Linux Advisory Watch: December 17th, 2010

+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| December 17th, 2010                             Volume 11, Number 51 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
|                       Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The 
purpose of this document is to provide our readers with a quick summary of 
each week's vendor security bulletins and pointers on methods to improve 
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be 
sure to read through to find the updates your distributor has made 
available.

Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.

http://www.linuxsecurity.com/content/view/153159

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
   ----------------------------------------------
   Guardian Digital is happy to announce the release of EnGarde Secure
   Community 3.0.22 (Version 3.0, Release 22).  This release includes
   many updated packages and bug fixes and some feature enhancements to
   the EnGarde Secure Linux Installer and the SELinux policy.

   http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2133-1: collectd: denial of service (Dec 13)
   ----------------------------------------------------
   It was discovered that collectd, a statistics collection and
   monitoring daemon, is prone to a denial of service attack via a
   crafted network packet. [More...]

   http://www.linuxsecurity.com/content/view/153938

* Debian: 2132-1: xulrunner: Multiple vulnerabilities (Dec 11)
   ------------------------------------------------------------
   Several remote vulnerabilities have been discovered in Xulrunner, a
   runtime environment for XUL applications. The Common Vulnerabilities
   and Exposures project identifies the following problems: [More...]

   http://www.linuxsecurity.com/content/view/153925

* Debian: 2130-1: bind9: Multiple vulnerabilities (Dec 10)
   --------------------------------------------------------
   Several remote vulnerabilities have been discovered in BIND, an
   implementation of the DNS protocol suite. The Common Vulnerabilities
   and Exposures project identifies the following problems: [More...]

   http://www.linuxsecurity.com/content/view/153922

* Debian: 2131-1: exim4: arbitrary code execution (Dec 10)
   --------------------------------------------------------
   Several vulnerabilities have been found in exim4 that allow a remote
   attacker to execute arbitrary code as root user. Exploits for these
   issues have been seen in the wild. [More...]

   http://www.linuxsecurity.com/content/view/153918

------------------------------------------------------------------------

* Gentoo: 201012-01: Chromium: Multiple vulnerabilities (Dec 17)
   --------------------------------------------------------------
   Multiple vulnerabilities have been reported in Chromium, some of
   which may allow user-assisted execution of arbitrary code.

   http://www.linuxsecurity.com/content/view/153974

------------------------------------------------------------------------

* Mandriva: 2010:257: kernel (Dec 16)
   -----------------------------------
   A vulnerability was discovered and corrected in the Linux 2.6 kernel:
   The setup_arg_pages function in fs/exec.c in the Linux kernel before
   2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly
   restrict the stack memory consumption of the (1) arguments and (2)
   environment [More...]

   http://www.linuxsecurity.com/content/view/153972

* Mandriva: 2010:256: git (Dec 16)
   --------------------------------
   A vulnerability was discovered and corrected in git (gitweb): A
   cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and
   previous versions allows remote attackers to inject arbitrary web
   script or HTML code via f and fp variables (CVE-2010-3906). [More...]

   http://www.linuxsecurity.com/content/view/153960

* Mandriva: 2010:255: php-intl (Dec 15)
   -------------------------------------
   A vulnerability was discovered and corrected in php-intl: Integer
   overflow in the NumberFormatter::getSymbol (aka numfmt_get_symbol)
   function in PHP 5.3.3 and earlier allows context-dependent attackers
   to cause a denial of service (application [More...]

   http://www.linuxsecurity.com/content/view/153952

* Mandriva: 2010:254: php (Dec 15)
   --------------------------------
   This is a maintenance and security update that upgrades php to 5.3.4
   for 2010.0/2010.1. Security Enhancements and Fixes in PHP 5.3.4:
   [More...]

   http://www.linuxsecurity.com/content/view/153951

* Mandriva: 2010:253: bind (Dec 14)
   ---------------------------------
   Multiple vulnerabilities were discovered and corrected in bind: named
   in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and
   9.7.x before 9.7.2-P3 does not properly handle the combination of
   signed negative responses and corresponding RRSIG records in the
   [More...]

   http://www.linuxsecurity.com/content/view/153948

* Mandriva: 2010:252: perl-CGI-Simple (Dec 14)
   --------------------------------------------
   A vulnerability was discovered and corrected in perl-CGI-Simple: CRLF
   injection vulnerability in the header function in (1) CGI.pm before
   3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote
   attackers to inject arbitrary HTTP headers and conduct HTTP [More...]

   http://www.linuxsecurity.com/content/view/153947
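
   The header-function issue above is a classic CRLF injection: a value
   copied from the request into a response header can carry a line break
   that ends that header and starts another one the application never
   meant to send. The Python sketch below is an added example, not CGI.pm
   or CGI::Simple code; the function names and the sample Location value
   are constructed for illustration. It contrasts an unchecked header
   builder with one that refuses control characters, and parses the
   result the way a client would, so the injected header is visible.

```python
import re

CRLF = "\r\n"

# Constructed sample input: a redirect target taken from the request. The
# embedded CR LF ends the Location header; the text after it is read by
# the client as a second header that the application never intended.
EVIL_LOCATION = "/home\r\nSet-Cookie: session=attacker-chosen"


def _field_name(key):
    """Map a keyword such as set_cookie to the wire form Set-Cookie."""
    return key.replace("_", "-").title()


def header_unchecked(content_type="text/html", **fields):
    """Vulnerable builder: values are interpolated into the header block as-is."""
    lines = [f"Content-Type: {content_type}"]
    lines += [f"{_field_name(k)}: {v}" for k, v in fields.items()]
    return CRLF.join(lines) + CRLF + CRLF


class HeaderInjection(ValueError):
    """Raised when a header name or value could terminate the header block."""


_CTL = re.compile(r"[\r\n\x00]")


def header_hardened(content_type="text/html", **fields):
    """Hardened builder: rejects CR, LF and NUL in every name and value."""
    for name, value in [("Content-Type", content_type), *fields.items()]:
        if _CTL.search(name) or _CTL.search(str(value)):
            raise HeaderInjection(f"control character in header field {name!r}")
    return header_unchecked(content_type, **fields)


def parse_header_block(raw):
    """Return the (name, value) pairs a client would extract from the response."""
    head = raw.split(CRLF + CRLF, 1)[0]
    pairs = []
    for line in head.split(CRLF):
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def injection_rejected(**fields):
    """True if the hardened builder refuses the given fields."""
    try:
        header_hardened(**fields)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    for name, value in parse_header_block(header_unchecked(location=EVIL_LOCATION)):
        print(f"client sees header {name}: {value}")
    print("hardened builder rejects it:", injection_rejected(location=EVIL_LOCATION))
```

   Rejecting rather than silently stripping the characters is deliberate:
   a stripped value still reaches the client with a meaning the caller did
   not check, while an exception surfaces the bad input where it can be
   logged. The same check belongs on header names, since a caller that
   builds names from request data has the same problem.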

* Mandriva: 2010:251: firefox (Dec 9)
   -----------------------------------
   Security issues were identified and fixed in firefox: Security
   researchers Yosuke Hasegawa and Masatoshi Kimura reported that the
   x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are
   vulnerable to XSS attacks due to some characters being converted to
   [More...]

   http://www.linuxsecurity.com/content/view/153910

* Mandriva: 2010:250: perl-CGI-Simple (Dec 9)
   -------------------------------------------
   A vulnerability was discovered and corrected in perl-CGI-Simple: The
   multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm
   in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME
   boundary string in multipart/x-mixed-replace content, which allows
   [More...]

   http://www.linuxsecurity.com/content/view/153903
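
   The multipart_init issue above is about a predictable delimiter: when
   the boundary of a multipart/x-mixed-replace stream is fixed and known,
   content an attacker supplies for one part can contain that boundary
   and is then read by the client as an additional, attacker-authored
   part. The Python example below is added here and is not CGI.pm or
   CGI::Simple code; the fixed boundary string, the part renderer, the
   client-side splitter and the attacker payload are all constructed for
   illustration. It shows the forged part appearing when the boundary is
   hardcoded and not appearing when a fresh random boundary is used.

```python
import secrets

CRLF = "\r\n"

# Constructed stand-in for a hardcoded boundary: the weakness is that the
# delimiter is the same in every response and can therefore be guessed.
FIXED_BOUNDARY = "fixed-boundary-0"


def new_boundary(hardcoded):
    """Weak setting: the fixed string. Corrected: 128 bits of fresh randomness."""
    return FIXED_BOUNDARY if hardcoded else "b" + secrets.token_hex(16)


def render_stream(parts, boundary):
    """Render a multipart/x-mixed-replace response from a list of part bodies."""
    out = [f"Content-Type: multipart/x-mixed-replace; boundary={boundary}", ""]
    for body in parts:
        out += [f"--{boundary}", "Content-Type: text/html", "", body]
    out.append(f"--{boundary}--")
    return CRLF.join(out) + CRLF


def client_parts(stream):
    """Split the stream as a client would: on the boundary the headers declare."""
    head, _, body = stream.partition(CRLF + CRLF)
    boundary = head.split("boundary=", 1)[1].strip()
    chunks = body.split(f"--{boundary}")
    # chunks[0] is the empty preamble; the closing marker leaves a chunk starting "--".
    return [c for c in chunks[1:] if not c.startswith("--")]


# Constructed attacker-supplied content for one part: it guesses the fixed
# boundary and embeds a complete extra part after it.
FORGED = (
    "hello" + CRLF
    + "--" + FIXED_BOUNDARY + CRLF
    + "Content-Type: text/html" + CRLF + CRLF
    + "<script>alert(document.cookie)</script>"
)


def forged_part_count(hardcoded):
    """Parts the client sees beyond the single part the server meant to send."""
    stream = render_stream([FORGED], new_boundary(hardcoded))
    return len(client_parts(stream)) - 1


if __name__ == "__main__":
    print("hardcoded boundary, forged parts seen by client:", forged_part_count(True))
    print("random boundary, forged parts seen by client:", forged_part_count(False))
```

   The attacker has to commit to their content before the server picks
   the boundary, so a boundary drawn per response from a CSPRNG cannot be
   guessed in advance; with 128 bits of randomness the chance of it
   occurring in the content by accident is negligible. The boundary still
   travels in a response header, so the header-injection check from the
   earlier CGI header advisory applies to it as well.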

------------------------------------------------------------------------

* Red Hat: 2010:0987-01: java-1.6.0-ibm: Critical Advisory (Dec 15)
   -----------------------------------------------------------------
   Updated java-1.6.0-ibm packages that fix several security issues and
   two bugs are now available for Red Hat Enterprise Linux 4 Extras, and
   Red Hat Enterprise Linux 5 and 6 Supplementary. [More...]

   http://www.linuxsecurity.com/content/view/153959

* Red Hat: 2010:0979-01: openssl: Moderate Advisory (Dec 13)
   ----------------------------------------------------------
   Updated openssl packages that fix one security issue are now
   available for Red Hat Enterprise Linux 6. The Red Hat Security
   Response Team has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/153935

* Red Hat: 2010:0978-01: openssl: Moderate Advisory (Dec 13)
   ----------------------------------------------------------
   Updated openssl packages that fix two security issues are now
   available for Red Hat Enterprise Linux 5. The Red Hat Security
   Response Team has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/153936

* Red Hat: 2010:0976-01: bind: Important Advisory (Dec 13)
   --------------------------------------------------------
   Updated bind packages that fix three security issues are now
   available for Red Hat Enterprise Linux 5. The Red Hat Security
   Response Team has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/153934

* Red Hat: 2010:0975-01: bind: Important Advisory (Dec 13)
   --------------------------------------------------------
   Updated bind packages that fix two security issues are now available
   for Red Hat Enterprise Linux 6. The Red Hat Security Response Team
   has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/153932

* Red Hat: 2010:0977-01: openssl: Moderate Advisory (Dec 13)
   ----------------------------------------------------------
   Updated openssl packages that fix three security issues are now
   available for Red Hat Enterprise Linux 4. The Red Hat Security
   Response Team has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/153933

* Red Hat: 2010:0970-01: exim: Critical Advisory (Dec 10)
   -------------------------------------------------------
   Updated exim packages that fix one security issue are now available
   for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux
   4.7, 5.3, and 5.4 Extended Update Support. [More...]

   http://www.linuxsecurity.com/content/view/153923

* Red Hat: 2010:0967-01: seamonkey: Critical Advisory (Dec 9)
   -----------------------------------------------------------
   Updated seamonkey packages that fix several security issues are now
   available for Red Hat Enterprise Linux 4. The Red Hat Security
   Response Team has rated this update as having critical [More...]

   http://www.linuxsecurity.com/content/view/153908

* Red Hat: 2010:0969-02: thunderbird: Moderate Advisory (Dec 9)
   -------------------------------------------------------------
   An updated thunderbird package that fixes several security issues is
   now available for Red Hat Enterprise Linux 6. The Red Hat Security
   Response Team has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/153909

* Red Hat: 2010:0968-01: thunderbird: Moderate Advisory (Dec 9)
   -------------------------------------------------------------
   An updated thunderbird package that fixes several security issues is
   now available for Red Hat Enterprise Linux 4 and 5. The Red Hat
   Security Response Team has rated this update as having moderate
   [More...]

   http://www.linuxsecurity.com/content/view/153905

* Red Hat: 2010:0966-01: firefox: Critical Advisory (Dec 9)
   ---------------------------------------------------------
   Updated firefox packages that fix several security issues are now
   available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat
   Security Response Team has rated this update as having critical
   [More...]

   http://www.linuxsecurity.com/content/view/153906

------------------------------------------------------------------------

* Slackware: 2010-350-01: bind: Security Update (Dec 16)
   ------------------------------------------------------
   New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
   10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix
   security issues that could allow attackers to successfully query
   private DNS records, or cause a denial of service.  [More Info...]

   http://www.linuxsecurity.com/content/view/153971

* Slackware: 2010-344-01: seamonkey: Security Update (Dec 11)
   -----------------------------------------------------------
   New seamonkey packages are available for Slackware 12.2, 13.0, and
   13.1 to fix security issues.  [More Info...]

   http://www.linuxsecurity.com/content/view/153924

* Slackware: 2010-343-01: mozilla-firefox: Security Update (Dec 10)
   -----------------------------------------------------------------
   New mozilla-firefox packages are available for Slackware 13.0, 13.1,
   and -current to fix security issues.  [More Info...]

   http://www.linuxsecurity.com/content/view/153912

* Slackware: 2010-343-02: mozilla-thunderbird: Security Update (Dec 10)
   ---------------------------------------------------------------------
   New mozilla-thunderbird packages are available for Slackware 13.0,
   13.1, and -current to fix security issues.  [More Info...]

   http://www.linuxsecurity.com/content/view/153913

------------------------------------------------------------------------

* SuSE: 2010-061: IBM Java 1.4.2 (Dec 17)
   ---------------------------------------
   IBM Java 1.4.2 was updated to Service Release 13 Fix Pack 6 to fix
   various bugs and security issues. The following CVEs are tracked for
   this update: CVE-2009-3555 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549
   CVE-2010-3551 CVE-2010-3553 CVE-2010-3556 CVE-2010-3557 CVE-2010-3562
   CVE-2010-3565  [More...]

   http://www.linuxsecurity.com/content/view/153973

* SuSE: 2010-060: Linux kernel (Dec 14)
   -------------------------------------
   This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes
   several security issues and bugs. The following security issues were
   fixed: CVE-2010-3442: Multiple integer overflows in the snd_ctl_new
   function in sound/core/control.c in the Linux kernel before
   [More...]

   http://www.linuxsecurity.com/content/view/153940

* SuSE: 2010-059: exim (Dec 13)
   -----------------------------
   The unprivileged user that exim runs as could tell the exim daemon
   to read a different config file and leverage that to escalate
   privileges to root (CVE-2010-4345).  A buffer overflow in exim
   allowed remote attackers to execute  [More...]

   http://www.linuxsecurity.com/content/view/153926

------------------------------------------------------------------------

* Ubuntu: 1033-1: Eucalyptus vulnerability (Dec 16)
   -------------------------------------------------
   It was discovered that Eucalyptus did not verify password resets
   from the Admin UI correctly. An unauthenticated remote attacker could
   issue password reset requests to gain admin privileges in the
   Eucalyptus environment. [More...]

   http://www.linuxsecurity.com/content/view/153969

* Ubuntu: 1024-2: OpenJDK regression (Dec 14)
   -------------------------------------------
   USN-1024-1 fixed vulnerabilities in OpenJDK. Some of the additional
   backported improvements could interfere with the compilation of
   certain Java software. This update fixes the problem.
   [More...]

   http://www.linuxsecurity.com/content/view/153949

* Ubuntu: 1031-1: ClamAV vulnerabilities (Dec 9)
   ----------------------------------------------
   Arkadiusz Miskiewicz and others discovered that the PDF processing
   code in libclamav improperly validated input. This could allow a
   remote attacker to craft a PDF document that could crash clamav or
   possibly execute arbitrary code. (CVE-2010-4260,
   CVE-2010-4479) [More...]

   http://www.linuxsecurity.com/content/view/153907

* Ubuntu: 1019-1: Firefox and Xulrunner vulnerabilities (Dec 9)
   -------------------------------------------------------------
   Jesse Ruderman, Andreas Gal, Nils, Brian Hackett, and Igor Bukanov
   discovered several memory issues in the browser engine. An attacker
   could exploit these to crash the browser or possibly run arbitrary
   code as the user invoking the program. (CVE-2010-3776,
   CVE-2010-3777, CVE-2010-3778) [More...]

   http://www.linuxsecurity.com/content/view/153904

* Ubuntu: 1030-1: Kerberos vulnerabilities (Dec 9)
   ------------------------------------------------
   It was discovered that Kerberos did not properly determine the
   acceptability of certain checksums. A remote attacker could use
   certain checksums to alter the prompt message, modify a response to a
   Key Distribution Center (KDC) or forge a KRB-SAFE message.
   (CVE-2010-1323) [More...]

   http://www.linuxsecurity.com/content/view/153902

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
