+----------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | September 18th, 2009 Volume 10, Number 38 | | | | Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> | | Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> | +----------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, advisories were released for icu, openssl, rails, iceweasel, xulrunner, uginx, nagios2, devscripts, dovcot, kdesdk, kdegames, oxygen-icon-theme, kdepim, kdenetwork, kdeutils, kdeedu, ocaml-camlimages, puppet, firefox, ikiwiki, mozvoikko, hulahop, miro, kazehakase, yelp, ruby, epiphany, seahorse, chmsee, pcmanx, blam, galeon, perl, mugshot, znc, wireshark, irssi, horde, silc-toolkit, kvm, nss, htmldoc, freeradius, and openexr. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, and Ubuntu. --- >> Linux+DVD Magazine << In each issue you can find information concerning the best use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments. Catch up with what professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software are doing! http://www.linuxsecurity.com/ads/adclick.php?bannerid=26 --- Review: Googling Security: How Much Does Google Know About You -------------------------------------------------------------- If I ask "How much do you know about Google?" You may not take even a second to respond. But if I may ask "How much does Google know about you"? You may instantly reply "Wait... what!? Do they!?" The book "Googling Security: How Much Does Google Know About You" by Greg Conti (Computer Science Professor at West Point) is the first book to reveal how Google's vast information stockpiles could be used against you or your business and what you can do to protect yourself. http://www.linuxsecurity.com/content/view/145939 --- A Secure Nagios Server ---------------------- Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security. http://www.linuxsecurity.com/content/view/144088 --> Take advantage of the LinuxSecurity.com Quick Reference Card! <-- --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- ------------------------------------------------------------------------ * EnGarde Secure Community 3.0.22 Now Available! (Dec 9) ------------------------------------------------------ Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. http://www.linuxsecurity.com/content/view/145668 ------------------------------------------------------------------------ * Debian: New icu packages correct multibyte sequence parsing (Sep 16) -------------------------------------------------------------------- http://www.linuxsecurity.com/content/view/150146 * Debian: New openssl packages deprecate MD2 hash signatures (Sep 15) ------------------------------------------------------------------- http://www.linuxsecurity.com/content/view/150140 * Debian: New rails packages fix cross-site scripting (Sep 15) ------------------------------------------------------------ http://www.linuxsecurity.com/content/view/150135 * Debian: New iceweasel packages fix several vulnerabilities (Sep 14) ------------------------------------------------------------------- http://www.linuxsecurity.com/content/view/150071 * Debian: New xulrunner packages fix several vulnerabilities (Sep 14) ------------------------------------------------------------------- http://www.linuxsecurity.com/content/view/150070 * Debian: New nginx packages fix arbitrary code execution (Sep 14) ---------------------------------------------------------------- http://www.linuxsecurity.com/content/view/150069 * Debian: New nagios2 packages fix regression (Sep 14) ---------------------------------------------------- http://www.linuxsecurity.com/content/view/150068 * Debian: New devscripts packages fix regressions (Sep 11) -------------------------------------------------------- http://www.linuxsecurity.com/content/view/150004 * Debian: New nagios2 packages fix several cross-site scriptings (Sep 10) ----------------------------------------------------------------------- http://www.linuxsecurity.com/content/view/150001 ------------------------------------------------------------------------ * Fedora 10 Update: nginx-0.7.62-1.fc10 (Sep 15) ---------------------------------------------- http://www.linuxsecurity.com/content/view/150139 * Fedora 11 Update: nginx-0.7.62-1.fc11 (Sep 15) ---------------------------------------------- http://www.linuxsecurity.com/content/view/150138 * Fedora 10 Update: planet-2.0-10.fc10 (Sep 15) --------------------------------------------- security patch to sanitize content from rss feeds for javascript http://www.linuxsecurity.com/content/view/150130 * Fedora 11 Update: planet-2.0-10.fc11 (Sep 15) --------------------------------------------- Security update for sanitizing input from rss feeds. http://www.linuxsecurity.com/content/view/150129 * Fedora 10 Update: dovecot-1.1.18-2.fc10 (Sep 15) ------------------------------------------------ dovecot-sieve updated to 1.1.7 It is derived from CMU sieve used by cyrus- imapd and was affected by CVE-2009-2632 too. See upstream announcement for further details: http://dovecot.org/list/dovecot- news/2009-September/000135.html http://www.linuxsecurity.com/content/view/150128 * Fedora 10 Update: kdesdk-4.3.1-1.fc10 (Sep 15) ---------------------------------------------- This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150123 * Fedora 10 Update: kdetoys-4.3.1-1.fc10 (Sep 15) ----------------------------------------------- This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150124 * Fedora 10 Update: kdegames-4.3.1-4.fc10 (Sep 15) ------------------------------------------------ This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150125 * Fedora 10 Update: oxygen-icon-theme-4.3.1-1.fc10 (Sep 15) --------------------------------------------------------- This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150126 * Fedora 10 Update: kde-l10n-4.3.1-2.fc10 (Sep 15) ------------------------------------------------ This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150127 * Fedora 10 Update: kdelibs-experimental-4.3.1-1.fc10 (Sep 15) ------------------------------------------------------------ This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150116 * Fedora 10 Update: kdepim-4.3.1-1.fc10 (Sep 15) ---------------------------------------------- This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150117 * Fedora 10 Update: kdenetwork-4.3.1-1.fc10 (Sep 15) -------------------------------------------------- This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150118 * Fedora 10 Update: kdepim-runtime-4.3.1-1.fc10 (Sep 15) ------------------------------------------------------ This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150119 * Fedora 10 Update: kdeutils-4.3.1-1.fc10 (Sep 15) ------------------------------------------------ This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150120 * Fedora 10 Update: kdepimlibs-4.3.1-1.fc10 (Sep 15) -------------------------------------------------- This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150121 * Fedora 10 Update: kdeplasma-addons-4.3.1-1.fc10 (Sep 15) -------------------------------------------------------- This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150122 * Fedora 10 Update: kdeedu-4.3.1-1.fc10 (Sep 15) ---------------------------------------------- This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150111 * Fedora 10 Update: kdebindings-4.3.1-3.fc10 (Sep 15) --------------------------------------------------- This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150112 * Fedora 10 Update: kdegraphics-4.3.1-1.fc10 (Sep 15) --------------------------------------------------- This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150113 * Fedora 10 Update: kdelibs-4.3.1-3.fc10 (Sep 15) ----------------------------------------------- This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150114 * Fedora 10 Update: kdemultimedia-4.3.1-1.fc10 (Sep 15) ----------------------------------------------------- This updates KDE to 4.3.1, the latest upstream bugfix release. The main improvements are: * KDE 4.3 is now also available in Croatian. * A crash when editing toolbar setup has been fixed. * Support for transferring files through SSH using KIO::Fish has been fixed. * A number of bugs in KWin, KDE's window and compositing manager has been fixed. * A large number of bugs in KMail, KDE's email client are now gone. See http://kde.org/announcements/announce-4.3.1.php for more information. In addition, this update: * fixes a potential security issue (CVE-2009-2702) with certificate validation in the KIO KSSL code. It is believed that the affected code is not actually used (the code in Qt, for which a security update was already issued, is) and thus the issue is only potential, but KSSL is being patched just in case, * splits PolicyKit-kde out of kdebase-workspace again to avoid forcing it onto GNOME-based setups, where PolicyKit-gnome is desired instead (#519654). http://www.linuxsecurity.com/content/view/150115 * Fedora 10 Update: ocaml-camlimages-3.0.1-3.fc10.2 (Sep 11) ---------------------------------------------------------- http://www.linuxsecurity.com/content/view/150058 * Fedora 11 Update: puppet-0.24.8-4.fc11 (Sep 11) ----------------------------------------------- This update fixes a number of bugs in both the packaging and upstream source. See the package changelog and bug reports for complete details. http://www.linuxsecurity.com/content/view/150057 * Fedora 11 Update: xulrunner-1.9.1.3-1.fc11 (Sep 11) --------------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150054 * Fedora 11 Update: firefox-3.5.3-1.fc11 (Sep 11) ----------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150055 * Fedora 11 Update: ikiwiki-3.1415926-1.fc11 (Sep 11) --------------------------------------------------- Fix CVE-2009-2944, see bz 520543. http://www.linuxsecurity.com/content/view/150056 * Fedora 11 Update: gnome-python2-extras-2.25.3-7.fc11 (Sep 11) ------------------------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150044 * Fedora 11 Update: mozvoikko-0.9.7-0.7.rc1.fc11 (Sep 11) ------------------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150045 * Fedora 11 Update: evolution-rss-0.1.4-3.fc11 (Sep 11) ----------------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150046 * Fedora 11 Update: google-gadgets-0.11.0-5.fc11 (Sep 11) ------------------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150047 * Fedora 11 Update: hulahop-0.4.9-8.fc11 (Sep 11) ----------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150048 * Fedora 11 Update: Miro-2.5.2-4.fc11 (Sep 11) -------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150049 * Fedora 11 Update: perl-Gtk2-MozEmbed-0.08-6.fc11.5 (Sep 11) ----------------------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150050 * Fedora 11 Update: kazehakase-0.5.7-2.fc11 (Sep 11) -------------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150051 * Fedora 11 Update: yelp-2.26.0-7.fc11 (Sep 11) --------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150052 * Fedora 11 Update: ruby-gnome2-0.19.1-2.fc11 (Sep 11) ---------------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150053 * Fedora 11 Update: epiphany-extensions-2.26.1-6.fc11 (Sep 11) ------------------------------------------------------------ Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150034 * Fedora 11 Update: monodevelop-2.0-5.fc11 (Sep 11) ------------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150035 * Fedora 11 Update: eclipse-3.4.2-15.fc11 (Sep 11) ------------------------------------------------ Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150036 * Fedora 11 Update: epiphany-2.26.3-4.fc11 (Sep 11) ------------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150037 * Fedora 11 Update: seahorse-plugins-2.26.2-5.fc11 (Sep 11) --------------------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150038 * Fedora 11 Update: chmsee-1.0.1-11.fc11 (Sep 11) ----------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150039 * Fedora 11 Update: gnome-web-photo-0.7-6.fc11 (Sep 11) ----------------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150040 * Fedora 11 Update: pcmanx-gtk2-0.3.8-8.fc11 (Sep 11) --------------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150041 * Fedora 11 Update: blam-1.8.5-14.fc11 (Sep 11) --------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150042 * Fedora 11 Update: galeon-2.0.7-14.fc11 (Sep 11) ----------------------------------------------- Update to new upstream Firefox version 3.5.3, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox35.html#firefox3.5.3 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150043 * Fedora 10 Update: perl-Gtk2-MozEmbed-0.08-6.fc10.5 (Sep 11) ----------------------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150031 * Fedora 10 Update: firefox-3.0.14-1.fc10 (Sep 11) ------------------------------------------------ Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150032 * Fedora 10 Update: xulrunner-1.9.0.14-1.fc10 (Sep 11) ---------------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150033 * Fedora 10 Update: evolution-rss-0.1.4-3.fc10 (Sep 11) ----------------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150025 * Fedora 10 Update: kazehakase-0.5.6-4.fc10.6 (Sep 11) ---------------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150026 * Fedora 10 Update: pcmanx-gtk2-0.3.8-13.fc10 (Sep 11) ---------------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150027 * Fedora 10 Update: google-gadgets-0.10.5-10.fc10 (Sep 11) -------------------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150028 * Fedora 10 Update: yelp-2.24.0-13.fc10 (Sep 11) ---------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150029 * Fedora 10 Update: mugshot-1.2.2-13.fc10 (Sep 11) ------------------------------------------------ Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150030 * Fedora 10 Update: epiphany-2.24.3-10.fc10 (Sep 11) -------------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150016 * Fedora 10 Update: epiphany-extensions-2.24.3-5.fc10 (Sep 11) ------------------------------------------------------------ Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150017 * Fedora 10 Update: Miro-2.0.5-4.fc10 (Sep 11) -------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150018 * Fedora 10 Update: ruby-gnome2-0.19.1-2.fc10 (Sep 11) ---------------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150019 * Fedora 10 Update: blam-1.8.5-14.fc10 (Sep 11) --------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150020 * Fedora 10 Update: gnome-python2-extras-2.19.1-34.fc10 (Sep 11) -------------------------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150021 * Fedora 10 Update: gecko-sharp2-0.13-12.fc10 (Sep 11) ---------------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150022 * Fedora 10 Update: mozvoikko-0.9.5-14.fc10 (Sep 11) -------------------------------------------------- Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150023 * Fedora 10 Update: gnome-web-photo-0.3-22.fc10 (Sep 11) ------------------------------------------------------ Update to new upstream Firefox version 3.0.14, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known- vulnerabilities/firefox30.html#firefox3.0.14 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/150024 * Fedora 10 Update: puppet-0.24.8-4.fc10 (Sep 11) ----------------------------------------------- This update fixes a number of bugs in both the packaging and upstream source. See the package changelog and bug reports for complete details. http://www.linuxsecurity.com/content/view/150014 * Fedora 10 Update: ikiwiki-2.72-2.fc10 (Sep 11) ---------------------------------------------- Fix CVE-2009-2944, see bz 520543. http://www.linuxsecurity.com/content/view/150015 * Fedora 10 Update: postgresql-8.3.8-1.fc10 (Sep 11) -------------------------------------------------- Update to PostgreSQL 8.3.8, for various fixes described at http://www.postgresql.org/docs/8.3/static/release-8-3-8.html including three security issues http://www.linuxsecurity.com/content/view/150013 * Fedora 11 Update: postgresql-8.3.8-1.fc11 (Sep 11) -------------------------------------------------- Update to PostgreSQL 8.3.8, for various fixes described at http://www.postgresql.org/docs/8.3/static/release-8-3-8.html including three security issues http://www.linuxsecurity.com/content/view/150012 ------------------------------------------------------------------------ * Gentoo: ZNC Directory traversal (Sep 13) ---------------------------------------- =3D=3D=3D=3D=3D=3D=3D=3D A directory traversal was found in ZNC, allowing for overwriting of arbitrary files. http://www.linuxsecurity.com/content/view/150064 * Gentoo: Wireshark Denial of Service (Sep 13) -------------------------------------------- =3D=3D=3D=3D=3D=3D=3D=3D Multiple vulnerabilities have been discovered in Wireshark which allow for Denial of Service. http://www.linuxsecurity.com/content/view/150063 * Gentoo: Lynx Arbitrary command execution (Sep 12) ------------------------------------------------- =3D=3D=3D=3D=3D=3D=3D=3D An incomplete fix for an issue related to the Lynx URL handler might allow for the remote execution of arbitrary commands. http://www.linuxsecurity.com/content/view/150062 * Gentoo: HTMLDOC User-assisted execution of arbitrary (Sep 12) ------------------------------------------------------------- =3D=3D=3D=3D=3D=3D=3D=3D Multiple insecure calls to the sscanf() function in HTMLDOC might result in the execution of arbitrary code. http://www.linuxsecurity.com/content/view/150059 * Gentoo: irssi Execution of arbitrary code (Sep 12) -------------------------------------------------- =3D=3D=3D=3D=3D=3D=3D=3D A remotely exploitable off-by-one error leading to a heap overflow was found in irssi which might result in the execution of arbitrary code. http://www.linuxsecurity.com/content/view/150060 * Gentoo: Horde Multiple vulnerabilities (Sep 12) ----------------------------------------------- =3D=3D=3D=3D=3D=3D=3D=3D Multiple vulnerabilities have been discovered in Horde and two modules, allowing for the execution of arbitrary code, information disclosure, or Cross-Site Scripting. http://www.linuxsecurity.com/content/view/150061 ------------------------------------------------------------------------ * Mandriva: Subject: [Security Announce] [ MDVA-2009:161 ] silc-toolkit (Sep 18) ------------------------------------------------------------------------------ The silc-toolkit was linked in a wrong way, it depended on symbols no longer exported by libidn. This made it impossible to use the SILC protocol from pidgin. This update changes the linking to use the included IDN resolver instead of libidn. http://www.linuxsecurity.com/content/view/150152 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:235 ] silc-toolkit (Sep 15) ------------------------------------------------------------------------------- Multiple vulnerabilities was discovered and corrected in silc-toolkit: Multiple format string vulnerabilities in lib/silcclient/client_entry.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow remote attackers to execute arbitrary code via format string specifiers in a nickname field, related to the (1) silc_client_add_client, (2) silc_client_update_client, and (3) silc_client_nickname_format functions (CVE-2009-3051). Multiple format string vulnerabilities in lib/silcclient/command.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client 1.1.8 and earlier, allow remote attackers to execute arbitrary code via format string specifiers in a channel name, related to (1) silc_client_command_topic, (2) silc_client_command_kick, (3) silc_client_command_leave, and (4) silc_client_command_users (CVE-2009-3163). This update provides a solution to these vulnerabilities. http://www.linuxsecurity.com/content/view/150134 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:234-1 ] silc-toolkit (Sep 15) --------------------------------------------------------------------------------- Multiple vulnerabilities was discovered and corrected in silc-toolkit: Multiple format string vulnerabilities in lib/silcclient/client_entry.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow remote attackers to execute arbitrary code via format string specifiers in a nickname field, related to the (1) silc_client_add_client, (2) silc_client_update_client, and (3) silc_client_nickname_format functions (CVE-2009-3051). The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted OID value, related to incorrect use of a %lu format string (CVE-2008-7159). The silc_http_server_parse function in lib/silchttp/silchttpserver.c in the internal HTTP server in silcd in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.9 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted Content-Length header, related to incorrect use of a %lu format string (CVE-2008-7160). Multiple format string vulnerabilities in lib/silcclient/command.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client 1.1.8 and earlier, allow remote attackers to execute arbitrary code via format string specifiers in a channel name, related to (1) silc_client_command_topic, (2) silc_client_command_kick, (3) silc_client_command_leave, and (4) silc_client_command_users (CVE-2009-3163). This update provides a solution to these vulnerabilities. Update: Packages for MES5 was not provided previousely, this update addresses this problem. http://www.linuxsecurity.com/content/view/150133 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:234 ] silc-toolkit (Sep 15) ------------------------------------------------------------------------------- Multiple vulnerabilities was discovered and corrected in silc-toolkit: Multiple format string vulnerabilities in lib/silcclient/client_entry.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow remote attackers to execute arbitrary code via format string specifiers in a nickname field, related to the (1) silc_client_add_client, (2) silc_client_update_client, and (3) silc_client_nickname_format functions (CVE-2009-3051). The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted OID value, related to incorrect use of a %lu format string (CVE-2008-7159). The silc_http_server_parse function in lib/silchttp/silchttpserver.c in the internal HTTP server in silcd in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.9 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted Content-Length header, related to incorrect use of a %lu format string (CVE-2008-7160). Multiple format string vulnerabilities in lib/silcclient/command.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client 1.1.8 and earlier, allow remote attackers to execute arbitrary code via format string specifiers in a channel name, related to (1) silc_client_command_topic, (2) silc_client_command_kick, (3) silc_client_command_leave, and (4) silc_client_command_users (CVE-2009-3163). This update provides a solution to these vulnerabilities. http://www.linuxsecurity.com/content/view/150132 * Mandriva: Subject: [Security Announce] [ MDVA-2009:160 ] kvm (Sep 14) --------------------------------------------------------------------- The required symbolic link or binary /usr/bin/qemu-kvm was missing. The virtual machines generated with virt-manager is depending on it. http://www.linuxsecurity.com/content/view/150072 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:232 ] libsamplerate (Sep 11) -------------------------------------------------------------------------------- A security vulnerability has been identified and fixed in libsamplerate: Lev Givon discovered a buffer overflow in libsamplerate that could lead to a segfault with specially crafted python code. This problem has been fixed with libsamplerate-0.1.7 but older versions are affected. This update provides a solution to this vulnerability. http://www.linuxsecurity.com/content/view/150011 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:197-2 ] nss (Sep 11) ------------------------------------------------------------------------ Security issues in nss prior to 3.12.3 could lead to a man-in-the-middle attack via a spoofed X.509 certificate (CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also cause a denial-of-service and possible code execution via a long domain name in X.509 certificate (CVE-2009-2404). This update provides the latest versions of NSS and NSPR libraries which are not vulnerable to those attacks. Update: This update also provides fixed packages for Mandriva Linux 2008.1 and fixes mozilla-thunderbird error messages. http://www.linuxsecurity.com/content/view/150010 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:228 ] libneon (Sep 11) -------------------------------------------------------------------------- A vulnerability has been found and corrected in neon: neon before 0.28.6, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. (CVE-2009-2474) This update provides a solution to this vulnerability. http://www.linuxsecurity.com/content/view/150009 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:231 ] htmldoc (Sep 11) -------------------------------------------------------------------------- A security vulnerability has been identified and fixed in htmldoc: Buffer overflow in the set_page_size function in util.cxx in HTMLDOC 1.8.27 and earlier allows context-dependent attackers to execute arbitrary code via a long MEDIA SIZE comment. NOTE: it was later reported that there were additional vectors in htmllib.cxx and ps-pdf.cxx using an AFM font file with a long glyph name, but these vectors do not cross privilege boundaries (CVE-2009-3050). This update provides a solution to this vulnerability. http://www.linuxsecurity.com/content/view/150008 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:230 ] pidgin (Sep 11) ------------------------------------------------------------------------- Security vulnerabilities has been identified and fixed in pidgin: The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by sending multiple crafted SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary memory location. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1376 (CVE-2009-2694). Unspecified vulnerability in Pidgin 2.6.0 allows remote attackers to cause a denial of service (crash) via a link in a Yahoo IM (CVE-2009-3025) protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the require TLS/SSL preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions (CVE-2009-3026). libpurple/protocols/irc/msgs.c in the IRC protocol plugin in libpurple in Pidgin before 2.6.2 allows remote IRC servers to cause a denial of service (NULL pointer dereference and application crash) via a TOPIC message that lacks a topic string (CVE-2009-2703). The msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an SLP invite message that lacks certain required fields, as demonstrated by a malformed message from a KMess client (CVE-2009-3083). The msn_slp_process_msg function in libpurple/protocols/msn/slpcall.c in the MSN protocol plugin in libpurple 2.6.0 and 2.6.1, as used in Pidgin before 2.6.2, allows remote attackers to cause a denial of service (application crash) via a handwritten (aka Ink) message, related to an uninitialized variable and the incorrect UTF16-LE charset name (CVE-2009-3084). The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does not properly handle an error IQ stanza during an attempted fetch of a custom smiley, which allows remote attackers to cause a denial of service (application crash) via XHTML-IM content with cid: images (CVE-2009-3085). This update provides pidgin 2.6.2, which is not vulnerable to these issues. http://www.linuxsecurity.com/content/view/150007 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:229 ] cyrus-imapd (Sep 11) ------------------------------------------------------------------------------ A vulnerability has been found and corrected in cyrus-imapd: Buffer overflow in the SIEVE script component (sieve/script.c) in cyrus-imapd in Cyrus IMAP Server 2.2.13 and 2.3.14 allows local users to execute arbitrary code and read or modify arbitrary messages via a crafted SIEVE script, related to the incorrect use of the sizeof operator for determining buffer length, combined with an integer signedness error (CVE-2009-2632). This update provides a solution to this vulnerability. http://www.linuxsecurity.com/content/view/150006 * Mandriva: Subject: [Security Announce] [ MDVA-2009:159 ] hplip (Sep 10) ----------------------------------------------------------------------- This update resolves a runtime error with hplip found after the KDE4 updates and in conjunction with the newer python-qt4-gui package. This version upgrade provides hplip v3.9.2 that addresses this problem. http://www.linuxsecurity.com/content/view/150003 * Mandriva: Subject: [Security Announce] [ MDVSA-2009:226 ] freeradius (Sep 10) ----------------------------------------------------------------------------- A vulnerability has been found and corrected in freeradius: The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes. NOTE: this is a regression error related to CVE-2003-0967 (CVE-2009-3111). This update provides a solution to this vulnerability. http://www.linuxsecurity.com/content/view/150002 ------------------------------------------------------------------------ * RedHat: Moderate: freeradius security update (Sep 17) ----------------------------------------------------- Updated freeradius packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/150148 * RedHat: Important: kernel security and bug fix update (Sep 15) -------------------------------------------------------------- Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/150131 ------------------------------------------------------------------------ * Slackware: mozilla-firefox (Sep 14) ------------------------------------- New mozilla-firefox packages are available for Slackware 12.2, 13.0, and -current to fix security issues. The Firefox 3.0.14 package may also be used with Slackware 11.0 or newer. More details about the issues may be found on the Mozilla website: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html http://www.mozilla.org/security/known-vulnerabilities/firefox35.html http://www.linuxsecurity.com/content/view/150065 ------------------------------------------------------------------------ * Ubuntu: FreeRADIUS vulnerability (Sep 16) ------------------------------------------ It was discovered that FreeRADIUS did not correctly handle certain malformed attributes. A remote attacker could exploit this flaw and cause the FreeRADIUS server to crash, resulting in a denial of service. http://www.linuxsecurity.com/content/view/150147 * Ubuntu: OpenSSL vulnerability (Sep 14) --------------------------------------- Dan Kaminsky discovered OpenSSL would still accept certificates with MD2 hash signatures. As a result, an attacker could potentially create a malicious trusted certificate to impersonate another site. This update handles this issue by completely disabling MD2 for certificate validation. http://www.linuxsecurity.com/content/view/150073 * Ubuntu: OpenEXR vulnerabilities (Sep 14) ----------------------------------------- Drew Yao discovered several flaws in the way OpenEXR handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-1720, CVE-2009-1721) It was discovered that OpenEXR did not properly handle certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 8.04 LTS. (CVE-2009-1722) http://www.linuxsecurity.com/content/view/150074 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------
