+----------------------------------------------------------------------+
|  LinuxSecurity.com                             Linux Advisory Watch  |
|  April 22nd, 2011                              Volume 12, Number 17  |
|                                                                      |
|  Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx>             |
|                  Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx>      |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary
of each week's vendor security bulletins and pointers on methods to
improve the security posture of your open source system. Vulnerabilities
affect nearly every vendor virtually every week, so be sure to read
through to find the updates your distributors have made available.

sec-wall: Open Source Security Proxy
------------------------------------

sec-wall, a recently released security proxy, is a one-stop place for
everything related to securing HTTP/HTTPS traffic. It is designed as a
pragmatic solution to securing servers with SSL/TLS certificates,
WS-Security, HTTP Basic/Digest Auth, custom HTTP headers and XPath
expressions, with the option of modifying HTTP headers and URLs on the
fly.

http://www.linuxsecurity.com/content/view/154884

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf  <--

------------------------------------------------------------------------

* Debian: 2224-1: openjdk-6: Multiple vulnerabilities (Apr 20)
  ------------------------------------------------------------
  Several security vulnerabilities were discovered in OpenJDK, an
  implementation of the Java platform. CVE-2010-4351 [More...]

  http://www.linuxsecurity.com/content/view/154915

* Debian: 2223-1: doctrine: SQL injection (Apr 20)
  ------------------------------------------------
  It was discovered that Doctrine, a PHP library for implementing object
  persistence, contains SQL injection vulnerabilities. (CVE-2011-1522)
  The exact impact depends on the application which uses the Doctrine
  library. [More...]

  http://www.linuxsecurity.com/content/view/154913

* Debian: 2222-1: tinyproxy: incorrect ACL processing (Apr 20)
  ------------------------------------------------------------
  Christoph Martin discovered that incorrect ACL processing in TinyProxy,
  a lightweight, non-caching, optionally anonymizing HTTP proxy, could
  lead to unintended network access rights. [More...]

  http://www.linuxsecurity.com/content/view/154912

* Debian: 2221-1: libmojolicious-perl: directory traversal (Apr 19)
  -----------------------------------------------------------------
  Viacheslav Tykhanovskyi discovered a directory traversal vulnerability
  in Mojolicious, a Perl Web Application Framework. The oldstable
  distribution (lenny) doesn't contain libmojolicious-perl. [More...]

  http://www.linuxsecurity.com/content/view/154903

* Debian: 2220-1: request-tracker3.6, request-tracker3.8: Multiple vulnerabilities (Apr 19)
  -----------------------------------------------------------------------------------------
  Several vulnerabilities were discovered in Request Tracker, an issue
  tracking system. CVE-2011-1685 [More...]

  http://www.linuxsecurity.com/content/view/154899

* Debian: 2219-1: xmlsec1: arbitrary file overwrite (Apr 18)
  ----------------------------------------------------------
  Nicolas Gregoire discovered that the XML Security Library xmlsec
  allowed remote attackers to create or overwrite arbitrary files through
  specially crafted XML files using the libxslt output extension and a
  ds:Transform element during signature verification. [More...]

  http://www.linuxsecurity.com/content/view/154889

------------------------------------------------------------------------

* Mandriva: 2011:077: krb5 (Apr 22)
  ---------------------------------
  A vulnerability has been found and corrected in krb5: The
  process_chpw_request function in schpw.c in the password-changing
  functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9
  frees an invalid pointer, which allows remote attackers to execute
  [More...]

  http://www.linuxsecurity.com/content/view/154927

* Mandriva: 2011:076: xrdb (Apr 21)
  ---------------------------------
  A vulnerability has been found and corrected in xrdb: xrdb.c in xrdb
  before 1.0.9 in X.Org X11R7.6 and earlier allows remote attackers to
  execute arbitrary commands via shell metacharacters in a hostname
  obtained from a (1) DHCP or (2) XDMCP message (CVE-2011-0465).
  [More...]

  http://www.linuxsecurity.com/content/view/154921

* Mandriva: 2011:075: kdelibs4 (Apr 20)
  -------------------------------------
  A vulnerability has been found and corrected in kdelibs4: Cross-site
  scripting (XSS) vulnerability in the KHTMLPart::htmlError function in
  khtml/khtml_part.cpp in Konqueror in KDE SC 4.4.0 through 4.6.1 allows
  remote attackers to inject arbitrary web script or [More...]

  http://www.linuxsecurity.com/content/view/154911

------------------------------------------------------------------------

* Red Hat: 2011:0464-01: kdelibs: Moderate Advisory (Apr 21)
  ----------------------------------------------------------
  Updated kdelibs packages that fix two security issues are now available
  for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has
  rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/154923

* Red Hat: 2011:0465-01: kdenetwork: Important Advisory (Apr 21)
  --------------------------------------------------------------
  Updated kdenetwork packages that fix one security issue are now
  available for Red Hat Enterprise Linux 6. The Red Hat Security Response
  Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/154922

* Red Hat: 2011:0455-01: polkit: Important Advisory (Apr 19)
  ----------------------------------------------------------
  Updated polkit packages that fix one security issue are now available
  for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has
  rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/154902

* Red Hat: 2011:0452-01: libtiff: Important Advisory (Apr 18)
  -----------------------------------------------------------
  Updated libtiff packages that fix one security issue are now available
  for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has
  rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/154887

* Red Hat: 2011:0451-01: flash-plugin: Critical Advisory (Apr 18)
  ---------------------------------------------------------------
  An updated Adobe Flash Player package that fixes one security issue is
  now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The
  Red Hat Security Response Team has rated this update as having critical
  [More...]

  http://www.linuxsecurity.com/content/view/154886

* Red Hat: 2011:0447-01: krb5: Moderate Advisory (Apr 14)
  -------------------------------------------------------
  Updated krb5 packages that fix one security issue are now available for
  Red Hat Enterprise Linux 6. The Red Hat Security Response Team has
  rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/154875

------------------------------------------------------------------------

* Slackware: 2011-110-01: rdesktop: Security Update (Apr 22)
  ----------------------------------------------------------
  New rdesktop packages are available for Slackware 11.0, 12.0, 12.1,
  12.2, 13.0, 13.1, and -current to fix a security issue. [More Info...]

  http://www.linuxsecurity.com/content/view/154926

* Slackware: 2011-109-01: polkit: Security Update (Apr 20)
  --------------------------------------------------------
  New polkit packages are available for Slackware 13.1 and -current to
  fix a security issue. [More Info...]

  http://www.linuxsecurity.com/content/view/154906

* Slackware: 2011-108-01: acl: Security Update (Apr 18)
  -----------------------------------------------------
  New acl packages are available for Slackware 11.0, 12.0, 12.1, 12.2,
  13.0, 13.1, and -current to fix a security issue. [More Info...]

  http://www.linuxsecurity.com/content/view/154890

------------------------------------------------------------------------

* SuSE: Weekly Summary 2011:007 (Apr 19)
  --------------------------------------
  To avoid flooding mailing lists with SUSE Security Announcements for
  minor issues, SUSE Security releases weekly summary reports for the
  low-profile vulnerability fixes. The SUSE Security Summary Reports do
  not list download URLs like the SUSE Security Announcements that are
  released for more severe vulnerabilities. The vulnerabilities in this
  summary cover: NetworkManager, OpenOffice_org, apache2-slms,
  dbus-1-glib, dhcp/dhcpcd/dhcp6, freetype2, kbd, krb5, libcgroup,
  libmodplug, libvirt, mailman, moonlight-plugin, nbd, openldap2,
  pure-ftpd, python-feedparser, rsyslog, telepathy-gabble, wireshark.

  http://www.linuxsecurity.com/content/view/154892

* SuSE: 2011-018: flash-player (Apr 18)
  -------------------------------------
  Specially crafted Flash files, as delivered by web sites or as
  .swf files, could exploit the Flash player to execute arbitrary code
  with the privileges of the user viewing these files. CVE-2011-0611 has
  been assigned to this issue.

  http://www.linuxsecurity.com/content/view/154885

* SuSE: 2011-017: Linux kernel (Apr 18)
  -------------------------------------
  The openSUSE 11.2 kernel was updated to fix lots of security issues.
  This will probably be the last 11.2 kernel update released by the SUSE
  Security Team, as our support for 11.2 ends in 1 month. The following
  security issues were fixed: CVE-2011-1493: In the rose networking
  stack, when parsing the [More...]

  http://www.linuxsecurity.com/content/view/154880

------------------------------------------------------------------------

* Ubuntu: 1120-1: tiff vulnerability (Apr 21)
  -------------------------------------------
  http://www.linuxsecurity.com/content/view/154917

* Ubuntu: 1119-1: Linux kernel (OMAP4) vulnerabilities (Apr 20)
  -------------------------------------------------------------
  http://www.linuxsecurity.com/content/view/154914

* Ubuntu: 1117-1: PolicyKit vulnerability (Apr 19)
  ------------------------------------------------
  http://www.linuxsecurity.com/content/view/154905

* Ubuntu: 1116-1: Kerberos vulnerability (Apr 19)
  -----------------------------------------------
  http://www.linuxsecurity.com/content/view/154904

* Ubuntu: 1108-2: DHCP vulnerability (Apr 19)
  -------------------------------------------
  http://www.linuxsecurity.com/content/view/154901

* Ubuntu: 1115-1: language-selector vulnerability (Apr 19)
  --------------------------------------------------------
  http://www.linuxsecurity.com/content/view/154900

* Ubuntu: 1113-1: Postfix vulnerabilities (Apr 18)
  ------------------------------------------------
  http://www.linuxsecurity.com/content/view/154888

------------------------------------------------------------------------

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.

------------------------------------------------------------------------