≡ Menu

important security

Linux / BSD and UNIX like operating systems includes software from the OpenSSL Project. The OpenSSL is commercial-grade, industry-strength, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as general purpose cryptography library.

The Google security team discovered a flaw in the way OpenSSL checked the verification of certificates. An attacker in control of a malicious server, or able to effect a "man in the middle" attack, could present a malformed SSL/TLS signature from a certificate chain to a vulnerable client and bypass validation.

This update has been rated as having important security impact on FreeBSD, all version of Ubuntu / Debian, Red Hat (RHEL), CentOS, Fedora and other open source operating system that depends upon OpenSSL.
[click to continue…]

Debian GNU/Linux 4.0 Update 6 Released

Didn't take long to release new updated version.

The Debian project is pleased to announce the sixth update of its stable distribution Debian GNU/Linux 4.0 (codename "etch"). This update mainly adds corrections for security problems to the stable release, along with a few adjustment to serious problems. This update has been rated as having important security impact. You are advised to upgrade system ASAP.
[click to continue…]

Debian project today released a pair of security updates to plug at least ten security holes in its core called Linux kernel. Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. This update has been rated as having important security impact.
[click to continue…]

Red Hat today released kernel updates to fix at least 15 security flaws in its core called Linux kernel. RHEL users can grab the latest updates from RHN website or by simply running yum update command. This update has been rated as having important security impact.
[click to continue…]

Critical Red Hat Enterprise Linux Kernel Update

Red Hat issued an update version of Linux operating system core called kernel that plugs various security holes for RHEL 5.x. This update has been rated as having important security impact. All users are advised to upgrade kernel package.

Security fixes:

a) A missing capability check was found in the Linux kernel do_change_type routine. This could allow a local unprivileged user to gain privileged access or cause a denial of service. (CVE-2008-2931, Important)

b) A flaw was found in the Linux kernel Direct-IO implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2007-6716, Important)

c) Tobias Klein reported a missing check in the Linux kernel Open Sound System (OSS) implementation. This deficiency could lead to a possible information leak. (CVE-2008-3272, Moderate)

d) a deficiency was found in the Linux kernel virtual filesystem (VFS) implementation. This could allow a local unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate)

e) A flaw was found in the Linux kernel tmpfs implementation. This could allow a local unprivileged user to read sensitive information from the kernel. (CVE-2007-6417, Moderate)

Bug fix

a) A kernel crash may have occurred on heavily-used Samba servers after 24 to 48 hours of use.

b) On certain systems, if multiple InfiniBand queue pairs simultaneously fell into an error state, an overrun may have occurred, stopping traffic.

c) With bridging, when forward delay was set to zero, setting an interface to the forwarding state was delayed by one or possibly two timers, depending on whether STP was enabled. This may have caused long delays in moving an interface to the forwarding state. This issue caused packet loss when migrating virtual machines, preventing them from being migrated without interrupting applications.

How do I update my kernel?

Login as root and type:
# uname -mrs
# yum update
# reboot
# uname -mrs

Mozilla hat issued important security update for Firefox package that that fix various security issues are now available from Mozilla, Red Hat, and other distributions. Mozilla announced Firefox 2.0.0.15 security and stability update available for download. This update has been rated as having critical security impact by the Mozialla. All Mozilla Firefox users should upgrade to this updated package, which contains backported patches that correct many issues.

How do I update FireFox 3.x or 1.5.x or 2.x under Red Hat / CentOS Linux?

Simply type the following command at a shell prompt:
# yum update

How do I update Firefox under Debian / Ububtu Linux?

Open terminal and type the following commands:
$ apt-get update
$ apt-get upgrade

After a standard system upgrade you need to restart Firefox to effect the necessary changes.

Security Issues Details

From the CVE database:
Various flaws were discovered in the browser engine. By tricking a user into opening a malicious web page, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2798, CVE-2008-2799)

Several problems were discovered in the JavaScript engine. If a user were tricked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-2800) Collin Jackson discovered various flaws in the JavaScript engine which allowed JavaScript to be injected into signed JAR files. If a user were tricked into opening malicious web content, an attacker may be able to execute arbitrary code with the privileges of a different website or link content within the JAR file to an
attacker-controlled JavaScript file. (CVE-2008-2801)

It was discovered that Firefox would allow non-privileged XUL documents to load chrome scripts from the fastload file. This could allow an attacker to execute arbitrary JavaScript code with chrome privileges. (CVE-2008-2802)

A flaw was discovered in Firefox that allowed overwriting trusted objects viaozIJSSubScriptLoader.loadSubScript(). If a user were tricked into opening a malicious web page, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2803)

Claudio Santambrogio discovered a vulnerability in Firefox which could lead to stealing of arbitrary files. If a user were tricked into opening malicious content, an attacker could force the browser into uploading local files to the remote server. (CVE-2008-2805)

Gregory Fleischer discovered a flaw in Java LiveConnect. An attacker could exploit this to bypass the same-origin policy and create arbitrary socket connections to other domains. (CVE-2008-2806) Daniel Glazman found that an improperly encoded .properties file in an add-on can result in uninitialized memory being used. If a user were tricked into installing a malicious add-on, the browser may be able to see data from other programs.(CVE-2008-2807)

Masahiro Yamada discovered that Firefox did not properly sanitize file URLs in directory listings, resulting in files from directory listings being opened in unintended ways or not being able to be
opened by the browser at all. (CVE-2008-2808)

John G. Myers discovered a weakness in the trust model used by Firefox regarding alternate names on self-signed certificates. If a user were tricked into accepting a certificate containing alternate name entries, an attacker could impersonate another server. (CVE-2008-2809)

A flaw was discovered in the way Firefox opened URL files. If a user were tricked into opening a bookmark to a malicious web page, the page could potentially read from local files on the user's computer. (CVE-2008-2810)

A vulnerability was discovered in the block reflow code of Firefox. This vulnerability could be used by an attacker to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2811)

Security Update for Red Hat Linux Kernel

Red Hat has issued a security update for its Kernel that fixes issues related to following packages. This update has been rated as having important security impact on RHEL 4.x / 5.x, and you are recommended to update system as soon as possible.

=> Updated GFS-kernel, gnbd-kernel,dlm-kernel, cmirror-kernel, cman-kernel, Virtualization_Guide, Cluster_Administration, and lobal_File_System packages that fix module loading and others issues under RHEL 4.x and 5.x available now.

How do I update my system?

Simply type the following two commands:
# yum update
Sample output:

Loading "rhnplugin" plugin
Loading "security" plugin
rhel-x86_64-server-vt-5   100% |=========================| 1.2 kB    00:00
rhel-x86_64-server-5      100% |=========================| 1.2 kB    00:00
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package kernel.x86_64 0:2.6.18-92.1.6.el5 set to be installed
---> Package kernel-devel.x86_64 0:2.6.18-92.1.6.el5 set to be installed
---> Package kernel-headers.x86_64 0:2.6.18-92.1.6.el5 set to be updated
---> Package Deployment_Guide-en-US.noarch 0:5.2-11 set to be updated
--> Finished Dependency Resolution
--> Running transaction check
---> Package kernel.x86_64 0:2.6.18-53.1.21.el5 set to be erased
---> Package kernel.x86_64 0:2.6.18-92.1.6.el5 set to be installed
---> Package kernel-devel.x86_64 0:2.6.18-92.1.6.el5 set to be installed
---> Package kernel-headers.x86_64 0:2.6.18-92.1.6.el5 set to be updated
---> Package Deployment_Guide-en-US.noarch 0:5.2-11 set to be updated
---> Package kernel-devel.x86_64 0:2.6.18-53.1.21.el5 set to be erased
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 kernel                  x86_64     2.6.18-92.1.6.el5  rhel-x86_64-server-5   16 M
 kernel-devel            x86_64     2.6.18-92.1.6.el5  rhel-x86_64-server-5  5.0 M
Updating:
 Deployment_Guide-en-US  noarch     5.2-11           rhel-x86_64-server-5  3.5 M
 kernel-headers          x86_64     2.6.18-92.1.6.el5  rhel-x86_64-server-5  880 k
Removing:
 kernel                  x86_64     2.6.18-53.1.21.el5  installed          75 M
 kernel-devel            x86_64     2.6.18-53.1.21.el5  installed          15 M
Transaction Summary
=============================================================================
Install      2 Package(s)
Update       2 Package(s)
Remove       2 Package(s)
Total download size: 25 M
Is this ok [y/N]: y