+----------------------------------------------------------------------+
|  LinuxSecurity.com                               Linux Advisory Watch |
|  December 24th, 2010                             Volume 11, Number 52 |
|                                                                      |
|  Editorial Team:  Dave Wreski             <dwreski@xxxxxxxxxxxxxxxxx> |
|                   Benjamin D. Thomas      <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary
of each week's vendor security bulletins and pointers on methods to
improve the security posture of your open source system. Vulnerabilities
affect nearly every vendor virtually every week, so be sure to read
through to find the updates your distributor has made available.


Review: The Official Ubuntu Book
--------------------------------

If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.

http://www.linuxsecurity.com/content/view/153159


 --> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
 --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
  ----------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22). This release includes many
  updated packages and bug fixes and some feature enhancements to the
  EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2136-1: tor: buffer overflow (Dec 21)
  ---------------------------------------------
  Willem Pinckaers discovered that Tor, a tool to enable online
  anonymity, does not correctly handle all data read from the network.
  By supplying specially crafted packets a remote attacker can cause Tor
  to overflow its [More...]

  http://www.linuxsecurity.com/content/view/154005

* Debian: 2135-1: xpdf: Multiple vulnerabilities (Dec 21)
  -------------------------------------------------------
  Joel Voss of Leviathan Security Group discovered two vulnerabilities in
  the xpdf rendering engine, which may lead to the execution of arbitrary
  code if a malformed PDF file is opened. [More...]

  http://www.linuxsecurity.com/content/view/154002

* Debian: 2134-1: Security Summary: Summary (Dec 18)
  --------------------------------------------------
  Security Report Summary

  http://www.linuxsecurity.com/content/view/153980

------------------------------------------------------------------------

* Gentoo: 201012-01: Chromium: Multiple vulnerabilities (Dec 17)
  --------------------------------------------------------------
  Multiple vulnerabilities have been reported in Chromium, some of which
  may allow user-assisted execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/153974

------------------------------------------------------------------------

* Mandriva: 2010:251-2: firefox (Dec 24)
  --------------------------------------
  Security issues were identified and fixed in firefox: Security
  researchers Yosuke Hasegawa and Masatoshi Kimura reported that the
  x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are
  vulnerable to XSS attacks due to some characters being converted to
  [More...]

  http://www.linuxsecurity.com/content/view/154026

* Mandriva: 2010:251-1: firefox (Dec 24)
  --------------------------------------
  Security issues were identified and fixed in firefox: Security
  researchers Yosuke Hasegawa and Masatoshi Kimura reported that the
  x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are
  vulnerable to XSS attacks due to some characters being converted to
  [More...]
  http://www.linuxsecurity.com/content/view/154024

* Mandriva: 2010:259: pidgin (Dec 23)
  -----------------------------------
  A null pointer dereference due to receiving a short packet for a direct
  connection in the MSN code could potentially cause a denial of service.
  Packages for 2009.0 are provided as of the Extended Maintenance Program.
  Please visit this link to learn more: [More...]

  http://www.linuxsecurity.com/content/view/154021

* Mandriva: 2010:258: mozilla-thunderbird (Dec 20)
  ------------------------------------------------
  Security issues were identified and fixed in mozilla-thunderbird:
  Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird
  before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 do not
  properly validate downloadable fonts before use within an operating
  [More...]

  http://www.linuxsecurity.com/content/view/153992

* Mandriva: 2010:257: kernel (Dec 16)
  -----------------------------------
  A vulnerability was discovered and corrected in the Linux 2.6 kernel:
  The setup_arg_pages function in fs/exec.c in the Linux kernel before
  2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly restrict
  the stack memory consumption of the (1) arguments and (2) environment
  [More...]

  http://www.linuxsecurity.com/content/view/153972

* Mandriva: 2010:256: git (Dec 16)
  --------------------------------
  A vulnerability was discovered and corrected in git (gitweb): A
  cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and previous
  versions allows remote attackers to inject arbitrary web script or HTML
  code via f and fp variables (CVE-2010-3906). [More...]

  http://www.linuxsecurity.com/content/view/153960

------------------------------------------------------------------------

* Red Hat: 2010:1003-01: git: Moderate Advisory (Dec 21)
  ------------------------------------------------------
  Updated git packages that fix one security issue are now available for
  Red Hat Enterprise Linux 6.
  The Red Hat Security Response Team has rated this update as having
  moderate [More...]

  http://www.linuxsecurity.com/content/view/154004

* Red Hat: 2010:1002-01: mod_auth_mysql: Moderate Advisory (Dec 21)
  -----------------------------------------------------------------
  An updated mod_auth_mysql package that fixes one security issue is now
  available for Red Hat Enterprise Linux 6. The Red Hat Security Response
  Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/154003

* Red Hat: 2010:0999-01: libvpx: Moderate Advisory (Dec 20)
  ---------------------------------------------------------
  Updated libvpx packages that fix one security issue are now available
  for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has
  rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/153995

* Red Hat: 2010:1000-01: bind: Important Advisory (Dec 20)
  --------------------------------------------------------
  Updated bind packages that fix one security issue are now available for
  Red Hat Enterprise Linux 4. The Red Hat Security Response Team has
  rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/153994

* Red Hat: 2010:0998-01: kvm: Low Advisory (Dec 20)
  -------------------------------------------------
  Updated kvm packages that fix one security issue and three bugs are now
  available for Red Hat Enterprise Linux 5. The Red Hat Security Response
  Team has rated this update as having low [More...]

  http://www.linuxsecurity.com/content/view/153993

------------------------------------------------------------------------

* Slackware: 2010-357-01: php: Security Update (Dec 24)
  -----------------------------------------------------
  New php packages are available for Slackware 11.0, 12.0, 12.1, 12.2,
  13.0, 13.1, and -current to fix security issues. [More Info...]
  http://www.linuxsecurity.com/content/view/154022

* Slackware: 2010-357-02: proftpd: Security Update (Dec 24)
  ---------------------------------------------------------
  New proftpd packages are available for Slackware 11.0, 12.0, 12.1,
  12.2, 13.0, 13.1, and -current to fix security issues. [More Info...]

  http://www.linuxsecurity.com/content/view/154023

* Slackware: 2010-350-01: bind: Security Update (Dec 16)
  ------------------------------------------------------
  New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
  10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix
  security issues that could allow attackers to successfully query
  private DNS records, or cause a denial of service. [More Info...]

  http://www.linuxsecurity.com/content/view/153971

------------------------------------------------------------------------

* SuSE: Weekly Summary 2010:024 (Dec 23)
  --------------------------------------
  To avoid flooding mailing lists with SUSE Security Announcements for
  minor issues, SUSE Security releases weekly summary reports for the
  low profile vulnerability fixes. Unlike the SUSE Security Announcements
  that are released for more severe vulnerabilities, the SUSE Security
  Summary Reports do not list download URLs.

  http://www.linuxsecurity.com/content/view/154015

* SuSE: 2010-061: IBM Java 1.4.2 (Dec 17)
  ---------------------------------------
  IBM Java 1.4.2 was updated to Service Release 13 Fix Pack 6 to fix
  various bugs and security issues. The following CVEs are tracked for
  this update: CVE-2009-3555 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549
  CVE-2010-3551 CVE-2010-3553 CVE-2010-3556 CVE-2010-3557 CVE-2010-3562
  CVE-2010-3565 [More...]

  http://www.linuxsecurity.com/content/view/153973

------------------------------------------------------------------------

* Ubuntu: 1033-1: Eucalyptus vulnerability (Dec 16)
  -------------------------------------------------
  It was discovered that Eucalyptus did not verify password resets from
  the Admin UI correctly.
  An unauthenticated remote attacker could issue password reset requests
  to gain admin privileges in the Eucalyptus environment. [More...]

  http://www.linuxsecurity.com/content/view/153969

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

    To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.

------------------------------------------------------------------------
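The Ubuntu Eucalyptus entry above describes a password reset that could be
triggered by an unauthenticated caller who never proved ownership of the
account. The following is an added example, not code from Eucalyptus,
Ubuntu or this newsletter: it puts that class of flaw (a reset endpoint
that trusts the username in the request) beside a reset flow that issues a
random single-use token, stores only the token's hash, and checks it in
constant time with an expiry. The service classes, the account store, the
SHA-256 password placeholder and the 15-minute window are illustrative
assumptions, and the accounts in demo() are constructed sample data.

```python
# Added example: unverified password reset beside a token-verified one.
# Not Eucalyptus code; all names, the account store and the reset window
# are illustrative assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed reset window


@dataclass
class Account:
    name: str
    password_hash: str
    reset_token_hash: Optional[bytes] = None  # hash of the pending token, if any
    reset_expires_at: float = 0.0


def hash_password(password: str) -> str:
    # Placeholder only; a real deployment uses a slow hash (argon2, bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


class UnverifiedResetService:
    """Vulnerable pattern: the request names the account and nothing proves
    the caller owns it, so anyone can choose a new password for 'admin'."""

    def __init__(self, accounts: Dict[str, Account]) -> None:
        self.accounts = accounts

    def reset_password(self, username: str, new_password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        acct.password_hash = hash_password(new_password)
        return True


class VerifiedResetService:
    """Hardened pattern: a two-step flow bound to a secret token that only
    the account owner receives out of band (e.g. by e-mail)."""

    def __init__(self, accounts: Dict[str, Account],
                 now: Callable[[], float] = time.time) -> None:
        self.accounts = accounts
        self.now = now

    def request_reset(self, username: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None:
            return None  # the HTTP response should look the same to avoid enumeration
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
        acct.reset_expires_at = self.now() + TOKEN_TTL_SECONDS
        return token  # delivered to the owner; never echoed to the requester

    def reset_password(self, username: str, token: str, new_password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.reset_token_hash is None:
            return False  # no reset pending: a bare request proves nothing
        if self.now() > acct.reset_expires_at:
            acct.reset_token_hash = None  # expired token is discarded
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, acct.reset_token_hash):
            return False  # wrong token; constant-time compare leaks no prefix
        acct.reset_token_hash = None  # single use
        acct.password_hash = hash_password(new_password)
        return True


def demo() -> Dict[str, bool]:
    """Exercise both services on constructed sample accounts (not real data)."""
    clock = [1_000_000.0]
    now = lambda: clock[0]
    weak = UnverifiedResetService({"admin": Account("admin", hash_password("s3cret"))})
    strong_accounts = {"admin": Account("admin", hash_password("s3cret"))}
    strong = VerifiedResetService(strong_accounts, now)
    results: Dict[str, bool] = {}
    # Attacker supplies only a username: the weak service accepts it.
    results["weak_accepts_unproven_reset"] = weak.reset_password("admin", "pwned")
    # Same request against the hardened service, with no or a guessed token.
    results["strong_rejects_no_token"] = strong.reset_password("admin", "", "pwned")
    results["strong_rejects_guessed_token"] = strong.reset_password("admin", "AAAA", "pwned")
    # Legitimate flow: token delivered out of band, valid exactly once.
    token = strong.request_reset("admin")
    results["strong_rejects_wrong_token"] = strong.reset_password("admin", token + "x", "pwned")
    results["strong_accepts_valid_token"] = strong.reset_password("admin", token, "new-pass")
    results["strong_rejects_replay"] = strong.reset_password("admin", token, "again")
    # A token presented after the window has closed is refused.
    token2 = strong.request_reset("admin")
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["strong_rejects_expired"] = strong.reset_password("admin", token2, "late")
    results["strong_password_is_new"] = (
        strong_accounts["admin"].password_hash == hash_password("new-pass"))
    return results
```

The design point is that the reset endpoint must be given, and must check,
something only the account owner could have obtained; binding the token to
the account, storing only its hash, comparing with hmac.compare_digest and
invalidating it on use or expiry are what turn "anyone can reset admin"
into "only the holder of the mailed link can".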