+----------------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | October 29th, 2010 Volume 11, Number 44 | | | | Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> | | Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> | +----------------------------------------------------------------------+ Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor have made available. Review: The Official Ubuntu Book -------------------------------- If you haven't used Linux before, are new to Ubuntu, or would like a quick update on the latest in open source advancements for the desktop, then The Official Ubuntu Book is a great place to start. http://www.linuxsecurity.com/content/view/153159 Review: Zabbix 1.8 Network Monitoring ------------------------------------- If you have anything more than a small home network, you need to be monitoring the status of your systems to ensure they are providing the services they were designed to provide. http://www.linuxsecurity.com/content/view/152990 --> Take advantage of the LinuxSecurity.com Quick Reference Card! <-- --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- ------------------------------------------------------------------------ * EnGarde Secure Community 3.0.22 Now Available! ---------------------------------------------- Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. http://www.linuxsecurity.com/content/view/145668 ------------------------------------------------------------------------ * Debian: 2122-1: glibc: missing input sanitization (Oct 22) ---------------------------------------------------------- Ben Hawkes and Tavis Ormandy discovered that the dynamic loader in GNU libc allows local users to gain root privileges using a crafted LD_AUDIT environment variable. [More...] http://www.linuxsecurity.com/content/view/153544 ------------------------------------------------------------------------ * Mandriva: 2010:213: xulrunner (Oct 28) -------------------------------------- A vulnerability was discovered and corrected in xulrunner: Unspecified vulnerability in Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, when JavaScript is enabled, allows remote attackers to execute arbitrary code via unknown vectors, as exploited [More...] http://www.linuxsecurity.com/content/view/153579 * Mandriva: 2010:212: glibc (Oct 24) ---------------------------------- A vulnerability in the GNU C library (glibc) was discovered which could escalate the privilegies for local users (CVE-2010-3856). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: [More...] http://www.linuxsecurity.com/content/view/153553 * Mandriva: 2010:211: mozilla-thunderbird (Oct 22) ------------------------------------------------ Security issues were identified and fixed in mozilla-thunderbird: The SSL implementation in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 does not properly set the minimum key length [More...] http://www.linuxsecurity.com/content/view/153548 * Mandriva: 2010:210: firefox (Oct 22) ------------------------------------ Security issues were identified and fixed in firefox: Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 recognize a wildcard IP address in the subject's Common Name field of [More...] http://www.linuxsecurity.com/content/view/153546 * Mandriva: 2010:209: libsmi (Oct 22) ----------------------------------- A buffer overflow was discovered in libsmi when long OID was given in numerical form. This could lead to arbitraty code execution (CVE-2010-2891). Packages for 2009.0 are provided as of the Extended Maintenance [More...] http://www.linuxsecurity.com/content/view/153545 * Mandriva: 2010:208: pidgin (Oct 21) ----------------------------------- A security vulnerability has been identified and fixed in pidgin: It has been discovered that eight denial of service conditions exist in libpurple all due to insufficient validation of the return value from purple_base64_decode(). Invalid or malformed data received in [More...] http://www.linuxsecurity.com/content/view/153536 ------------------------------------------------------------------------ * Red Hat: 2010:0811-01: cups: Important Advisory (Oct 28) -------------------------------------------------------- Updated cups packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...] http://www.linuxsecurity.com/content/view/153588 * Red Hat: 2010:0812-01: thunderbird: Moderate Advisory (Oct 28) -------------------------------------------------------------- An updated thunderbird package that fixes one security issue is now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate [More...] http://www.linuxsecurity.com/content/view/153589 * Red Hat: 2010:0810-01: seamonkey: Critical Advisory (Oct 27) ------------------------------------------------------------ Updated seamonkey packages that fix one security issue are now available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security Response Team has rated this update as having critical [More...] http://www.linuxsecurity.com/content/view/153574 * Red Hat: 2010:0807-01: java-1.5.0-ibm: Critical Advisory (Oct 27) ----------------------------------------------------------------- Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...] http://www.linuxsecurity.com/content/view/153573 * Red Hat: 2010:0809-01: xulrunner: Critical Advisory (Oct 27) ------------------------------------------------------------ Updated xulrunner packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having critical [More...] http://www.linuxsecurity.com/content/view/153571 * Red Hat: 2010:0808-01: firefox: Critical Advisory (Oct 27) ---------------------------------------------------------- An updated firefox package that fixes one security issue is now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having critical [More...] http://www.linuxsecurity.com/content/view/153572 * Red Hat: 2010:0792-01: kernel: Important Advisory (Oct 25) ---------------------------------------------------------- Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...] http://www.linuxsecurity.com/content/view/153556 * Red Hat: 2010:0793-01: glibc: Important Advisory (Oct 25) --------------------------------------------------------- Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...] http://www.linuxsecurity.com/content/view/153557 * Red Hat: 2010:0788-01: pidgin: Moderate Advisory (Oct 21) --------------------------------------------------------- Updated pidgin packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate [More...] http://www.linuxsecurity.com/content/view/153542 ------------------------------------------------------------------------ * Slackware: 2010-301-01: glibc: Security Update (Oct 29) ------------------------------------------------------- New glibc packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security issue. [More Info...] http://www.linuxsecurity.com/content/view/153592 * Slackware: 2010-301-02: mozilla-firefox: Security Update (Oct 29) ----------------------------------------------------------------- New mozilla-firefox packages are available for Slackware 13.0, 13.1, and -current to fix security issues. [More Info...] http://www.linuxsecurity.com/content/view/153591 * Slackware: 2010-300-01: seamonkey: Security Update (Oct 27) ----------------------------------------------------------- New seamonkey packages are available for Slackware 12.2, 13.0, 13.1, and -current to fix security issues. [More Info...] http://www.linuxsecurity.com/content/view/153570 * Slackware: 2010-295-03: mozilla-thunderbird: Security Update (Oct 22) --------------------------------------------------------------------- New mozilla-thunderbird packages are available for Slackware 13.1 and -current to fix security issues. [More Info...] http://www.linuxsecurity.com/content/view/153550 * Slackware: 2010-295-01: glibc: Security Update (Oct 22) ------------------------------------------------------- New glibc packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security issue. [More Info...] http://www.linuxsecurity.com/content/view/153551 * Slackware: 2010-295-02: mozilla-firefox: Security Update (Oct 22) ----------------------------------------------------------------- New mozilla-firefox packages are available for Slackware 13.0, 13.1, and -current to fix security issues. [More Info...] http://www.linuxsecurity.com/content/view/153549 ------------------------------------------------------------------------ * SuSE: 2010-053: Linux kernel (Oct 28) ------------------------------------- The openSUSE 11.2 and 11.3 kernels were updated to fix 2 critical security issues and some small bugs. Following security issues were fixed: CVE-2010-3904: A local privilege escalation in RDS sockets allowed local attackers to gain root privileges. [More...] http://www.linuxsecurity.com/content/view/153580 * SuSE: 2010-052: glibc (Oct 28) ------------------------------ The Linux C library glibc was updated to fix critical security issues and several bugs: CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This specific issue did not affect SUSE as an assertion triggers [More...] http://www.linuxsecurity.com/content/view/153578 * SuSE: Weekly Summary 2010:019 (Oct 25) -------------------------------------- To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. List of vulnerabilities in this summary include: OpenOffice_org, acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival, freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d, mysql, postgresql, squid3. http://www.linuxsecurity.com/content/view/153554 ------------------------------------------------------------------------ * Ubuntu: 1011-3: Xulrunner vulnerability (Oct 29) ------------------------------------------------ USN-1011-1 fixed a vulnerability in Firefox. This update provides thecorresponding update for Xulrunner. [More...] http://www.linuxsecurity.com/content/view/153590 * Ubuntu: 1010-1: OpenJDK vulnerabilities (Oct 28) ------------------------------------------------ Marsh Ray and Steve Dispensa discovered a flaw in the TLS andSSLv3 protocols. If an attacker could perform a man in the middleattack at the start of a TLS connection, the attacker could injectarbitrary content at the beginning of the user's session. USN-923-1disabled SSL/TLS renegotiation by default; this update implements [More...] http://www.linuxsecurity.com/content/view/153587 * Ubuntu: 1011-2: Thunderbird vulnerability (Oct 28) -------------------------------------------------- USN-1011-1 fixed a vulnerability in Firefox. This update provides thecorresponding update for Thunderbird. [More...] http://www.linuxsecurity.com/content/view/153586 * Ubuntu: 1011-1: Firefox vulnerability (Oct 27) ---------------------------------------------- Morten Krakvik discovered a heap-based buffer overflow in Firefox. If auser were tricked into navigating to a malicious site, an attacker couldcause a denial of service or possibly execute arbitrary code as the userinvoking the program. [More...] http://www.linuxsecurity.com/content/view/153575 * Ubuntu: 959-2: PAM vulnerability (Oct 25) ----------------------------------------- USN-959-1 fixed vulnerabilities in PAM. This update provides thecorresponding updates for Ubuntu 10.10. [More...] http://www.linuxsecurity.com/content/view/153555 * Ubuntu: 1008-3: libvirt update (Oct 23) --------------------------------------- USN-1008-1 fixed vulnerabilities in libvirt. The update for Ubuntu 10.04LTS reverted a recent bug fix update. This update fixes the problem. [More...] http://www.linuxsecurity.com/content/view/153552 * Ubuntu: 1008-2: Virtinst update (Oct 21) ---------------------------------------- Libvirt in Ubuntu 10.04 LTS now no longer probes qemu disks for the imageformat and defaults to 'raw' when the format is not specified in the XML.This change in behavior breaks virt-install --import because virtinst inUbuntu 10.04 LTS did not allow for specifying a disk format and does notspecify a format in the XML. This update adds the 'format=' option when [More...] http://www.linuxsecurity.com/content/view/153543 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------