+----------------------------------------------------------------------+
|  LinuxSecurity.com                            Linux Advisory Watch  |
|  March 20th, 2010                              Volume 11, Number 12  |
|                                                                      |
|  Editorial Team:  Dave Wreski           <dwreski@xxxxxxxxxxxxxxxxx>  |
|                   Benjamin D. Thomas    <bthomas@xxxxxxxxxxxxxxxxx>  |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary
of each week's vendor security bulletins and pointers on methods to
improve the security posture of your open source system. Vulnerabilities
affect nearly every vendor virtually every week, so be sure to read
through to find the updates your distributor has made available.

Vulnerabilities in Web Applications
-----------------------------------

This paper aims to raise awareness by discussing common vulnerabilities
and mistakes in web application development. It also considers
mitigating factors, strategies and corrective measures.

http://www.linuxsecurity.com/content/view/118427

A Secure Nagios Server
----------------------

This article will not show you how to install Nagios, since plenty of
guides already cover that; instead it shows you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf  <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
  ----------------------------------------------

  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.
  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2020-1: ikiwiki: insufficient input sanitization (Mar 20)
  -----------------------------------------------------------------
  Ivan Shmakov discovered that the htmlscrubber component of ikiwiki, a
  wiki compiler, performs insufficient input sanitization on
  data:image/svg+xml URIs. As these can contain script code, this can
  be used by an attacker to conduct cross-site scripting attacks.
  [More...]

  http://www.linuxsecurity.com/content/view/151947

* Debian: 2019-1: pango1.0: missing input sanitization (Mar 20)
  -------------------------------------------------------------
  Marc Schoenefeld discovered an improper input sanitization in Pango,
  a library for layout and rendering of text, leading to an array
  indexing error. If a local user was tricked into loading a
  specially-crafted font file in an [More...]

  http://www.linuxsecurity.com/content/view/151946

* Debian: 2018-1: php5: DoS (crash) (Mar 18)
  ------------------------------------------
  Auke van Slooten discovered that PHP 5, a hypertext preprocessor,
  crashes (because of a NULL pointer dereference) when processing
  invalid XML-RPC requests. [More...]

  http://www.linuxsecurity.com/content/view/151937

* Debian: : drbd8: privilege escalation (Mar 15)
  ----------------------------------------------
  A local vulnerability has been discovered in drbd8. Philipp Reisner
  fixed an issue in the drbd kernel module that allows local users to
  send netlink packets to perform actions that should be [More...]

  http://www.linuxsecurity.com/content/view/151906

* Debian: 2017-1: pulseaudio: insecure temporary directory (Mar 15)
  -----------------------------------------------------------------
  Dan Rosenberg discovered that the PulseAudio sound server creates a
  temporary directory with a predictable name.
  This allows a local attacker to create a Denial of Service condition
  or possibly disclose sensitive information to unprivileged users.
  [More...]

  http://www.linuxsecurity.com/content/view/151900

* Debian: 2016-1: drupal6: Multiple vulnerabilities (Mar 13)
  ----------------------------------------------------------
  Several vulnerabilities (SA-CORE-2010-001) have been discovered in
  drupal6, a fully-featured content management framework. [More...]

  http://www.linuxsecurity.com/content/view/151895

* Debian: 2014-1: moin: Multiple vulnerabilities (Mar 12)
  -------------------------------------------------------
  Several vulnerabilities have been discovered in moin, a python clone
  of WikiWiki. The Common Vulnerabilities and Exposures project
  identifies the following problems: [More...]

  http://www.linuxsecurity.com/content/view/151888

------------------------------------------------------------------------

* Mandriva: 2010:062: curl (Mar 19)
  ---------------------------------
  A vulnerability has been found and corrected in curl:
  content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is
  enabled, does not properly restrict the amount of callback data sent
  to an application that requests automatic decompression, which might
  [More...]

  http://www.linuxsecurity.com/content/view/151945

------------------------------------------------------------------------

* Red Hat: 2010:0155-01: java-1.4.2-ibm: Moderate Advisory (Mar 17)
  -----------------------------------------------------------------
  Updated java-1.4.2-ibm packages that fix one security issue and a bug
  are now available for Red Hat Enterprise Linux 3 Extras, Red Hat
  Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5
  Supplementary. [More...]
  http://www.linuxsecurity.com/content/view/151928

* Red Hat: 2010:0154-02: thunderbird: Moderate Advisory (Mar 17)
  --------------------------------------------------------------
  An updated thunderbird package that fixes several security issues is
  now available for Red Hat Enterprise Linux 4. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/151927

* Red Hat: 2010:0153-02: thunderbird: Moderate Advisory (Mar 17)
  --------------------------------------------------------------
  An updated thunderbird package that fixes several security issues is
  now available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/151926

* Red Hat: 2010:0149-01: kernel: Important Advisory (Mar 17)
  ----------------------------------------------------------
  Updated kernel packages that fix three security issues and multiple
  bugs are now available for Red Hat Enterprise Linux 5.3 Extended
  Update Support. The Red Hat Security Response Team has rated this
  update as having [More...]

  http://www.linuxsecurity.com/content/view/151920

* Red Hat: 2010:0148-01: kernel: Important Advisory (Mar 17)
  ----------------------------------------------------------
  Updated kernel packages that fix two security issues and several bugs
  are now available for Red Hat Enterprise Linux 5.2 Extended Update
  Support. The Red Hat Security Response Team has rated this update as
  having [More...]

  http://www.linuxsecurity.com/content/view/151919

* Red Hat: 2010:0147-01: kernel: Important Advisory (Mar 16)
  ----------------------------------------------------------
  Updated kernel packages that fix multiple security issues and several
  bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
  Security Response Team has rated this update as having [More...]
  http://www.linuxsecurity.com/content/view/151918

* Red Hat: 2010:0146-01: kernel: Important Advisory (Mar 16)
  ----------------------------------------------------------
  Updated kernel packages that fix multiple security issues and several
  bugs are now available for Red Hat Enterprise Linux 4. The Red Hat
  Security Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/151917

* Red Hat: 2010:0145-01: cpio: Moderate Advisory (Mar 15)
  -------------------------------------------------------
  An updated cpio package that fixes two security issues is now
  available for Red Hat Enterprise Linux 3. This update has been rated
  as having moderate security impact by the Red [More...]

  http://www.linuxsecurity.com/content/view/151907

* Red Hat: 2010:0144-01: cpio: Moderate Advisory (Mar 15)
  -------------------------------------------------------
  An updated cpio package that fixes two security issues is now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red [More...]

  http://www.linuxsecurity.com/content/view/151905

* Red Hat: 2010:0142-01: tar: Moderate Advisory (Mar 15)
  ------------------------------------------------------
  An updated tar package that fixes one security issue is now available
  for Red Hat Enterprise Linux 3. This update has been rated as having
  moderate security impact by the Red [More...]

  http://www.linuxsecurity.com/content/view/151904

* Red Hat: 2010:0141-01: tar: Moderate Advisory (Mar 15)
  ------------------------------------------------------
  An updated tar package that fixes two security issues is now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having moderate security impact by the Red [More...]
  http://www.linuxsecurity.com/content/view/151903

* Red Hat: 2010:0143-01: cpio: Moderate Advisory (Mar 15)
  -------------------------------------------------------
  An updated cpio package that fixes one security issue is now
  available for Red Hat Enterprise Linux 4. This update has been rated
  as having moderate security impact by the Red [More...]

  http://www.linuxsecurity.com/content/view/151902

* Red Hat: 2010:0140-01: pango: Moderate Advisory (Mar 15)
  --------------------------------------------------------
  Updated pango and evolution28-pango packages that fix one security
  issue are now available for Red Hat Enterprise Linux 3, 4, and 5.
  This update has been rated as having moderate security impact by the
  Red [More...]

  http://www.linuxsecurity.com/content/view/151901

------------------------------------------------------------------------

* SuSE: 2010-017: OpenOffice.org (Mar 16)
  ---------------------------------------
  This update of OpenOffice_org includes fixes for the following
  vulnerabilities:
  - CVE-2009-0217: XML signature weakness
  - CVE-2009-2949: XPM Import Integer Overflow
  - CVE-2009-2950: GIF Import Heap Overflow
  [More...]

  http://www.linuxsecurity.com/content/view/151908

* SuSE: Weekly Summary 2010:006 (Mar 15)
  --------------------------------------
  To avoid flooding mailing lists with SUSE Security Announcements for
  minor issues, SUSE Security releases weekly summary reports for the
  low profile vulnerability fixes. The SUSE Security Summary Reports do
  not list or download URLs like the SUSE Security Announcements that
  are released for more severe vulnerabilities.

  http://www.linuxsecurity.com/content/view/151897

------------------------------------------------------------------------

* Ubuntu: 914-1: Linux kernel vulnerabilities (Mar 16)
  ----------------------------------------------------
  Mathias Krause discovered that the Linux kernel did not correctly
  handle missing ELF interpreters.
  A local attacker could exploit this to cause the system to crash,
  leading to a denial of service. (CVE-2010-0307) [More...]

  http://www.linuxsecurity.com/content/view/151916

* Ubuntu: 912-1: Audio File Library vulnerability (Mar 16)
  --------------------------------------------------------
  It was discovered that Audio File Library contained a heap-based
  buffer overflow. If a user or automated system processed a crafted
  WAV file, an attacker could cause a denial of service via application
  crash, or possibly execute arbitrary code with the privileges of the
  user invoking the program. The default compiler options for Ubuntu
  should reduce this [More...]

  http://www.linuxsecurity.com/content/view/151909

* Ubuntu: 913-1: libpng vulnerabilities (Mar 16)
  ----------------------------------------------
  It was discovered that libpng did not properly initialize memory when
  decoding certain 1-bit interlaced images. If a user or automated
  system were tricked into processing crafted PNG images, an attacker
  could possibly use this flaw to read sensitive information stored in
  memory. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and
  9.04. (CVE-2009-2042) [More...]

  http://www.linuxsecurity.com/content/view/151910

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.

------------------------------------------------------------------------
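Worked example (editor's addition): allowlisting URI schemes
------------------------------------------------------------

The ikiwiki advisory in this issue turns on one point: a scrubber that
blocks javascript: URIs but waves data: URIs through still admits
script, because an SVG document delivered as data:image/svg+xml is XML
and can carry <script> elements and event handlers. The Python below is
added by the editor of this archived copy; it is not code from ikiwiki,
from the Debian advisory, or from this newsletter. It puts a denylist
check of the insufficient kind beside an allowlist that accepts
relative links, a few schemes, and data: only for raster image types.
The sample attribute values are constructed here and every function
and constant name is the editor's.

```python
import html
import re

# Schemes a wiki page may link to or embed from; anything else is dropped.
# (Editor's choice for the example, not ikiwiki's list.)
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}
# data: URIs are allowed only for raster image types that cannot carry
# script. image/svg+xml is deliberately absent: SVG is XML and may contain
# <script> and event handlers such as onload.
SAFE_DATA_TYPES = {"image/png", "image/jpeg", "image/gif"}

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def weak_is_safe_url(value):
    """Denylist check of the kind the advisory calls insufficient.

    It stops a literal "javascript:" prefix and nothing else, so data: URIs,
    entity-encoded schemes and schemes split by control characters all pass.
    """
    return not value.strip().lower().startswith("javascript:")


def _canonical(value):
    """Reduce an attribute value to what a browser would actually act on."""
    v = html.unescape(value)            # "&#106;avascript:" -> "javascript:"
    v = re.sub(r"[\x00-\x20]", "", v)   # browsers skip tabs/newlines in a scheme
    return v


def is_safe_url(value):
    """Allowlist check: relative URLs, listed schemes, and safe data: types."""
    v = _canonical(value)
    m = _SCHEME_RE.match(v)
    if m is None:
        return True                     # no scheme at all: a relative link
    scheme = m.group(1).lower()
    if scheme in SAFE_SCHEMES:
        return True
    if scheme == "data":
        # data:[<mediatype>][;base64],<payload>  -- decide on the media type only
        header = v.split(":", 1)[1].split(",", 1)[0]
        mediatype = header.split(";", 1)[0].strip().lower() or "text/plain"
        return mediatype in SAFE_DATA_TYPES
    return False


# Constructed sample href/src values for the comparison (not taken from the
# advisory or from any real wiki page).
SAMPLES = [
    "https://example.org/page",
    "/wiki/Page",
    "javascript:alert(1)",
    "JaVa\tscript:alert(1)",
    "&#106;avascript:alert(1)",
    "data:image/png;base64,iVBORw0KGgo=",
    "data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'/>",
    "data:text/html,<script>alert(1)</script>",
]


def compare(samples=SAMPLES):
    """Return {value: (denylist_verdict, allowlist_verdict)} for each sample."""
    return {s: (weak_is_safe_url(s), is_safe_url(s)) for s in samples}


if __name__ == "__main__":
    for value, (weak, strict) in compare().items():
        print(f"denylist={'pass' if weak else 'drop'}  "
              f"allowlist={'pass' if strict else 'drop'}  {value!r}")
```

Run as a script it prints one line per sample; the rows where the
denylist passes and the allowlist drops are the SVG data: URI, the
text/html data: URI, the entity-encoded scheme and the tab-split
scheme. Normalising before the scheme check matters as much as the
allowlist itself: a check that inspects the raw attribute text can be
bypassed by whatever decoding the browser performs afterwards.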
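Worked example (editor's addition): bounding automatic decompression
--------------------------------------------------------------------

The Mandriva curl advisory in this issue describes a decompression path
that does not restrict how much inflated data it hands to the caller's
callback. The Python below is added by the editor of this archived
copy; it is not derived from libcurl's content_encoding.c and is not
part of the newsletter. It shows the general shape of the fix for any
inflate-to-callback design: pull output from the decompressor in
bounded steps, feed the unconsumed input back, and abort as soon as the
total exceeds a limit the caller chose, rather than inflating first and
measuring afterwards. The compressed sample streams are constructed in
the block, and the limit, class and function names are the editor's.

```python
import zlib

# Upper bound on inflated output the caller is willing to receive. This is
# an assumption for the example; a real client would size it from its own
# memory budget or from a trusted Content-Length.
MAX_INFLATED = 64 * 1024


class DecompressionLimit(Exception):
    """Raised when inflated output would exceed the caller's bound."""


def inflate_bounded(data, limit=MAX_INFLATED, chunk=16 * 1024):
    """Inflate a zlib stream, never producing more than `limit` bytes.

    Each decompress() call is capped at `chunk` bytes of output and the
    input it did not consume is fed back in, so the bound is enforced while
    the stream is still being read, not after an oversized buffer exists.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, chunk)   # at most `chunk` bytes back
        pending = d.unconsumed_tail            # input zlib has not seen yet
        out += piece
        if len(out) > limit:
            consumed = len(data) - len(pending)
            raise DecompressionLimit(
                f"inflated output exceeded {limit} bytes "
                f"after {consumed} compressed bytes")
        if not piece and not pending and not d.eof:
            # Input exhausted with no end-of-stream marker: truncated data.
            raise zlib.error("compressed stream ended prematurely")
    return bytes(out)


# Constructed samples: 1 MiB of zeros deflates to roughly 1 KiB, the same
# shape as a tiny Content-Encoding: deflate body that expands enormously.
BOMB = zlib.compress(b"\x00" * (1 << 20))
SMALL = zlib.compress(b"hello, world\n" * 100)


def inflate_unbounded_size(data):
    """Bytes an unbounded decompressor hands back for `data` (the old path)."""
    return len(zlib.decompress(data))


def bounded_result(data, limit=MAX_INFLATED):
    """Return ('ok', nbytes) or ('rejected', message) for `data`."""
    try:
        return "ok", len(inflate_bounded(data, limit))
    except DecompressionLimit as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print("on the wire:       ", len(BOMB), "bytes")
    print("unbounded inflate: ", inflate_unbounded_size(BOMB), "bytes")
    print("bounded inflate:   ", bounded_result(BOMB))
    print("small stream:      ", bounded_result(SMALL))
```

The point of the loop is where the check sits: because `decompress()`
is asked for at most `chunk` bytes at a time, the caller never holds
more than `limit + chunk` bytes of inflated data even when the input is
a few hundred bytes that expand a thousandfold. Checking
`len(zlib.decompress(data))` against the limit would find the same
answer, but only after the whole expansion has already been allocated.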