Linux Advisory Watch: January 6th, 2012

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| January 6th, 2012                                Volume 13, Number 1 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The 
purpose of this document is to provide our readers with a quick summary of 
each week's vendor security bulletins and pointers on methods to improve 
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be 
sure to read through to find the updates your distributor have made 
available.

Password guessing as an attack vector
-------------------------------------
Using password guessing as an attack vector. Over the years we've been
taught a strong password must be long and complex to be considered
secure. Some of us have taken that notion to heart and always ensure
our passwords are strong. But some don't give a second thought to the
complexity or length of our password.

http://www.linuxsecurity.com/content/view/156412

------------------------------------------------------------------------
* Debian: 2381-1: squid3: invalid memory deallocation (Jan 6)
   -----------------------------------------------------------
   It was discovered that the IPv6 support code in Squid does not
   properly handle certain DNS responses, resulting in deallocation of
   an invalid pointer and a daemon crash. [More...]

   http://www.linuxsecurity.com/content/view/156522

* Debian: 2380-1: foomatic-filters: shell command injection (Jan 4)
   -----------------------------------------------------------------
   It was discovered that the foomatic-filters, a support package for
   setting up printers, allowed authenticated users to submit crafted
   print jobs which would execute shell commands on the print servers.
   [More...]

   http://www.linuxsecurity.com/content/view/156516

* Debian: 2379-1: krb5: Multiple vulnerabilities (Jan 4)
   ------------------------------------------------------
   It was discovered that the Key Distribution Center (KDC) in Kerberos
   5 crashes when processing certain crafted requests: CVE-2011-1528
   [More...]

   http://www.linuxsecurity.com/content/view/156515

* Debian: 2378-1: ffmpeg: Multiple vulnerabilities (Jan 3)
   --------------------------------------------------------
   Several vulnerabilities have been discovered in ffmpeg, a multimedia
   player, server and encoder. Multiple input validations in the
   decoders for QDM2, VP5, VP6, VMD and SVQ1 files could lead to the
   execution of arbitrary code. [More...]

   http://www.linuxsecurity.com/content/view/156508

* Debian: 2377-1: cyrus-imapd-2.2: NULL pointer dereference (Jan 1)
   -----------------------------------------------------------------
   It was discovered that cyrus-imapd, a highly scalable mail system
   designed for use in enterprise environments, is not properly parsing
   mail headers when a client makes use of the IMAP threading feature.
   As a result, a NULL pointer is dereferenced which crashes the daemon.
   An attacker can trigger [More...]

   http://www.linuxsecurity.com/content/view/156505

* Debian: 2376-2: ipmitool: insecure pid file (Dec 31)
   ----------------------------------------------------
   It was discovered that OpenIPMI, the Intelligent Platform Management
   Interface library and tools, used too wide permissions PID file,
   which allows local users to kill arbitrary processes by writing to
   this file. [More...]

   http://www.linuxsecurity.com/content/view/156503

* Debian: 2263-2: movabletype-opensource: Multiple vulnerabilities (Dec 30)
   -------------------------------------------------------------------------
   Advisory DSA 2363-1 did not include a package for the Debian 5.0
   'Lenny' suite at that time. This update adds that package. The
   original advisory text follows. [More...]

   http://www.linuxsecurity.com/content/view/156499

* Debian: 2376-1: ipmitool: insecure pid file (Dec 30)
   ----------------------------------------------------
   It was discovered that OpenIPMI, the Intelligent Platform Management
   Interface library and tools, used too wide permissions PID file,
   which allows local users to kill arbitrary processes by writing to
   this file. [More...]

   http://www.linuxsecurity.com/content/view/156498

------------------------------------------------------------------------

* Gentoo: 201201-02: MySQL: Multiple vulnerabilities (Jan 5)
   ----------------------------------------------------------
   Multiple vulnerabilities were found in MySQL, some of which may
   allowexecution of arbitrary code.

   http://www.linuxsecurity.com/content/view/156521

* Gentoo: 201201-01: phpMyAdmin: Multiple vulnerabilities (Jan 4)
   ---------------------------------------------------------------
   Multiple vulnerabilities were found in phpMyAdmin, the most severe
   ofwhich allows the execution of arbitrary PHP code.

   http://www.linuxsecurity.com/content/view/156517

------------------------------------------------------------------------

* Mandriva: 2012:002: t1lib (Jan 2)
   ---------------------------------
   A vulnerability has been found and corrected in t1lib: t1lib 5.1.2
   and earlier uses an invalid pointer in conjunction with a dereference
   operation, which allows remote attackers to execute arbitrary code
   via a specially crafted Type 1 font in a PDF document [More...]

   http://www.linuxsecurity.com/content/view/156507

* Mandriva: 2012:001: fcgi (Jan 2)
   --------------------------------
   A vulnerability has been found and corrected in fcgi: The FCGI (aka
   Fast CGI) module 0.70 through 0.73 for Perl, as used by CGI::Fast,
   uses environment variable values from one request during processing
   of a later request, which allows remote attackers to bypass [More...]

   http://www.linuxsecurity.com/content/view/156506

* Mandriva: 2011:198: phpmyadmin (Dec 31)
   ---------------------------------------
   Multiple vulnerabilities has been found and corrected in phpmyadmin:
   Importing a specially-crafted XML file which contains an XML entity
   injection permits to retrieve a local file (limited by the privileges
   of the user running the web server) (CVE-2011-4107). [More...]

   http://www.linuxsecurity.com/content/view/156504

* Mandriva: 2011:197: php (Dec 30)
   --------------------------------
   Multiple vulnerabilities has been discovered and corrected in php:
   Integer overflow in the exif_process_IFD_TAG function in exif.c in
   the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows
   remote attackers to read the contents of arbitrary memory locations
   or [More...]

   http://www.linuxsecurity.com/content/view/156500

------------------------------------------------------------------------

* Ubuntu: 1320-1: FFmpeg vulnerabilities (Jan 5)
   ----------------------------------------------
   FFmpeg could be made to crash or run programs as your login if
   itopened a specially crafted file.

   http://www.linuxsecurity.com/content/view/156520

* Ubuntu: 1319-1: Linux kernel (OMAP4) vulnerabilities (Jan 5)
   ------------------------------------------------------------
   Several security issues were fixed in the kernel.

   http://www.linuxsecurity.com/content/view/156519

* Ubuntu: 1318-1: Linux kernel (FSL-IMX51) vulnerabilities (Jan 5)
   ----------------------------------------------------------------
   Several security issues were fixed in the kernel.

   http://www.linuxsecurity.com/content/view/156518

* Ubuntu: 1317-1: Ghostscript vulnerabilities (Jan 4)
   ---------------------------------------------------
   Ghostscript could be made to crash or run programs as your login if
   itopened a specially crafted file.

   http://www.linuxsecurity.com/content/view/156509
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------



[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux