+----------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter      |
|  August 14th, 2009                            Volume 10, Number 33   |
|                                                                      |
|  Editorial Team:  Dave Wreski          <dwreski@xxxxxxxxxxxxxxxxx>   |
|                   Benjamin D. Thomas   <bthomas@xxxxxxxxxxxxxxxxx>   |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for ruby, libxml2, imagemagick,
camlimages, squid3, mantis, subversion, memcached, fetchmail, viewvc,
ocaml, wordpress, xmlsec, libvorbis, apr, java, libTIFF, mmc, samba,
coreutils, openldap, nss, urpmi, curl, java, and Firefox.  The
distributors include Debian, Fedora, Mandriva, Red Hat, Slackware, SuSE,
and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments. Catch up with what
professional network and database administrators, system programmers,
webmasters and all those who believe in the power of Open Source software
are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------

If I ask "How much do you know about Google?" you may not take even a
second to respond. But if I ask "How much does Google know about you?"
you may instantly reply "Wait... what!? Do they!?" The book "Googling
Security: How Much Does Google Know About You" by Greg Conti (Computer
Science Professor at West Point) is the first book to reveal how Google's
vast information stockpiles could be used against you or your business
and what you can do to protect yourself.
http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------

Nagios is monitoring software designed to let you know about problems on
your hosts and networks quickly. You can configure it to be used on any
network. Setting up a Nagios server on any Linux distribution is a very
quick process; making it a secure setup, however, takes some work. This
article will not show you how to install Nagios, since there are plenty
of guides for that already, but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

  -->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
  -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf  <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes many
  updated packages and bug fixes and some feature enhancements to the
  EnGarde Secure Linux Installer and the SELinux policy.
  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New Ruby packages fix several issues (Aug 12)
  -----------------------------------------------------
  http://www.linuxsecurity.com/content/view/149744

* Debian: New libxml2 packages fix several issues (Aug 10)
  --------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149723

* Debian: New imagemagick packages fix several vulnerabilities (Aug 10)
  ---------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149717

* Debian: New camlimages packages fix arbitrary code execution (Aug 9)
  --------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149711

* Debian: New squid3 packages fix regression (Aug 9)
  --------------------------------------------------
  http://www.linuxsecurity.com/content/view/149710

* Debian: New mantis packages fix information leak (Aug 8)
  --------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149706

* Debian: New subversion packages fix arbitrary code execution (Aug 8)
  --------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149705

* Debian: New APR packages fix arbitrary code execution (Aug 8)
  -------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149704

* Debian: New memcached packages fix arbitrary code execution (Aug 7)
  -------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149690

* Debian: New fetchmail packages fix SSL certificate verification weakness (Aug 7)
  --------------------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149689

* Debian: New gst-plugins-bad0.10 packages fix arbitrary code execution (Aug 6)
  -----------------------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/149663

------------------------------------------------------------------------

* Fedora 11 Update: viewvc-1.1.2-2.fc11 (Aug 12)
  ----------------------------------------------
  CHANGES in 1.1.2:
  - security fix: validate the 'view' parameter to avoid XSS attack
  - security fix: avoid printing illegal parameter names and values
  - add optional support for character encoding detection (issue #400)
  - fix username case handling in svnauthz module (issue #419)
  - fix cvsdbadmin/svnadmin rebuild error on missing repos (issue #420)
  - don't drop leading blank lines from colorized file contents (issue #422)
  - add file.ezt template logic for optionally hiding binary file contents

  Also includes: Install and populate mimetypes.conf. This should
  hopefully help when colouring syntax using pygments.

  http://www.linuxsecurity.com/content/view/149748

* Fedora 11 Update: ocaml-camlimages-3.0.1-7.fc11.2 (Aug 12)
  ----------------------------------------------------------
  CVE-2009-2295

  http://www.linuxsecurity.com/content/view/149746

* Fedora 10 Update: viewvc-1.0.9-1.fc10 (Aug 12)
  ----------------------------------------------
  CHANGES in 1.0.9:
  - security fix: validate the 'view' parameter to avoid XSS attack
  - security fix: avoid printing illegal parameter names and values

  Also includes: Patch by Patrick Monnerat to make allow_tar work on F-10.
  http://www.linuxsecurity.com/content/view/149747

* Fedora 11 Update: libxml2-2.7.3-3.fc11 (Aug 11)
  -----------------------------------------------
  Two patches for parsing problems raised by Ficora.

  http://www.linuxsecurity.com/content/view/149737

* Fedora 10 Update: libxml2-2.7.3-2.fc10 (Aug 11)
  -----------------------------------------------
  Two patches for parsing problems raised by Ficora.

  http://www.linuxsecurity.com/content/view/149736

* Fedora 10 Update: wordpress-2.8.3-2.fc10 (Aug 11)
  -------------------------------------------------
  Security update to fix "Remote admin reset password":
  http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070137.html

  http://www.linuxsecurity.com/content/view/149735

* Fedora 11 Update: wordpress-2.8.3-2.fc11 (Aug 11)
  -------------------------------------------------
  Security update to fix "Remote admin reset password":
  http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070137.html

  http://www.linuxsecurity.com/content/view/149733

* Fedora 11 Update: xmlsec1-1.2.12-1.fc11 (Aug 11)
  ------------------------------------------------
  http://www.linuxsecurity.com/content/view/149734

* Fedora 10 Update: xmlsec1-1.2.12-1.fc10 (Aug 11)
  ------------------------------------------------
  http://www.linuxsecurity.com/content/view/149732

* Fedora 11 Update: subversion-1.6.4-2.fc11 (Aug 10)
  --------------------------------------------------
  This update includes the latest stable release of Subversion, fixing
  many bugs and a security issue:

  Matt Lewis reported multiple heap overflow flaws in Subversion (servers
  and clients) when parsing binary deltas. Malicious users with commit
  access to a vulnerable server could use these flaws to cause a heap
  overflow on the server running Subversion. A malicious Subversion server
  could use these flaws to cause a heap overflow on vulnerable clients
  when they attempt to checkout or update, resulting in a crash or,
  possibly, arbitrary code execution on the vulnerable client.
  (CVE-2009-2411)

  This update also adds support for storing passwords in the GNOME Keyring
  or KDE Wallet, via the new subversion-gnome and subversion-kde
  subpackages.

  For more details of the bug fixes included in this update, see:
  http://svn.collab.net/repos/svn/tags/1.6.4/CHANGES

  http://www.linuxsecurity.com/content/view/149727

* Fedora 11 Update: libvorbis-1.2.0-8.fc11 (Aug 10)
  -------------------------------------------------
  Fixes CVE-2009-2663

  http://www.linuxsecurity.com/content/view/149726

* Fedora 10 Update: libvorbis-1.2.0-6.fc10 (Aug 10)
  -------------------------------------------------
  Fixes CVE-2009-2663

  http://www.linuxsecurity.com/content/view/149725

* Fedora 10 Update: subversion-1.6.4-2.fc10 (Aug 10)
  --------------------------------------------------
  This update includes the latest stable release of Subversion, including
  several enhancements, many bug fixes, and a fix for a security issue:

  Matt Lewis reported multiple heap overflow flaws in Subversion (servers
  and clients) when parsing binary deltas. Malicious users with commit
  access to a vulnerable server could use these flaws to cause a heap
  overflow on the server running Subversion. A malicious Subversion server
  could use these flaws to cause a heap overflow on vulnerable clients
  when they attempt to checkout or update, resulting in a crash or,
  possibly, arbitrary code execution on the vulnerable client.
  (CVE-2009-2411)

  Version 1.6 offers many bug fixes and enhancements over 1.5, with the
  notable major features:
  - identical files share storage space in repository
  - file-externals support for intra-repository files
  - "tree" conflicts now handled more gracefully
  - repository root relative URL support on most commands

  For more information on changes in 1.6, see the release notes:
  http://subversion.tigris.org/svn_1.6_releasenotes.html

  This update includes the latest release of Subversion, version 1.6.2.

  http://www.linuxsecurity.com/content/view/149724

* Fedora 10 Update: apr-1.3.8-1.fc10 (Aug 7)
  ------------------------------------------
  CVE-2009-2412: allocator alignment fixes

  Full details here: http://www.apache.org/dist/apr/patches/

  http://www.linuxsecurity.com/content/view/149681

* Fedora 11 Update: apr-util-1.3.9-1.fc11 (Aug 7)
  -----------------------------------------------
  CVE-2009-2412: allocator alignment fixes

  Full details here: http://www.apache.org/dist/apr/patches/

  http://www.linuxsecurity.com/content/view/149680

* Fedora 11 Update: apr-1.3.8-1.fc11 (Aug 7)
  ------------------------------------------
  CVE-2009-2412: allocator alignment fixes

  Full details here: http://www.apache.org/dist/apr/patches/

  http://www.linuxsecurity.com/content/view/149678

* Fedora 10 Update: java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 (Aug 7)
  ----------------------------------------------------------------
  Urgent security fixes have been included.
  http://www.linuxsecurity.com/content/view/149679

* Fedora 10 Update: wordpress-2.8.3-1.fc10 (Aug 7)
  ------------------------------------------------
  Update to upstream version 2.8.3:
  http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/

  http://www.linuxsecurity.com/content/view/149676

* Fedora 11 Update: java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 (Aug 7)
  ----------------------------------------------------------------
  Urgent security updates have been included.

  http://www.linuxsecurity.com/content/view/149677

* Fedora 10 Update: apr-util-1.3.9-1.fc10 (Aug 7)
  -----------------------------------------------
  CVE-2009-2412: allocator alignment fixes

  Full details here: http://www.apache.org/dist/apr/patches/

  http://www.linuxsecurity.com/content/view/149675

* Fedora 11 Update: wordpress-2.8.3-1.fc11 (Aug 7)
  ------------------------------------------------
  Update to upstream version 2.8.3:
  http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/

  http://www.linuxsecurity.com/content/view/149674

------------------------------------------------------------------------

* Gentoo: Adobe products Multiple vulnerabilities (Aug 7)
  -------------------------------------------------------
  Multiple vulnerabilities in Adobe Reader and Adobe Flash Player allow
  for attacks including the remote execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/149687

* Gentoo: libTIFF User-assisted execution of arbitrary code (Aug 7)
  -----------------------------------------------------------------
  Multiple boundary checking vulnerabilities in libTIFF may allow for the
  remote execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/149686

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:201 ] fetchmail (Aug 12)
  ----------------------------------------------------------------------------
  A vulnerability has been found and corrected in fetchmail:

  socket.c in fetchmail before 6.3.11 does not properly handle a '\0'
  character in a domain name in the subject's Common Name (CN) field of an
  X.509 certificate, which allows man-in-the-middle attackers to spoof
  arbitrary SSL servers via a crafted certificate issued by a legitimate
  Certification Authority, a related issue to CVE-2009-2408
  (CVE-2009-2666).

  This update provides a solution to this vulnerability.

  http://www.linuxsecurity.com/content/view/149745

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:200 ] libxml (Aug 12)
  -------------------------------------------------------------------------
  Multiple vulnerabilities have been found and corrected in libxml:

  Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26,
  2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent
  attackers to cause a denial of service (application crash) via a large
  depth of element declarations in a DTD, related to a function recursion,
  as demonstrated by the Codenomicon XML fuzzing framework (CVE-2009-2414).

  Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16,
  2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent
  attackers to cause a denial of service (application crash) via crafted
  (1) Notation or (2) Enumeration attribute types in an XML file, as
  demonstrated by the Codenomicon XML fuzzing framework (CVE-2009-2416).

  This update provides a solution to these vulnerabilities.
  http://www.linuxsecurity.com/content/view/149739

* Mandriva: Subject: [Security Announce] [ MDVA-2009:150 ] mmc (Aug 11)
  ---------------------------------------------------------------------
  Problems were discovered with the mmc-wizard:

  After configuring a DNS server with mmc-wizard, how do you add an MX DNS
  entry in the mmc (Mandriva Directory Server)? The version of Mandriva
  Directory Server in mes5 is 2.3.1. http://mds.mandriva.org/ shows that
  MDS 2.3.2 corrects this problem. The first point in its release features
  is:
  - a new functionality for DNS zones management: support for MX and NS
    records.

  Additionally squidGuard was missing and therefore squidGuard-1.4 is
  provided with this upgrade as well.

  http://www.linuxsecurity.com/content/view/149730

* Mandriva: Subject: [Security Announce] [ MDVA-2009:149 ] gtkmm2.4 (Aug 11)
  --------------------------------------------------------------------------
  A memory allocation bug in gtkmm would make applications using the
  library crash on the x86_64 architecture. This update corrects the
  problem.

  http://www.linuxsecurity.com/content/view/149729

* Mandriva: Subject: [Security Announce] [ MDVA-2009:148 ] samba (Aug 10)
  -----------------------------------------------------------------------
  Interoperability problems were discovered with samba-3.2.7/samba-3.2.13
  in Enterprise Server 5 and samba-3.0.23d in Corporate Server 4. This
  update provides samba 3.0.36 to address these issues. Additionally this
  upgrade also fixes many upstream bugs.

  http://www.linuxsecurity.com/content/view/149718

* Mandriva: Subject: [Security Announce] [ MDVA-2009:147 ] indilib (Aug 10)
  -------------------------------------------------------------------------
  urpmi kstars or urpmi kdeedu4 results in dependency problems. This
  update addresses this issue.
  http://www.linuxsecurity.com/content/view/149716

* Mandriva: Subject: [Security Announce] [ MDVA-2009:146 ] coreutils (Aug 9)
  --------------------------------------------------------------------------
  There is no man page for the su command. This update fixes this problem,
  making the man page for the su command show again.

  http://www.linuxsecurity.com/content/view/149709

* Mandriva: Subject: [Security Announce] [ MDVA-2009:145 ] x11-driver-input-synaptics (Aug 9)
  -------------------------------------------------------------------------------------------
  The synaptics touchpad driver shipped with 2009.1 has problems correctly
  identifying and scaling the right hand scroll zone on certain hardware
  (including the ASUS EeePC 701). This updated version addresses this and
  several other minor issues, fixing (among others) Mandriva bug #51845.

  http://www.linuxsecurity.com/content/view/149708

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:199 ] subversion (Aug 8)
  ----------------------------------------------------------------------------
  A vulnerability has been found and corrected in subversion:

  Multiple integer overflows in the libsvn_delta library in Subversion
  before 1.5.7, and 1.6.x before 1.6.4, allow remote authenticated users
  and remote Subversion servers to execute arbitrary code via an svndiff
  stream with large windows that trigger a heap-based buffer overflow, a
  related issue to CVE-2009-2412 (CVE-2009-2411).

  This update provides a solution to this vulnerability and in turn
  upgrades subversion where possible to provide additional features and
  upstream bugfixes, and adds required dependencies where needed.

  http://www.linuxsecurity.com/content/view/149707

* Mandriva: Subject: [Security Announce] [ MDVA-2009:144 ] libv4l (Aug 8)
  -----------------------------------------------------------------------
  This update addresses the issue of urpmi preventing installation of both
  i586/x86_64 versions of libv4l wrappers (Mandriva bug #45316).
  Updated packages are provided to fix this issue.

  http://www.linuxsecurity.com/content/view/149703

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:161-1 ] squid (Aug 8)
  -------------------------------------------------------------------------
  Multiple vulnerabilities have been found and corrected in squid:

  Due to incorrect buffer limits and related bound checks Squid is
  vulnerable to a denial of service attack when processing specially
  crafted requests or responses (CVE-2009-2621).

  Due to incorrect data validation Squid is vulnerable to a denial of
  service attack when processing specially crafted responses
  (CVE-2009-2622).

  This update provides fixes for these vulnerabilities.

  Update:

  Additional upstream security patches were applied:
  - Debug warnings fill up the logs.
  - Upstream Bug 2728: regression: assertion failed: http.cc:705: !eof

  http://www.linuxsecurity.com/content/view/149702

* Mandriva: Subject: [Security Announce] [ MDVA-2009:143 ] openldap (Aug 7)
  -------------------------------------------------------------------------
  The script ldap-hot-db-backup in /etc/cron.daily doesn't work because
  the db_archive and db_stat tools are missing; these tools depend on
  db4-utils.

  http://www.linuxsecurity.com/content/view/149701

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:198 ] firefox (Aug 7)
  -------------------------------------------------------------------------
  Security issues were identified and fixed in firefox 3.0.x:

  Security researcher Juan Pablo Lopez Yacubian reported that an attacker
  could call window.open() on an invalid URL which looks similar to a
  legitimate URL and then use document.write() to place content within
  the new document, appearing to have come from the spoofed location
  (CVE-2009-2654).

  Moxie Marlinspike reported a heap overflow vulnerability in the code
  that handles regular expressions in certificate names.
  This vulnerability could be used to compromise the browser and run
  arbitrary code by presenting a specially crafted certificate to the
  client (CVE-2009-2404).

  IOActive security researcher Dan Kaminsky reported a mismatch in the
  treatment of domain names in SSL certificates between SSL clients and
  the Certificate Authorities (CA) which issue server certificates. These
  certificates could be used to intercept and potentially alter encrypted
  communication between the client and a server such as sensitive bank
  account transactions (CVE-2009-2408).

  This update provides the latest Mozilla Firefox 3.0.x to correct these
  issues. Additionally, some packages which require it have been rebuilt
  and are being provided as updates.

  http://www.linuxsecurity.com/content/view/149700

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:197 ] nss (Aug 7)
  ---------------------------------------------------------------------
  Security issues in nss prior to 3.12.3 could lead to a man-in-the-middle
  attack via a spoofed X.509 certificate (CVE-2009-2408) and MD2 algorithm
  flaws (CVE-2009-2409), and could also cause a denial of service and
  possible code execution via a long domain name in an X.509 certificate
  (CVE-2009-2404).

  This update provides the latest versions of the NSS and NSPR libraries,
  which are not vulnerable to those attacks.
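  The fetchmail entry above (MDVSA-2009:201, CVE-2009-2666) and the
  Firefox/nss entries (CVE-2009-2408) describe the same class of defect:
  a hostname check that reads the certificate's Common Name as a C string
  and therefore stops at the first '\0', while the issuing CA and the DER
  encoding both treat the full byte string as the name. The Python below
  is an added example written for this newsletter page; it is not code
  from fetchmail, NSS, Firefox or Mandriva, and every certificate name in
  it is constructed. It models the truncating comparison beside a
  length-aware one so the difference can be observed on the same input.

```python
# Added example: the embedded-NUL Common Name problem (CVE-2009-2408 /
# CVE-2009-2666 class). Illustrative code, not fetchmail's, NSS's or
# Firefox's; all certificate names below are constructed for the demo.


def der_utf8string(value: bytes) -> bytes:
    """Encode a short value (< 128 bytes) as a DER UTF8String (tag 0x0C).
    DER carries an explicit length, so an embedded 0x00 is just another
    byte of the name as far as the certificate (and the issuing CA) go."""
    if len(value) >= 128:
        raise ValueError("long-form DER lengths are not handled in this example")
    return bytes([0x0C, len(value)]) + value


def parse_der_utf8string(buf: bytes) -> bytes:
    """Return the string's bytes using the DER length field, never strlen()."""
    if len(buf) < 2 or buf[0] != 0x0C:
        raise ValueError("not a DER UTF8String")
    length = buf[1]
    if length >= 128 or len(buf) != 2 + length:
        raise ValueError("unsupported or truncated length")
    return buf[2:]


def cstring_cn_match(cn: bytes, expected_host: str) -> bool:
    """Models the vulnerable comparison: the CN is copied into a C string
    and compared strcmp()-style, so everything after the first NUL byte
    is silently ignored."""
    visible = cn.split(b"\x00", 1)[0]
    return visible.decode("ascii", "replace").lower() == expected_host.lower()


def strict_cn_match(cn: bytes, expected_host: str) -> bool:
    """Hardened comparison: operate on the full DER-length byte string,
    reject any NUL byte or non-printable character, and only then compare."""
    if b"\x00" in cn:
        return False
    try:
        text = cn.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not text.isprintable():
        return False
    return text.lower() == expected_host.lower()


def check_certificate_cn(der_cn: bytes, expected_host: str) -> dict:
    """Run both comparisons on a DER-encoded CN and report the outcome, so
    a reviewer can see where the truncating check accepts a name that the
    strict check rejects."""
    cn = parse_der_utf8string(der_cn)
    return {
        "cn_length": len(cn),
        "contains_nul": b"\x00" in cn,
        "cstring_match": cstring_cn_match(cn, expected_host),
        "strict_match": strict_cn_match(cn, expected_host),
    }


if __name__ == "__main__":
    # Constructed names: one legitimate CN and one with an embedded NUL, of
    # the shape the advisories describe (the CA validates the part after
    # the NUL; the vulnerable client only ever sees the part before it).
    legitimate = der_utf8string(b"www.bank.example")
    nul_spoof = der_utf8string(b"www.bank.example\x00.other.example")
    for label, der_cn in (("legitimate", legitimate), ("nul-spoof", nul_spoof)):
        print(label, check_certificate_cn(der_cn, "www.bank.example"))
```

  Running it prints a verdict for each name: the legitimate CN passes both
  checks, while the NUL-containing CN passes only the C-string comparison.
  The defensive points are the two that the fixed versions adopt: take the
  name's length from the DER structure rather than from strlen(), and treat
  any NUL (or other non-printable byte) in a name field as a verification
  failure rather than a terminator.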
  http://www.linuxsecurity.com/content/view/149699

* Mandriva: Subject: [Security Announce] [ MDVA-2009:142 ] mandriva-doc (Aug 7)
  -----------------------------------------------------------------------------
  Minor bugs have been fixed in the mandriva-doc-mes5 package:
  - Fix both en and fr menu access for documentation
  - Fix fr link to French documentation
  - Update en documentation

  http://www.linuxsecurity.com/content/view/149698

* Mandriva: Subject: [Security Announce] [ MDVA-2009:141 ] urpmi (Aug 7)
  ----------------------------------------------------------------------
  This update fixes a minor issue with urpmi:
  - no error message and 0 exit code when using CD/DVD media and hal
    isn't running

  http://www.linuxsecurity.com/content/view/149697

* Mandriva: Subject: [Security Announce] [ MDVA-2009:140 ] x11-driver-video-openchrome (Aug 7)
  --------------------------------------------------------------------------------------------
  This update fixes three issues with the openchrome driver for VIA video
  cards:
  - Fix a segmentation fault when using the EXA acceleration architecture.
  - Fix a segmentation fault on hardware that does not support Xv.
  - Improve EXA performance on a fallback case.

  http://www.linuxsecurity.com/content/view/149696

* Mandriva: Subject: [Security Announce] [ MDVA-2009:139 ] ocsinventory-agent (Aug 7)
  -----------------------------------------------------------------------------------
  This fix adds a requirement on smartmontools and bumps the release to
  1.02.1 (internal 1.0.1).

  http://www.linuxsecurity.com/content/view/149695

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:196 ] samba (Aug 7)
  -----------------------------------------------------------------------
  Multiple vulnerabilities have been found and corrected in samba:

  Multiple format string vulnerabilities in client/client.c in smbclient
  in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to
  execute arbitrary code via format string specifiers in a filename
  (CVE-2009-1886).
  The acl_group_override function in smbd/posix_acls.c in smbd in Samba
  3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before
  3.3.6, when dos filemode is enabled, allows remote attackers to modify
  access control lists for files via vectors related to read access to
  uninitialized memory (CVE-2009-1888).

  This update provides samba 3.2.13 to address these issues.

  http://www.linuxsecurity.com/content/view/149693

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:195-1 ] apr (Aug 6)
  -----------------------------------------------------------------------
  A vulnerability has been identified and corrected in apr and apr-util:

  Multiple integer overflows in the Apache Portable Runtime (APR) library
  and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x
  allow remote attackers to cause a denial of service (application crash)
  or possibly execute arbitrary code via vectors that trigger crafted
  calls to the (1) allocator_alloc or (2) apr_palloc function in
  memory/unix/apr_pools.c in APR; or crafted calls to the
  (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function
  in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some
  of these details are obtained from third party information
  (CVE-2009-2412).

  This update provides fixes for these vulnerabilities.

  Update:

  apr-util packages were missing for Mandriva Enterprise Server 5 i586;
  this has been addressed with this update.

  http://www.linuxsecurity.com/content/view/149669

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:195 ] apr (Aug 6)
  ---------------------------------------------------------------------
  A vulnerability has been identified and corrected in apr and apr-util:

  Fix potential overflow in pools (apr) and rmm (apr-util), where size
  alignment was taking place (CVE-2009-2412).

  This update provides fixes for these vulnerabilities.
  http://www.linuxsecurity.com/content/view/149667

------------------------------------------------------------------------

* RedHat: Moderate: curl security update (Aug 13)
  -----------------------------------------------
  Updated curl packages that fix security issues are now available for
  Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as
  having moderate security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149749

* RedHat: Important: kernel security and bug fix update (Aug 13)
  --------------------------------------------------------------
  Updated kernel packages that fix several security issues and several
  bugs are now available for Red Hat Enterprise Linux 4. This update has
  been rated as having important security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/149750

* RedHat: Critical: nspr and nss security update (Aug 12)
  -------------------------------------------------------
  Updated nspr and nss packages that fix security issues are now available
  for Red Hat Enterprise Linux 5.2 Extended Update Support. This update
  has been rated as having critical security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/149738

* RedHat: Moderate: httpd security and bug fix update (Aug 10)
  ------------------------------------------------------------
  Updated httpd packages that fix multiple security issues and a bug are
  now available for Red Hat Enterprise Linux 3. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/149721

* RedHat: Moderate: libxml and libxml2 security update (Aug 10)
  -------------------------------------------------------------
  Updated libxml and libxml2 packages that fix multiple security issues
  are now available for Red Hat Enterprise Linux 3, 4, and 5.
  This update has been rated as having moderate security impact by the
  Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149722

* RedHat: Moderate: apr and apr-util security update (Aug 10)
  -----------------------------------------------------------
  Updated apr and apr-util packages that fix multiple security issues are
  now available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/149720

* RedHat: Important: subversion security update (Aug 10)
  ------------------------------------------------------
  Updated subversion packages that fix multiple security issues are now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having important security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/149719

* RedHat: Important: java-1.6.0-openjdk security and bug (Aug 6)
  --------------------------------------------------------------
  Updated java-1.6.0-openjdk packages that fix several security issues and
  a bug are now available for Red Hat Enterprise Linux 5. This update has
  been rated as having important security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/149672

* RedHat: Critical: java-1.6.0-ibm security update (Aug 6)
  --------------------------------------------------------
  Updated java-1.6.0-ibm packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.
  This update has been rated as having critical security impact by the
  Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/149673

* RedHat: Critical: java-1.5.0-sun security update (Aug 6)
  --------------------------------------------------------
  Updated java-1.5.0-sun packages that correct several security issues are
  now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.
  This update has been rated as having critical security impact by the
  Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149670

* RedHat: Critical: java-1.6.0-sun security update (Aug 6)
  --------------------------------------------------------
  Updated java-1.6.0-sun packages that correct several security issues are
  now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.
  This update has been rated as having critical security impact by the
  Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149671

------------------------------------------------------------------------

* Slackware: subversion (Aug 7)
  -----------------------------
  New subversion packages are available for Slackware 12.0, 12.1, 12.2,
  and -current to fix a security issue.

  More details about this issue may be found in the Common Vulnerabilities
  and Exposures (CVE) database:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2411

  http://www.linuxsecurity.com/content/view/149682

* Slackware: apr-util (Aug 7)
  ---------------------------
  New apr-util packages are available for Slackware 11.0, 12.0, 12.1,
  12.2, and -current to fix a security issue.

  More details about this issue may be found in the Common Vulnerabilities
  and Exposures (CVE) database:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412

  http://www.linuxsecurity.com/content/view/149683

* Slackware: apr (Aug 7)
  ----------------------
  New apr packages are available for Slackware 11.0, 12.0, 12.1, 12.2,
  and -current to fix a security issue.
  More details about this issue may be found in the Common Vulnerabilities
  and Exposures (CVE) database:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412

  http://www.linuxsecurity.com/content/view/149684

* Slackware: fetchmail (Aug 6)
  ----------------------------
  New fetchmail packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
  10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a security
  issue.

  More details about this issue may be found in the Common Vulnerabilities
  and Exposures (CVE) database:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666

  http://www.linuxsecurity.com/content/view/149665

------------------------------------------------------------------------

* SuSE: Sun Java (SUSE-SA:2009:043) (Aug 7)
  -----------------------------------------
  http://www.linuxsecurity.com/content/view/149688

* SuSE: Mozilla Firefox 3.0 (Aug 6)
  ---------------------------------
  http://www.linuxsecurity.com/content/view/149664

------------------------------------------------------------------------

* Ubuntu: libxml2 vulnerabilities (Aug 11)
  -----------------------------------------
  It was discovered that libxml2 did not correctly handle root XML
  document element DTD definitions. If a user were tricked into processing
  a specially crafted XML document, a remote attacker could cause the
  application linked against libxml2 to crash, leading to a denial of
  service. (CVE-2009-2414)

  It was discovered that libxml2 did not correctly parse Notation and
  Enumeration attribute types. If a user were tricked into processing a
  specially crafted XML document, a remote attacker could cause the
  application linked against libxml2 to crash, leading to a denial of
  service. (CVE-2009-2416)

  USN-644-1 fixed a vulnerability in libxml2. This advisory provides the
  corresponding update for Ubuntu 9.04.

  Original advisory details:

  It was discovered that libxml2 did not correctly handle long entity
  names.
  If a user were tricked into processing a specially crafted XML document,
  a remote attacker could execute arbitrary code with user privileges or
  cause the application linked against libxml2 to crash, leading to a
  denial of service. (CVE-2008-3529)

  http://www.linuxsecurity.com/content/view/149731

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                 LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.

------------------------------------------------------------------------