+----------------------------------------------------------------------+
|  LinuxSecurity.com                          Linux Advisory Watch     |
|  April 2nd, 2010                            Volume 11, Number 14     |
|                                                                      |
|  Editorial Team:  Dave Wreski          <dwreski@xxxxxxxxxxxxxxxxx>   |
|                   Benjamin D. Thomas   <bthomas@xxxxxxxxxxxxxxxxx>   |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary
of each week's vendor security bulletins and pointers on methods to
improve the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.

Vulnerabilities in Web Applications
-----------------------------------

This paper aims to raise awareness by discussing common vulnerabilities
and mistakes in web application development. It also considers
mitigating factors, strategies and corrective measures.

http://www.linuxsecurity.com/content/view/118427

A Secure Nagios Server
----------------------

This article will not show you how to install Nagios, since there are
plenty of guides for that out there, but it will show you in detail
ways to improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
  ----------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.
  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2026-1: netpbm-free: stack-based buffer overflow (Apr 2)
  ----------------------------------------------------------------
  Marc Schoenefeld discovered a stack-based buffer overflow in the XPM
  reader implementation in netpbm-free, a suite of image manipulation
  utilities. An attacker could cause a denial of service (application
  crash) or possibly [More...]

  http://www.linuxsecurity.com/content/view/152063

* Debian: 2025-1: icedove: several vulnerabilities (Mar 31)
  ---------------------------------------------------------
  Several remote vulnerabilities have been discovered in the Icedove
  mail client, an unbranded version of the Thunderbird mail client. The
  Common Vulnerabilities and Exposures project identifies the following
  problems: [More...]

  http://www.linuxsecurity.com/content/view/152041

* Debian: 2024-1: moin: insufficient input sanitisi (Mar 31)
  ----------------------------------------------------------
  Jamie Strandboge discovered that moin, a python clone of WikiWiki,
  does not sufficiently sanitize the page name in "Despam" action,
  allowing remote attackers to perform cross-site scripting (XSS)
  attacks. [More...]

  http://www.linuxsecurity.com/content/view/152040

* Debian: 2023-1: curl: buffer overflow (Mar 27)
  ----------------------------------------------
  Wesley Miaw discovered that libcurl, a multi-protocol file transfer
  library, is prone to a buffer overflow via the callback function when
  an application relies on libcurl to automatically uncompress data.
  Note that this only affects applications that trust libcurl's maximum
  limit [More...]
  http://www.linuxsecurity.com/content/view/152006

------------------------------------------------------------------------

* Mandriva: 2010:068: php (Mar 27)
  --------------------------------
  A vulnerability has been found and corrected in php: The xmlrpc
  extension in PHP 5.3.1 does not properly handle a missing methodName
  element in the first argument to the xmlrpc_decode_request function,
  which allows context-dependent attackers to cause a denial of
  [More...]

  http://www.linuxsecurity.com/content/view/152005

* Mandriva: 2010:067: kernel (Mar 25)
  -----------------------------------
  This update provides a fix to the correction of CVE-2010-0307, which
  resulted in crashes when running i586 applications on x86_64. To
  update your kernel, please follow the directions located at:
  [More...]

  http://www.linuxsecurity.com/content/view/151996

------------------------------------------------------------------------

* Red Hat: 2010:0339-01: java-1.6.0-openjdk: Important Advisory (Mar 31)
  ----------------------------------------------------------------------
  Updated java-1.6.0-openjdk packages that fix several security issues
  are now available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/152058

* Red Hat: 2010:0337-01: java-1.6.0-sun: Critical Advisory (Mar 31)
  -----------------------------------------------------------------
  Updated java-1.6.0-sun packages that correct several security issues
  are now available for Red Hat Enterprise Linux 4 Extras and 5
  Supplementary. The Red Hat Security Response Team has rated this
  update as having critical [More...]

  http://www.linuxsecurity.com/content/view/152057

* Red Hat: 2010:0338-01: java-1.5.0-sun: Critical Advisory (Mar 31)
  -----------------------------------------------------------------
  The java-1.5.0-sun packages as shipped in Red Hat Enterprise Linux 4
  Extras and 5 Supplementary contain security flaws and should not be
  used.
  The Red Hat Security Response Team has rated this update as having
  critical [More...]

  http://www.linuxsecurity.com/content/view/152056

* Red Hat: 2010:0332-01: firefox: Critical Advisory (Mar 30)
  ----------------------------------------------------------
  Updated firefox packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security
  Response Team has rated this update as having critical [More...]

  http://www.linuxsecurity.com/content/view/152039

* Red Hat: 2010:0333-01: seamonkey: Critical Advisory (Mar 30)
  ------------------------------------------------------------
  Updated seamonkey packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security
  Response Team has rated this update as having critical [More...]

  http://www.linuxsecurity.com/content/view/152038

* Red Hat: 2010:0330-01: GFS: Moderate Advisory (Mar 30)
  ------------------------------------------------------
  Updated GFS packages that fix one security issue are now available
  for Red Hat Enterprise Linux 3.9, kernel release 2.4.21-63.EL. The
  Red Hat Security Response Team has rated this update as having
  moderate [More...]

  http://www.linuxsecurity.com/content/view/152036

* Red Hat: 2010:0331-01: GFS-kernel: Moderate Advisory (Mar 30)
  -------------------------------------------------------------
  Updated GFS-kernel packages that fix one security issue are now
  available for Red Hat Enterprise Linux 4.8, kernel release
  2.6.9-89.0.20.EL. The Red Hat Security Response Team has rated this
  update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/152037

* Red Hat: 2010:0329-01: curl: Moderate Advisory (Mar 30)
  -------------------------------------------------------
  Updated curl packages that fix one security issue are now available
  for Red Hat Enterprise Linux 3 and 4. The Red Hat Security Response
  Team has rated this update as having moderate [More...]
  http://www.linuxsecurity.com/content/view/152034

* Red Hat: 2010:0321-04: automake: Low Advisory (Mar 30)
  ------------------------------------------------------
  Updated automake, automake14, automake15, automake16, and automake17
  packages that fix one security issue are now available for Red Hat
  Enterprise Linux 5. [More...]

  http://www.linuxsecurity.com/content/view/152035

* Red Hat: 2010:0291-04: gfs-kmod: Moderate Advisory (Mar 30)
  -----------------------------------------------------------
  Updated gfs-kmod packages that fix one security issue, numerous bugs,
  and add one enhancement are now available for Red Hat Enterprise
  Linux 5.5, kernel release 2.6.18-194.el5. [More...]

  http://www.linuxsecurity.com/content/view/152033

* Red Hat: 2010:0273-05: curl: Moderate Advisory (Mar 30)
  -------------------------------------------------------
  Updated curl packages that fix one security issue, various bugs, and
  add enhancements are now available for Red Hat Enterprise Linux 5.
  The Red Hat Security Response Team has rated this update as having
  moderate [More...]

  http://www.linuxsecurity.com/content/view/152032

* Red Hat: 2010:0271-04: kvm: Important Advisory (Mar 30)
  -------------------------------------------------------
  Updated kvm packages that fix one security issue, multiple bugs, and
  add enhancements are now available for Red Hat Enterprise Linux 5.
  The Red Hat Security Response Team has rated this update as having
  [More...]

  http://www.linuxsecurity.com/content/view/152031

* Red Hat: 2010:0181-05: brltty: Low Advisory (Mar 30)
  ----------------------------------------------------
  Updated brltty packages that fix one security issue and several bugs
  are now available for Red Hat Enterprise Linux 5. The Red Hat
  Security Response Team has rated this update as having low [More...]
  http://www.linuxsecurity.com/content/view/152030

* Red Hat: 2010:0258-04: pam_krb5: Low Advisory (Mar 30)
  ------------------------------------------------------
  Updated pam_krb5 packages that fix one security issue and various
  bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
  Security Response Team has rated this update as having low [More...]

  http://www.linuxsecurity.com/content/view/152029

* Red Hat: 2010:0237-05: sendmail: Low Advisory (Mar 30)
  ------------------------------------------------------
  Updated sendmail packages that fix two security issues and several
  bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
  Security Response Team has rated this update as having low [More...]

  http://www.linuxsecurity.com/content/view/152028

* Red Hat: 2010:0198-04: openldap: Moderate Advisory (Mar 30)
  -----------------------------------------------------------
  Updated openldap packages that fix one security issue and several
  bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
  Security Response Team has rated this update as having moderate
  [More...]

  http://www.linuxsecurity.com/content/view/152027

* Red Hat: 2010:0221-04: squid: Low Advisory (Mar 30)
  ---------------------------------------------------
  An updated squid package that fixes two security issues and several
  bugs is now available for Red Hat Enterprise Linux 5. The Red Hat
  Security Response Team has rated this update as having low [More...]

  http://www.linuxsecurity.com/content/view/152026

* Red Hat: 2010:0175-01: httpd: Low Advisory (Mar 25)
  ---------------------------------------------------
  Updated httpd packages that fix one security issue, a bug, and add an
  enhancement are now available for Red Hat Enterprise Linux 4. The Red
  Hat Security Response Team has rated this update as having low
  [More...]
  http://www.linuxsecurity.com/content/view/151995

* Red Hat: 2010:0168-01: httpd: Moderate Advisory (Mar 25)
  --------------------------------------------------------
  Updated httpd packages that fix two security issues and add an
  enhancement are now available for Red Hat Enterprise Linux 5. The Red
  Hat Security Response Team has rated this update as having moderate
  [More...]

  http://www.linuxsecurity.com/content/view/151985

* Red Hat: 2010:0167-01: gnutls: Moderate Advisory (Mar 25)
  ---------------------------------------------------------
  Updated gnutls packages that fix two security issues are now
  available for Red Hat Enterprise Linux 4. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/151984

* Red Hat: 2010:0164-01: openssl097a: Moderate Advisory (Mar 25)
  --------------------------------------------------------------
  Updated openssl097a packages that fix a security issue are now
  available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/151982

* Red Hat: 2010:0173-02: openssl096b: Important Advisory (Mar 25)
  ---------------------------------------------------------------
  Updated openssl096b packages that fix one security issue are now
  available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/151983

* Red Hat: 2010:0165-01: nss: Moderate Advisory (Mar 25)
  ------------------------------------------------------
  Updated nss packages that fix a security issue are now available for
  Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team
  has rated this update as having moderate [More...]
  http://www.linuxsecurity.com/content/view/151981

* Red Hat: 2010:0163-01: openssl: Moderate Advisory (Mar 25)
  ----------------------------------------------------------
  Updated openssl packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/151979

* Red Hat: 2010:0162-01: openssl: Important Advisory (Mar 25)
  -----------------------------------------------------------
  Updated openssl packages that fix several security issues are now
  available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/151980

* Red Hat: 2010:0166-01: gnutls: Moderate Advisory (Mar 25)
  ---------------------------------------------------------
  Updated gnutls packages that fix two security issues are now
  available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/151978

------------------------------------------------------------------------

* Slackware: 2010-090-03: seamonkey: Security Update (Mar 31)
  -----------------------------------------------------------
  New seamonkey packages are available for Slackware 11.0, 12.0, and
  12.1 to fix security issues. For more information, see:
  [More Info...]

  http://www.linuxsecurity.com/content/view/152053

* Slackware: 2010-090-01: openssl: Security Update (Mar 31)
  ---------------------------------------------------------
  New openssl packages are available for Slackware 11.0, 12.0, 12.1,
  12.2, 13.0, and -current to fix security issues. More details about
  the issues may be found in the Common Vulnerabilities and Exposures
  (CVE) database: A recompiled proftpd package is required if you run
  ProFTPD. [More Info...]
  http://www.linuxsecurity.com/content/view/152054

* Slackware: 2010-090-02: mozilla-firefox: Security Update (Mar 31)
  -----------------------------------------------------------------
  New mozilla-firefox packages are available for Slackware 13.0 and
  -current to fix security issues. More details about the issues may be
  found on the Mozilla website: [More Info...]

  http://www.linuxsecurity.com/content/view/152055

------------------------------------------------------------------------

* SuSE: Weekly Summary 2010:007 (Mar 30)
  --------------------------------------
  To avoid flooding mailing lists with SUSE Security Announcements for
  minor issues, SUSE Security releases weekly summary reports for the
  low profile vulnerability fixes. The SUSE Security Summary Reports do
  not list or download URLs like the SUSE Security Announcements that
  are released for more severe vulnerabilities. The list of
  vulnerabilities in this summary includes: cifs-mount/samba,
  compiz-fusion-plugins-main, cron, cups, ethereal/wireshark, krb5,
  mysql, pulseaudio, squid/squid3, viewvc.

  http://www.linuxsecurity.com/content/view/152020

* SuSE: 2010-019: Linux kernel (Mar 30)
  -------------------------------------
  This update fixes lots of bugs and some security issues in the SUSE
  Linux Enterprise 10 SP 3 kernel. CVE-2009-4020: Stack-based buffer
  overflow in the hfs subsystem in the Linux kernel allows remote
  attackers to have an unspecified impact via a crafted Hierarchical
  File System (HFS) filesystem, related to [More...]

  http://www.linuxsecurity.com/content/view/152019

------------------------------------------------------------------------

* Pardus: 2010-42: tar/cpio: Buffer Overflow (Mar 29)
  ---------------------------------------------------
  A vulnerability has been fixed in GNU tar, which can potentially be
  exploited by malicious people to compromise a vulnerable system.
  http://www.linuxsecurity.com/content/view/152014

* Pardus: 2010-43: Curl: Excessive Data Length in (Mar 29)
  --------------------------------------------------------
  A security issue has been fixed in cURL / libcURL, which can
  potentially be exploited by malicious people to cause a DoS (Denial
  of Service) or compromise an application using the library.

  http://www.linuxsecurity.com/content/view/152015

* Pardus: 2010-45: Apache: Multiple Vulnerabilities (Mar 29)
  ----------------------------------------------------------
  Multiple vulnerabilities have been fixed in Apache, where one has
  unknown impacts and others can be exploited by malicious people to
  gain access to potentially sensitive information or cause a DoS
  (Denial of Service).

  http://www.linuxsecurity.com/content/view/152010

* Pardus: 2010-44: Php: Multiple Vulnerabilities (Mar 29)
  -------------------------------------------------------
  Multiple vulnerabilities have been fixed in PHP, which can be
  exploited by malicious users to bypass certain security restrictions.

  http://www.linuxsecurity.com/content/view/152011

* Pardus: 2010-41: Libpng: Denial of Service (Mar 29)
  ---------------------------------------------------
  A vulnerability has been reported in libpng, which can be exploited
  by malicious people to cause a DoS (Denial of Service).

  http://www.linuxsecurity.com/content/view/152012

* Pardus: 2010-40: Pango: Denial of Service (Mar 29)
  --------------------------------------------------
  A vulnerability was fixed in Pango, which can allow remote or local
  users to cause denial of service conditions.

  http://www.linuxsecurity.com/content/view/152013

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.

------------------------------------------------------------------------