+----------------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | March 11th, 2011 Volume 12, Number 11 | | | | Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> | | Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> | +----------------------------------------------------------------------+ Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor have made available. Review: The Official Ubuntu Book -------------------------------- If you haven't used Linux before, are new to Ubuntu, or would like a quick update on the latest in open source advancements for the desktop, then The Official Ubuntu Book is a great place to start. http://www.linuxsecurity.com/content/view/153159 --> Take advantage of the LinuxSecurity.com Quick Reference Card! <-- --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- ------------------------------------------------------------------------ * Debian: 2190-1: wordpress: Multiple vulnerabilities (Mar 11) ------------------------------------------------------------ Two XSS bugs and one potential information disclosure issue were discovered in wordpress, a weblog manager. The Common Vulnerabilities and Exposures project identifies the [More...] http://www.linuxsecurity.com/content/view/154611 * Debian: 2189-1: chromium-browser: Multiple vulnerabilities (Mar 10) ------------------------------------------------------------------- Several vulnerabilities were discovered in the Chromium browser. The Common Vulnerabilities and Exposures project identifies the following problems: [More...] http://www.linuxsecurity.com/content/view/154602 * Debian: 2188-1: webkit: Multiple vulnerabilities (Mar 10) --------------------------------------------------------- Several vulnerabilities have been discovered in webkit, a Web content engine library for Gtk+. The Common Vulnerabilities and Exposures project identifies the following problems: [More...] http://www.linuxsecurity.com/content/view/154598 * Debian: 2187-1: icedove: Multiple vulnerabilities (Mar 10) ---------------------------------------------------------- Several vulnerabilities have been discovered in Icedove, an unbranded version of the Thunderbird mail/news client. CVE-2010-1585 [More...] http://www.linuxsecurity.com/content/view/154597 * Debian: 2186-1: iceweasel: Multiple vulnerabilities (Mar 10) ------------------------------------------------------------ Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian. [More...] http://www.linuxsecurity.com/content/view/154596 * Debian: 2185-1: proftpd-dfsg: integer overflow (Mar 9) ------------------------------------------------------ It was discovered that an integer overflow in the SFTP file transfer module of the ProFTPD daemon could lead to denial of service. The oldstable distribution (lenny) is not affected. [More...] http://www.linuxsecurity.com/content/view/154582 * Debian: 2184-1: isc-dhcp: denial of service (Mar 5) --------------------------------------------------- It was discovered that the ISC DHCPv6 server does not correctly process requests which come from unexpected source addresses, leading to an assertion failure and a daemon crash. [More...] http://www.linuxsecurity.com/content/view/154555 * Debian: 2183-1: nbd: buffer overflow (Mar 5) -------------------------------------------- It was discovered a regression of a buffer overflow (CVE-2005-3534) in nbd, the Network Block Device server, that could allow arbitrary code execution on the NBD server via a large request. [More...] http://www.linuxsecurity.com/content/view/154554 * Debian: 2182-1: logwatch: shell command injection (Mar 4) --------------------------------------------------------- Dominik George discovered that logwatch does not guard against shell meta-characters in crafted log file names (such as those produced by Samba). As a result, an attacker might be able to execute shell commands on the system running logwatch. [More...] http://www.linuxsecurity.com/content/view/154551 * Debian: 2181-1: subversion: denial of service (Mar 4) ----------------------------------------------------- Philip Martin discovered that HTTP-based Subversion servers crash when processing lock requests on repositories which support unauthenticated read access. [More...] http://www.linuxsecurity.com/content/view/154547 * Debian: 2180-1: iceape: Multiple vulnerabilities (Mar 3) -------------------------------------------------------- Several vulnerabilities have been found in the Iceape internet suite, an unbranded version of Seamonkey: CVE-2010-1585 [More...] http://www.linuxsecurity.com/content/view/154546 ------------------------------------------------------------------------ * Mandriva: 2011:044: wireshark (Mar 8) ------------------------------------- This advisory updates wireshark to the latest version (1.2.15), fixing several security issues: Wireshark 1.5.0, 1.4.3, and earlier frees an uninitialized pointer during processing of a .pcap file in the pcap-ng format, which allows [More...] http://www.linuxsecurity.com/content/view/154579 * Mandriva: 2011:043: libtiff (Mar 8) ----------------------------------- A buffer overflow was discovered in libtiff which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF image with CCITT Group 4 encoding (CVE-2011-0192). [More...] http://www.linuxsecurity.com/content/view/154568 * Mandriva: 2011:042: mozilla-thunderbird (Mar 7) ----------------------------------------------- Security issues were identified and fixed in mozilla-thunderbird: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 allow remote attackers to cause [More...] http://www.linuxsecurity.com/content/view/154564 * Mandriva: 2011:041: firefox (Mar 4) ----------------------------------- Cross-site request forgery (CSRF) vulnerability in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, allows remote attackers to hijack the authentication of arbitrary users for requests that were initiated by a plugin and received a 307 redirect to a page on a different web site. (CVE-2011-0059) [More...] http://www.linuxsecurity.com/content/view/154553 * Mandriva: 2011:040: pango (Mar 3) --------------------------------- A vulnerability has been found and corrected in pango: It was discovered that pango did not check for memory reallocation failures in hb_buffer_ensure() function. This could trigger a NULL pointer dereference in hb_buffer_add_glyph(), where possibly untrusted [More...] http://www.linuxsecurity.com/content/view/154541 ------------------------------------------------------------------------ * Red Hat: 2011:0347-01: openldap: Moderate Advisory (Mar 10) ----------------------------------------------------------- Updated openldap packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...] http://www.linuxsecurity.com/content/view/154606 * Red Hat: 2011:0330-01: kernel-rt: Important Advisory (Mar 10) ------------------------------------------------------------- Updated kernel-rt packages that fix multiple security issues and three bugs are now available for Red Hat Enterprise MRG 1.3. The Red Hat Security Response Team has rated this update as having [More...] http://www.linuxsecurity.com/content/view/154605 * Red Hat: 2011:0346-01: openldap: Moderate Advisory (Mar 10) ----------------------------------------------------------- Updated openldap packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...] http://www.linuxsecurity.com/content/view/154604 * Red Hat: 2011:0345-01: qemu-kvm: Moderate Advisory (Mar 10) ----------------------------------------------------------- Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...] http://www.linuxsecurity.com/content/view/154603 * Red Hat: 2011:0337-01: vsftpd: Important Advisory (Mar 9) --------------------------------------------------------- An updated vsftpd package that fixes one security issue is now available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having [More...] http://www.linuxsecurity.com/content/view/154594 * Red Hat: 2011:0335-01: tomcat6: Important Advisory (Mar 9) ---------------------------------------------------------- Updated tomcat6 packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...] http://www.linuxsecurity.com/content/view/154595 * Red Hat: 2011:0336-01: tomcat5: Important Advisory (Mar 9) ---------------------------------------------------------- Updated tomcat5 packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...] http://www.linuxsecurity.com/content/view/154593 * Red Hat: 2011:0332-01: scsi-target-utils: Important Advisory (Mar 9) -------------------------------------------------------------------- An updated scsi-target-utils package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having [More...] http://www.linuxsecurity.com/content/view/154592 * Red Hat: 2011:0328-01: subversion: Moderate Advisory (Mar 8) ------------------------------------------------------------ Updated subversion packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...] http://www.linuxsecurity.com/content/view/154580 * Red Hat: 2011:0327-01: subversion: Moderate Advisory (Mar 8) ------------------------------------------------------------ Updated subversion packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...] http://www.linuxsecurity.com/content/view/154577 * Red Hat: 2011:0329-01: kernel: Important Advisory (Mar 8) --------------------------------------------------------- Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...] http://www.linuxsecurity.com/content/view/154578 * Red Hat: 2011:0324-01: logwatch: Important Advisory (Mar 7) ----------------------------------------------------------- An updated logwatch package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having [More...] http://www.linuxsecurity.com/content/view/154565 ------------------------------------------------------------------------ * Slackware: 2011-070-01: subversion: Security Update (Mar 11) ------------------------------------------------------------ New subversion packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security issue. [More Info...] http://www.linuxsecurity.com/content/view/154608 * Slackware: 2011-068-01: seamonkey: Security Update (Mar 9) ---------------------------------------------------------- New seamonkey packages are available for Slackware 12.2, 13.0, 13.1, and -current to fix security issues. [More Info...] http://www.linuxsecurity.com/content/view/154590 * Slackware: 2011-068-02: mozilla-firefox: Security Update (Mar 9) ---------------------------------------------------------------- New mozilla-firefox packages are available for Slackware 13.0, 13.1, and -current to fix security issues. [More Info...] http://www.linuxsecurity.com/content/view/154591 ------------------------------------------------------------------------ * SuSE: 2011-012: Linux kernel (Mar 8) ------------------------------------ The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.29 and fixes various bugs and security issues. CVE-2010-3875: The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel [More...] http://www.linuxsecurity.com/content/view/154573 * SuSE: 2011-011: acroread (Mar 7) -------------------------------- Specially crafted PDF documents could crash acroread or lead to execution of arbitrary code. acroread was updated to version 9.4.2 to address the issues. http://www.linuxsecurity.com/content/view/154561 ------------------------------------------------------------------------ * Ubuntu: 1087-1: libvpx vulnerability (Mar 11) --------------------------------------------- Chris Evans discovered that libvpx did not properly perform boundschecking. If an application using libvpx opened a specially crafted WebMfile, an attacker could cause a denial of service. [More...] http://www.linuxsecurity.com/content/view/154612 * Ubuntu: 1086-1: Linux kernel (EC2) vulnerabilities (Mar 8) ---------------------------------------------------------- Dan Rosenberg discovered that multiple terminal ioctls did not correctlyinitialize structure memory. A local attacker could exploit this toread portions of kernel stack memory, leading to a loss of privacy.(CVE-2010-4076, CVE-2010-4077) [More...] http://www.linuxsecurity.com/content/view/154581 * Ubuntu: 1049-2: Firefox and Xulrunner vulnerabilities (Mar 7) ------------------------------------------------------------- USN-1049-1 fixed vulnerabilities in Firefox and Xulrunner. That updateintroduced a regression where some Java applets would fail to load. Thisupdate fixes the problem. [More...] http://www.linuxsecurity.com/content/view/154566 * Ubuntu: 1084-1: avahi vulnerability (Mar 7) ------------------------------------------- It was discovered that Avahi incorrectly handled empty UDP packets. Aremote attacker could send a specially-crafted packet and cause Avahi tohang, resulting in a denial of service. [More...] http://www.linuxsecurity.com/content/view/154562 * Ubuntu: 1085-1: tiff vulnerabilities (Mar 7) -------------------------------------------- Sauli Pahlman discovered that the TIFF library incorrectly handled invalidtd_stripbytecount fields. If a user or automated system were tricked intoopening a specially crafted TIFF image, a remote attacker could crash theapplication, leading to a denial of service. This issue only affectedUbuntu 10.04 LTS and 10.10. (CVE-2010-2482) [More...] http://www.linuxsecurity.com/content/view/154563 ------------------------------------------------------------------------ * Pardus: 2011-54: Samba: Memory Corruption (Mar 3) ------------------------------------------------- A vulnerability have been fixed in samba, which allows attackers to cause a denial of service. http://www.linuxsecurity.com/content/view/154540 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------
