Linux Advisory Watch: November 15th, 2010

+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| November 15th, 2010                             Volume 11, Number 47 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
|                       Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The 
purpose of this document is to provide our readers with a quick summary of 
each week's vendor security bulletins and pointers on methods to improve 
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be 
sure to read through to find the updates your distributor has made 
available.

Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.

http://www.linuxsecurity.com/content/view/153159

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
   ----------------------------------------------
   Guardian Digital is happy to announce the release of EnGarde Secure
   Community 3.0.22 (Version 3.0, Release 22).  This release includes
   many updated packages and bug fixes and some feature enhancements to
   the EnGarde Secure Linux Installer and the SELinux policy.

   http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2038-3: pidgin: Multiple vulnerabilities (Nov 13)
   ---------------------------------------------------------
   The packages for Pidgin released as DSA 2038-2 had a regression, as
   they unintentionally disabled the Silc, Simple, and Yahoo instant
   messaging protocols. This update restores that functionality. For
   reference, the original advisory text is below. [More...]

   http://www.linuxsecurity.com/content/view/153713

------------------------------------------------------------------------

* Mandriva: 2010:231: poppler (Nov 12)
   ------------------------------------
   Multiple vulnerabilities were discovered and corrected in poppler:
   The Gfx::getPos function in the PDF parser in poppler allows
   context-dependent attackers to cause a denial of service (crash) via
   unknown vectors that trigger an uninitialized pointer dereference
   [More...]

   http://www.linuxsecurity.com/content/view/153712

* Mandriva: 2010:230: poppler (Nov 12)
   ------------------------------------
   Multiple vulnerabilities were discovered and corrected in poppler:
   The Gfx::getPos function in the PDF parser in poppler allows
   context-dependent attackers to cause a denial of service (crash) via
   unknown vectors that trigger an uninitialized pointer dereference
   [More...]

   http://www.linuxsecurity.com/content/view/153711

* Mandriva: 2010:227: proftpd (Nov 11)
   ------------------------------------
   Multiple vulnerabilities were discovered and corrected in proftpd:
   Multiple directory traversal vulnerabilities in the mod_site_misc
   module in ProFTPD before 1.3.3c allow remote authenticated users to
   create directories, delete directories, create symlinks, and modify
   [More...]

   http://www.linuxsecurity.com/content/view/153705

* Mandriva: 2010:226: dhcp (Nov 10)
   ---------------------------------
   A vulnerability was discovered and corrected in ISC dhcp: ISC DHCP
   server 4.0 before 4.0.2, 4.1 before 4.1.2, and 4.2 before 4.2.0-P1
   allows remote attackers to cause a denial of service (crash) via a
   DHCPv6 packet containing a Relay-Forward message without an [More...]

   http://www.linuxsecurity.com/content/view/153683

* Mandriva: 2010:225-1: libmbfl (Nov 10)
   --------------------------------------
   A vulnerability was discovered and corrected in libmbfl (php): * Fix
   bug #53273 (mb_strcut() returns garbage with the excessive length
   parameter) (CVE-2010-4156). [More...]

   http://www.linuxsecurity.com/content/view/153674

* Mandriva: 2010:225: libmbfl (Nov 9)
   -----------------------------------
   A vulnerability was discovered and corrected in libmbfl (php): * Fix
   bug #53273 (mb_strcut() returns garbage with the excessive length
   parameter) (CVE-2010-4156). [More...]

   http://www.linuxsecurity.com/content/view/153672

* Mandriva: 2010:224: php (Nov 9)
   -------------------------------
   A vulnerability was discovered and corrected in php: A flaw in
   ext/xml/xml.c could cause a cross-site scripting (XSS) vulnerability
   (CVE-2010-3870). [More...]

   http://www.linuxsecurity.com/content/view/153671

* Mandriva: 2010:223: mysql (Nov 9)
   ---------------------------------
   Multiple vulnerabilities were discovered and corrected in mysql: *
   During evaluation of arguments to extreme-value functions (such as
   LEAST() and GREATEST()), type errors did not propagate properly,
   causing the server to crash (CVE-2010-3833). [More...]

   http://www.linuxsecurity.com/content/view/153669

* Mandriva: 2010:222: mysql (Nov 9)
   ---------------------------------
   Multiple vulnerabilities were discovered and corrected in mysql: *
   Joins involving a table with a unique SET column could cause a
   server crash (CVE-2010-3677). [More...]

   http://www.linuxsecurity.com/content/view/153668

* Mandriva: 2010:155-1: mysql (Nov 8)
   -----------------------------------
   Multiple vulnerabilities have been found and corrected in mysql: MySQL
   before 5.1.48 allows remote authenticated users with alter database
   privileges to cause a denial of service (server crash and database
   loss) via an ALTER DATABASE command with a #mysql50# [More...]

   http://www.linuxsecurity.com/content/view/153659

------------------------------------------------------------------------

* Red Hat: 2010:0867-02: flash-plugin: Critical Advisory (Nov 10)
   ---------------------------------------------------------------
   An updated Adobe Flash Player package that fixes multiple security
   issues is now available for Red Hat Enterprise Linux 6 Supplementary.
   The Red Hat Security Response Team has rated this update as having
   critical [More...]

   http://www.linuxsecurity.com/content/view/153697

* Red Hat: 2010:0866-02: cups: Important Advisory (Nov 10)
   --------------------------------------------------------
   Updated cups packages that fix one security issue are now available
   for Red Hat Enterprise Linux 6. The Red Hat Security Response Team
   has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/153696

* Red Hat: 2010:0864-02: freetype: Important Advisory (Nov 10)
   ------------------------------------------------------------
   Updated freetype packages that fix multiple security issues are now
   available for Red Hat Enterprise Linux 6. The Red Hat Security
   Response Team has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/153695

* Red Hat: 2010:0863-02: krb5: Important Advisory (Nov 10)
   --------------------------------------------------------
   Updated krb5 packages that fix one security issue are now available
   for Red Hat Enterprise Linux 6. The Red Hat Security Response Team
   has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/153694

* Red Hat: 2010:0861-02: firefox: Critical Advisory (Nov 10)
   ----------------------------------------------------------
   Updated firefox packages that fix several security issues are now
   available for Red Hat Enterprise Linux 6. The Red Hat Security
   Response Team has rated this update as having critical [More...]

   http://www.linuxsecurity.com/content/view/153693

* Red Hat: 2010:0873-02: java-1.5.0-ibm: Critical Advisory (Nov 10)
   -----------------------------------------------------------------
   Updated java-1.5.0-ibm packages that fix several security issues are
   now available for Red Hat Enterprise Linux 6 Supplementary. The Red
   Hat Security Response Team has rated this update as having critical
   [More...]

   http://www.linuxsecurity.com/content/view/153691

* Red Hat: 2010:0865-02: java-1.6.0-openjdk: Important Advisory (Nov 10)
   ----------------------------------------------------------------------
   Updated java-1.6.0-openjdk packages that fix several security issues
   and two bugs are now available for Red Hat Enterprise Linux 6. The
   Red Hat Security Response Team has rated this update as having
   [More...]

   http://www.linuxsecurity.com/content/view/153689

* Red Hat: 2010:0859-03: poppler: Important Advisory (Nov 10)
   -----------------------------------------------------------
   Updated poppler packages that fix three security issues are now
   available for Red Hat Enterprise Linux 6. The Red Hat Security
   Response Team has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/153690

* Red Hat: 2010:0862-02: nss: Low Advisory (Nov 10)
   -------------------------------------------------
   Updated nss packages that fix one security issue are now available
   for Red Hat Enterprise Linux 6. The Red Hat Security Response Team
   has rated this update as having low [More...]

   http://www.linuxsecurity.com/content/view/153688

* Red Hat: 2010:0858-03: bzip2: Important Advisory (Nov 10)
   ---------------------------------------------------------
   Updated bzip2 packages that fix one security issue are now available
   for Red Hat Enterprise Linux 6. The Red Hat Security Response Team
   has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/153687

* Red Hat: 2010:0872-02: glibc: Important Advisory (Nov 10)
   ---------------------------------------------------------
   Updated glibc packages that fix two security issues and two bugs are
   now available for Red Hat Enterprise Linux 6. The Red Hat Security
   Response Team has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/153686

* Red Hat: 2010:0842-01: kernel: Important Advisory (Nov 10)
   ----------------------------------------------------------
   Updated kernel packages that fix multiple security issues and several
   bugs are now available for Red Hat Enterprise Linux 6. The Red Hat
   Security Response Team has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/153684

* Red Hat: 2010:0860-02: samba: Critical Advisory (Nov 10)
   --------------------------------------------------------
   Updated samba packages that fix one security issue are now available
   for Red Hat Enterprise Linux 6. The Red Hat Security Response Team
   has rated this update as having critical [More...]

   http://www.linuxsecurity.com/content/view/153685

* Red Hat: 2010:0839-01: kernel: Moderate Advisory (Nov 9)
   --------------------------------------------------------
   Updated kernel packages that fix multiple security issues and several
   bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
   Security Response Team has rated this update as having moderate
   [More...]

   http://www.linuxsecurity.com/content/view/153670

* Red Hat: 2010:0834-01: flash-plugin: Critical Advisory (Nov 8)
   --------------------------------------------------------------
   An updated Adobe Flash Player package that fixes multiple security
   issues is now available for Red Hat Enterprise Linux 4 Extras. The
   Red Hat Security Response Team has rated this update as having
   critical [More...]

   http://www.linuxsecurity.com/content/view/153658

------------------------------------------------------------------------

* Slackware: 2010-317-01: mozilla-thunderbird: Security Update (Nov 14)
   ---------------------------------------------------------------------
   New mozilla-thunderbird packages are available for Slackware 13.0,
   13.1, and -current to fix security issues.  [More Info...]

   http://www.linuxsecurity.com/content/view/153714

------------------------------------------------------------------------

* SuSE: 2010-057: Linux kernel (Nov 11)
   -------------------------------------
   This update of the SUSE Linux Enterprise 11 SP1 fixes three critical
   security issues and some bugs. The following security issues were fixed:
   CVE-2010-3904: A local privilege escalation in RDS sockets allowed
   local attackers to gain root privileges.  [More...]

   http://www.linuxsecurity.com/content/view/153698

* SuSE: 2010-056: Mozilla suite (Nov 8)
   -------------------------------------
   Various Mozilla suite components, including Firefox, were updated to
   fix various bugs and security issues. Mozilla Firefox was updated to
   version 3.6.12. On SUSE Linux Enterprise 10 Service Pack 3, Mozilla
   Firefox was updated to version 3.5.15.  [More...]

   http://www.linuxsecurity.com/content/view/153650

------------------------------------------------------------------------

* Ubuntu: 1017-1: MySQL vulnerabilities (Nov 11)
   ----------------------------------------------
   It was discovered that MySQL incorrectly handled certain requests
   with the UPGRADE DATA DIRECTORY NAME command. An authenticated user
   could exploit this to make MySQL crash, causing a denial of service.
   This issue only affected Ubuntu 9.10 and 10.04 LTS. (CVE-2010-2008)
   [More...]

   http://www.linuxsecurity.com/content/view/153699

* Ubuntu: 1016-1: libxml2 vulnerability (Nov 10)
   ----------------------------------------------
   Bui Quang Minh discovered that libxml2 did not properly process
   XPath namespaces and attributes. If an application using libxml2
   opened a specially crafted XML file, an attacker could cause a denial
   of service or possibly execute code as the user invoking the program.
   [More...]

   http://www.linuxsecurity.com/content/view/153692

* Ubuntu: 1015-1: libvpx vulnerability (Nov 10)
   ---------------------------------------------
   Christoph Diehl discovered that libvpx did not properly perform
   bounds checking. If an application using libvpx opened a specially
   crafted WebM file, an attacker could cause a denial of service or
   possibly execute code as the user invoking the program. [More...]

   http://www.linuxsecurity.com/content/view/153682

* Ubuntu: 1008-4: libvirt regression (Nov 8)
   ------------------------------------------
   USN-1008-1 fixed vulnerabilities in libvirt. The upstream fixes
   for CVE-2010-2238 changed the behavior of libvirt such that the
   domain XML could not specify 'host_device' as the qemu sub-type. While
   libvirt 0.8.3 and later will no longer support specifying this sub-type,
   this update restores the old behavior on Ubuntu 10.04 LTS. [More...]

   http://www.linuxsecurity.com/content/view/153660

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------