+----------------------------------------------------------------------+
|  LinuxSecurity.com                            Linux Advisory Watch   |
|  December 3rd, 2010                           Volume 11, Number 49   |
|                                                                      |
|  Editorial Team:  Dave Wreski         <dwreski@xxxxxxxxxxxxxxxxx>    |
|                   Benjamin D. Thomas  <bthomas@xxxxxxxxxxxxxxxxx>    |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

Review: The Official Ubuntu Book
--------------------------------

If you haven't used Linux before, are new to Ubuntu, or would like a quick update on the latest in open source advancements for the desktop, then The Official Ubuntu Book is a great place to start.

http://www.linuxsecurity.com/content/view/153159

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
  ----------------------------------------------

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2129-1: krb5: checksum verification weakn (Dec 1)
  ---------------------------------------------------------

A vulnerability has been found in krb5, the MIT implementation of Kerberos. MIT krb5 clients incorrectly accept unkeyed checksums in the SAM-2 [More...]

http://www.linuxsecurity.com/content/view/153840

* Debian: 2128-1: libxml2: invalid memory access (Dec 1)
  ------------------------------------------------------

Bui Quang Minh discovered that libxml2, a library for parsing and handling XML data files, does not well process a malformed XPATH, causing crash and allowing arbitrary code execution. [More...]

http://www.linuxsecurity.com/content/view/153839

* Debian: 2127-1: wireshark: denial of service (Nov 28)
  -----------------------------------------------------

A flaw has been found in wireshark, a network protocol analyzer. It was found that the ASN.1 BER dissector was susceptible to a stack overflow, causing the application to crash. [More...]

http://www.linuxsecurity.com/content/view/153807

* Debian: 2126-1: linux-2.6: privilege escalation/denial (Nov 26)
  ---------------------------------------------------------------

CVE-2010-2963 Kees Cook discovered an issue in the v4l 32-bit compatibility layer for 64-bit systems that allows local users with /dev/video write permission to [More...]

http://www.linuxsecurity.com/content/view/153806

------------------------------------------------------------------------

* Mandriva: 2010:246: krb5 (Nov 30)
  ---------------------------------

Multiple vulnerabilities were discovered and corrected in krb5: An unauthenticated remote attacker could alter a SAM-2 challenge, affecting the prompt text seen by the user or the kind of response sent to the KDC. Under some circumstances, this can negate the [More...]

http://www.linuxsecurity.com/content/view/153834

* Mandriva: 2010:245: krb5 (Nov 30)
  ---------------------------------

A vulnerability was discovered and corrected in krb5: An unauthenticated remote attacker could alter a SAM-2 challenge, affecting the prompt text seen by the user or the kind of response sent to the KDC. Under some circumstances, this can negate the [More...]

http://www.linuxsecurity.com/content/view/153833

* Mandriva: 2010:244: phpmyadmin (Nov 30)
  ---------------------------------------

A vulnerability has been found and corrected in phpmyadmin: It was possible to conduct an XSS attack using spoofed request on the db search script (CVE-2010-4329). [More...]

http://www.linuxsecurity.com/content/view/153821

* Mandriva: 2010:243: libxml2 (Nov 29)
  ------------------------------------

A vulnerability was discovered and corrected in libxml2: libxml2 before 2.7.8 reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application [More...]

http://www.linuxsecurity.com/content/view/153816

* Mandriva: 2010:242: wireshark (Nov 28)
  --------------------------------------

This advisory updates wireshark to the latest version (1.2.13), fixing one security issue: Heap-based buffer overflow in the dissect_ldss_transfer function (epan/dissectors/packet-ldss.c) in the LDSS dissector in Wireshark [More...]

http://www.linuxsecurity.com/content/view/153808

------------------------------------------------------------------------

* Red Hat: 2010:0936-01: kernel: Important Advisory (Dec 1)
  ---------------------------------------------------------

Updated kernel packages that fix two security issues and multiple bugs are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having [More...]

http://www.linuxsecurity.com/content/view/153846

* Red Hat: 2010:0935-01: java-1.4.2-ibm: Moderate Advisory (Dec 1)
  ----------------------------------------------------------------

Updated java-1.4.2-ibm packages that fix two security issues are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary. [More...]

http://www.linuxsecurity.com/content/view/153845

* Red Hat: 2010:0934-01: acroread: Critical Advisory (Dec 1)
  ----------------------------------------------------------

Updated acroread packages that fix two security issues are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 and 6 Supplementary. [More...]

http://www.linuxsecurity.com/content/view/153844

* Red Hat: 2010:0926-01: krb5: Moderate Advisory (Nov 30)
  -------------------------------------------------------

Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate [More...]

http://www.linuxsecurity.com/content/view/153832

* Red Hat: 2010:0925-01: krb5: Important Advisory (Nov 30)
  --------------------------------------------------------

Updated krb5 packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]

http://www.linuxsecurity.com/content/view/153831

* Red Hat: 2010:0923-01: dhcp: Moderate Advisory (Nov 30)
  -------------------------------------------------------

Updated dhcp packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]

http://www.linuxsecurity.com/content/view/153830

* Red Hat: 2010:0924-01: wireshark: Moderate Advisory (Nov 30)
  ------------------------------------------------------------

Updated wireshark packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]

http://www.linuxsecurity.com/content/view/153829

* Red Hat: 2010:0919-01: php: Moderate Advisory (Nov 29)
  ------------------------------------------------------

Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate [More...]

http://www.linuxsecurity.com/content/view/153818

* Red Hat: 2010:0918-01: cvs: Moderate Advisory (Nov 29)
  ------------------------------------------------------

An updated cvs package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]

http://www.linuxsecurity.com/content/view/153817

------------------------------------------------------------------------

* Slackware: 2010-333-01: cups: Security Update (Nov 29)
  ------------------------------------------------------

New cups packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix security issues. [More Info...]

http://www.linuxsecurity.com/content/view/153819

------------------------------------------------------------------------

* SuSE: Weekly Summary 2010:022 (Nov 30)
  --------------------------------------

To avoid flooding mailing lists with SUSE Security Announcements for minor issues, SUSE Security releases weekly summary reports for the low profile vulnerability fixes. The SUSE Security Summary Reports do not list or download URLs like the SUSE Security Announcements that are released for more severe vulnerabilities. List of vulnerabilities in this summary include: gdm, openssl/libopenssl-devel, poppler/libpoppler4/libpoppler-devel, quagga.

http://www.linuxsecurity.com/content/view/153820

------------------------------------------------------------------------

* Ubuntu: 1025-1: Bind vulnerabilities (Dec 1)
  --------------------------------------------

It was discovered that Bind would incorrectly allow a ncache entry and a rrsig for the same type. A remote attacker could exploit this to cause Bind to crash, resulting in a denial of service. (CVE-2010-3613) [More...]

http://www.linuxsecurity.com/content/view/153838

* Ubuntu: 1024-1: OpenJDK vulnerability (Nov 30)
  ----------------------------------------------

It was discovered that certain system property information was being leaked, which could allow an attacker to obtain sensitive information. [More...]

http://www.linuxsecurity.com/content/view/153828

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.
                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message.

------------------------------------------------------------------------