+----------------------------------------------------------------------+
|  LinuxSecurity.com                             Linux Advisory Watch  |
|  November 19th, 2010                           Volume 11, Number 47  |
|                                                                      |
|  Editorial Team:  Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx>            |
|                   Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx>     |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary
of each week's vendor security bulletins and pointers on methods to
improve the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributors have made
available.


Review: Zabbix 1.8 Network Monitoring
-------------------------------------

If you have anything more than a small home network, you need to be
monitoring the status of your systems to ensure they are providing the
services they were designed to provide.

  http://www.linuxsecurity.com/content/view/152990


  -->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
  -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf  <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
  ----------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes many
  updated packages and bug fixes and some feature enhancements to the
  EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2038-3: pidgin: Multiple vulnerabilities (Nov 13)
  ---------------------------------------------------------
  The packages for Pidgin released as DSA 2038-2 had a regression, as
  they unintentionally disabled the Silc, Simple, and Yahoo instant
  messaging protocols. This update restores that functionality. For
  reference, the original advisory text is below. [More...]

  http://www.linuxsecurity.com/content/view/153713

------------------------------------------------------------------------

* Gentoo: 201011-01: GNU C library: Multiple vulnerabilities (Nov 15)
  -------------------------------------------------------------------
  Multiple vulnerabilities were found in glibc, the worst of which
  allows local attackers to execute arbitrary code as root.

  http://www.linuxsecurity.com/content/view/153725

------------------------------------------------------------------------

* Mandriva: 2010:239: php (Nov 19)
  --------------------------------
  A possible double free flaw was found in the imap extension for php
  (CVE-2010-4150). A GC corrupting flaw was found in Zend/zend_gc.c for
  php-5.3.x that under certain circumstances could cause a segmentation
  fault (crash). [More...]

  http://www.linuxsecurity.com/content/view/153761

* Mandriva: 2010:238: openssl (Nov 17)
  ------------------------------------
  A vulnerability was discovered in openssl that causes a race condition
  within the TLS extension parsing code and which can be exploited to
  cause a heap-based buffer overflow (CVE-2010-3864). Packages for
  2009.0 are provided as of the Extended Maintenance [More...]

  http://www.linuxsecurity.com/content/view/153751

* Mandriva: 2010:237: perl-CGI (Nov 16)
  -------------------------------------
  A new version of the CGI Perl module has been released to CPAN, which
  fixes several security bugs which directly affect Bugzilla (these two
  security bugs were first discovered as affecting Bugzilla, then
  identified as being bugs in CGI.pm itself). [More...]

  http://www.linuxsecurity.com/content/view/153738

* Mandriva: 2010:236: freetype2 (Nov 16)
  --------------------------------------
  Multiple vulnerabilities were discovered and corrected in freetype2:
  An error within the "Ins_SHZ()" function in src/truetype/ttinterp.c
  when handling the "SHZ" bytecode instruction can be exploited to cause
  a crash and potentially execute arbitrary code via a specially
  [More...]

  http://www.linuxsecurity.com/content/view/153732

* Mandriva: 2010:235: freetype2 (Nov 16)
  --------------------------------------
  Multiple vulnerabilities were discovered and corrected in freetype2:
  An error exists in the "ft_var_readpackedpoints()" function in
  src/truetype/ttgxvar.c when processing TrueType GX fonts and can be
  exploited to cause a heap-based buffer overflow via a specially
  [More...]

  http://www.linuxsecurity.com/content/view/153730

* Mandriva: 2010:234: cups (Nov 15)
  ---------------------------------
  Multiple vulnerabilities were discovered and corrected in cups:
  Cross-site request forgery (CSRF) vulnerability in the web interface
  in CUPS allows remote attackers to hijack the authentication of
  administrators for requests that change settings (CVE-2010-0540).
  [More...]

  http://www.linuxsecurity.com/content/view/153728

* Mandriva: 2010:233: cups (Nov 15)
  ---------------------------------
  Multiple vulnerabilities were discovered and corrected in cups:
  Cross-site request forgery (CSRF) vulnerability in the web interface
  in CUPS allows remote attackers to hijack the authentication of
  administrators for requests that change settings (CVE-2010-0540).
  [More...]

  http://www.linuxsecurity.com/content/view/153727

* Mandriva: 2010:232: cups (Nov 15)
  ---------------------------------
  Multiple vulnerabilities were discovered and corrected in cups:
  Cross-site request forgery (CSRF) vulnerability in the web interface
  in CUPS allows remote attackers to hijack the authentication of
  administrators for requests that change settings (CVE-2010-0540).
  [More...]

  http://www.linuxsecurity.com/content/view/153726

* Mandriva: 2010:231: poppler (Nov 12)
  ------------------------------------
  Multiple vulnerabilities were discovered and corrected in poppler:
  The Gfx::getPos function in the PDF parser in poppler allows
  context-dependent attackers to cause a denial of service (crash) via
  unknown vectors that trigger an uninitialized pointer dereference
  [More...]

  http://www.linuxsecurity.com/content/view/153712

* Mandriva: 2010:230: poppler (Nov 12)
  ------------------------------------
  Multiple vulnerabilities were discovered and corrected in poppler:
  The Gfx::getPos function in the PDF parser in poppler allows
  context-dependent attackers to cause a denial of service (crash) via
  unknown vectors that trigger an uninitialized pointer dereference
  [More...]

  http://www.linuxsecurity.com/content/view/153711

* Mandriva: 2010:227: proftpd (Nov 11)
  ------------------------------------
  Multiple vulnerabilities were discovered and corrected in proftpd:
  Multiple directory traversal vulnerabilities in the mod_site_misc
  module in ProFTPD before 1.3.3c allow remote authenticated users to
  create directories, delete directories, create symlinks, and modify
  [More...]

  http://www.linuxsecurity.com/content/view/153705

------------------------------------------------------------------------

* Red Hat: 2010:0896-01: thunderbird: Moderate Advisory (Nov 17)
  --------------------------------------------------------------
  An updated thunderbird package that fixes several security issues is
  now available for Red Hat Enterprise Linux 6. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/153750

* Red Hat: 2010:0895-01: systemtap: Moderate Advisory (Nov 17)
  ------------------------------------------------------------
  Updated systemtap packages that fix one security issue are now
  available for Red Hat Enterprise Linux 4. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/153749

* Red Hat: 2010:0894-01: systemtap: Important Advisory (Nov 17)
  -------------------------------------------------------------
  Updated systemtap packages that fix two security issues are now
  available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/153748

* Red Hat: 2010:0893-01: kernel: Important Advisory (Nov 16)
  ----------------------------------------------------------
  Updated kernel packages that fix one security issue and three bugs
  are now available for Red Hat Enterprise Linux 5.3 Extended Update
  Support. The Red Hat Security Response Team has rated this update as
  having [More...]

  http://www.linuxsecurity.com/content/view/153745

* Red Hat: 2010:0889-01: freetype: Important Advisory (Nov 16)
  ------------------------------------------------------------
  Updated freetype packages that fix one security issue are now
  available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat
  Security Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/153743

* Red Hat: 2010:0891-01: pam: Moderate Advisory (Nov 16)
  ------------------------------------------------------
  Updated pam packages that fix three security issues are now available
  for Red Hat Enterprise Linux 6. The Red Hat Security Response Team
  has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/153744

* Red Hat: 2010:0888-01: openssl: Important Advisory (Nov 16)
  -----------------------------------------------------------
  Updated openssl packages that fix one security issue are now
  available for Red Hat Enterprise Linux 6. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/153740

* Red Hat: 2010:0892-01: openswan: Moderate Advisory (Nov 16)
  -----------------------------------------------------------
  Updated openswan packages that fix multiple security issues are now
  available for Red Hat Enterprise Linux 6. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/153741

* Red Hat: 2010:0890-01: pidgin: Moderate Advisory (Nov 16)
  ---------------------------------------------------------
  Updated pidgin packages that fix multiple security issues are now
  available for Red Hat Enterprise Linux 6. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/153742

------------------------------------------------------------------------

* Slackware: 2010-317-01: mozilla-thunderbird: Security Update (Nov 14)
  ---------------------------------------------------------------------
  New mozilla-thunderbird packages are available for Slackware 13.0,
  13.1, and -current to fix security issues. [More Info...]

  http://www.linuxsecurity.com/content/view/153714

------------------------------------------------------------------------

* SuSE: Weekly Summary 2010:021 (Nov 16)
  --------------------------------------
  To avoid flooding mailing lists with SUSE Security Announcements for
  minor issues, SUSE Security releases weekly summary reports for the
  low profile vulnerability fixes. The SUSE Security Summary Reports do
  not list download URLs, unlike the SUSE Security Announcements that
  are released for more severe vulnerabilities. The list of
  vulnerabilities in this summary includes: mysql, dhcp, monotone,
  moodle, openssl/libopenssl-devel, none.

  http://www.linuxsecurity.com/content/view/153731

* SuSE: 2010-057: Linux kernel (Nov 11)
  -------------------------------------
  This update of the SUSE Linux Enterprise 11 SP1 kernel fixes three
  critical security issues and some bugs. The following security issues
  were fixed: CVE-2010-3904: A local privilege escalation in RDS sockets
  allowed local attackers to gain root privileges. [More...]

  http://www.linuxsecurity.com/content/view/153698

------------------------------------------------------------------------

* Ubuntu: 1017-1: MySQL vulnerabilities (Nov 11)
  ----------------------------------------------
  It was discovered that MySQL incorrectly handled certain requests with
  the UPGRADE DATA DIRECTORY NAME command. An authenticated user could
  exploit this to make MySQL crash, causing a denial of service. This
  issue only affected Ubuntu 9.10 and 10.04 LTS. (CVE-2010-2008)
  [More...]

  http://www.linuxsecurity.com/content/view/153699

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.

------------------------------------------------------------------------