Linux Advisory Watch: November 18th, 2011

+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| November 18th, 2011                             Volume 12, Number 47 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The 
purpose of this document is to provide our readers with a quick summary of 
each week's vendor security bulletins and pointers on methods to improve 
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be 
sure to read through to find the updates your distributor has made 
available.

Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
--------------------------------------------------------------------
An Interview with a Member of the Chown Group (COG) about the billion
dollar hacking business in China

http://www.linuxsecurity.com/content/view/156163

------------------------------------------------------------------------
* Debian: 2347-1: bind9: improper assert (Nov 16)
   -----------------------------------------------
   It was discovered that BIND, a DNS server, crashes while processing
   certain sequences of recursive DNS queries, leading to a denial of
   service. Authoritative-only server configurations are not affected by
   this issue. [More...]

   http://www.linuxsecurity.com/content/view/156236

* Debian: 2346-2: proftpd-dfsg: Multiple vulnerabilities (Nov 16)
   ---------------------------------------------------------------
   The ProFTPD security update, DSA-2346-1, introduced a regression,
   preventing successful TLS connections. This regression does not
   affect the stable distribution (squeeze), nor the testing and
   unstable distributions. [More...]

   http://www.linuxsecurity.com/content/view/156234

* Debian: 2346-1: proftpd-dfsg: Multiple vulnerabilities (Nov 15)
   ---------------------------------------------------------------
   Several vulnerabilities were discovered in ProFTPD, an FTP server:
   ProFTPD incorrectly uses data from an unencrypted input buffer after
   encryption has been enabled with STARTTLS, an issue [More...]

   http://www.linuxsecurity.com/content/view/156230
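   The STARTTLS issue named in the ProFTPD entry is a buffer-handling bug:
   commands that were already read from the socket in the clear are still
   executed after the TLS handshake, as though the client had sent them
   inside the encrypted session. A man-in-the-middle can therefore append
   its own commands to the victim's plaintext "AUTH TLS" and have the server
   run them under the victim's TLS session. The following added example (a
   simulation written for this digest, not ProFTPD code) models the server's
   read loop with and without the fix, which is to flush the plaintext input
   buffer when the connection upgrades. The STREAM scenario, command names
   and credentials are constructed.

```python
"""Plaintext command injection across STARTTLS, the ProFTPD bug class above,
as a simulation of the server's read loop. Added example, not ProFTPD code."""


def run_session(chunks, flush_on_starttls):
    """Feed each TCP read to a line-oriented command loop.

    Returns one (command, believed, actual) tuple per executed command:
    'believed' is the channel the server thinks protected the command,
    'actual' is the channel the bytes really arrived over."""
    queue = []          # complete lines read from the socket, not yet executed
    partial = b""       # trailing bytes of an incomplete line
    tls = False
    executed = []
    for chunk in chunks:
        arrived_over = "tls" if tls else "plaintext"
        lines = (partial + chunk).split(b"\r\n")
        partial = lines.pop()
        queue.extend((line.decode("ascii", "replace"), arrived_over) for line in lines)
        while queue:
            cmd, actual = queue.pop(0)
            executed.append((cmd, "tls" if tls else "plaintext", actual))
            if cmd.upper() == "AUTH TLS" and not tls:
                tls = True                  # 234 reply and TLS handshake happen here
                if flush_on_starttls:
                    queue.clear()           # the fix: bytes read in the clear are dropped
                    partial = b""
    return executed


def injected_commands(executed):
    """Commands the server treated as TLS-protected although they arrived in the clear."""
    return [cmd for cmd, believed, actual in executed
            if believed == "tls" and actual == "plaintext"]


# Constructed scenario: a man-in-the-middle appends its own commands to the
# victim's plaintext "AUTH TLS" (FTP's STARTTLS) so they are already in the
# server's buffer when the handshake completes. The victim then logs in over TLS.
STREAM = [
    b"AUTH TLS\r\nUSER attacker\r\nPASS owned\r\n",   # one plaintext TCP segment
    b"USER alice\r\n",                               # victim, inside TLS
    b"PASS s3cret\r\n",
]

if __name__ == "__main__":
    for flush in (False, True):
        result = run_session(STREAM, flush_on_starttls=flush)
        print("flush on STARTTLS:", flush, "injected:", injected_commands(result))
```

   Without the flush the server executes "USER attacker" and "PASS owned"
   believing they came over TLS; with it, only the victim's own commands
   reach the command loop after the upgrade. The same check applies to any
   STARTTLS-style protocol (SMTP, IMAP, POP3): anything buffered before the
   handshake must be discarded, not replayed into the encrypted session.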

* Debian: 2345-1: icedove: Multiple vulnerabilities (Nov 11)
   ----------------------------------------------------------
   Several vulnerabilities have been discovered in Icedove, a mail
   client based on Thunderbird. CVE-2011-3647 [More...]

   http://www.linuxsecurity.com/content/view/156211

* Debian: 2344-1: python-django-piston: deserialization vulnerability (Nov 11)
   ----------------------------------------------------------------------------
   It was discovered that the Piston framework deserializes
   untrusted YAML and Pickle data, leading to remote code execution.
   (CVE-2011-4103) The old stable distribution (lenny) does not contain
   a [More...]

   http://www.linuxsecurity.com/content/view/156210
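   The Piston entry above describes the general failure: a deserializer that
   will import and call whatever the byte stream names. The following added
   example (written for this digest, not Piston's or Django's code) shows why
   a Pickle stream is executable code rather than data, and the mitigation
   given in the Python documentation for the cases where pickle cannot be
   avoided: an Unpickler that allow-lists the globals a stream may reference.
   The same rule applies to YAML, where yaml.load with the full loader resolves
   python object tags and yaml.safe_load does not. The Exploit class, the
   marker environment variable and the sample data are constructed for the
   demonstration.

```python
"""Why "deserializes untrusted Pickle" means remote code execution, and the
allow-list mitigation from the Python docs. Added example, not Piston code."""
import io
import importlib
import os
import pickle
from collections import OrderedDict

# The "attacker code" only sets an environment variable, so its execution is
# observable in-process without spawning a shell. Both names are constructed.
MARKER_VAR = "PICKLE_DEMO_EXECUTED"
ATTACKER_CODE = f"__import__('os').environ['{MARKER_VAR}'] = 'yes'"


class Exploit:
    """Its pickled form is not data but an instruction to the unpickler:
    import builtins.exec and call it with ATTACKER_CODE. A real payload
    would name os.system or subprocess.check_output the same way."""

    def __reduce__(self):
        return (exec, (ATTACKER_CODE,))


def build_payload():
    """Bytes an attacker would submit to an API that pickle.loads() its input."""
    return pickle.dumps(Exploit())


def build_benign():
    """Ordinary request data an honest client would send (constructed).
    OrderedDict is used so the stream has to reference a global."""
    return pickle.dumps(OrderedDict([("user", "alice"), ("roles", ["ops"]), ("quota", 10)]))


def code_ran():
    """True once ATTACKER_CODE has executed in this process."""
    return os.environ.get(MARKER_VAR) == "yes"


def unsafe_load(data):
    """The vulnerable pattern: every global the stream names is imported and called."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only allow-listed globals; everything else is an error.
    Plain dict/list/str/int need no global at all, so they pass regardless."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def try_safe_load(data):
    """(True, obj) for an accepted stream, (False, reason) for a rejected one."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    payload = build_payload()
    print("restricted loader:", try_safe_load(payload), "code ran:", code_ran())
    print("restricted loader, benign:", try_safe_load(build_benign()))
    unsafe_load(payload)
    print("pickle.loads:", "code ran:", code_ran())
```

   The restricted loader rejects the payload before exec is ever resolved,
   while pickle.loads runs it during deserialization, before the application
   sees any object. For an API that accepts data from the network the
   stronger fix is to not accept Pickle or full-loader YAML at all and use
   JSON instead; the allow-list is the fallback when the format cannot be
   changed.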

------------------------------------------------------------------------

* Gentoo: 201111-03: OpenTTD: Multiple vulnerabilities (Nov 11)
   -------------------------------------------------------------
   Multiple vulnerabilities were found in OpenTTD which could lead
   to execution of arbitrary code, a Denial of Service, or
   privilege escalation.

   http://www.linuxsecurity.com/content/view/156212

* Gentoo: 201111-04: phpDocumentor: Function call injection (Nov 11)
   ------------------------------------------------------------------
   phpDocumentor bundles Smarty which contains an input sanitation
   flaw, allowing attackers to call arbitrary PHP functions.

   http://www.linuxsecurity.com/content/view/156213

------------------------------------------------------------------------

* Mandriva: 2011:176-1: bind (Nov 17)
   -----------------------------------
   A vulnerability was discovered and corrected in bind: Cache lookup
   could return RRSIG data associated with nonexistent records, leading
   to an assertion failure. [ISC RT #26590] (CVE-2011-4313). [More...]

   http://www.linuxsecurity.com/content/view/156248

* Mandriva: 2011:176: bind (Nov 16)
   ---------------------------------
   A vulnerability was discovered and corrected in bind: Cache lookup
   could return RRSIG data associated with nonexistent records, leading
   to an assertion failure. [ISC RT #26590] (CVE-2011-4313). [More...]

   http://www.linuxsecurity.com/content/view/156238

* Mandriva: 2011:175: poppler (Nov 15)
   ------------------------------------
   Multiple security vulnerabilities have been discovered and corrected
   in poppler: An out-of-bounds reading flaw in the JBIG2 decoder allows
   remote attackers to cause a denial of service (crash) via a crafted
   PDF file [More...]

   http://www.linuxsecurity.com/content/view/156228

* Mandriva: 2011:174: graphite2 (Nov 14)
   --------------------------------------
   Unspecified vulnerabilities were discovered in graphite2 concerning
   specially crafted TTF fonts, which have unknown impact. As a
   preemptive measure the new 1.0.3 version is being provided where this
   is fixed. [More...]

   http://www.linuxsecurity.com/content/view/156219

* Mandriva: 2011:172: libreoffice (Nov 11)
   ----------------------------------------
   Multiple vulnerabilities have been discovered and corrected in
   libreoffice: Stack-based buffer overflow in the Lotus Word Pro import
   filter in LibreOffice before 3.3.3 allows remote attackers to execute
   arbitrary [More...]

   http://www.linuxsecurity.com/content/view/156215

* Mandriva: 2011:171: networkmanager (Nov 11)
   -------------------------------------------
   Security issues were identified and fixed in networkmanager: GNOME
   NetworkManager before 0.8.6 does not properly enforce the auth_admin
   element in PolicyKit, which allows local users to bypass intended
   wireless network sharing restrictions via unspecified vectors
   [More...]

   http://www.linuxsecurity.com/content/view/156214

* Mandriva: 2011:170: java-1.6.0-openjdk (Nov 11)
   -----------------------------------------------
   Security issues were identified and fixed in openjdk (icedtea6) and
   icedtea-web: IcedTea6 prior to 1.10.4 allows remote untrusted Java
   Web Start applications and untrusted Java applets to affect
   confidentiality [More...]

   http://www.linuxsecurity.com/content/view/156209

------------------------------------------------------------------------

* Red Hat: 2011:1458-01: bind: Important Advisory (Nov 17)
   --------------------------------------------------------
   Updated bind packages that fix one security issue are now available
   for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response
   Team has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/156247

* Red Hat: 2011:1459-01: bind97: Important Advisory (Nov 17)
   ----------------------------------------------------------
   Updated bind97 packages that fix one security issue are now available
   for Red Hat Enterprise Linux 5. The Red Hat Security Response Team
   has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/156246

* Red Hat: 2011:1455-01: freetype: Important Advisory (Nov 16)
   ------------------------------------------------------------
   Updated freetype packages that fix multiple security issues are now
   available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat
   Security Response Team has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/156237

* Red Hat: 2011:1445-01: flash-plugin: Critical Advisory (Nov 11)
   ---------------------------------------------------------------
   An updated Adobe Flash Player package that fixes multiple security
   issues is now available for Red Hat Enterprise Linux 5 and 6
   Supplementary. The Red Hat Security Response Team has rated this
   update as having critical [More...]

   http://www.linuxsecurity.com/content/view/156204

------------------------------------------------------------------------

* Ubuntu: 1267-1: FreeType vulnerabilities (Nov 18)
   -------------------------------------------------
   FreeType could be made to crash or run programs as your login if it
   opened a specially crafted font file.

   http://www.linuxsecurity.com/content/view/156250

* Ubuntu: 1266-1: OpenLDAP vulnerability (Nov 17)
   -----------------------------------------------
   An OpenLDAP server could potentially be made to crash if it
   received specially crafted network traffic from an authenticated user.

   http://www.linuxsecurity.com/content/view/156241

* Ubuntu: 1263-1: IcedTea-Web, OpenJDK 6 vulnerabilities (Nov 16)
   ---------------------------------------------------------------
   Multiple OpenJDK 6 and IcedTea-Web vulnerabilities have been fixed.

   http://www.linuxsecurity.com/content/view/156235

* Ubuntu: 1262-1: Light Display Manager vulnerabilities (Nov 15)
   --------------------------------------------------------------
   Several security issues were fixed in Light Display Manager.

   http://www.linuxsecurity.com/content/view/156229

* Ubuntu: 1261-1: Quagga vulnerabilities (Nov 15)
   -----------------------------------------------
   Quagga could be made to crash or run programs if it received
   specially crafted network traffic.

   http://www.linuxsecurity.com/content/view/156222

* Ubuntu: 1260-1: Linux kernel (OMAP4) vulnerability (Nov 14)
   -----------------------------------------------------------
   A security issue was fixed in the kernel.

   http://www.linuxsecurity.com/content/view/156220

* Ubuntu: 1251-1: Firefox and Xulrunner vulnerabilities (Nov 10)
   --------------------------------------------------------------
   Multiple vulnerabilities have been fixed in Firefox and Xulrunner.

   http://www.linuxsecurity.com/content/view/156203

* Ubuntu: 1258-1: ClamAV vulnerability (Nov 10)
   ---------------------------------------------
   ClamAV could be made to crash or run programs as your login if it
   opened a specially crafted file.

   http://www.linuxsecurity.com/content/view/156202

* Ubuntu: 1257-1: radvd vulnerabilities (Nov 10)
   ----------------------------------------------
   radvd could be made to crash or overwrite certain files if it
   received specially crafted network traffic.

   http://www.linuxsecurity.com/content/view/156201
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


