Linux Security

The central voice for Linux and Open Source security news.

Debian: New mplayer packages fix integer overflows

Sun, 2008-10-05 13:55
LinuxSecurity.com: Felipe Andres Manzano discovered that mplayer, a multimedia player, is vulnerable to several integer overflows in the Real video stream demuxing code. These flaws could allow an attacker to cause a denial of service (a crash) or potentially the execution of arbitrary code by supplying a maliciously crafted video file.

Debian: New feta packages fix denial of service

Sun, 2008-10-05 04:53
LinuxSecurity.com: Dmitry E. Oboukhov discovered that the "to-upgrade" plugin of Feta, a simpler interface to APT, dpkg, and other Debian package tools, creates temporary files insecurely, which may lead to local denial of service through symlink attacks.

Mandriva: Subject: [Security Announce] [ MDVA-2008:132 ] mandriva-release

Fri, 2008-10-03 18:50
LinuxSecurity.com: mandriva-release for Mandriva 2008 Spring should contain a product_branch set to Official, and not devel, otherwise it could lead to an error with the new mdkonline. The updated package fixes it.

Mandriva: Subject: [Security Announce] [ MDVA-2008:131 ] rpmdrake

Fri, 2008-10-03 18:40
LinuxSecurity.com: This update fixes several minor issues in rpmdrake:
- it fixes a crash due to bad timing with the X server (#41010)
- it fixes empty per-importance lists of updates in rpmdrake (list of all updates was OK, MandrivaUpdate was OK) (#41331) (regression introduced in 3.95 on 2007-09-14)

Mandriva: Subject: [Security Announce] [ MDVA-2008:130 ] drakxtools

Fri, 2008-10-03 18:30
LinuxSecurity.com: This update fixes several minor issues in drakxtools:
- it fixes management of XEN kernels in bootloader-config: when adding a new kernel, a xen entry should not replace an existing 'linux' (#40865)
- it fixes a crash in rpmdrake when description begins with Gtk2::.. (#43802)
It also really enables draksnapshot to use Gtk+-2's new FileChooserDialog in future.

Mandriva: Subject: [Security Announce] [ MDVSA-2008:210 ] mono

Fri, 2008-10-03 17:15
LinuxSecurity.com: CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string. The updated packages have been patched to fix the issue.

RedHat: Moderate: pam_krb5 security update

Thu, 2008-10-02 07:33
LinuxSecurity.com: An updated pam_krb5 package that fixes a security issue is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

RedHat: Important: tomcat security update

Thu, 2008-10-02 07:33
LinuxSecurity.com: Updated tomcat packages that fix multiple security issues are now available for Red Hat Developer Suite 3. This update has been rated as having important security impact by the Red Hat Security Response Team.

RedHat: Important: tomcat security update

Thu, 2008-10-02 07:32
LinuxSecurity.com: Updated tomcat packages that fix several security issues are now available for Red Hat Application Server v2. This update has been rated as having important security impact by the Red Hat Security Response Team.

RedHat: Moderate: thunderbird security update

Wed, 2008-10-01 10:50
LinuxSecurity.com: Updated thunderbird packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

RedHat: Important: xen security and bug fix update

Wed, 2008-10-01 10:50
LinuxSecurity.com: Updated xen packages that resolve a couple of security issues and fix a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team.

RedHat: Moderate: wireshark security update

Wed, 2008-10-01 10:50
LinuxSecurity.com: Updated wireshark packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Mandriva: Subject: [Security Announce] [ MDVSA-2008:208 ] pam_mount

Mon, 2008-09-29 19:39
LinuxSecurity.com: pam_mount 0.10 through 0.45, when luserconf is enabled, does not verify mountpoint and source ownership before mounting a user-defined volume, which allows local users to bypass intended access restrictions via a local mount. The updated packages have been patched to fix the issue.

Mandriva: Subject: [Security Announce] [ MDVSA-2008:207 ] openafs

Mon, 2008-09-29 13:24
LinuxSecurity.com: A race condition in OpenAFS 1.3.40 through 1.4.5 allowed remote attackers to cause a denial of service (daemon crash) by simultaneously acquiring and giving back file callbacks (CVE-2007-6559). The updated packages have been patched to prevent this issue.

Slackware: mozilla-thunderbird

Fri, 2008-09-26 23:13
LinuxSecurity.com: New mozilla-thunderbird packages are available for Slackware 10.2, 11.0, 12.0, 12.1, and -current to fix security issues. More details about the issues may be found on the Mozilla site: http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html

Mandriva: Subject: [Security Announce] [ MDVSA-2008:206 ] mozilla-thunderbird

Fri, 2008-09-26 14:28
LinuxSecurity.com: A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 2.0.0.17 (CVE-2008-0016, CVE-2008-3835, CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062, CVE-2008-4065, CVE-2008-4066, CVE-2008-4067, CVE-2008-4068, CVE-2008-4070). This update provides the latest Thunderbird to correct these issues.

Slackware: seamonkey

Fri, 2008-09-26 00:39
LinuxSecurity.com: New seamonkey packages are available for Slackware 11.0, 12.0, 12.1, and -current to fix security issues. More details about the issues may be found here: http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html

Slackware: mozilla-firefox

Fri, 2008-09-26 00:39
LinuxSecurity.com: New mozilla-firefox packages are available for Slackware 10.2, 11.0, 12.0, 12.1, and -current to fix security issues. More details about the issues may be found on the Mozilla site: http://www.mozilla.org/security/known-vulnerabilities/firefox20.html

Ubuntu: Thunderbird vulnerabilities

Thu, 2008-09-25 19:00
LinuxSecurity.com: It was discovered that the same-origin check in Thunderbird could be bypassed. If a user had JavaScript enabled and were tricked into opening a malicious website, an attacker may be able to execute JavaScript in the context of a different website. (CVE-2008-3835) Several problems were discovered in the browser engine of Thunderbird. If a user had JavaScript enabled, this could allow an attacker to execute code with chrome privileges. (CVE-2008-4058, CVE-2008-4059, CVE-2008-4060)

Mandriva: Subject: [Security Announce] [ MDVSA-2008:205 ] mozilla-firefox

Thu, 2008-09-25 16:01
LinuxSecurity.com: Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.17 (CVE-2008-0016, CVE-2008-3835, CVE-2008-3836, CVE-2008-3837, CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062, CVE-2008-4065, CVE-2008-4066, CVE-2008-4067, CVE-2008-4068, CVE-2008-4069). This update provides the latest Firefox to correct these issues.