Linux Advisory Watch: September 17th, 2010

+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| September 17th, 2010                            Volume 11, Number 38 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
|                       Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The 
purpose of this document is to provide our readers with a quick summary of 
each week's vendor security bulletins and pointers on methods to improve 
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be 
sure to read through to find the updates your distributor has made 
available.

Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start. Authored by a
group of some of the most experienced open source administrators and
developers, this 400-page user guide details everything you need to
know about how to make the most of your Ubuntu, Kubuntu (Ubuntu with
KDE), and Xubuntu (Ubuntu with Xfce) computer.

http://www.linuxsecurity.com/content/view/153159


Review: Zabbix 1.8 Network Monitoring
-------------------------------------
If you have anything more than a small home network, you need to be
monitoring the status of your systems to ensure they are providing the
services they were designed to provide. Rihards Olups has created a
comprehensive reference and usability guide for the latest version of
Zabbix that anyone being tasked with implementing should have by their
side.

http://www.linuxsecurity.com/content/view/152990

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
   ----------------------------------------------
   Guardian Digital is happy to announce the release of EnGarde Secure
   Community 3.0.22 (Version 3.0, Release 22).  This release includes
   many updated packages and bug fixes and some feature enhancements to
   the EnGarde Secure Linux Installer and the SELinux policy.

   http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2109-1: samba: buffer overflow (Sep 16)
   -----------------------------------------------
   A vulnerability has been discovered in samba, a SMB/CIFS file, print,
   and login server for Unix. [More...]

   http://www.linuxsecurity.com/content/view/153292

* Debian: 2108-1: cvsnt: programming error (Sep 14)
   -------------------------------------------------
   It has been discovered that in cvsnt, a multi-platform version of the
   original source code versioning system CVS, an error in the
   authentication code allows a malicious, unprivileged user, through
   the use of a specially crafted branch name, to gain write access to
   any [More...]

   http://www.linuxsecurity.com/content/view/153265

* Debian: 2097-2: phpmyadmin: insufficient input sanitisi (Sep 11)
   ----------------------------------------------------------------
   The update in DSA 2097 for phpMyAdmin did not correctly apply the
   intended changes, thereby not completely addressing the
   vulnerabilities. Updated packages now fix the issues described in the
   original advisory text below. [More...]

   http://www.linuxsecurity.com/content/view/153251

* Debian: 2107-1: couchdb: untrusted search path (Sep 9)
   ------------------------------------------------------
   Dan Rosenberg discovered that in couchdb, a distributed,
   fault-tolerant and schema-free document-oriented database, an
   insecure library search path is used; a local attacker could execute
   arbitrary code by first dumping a maliciously crafted shared library
   in some [More...]

   http://www.linuxsecurity.com/content/view/153233

------------------------------------------------------------------------

* Mandriva: 2010:184: samba (Sep 16)
   ----------------------------------
   A vulnerability has been found and corrected in samba: Stack-based
   buffer overflow in the (1) sid_parse and (2) dom_sid_parse functions
   in Samba before 3.5.5 allows remote attackers to cause a denial of
   service (crash) and possibly execute arbitrary code via a [More...]

   http://www.linuxsecurity.com/content/view/153293

* Mandriva: 2010:183: socat (Sep 15)
   ----------------------------------
   A vulnerability has been found and corrected in socat: Stack-based
   buffer overflow in the nestlex function in nestlex.c in Socat 1.5.0.0
   through 1.7.1.2 and 2.0.0-b1 through 2.0.0-b3, when bidirectional
   data relay is enabled, allows context-dependent [More...]

   http://www.linuxsecurity.com/content/view/153287

* Mandriva: 2010:182: kdegraphics (Sep 14)
   ----------------------------------------
   A vulnerability has been found and corrected in kdegraphics (ksvg):
   Use-after-free vulnerability in the garbage-collection implementation
   in WebCore in WebKit in Apple Safari before 4.0 allows remote
   attackers to execute arbitrary code or cause a denial of service
   [More...]

   http://www.linuxsecurity.com/content/view/153275

* Mandriva: 2010:181: ntop (Sep 14)
   ---------------------------------
   A vulnerability has been found and corrected in ntop: The
   checkHTTPpassword function in http.c in ntop 3.3.10 and earlier
   allows remote attackers to cause a denial of service (NULL pointer
   dereference and daemon crash) via an Authorization HTTP header
   [More...]

   http://www.linuxsecurity.com/content/view/153267

* Mandriva: 2010:180: rpm (Sep 13)
   --------------------------------
   A vulnerability has been found and corrected in rpm: lib/fsm.c in RPM
   4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3,
   does not properly reset the metadata of an executable file during
   replacement of the file in an RPM package upgrade, which [More...]

   http://www.linuxsecurity.com/content/view/153260

* Mandriva: 2010:179: libglpng (Sep 12)
   -------------------------------------
   A vulnerability has been found and corrected in libglpng: Multiple
   integer overflows in glpng.c in glpng 1.45 allow context-dependent
   attackers to execute arbitrary code via a crafted PNG image, related
   to (1) the pngLoadRawF function and (2) the pngLoadF [More...]

   http://www.linuxsecurity.com/content/view/153259

* Mandriva: 2010:178: ocsinventory (Sep 12)
   -----------------------------------------
   Multiple vulnerabilities have been found and corrected in
   ocsinventory: Multiple cross-site scripting (XSS) vulnerabilities in
   ocsreports/index.php in OCS Inventory NG 1.02.1 allow remote
   attackers to inject arbitrary web script or HTML via (1) the query
   string, (2) [More...]

   http://www.linuxsecurity.com/content/view/153258

* Mandriva: 2010:177: tomcat5 (Sep 12)
   ------------------------------------
   Multiple vulnerabilities have been found and corrected in tomcat5:
   Directory traversal vulnerability in Apache Tomcat 5.5.0 through
   5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or
   overwrite arbitrary files via a .. (dot dot) in an entry in a WAR
   file, [More...]

   http://www.linuxsecurity.com/content/view/153257

* Mandriva: 2010:176: tomcat5 (Sep 12)
   ------------------------------------
   Multiple vulnerabilities have been found and corrected in tomcat5:
   Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0
   through 4.1.36 does not properly handle (1) double quote (")
   characters or (2) \%5C (encoded backslash) sequences in a cookie
   value, which [More...]

   http://www.linuxsecurity.com/content/view/153256

* Mandriva: 2010:175: sudo (Sep 12)
   ---------------------------------
   A vulnerability has been found and corrected in sudo: Sudo 1.7.0
   through 1.7.4p3, when a Runas group is configured, does not properly
   handle use of the -u option in conjunction with the -g option, which
   allows local users to gain privileges via a command [More...]

   http://www.linuxsecurity.com/content/view/153255

* Mandriva: 2010:174: quagga (Sep 11)
   -----------------------------------
   Stack-based buffer overflow in the bgp_route_refresh_receive function
   in bgp_packet.c in bgpd in Quagga before 0.99.17 allows remote
   authenticated users to cause a denial of service (daemon crash) or
   possibly execute arbitrary code via a malformed Outbound Route
   Filtering (ORF) record in a BGP ROUTE-REFRESH (RR) message [More...]

   http://www.linuxsecurity.com/content/view/153254

* Mandriva: 2010:173: firefox (Sep 11)
   ------------------------------------
   Security issues were identified and fixed in firefox and
   mozilla-thunderbird: Mozilla Firefox before 3.5.12 and 3.6.x before
   3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey
   before 2.0.7 [More...]

   http://www.linuxsecurity.com/content/view/153252

* Mandriva: 2010:172: kernel (Sep 9)
   ----------------------------------
   Some vulnerabilities were discovered and corrected in the Linux 2.6
   kernel: Buffer overflow in the ecryptfs_uid_hash macro in
   fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux
   [More...]

   http://www.linuxsecurity.com/content/view/153240

------------------------------------------------------------------------

* Red Hat: 2010:0698-01: samba3x: Critical Advisory (Sep 14)
   ----------------------------------------------------------
   Updated samba3x packages that fix one security issue are now
   available for Red Hat Enterprise Linux 5. The Red Hat Security
   Response Team has rated this update as having critical [More...]

   http://www.linuxsecurity.com/content/view/153276

* Red Hat: 2010:0697-01: samba: Critical Advisory (Sep 14)
   --------------------------------------------------------
   Updated samba packages that fix one security issue and one bug are
   now available for Red Hat Enterprise Linux 3, 4, and 5, and Red Hat
   Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support. [More...]

   http://www.linuxsecurity.com/content/view/153277

------------------------------------------------------------------------

* Slackware: 2010-258-03: sudo redo: Security Update (Sep 15)
   -----------------------------------------------------------
   New sudo packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
   10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a
   directory permissions issue. These replacement packages restore the
   correct permissions to /var. [More Info...]

   http://www.linuxsecurity.com/content/view/153280

* Slackware: 2010-257-01: samba: Security Update (Sep 15)
   -------------------------------------------------------
   New samba packages are available for Slackware 10.0, 10.1, 10.2,
   11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security
   issue.  [More Info...]

   http://www.linuxsecurity.com/content/view/153278

* Slackware: 2010-257-02: sudo: Security Update (Sep 15)
   ------------------------------------------------------
   New sudo packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
   10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a
   security issue.  [More Info...]

   http://www.linuxsecurity.com/content/view/153279

* Slackware: 2010-253-01: mozilla-firefox: Security Update (Sep 10)
   -----------------------------------------------------------------
   New mozilla-firefox packages are available for Slackware 12.2, 13.0,
   13.1, and -current to fix security issues.  [More Info...]

   http://www.linuxsecurity.com/content/view/153244

* Slackware: 2010-253-02: mozilla-thunderbird: Security Update (Sep 10)
   ---------------------------------------------------------------------
   New mozilla-thunderbird packages are available for Slackware 13.1,
   and -current to fix security issues. [More Info...]

   http://www.linuxsecurity.com/content/view/153243

* Slackware: 2010-253-03: seamonkey: Security Update (Sep 10)
   -----------------------------------------------------------
   New seamonkey packages are available for Slackware 12.2, 13.0, 13.1,
   and -current to fix security issues. [More Info...]

   http://www.linuxsecurity.com/content/view/153242

------------------------------------------------------------------------

* SuSE: 2010-040: Linux kernel (Sep 13)
   -------------------------------------
   This SUSE Linux Enterprise 11 Service Pack 1 kernel update contains
   various security fixes and lots of other bugfixes. Notable larger
   bugfixes and changes: - 603464: Fix system freeze when doing a
   network crash dump with a netxen_nic driver [More...]

   http://www.linuxsecurity.com/content/view/153264

------------------------------------------------------------------------

* Ubuntu: 978-2: Thunderbird regression (Sep 16)
   ----------------------------------------------
   USN-978-1 fixed vulnerabilities in Thunderbird. Some users
   reported stability problems under certain circumstances. This update
   fixes the problem. [More...]

   http://www.linuxsecurity.com/content/view/153295

* Ubuntu: 975-2: Firefox and Xulrunner regression (Sep 16)
   --------------------------------------------------------
   USN-975-1 fixed vulnerabilities in Firefox and Xulrunner. Some
   users reported stability problems under certain circumstances. This
   update fixes the problem. [More...]

   http://www.linuxsecurity.com/content/view/153294

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
