≡ Menu

critical security

Red Hat today released kernel updates to fix at least 15 security flaws in its core called Linux kernel. RHEL users can grab the latest updates from RHN website or by simply running yum update command. This update has been rated as having important security impact.
[click to continue…]

Last week one or more of Red Hat's servers got cracked. Now, it has been revealed that both Fedora and Red Hat servers have been compromised. As a result Fedora is changing their package signing key. The intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64
architecture only).

This update has been rated as having critical security impact. If your Red hat based server directly connected to the Internet, immediately patch up the system.

From the RHN announcement:

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test
the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than
those of official Red Hat subscribers.

Following products are affected:
=> Red Hat Desktop (v. 4)
=> Red Hat Enterprise Linux (v. 5 server)
=> Red Hat Enterprise Linux AS (v. 4)
=> Red Hat Enterprise Linux AS (v. 4.5.z)
=> Red Hat Enterprise Linux Desktop (v. 5 client)
=> Red Hat Enterprise Linux ES (v. 4)
=> Red Hat Enterprise Linux ES (v. 4.5.z)
=> Red Hat Enterprise Linux WS (v. 4)

How do I patch up my system?

Login as the root and type the following command:
# yum update

This is the main reason I don't use Fedora in a production.

More information:

Now, Red hat did not disclosed how the hell attacker got in to the server. I'd like to know more about that - was it 0 day bug or plain old good social engineering hack?

Updated for accuracy - CentOS is not affected by this bug, see the comments below.

Firefox 3.0.1 has been released and available for download. This update has been rated as having critical security impact by the Mozilla. Use the following instructions to upgrade Firefox.

Security Issues

An integer overflow flaw was found in the way Firefox displayed certain web content. A malicious web site could cause Firefox to crash, or execute arbitrary code with the permissions of the user running Firefox. (CVE-2008-2785)

A flaw was found in the way Firefox handled certain command line URLs. If another application passed Firefox a malformed URL, it could result in Firefox executing local malicious content with chrome privileges. (CVE-2008-2933)

Download Firefox 3.0.1

=> Visit offical site to grab Firefox 3.0.1

How do I upgrade Firefox to version 3.0.1?

See how to install firefox-3.0.1.tar.bz2 in Linux

How do I update Firefox under Redhat / Fedora / CentOS Linux?

Simply type the following command, enter:
# yum update

How do I update Firefox under Debian / Ubuntu Linux?

Open terminal and simply type the following commands, enter:
$ sudo apt-get update
$ sudo apt-get upgrade

Mozilla hat issued important security update for Firefox package that that fix various security issues are now available from Mozilla, Red Hat, and other distributions. Mozilla announced Firefox 2.0.0.15 security and stability update available for download. This update has been rated as having critical security impact by the Mozialla. All Mozilla Firefox users should upgrade to this updated package, which contains backported patches that correct many issues.

How do I update FireFox 3.x or 1.5.x or 2.x under Red Hat / CentOS Linux?

Simply type the following command at a shell prompt:
# yum update

How do I update Firefox under Debian / Ububtu Linux?

Open terminal and type the following commands:
$ apt-get update
$ apt-get upgrade

After a standard system upgrade you need to restart Firefox to effect the necessary changes.

Security Issues Details

From the CVE database:
Various flaws were discovered in the browser engine. By tricking a user into opening a malicious web page, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2798, CVE-2008-2799)

Several problems were discovered in the JavaScript engine. If a user were tricked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-2800) Collin Jackson discovered various flaws in the JavaScript engine which allowed JavaScript to be injected into signed JAR files. If a user were tricked into opening malicious web content, an attacker may be able to execute arbitrary code with the privileges of a different website or link content within the JAR file to an
attacker-controlled JavaScript file. (CVE-2008-2801)

It was discovered that Firefox would allow non-privileged XUL documents to load chrome scripts from the fastload file. This could allow an attacker to execute arbitrary JavaScript code with chrome privileges. (CVE-2008-2802)

A flaw was discovered in Firefox that allowed overwriting trusted objects viaozIJSSubScriptLoader.loadSubScript(). If a user were tricked into opening a malicious web page, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2803)

Claudio Santambrogio discovered a vulnerability in Firefox which could lead to stealing of arbitrary files. If a user were tricked into opening malicious content, an attacker could force the browser into uploading local files to the remote server. (CVE-2008-2805)

Gregory Fleischer discovered a flaw in Java LiveConnect. An attacker could exploit this to bypass the same-origin policy and create arbitrary socket connections to other domains. (CVE-2008-2806) Daniel Glazman found that an improperly encoded .properties file in an add-on can result in uninitialized memory being used. If a user were tricked into installing a malicious add-on, the browser may be able to see data from other programs.(CVE-2008-2807)

Masahiro Yamada discovered that Firefox did not properly sanitize file URLs in directory listings, resulting in files from directory listings being opened in unintended ways or not being able to be
opened by the browser at all. (CVE-2008-2808)

John G. Myers discovered a weakness in the trust model used by Firefox regarding alternate names on self-signed certificates. If a user were tricked into accepting a certificate containing alternate name entries, an attacker could impersonate another server. (CVE-2008-2809)

A flaw was discovered in the way Firefox opened URL files. If a user were tricked into opening a bookmark to a malicious web page, the page could potentially read from local files on the user's computer. (CVE-2008-2810)

A vulnerability was discovered in the block reflow code of Firefox. This vulnerability could be used by an attacker to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2811)