+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| October 15th, 2010                              Volume 11, Number 42 |
|                                                                      |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx>              |
|                 Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx>       |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary
of each week's vendor security bulletins and pointers on methods to
improve the security posture of your open source system. Vulnerabilities
affect nearly every vendor virtually every week, so be sure to read
through to find the updates your distributor has made available.

Review: The Official Ubuntu Book
--------------------------------

If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.

http://www.linuxsecurity.com/content/view/153159

Review: Zabbix 1.8 Network Monitoring
-------------------------------------

If you have anything more than a small home network, you need to be
monitoring the status of your systems to ensure they are providing the
services they were designed to provide.

http://www.linuxsecurity.com/content/view/152990

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf  <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
  ----------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2120-1: postgresql-8.3: privilege escalation (Oct 12)
  -------------------------------------------------------------
  Tim Bunce discovered that PostgreSQL, a database server software,
  does not properly separate interpreters for server-side stored
  procedures which run in different security contexts. As a result,
  non-privileged authenticated database users might gain additional
  privileges. [More...]

  http://www.linuxsecurity.com/content/view/153465

* Debian: 2116-1: poppler: Multiple vulnerabilities (Oct 12)
  ----------------------------------------------------------
  Joel Voss of Leviathan Security Group discovered two vulnerabilities
  in the Poppler PDF rendering library, which may lead to the execution
  of arbitrary code if a malformed PDF file is opened. [More...]

  http://www.linuxsecurity.com/content/view/153464

* Debian: 2115-2: moodle: Multiple vulnerabilities (Oct 11)
  ---------------------------------------------------------
  DSA-2115-1 introduced a regression because it lacked a dependency on
  the wwwconfig-common package, leading to installation problems. This
  update addresses this issue. For reference, the text of the original
  advisory is provided below. [More...]

  http://www.linuxsecurity.com/content/view/153454

* Debian: 2118-1: subversion: logic flaw (Oct 8)
  ----------------------------------------------
  Kamesh Jayachandran and C. Michael Pilat discovered that the
  mod_dav_svn module of subversion, a version control system, is not
  properly enforcing access rules which are scope-limited to named
  repositories. If the SVNPathAuthz option is set to "short_circuit",
  this may enable an [More...]

  http://www.linuxsecurity.com/content/view/153453

------------------------------------------------------------------------

* Mandriva: 2010:204: avahi (Oct 14)
  ----------------------------------
  A vulnerability was discovered and corrected in avahi: The
  AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in
  Avahi 0.6.16 and 0.6.25 allows remote attackers to cause a denial of
  service (assertion failure and daemon exit) via a DNS packet with
  [More...]

  http://www.linuxsecurity.com/content/view/153488

* Mandriva: 2010:203: automake (Oct 13)
  -------------------------------------
  A vulnerability was discovered and corrected in automake: The (1)
  dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and
  release branches branch-1-4 through branch-1-9, when producing a
  distribution tarball for a package that uses Automake, assign
  insecure [More...]

  http://www.linuxsecurity.com/content/view/153479

* Mandriva: 2010:202: krb5 (Oct 13)
  ---------------------------------
  A vulnerability was discovered and corrected in krb5: The
  merge_authdata function in kdc_authdata.c in the Key Distribution
  Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not
  properly manage an index into an authorization-data list, which
  [More...]

  http://www.linuxsecurity.com/content/view/153477

* Mandriva: 2010:201: freetype2 (Oct 13)
  --------------------------------------
  A vulnerability was discovered and corrected in freetype2: Marc
  Schoenefeld found an input stream position error in the way the
  FreeType font rendering engine processed input file streams. If a
  user loaded a specially-crafted font file with an application
  [More...]

  http://www.linuxsecurity.com/content/view/153475

* Mandriva: 2010:200: wireshark (Oct 13)
  --------------------------------------
  It was discovered that the ASN.1 BER dissector in wireshark was
  susceptible to a stack overflow (CVE-2010-3445). For 2010.0 and
  2010.1 wireshark was upgraded to v1.2.12 which is not vulnerable to
  this issue and was patched for CS4 and MES5 to resolve [More...]

  http://www.linuxsecurity.com/content/view/153472

* Mandriva: 2010:199: subversion (Oct 12)
  ---------------------------------------
  A vulnerability was discovered and corrected in subversion: authz.c
  in the mod_dav_svn module for the Apache HTTP Server, as distributed
  in Apache Subversion 1.5.x before 1.5.8 and 1.6.x before 1.6.13, when
  SVNPathAuthz short_circuit is enabled, does not [More...]

  http://www.linuxsecurity.com/content/view/153463

* Mandriva: 2010:198: kernel (Oct 7)
  ----------------------------------
  Some vulnerabilities were discovered and corrected in the Linux 2.6
  kernel: fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not
  always follow NFS automount symlinks, which allows attackers to have
  an [More...]

  http://www.linuxsecurity.com/content/view/153450

------------------------------------------------------------------------

* Red Hat: 2010:0771-01: kernel-rt: Moderate Advisory (Oct 14)
  ------------------------------------------------------------
  Updated kernel-rt packages that fix multiple security issues and
  upgrade the kernel-rt kernel to version 2.6.33.7-rt29 are now
  available for Red Hat Enterprise MRG 1.3. [More...]

  http://www.linuxsecurity.com/content/view/153486

* Red Hat: 2010:0770-01: java-1.6.0-sun: Critical Advisory (Oct 14)
  -----------------------------------------------------------------
  Updated java-1.6.0-sun packages that fix several security issues are
  now available for Red Hat Enterprise Linux 4 Extras and 5
  Supplementary. The Red Hat Security Response Team has rated this
  update as having critical [More...]

  http://www.linuxsecurity.com/content/view/153487

* Red Hat: 2010:0768-01: java-1.6.0-openjdk: Important Advisory (Oct 13)
  ----------------------------------------------------------------------
  Updated java-1.6.0-openjdk packages that fix several security issues
  and two bugs are now available for Red Hat Enterprise Linux 5. The
  Red Hat Security Response Team has rated this update as having
  [More...]

  http://www.linuxsecurity.com/content/view/153476

* Red Hat: 2010:0758-01: kernel-rt: Important Advisory (Oct 7)
  ------------------------------------------------------------
  Updated kernel-rt packages that fix two security issues and three
  bugs are now available for Red Hat Enterprise MRG 1.2. The Red Hat
  Security Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/153451

* Red Hat: 2010:0755-01: cups: Important Advisory (Oct 7)
  -------------------------------------------------------
  Updated cups packages that fix multiple security issues are now
  available for Red Hat Enterprise Linux 4. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/153449

* Red Hat: 2010:0750-01: xpdf: Important Advisory (Oct 7)
  -------------------------------------------------------
  An updated xpdf package that fixes one security issue is now
  available for Red Hat Enterprise Linux 3. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/153448

* Red Hat: 2010:0753-01: kdegraphics: Important Advisory (Oct 7)
  --------------------------------------------------------------
  Updated kdegraphics packages that fix two security issues are now
  available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/153446

* Red Hat: 2010:0754-01: cups: Important Advisory (Oct 7)
  -------------------------------------------------------
  Updated cups packages that fix one security issue are now available
  for Red Hat Enterprise Linux 3. The Red Hat Security Response Team
  has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/153447

* Red Hat: 2010:0752-01: gpdf: Important Advisory (Oct 7)
  -------------------------------------------------------
  An updated gpdf package that fixes two security issues is now
  available for Red Hat Enterprise Linux 4. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/153442

* Red Hat: 2010:0749-01: poppler: Important Advisory (Oct 7)
  ----------------------------------------------------------
  Updated poppler packages that fix two security issues are now
  available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/153443

* Red Hat: 2010:0751-01: xpdf: Important Advisory (Oct 7)
  -------------------------------------------------------
  An updated xpdf package that fixes two security issues is now
  available for Red Hat Enterprise Linux 4. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/153444

------------------------------------------------------------------------

* SuSE: 2010-050: Linux kernel (Oct 13)
  -------------------------------------
  This SUSE Linux Enterprise 11 Service Pack 1 kernel contains various
  security fixes and lots of other bugfixes. The following security
  issues were fixed: CVE-2010-2960: local users could crash the system
  by causing a NULL deref in the keyctl_session_to_parent() function
  [More...]

  http://www.linuxsecurity.com/content/view/153473

* SuSE: 2010-049: Mozilla Firefox (Oct 12)
  ----------------------------------------
  Mozilla Firefox was updated to version 3.6.10, fixing various bugs
  and security issues. Mozilla Thunderbird was updated to version 3.0.8
  on openSUSE, fixing the same bugs. Mozilla Seamonkey was updated to
  version 2.0.8 on openSUSE, fixing [More...]

  http://www.linuxsecurity.com/content/view/153459

* SuSE: 2010-048: acroread (Oct 11)
  ---------------------------------
  Specially crafted PDF documents could crash acroread or lead to
  execution of arbitrary code. acroread was updated to version 9.4
  which addresses the issues. Please see Adobe's site for more
  information:
  http://www.adobe.com/support/security/bulletins/apsb10-21.html
  [More...]

  http://www.linuxsecurity.com/content/view/153455

------------------------------------------------------------------------

* Ubuntu: 1004-1: Django vulnerability (Oct 13)
  ---------------------------------------------
  It was discovered that Django did not properly sanitize the cookie
  value when applying CSRF protections, resulting in a cross-site
  scripting (XSS) vulnerability. With cross-site scripting
  vulnerabilities, if a user were tricked into viewing server output
  during a crafted server request, a remote attacker could exploit this
  to modify the contents, or steal [More...]

  http://www.linuxsecurity.com/content/view/153478

* Ubuntu: 1002-2: PostgreSQL vulnerability (Oct 7)
  ------------------------------------------------
  USN-1002-1 fixed vulnerabilities in PostgreSQL. This update provides
  the corresponding update for Ubuntu 10.10. [More...]

  http://www.linuxsecurity.com/content/view/153445

* Ubuntu: 1002-1: PostgreSQL vulnerability (Oct 7)
  ------------------------------------------------
  It was discovered that PostgreSQL did not properly enforce
  permissions within sessions when PL/Perl and PL/Tcl functions or
  operators were redefined. A remote authenticated attacker could
  exploit this to execute arbitrary code with permissions of a
  different user, possibly leading to privilege escalation. [More...]

  http://www.linuxsecurity.com/content/view/153441

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                 LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.

------------------------------------------------------------------------