Linux Advisory Watch: November 5th, 2010

+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| November 5th, 2010                              Volume 11, Number 45 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
|                       Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The 
purpose of this document is to provide our readers with a quick summary of 
each week's vendor security bulletins and pointers on methods to improve 
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be 
sure to read through to find the updates your distributor has made 
available.

Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.

http://www.linuxsecurity.com/content/view/153159

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
   ----------------------------------------------
   Guardian Digital is happy to announce the release of EnGarde Secure
   Community 3.0.22 (Version 3.0, Release 22).  This release includes
   many updated packages and bug fixes and some feature enhancements to
   the EnGarde Secure Linux Installer and the SELinux policy.

   http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2124-1: xulrunner: Multiple vulnerabilities (Nov 1)
   -----------------------------------------------------------
   Several vulnerabilities have been discovered in Xulrunner, the
   component that provides the core functionality of Iceweasel, Debian's
   variant of Mozilla's browser technology. [More...]

   http://www.linuxsecurity.com/content/view/153615

* Debian: 2123-1: nss: Multiple vulnerabilities (Nov 1)
   -----------------------------------------------------
   Several vulnerabilities have been discovered in Mozilla's Network
   Security Services (NSS) library. The Common Vulnerabilities and
   Exposures project identifies the following problems: [More...]

   http://www.linuxsecurity.com/content/view/153613

------------------------------------------------------------------------

* Mandriva: 2010:220: pam (Nov 4)
   -------------------------------
   Multiple vulnerabilities were discovered and corrected in pam: The
   pam_xauth module did not verify the return values of the setuid() and
   setgid() system calls. A local, unprivileged user could use this flaw
   to execute the xauth command with root privileges and make it
   [More...]

   http://www.linuxsecurity.com/content/view/153633

* Mandriva: 2010:202-1: krb5 (Nov 2)
   ----------------------------------
   A vulnerability was discovered and corrected in krb5: The
   merge_authdata function in kdc_authdata.c in the Key Distribution
   Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not
   properly manage an index into an authorization-data list, which
   [More...]

   http://www.linuxsecurity.com/content/view/153621

* Mandriva: 2010:219: mozilla-thunderbird (Nov 1)
   -----------------------------------------------
   A security issue was identified and fixed in mozilla-thunderbird:
   Unspecified vulnerability in Mozilla Firefox 3.5.x through 3.5.14 and
   3.6.x through 3.6.11, when JavaScript is enabled, allows remote
   attackers to execute arbitrary code via unknown vectors, as exploited
   [More...]

   http://www.linuxsecurity.com/content/view/153604

* Mandriva: 2010:218: php (Oct 31)
   --------------------------------
   Multiple vulnerabilities were discovered and corrected in php: Stack
   consumption vulnerability in the filter_var function in PHP 5.2.x
   through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL
   mode is used, allows remote attackers to cause a denial of service
   [More...]

   http://www.linuxsecurity.com/content/view/153602

* Mandriva: 2010:217: dovecot (Oct 30)
   ------------------------------------
   Multiple vulnerabilities were discovered and corrected in dovecot:
   Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the
   admin permission to the owner of each mailbox in a non-public
   namespace, which might allow remote authenticated users to bypass
   intended access [More...]

   http://www.linuxsecurity.com/content/view/153601

* Mandriva: 2010:216: python (Oct 30)
   -----------------------------------
   Multiple vulnerabilities were discovered and corrected in python: The
   asyncore module in Python before 3.2 does not properly handle
   unsuccessful calls to the accept function, and does not have
   accompanying documentation describing how daemon applications should
   [More...]

   http://www.linuxsecurity.com/content/view/153600

* Mandriva: 2010:215: python (Oct 30)
   -----------------------------------
   Multiple vulnerabilities were discovered and corrected in python:
   Buffer underflow in the rgbimg module in Python 2.5 allows remote
   attackers to cause a denial of service (application crash) via a
   large ZSIZE value in a black-and-white (aka B/W) RGB image that
   triggers [More...]

   http://www.linuxsecurity.com/content/view/153599

* Mandriva: 2010:214: kernel (Oct 29)
   -----------------------------------
   A vulnerability was discovered and corrected in the Linux 2.6 kernel:
   A vulnerability in the Linux kernel is caused by insecure allocation
   of user space memory when translating system call inputs to 64-bit. A
   stack pointer underflow can occur when using the
   compat_alloc_user_space [More...]

   http://www.linuxsecurity.com/content/view/153597

* Mandriva: 2010:213: xulrunner (Oct 28)
   --------------------------------------
   A vulnerability was discovered and corrected in xulrunner:
   Unspecified vulnerability in Mozilla Firefox 3.5.x through 3.5.14 and
   3.6.x through 3.6.11, when JavaScript is enabled, allows remote
   attackers to execute arbitrary code via unknown vectors, as exploited
   [More...]

   http://www.linuxsecurity.com/content/view/153579

------------------------------------------------------------------------

* Red Hat: 2010:0825-01: mysql: Moderate Advisory (Nov 3)
   -------------------------------------------------------
   Updated mysql packages that fix multiple security issues are now
   available for Red Hat Enterprise Linux 5. The Red Hat Security
   Response Team has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/153631

* Red Hat: 2010:0824-01: mysql: Moderate Advisory (Nov 3)
   -------------------------------------------------------
   Updated mysql packages that fix three security issues are now
   available for Red Hat Enterprise Linux 4. The Red Hat Security
   Response Team has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/153632

* Red Hat: 2010:0819-01: pam: Moderate Advisory (Nov 1)
   -----------------------------------------------------
   Updated pam packages that fix three security issues are now available
   for Red Hat Enterprise Linux 5. The Red Hat Security Response Team
   has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/153614

* Red Hat: 2010:0811-01: cups: Important Advisory (Oct 28)
   --------------------------------------------------------
   Updated cups packages that fix two security issues are now available
   for Red Hat Enterprise Linux 5. The Red Hat Security Response Team
   has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/153588

* Red Hat: 2010:0812-01: thunderbird: Moderate Advisory (Oct 28)
   --------------------------------------------------------------
   An updated thunderbird package that fixes one security issue is now
   available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security
   Response Team has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/153589

------------------------------------------------------------------------

* Slackware: 2010-305-03: proftpd: Security Update (Nov 1)
   --------------------------------------------------------
   New proftpd packages are available for Slackware 11.0, 12.0, 12.1,
   12.2, 13.0, 13.1, and -current to fix a security issue.  [More
   Info...]

   http://www.linuxsecurity.com/content/view/153617

* Slackware: 2010-305-02: pidgin: Security Update (Nov 1)
   -------------------------------------------------------
   New pidgin packages are available for Slackware 12.0, 12.1, 12.2,
   13.0, 13.1, and -current to fix a security issue.  [More Info...]

   http://www.linuxsecurity.com/content/view/153616

* Slackware: 2010-305-01: seamonkey: Security Update (Nov 1)
   ----------------------------------------------------------
   New seamonkey packages are available for Slackware 12.2, 13.0, 13.1,
   and -current to fix security issues.  [More Info...]

   http://www.linuxsecurity.com/content/view/153603

* Slackware: 2010-301-01: glibc: Security Update (Oct 29)
   -------------------------------------------------------
   New glibc packages are available for Slackware 12.0, 12.1, 12.2,
   13.0, 13.1, and -current to fix a security issue.  [More Info...]

   http://www.linuxsecurity.com/content/view/153592

* Slackware: 2010-301-02: mozilla-firefox: Security Update (Oct 29)
   -----------------------------------------------------------------
   New mozilla-firefox packages are available for Slackware 13.0, 13.1,
   and -current to fix security issues.  [More Info...]

   http://www.linuxsecurity.com/content/view/153591

------------------------------------------------------------------------

* SuSE: 2010-055: flash-player (Nov 5)
   ------------------------------------
   Adobe Flash Player was updated to version 10.1.102.64 to fix a
   critical security issue.

   http://www.linuxsecurity.com/content/view/153641

* SuSE: Weekly Summary 2010:020 (Nov 3)
   -------------------------------------
   To avoid flooding mailing lists with SUSE Security Announcements for
   minor issues, SUSE Security releases weekly summary reports for the
   low profile vulnerability fixes. The SUSE Security Summary Reports do
   not list or download URLs like the SUSE Security Announcements that
   are released for more severe vulnerabilities.  The list of
   vulnerabilities in this summary includes: NetworkManager, bind,
   clamav, dovecot12, festival, gpg2, libfreebl3, php5-pear-mail,
   postgresql.

   http://www.linuxsecurity.com/content/view/153630

* SuSE: 2010-054: Linux kernel (Nov 3)
   ------------------------------------
   This security update of the SUSE Linux Enterprise 11 GA and openSUSE
   11.1 kernel updates the kernel to 2.6.27.54 and fixes various
   security issues and other bugs. The SUSE Linux Enterprise Server 11
   kernel was released last week, the openSUSE 11.1 kernel with the same
   source base yesterday.  [More...]

   http://www.linuxsecurity.com/content/view/153626

* SuSE: 2010-053: Linux kernel (Oct 28)
   -------------------------------------
   The openSUSE 11.2 and 11.3 kernels were updated to fix 2 critical
   security issues and some small bugs. The following security issues
   were fixed: CVE-2010-3904: A local privilege escalation in RDS
   sockets allowed local attackers to gain root privileges.  [More...]

   http://www.linuxsecurity.com/content/view/153580

* SuSE: 2010-052: glibc (Oct 28)
   ------------------------------
   The Linux C library glibc was updated to fix critical security issues
   and several bugs: CVE-2010-3847: Decoding of the $ORIGIN special
   value in various LD_ environment variables allowed local attackers to
   execute code in context of e.g. setuid root programs, elevating
   privileges. This specific issue did not affect SUSE as an assertion
   triggers [More...]

   http://www.linuxsecurity.com/content/view/153578

------------------------------------------------------------------------

* Ubuntu: 1013-1: FreeType vulnerabilities (Nov 4)
   ------------------------------------------------
   Marc Schoenefeld discovered that FreeType did not correctly handle
   certain malformed font files. If a user were tricked into using a
   specially crafted font file, a remote attacker could cause FreeType
   to crash or possibly execute arbitrary code with user privileges.
   This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.10 and 10.04
   LTS. (CVE-2010-3311) [More...]

   http://www.linuxsecurity.com/content/view/153636

* Ubuntu: 1012-1: CUPS vulnerability (Nov 4)
   ------------------------------------------
   Emmanuel Bouillon discovered that CUPS did not properly handle
   certain Internet Printing Protocol (IPP) packets. A remote attacker
   could use this flaw to cause a denial of service or possibly execute
   arbitrary code. In the default installation in Ubuntu 8.04 LTS and
   later, attackers would be isolated by the CUPS AppArmor profile.
   [More...]

   http://www.linuxsecurity.com/content/view/153637

* Ubuntu: 1011-3: Xulrunner vulnerability (Oct 29)
   ------------------------------------------------
   USN-1011-1 fixed a vulnerability in Firefox. This update provides
   the corresponding update for Xulrunner. [More...]

   http://www.linuxsecurity.com/content/view/153590

* Ubuntu: 1010-1: OpenJDK vulnerabilities (Oct 28)
   ------------------------------------------------
   Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3
   protocols. If an attacker could perform a man in the middle attack
   at the start of a TLS connection, the attacker could inject arbitrary
   content at the beginning of the user's session. USN-923-1 disabled
   SSL/TLS renegotiation by default; this update implements [More...]

   http://www.linuxsecurity.com/content/view/153587

* Ubuntu: 1011-2: Thunderbird vulnerability (Oct 28)
   --------------------------------------------------
   USN-1011-1 fixed a vulnerability in Firefox. This update provides
   the corresponding update for Thunderbird. [More...]

   http://www.linuxsecurity.com/content/view/153586

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
