Linux Advisory Watch: February 18th, 2011

vuln-newsletter-admins@xxxxxxxxxxxxxxxxx · Fri, 18 Feb 2011 21:14:45 -0500 (EST)

+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| February 18th, 2011                              Volume 12, Number 8 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
|                       Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The 
purpose of this document is to provide our readers with a quick summary of 
each week's vendor security bulletins and pointers on methods to improve 
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be 
sure to read through to find the updates your distributor have made 
available.

Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.

http://www.linuxsecurity.com/content/view/153159

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
   ----------------------------------------------
   Guardian Digital is happy to announce the release of EnGarde Secure
   Community 3.0.22 (Version 3.0, Release 22).  This release includes
   many updated packages and bug fixes and some feature enhancements to
   the EnGarde Secure Linux Installer and the SELinux policy.

   http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2169-1: telepathy-gabble: insufficient input validati (Feb 16)
   ----------------------------------------------------------------------
   It was discovered that telepathy-gabble, the Jabber/XMMP connection
   manager for the Telepathy framework, is processing google:jingleinfo
   updates without validating their origin. This may allow an attacker
   to trick telepathy-gabble into relaying streamed media data through a
   server of his choice and thus [More...]

   http://www.linuxsecurity.com/content/view/154417

* Debian: 2168-1: openafs: Multiple vulnerabilities (Feb 16)
   ----------------------------------------------------------
   Two vulnerabilities were discovered the distributed filesystem AFS:
   CVE-2011-0430 [More...]

   http://www.linuxsecurity.com/content/view/154416

* Debian: 2167-1: phpmyadmin: sql injection (Feb 16)
   --------------------------------------------------
   It was discovered that phpMyAdmin, a a tool to administer MySQL over
   the web, when the bookmarks feature is enabled, allowed to create a
   bookmarked query which would be executed unintentionally by other
   users. [More...]

   http://www.linuxsecurity.com/content/view/154415

* Debian: 2166-1: chromium-browser: Multiple vulnerabilities (Feb 16)
   -------------------------------------------------------------------
   Several vulnerabilities were discovered in the Chromium browser. The
   Common Vulnerabilities and Exposures project identifies the following
   problems: [More...]

   http://www.linuxsecurity.com/content/view/154408

* Debian: 2165-1: ffmpeg-debian: buffer overflow (Feb 16)
   -------------------------------------------------------
   Several vulnerabilities have been discovered in FFmpeg coders, which
   are used by by MPlayer and other applications. [More...]

   http://www.linuxsecurity.com/content/view/154404

* Debian: 2164-1: shadow: insufficient input sanitiza (Feb 15)
   ------------------------------------------------------------
   Kees Cook discovered that the chfn and chsh utilities do not properly
   sanitize user input that includes newlines. An attacker could use
   this to to corrupt passwd entries and may create users or groups in
   NIS environments. [More...]

   http://www.linuxsecurity.com/content/view/154402

* Debian: 2161-2: openjdk-6: Multiple vulnerabilities (Feb 14)
   ------------------------------------------------------------
   It was discovered that the floating point parser in OpenJDK, an
   implementation of the Java platform, can enter an infinite loop when
   processing certain input strings. Such input strings represent valid
   numbers and can be contained in data supplied by an attacker over the
   [More...]

   http://www.linuxsecurity.com/content/view/154386

* Debian: 2163-1: python-django: Multiple vulnerabilities (Feb 14)
   ----------------------------------------------------------------
   Several vulnerabilities were discovered in the django web development
   framework: CVE-2011-0696 [More...]

   http://www.linuxsecurity.com/content/view/154384

* Debian: 2162-1: openssl: invalid memory access (Feb 14)
   -------------------------------------------------------
   Neel Mehta discovered that an incorrectly formatted ClientHello
   handshake message could cause OpenSSL to parse past the end of the
   message. This allows an attacker to crash an application using
   OpenSSL by triggering an invalid memory access. Additionally, some
   applications may be vulnerable [More...]

   http://www.linuxsecurity.com/content/view/154382

* Debian: 2161-1: openjdk-6: denial of service (Feb 13)
   -----------------------------------------------------
   It was discovered that the floating point parser in OpenJDK, an
   implementation of the Java platform, can enter an infinite loop when
   processing certain input strings. Such input strings represent valid
   numbers and can be contained in data supplied by an attacker over the
   [More...]

   http://www.linuxsecurity.com/content/view/154368

* Debian: 2160-1: tomcat6: Multiple vulnerabilities (Feb 13)
   ----------------------------------------------------------
   Several vulnerabilities were discovered in the Tomcat Servlet and JSP
   engine: CVE-2010-3718 [More...]

   http://www.linuxsecurity.com/content/view/154367

* Debian: 2159-1: vlc: missing input sanitising (Feb 10)
   ------------------------------------------------------
   Dan Rosenberg discovered that insufficient input validation in VLC's
   processing of Matroska/WebM containers could lead to the execution of
   arbitrary code. [More...]

   http://www.linuxsecurity.com/content/view/154346

------------------------------------------------------------------------

* Mandriva: 2011:031: python-django (Feb 18)
   ------------------------------------------
   Multiple vulnerabilities has been found and corrected in
   python-django: Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does
   not properly validate HTTP requests that contain an X-Requested-With
   header, which makes it easier for remote attackers to conduct
   cross-site [More...]

   http://www.linuxsecurity.com/content/view/154434

* Mandriva: 2011:030: tomcat5 (Feb 18)
   ------------------------------------
   Multiple vulnerabilities has been found and corrected in tomcat5:
   When running under a SecurityManager, access to the file system is
   limited but web applications are granted read/write permissions to
   the work directory. This directory is used for a variety of temporary
   [More...]

   http://www.linuxsecurity.com/content/view/154433

* Mandriva: 2011:029: kernel (Feb 17)
   -----------------------------------
   A vulnerability was discovered and corrected in the Linux 2.6 kernel:
   The X.25 implementation does not properly parse facilities, which
   allows remote attackers to cause a denial of service (heap memory
   corruption and panic) or possibly have unspecified other impact via
   malformed data, a different vulnerability [More...]

   http://www.linuxsecurity.com/content/view/154425

* Mandriva: 2011:028: openssl (Feb 15)
   ------------------------------------
   A vulnerability has been found and corrected in openssl: Incorrectly
   formatted ClientHello handshake message could cause OpenSSL to parse
   past the end of the message. This allows an attacker to crash an
   application using OpenSSL by triggering an invalid memory [More...]

   http://www.linuxsecurity.com/content/view/154391

* Mandriva: 2011:027: openoffice.org (Feb 14)
   -------------------------------------------
   Multiple vulnerabilities were discovered and corrected in
   OpenOffice.org: Multiple directory traversal vulnerabilities allow
   remote attackers to overwrite arbitrary files via a .. (dot dot) in
   an entry in an [More...]

   http://www.linuxsecurity.com/content/view/154385

* Mandriva: 2011:026: phpmyadmin (Feb 14)
   ---------------------------------------
   Multiple vulnerabilities were discovered and corrected in phpmyadmin:
   When the files README, ChangeLog or LICENSE have been removed from
   their original place (possibly by the distributor), the scripts used
   to display these files can show their full path, leading to possible
   [More...]

   http://www.linuxsecurity.com/content/view/154377

------------------------------------------------------------------------

* Red Hat: 2011:0281-01: java-1.6.0-openjdk: Important Advisory (Feb 17)
   ----------------------------------------------------------------------
   Updated java-1.6.0-openjdk packages that fix several security issues
   are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat
   Security Response Team has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/154423

* Red Hat: 2011:0282-01: java-1.6.0-sun: Critical Advisory (Feb 17)
   -----------------------------------------------------------------
   Updated java-1.6.0-sun packages that fix several security issues are
   now available for Red Hat Enterprise Linux 4 Extras, and Red Hat
   Enterprise Linux 5 and 6 Supplementary. [More...]

   http://www.linuxsecurity.com/content/view/154424

* Red Hat: 2011:0266-01: fence: Low Advisory (Feb 16)
   ---------------------------------------------------
   An updated fence package that fixes multiple security issues, several
   bugs, and adds two enhancements is now available for Red Hat Cluster
   Suite 4. The Red Hat Security Response Team has rated this update as
   having low [More...]

   http://www.linuxsecurity.com/content/view/154414

* Red Hat: 2011:0264-01: rgmanager: Low Advisory (Feb 16)
   -------------------------------------------------------
   An updated rgmanager package that fixes multiple security issues and
   several bugs is now available for Red Hat Cluster Suite 4. The Red
   Hat Security Response Team has rated this update as having low
   [More...]

   http://www.linuxsecurity.com/content/view/154413

* Red Hat: 2011:0262-01: sendmail: Low Advisory (Feb 16)
   ------------------------------------------------------
   Updated sendmail packages that fix one security issue and three bugs
   are now available for Red Hat Enterprise Linux 4. The Red Hat
   Security Response Team has rated this update as having low [More...]

   http://www.linuxsecurity.com/content/view/154412

* Red Hat: 2011:0265-01: ccs: Low Advisory (Feb 16)
   -------------------------------------------------
   Updated ccs packages that fix one security issue are now available
   for Red Hat Cluster Suite 4. The Red Hat Security Response Team has
   rated this update as having low [More...]

   http://www.linuxsecurity.com/content/view/154411

* Red Hat: 2011:0261-01: bash: Low Advisory (Feb 16)
   --------------------------------------------------
   Updated bash packages that fix one security issue and several bugs
   are now available for Red Hat Enterprise Linux 4. The Red Hat
   Security Response Team has rated this update as having low [More...]

   http://www.linuxsecurity.com/content/view/154409

* Red Hat: 2011:0260-01: python: Low Advisory (Feb 16)
   ----------------------------------------------------
   Updated python packages that fix multiple security issues and three
   bugs are now available for Red Hat Enterprise Linux 4. The Red Hat
   Security Response Team has rated this update as having low [More...]

   http://www.linuxsecurity.com/content/view/154410

* Red Hat: 2011:0257-01: subversion: Moderate Advisory (Feb 15)
   -------------------------------------------------------------
   Updated subversion packages that fix two security issues are now
   available for Red Hat Enterprise Linux 5. The Red Hat Security
   Response Team has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/154399

* Red Hat: 2011:0258-01: subversion: Moderate Advisory (Feb 15)
   -------------------------------------------------------------
   Updated subversion packages that fix three security issues are now
   available for Red Hat Enterprise Linux 6. The Red Hat Security
   Response Team has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/154398

* Red Hat: 2011:0256-01: dhcp: Moderate Advisory (Feb 15)
   -------------------------------------------------------
   Updated dhcp packages that fix one security issue are now available
   for Red Hat Enterprise Linux 6. The Red Hat Security Response Team
   has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/154397

* Red Hat: 2011:0214-01: java-1.6.0-openjdk: Moderate Advisory (Feb 10)
   ---------------------------------------------------------------------
   Updated java-1.6.0-openjdk packages that fix one security issue are
   now available for Red Hat Enterprise Linux 5 and 6. The Red Hat
   Security Response Team has rated this update as having moderate
   [More...]

   http://www.linuxsecurity.com/content/view/154347

------------------------------------------------------------------------

* Slackware: 2011-041-02: expat: Security Update (Feb 10)
   -------------------------------------------------------
   New expat packages are available for Slackware 11.0, 12.0, 12.1,
   12.2, 13.0, 13.1, and -current to fix security issues.  [More
   Info...]

   http://www.linuxsecurity.com/content/view/154351

* Slackware: 2011-041-04: openssl: Security Update (Feb 10)
   ---------------------------------------------------------
   New openssl packages are available for 11.0, 12.0, 12.1, 12.2, 13.0,
   13.1, and -current to fix a security issue.  [More Info...]

   http://www.linuxsecurity.com/content/view/154352

* Slackware: 2011-041-01: apr-util: Security Update (Feb 10)
   ----------------------------------------------------------
   New apr and apr-util packages are available for Slackware 11.0, 12.0,
   12.1, 12.2, 13.0, 13.1, and -current to fix a security issue.  [More
   Info...]

   http://www.linuxsecurity.com/content/view/154348

* Slackware: 2011-041-03: httpd: Security Update (Feb 10)
   -------------------------------------------------------
   New httpd packages are available for Slackware 12.0, 12.1, 12.2,
   13.0, 13.1, and -current to fix security issues.  [More Info...]

   http://www.linuxsecurity.com/content/view/154349

* Slackware: 2011-041-05: sudo: Security Update (Feb 10)
   ------------------------------------------------------
   New sudo packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
   10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a
   security issue.  [More Info...]

   http://www.linuxsecurity.com/content/view/154350

------------------------------------------------------------------------

* SuSE: 2011-009: Flash Player (Feb 14)
   -------------------------------------
   The Adobe Flash Player was updated to the 10.2.152.26 release, fixing
   lots of bugs and security issues. Please also see:
   http://www.adobe.com/support/security/bulletins/apsb11-02.html

   http://www.linuxsecurity.com/content/view/154383

* SuSE: 2011-008: Linux kernel (Feb 11)
   -------------------------------------
   This patch updates the SUSE Linux Enterprise Server 9 kernel to fix
   various security issues and some bugs. Following security issues were
   fixed: CVE-2010-4242: The hci_uart_tty_open function in the HCI UART
   driver (drivers/bluetooth/hci_ldisc.c) in the Linux kernel did not
   verify  [More...]

   http://www.linuxsecurity.com/content/view/154353

------------------------------------------------------------------------

* Ubuntu: 1067-1: Telepathy Gabble vulnerability (Feb 17)
   -------------------------------------------------------
   It was discovered that Gabble did not verify the from field of
   googlejingleinfo updates. This could allow a remote attacker to
   perform manin the middle attacks (MITM) on streamed media. [More...]

   http://www.linuxsecurity.com/content/view/154422

* Ubuntu: 1065-1: shadow vulnerability (Feb 15)
   ---------------------------------------------
   Kees Cook discovered that some shadow utilities did not correctly
   validateuser input. A local attacker could exploit this flaw to
   inject newlines intothe /etc/passwd file. If the system was
   configured to use NIS, this couldlead to existing NIS groups or users
   gaining or losing access to the system,resulting in a denial of
   service or unauthorized access. [More...]

   http://www.linuxsecurity.com/content/view/154401

* Ubuntu: 1063-1: QEMU vulnerability (Feb 14)
   -------------------------------------------
   Neil Wilson discovered that if VNC passwords were blank in
   QEMUconfigurations, access to VNC sessions was allowed without a
   passwordinstead of being disabled. A remote attacker could connect to
   runningVNC sessions of QEMU and directly control the system. By
   default, QEMUdoes not start VNC sessions. [More...]

   http://www.linuxsecurity.com/content/view/154389

* Ubuntu: 1060-1: Exim vulnerabilities (Feb 10)
   ---------------------------------------------
   It was discovered that Exim contained a design flaw in the way it
   processedalternate configuration files. An attacker that obtained
   privileges of the"Debian-exim" user could use an alternate
   configuration file to obtainroot privileges. (CVE-2010-4345)
   [More...]

   http://www.linuxsecurity.com/content/view/154345

------------------------------------------------------------------------

* Pardus: 2011-45: Django: Multiple Vulnerabilities (Feb 14)
   ----------------------------------------------------------
   Multiple vulnerabilities have been fixed in Django.

   http://www.linuxsecurity.com/content/view/154388

* Pardus: 2011-44: Poppler: Integer Overflow (Feb 14)
   ---------------------------------------------------
   A vulnerability has been fixed in poppler, which allows attackers to
   execute arbitrary commands with a specially crafted PDF file.

   http://www.linuxsecurity.com/content/view/154378

* Pardus: 2011-43: Wireshark: Uninitialized Pointer (Feb 14)
   ----------------------------------------------------------
   A vulnerability has been fixed in wireshark, which allows remote
   attackers to cause a denial of service or have unspecified other
   impact

   http://www.linuxsecurity.com/content/view/154376

* Pardus: 2011-42: Pango: Buffer Overflow (Feb 14)
   ------------------------------------------------
   A vulnerability has been fixed in Pango, which can potentially be
   exploited by malicious people to cause a denial of service
   (application crash) or possibly execute arbitrary code.

   http://www.linuxsecurity.com/content/view/154375

* Pardus: : Security Summary: Summary (Feb 14)
   --------------------------------------------
   Multiple vulnerabilities have been fixed in Linux-PAM.

   http://www.linuxsecurity.com/content/view/154374

* Pardus: 2011-40: OpenSSH: Legacy Certificate (Feb 14)
   -----------------------------------------------------
   A vulnerability has been fixed in PostgreSQL, which can potentially
   be exploited by malicious people to obtain sensitive contents or to
   conduct hash collision attacks

   http://www.linuxsecurity.com/content/view/154373

* Pardus: 2011-38: Tomcat: Multiple Vulnerabilities (Feb 14)
   ----------------------------------------------------------
   Multiple vulnerabilities have been fixed in php.

   http://www.linuxsecurity.com/content/view/154371

* Pardus: 2011-39: VLC: Multiple Vulnerabilities (Feb 14)
   -------------------------------------------------------
   Multiple vulnerabilities have been fixed in vlc, which can
   potentially be exploited by malicious people to cause a denial of
   service or possibly execute arbitrary code or commands.

   http://www.linuxsecurity.com/content/view/154372

* Pardus: 2011-37: PostgreSQL: Buffer Overflow (Feb 14)
   -----------------------------------------------------
   A vulnerability has been fixed in PostgreSQL, which can potentially
   be exploited by malicious people to cause a denial of service (crash)
   and possibly execute arbitrary code.

   http://www.linuxsecurity.com/content/view/154370

* Pardus: 2011-36: DHCP: Denial of Service (Feb 14)
   -------------------------------------------------
   A vulnerability has been fixed indhcp, which can be exploited by
   malicious users to cause a DoS (Denial of Service).

   http://www.linuxsecurity.com/content/view/154369

* Pardus: 2011-28: Patch: Arbitrary File (Feb 12)
   -----------------------------------------------
   A vulnerability have been fixed in patch, which allows an attacker to
   create arbitrary files.

   http://www.linuxsecurity.com/content/view/154358

* Pardus: 2011-30: D-BUS: Stack overflow (Feb 12)
   -----------------------------------------------
   A vulnerability have been fixed in d-bus, which allows local users to
   cause a denial of service.

   http://www.linuxsecurity.com/content/view/154359

* Pardus: 2011-27: Chromium: Multiple vulnerabilities (Feb 12)
   ------------------------------------------------------------
   Multiple vulnerabilities have been fixed in chromium-browser.

   http://www.linuxsecurity.com/content/view/154360

* Pardus: 2011-33: HPlib: Stack Overflow (Feb 12)
   -----------------------------------------------
   A vulnerability was found in hplib, which can be exploited by
   malicious people to cause denial of service

   http://www.linuxsecurity.com/content/view/154361

* Pardus: 2011-32: Subversion: Multiple (Feb 12)
   ----------------------------------------------
   A vulnerability was found in subversion, which can be exploited by
   malicious people to cause denial of service

   http://www.linuxsecurity.com/content/view/154362

* Pardus: 2011-34: OpenOffice: Multiple (Feb 12)
   ----------------------------------------------
   Multiple vulnerabilities have been fixed in openoffice.

   http://www.linuxsecurity.com/content/view/154363

* Pardus: 2011-35: PHP: Multiple vulnerabilities (Feb 12)
   -------------------------------------------------------
   Multiple vulnerabilities have been fixed in php.

   http://www.linuxsecurity.com/content/view/154364

* Pardus: 2011-29: Wget: Arbitrary Files (Feb 12)
   -----------------------------------------------
   A vulnerability have been fixed in wget, which allows an remote
   servers to create or ovewrite arbitrary files.

   http://www.linuxsecurity.com/content/view/154365

* Pardus: 2011-31: Sudo: Escalated Escalation (Feb 12)
   ----------------------------------------------------
   A vulnerability was found in sudo, which can be exploited by
   malicious, local users to perform certain actions with escalated
   privileges.

   http://www.linuxsecurity.com/content/view/154366

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------