Linux Advisory Watch: April 23rd, 2010

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| April 23rd, 2010                                Volume 11, Number 17 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
|                       Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor have made
available.

SSH: Best Practices
-------------------
If you're reading LinuxSecurity.com then it's a safe bet that you are
already using SSH, but are you using it in the best way possible?  Have
you configured it to be as limited and secure as possible?<BR/>Read on for
my best practices for using Secure Shell.

http://www.linuxsecurity.com/content/view/133312


Review: Linux Firewalls
-----------------------
Security is at the forefront of everyone's mind and a firewall can be an
integral part of your Linux defense. But is Michael's Rash's "Linux
Firewalls," the newest release from NoStarchPress, up for the challenge?
Eckie S. here at Linuxsecurity.com gives you the low-down on this newest
addition to the Linux security resource library and how it's one of the
best ways to crack down on attacks to your Linux network.

http://www.linuxsecurity.com/content/view/130392

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
  ----------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2038-1: pidgin: Multiple vulnerabilities (Apr 18)
  ---------------------------------------------------------
  Several remote vulnerabilities have been discovered in Pidgin, a
  multi protocol instant messaging client. The Common Vulnerabilities
  and Exposures project identifies the following problems: [More...]

  http://www.linuxsecurity.com/content/view/152175

* Debian: 2037-1: kdm (kdebase): race condition (Apr 17)
  ------------------------------------------------------
  Sebastian Krahmer discovered that a race condition in the KDE Desktop
  Environment's KDM display manager, allow a local user to elevate
  privileges to root. [More...]

  http://www.linuxsecurity.com/content/view/152174

* Debian: 2036-1: jasper: programming error (Apr 17)
  --------------------------------------------------
  It was discovered that the JasPer JPEG-2000 runtime library allowed
  an attacker to create a crafted input file that could lead to denial
  of service and heap corruption. [More...]

  http://www.linuxsecurity.com/content/view/152173

* Debian: 2035-1: apache2: multiple issues (Apr 17)
  -------------------------------------------------
  Two issues have been found in the Apache HTTPD web server:
  CVE-2010-0408 [More...]

  http://www.linuxsecurity.com/content/view/152172

* Debian: 2034-1: phpmyadmin: Multiple vulnerabilities (Apr 17)
  -------------------------------------------------------------
  Several vulnerabilities have been discovered in phpMyAdmin, a tool to
  administer MySQL over the web. The Common Vulnerabilities and
  Exposures project identifies the following problems: [More...]

  http://www.linuxsecurity.com/content/view/152166

* Debian: 2033-1: ejabberd: heap overflow (Apr 15)
  ------------------------------------------------
  It was discovered that in ejabberd, a distributed XMPP/Jabber server
  written in Erlang, a problem in ejabberd_c2s.erl allows remote
  authenticated users to cause a denial of service by sending a large
  number of c2s (client2server) messages; that triggers an overload of
  the [More...]

  http://www.linuxsecurity.com/content/view/152149

------------------------------------------------------------------------

* Mandriva: 2010:070-1: firefox (Apr 20)
  --------------------------------------
  Security issues were identified and fixed in firefox: Security
  researcher regenrecht reported (via TippingPoint's Zero Day
  Initiative) a potential reuse of a deleted image frame in Firefox
  3.6's handling of multipart/x-mixed-replace images. Although no
  exploit was [More...]

  http://www.linuxsecurity.com/content/view/152204

* Mandriva: 2010:083: emacs (Apr 20)
  ----------------------------------
  A vulnerability has been found and corrected in emacs:
  lib-src/movemail.c in movemail in emacs 22 and 23 allows local users
  to read, modify, or delete arbitrary mailbox files via a symlink
  attack, related to improper file-permission checks (CVE-2010-0825).
  [More...]

  http://www.linuxsecurity.com/content/view/152196

* Mandriva: 2010:076-1: openssl (Apr 19)
  --------------------------------------
  This update fixes several security issues in openssl: - The
  ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through
  0.9.8m allows remote attackers to cause a denial of service (crash)
  via a malformed record in a TLS connection (CVE-2010-0740) - OpenSSL
  before 0.9.8m does not check for a NULL return value [More...]

  http://www.linuxsecurity.com/content/view/152184

* Mandriva: 2010:076-1: openssl (Apr 19)
  --------------------------------------
  This update fixes several security issues in openssl: - The
  ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through
  0.9.8m allows remote attackers to cause a denial of service (crash)
  via a malformed record in a TLS connection (CVE-2010-0740) - OpenSSL
  before 0.9.8m does not check for a NULL return value [More...]

  http://www.linuxsecurity.com/content/view/152183

* Mandriva: 2010:082: clamav (Apr 18)
  -----------------------------------
  Multiple vulnerabilities has been found and corrected in clamav:
  ClamAV before 0.96 does not properly handle the (1) CAB and (2) 7z
  file formats, which allows remote attackers to bypass virus detection
  via a crafted archive that is compatible with standard archive
  utilities [More...]

  http://www.linuxsecurity.com/content/view/152177

* Mandriva: 2010:081: apache-mod_auth_shadow (Apr 18)
  ---------------------------------------------------
  A vulnerability has been found and corrected in
  apache-mod_auth_shadow: A race condition was found in the way
  mod_auth_shadow used an external helper binary to validate user
  credentials (username / password pairs). A remote attacker could use
  this flaw to bypass intended [More...]

  http://www.linuxsecurity.com/content/view/152176

* Mandriva: 2010:080: brltty (Apr 17)
  -----------------------------------
  A vulnerability has been found and corrected in brltty: Untrusted
  search path vulnerability in libbrlttybba.so in brltty 3.7.2 allows
  local users to gain privileges via a crafted library, related to an
  incorrect RPATH setting (CVE-2008-3279). [More...]

  http://www.linuxsecurity.com/content/view/152171

* Mandriva: 2010:079: irssi (Apr 17)
  ----------------------------------
  Multiple vulnerabilities has been found and corrected in irssi: Irssi
  before 0.8.15, when SSL is used, does not verify that the server
  hostname matches a domain name in the subject's Common Name (CN)
  field or a Subject Alternative Name field of the X.509 certificate,
  [More...]

  http://www.linuxsecurity.com/content/view/152170

* Mandriva: 2010:076: openssl (Apr 17)
  ------------------------------------
  This update fixes several security issues in openssl: - The
  ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through
  0.9.8m allows remote attackers to cause a denial of service (crash)
  via a malformed record in a TLS connection (CVE-2010-0740) - OpenSSL
  before 0.9.8m does not check for a NULL return value [More...]

  http://www.linuxsecurity.com/content/view/152169

* Mandriva: 2010:078: sudo (Apr 17)
  ---------------------------------
  A vulnerability has been found and corrected in sudo: The command
  matching functionality in sudo 1.6.8 through 1.7.2p5 does not
  properly handle when a file in the current working directory has the
  same name as a pseudo-command in the sudoers file and the PATH
  [More...]

  http://www.linuxsecurity.com/content/view/152168

* Mandriva: 2010:077: nss_db (Apr 17)
  -----------------------------------
  A vulnerability has been found and corrected in nss_db: The Free
  Software Foundation (FSF) Berkeley DB NSS module (aka libnss-db)
  2.2.3pre1 reads the DB_CONFIG file in the current working directory,
  which allows local users to obtain sensitive information [More...]

  http://www.linuxsecurity.com/content/view/152167

* Mandriva: 2010:075: openoffice.org (Apr 15)
  -------------------------------------------
  This updates provides a security update to the OpenOffice.org
  described as follow: OpenOffice's xmlsec uses a bundled Libtool which
  might load .la file in the current working directory allowing local
  users to gain [More...]

  http://www.linuxsecurity.com/content/view/152152

* Mandriva: 2010:074: kdebase (Apr 15)
  ------------------------------------
  A vulnerability has been found and corrected in kdm
  (kdebase/kdebase4-workspace): KDM contains a race condition that
  allows local attackers to make arbitrary files on the system
  world-writeable. This can happen [More...]

  http://www.linuxsecurity.com/content/view/152150

------------------------------------------------------------------------

* Red Hat: 2010:0362-01: scsi-target-utils: Important Advisory (Apr 20)
  ---------------------------------------------------------------------
  An updated scsi-target-utils package that fixes one security issue is
  now available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/152202

* Red Hat: 2010:0361-01: sudo: Moderate Advisory (Apr 20)
  -------------------------------------------------------
  An updated sudo package that fixes one security issue is now
  available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/152201

* Red Hat: 2010:0360-01: wireshark: Moderate Advisory (Apr 20)
  ------------------------------------------------------------
  Updated wireshark packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3, 4, and 5. The Red Hat
  Security Response Team has rated this update as having moderate
  [More...]

  http://www.linuxsecurity.com/content/view/152200

* Red Hat: 2010:0356-02: java-1.6.0-sun: Critical Advisory (Apr 19)
  -----------------------------------------------------------------
  Updated java-1.6.0-sun packages that fix two security issues are now
  available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.
  The Red Hat Security Response Team has rated this update as having
  critical [More...]

  http://www.linuxsecurity.com/content/view/152186

------------------------------------------------------------------------

* Slackware: 2010-110-01: sudo: Security Update (Apr 20)
  ------------------------------------------------------
  New sudo packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
  10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, and -current to fix
  security issues.  [More Info...]

  http://www.linuxsecurity.com/content/view/152206

* Slackware: 2010-110-02: kdebase-workspace: Security Update (Apr 20)
  -------------------------------------------------------------------
  New kdebase-workspace packages are available for Slackware 13.0 and
  -current to fix a security issue with KDM.  [More Info...]

  http://www.linuxsecurity.com/content/view/152205

------------------------------------------------------------------------

* SuSE: 2010-022: acroread (Apr 21)
  ---------------------------------
  Specially crafted PDF documents could crash acroread or even lead to
  execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/152212

------------------------------------------------------------------------

* Ubuntu: 929-2: irssi regression (Apr 20)
  ----------------------------------------
  USN-929-1 fixed vulnerabilities in irssi. The upstream changes
  introduced aregression when using irssi with SSL and an IRC proxy.
  This update fixesthe problem. [More...]

  http://www.linuxsecurity.com/content/view/152203

* Ubuntu: 932-1: KDM vulnerability (Apr 19)
  -----------------------------------------
  Sebastian Krahmer discovered a race condition in the KDE Display
  Manager(KDM). A local attacker could exploit this to change the
  permissions onarbitrary files, thus allowing privilege escalation.
  [More...]

  http://www.linuxsecurity.com/content/view/152185

* Ubuntu: 931-1: FFmpeg vulnerabilities (Apr 19)
  ----------------------------------------------
  It was discovered that FFmpeg contained multiple security issues
  whenhandling certain multimedia files. If a user were tricked into
  opening acrafted multimedia file, an attacker could cause a denial of
  service viaapplication crash, or possibly execute arbitrary code with
  the privilegesof the user invoking the program. [More...]

  http://www.linuxsecurity.com/content/view/152182

* Ubuntu: 929-1: irssi vulnerabilities (Apr 15)
  ---------------------------------------------
  It was discovered that irssi did not perform certificate host
  validationwhen using SSL connections. An attacker could exploit this
  to perform a manin the middle attack to view sensitive information or
  alter encryptedcommunications. (CVE-2010-1155) [More...]

  http://www.linuxsecurity.com/content/view/152153

* Ubuntu: 890-6: CMake vulnerabilities (Apr 15)
  ---------------------------------------------
  USN-890-1 fixed vulnerabilities in Expat. This update provides
  thecorresponding updates for CMake. [More...]

  http://www.linuxsecurity.com/content/view/152151

* Ubuntu: 928-1: Sudo vulnerability (Apr 15)
  ------------------------------------------
  Valerio Costamagna discovered that sudo did not properly validate the
  pathfor the 'sudoedit' pseudo-command when the PATH contained only a
  dot ('.').If secure_path and ignore_dot were disabled, a local
  attacker could exploitthis to execute arbitrary code as root if sudo
  was configured to allow theattacker to use sudoedit. By default,
  secure_path is used and the sudoedit [More...]

  http://www.linuxsecurity.com/content/view/152148

------------------------------------------------------------------------

* Pardus: 2010-55: ClamAV: Multiple Vulnerabilities (Apr 20)
  ----------------------------------------------------------
  A weakness and a vulnerability have been fixed in ClamAV, which can
  be exploited by malicious people to bypass the scanning functionality
  or potentially compromise a vulnerable system.

  http://www.linuxsecurity.com/content/view/152193

* Pardus: 2010-51: Qemu: Denial of Service (Apr 20)
  -------------------------------------------------
  A vulnerability has been fixed in Qemu, which could be exploited by
  attackers to cause a denial of service.

  http://www.linuxsecurity.com/content/view/152194

* Pardus: 2010-56: Libnids: Denial of Service (Apr 20)
  ----------------------------------------------------
  A vulnerability has been reported in Libnids, which can be exploited
  by malicious people to cause a DoS (Denial of Service).

  http://www.linuxsecurity.com/content/view/152195

* Pardus: 2010-53: Mit-kerberos: Denial of Service (Apr 20)
  ---------------------------------------------------------
  A vulnerability has been fixed in mit-kerberos, which could be
  exploited by attackers to cause a denial of service.

  http://www.linuxsecurity.com/content/view/152189

* Pardus: 2010-52: Memcached: Denial of Service (Apr 20)
  ------------------------------------------------------
  A vulnerability has been fixed in memcached, which could be exploited
  by attackers to cause a denial of service.

  http://www.linuxsecurity.com/content/view/152190

* Pardus: 2010-50: KDM: Privilege Escalation (Apr 20)
  ---------------------------------------------------
  A security issue has been fixed in KDE, which can be exploited by
  malicious, local users to gain escalated privileges.

  http://www.linuxsecurity.com/content/view/152191

* Pardus: 2010-54: Cups: Privilege Escalation (Apr 20)
  ----------------------------------------------------
  A vulnerability has been fixed in Cups, which can be exploited by
  malicious people to bypass certain privileges.

  http://www.linuxsecurity.com/content/view/152192

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux