+----------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | August 7th, 2009 Volume 10, Number 32 | | | | Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> | | Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> | +----------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, advisories were released for gst-plugins-bad, libmodplug, xml-security-c, znc, xulrunner, firefox, blam, epiphany, pcmanx, mugshot, mzvoikko, miro, gnome-web-photo, kazehakase, google-gadgets, gecko-sharp, evolution-rss, galeon, perl, yelp, ruby-gnome, kernel, seahorse, hulahop, miro, chmsee, blam, irssi, django, drupal, openexr, bind, wireshark, ruby, phpmyadmin, nagios, firebird, bacula, rpm, flash-plugin, nspr, and fetchmail. The distributors include Debian, Fedora, Mandriva, Red Hat, Slackware, SuSE, and Ubuntu. --- >> Linux+DVD Magazine << In each issue you can find information concerning the best use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments. Catch up with what professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software are doing! http://www.linuxsecurity.com/ads/adclick.php?bannerid=26 --- Review: Googling Security: How Much Does Google Know About You -------------------------------------------------------------- If I ask "How much do you know about Google?" You may not take even a second to respond. But if I may ask "How much does Google know about you"? You may instantly reply "Wait... what!? Do they!?" The book "Googling Security: How Much Does Google Know About You" by Greg Conti (Computer Science Professor at West Point) is the first book to reveal how Google's vast information stockpiles could be used against you or your business and what you can do to protect yourself. http://www.linuxsecurity.com/content/view/145939 --- A Secure Nagios Server ---------------------- Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security. http://www.linuxsecurity.com/content/view/144088 --> Take advantage of the LinuxSecurity.com Quick Reference Card! <-- --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- ------------------------------------------------------------------------ * EnGarde Secure Community 3.0.22 Now Available! (Dec 9) ------------------------------------------------------ Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. http://www.linuxsecurity.com/content/view/145668 ------------------------------------------------------------------------ * Debian: New gst-plugins-bad0.10 packages fix arbitrary code execution (Aug 6) ----------------------------------------------------------------------------- http://www.linuxsecurity.com/content/view/149663 * Debian: New libmodplug packages fix arbitrary code execution (Aug 4) -------------------------------------------------------------------- http://www.linuxsecurity.com/content/view/149607 * Debian: New xml-security-c packages fix signature forgery (Aug 2) ----------------------------------------------------------------- http://www.linuxsecurity.com/content/view/149592 * Debian: New znc packages fix remote code execution (Aug 2) ---------------------------------------------------------- http://www.linuxsecurity.com/content/view/149591 * Debian: New apache/apache2-mpm-itk fix regression (Jul 30) ---------------------------------------------------------- http://www.linuxsecurity.com/content/view/149562 ------------------------------------------------------------------------ * Fedora 10 Update: xulrunner-1.9.0.13-1.fc10 (Aug 4) --------------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149651 * Fedora 10 Update: firefox-3.0.13-1.fc10 (Aug 4) ----------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149652 * Fedora 10 Update: blam-1.8.5-13.fc10 (Aug 4) -------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149649 * Fedora 10 Update: epiphany-2.24.3-9.fc10 (Aug 4) ------------------------------------------------ Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149650 * Fedora 10 Update: pcmanx-gtk2-0.3.8-12.fc10 (Aug 4) --------------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149638 * Fedora 10 Update: mugshot-1.2.2-12.fc10 (Aug 4) ----------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149639 * Fedora 10 Update: mozvoikko-0.9.5-13.fc10 (Aug 4) ------------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149640 * Fedora 10 Update: Miro-2.0.5-3.fc10 (Aug 4) ------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149641 * Fedora 10 Update: gnome-web-photo-0.3-21.fc10 (Aug 4) ----------------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149642 * Fedora 10 Update: kazehakase-0.5.6-4.fc10.5 (Aug 4) --------------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149643 * Fedora 10 Update: gnome-python2-extras-2.19.1-33.fc10 (Aug 4) ------------------------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149644 * Fedora 10 Update: google-gadgets-0.10.5-9.fc10 (Aug 4) ------------------------------------------------------ Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149645 * Fedora 10 Update: gecko-sharp2-0.13-11.fc10 (Aug 4) --------------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149646 * Fedora 10 Update: evolution-rss-0.1.2-9.fc10 (Aug 4) ---------------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149647 * Fedora 10 Update: galeon-2.0.7-13.fc10 (Aug 4) ---------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149648 * Fedora 10 Update: perl-Gtk2-MozEmbed-0.08-6.fc10.4 (Aug 4) ---------------------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149635 * Fedora 10 Update: yelp-2.24.0-12.fc10 (Aug 4) --------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149636 * Fedora 10 Update: ruby-gnome2-0.19.1-1.fc10.1 (Aug 4) ----------------------------------------------------- Update to new upstream Firefox version 3.0.13, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.13 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note: Issues described in MFSA 2009-42 and MFSA 2009-43 were previously addressed via rebase of the NSS packages. http://www.linuxsecurity.com/content/view/149637 * Fedora 11 Update: kernel-2.6.29.6-217.2.3.fc11 (Aug 4) ------------------------------------------------------ Fix security bugs: CVE-2009-1895 CVE-2009-2406 CVE-2009-2407 Add -fno- delete-null-pointer-checks gcc compile flag to protect against issues similar to CVE-2009-1897. Fix virtio_blk driver bug (reported against Fedora 10.) iwl3945 wireless driver rfkill fixes. Fix DPMS on some nVidia adapters when using the nouveau driver. http://www.linuxsecurity.com/content/view/149634 * Fedora 11 Update: mozvoikko-0.9.7-0.6.rc1.fc11 (Aug 4) ------------------------------------------------------ Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149630 * Fedora 11 Update: seahorse-plugins-2.26.2-4.fc11 (Aug 4) -------------------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149631 * Fedora 11 Update: yelp-2.26.0-6.fc11 (Aug 4) -------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149632 * Fedora 11 Update: perl-Gtk2-MozEmbed-0.08-6.fc11.4 (Aug 4) ---------------------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149633 * Fedora 11 Update: epiphany-extensions-2.26.1-5.fc11 (Aug 4) ----------------------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149620 * Fedora 11 Update: epiphany-2.26.3-3.fc11 (Aug 4) ------------------------------------------------ Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149621 * Fedora 11 Update: gnome-python2-extras-2.25.3-6.fc11 (Aug 4) ------------------------------------------------------------ Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149622 * Fedora 11 Update: galeon-2.0.7-13.fc11 (Aug 4) ---------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149623 * Fedora 11 Update: google-gadgets-0.11.0-3.fc11 (Aug 4) ------------------------------------------------------ Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149624 * Fedora 11 Update: gnome-web-photo-0.7-5.fc11 (Aug 4) ---------------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149625 * Fedora 11 Update: (Aug 4) ------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149626 * Fedora 11 Update: hulahop-0.4.9-7.fc11 (Aug 4) ---------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149627 * Fedora 11 Update: Miro-2.0.5-3.fc11 (Aug 4) ------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149628 * Fedora 11 Update: ruby-gnome2-0.19.1-1.fc11.1 (Aug 4) ----------------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149629 * Fedora 11 Update: xulrunner-1.9.1.2-1.fc11 (Aug 4) -------------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149615 * Fedora 11 Update: firefox-3.5.2-2.fc11 (Aug 4) ---------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149616 * Fedora 11 Update: chmsee-1.0.1-10.fc11 (Aug 4) ---------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149617 * Fedora 11 Update: blam-1.8.5-13.fc11 (Aug 4) -------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149618 * Fedora 11 Update: evolution-rss-0.1.2-12.fc11 (Aug 4) ----------------------------------------------------- Update to new upstream Firefox version 3.5.2, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.2 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149619 * Fedora 10 Update: kernel-2.6.27.29-170.2.78.fc10 (Aug 4) -------------------------------------------------------- Update to linux kernel 2.6.27.29: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.26 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.27 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.28 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.29 Fixes security bugs: CVE-2009-1895 CVE-2009-2406 CVE-2009-2407 Adds -fno-delete- null-pointer-checks gcc compile flag to protect against issues similar to CVE-2009-1897. http://www.linuxsecurity.com/content/view/149614 * Fedora 11 Update: irssi-0.8.13-3.fc11 (Aug 3) --------------------------------------------- http://www.linuxsecurity.com/content/view/149605 * Fedora 11 Update: Django-1.0.3-6.fc11 (Aug 3) --------------------------------------------- For: http://www.djangoproject.com/weblog/2009/jul/28/security/ http://www.linuxsecurity.com/content/view/149604 * Fedora 10 Update: Django-1.0.3-6.fc10 (Aug 3) --------------------------------------------- For: http://www.djangoproject.com/weblog/2009/jul/28/security/ http://www.linuxsecurity.com/content/view/149603 * Fedora 11 Update: drupal-date-6.x.2.3-0.fc11 (Jul 31) ----------------------------------------------------- * Advisory ID: DRUPAL-SA-CONTRIB-2009-046 * Project: Date (third-party module) * Version: 6.x * Date: 2009-July-29 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Date module provides a date CCK field that can be added to any content type. The Date Tools module that is bundled with Date module does not properly escape user input when displaying labels for fields on a content type. A malicious user with the 'use date tools' permission of the Date Tools sub- module, or the 'administer content types' permission could attempt a cross site scripting [1] (XSS) attack when creating a new content type, leading to the user gaining full administrative access. -------- VERSIONS AFFECTED --------------------------------------------------- * Date for Drupal 6.x prior to 6.x-2.3 Drupal core is not affected. If you do not use the contributed Date module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Upgrade to the latest version: * If you use Date for Drupal 6.x upgrade to Date 6.x-2.3 [2] Note that the 'use date tools' permission has been renamed as 'administer date tools' to clarify that this is an administrative permission (it allows the creation of new content types via a wizard form). You will need to re-assign this permission to any roles that were using it. See also the Date project page [3]. -------- REPORTED BY --------------------------------------------------------- Stella Power [4] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ Stella Power [5] and Karen Stevenson [6], the project maintainer. -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross- site_scripting [2] http://drupal.org/node/534332 [3] http://drupal.org/project/date [4] http://drupal.org/user/66894 [5] http://drupal.org/user/66894 [6] http://drupal.org/user/45874 http://www.linuxsecurity.com/content/view/149581 * Fedora 11 Update: xml-security-c-1.5.1-1.fc11 (Jul 31) ------------------------------------------------------ Fixes CVE-2009-0217 (#511915) http://www.linuxsecurity.com/content/view/149579 * Fedora 10 Update: drupal-date-6.x.2.3-0.fc10 (Jul 31) ----------------------------------------------------- * Advisory ID: DRUPAL-SA-CONTRIB-2009-046 * Project: Date (third-party module) * Version: 6.x * Date: 2009-July-29 * Security risk: Moderately critical * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Date module provides a date CCK field that can be added to any content type. The Date Tools module that is bundled with Date module does not properly escape user input when displaying labels for fields on a content type. A malicious user with the 'use date tools' permission of the Date Tools sub- module, or the 'administer content types' permission could attempt a cross site scripting [1] (XSS) attack when creating a new content type, leading to the user gaining full administrative access. -------- VERSIONS AFFECTED --------------------------------------------------- * Date for Drupal 6.x prior to 6.x-2.3 Drupal core is not affected. If you do not use the contributed Date module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Upgrade to the latest version: * If you use Date for Drupal 6.x upgrade to Date 6.x-2.3 [2] Note that the 'use date tools' permission has been renamed as 'administer date tools' to clarify that this is an administrative permission (it allows the creation of new content types via a wizard form). You will need to re-assign this permission to any roles that were using it. See also the Date project page [3]. -------- REPORTED BY --------------------------------------------------------- Stella Power [4] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ Stella Power [5] and Karen Stevenson [6], the project maintainer. -------- CONTACT ------------------------------------------------------------- The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Cross- site_scripting [2] http://drupal.org/node/534332 [3] http://drupal.org/project/date [4] http://drupal.org/user/66894 [5] http://drupal.org/user/66894 [6] http://drupal.org/user/45874 http://www.linuxsecurity.com/content/view/149580 * Fedora 10 Update: OpenEXR-1.6.1-8.fc10 (Jul 31) ----------------------------------------------- http://www.linuxsecurity.com/content/view/149578 * Fedora 11 Update: OpenEXR-1.6.1-8.fc11 (Jul 31) ----------------------------------------------- http://www.linuxsecurity.com/content/view/149577 * Fedora 10 Update: xml-security-c-1.5.1-1.fc10 (Jul 31) ------------------------------------------------------ Fixes CVE-2009-0217 (#511915) http://www.linuxsecurity.com/content/view/149576 ------------------------------------------------------------------------ * Gentoo: BIND Denial of Service (Aug 1) -------------------------------------- =3D=3D=3D=3D=3D=3D=3D=3D Dynamic Update packets can cause a Denial of Service in the BIND daemon. http://www.linuxsecurity.com/content/view/149590 * Gentoo: OpenSC Multiple vulnerabilities (Aug 1) ----------------------------------------------- =3D=3D=3D=3D=3D=3D=3D=3D Multiple vulnerabilities were found in OpenSC. http://www.linuxsecurity.com/content/view/149588 ------------------------------------------------------------------------ * Mandriva: Subject: [Security Announce] [ MDVSA-2009:194 ] wireshark (Aug 5) --------------------------------------------------------------------------- Vulnerabilities have been discovered in wireshark package, which could lead to application crash via radius, infiniband and afs dissectors (CVE-2009-2560, CVE-2009-2562, CVE-2009-2563). This update provides a fix for those vulnerabilities. http://www.linuxsecurity.com/content/view/149662 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:193 ] ruby (Aug 5) ---------------------------------------------------------------------- ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate. This update corrects the problem, including for older ruby versions. http://www.linuxsecurity.com/content/view/149659 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:192 ] phpmyadmin (Aug 5) ---------------------------------------------------------------------------- A vulnerability has been identified and corrected in phpMyAdmin: Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted SQL bookmark (CVE-2009-2284). This update provides phpmyadmin 3.2.0.1, which is not vulnerable to this issue. http://www.linuxsecurity.com/content/view/149655 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:191 ] OpenEXR (Aug 2) ------------------------------------------------------------------------- Multiple vulnerabilities has been found and corrected in OpenEXR: Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors that trigger heap-based buffer overflows, related to (1) the Imf::PreviewImage::PreviewImage function and (2) compressor constructors. NOTE: some of these details are obtained from third party information (CVE-2009-1720). The decompression implementation in the Imf::hufUncompress function in OpenEXR 1.2.2 and 1.6.1 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger a free of an uninitialized pointer (CVE-2009-1721). Buffer overflow in the compression implementation in OpenEXR 1.2.2 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors (CVE-2009-1722). This update provides fixes for these vulnerabilities. http://www.linuxsecurity.com/content/view/149596 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:190 ] OpenEXR (Aug 2) ------------------------------------------------------------------------- Multiple vulnerabilities has been found and corrected in OpenEXR: Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors that trigger heap-based buffer overflows, related to (1) the Imf::PreviewImage::PreviewImage function and (2) compressor constructors. NOTE: some of these details are obtained from third party information (CVE-2009-1720). The decompression implementation in the Imf::hufUncompress function in OpenEXR 1.2.2 and 1.6.1 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger a free of an uninitialized pointer (CVE-2009-1721). This update provides fixes for these vulnerabilities. http://www.linuxsecurity.com/content/view/149595 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:189 ] apache-mod_auth_mysql (Aug 1) --------------------------------------------------------------------------------------- A vulnerability has been found and corrected in mod_auth_mysql: SQL injection vulnerability in mod_auth_mysql.c in the mod-auth-mysql (aka libapache2-mod-auth-mysql) module for the Apache HTTP Server 2.x allows remote attackers to execute arbitrary SQL commands via multibyte character encodings for unspecified input (CVE-2008-2384). This update provides fixes for this vulnerability. http://www.linuxsecurity.com/content/view/149589 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:188 ] php4-eaccelerator (Jul 31) ------------------------------------------------------------------------------------ A vulnerability has been found and corrected in php4-eaccelerator: encoder.php in eAccelerator allows remote attackers to execute arbitrary code by copying a local executable file to a location under the web root via the -o option, and then making a direct request to this file, related to upload of image files (CVE-2009-2353). Additionally to adressing the security issue this update also provides php4-eaccelerator 0.9.5. http://www.linuxsecurity.com/content/view/149587 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:187 ] nagios (Jul 31) ------------------------------------------------------------------------- A vulnerability has been found and corrected in nagios: statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters (CVE-2009-2288). This update provides nagios 3.1.2, which is not vulnerable to this issue. http://www.linuxsecurity.com/content/view/149586 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:186 ] firebird (Jul 31) --------------------------------------------------------------------------- A vulnerability has been found and corrected in firebird: src/remote/server.cpp in fbserver.exe in Firebird SQL 1.5 before 1.5.6, 2.0 before 2.0.6, 2.1 before 2.1.3, and 2.5 before 2.5 Beta 2 allows remote attackers to cause a denial of service (daemon crash) via a malformed op_connect_request message that triggers an infinite loop or NULL pointer dereference (CVE-2009-2620). This update provides fixes for this vulnerability. http://www.linuxsecurity.com/content/view/149585 * Mandriva: Subject: [Security Announce] [ MDVA-2009:138 ] bacula (Jul 31) ------------------------------------------------------------------------ bacula 3.0.2 is primarily a important bug fix update to version 3.0.1 with some enhancements. http://www.linuxsecurity.com/content/view/149584 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:185 ] firefox (Jul 31) -------------------------------------------------------------------------- Security vulnerabilities have been discovered and corrected in Mozilla Firefox 3.0.x: Several flaws in Firefox browser and javascript engine could allow a malicious site to cause a denial-of-service of possibly remote code execution (CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, CVE-2009-1837, CVE-2009-1838, CVE-2009-1841, CVE-2009-2043, CVE-2009-2044). Several flaws were discovered in Firefox which could lead to information disclosure and security bypass (CVE-2009-1834, CVE-2009-1835, CVE-2009-1836, CVE-2009-1839, CVE-2009-1840). Several flaws were discovered in the Firefox browser and JavaScript engines, which could allow a malicious website to cause a denial of service or possibly execute arbitrary code with user privileges. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2464, CVE-2009-2465, CVE-2009-2466, CVE-2009-2468) Attila Suszter discovered a flaw in the way Firefox processed Flash content, which could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-2467) It was discovered that Firefox did not properly handle some SVG content, which could lead to a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-2469) A flaw was discovered in the JavaScript engine which could be used to perform cross-site scripting attacks. (CVE-2009-2472) This update provides the latest Mozilla Firefox 3.0.x to correct these issues. Additionally, some packages which require so, have been rebuilt and are being provided as updates. http://www.linuxsecurity.com/content/view/149583 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:184 ] apache-mod_security (Jul 31) -------------------------------------------------------------------------------------- Multiple vulnerabilities has been found and corrected in mod_security: The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference (CVE-2009-1902). The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd crash) via a request for a PDF file that does not use the GET method (CVE-2009-1903). This update provides mod_security 2.5.9, which is not vulnerable to these issues. http://www.linuxsecurity.com/content/view/149575 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:183 ] apache-mod_security (Jul 31) -------------------------------------------------------------------------------------- Multiple vulnerabilities has been found and corrected in mod_security: Multiple unspecified vulnerabilities in the ModSecurity (aka mod_security) module 2.5.0 through 2.5.5 for the Apache HTTP Server, when SecCacheTransformations is enabled, allow remote attackers to cause a denial of service (daemon crash) or bypass the product's functionality via unknown vectors related to transformation caching. (CVE-2008-5676) The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference (CVE-2009-1902). The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd crash) via a request for a PDF file that does not use the GET method (CVE-2009-1903). This update provides mod_security 2.5.9, which is not vulnerable to these issues. http://www.linuxsecurity.com/content/view/149574 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:182 ] firefox (Jul 30) -------------------------------------------------------------------------- Security vulnerabilities have been discovered and corrected in Mozilla Firefox 3.0.x: Several flaws were discovered in the Firefox browser and JavaScript engines, which could allow a malicious website to cause a denial of service or possibly execute arbitrary code with user privileges. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2464, CVE-2009-2465, CVE-2009-2466, CVE-2009-2468, CVE-2009-2471) Attila Suszter discovered a flaw in the way Firefox processed Flash content, which could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-2467) It was discovered that Firefox did not properly handle some SVG content, which could lead to a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-2469) A flaw was discovered in the JavaScript engine which could be used to perform cross-site scripting attacks. (CVE-2009-2472) This update provides the latest Mozilla Firefox 3.0.x to correct these issues. Additionally, some packages which require so, have been rebuilt and are being provided as updates. http://www.linuxsecurity.com/content/view/149569 * Mandriva: Subject: [Security Announce] [ MDVA-2009:137 ] rpm (Jul 30) --------------------------------------------------------------------- This update fixes an issue with rpm: o file triggers aren't properly invoked on package removal http://www.linuxsecurity.com/content/view/149563 ------------------------------------------------------------------------ * RedHat: Important: kernel security and bug fix update (Aug 4) ------------------------------------------------------------- Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149608 * RedHat: Critical: flash-plugin security update (Jul 31) ------------------------------------------------------- An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149571 * RedHat: Critical: flash-plugin security update (Jul 31) ------------------------------------------------------- An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 3 and 4 Extras. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149572 * RedHat: Critical: nspr and nss security and bug fix (Jul 31) ------------------------------------------------------------ Updated nspr and nss packages that fix security issues and bugs are now available for Red Hat Enterprise Linux 4.7 Extended Update Support. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149573 * RedHat: Critical: nspr and nss security and bug fix (Jul 30) ------------------------------------------------------------ Updated nspr and nss packages that fix security issues and a bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149566 * RedHat: Critical: seamonkey security update (Jul 30) ---------------------------------------------------- Updated seamonkey packages that fix a security issue are now available for Red Hat Enterprise Linux 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149567 ------------------------------------------------------------------------ * Slackware: fetchmail (Aug 6) ------------------------------ New fetchmail packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to a fix security issue. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666 http://www.linuxsecurity.com/content/view/149665 * Slackware: mozilla-firefox (Aug 3) ------------------------------------ A new mozilla-firefox package is available for Slackware 12.2 to fix security issues. The updated packages may also be used with Slackware 11.0 or newer. More details about the issues may be found on the Mozilla website: http://www.mozilla.org/security/announce/2009/mfsa2009-42.html http://www.mozilla.org/security/announce/2009/mfsa2009-43.html http://www.linuxsecurity.com/content/view/149606 * Slackware: httpd (Aug 2) -------------------------- New httpd packages are available for Slackware 12.0, 12.1, 12.2, and -current to fix security issues. More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1191 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956 http://www.linuxsecurity.com/content/view/149597 * Slackware: bind (Jul 30) -------------------------- New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a security issue. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696 ISC has published an announcement here: https://www.isc.org/node/479 And CERT has published an advisory here: http://www.kb.cert.org/vuls/id/725188 http://www.linuxsecurity.com/content/view/149559 ------------------------------------------------------------------------ * SuSE: Mozilla Firefox 3.0 (Aug 6) --------------------------------- http://www.linuxsecurity.com/content/view/149664 * SuSE: flash-player (resent) (Aug 5) ----------------------------------- http://www.linuxsecurity.com/content/view/149654 * SuSE: flash-player (SUSE-SA:2009:041) (Aug 5) --------------------------------------------- http://www.linuxsecurity.com/content/view/149653 * SuSE: bind (SUSE-SA:2009:040) (Jul 30) -------------------------------------- http://www.linuxsecurity.com/content/view/149560 ------------------------------------------------------------------------ * Ubuntu: NSPR update (Aug 4) ---------------------------- USN-810-1 fixed vulnerabilities in NSS. This update provides the NSPR needed to use the new NSS. Original advisory details: Moxie Marlinspike discovered that NSS did not properly handle regular expressions in certificate names. A remote attacker could create a specially crafted certificate to cause a denial of service (via application crash) or execute arbitrary code as the user invoking the program. (CVE-2009-2404) Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did not properly handle certificates with NULL characters in the certificate name. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2009-2408) Dan Kaminsky discovered NSS would still accept certificates with MD2 hash signatures. As a result, an attacker could potentially create a malicious trusted certificate to impersonate another site. (CVE-2009-2409) http://www.linuxsecurity.com/content/view/149613 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------
