----------------------------------------------------------------
It was discovered that OpenSSL does not properly verify DSA
signatures on X.509 certificates due to an API misuse, potentially
leading to the acceptance of incorrect X.509 certificates as genuine
(CVE-2008-5077).
http://www.linuxsecurity.com/content/view/147138
* Debian: New lasso packages fix validation bypass (Jan 11)
---------------------------------------------------------
It was discovered that Lasso, a library for Liberty Alliance and SAML
protocols, performs incorrect validation of the return value of
OpenSSL's DSA_verify() function.
http://www.linuxsecurity.com/content/view/147130
* Debian: New zaptel packages fix privilege escalation (Jan 11)
-------------------------------------------------------------
An array index error in zaptel, a set of drivers for telephony
hardware, could allow users to crash the system or escalate their
privileges by overwriting kernel memory (CVE-2008-5396).
http://www.linuxsecurity.com/content/view/147127
* Debian: New gforge packages fix SQL injection (Jan 9)
-----------------------------------------------------
It was discovered that GForge, a collaborative development tool,
insufficiently sanitises some input allowing a remote attacker to
perform SQL injection.
http://www.linuxsecurity.com/content/view/147118
------------------------------------------------------------------------
* Fedora 9 Update: tqsllib-2.0-5.fc9 (Jan 14)
-------------------------------------------
The TrustedQSL library incorrectly checked the result after calling
the EVP_VerifyFinal function, allowing a malformed signature to be
treated as a good signature rather than as an error. Package includes
a patch to fix EVP_VerifyFinal result check.
http://www.linuxsecurity.com/content/view/147350
* Fedora 10 Update: amarok-2.0.1.1-1.fc10 (Jan 14)
------------------------------------------------
An update to the latest release, includes new features such as
queuing, playlist search and filtering as well as "stop after current
track". And, long awaited and finally available: sorting the
collection by composer. Also includes a security fix concerning
the parsing of malformed Audible digital audio files. For further
details, see http://amarok.kde.org/en/releases/2.0.1.1
http://www.linuxsecurity.com/content/view/147354
* Fedora 9 Update: xine-lib-1.1.16-1.fc9.1 (Jan 14)
-------------------------------------------------
This updates xine-lib to the upstream 1.1.16 release. This fixes
several bugs, including the security issues CVE-2008-5234 vector 1,
CVE-2008-5236, CVE-2008-5237, CVE-2008-5239, CVE-2008-5240 vectors 3
& 4 and CVE-2008-5243. See
http://sourceforge.net/project/shownotes.php?release_id=652075&group_id=9655
for the full list of changes. In addition, the Fedora
xine-lib package now includes the demuxers for the MPEG container
format, which are not patent-encumbered. (The decoders for actual
MPEG video and audio data are still excluded due to software
patents.)
http://www.linuxsecurity.com/content/view/147348
* Fedora 9 Update: nfs-utils-1.1.2-9.fc9 (Jan 14)
-----------------------------------------------
- Added warnings to tcp wrapper code when mounts are denied due to
  misconfigured DNS configurations.
- gssd: By default, don't spam syslog when users' credentials expire.
- Re-enabled and fixed/enhanced tcp wrappers.
http://www.linuxsecurity.com/content/view/147320
* Fedora 10 Update: xine-lib-1.1.16-1.fc10 (Jan 14)
-------------------------------------------------
This updates xine-lib to the upstream 1.1.16 release. This fixes
several bugs, including the security issues CVE-2008-5234 vector 1,
CVE-2008-5236, CVE-2008-5237, CVE-2008-5239, CVE-2008-5240 vectors 3
& 4 and CVE-2008-5243. See
http://sourceforge.net/project/shownotes.php?release_id=652075&group_id=9655
for the full list of changes. In addition, the Fedora
xine-lib package now includes the demuxers for the MPEG container
format, which are not patent-encumbered. (The decoders for actual
MPEG video and audio data are still excluded due to software
patents.)
http://www.linuxsecurity.com/content/view/147297
* Fedora 10 Update: bind-9.5.1-1.P1.fc10 (Jan 14)
-----------------------------------------------
Update to the 9.5.1-P1 maintenance release, which fixes CVE-2009-0025.
This update also addresses the following issues:
- sample config file was outdated
- specifying a fixed query source was broken
http://www.linuxsecurity.com/content/view/147268
* Fedora 10 Update: tqsllib-2.0-5.fc10 (Jan 14)
---------------------------------------------
The TrustedQSL library incorrectly checked the result after calling
the EVP_VerifyFinal function, allowing a malformed signature to be
treated as a good signature rather than as an error. Package includes
a patch to fix EVP_VerifyFinal result check.
http://www.linuxsecurity.com/content/view/147228
* Fedora 9 Update: bind-9.5.1-1.P1.fc9 (Jan 14)
---------------------------------------------
Update to 9.5.1-P1 maintenance release which includes fix for
CVE-2009-0025. This update also fixes rare crash of host utility.
http://www.linuxsecurity.com/content/view/147188
* Fedora 10 Update: nfs-utils-1.1.4-6.fc10 (Jan 14)
-------------------------------------------------
- Added warnings to tcp wrapper code when mounts are denied due to
  misconfigured DNS configurations.
- gssd: By default, don't spam syslog when users' credentials expire.
http://www.linuxsecurity.com/content/view/147171
------------------------------------------------------------------------
* Gentoo: Avahi Denial of Service (Jan 14)
----------------------------------------
A Denial of Service vulnerability has been discovered in Avahi.
http://www.linuxsecurity.com/content/view/147168
* Gentoo: Adobe Reader User-assisted execution of arbitrary code (Jan 13)
-----------------------------------------------------------------------
Adobe Reader is vulnerable to execution of arbitrary code.
http://www.linuxsecurity.com/content/view/147144
* Gentoo: Online-Bookmarks Multiple vulnerabilities (Jan 12)
----------------------------------------------------------
Multiple vulnerabilities have been reported in Online-Bookmarks.
http://www.linuxsecurity.com/content/view/147141
* Gentoo: MPlayer Multiple vulnerabilities (Jan 12)
-------------------------------------------------
Multiple vulnerabilities in MPlayer may lead to the execution of
arbitrary code or a Denial of Service.
http://www.linuxsecurity.com/content/view/147137
* Gentoo: JHead Multiple vulnerabilities (Jan 12)
-----------------------------------------------
Multiple vulnerabilities in JHead might lead to the execution of
arbitrary code or data loss.
http://www.linuxsecurity.com/content/view/147136
* Gentoo: Tremulous User-assisted execution of arbitrary code (Jan 11)
--------------------------------------------------------------------
A buffer overflow vulnerability has been discovered in Tremulous.
http://www.linuxsecurity.com/content/view/147129
* Gentoo: Streamripper Multiple vulnerabilities (Jan 11)
------------------------------------------------------
Multiple buffer overflows have been discovered in Streamripper,
allowing for user-assisted execution of arbitrary code.
http://www.linuxsecurity.com/content/view/147128
* Gentoo: D-Bus Denial of Service (Jan 10)
----------------------------------------
An error condition can cause D-Bus to crash.
http://www.linuxsecurity.com/content/view/147126
* Gentoo: pdnsd Denial of Service and cache poisoning (Jan 10)
------------------------------------------------------------
Two errors in pdnsd allow for Denial of Service and cache poisoning.
http://www.linuxsecurity.com/content/view/147125
* Gentoo: JHead Multiple vulnerabilities (Jan 10)
-----------------------------------------------
Multiple vulnerabilities in JHead might lead to the execution of
arbitrary code or data loss.
http://www.linuxsecurity.com/content/view/147124
* Gentoo: NDISwrapper Arbitrary remote code execution (Jan 10)
------------------------------------------------------------
Multiple buffer overflows might lead to remote execution of arbitrary
code with root privileges.
http://www.linuxsecurity.com/content/view/147123
------------------------------------------------------------------------
* Mandriva: [ MDVSA-2009:011 ] virtualbox (Jan 14)
------------------------------------------------
A vulnerability has been discovered and corrected in VirtualBox,
affecting versions prior to 2.0.6, which allows local users to
overwrite arbitrary files via a symlink attack on a
/tmp/.vbox-qateam-ipc/lock temporary file (CVE-2008-5256). The
updated packages have been patched to prevent this.
http://www.linuxsecurity.com/content/view/147169
* Mandriva: [ MDVSA-2009:010 ] qemu (Jan 14)
------------------------------------------
A security vulnerability has been discovered and corrected in the VNC
server of qemu 0.9.1 and earlier, which could lead to a
denial-of-service attack (CVE-2008-2382). The updated packages have
been patched to prevent this.
http://www.linuxsecurity.com/content/view/147155
* Mandriva: [ MDVSA-2009:009 ] kvm (Jan 14)
-----------------------------------------
Security vulnerabilities have been discovered and corrected in the VNC
server of kvm version 79 and earlier, which could lead to
denial-of-service attacks (CVE-2008-2382), and make it easier for
remote crackers to guess the VNC password (CVE-2008-5714). The
updated packages have been patched to prevent this.
http://www.linuxsecurity.com/content/view/147154
* Mandriva: [ MDVSA-2009:008 ] qemu (Jan 14)
------------------------------------------
Security vulnerabilities have been discovered and corrected in the VNC
server of qemu version 0.9.1 and earlier, which could lead to
denial-of-service attacks (CVE-2008-2382), and make it easier for
remote crackers to guess the VNC password (CVE-2008-5714). The
updated packages have been patched to prevent this.
http://www.linuxsecurity.com/content/view/147153
* Mandriva: [ MDVSA-2009:007 ] ntp (Jan 13)
-----------------------------------------
A flaw was found in how NTP checked the return value of signature
verification. A remote attacker could use this to bypass certificate
validation by using a malformed SSL/TLS signature (CVE-2009-0021).
The updated packages have been patched to prevent this issue.
http://www.linuxsecurity.com/content/view/147152
* Mandriva: [ MDVSA-2009:006 ] openoffice.org (Jan 13)
----------------------------------------------------
A heap-based overflow in the functions that manipulate WMF and EMF
files in OpenOffice.org documents enables remote attackers to execute
arbitrary code via documents holding certain crafted WMF or EMF files
(CVE-2008-2237, CVE-2008-2238). This update provides the fix for these
security issues; the openoffice.org-voikko package has also been
updated, as it depends on the openoffice.org packages.
http://www.linuxsecurity.com/content/view/147145
* Mandriva: [ MDVA-2009:010 ] bind (Jan 12)
-----------------------------------------
A build issue with the BIND9 packages in Mandriva Linux 2009.0
prevents IPv6 from working correctly. This is due to POSIX not
including the IPv6 Advanced Socket API, so glibc hides parts of this
API as a result. The end result is a breakage in how IPv6 works.
Compiling BIND9 with -D_GNU_SOURCE fixes this issue, and the updated
packages use this additional flag.
http://www.linuxsecurity.com/content/view/147142
* Mandriva: [ MDVSA-2009:005 ] xterm (Jan 11)
-------------------------------------------
A vulnerability has been discovered in xterm, which can be exploited
by malicious people to compromise a user's system. The vulnerability
is caused due to xterm not properly processing the DECRQSS Device
Control Request Status String escape sequence. This can be exploited
to inject and execute arbitrary shell commands by e.g. tricking a
user into displaying a malicious text file containing a specially
crafted escape sequence via the more command in xterm
(CVE-2008-2383). The updated packages have been patched to prevent
this.
http://www.linuxsecurity.com/content/view/147131
* Mandriva: [ MDVSA-2009:002 ] bind (Jan 10)
------------------------------------------
A flaw was found in how BIND checked the return value of the OpenSSL
DSA_do_verify() function. On systems that use DNSSEC, a malicious
zone could present a malformed DSA certificate and bypass proper
certificate validation, which would allow for spoofing attacks
(CVE-2009-0025). The updated packages have been patched to prevent
this issue.
http://www.linuxsecurity.com/content/view/147122
* Mandriva: [ MDVSA-2009:004 ] pam_mount (Jan 9)
----------------------------------------------
The passwdehd script in pam_mount would allow local users to overwrite
arbitrary files via a symlink attack on a temporary file. The updated
packages have been patched to prevent this.
http://www.linuxsecurity.com/content/view/147121
* Mandriva: [ MDVSA-2009:003 ] python (Jan 9)
-------------------------------------------
Multiple integer overflows in imageop.c in the imageop module in
Python 1.5.2 through 2.5.1 allow context-dependent attackers to break
out of the Python VM and execute arbitrary code via large integer
values in certain arguments to the crop function, leading to a buffer
overflow, a different vulnerability than CVE-2007-4965 and
CVE-2008-1679. (CVE-2008-4864)
Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6,
allow context-dependent attackers to have an unknown impact via a
large integer value in the tabsize argument to the expandtabs method,
as implemented by (1) the string_expandtabs function in
Objects/stringobject.c and (2) the unicode_expandtabs function in
Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists
because of an incomplete fix for CVE-2008-2315. (CVE-2008-5031) The
updated Python packages have been patched to correct these issues.
http://www.linuxsecurity.com/content/view/147120
* Mandriva: [ MDVSA-2009:001 ] openssl (Jan 8)
--------------------------------------------
A vulnerability was found by the Google Security Team with how
OpenSSL checked the verification of certificates. An attacker in
control of a malicious server or able to effect a man-in-the-middle
attack, could present a malformed SSL/TLS signature from a
certificate chain to a vulnerable client, which would then bypass the
certificate validation (CVE-2008-5077). The updated packages have
been patched to prevent this issue.
http://www.linuxsecurity.com/content/view/147117
------------------------------------------------------------------------
* RedHat: Important: kernel security and bug fix update (Jan 14)
--------------------------------------------------------------
Updated kernel packages that resolve several security issues and fix
various bugs are now available for Red Hat Enterprise Linux 4. This
update has been rated as having important security impact by the Red
Hat Security Response Team.
http://www.linuxsecurity.com/content/view/147166
* RedHat: Critical: java-1.6.0-ibm security update (Jan 13)
---------------------------------------------------------
Updated java-1.6.0-ibm packages that fix several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5
Supplementary. This update has been rated as having critical security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/147150
* RedHat: Critical: java-1.5.0-ibm security update (Jan 13)
---------------------------------------------------------
Updated java-1.5.0-ibm packages that fix several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5
Supplementary. This update has been rated as having critical security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/147151
* RedHat: Moderate: squirrelmail security update (Jan 12)
-------------------------------------------------------
An updated squirrelmail package that resolves various security issues
is now available for Red Hat Enterprise Linux 3, 4 and 5. This update
has been rated as having moderate security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/147133
* RedHat: Moderate: avahi security update (Jan 12)
------------------------------------------------
Updated avahi packages that fix a security issue are now available
for Red Hat Enterprise Linux 5. This update has been rated as having
moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/147134
* RedHat: Moderate: bind security update (Jan 8)
----------------------------------------------
Updated Bind packages to correct a security issue are now available
for Red Hat Enterprise Linux 2.1, 3, 4, and 5. A flaw was discovered
in the way BIND checked the return value of the OpenSSL DSA_do_verify
function. On systems using DNSSEC, a malicious zone could present a
malformed DSA certificate and bypass proper certificate validation,
allowing spoofing attacks. (CVE-2009-0025) This update has been rated
as having moderate security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/147114
* RedHat: Important: kernel security update (Jan 8)
-------------------------------------------------
Updated kernel packages that fix a number of security issues are now
available for Red Hat Enterprise Linux 2.1 running on 32-bit
architectures. This update has been rated as having important
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/147112
------------------------------------------------------------------------
* Slackware: ntp (Jan 15)
-------------------------
New ntp packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a security
issue.
http://www.linuxsecurity.com/content/view/147388
* Slackware: openssl (Jan 15)
-----------------------------
New openssl packages are available for Slackware 11.0, 12.0, 12.1,
12.2, and -current to fix a security issue when connecting to an
SSL/TLS server that uses a certificate containing a DSA or ECDSA key.
http://www.linuxsecurity.com/content/view/147389
* Slackware: bind (Jan 15)
--------------------------
New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a security
issue.
http://www.linuxsecurity.com/content/view/147387
------------------------------------------------------------------------
* SuSE: Mozilla (SUSE-SA:2009:002) (Jan 14)
-----------------------------------------
Various Mozilla browser suite programs were updated to the latest
security release. The Mozilla Firefox 3.0.5 browser, Seamonkey 1.1.14
and xulrunner190 updates were already published before Christmas;
please see SUSE-SA:2008:058. Mozilla Firefox for older products was
updated to 2.0.0.19, and Mozilla Thunderbird was updated to 2.0.0.19.
Other packages received backports.
http://www.linuxsecurity.com/content/view/147156
* SuSE: Sun Java (SUSE-SA:2009:001) (Jan 13)
------------------------------------------
Sun Java received several security fixes. Numerous security issues
such as privilege escalations, and sandbox breakouts were fixed.
http://www.linuxsecurity.com/content/view/147149
------------------------------------------------------------------------
* Ubuntu: HPLIP vulnerability (Jan 13)
------------------------------------
It was discovered that an installation script in the HPLIP package
would change permissions on the hplip config files located in users'
home directories. A local user could exploit this and change
permissions on arbitrary files upon an HPLIP installation or upgrade,
which could lead to root privileges.
http://www.linuxsecurity.com/content/view/147148
* Ubuntu: CUPS vulnerabilities (Jan 12)
--------------------------------------
It was discovered that CUPS didn't properly handle adding a large
number of RSS subscriptions. A local user could exploit this and
cause CUPS to crash, leading to a denial of service. This issue only
applied to Ubuntu 7.10, 8.04 LTS and 8.10. (CVE-2008-5183)

It was discovered that CUPS did not authenticate users when adding and
cancelling RSS subscriptions. An unprivileged local user could bypass
intended restrictions and add a large number of RSS subscriptions.
This issue only applied to Ubuntu 7.10 and 8.04 LTS. (CVE-2008-5184)

It was discovered that the PNG filter in CUPS did not properly handle
certain malformed images. If a user or automated system were tricked
into opening a crafted PNG image file, a remote attacker could cause
a denial of service or execute arbitrary code with user privileges.
In Ubuntu 7.10, 8.04 LTS, and 8.10, attackers would be isolated by
the AppArmor CUPS profile. (CVE-2008-5286)

It was discovered that the example pstopdf CUPS filter created log
files in an insecure way. Local users could exploit a race condition
to create or overwrite files with the privileges of the user invoking
the program. This issue only applied to Ubuntu 6.06 LTS, 7.10, and
8.04 LTS. (CVE-2008-5377)
http://www.linuxsecurity.com/content/view/147135
------------------------------------------------------------------------
* Pardus: Bind: Spoofing (Jan 14)
-------------------------------
A vulnerability has been reported in ISC BIND, which potentially can
be exploited by malicious people to conduct spoofing attacks.
http://www.linuxsecurity.com/content/view/147163
* Pardus: Ntp: Security Bypass (Jan 14)
-------------------------------------
NTP does not properly check the return value from the
OpenSSL EVP_VerifyFinal function, which allows remote attackers
to bypass validation of the certificate chain via a malformed
SSL/TLS signature for DSA and ECDSA keys.
http://www.linuxsecurity.com/content/view/147164
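The tqsllib, BIND, NTP, OpenSSL and Lasso advisories in this issue all describe one defect class: OpenSSL's EVP_VerifyFinal()/DSA_verify() return 1 for a valid signature, 0 for an invalid one and -1 on error, and the affected callers treated only 0 as failure, so the -1 produced by a malformed signature passed as "verified". The C example below is added here and is not code from OpenSSL or from any of the affected projects; it uses a constructed stand-in for the verify call (model_verify_final) and a made-up signature framing, and shows the vulnerable check beside the corrected one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for OpenSSL's EVP_VerifyFinal()/DSA_verify().
 * It keeps OpenSSL's three-valued return convention:
 *   1  signature verified
 *   0  signature did not verify
 *  -1  error (e.g. the signature could not even be decoded)
 * The expected signature and the DER-like framing are sample data made
 * up for this example; no real DSA arithmetic is performed. */
static const unsigned char EXPECTED_SIG[] = {
    0x30, 0x06,             /* SEQUENCE, 6 bytes of content */
    0x02, 0x01, 0x2a,       /* INTEGER r */
    0x02, 0x01, 0x07        /* INTEGER s */
};

int model_verify_final(const unsigned char *sig, size_t len)
{
    /* Decoding stage: anything that is not a well-framed SEQUENCE is an
     * error, reported as -1. This is the path a malformed signature takes. */
    if (sig == NULL || len < 2 || sig[0] != 0x30 || (size_t)sig[1] != len - 2)
        return -1;
    /* Verification stage: 1 only for the signature we expect, otherwise 0. */
    if (len == sizeof EXPECTED_SIG && memcmp(sig, EXPECTED_SIG, len) == 0)
        return 1;
    return 0;
}

/* The check pattern the advisories above fixed: only 0 is treated as a
 * failure, so the -1 error result is accepted as if the signature verified. */
int accept_signature_vulnerable(const unsigned char *sig, size_t len)
{
    if (model_verify_final(sig, len) == 0)
        return 0;              /* reject */
    return 1;                  /* accept, including the -1 error case */
}

/* Corrected pattern: anything other than 1 is a rejection. */
int accept_signature_fixed(const unsigned char *sig, size_t len)
{
    return model_verify_final(sig, len) == 1;
}

int main(void)
{
    /* Constructed inputs: the expected signature, a wrong one, and bytes
     * that do not decode as a SEQUENCE at all. */
    const unsigned char good[]      = { 0x30, 0x06, 0x02, 0x01, 0x2a, 0x02, 0x01, 0x07 };
    const unsigned char wrong[]     = { 0x30, 0x06, 0x02, 0x01, 0x2b, 0x02, 0x01, 0x07 };
    const unsigned char malformed[] = { 0xff, 0x00, 0x00 };
    struct { const char *name; const unsigned char *sig; size_t len; } cases[] = {
        { "good",      good,      sizeof good },
        { "wrong",     wrong,     sizeof wrong },
        { "malformed", malformed, sizeof malformed },
    };
    size_t i;

    printf("%-10s %6s %10s %6s\n", "signature", "return", "vulnerable", "fixed");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-10s %6d %10s %6s\n", cases[i].name,
               model_verify_final(cases[i].sig, cases[i].len),
               accept_signature_vulnerable(cases[i].sig, cases[i].len) ? "ACCEPT" : "reject",
               accept_signature_fixed(cases[i].sig, cases[i].len) ? "ACCEPT" : "reject");
    }
    return 0;
}
```

The "malformed" row is the one the advisories are about: the vulnerable check accepts it, the fixed check rejects it.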
* Pardus: audiofile: Heap Overflow (Jan 14)
-----------------------------------------
There is a bug in libaudiofile: when attempting to decode a file,
libaudiofile writes past the end of a buffer in msadpcm.c.
http://www.linuxsecurity.com/content/view/147165
* Pardus: Openssl: Spoofing (Jan 14)
----------------------------------
A vulnerability has been reported in OpenSSL, which can be exploited
by malicious people to conduct spoofing attacks.
http://www.linuxsecurity.com/content/view/147161
* Pardus: Valgrind: Untrusted Path (Jan 14)
-----------------------------------------
An untrusted search path vulnerability in valgrind allows local users
to execute arbitrary programs via a Trojan horse.
http://www.linuxsecurity.com/content/view/147162
* Pardus: Samba Security Bypass (Jan 8)
-------------------------------------
A security issue has been reported in Samba, which can be exploited
by malicious users to bypass certain security restrictions.
http://www.linuxsecurity.com/content/view/147113
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------