+----------------------------------------------------------------------+
|  LinuxSecurity.com                            Linux Advisory Watch   |
|  April 10th, 2010                             Volume 11, Number 15   |
|                                                                      |
|  Editorial Team:  Dave Wreski            <dwreski@xxxxxxxxxxxxxxxxx> |
|                   Benjamin D. Thomas     <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary
of each week's vendor security bulletins and pointers on methods to
improve the security posture of your open source system. Vulnerabilities
affect nearly every vendor virtually every week, so be sure to read
through to find the updates your distributor has made available.

Vulnerabilities in Web Applications
-----------------------------------

This paper aims to raise awareness by discussing common vulnerabilities
and mistakes in web application development. It also considers
mitigating factors, strategies and corrective measures.

http://www.linuxsecurity.com/content/view/118427

A Secure Nagios Server
----------------------

This article will not show you how to install Nagios, since there are
tons of such guides out there, but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
  ----------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.
  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2030-1: mahara: sql injection (Apr 6)
  ---------------------------------------------
  It was discovered that mahara, an electronic portfolio, weblog, and
  resume builder, is not properly escaping input when generating a
  unique username based on a remote user name from a single sign-on
  application. An attacker can use this to compromise the mahara
  database via crafted user names. [More...]

  http://www.linuxsecurity.com/content/view/152083

* Debian: 2029-1: imlib2: Multiple vulnerabilities (Apr 5)
  --------------------------------------------------------
  It was discovered that imlib2, a library to load and process several
  image formats, did not properly process various image file types.
  Several heap and stack based buffer overflows - partly due to integer
  overflows - in the ARGB, BMP, JPEG, LBM, PNM, TGA and XPM loaders can
  [More...]

  http://www.linuxsecurity.com/content/view/152079

* Debian: 2028-1: xpdf: Multiple vulnerabilities (Apr 5)
  ------------------------------------------------------
  Several vulnerabilities have been identified in xpdf, a suite of tools
  for viewing and converting Portable Document Format (PDF) files. The
  Common Vulnerabilities and Exposures project identifies the following
  [More...]

  http://www.linuxsecurity.com/content/view/152078

* Debian: 2027-1: xulrunner: Multiple vulnerabilities (Apr 3)
  -----------------------------------------------------------
  Several remote vulnerabilities have been discovered in Xulrunner, a
  runtime environment for XUL applications, such as the Iceweasel web
  browser. The Common Vulnerabilities and Exposures project identifies
  the following problems: [More...]
  http://www.linuxsecurity.com/content/view/152065

* Debian: 2026-1: netpbm-free: stack-based buffer overflow (Apr 2)
  ----------------------------------------------------------------
  Marc Schoenefeld discovered a stack-based buffer overflow in the XPM
  reader implementation in netpbm-free, a suite of image manipulation
  utilities. An attacker could cause a denial of service (application
  crash) or possibly [More...]

  http://www.linuxsecurity.com/content/view/152063

------------------------------------------------------------------------

* Mandriva: 2010:069: nss (Apr 6)
  -------------------------------
  A vulnerability has been found and corrected in nss: The TLS
  protocol, and the SSL protocol 3.0 and possibly earlier, as used in
  Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the
  Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
  [More...]

  http://www.linuxsecurity.com/content/view/152090

------------------------------------------------------------------------

* Red Hat: 2010:0343-01: krb5: Important Advisory (Apr 6)
  -------------------------------------------------------
  Updated krb5 packages that fix one security issue and one bug are now
  available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/152089

* Red Hat: 2010:0342-01: kernel: Important Advisory (Apr 6)
  ---------------------------------------------------------
  Updated kernel packages that fix one security issue and one bug are
  now available for Red Hat Enterprise Linux 4.7 Extended Update
  Support. The Red Hat Security Response Team has rated this update as
  having [More...]
  http://www.linuxsecurity.com/content/view/152088

------------------------------------------------------------------------

* Slackware: 2010-095-01: mozilla-thunderbird: Security Update (Apr 5)
  --------------------------------------------------------------------
  New mozilla-thunderbird packages are available for Slackware 10.2,
  11.0, 12.0, 12.1, 12.2, 13.0, and -current to fix security issues.
  [More Info...]

  http://www.linuxsecurity.com/content/view/152068

* Slackware: 2010-095-02: mozilla-firefox: Security Update (Apr 5)
  ----------------------------------------------------------------
  New mozilla-firefox packages are available for Slackware 12.2, 13.0,
  and -current to fix security issues. [More Info...]

  http://www.linuxsecurity.com/content/view/152066

* Slackware: 2010-095-03: seamonkey: Security Update (Apr 5)
  ----------------------------------------------------------
  New seamonkey packages are available for Slackware 12.2, 13.0, and
  -current to fix security issues. [More Info...]

  http://www.linuxsecurity.com/content/view/152067

------------------------------------------------------------------------

* SuSE: Weekly Summary 2010:008 (Apr 7)
  -------------------------------------
  To avoid flooding mailing lists with SUSE Security Announcements for
  minor issues, SUSE Security releases weekly summary reports for the
  low profile vulnerability fixes. The SUSE Security Summary Reports do
  not list or download URLs like the SUSE Security Announcements that
  are released for more severe vulnerabilities. The vulnerabilities in
  this summary include: gnome-screensaver, tomcat5, tomcat6, libtheora,
  java-1_6_0-sun, samba.

  http://www.linuxsecurity.com/content/view/152093

------------------------------------------------------------------------

* Ubuntu: 926-1: ClamAV vulnerabilities (Apr 8)
  ---------------------------------------------
  It was discovered that ClamAV did not properly verify its input when
  processing CAB files.
  A remote attacker could send a specially crafted CAB file to evade
  malware detection. (CVE-2010-0098) [More...]

  http://www.linuxsecurity.com/content/view/152105

* Ubuntu: 925-1: MoinMoin vulnerabilities (Apr 8)
  -----------------------------------------------
  It was discovered that MoinMoin did not properly sanitize its input
  when processing Despam actions, resulting in cross-site scripting
  (XSS) vulnerabilities. If a privileged wiki user were tricked into
  performing the Despam action on a page with a crafted title, a remote
  attacker could exploit this to execute JavaScript code.
  (CVE-2010-0828) [More...]

  http://www.linuxsecurity.com/content/view/152104

* Ubuntu: 923-1: OpenJDK vulnerabilities (Apr 7)
  ----------------------------------------------
  Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3
  protocols. If an attacker could perform a man in the middle attack at
  the start of a TLS connection, the attacker could inject arbitrary
  content at the beginning of the user's session. (CVE-2009-3555)
  [More...]

  http://www.linuxsecurity.com/content/view/152091

* Ubuntu: 924-1: Kerberos vulnerabilities (Apr 7)
  -----------------------------------------------
  Sol Jerome discovered that the Kerberos kadmind service did not
  correctly free memory. An unauthenticated remote attacker could send
  specially crafted traffic to crash the kadmind process, leading to a
  denial of service. (CVE-2010-0629) [More...]
  http://www.linuxsecurity.com/content/view/152092

------------------------------------------------------------------------

* Pardus: 2010-46: OpenSSL: Denial of Service (Apr 6)
  ---------------------------------------------------
  A vulnerability has been fixed in OpenSSL, which can be exploited by
  malicious people to manipulate certain data and cause a DoS (Denial
  of Service).

  http://www.linuxsecurity.com/content/view/152080

* Pardus: 2010-47: Firefox: Multiple Vulnerabilities (Apr 6)
  ----------------------------------------------------------
  Multiple vulnerabilities have been fixed in Firefox.

  http://www.linuxsecurity.com/content/view/152081

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.

------------------------------------------------------------------------