+----------------------------------------------------------------------+
|  LinuxSecurity.com                                 Weekly Newsletter |
|  July 24th, 2009                                Volume 10, Number 30 |
|                                                                      |
|  Editorial Team:             Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
|                       Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for xulrunner, gst-plugins,
pulseaudio, dbus, fckeditor, mozvoikko, perl-gtk, yelp, ruby, chmsee,
eclipse, epiphany, evolution, galeon, hulahop, java, miro, firefox,
blam, wxGTK, moin, mediawiki, libtiff, compat, wordpress, poppler,
seamonkey, bluez, net-snmp, dhcp, and pulseaudio. The distributors
include Debian, Fedora, Gentoo, Mandriva, Red Hat, SuSE, Ubuntu, and
Pardus.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of
Linux: safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power
of Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" you may not take even a
second to respond. But if I ask "How much does Google know about you?"
you may instantly reply "Wait... what!? Do they!?"
The book "Googling Security: How Much Does Google Know About You" by
Greg Conti (Computer Science Professor at West Point) is the first book
to reveal how Google's vast information stockpiles could be used
against you or your business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------
Nagios is monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process; making it a secure setup, however, takes some work.
This article will not show you how to install Nagios, since there are
tons of installation guides out there, but it will show you in detail
ways to improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->      http://www.linuxsecurity.com/docs/QuickRefCard.pdf         <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.
  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New xulrunner packages fix several vulnerabilities (Jul 23)
  -------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149461

* Debian: New gst-plugins-good0.10 packages fix arbitrary code execution (Jul 19)
  -------------------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149401

* Debian: New pulseaudio packages fix privilege escalation (Jul 18)
  -----------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149399

* Debian: New dbus packages fix denial of service (Jul 18)
  --------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149398

* Debian: New fckeditor packages fix arbitrary code execution (Jul 16)
  --------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149390

------------------------------------------------------------------------

* Fedora 11 Update: (Jul 22)
  --------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149456

* Fedora 11 Update: mozvoikko-0.9.7-0.5.rc1.fc11 (Jul 22)
  -------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.
  http://www.linuxsecurity.com/content/view/149457

* Fedora 11 Update: perl-Gtk2-MozEmbed-0.08-6.fc11.3 (Jul 22)
  -----------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149458

* Fedora 11 Update: yelp-2.26.0-5.fc11 (Jul 22)
  ---------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149459

* Fedora 11 Update: ruby-gnome2-0.19.0-3.fc11.1 (Jul 22)
  ------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149460

* Fedora 11 Update: chmsee-1.0.1-9.fc11 (Jul 22)
  ----------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.
  http://www.linuxsecurity.com/content/view/149444

* Fedora 11 Update: eclipse-3.4.2-13.fc11 (Jul 22)
  ------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149445

* Fedora 11 Update: epiphany-2.26.3-2.fc11 (Jul 22)
  -------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149446

* Fedora 11 Update: epiphany-extensions-2.26.1-4.fc11 (Jul 22)
  ------------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149447

* Fedora 11 Update: evolution-rss-0.1.2-11.fc11 (Jul 22)
  ------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.
  http://www.linuxsecurity.com/content/view/149448

* Fedora 11 Update: galeon-2.0.7-12.fc11 (Jul 22)
  -----------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149449

* Fedora 11 Update: gnome-python2-extras-2.25.3-5.fc11 (Jul 22)
  -------------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149450

* Fedora 11 Update: gnome-web-photo-0.7-4.fc11 (Jul 22)
  -----------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149451

* Fedora 11 Update: google-gadgets-0.11.0-2.fc11 (Jul 22)
  -------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.
  http://www.linuxsecurity.com/content/view/149452

* Fedora 11 Update: hulahop-0.4.9-6.fc11 (Jul 22)
  -----------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149453

* Fedora 11 Update: java-1.6.0-openjdk-1.6.0.0-25.b16.fc11 (Jul 22)
  -----------------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149454

* Fedora 11 Update: Miro-2.0.5-2.fc11 (Jul 22)
  --------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149455

* Fedora 11 Update: firefox-3.5.1-1.fc11 (Jul 22)
  -----------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.
  http://www.linuxsecurity.com/content/view/149441

* Fedora 11 Update: xulrunner-1.9.1.1-1.fc11 (Jul 22)
  ---------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149442

* Fedora 11 Update: blam-1.8.5-12.fc11 (Jul 22)
  ---------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple security
  issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149443

* Fedora 10 Update: wxGTK-2.8.10-2.fc10 (Jul 22)
  ----------------------------------------------
  added fix for CVE-2009-2369

  http://www.linuxsecurity.com/content/view/149440

* Fedora 11 Update: wxGTK-2.8.10-2.fc11 (Jul 22)
  ----------------------------------------------
  added fix for CVE-2009-2369

  http://www.linuxsecurity.com/content/view/149439

* Fedora 10 Update: perl-IO-Socket-SSL-1.26-1.fc10 (Jul 19)
  ---------------------------------------------------------
  This update to version 1.26 fixes an issue where only the prefix of
  the hostname was checked if there was no wildcard present, so for
  example www.example.org would match a certificate starting with
  www.exam.

  http://www.linuxsecurity.com/content/view/149415

* Fedora 11 Update: moin-1.8.4-2.fc11 (Jul 19)
  --------------------------------------------
  This update removes the filemanager directory from the embedded
  FCKeditor; it contains code with known security vulnerabilities, even
  though that code couldn't be invoked when Moin was used with the
  default settings.
  Moin was probably not affected, but installing this update is still
  recommended as a security measure. CVE-2009-2265 is the related CVE
  identifier.

  http://www.linuxsecurity.com/content/view/149414

* Fedora 11 Update: mediawiki-1.15.1-48.fc11 (Jul 19)
  ---------------------------------------------------
  This update upgrades mediawiki code to 1.15.1 and fixes some path
  references.

  Upstream comments: This is a security and bugfix release of MediaWiki
  1.15.1 and 1.14.1. A cross-site scripting (XSS) vulnerability was
  discovered. Only versions 1.14.0, 1.15.0 and release candidates for
  those releases are affected.

  http://www.linuxsecurity.com/content/view/149413

* Fedora 11 Update: libtiff-3.8.2-14.fc11 (Jul 19)
  ------------------------------------------------
  CVE-2009-2347 libtiff: integer overflows in various inter-color
  spaces conversion tools (crash, ACE)

  Not the same as last week's libtiff security issue ...

  http://www.linuxsecurity.com/content/view/149412

* Fedora 10 Update: compat-wxGTK26-2.6.4-10.fc10 (Jul 19)
  -------------------------------------------------------
  Added rediffed fix for CVE-2009-2369 as found in wxGTK 2.8.10

  http://www.linuxsecurity.com/content/view/149410

* Fedora 11 Update: mingw32-libtiff-3.8.2-17.fc11 (Jul 19)
  --------------------------------------------------------
  - update upstream URL
  - Fix some more LZW decoding vulnerabilities (CVE-2009-2285)

  http://www.linuxsecurity.com/content/view/149411

* Fedora 10 Update: moin-1.6.4-3.fc10 (Jul 19)
  --------------------------------------------
  This update removes the filemanager and _samples directories from the
  embedded FCKeditor; they contain code with known security
  vulnerabilities, even though that code couldn't be invoked when Moin
  was used with the default settings. Moin was probably not affected,
  but installing this update is still recommended as a security
  measure. CVE-2009-2265 is the related CVE identifier.
  http://www.linuxsecurity.com/content/view/149409

* Fedora 11 Update: compat-wxGTK26-2.6.4-10.fc11 (Jul 19)
  -------------------------------------------------------
  Added rediffed fix for CVE-2009-2369 as found in wxGTK 2.8.10

  http://www.linuxsecurity.com/content/view/149407

* Fedora 10 Update: mediawiki-1.15.1-48.fc10 (Jul 19)
  ---------------------------------------------------
  This update upgrades mediawiki code to 1.15.1 and fixes some path
  references.

  Upstream comments: This is a security and bugfix release of MediaWiki
  1.15.1 and 1.14.1. A cross-site scripting (XSS) vulnerability was
  discovered. Only versions 1.14.0, 1.15.0 and release candidates for
  those releases are affected.

  http://www.linuxsecurity.com/content/view/149408

* Fedora 10 Update: wordpress-2.8.1-1.fc10 (Jul 19)
  -------------------------------------------------
  http://www.linuxsecurity.com/content/view/149406

* Fedora 10 Update: libtiff-3.8.2-14.fc10 (Jul 19)
  ------------------------------------------------
  CVE-2009-2347 libtiff: integer overflows in various inter-color
  spaces conversion tools (crash, ACE)

  Not the same as last week's libtiff security issue ...

  http://www.linuxsecurity.com/content/view/149405

* Fedora 10 Update: mingw32-libtiff-3.8.2-17.fc10 (Jul 19)
  --------------------------------------------------------
  - update upstream URL
  - Fix some more LZW decoding vulnerabilities (CVE-2009-2285)

  Bugzilla: #511015

  http://www.linuxsecurity.com/content/view/149404

* Fedora 11 Update: perl-IO-Socket-SSL-1.26-1.fc11 (Jul 19)
  ---------------------------------------------------------
  This update to version 1.26 fixes an issue where only the prefix of
  the hostname was checked if there was no wildcard present, so for
  example www.example.org would match a certificate starting with
  www.exam.
  http://www.linuxsecurity.com/content/view/149402

* Fedora 11 Update: wordpress-2.8.1-1.fc11 (Jul 19)
  -------------------------------------------------
  http://www.linuxsecurity.com/content/view/149403

* Fedora 10 Update: perl-5.10.0-73.fc10 (Jul 16)
  ----------------------------------------------
  This security update fixes an off-by-one overflow in
  Compress::Raw::Zlib (CVE-2009-1391).

  Moreover, it contains a subtle change to the configuration that does
  not affect the Perl interpreter itself, but fixes the propagation of
  the chosen options to the modules. For example, a rebuild of perl-Wx
  against perl-5.10.0-73 will fix bug 508496.

  http://www.linuxsecurity.com/content/view/149385

* Fedora 11 Update: poppler-0.10.7-2.fc11 (Jul 16)
  ------------------------------------------------
  An update to the latest stable upstream release fixing many bugs, as
  well as addressing several security issues. Release announcement:
  http://lists.freedesktop.org/archives/poppler/2009-May/004721.html

  http://www.linuxsecurity.com/content/view/149384

* Fedora 11 Update: seamonkey-1.1.17-1.fc11 (Jul 16)
  --------------------------------------------------
  Update to upstream version 1.1.17, fixing multiple security flaws:
  http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html#seamonkey1.1.17

  http://www.linuxsecurity.com/content/view/149383

* Fedora 10 Update: seamonkey-1.1.17-1.fc10 (Jul 16)
  --------------------------------------------------
  Update to upstream version 1.1.17, fixing multiple security flaws:
  http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html#seamonkey1.1.17

  http://www.linuxsecurity.com/content/view/149382

------------------------------------------------------------------------

* Gentoo: Python Integer overflows (Jul 19)
  -----------------------------------------
  Multiple integer overflows in Python have an unspecified impact.
  http://www.linuxsecurity.com/content/view/149419

* Gentoo: Nagios Execution of arbitrary code (Jul 19)
  ---------------------------------------------------
  Multiple vulnerabilities in Nagios may lead to the execution of
  arbitrary code.

  http://www.linuxsecurity.com/content/view/149418

* Gentoo: Rasterbar libtorrent Directory traversal (Jul 17)
  ---------------------------------------------------------
  A directory traversal vulnerability in Rasterbar libtorrent might
  allow a remote attacker to overwrite arbitrary files.

  http://www.linuxsecurity.com/content/view/149392

* Gentoo: PulseAudio Local privilege escalation (Jul 16)
  ------------------------------------------------------
  A vulnerability in PulseAudio may allow a local user to execute code
  with escalated privileges.

  http://www.linuxsecurity.com/content/view/149386

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVA-2009:132 ] gnome-power-manager (Jul 20)
  -------------------------------------------------------------------------------------
  The gnome-power-manager package shipped in Mandriva 2009 Spring does
  not work without gnome-session running in the user's desktop
  environment. This update fixes this issue, making gnome-power-manager
  work fine even if gnome-session is not started.

  http://www.linuxsecurity.com/content/view/149426

* Mandriva: Subject: [Security Announce] [ MDVA-2009:131 ] bluez (Jul 19)
  -----------------------------------------------------------------------
  In Mandriva 2009.1 the Bluetooth ALSA plugins were installed in the
  root lib dir. This prevents A2DP Bluetooth devices from working
  because they search for those libs in the standard lib directory.
  http://www.linuxsecurity.com/content/view/149424

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:157 ] perl-Compress-Raw-Zlib (Jul 19)
  -----------------------------------------------------------------------------------------
  A vulnerability has been found and corrected in
  perl-Compress-Raw-Zlib:

  Off-by-one error in the inflate function in Zlib.xs in
  Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS,
  SpamAssassin, and possibly other products, allows context-dependent
  attackers to cause a denial of service (hang or crash) via a crafted
  zlib compressed stream that triggers a heap-based buffer overflow, as
  exploited in the wild by Trojan.Downloader-71014 in June 2009
  (CVE-2009-1391).

  This update provides fixes for this vulnerability.

  http://www.linuxsecurity.com/content/view/149423

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:157 ] perl-Compress-Raw-Zlib (Jul 19)
  -----------------------------------------------------------------------------------------
  A vulnerability has been found and corrected in
  perl-Compress-Raw-Zlib:

  Off-by-one error in the inflate function in Zlib.xs in
  Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS,
  SpamAssassin, and possibly other products, allows context-dependent
  attackers to cause a denial of service (hang or crash) via a crafted
  zlib compressed stream that triggers a heap-based buffer overflow, as
  exploited in the wild by Trojan.Downloader-71014 in June 2009
  (CVE-2009-1391).

  This update provides fixes for this vulnerability.
  http://www.linuxsecurity.com/content/view/149422

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:156 ] net-snmp (Jul 19)
  ---------------------------------------------------------------------------
  A vulnerability has been found and corrected in net-snmp:

  agent/snmp_agent.c in snmpd in net-snmp 5.0.9 in Red Hat Enterprise
  Linux (RHEL) 3 allows remote attackers to cause a denial of service
  (daemon crash) via a crafted SNMP GETBULK request that triggers a
  divide-by-zero error. NOTE: this vulnerability exists because of an
  incorrect fix for CVE-2008-4309 (CVE-2009-1887).

  This update provides fixes for this vulnerability.

  http://www.linuxsecurity.com/content/view/149421

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:155 ] git (Jul 19)
  ----------------------------------------------------------------------
  A vulnerability has been found and corrected in git:

  git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to
  cause a denial of service (infinite loop and CPU consumption) via a
  request containing extra unrecognized arguments (CVE-2009-2108).

  This update provides fixes for this vulnerability.

  http://www.linuxsecurity.com/content/view/149420

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:154 ] dhcp (Jul 19)
  -----------------------------------------------------------------------
  A vulnerability has been found and corrected in ISC DHCP:

  ISC DHCP Server is vulnerable to a denial of service, caused by the
  improper handling of DHCP requests. If the host definitions are mixed
  using dhcp-client-identifier and hardware ethernet, a remote attacker
  could send specially-crafted DHCP requests to cause the server to
  stop responding (CVE-2009-1892).

  This update provides fixes for this vulnerability.
  http://www.linuxsecurity.com/content/view/149417

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:153 ] dhcp (Jul 17)
  -----------------------------------------------------------------------
  A vulnerability has been found and corrected in ISC DHCP:

  Integer overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before
  3.1.1; and the DHCP server in EMC VMware Workstation before 5.5.5
  Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5
  Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3
  Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before
  1.0.4 Build 56528; allows remote attackers to cause a denial of
  service (daemon crash) or execute arbitrary code via a malformed DHCP
  packet with a large dhcp-max-message-size that triggers a stack-based
  buffer overflow, related to servers configured to send many DHCP
  options to clients (CVE-2007-0062).

  This update provides fixes for this vulnerability.

  http://www.linuxsecurity.com/content/view/149397

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:153 ] dhcp (Jul 17)
  -----------------------------------------------------------------------
  A vulnerability has been found and corrected in ISC DHCP:

  Integer overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before
  3.1.1; and the DHCP server in EMC VMware Workstation before 5.5.5
  Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5
  Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3
  Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before
  1.0.4 Build 56528; allows remote attackers to cause a denial of
  service (daemon crash) or execute arbitrary code via a malformed DHCP
  packet with a large dhcp-max-message-size that triggers a stack-based
  buffer overflow, related to servers configured to send many DHCP
  options to clients (CVE-2007-0062).

  This update provides fixes for this vulnerability.
  http://www.linuxsecurity.com/content/view/149396

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:152 ] pulseaudio (Jul 17)
  -----------------------------------------------------------------------------
  A vulnerability has been found and corrected in pulseaudio:

  Tavis Ormandy and Julien Tinnes of the Google Security Team
  discovered that pulseaudio, when installed setuid root, does not drop
  privileges before re-executing itself to achieve immediate bindings.
  This can be exploited by a user who has write access to any directory
  on the file system containing /usr/bin to gain local root access. The
  user needs to exploit a race condition related to creating a hard
  link (CVE-2009-1894).

  This update provides fixes for this vulnerability.

  http://www.linuxsecurity.com/content/view/149395

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:152 ] pulseaudio (Jul 17)
  -----------------------------------------------------------------------------
  A vulnerability has been found and corrected in pulseaudio:

  Tavis Ormandy and Julien Tinnes of the Google Security Team
  discovered that pulseaudio, when installed setuid root, does not drop
  privileges before re-executing itself to achieve immediate bindings.
  This can be exploited by a user who has write access to any directory
  on the file system containing /usr/bin to gain local root access. The
  user needs to exploit a race condition related to creating a hard
  link (CVE-2009-1894).

  This update provides fixes for this vulnerability.

  http://www.linuxsecurity.com/content/view/149394

------------------------------------------------------------------------

* RedHat: Moderate: libtiff security update (Jul 16)
  --------------------------------------------------
  Updated libtiff packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3, 4, and 5. This update has
  been rated as having moderate security impact by the Red Hat Security
  Response Team.
  http://www.linuxsecurity.com/content/view/149391

------------------------------------------------------------------------

* SuSE: Linux Kernel (SUSE-SA:2009:038) (Jul 23)
  ----------------------------------------------
  http://www.linuxsecurity.com/content/view/149462

------------------------------------------------------------------------

* Ubuntu: Ruby vulnerabilities (Jul 20)
  -------------------------------------
  It was discovered that Ruby did not properly validate certificates.
  An attacker could exploit this and present invalid or revoked X.509
  certificates. (CVE-2009-0642)

  It was discovered that Ruby did not properly handle string arguments
  that represent large numbers. An attacker could exploit this and
  cause a denial of service. (CVE-2009-1904)

  http://www.linuxsecurity.com/content/view/149427

------------------------------------------------------------------------

* Pardus: Perl IO::Socket::SSL: Security (Jul 22)
  -----------------------------------------------
  exploited by malicious people to bypass certain security restrictions.

  http://www.linuxsecurity.com/content/view/149438

* Pardus: WxGtk: Integer Overflow (Jul 19)
  ----------------------------------------
  exploited by malicious people to potentially compromise a user's
  system.

  http://www.linuxsecurity.com/content/view/149416

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------