+----------------------------------------------------------------------+
| LinuxSecurity.com                              Linux Advisory Watch  |
| February 4th, 2011                             Volume 12, Number 6   |
|                                                                      |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx>              |
|                 Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx>       |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary
of each week's vendor security bulletins and pointers on methods to
improve the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.

Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.
http://www.linuxsecurity.com/content/view/153159

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes many
updated packages and bug fixes and some feature enhancements to the
EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2157-1: postgresql-8.3, postgresql-8.4, postgresql-9.0: buffer overflow (Feb 3)
---------------------------------------------------------------------------------------
It was discovered that PostgreSQL's intarray contrib module does not
properly handle integers with a large number of digits, leading to a
server crash and potentially arbitrary code execution. [More...]
http://www.linuxsecurity.com/content/view/154301

* Debian: 2156-1: pcscd: buffer overflow (Jan 31)
-----------------------------------------------
MWR InfoSecurity identified a buffer overflow in pcscd, middleware to
access a smart card via PC/SC, which could lead to the execution of
arbitrary code. [More...]
http://www.linuxsecurity.com/content/view/154263

* Debian: 2154-2: exim4: privilege escalation / regr (Jan 30)
-----------------------------------------------------------
The updated packages from DSA-2154-1 introduced a regression which
prevented unprivileged users from using 'exim4 -bf' to test filter
configurations. This update fixes this problem. [More...]
http://www.linuxsecurity.com/content/view/154262

* Debian: 2155-1: freetype: Multiple vulnerabilities (Jan 30)
-----------------------------------------------------------
Two buffer overflows were found in the Freetype font library, which
could lead to the execution of arbitrary code. For the stable
distribution (lenny), this problem has been fixed in [More...]
http://www.linuxsecurity.com/content/view/154261

* Debian: 2154-1: exim4: privilege escalation (Jan 30)
----------------------------------------------------
A design flaw (CVE-2010-4345) in exim4 allowed the local Debian-exim
user to obtain root privileges by specifying an alternate configuration
file using the -C option or by using the macro override facility
(-D option). Unfortunately, fixing this vulnerability is not [More...]
http://www.linuxsecurity.com/content/view/154260

* Debian: 2153-1: linux-2.6: privilege escalation/denial (Jan 30)
---------------------------------------------------------------
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leak. The Common Vulnerabilities and Exposures project identifies the
following problems: [More...]
http://www.linuxsecurity.com/content/view/154259

* Debian: 2152-1: hplip: buffer overflow (Jan 27)
-----------------------------------------------
Sebastian Krahmer discovered a buffer overflow in the SNMP discovery
code of the HP Linux Printing and Imaging System, which could result in
the execution of arbitrary code. [More...]
http://www.linuxsecurity.com/content/view/154249

------------------------------------------------------------------------

* Red Hat: 2011:0198-01: postgresql84: Moderate Advisory (Feb 3)
--------------------------------------------------------------
Updated postgresql84 packages that fix one security issue are now
available for Red Hat Enterprise Linux 5. The Red Hat Security Response
Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/154305

* Red Hat: 2011:0197-01: postgresql: Moderate Advisory (Feb 3)
------------------------------------------------------------
Updated postgresql packages that fix one security issue are now
available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat
Security Response Team has rated this update as having moderate
[More...]
http://www.linuxsecurity.com/content/view/154304

* Red Hat: 2011:0195-01: php: Moderate Advisory (Feb 3)
-----------------------------------------------------
Updated php packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6. The Red Hat Security Response
Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/154302

* Red Hat: 2011:0196-01: php53: Moderate Advisory (Feb 3)
-------------------------------------------------------
Updated php53 packages that fix three security issues are now available
for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has
rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/154303

* Red Hat: 2011:0182-01: openoffice.org: Important Advisory (Jan 28)
------------------------------------------------------------------
Updated openoffice.org packages that fix multiple security issues are
now available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/154256

* Red Hat: 2011:0183-01: openoffice.org: Important Advisory (Jan 28)
------------------------------------------------------------------
Updated openoffice.org packages that fix multiple security issues and
one bug are now available for Red Hat Enterprise Linux 6. The Red Hat
Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/154257

* Red Hat: 2011:0180-01: pango: Moderate Advisory (Jan 27)
--------------------------------------------------------
Updated pango and evolution28-pango packages that fix one security
issue are now available for Red Hat Enterprise Linux 4, 5, and 6. The
Red Hat Security Response Team has rated this update as having moderate
[More...]
http://www.linuxsecurity.com/content/view/154246

------------------------------------------------------------------------

* Ubuntu: 1058-1: PostgreSQL vulnerability (Feb 3)
------------------------------------------------
Geoff Keating reported that a buffer overflow exists in the intarray
module's input function for the query_int type. This could allow an
attacker to cause a denial of service or possibly execute arbitrary
code as the postgres user. [More...]
http://www.linuxsecurity.com/content/view/154306

* Ubuntu: 1057-1: Linux kernel vulnerabilities (Feb 3)
----------------------------------------------------
Dave Chinner discovered that the XFS filesystem did not correctly order
inode lookups when exported by NFS. A remote attacker could exploit
this to read or write disk blocks that had changed file assignment or
had become unlinked, leading to a loss of privacy. (CVE-2010-2943)
[More...]
http://www.linuxsecurity.com/content/view/154300

* Ubuntu: 1056-1: OpenOffice.org vulnerabilities (Feb 2)
------------------------------------------------------
Charlie Miller discovered several heap overflows in PPT processing. If
a user or automated system were tricked into opening a specially
crafted PPT document, a remote attacker could execute arbitrary code
with user privileges. Ubuntu 10.10 was not affected. (CVE-2010-2935,
CVE-2010-2936) [More...]
http://www.linuxsecurity.com/content/view/154291

* Ubuntu: 1055-1: OpenJDK vulnerabilities (Feb 1)
-----------------------------------------------
It was discovered that IcedTea for Java did not properly verify
signatures when handling multiply signed or partially signed JAR files,
allowing an attacker to cause code to execute that appeared to come
from a verified source. (CVE-2011-0025) [More...]
http://www.linuxsecurity.com/content/view/154283

* Ubuntu: 1053-1: Subversion vulnerabilities (Feb 1)
--------------------------------------------------
It was discovered that Subversion incorrectly handled certain 'partial
access' privileges in rare scenarios. Remote authenticated users could
use this flaw to obtain sensitive information (revision properties).
This issue only applied to Ubuntu 6.06 LTS. (CVE-2007-2448) [More...]
http://www.linuxsecurity.com/content/view/154282

------------------------------------------------------------------------

* Pardus: 2011-22: CCID: Integer Overflow (Feb 2)
-----------------------------------------------
A flaw was fixed in ccid, which could be exploited by physically
proximate attackers to execute arbitrary code.
http://www.linuxsecurity.com/content/view/154288

* Pardus: 2011-23: VLC: Heap Corruption (Feb 2)
---------------------------------------------
Two vulnerabilities have been identified in VLC Media Player, which
could be exploited by attackers.
http://www.linuxsecurity.com/content/view/154289

* Pardus: 2011-24: pcsc-lite: Buffer Overflow (Feb 2)
---------------------------------------------------
Multiple vulnerabilities have been fixed in pcsclite.
http://www.linuxsecurity.com/content/view/154290

* Pardus: 2011-19: Phpmyadmin: XSS Vulnerability (Jan 31)
-------------------------------------------------------
A cross-site scripting (XSS) vulnerability has been fixed in
phpmyadmin.
http://www.linuxsecurity.com/content/view/154271

* Pardus: 2011-21: Wireshark: Multiple Vulnerabilities (Jan 31)
-------------------------------------------------------------
Multiple vulnerabilities have been fixed in wireshark.
http://www.linuxsecurity.com/content/view/154272

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe, email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------