Linux Advisory Watch - July 24th 2009
+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| July 24th, 2009 Volume 10, Number 30 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for xulrunner, gst-plugins,
pulseaudito, dbus, fckeditor, mozvoikko, perl-gtk, yelp, ruby, chmsee,
eclipse, epiphany, evoluation, galeon, hulahop, java, miro, firefox,
blam, wxGTK, moin, mediawiki, libtiff, compat, wordpress, poppler,
seamonkey, bluez, net-snmp, dhcp, and pulseaudi. The distributors
include Debian, Fedora, Gentoo, Mandriva, Red Hat, SuSE, Ubuntu, and
Pardus.
---
>> Linux+DVD Magazine <<
In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.
Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!
http://www.linuxsecurity.com/ads/adclick.php?bannerid=26
---
Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" You may not take even a
second to respond. But if I may ask "How much does Google know about
you"? You may instantly reply "Wait... what!? Do they!?" The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.
http://www.linuxsecurity.com/content/view/145939
---
A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.
http://www.linuxsecurity.com/content/view/144088
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: New xulrunner packages fix several vulnerabilities (Jul 23)
-------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/149461
* Debian: New gst-plugins-good0.10 packages fix arbitrary code execution (Jul 19)
-------------------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/149401
* Debian: New pulseaudio packages fix privilege escalation (Jul 18)
-----------------------------------------------------------------
http://www.linuxsecurity.com/content/view/149399
* Debian: New dbus packages fix denial of service (Jul 18)
--------------------------------------------------------
http://www.linuxsecurity.com/content/view/149398
* Debian: New fckeditor packages fix arbitrary code execution (Jul 16)
--------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/149390
------------------------------------------------------------------------
* Fedora 11 Update: (Jul 22)
--------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149456
* Fedora 11 Update: mozvoikko-0.9.7-0.5.rc1.fc11 (Jul 22)
-------------------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149457
* Fedora 11 Update: perl-Gtk2-MozEmbed-0.08-6.fc11.3 (Jul 22)
-----------------------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149458
* Fedora 11 Update: yelp-2.26.0-5.fc11 (Jul 22)
---------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149459
* Fedora 11 Update: ruby-gnome2-0.19.0-3.fc11.1 (Jul 22)
------------------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149460
* Fedora 11 Update: chmsee-1.0.1-9.fc11 (Jul 22)
----------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149444
* Fedora 11 Update: eclipse-3.4.2-13.fc11 (Jul 22)
------------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149445
* Fedora 11 Update: epiphany-2.26.3-2.fc11 (Jul 22)
-------------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149446
* Fedora 11 Update: epiphany-extensions-2.26.1-4.fc11 (Jul 22)
------------------------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149447
* Fedora 11 Update: evolution-rss-0.1.2-11.fc11 (Jul 22)
------------------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149448
* Fedora 11 Update: galeon-2.0.7-12.fc11 (Jul 22)
-----------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149449
* Fedora 11 Update: gnome-python2-extras-2.25.3-5.fc11 (Jul 22)
-------------------------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149450
* Fedora 11 Update: gnome-web-photo-0.7-4.fc11 (Jul 22)
-----------------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149451
* Fedora 11 Update: google-gadgets-0.11.0-2.fc11 (Jul 22)
-------------------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149452
* Fedora 11 Update: hulahop-0.4.9-6.fc11 (Jul 22)
-----------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149453
* Fedora 11 Update: java-1.6.0-openjdk-1.6.0.0-25.b16.fc11 (Jul 22)
-----------------------------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149454
* Fedora 11 Update: Miro-2.0.5-2.fc11 (Jul 22)
--------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149455
* Fedora 11 Update: firefox-3.5.1-1.fc11 (Jul 22)
-----------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149441
* Fedora 11 Update: xulrunner-1.9.1.1-1.fc11 (Jul 22)
---------------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149442
* Fedora 11 Update: blam-1.8.5-12.fc11 (Jul 22)
---------------------------------------------
Update to new upstream Firefox version 3.5.1, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-
vulnerabilities/firefox35.html#firefox3.5.1 Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/149443
* Fedora 10 Update: wxGTK-2.8.10-2.fc10 (Jul 22)
----------------------------------------------
added fix for CVE-2009-2369
http://www.linuxsecurity.com/content/view/149440
* Fedora 11 Update: wxGTK-2.8.10-2.fc11 (Jul 22)
----------------------------------------------
added fix for CVE-2009-2369
http://www.linuxsecurity.com/content/view/149439
* Fedora 10 Update: perl-IO-Socket-SSL-1.26-1.fc10 (Jul 19)
---------------------------------------------------------
This update to version 1.26 fixes an issue where only the prefix of
the hostname was checked if there was no wildcard present, so for
example www.example.org would match a certificate starting with
www.exam.
http://www.linuxsecurity.com/content/view/149415
* Fedora 11 Update: moin-1.8.4-2.fc11 (Jul 19)
--------------------------------------------
This update removes the filemanager directory from the embedded
FCKeditor, it contains code with know security vulnerabilities, even
though that code couldn't be invoked when Moin was used with the
default settings. Moin was probably not affected, but installing this
update is still recommended as a security measure. CVE-2009-2265 is
the related CVE identifier.
http://www.linuxsecurity.com/content/view/149414
* Fedora 11 Update: mediawiki-1.15.1-48.fc11 (Jul 19)
---------------------------------------------------
This update upgrades mediawiki code to 1.15.1 and fixes some path
references. Upstream comments: This is a security and bugfix release
of MediaWiki 1.15.1 and 1.14.1. A cross-site scripting (XSS)
vulnerability was discovered. Only versions 1.14.0, 1.15.0 and
release candidates for those releases are affected.
http://www.linuxsecurity.com/content/view/149413
* Fedora 11 Update: libtiff-3.8.2-14.fc11 (Jul 19)
------------------------------------------------
CVE-2009-2347 libtiff: integer overflows in various inter-color
spaces conversion tools (crash, ACE) Not the same as last week's
libtiff security issue ...
http://www.linuxsecurity.com/content/view/149412
* Fedora 10 Update: compat-wxGTK26-2.6.4-10.fc10 (Jul 19)
-------------------------------------------------------
Added rediffed fix for CVE-2009-2369 as found in wxGTK 2.8.10
http://www.linuxsecurity.com/content/view/149410
* Fedora 11 Update: mingw32-libtiff-3.8.2-17.fc11 (Jul 19)
--------------------------------------------------------
- update upstream URL - Fix some more LZW decoding vulnerabilities
(CVE-2009-2285)
http://www.linuxsecurity.com/content/view/149411
* Fedora 10 Update: moin-1.6.4-3.fc10 (Jul 19)
--------------------------------------------
This update removes the filemanager and _samples directories from the
embedded FCKeditor, they contain code with know security
vulnerabilities, even though that code couldn't be invoked when Moin
was used with the default settings. Moin was probably not affected,
but installing this update is still recommended as a security
measure. CVE-2009-2265 is the related CVE identifier.
http://www.linuxsecurity.com/content/view/149409
* Fedora 11 Update: compat-wxGTK26-2.6.4-10.fc11 (Jul 19)
-------------------------------------------------------
Added rediffed fix for CVE-2009-2369 as found in wxGTK 2.8.10
http://www.linuxsecurity.com/content/view/149407
* Fedora 10 Update: mediawiki-1.15.1-48.fc10 (Jul 19)
---------------------------------------------------
This update upgrades mediawiki code to 1.15.1 and fixes some path
references. Upstream comments: This is a security and bugfix release
of MediaWiki 1.15.1 and 1.14.1. A cross-site scripting (XSS)
vulnerability was discovered. Only versions 1.14.0, 1.15.0 and
release candidates for those releases are affected.
http://www.linuxsecurity.com/content/view/149408
* Fedora 10 Update: wordpress-2.8.1-1.fc10 (Jul 19)
-------------------------------------------------
http://www.linuxsecurity.com/content/view/149406
* Fedora 10 Update: libtiff-3.8.2-14.fc10 (Jul 19)
------------------------------------------------
CVE-2009-2347 libtiff: integer overflows in various inter-color
spaces conversion tools (crash, ACE) Not the same as last week's
libtiff security issue ...
http://www.linuxsecurity.com/content/view/149405
* Fedora 10 Update: mingw32-libtiff-3.8.2-17.fc10 (Jul 19)
--------------------------------------------------------
- update upstream URL - Fix some more LZW decoding
vulnerabilities (CVE-2009-2285) Bugzilla: #511015
http://www.linuxsecurity.com/content/view/149404
* Fedora 11 Update: perl-IO-Socket-SSL-1.26-1.fc11 (Jul 19)
---------------------------------------------------------
This update to version 1.26 fixes an issue where only the prefix of
the hostname was checked if there was no wildcard present, so for
example www.example.org would match a certificate starting with
www.exam.
http://www.linuxsecurity.com/content/view/149402
* Fedora 11 Update: wordpress-2.8.1-1.fc11 (Jul 19)
-------------------------------------------------
http://www.linuxsecurity.com/content/view/149403
* Fedora 10 Update: perl-5.10.0-73.fc10 (Jul 16)
----------------------------------------------
This security update fixes an off-by-one overflow in
Compress::Raw::Zlib (CVE-2009-1391) Moreover, it contains a subtle
change to the configuration that does not affect the Perl interpreter
itself, but fixes the propagation of the chosen options to the
modules. For example, a rebuild of perl-Wx against perl-5.10.0-73
will fix bug 508496.
http://www.linuxsecurity.com/content/view/149385
* Fedora 11 Update: poppler-0.10.7-2.fc11 (Jul 16)
------------------------------------------------
An update to the latest stable upstream release fixing many bugs, as
well as addressing several security issues. Release announcement,
http://lists.freedesktop.org/archives/poppler/2009-May/004721.html
http://www.linuxsecurity.com/content/view/149384
* Fedora 11 Update: seamonkey-1.1.17-1.fc11 (Jul 16)
--------------------------------------------------
Update to upstream version 1.1.17, fixing multiple security flaws:
http://www.mozilla.org/security/known-
vulnerabilities/seamonkey11.html#seamonkey1.1.17
http://www.linuxsecurity.com/content/view/149383
* Fedora 10 Update: seamonkey-1.1.17-1.fc10 (Jul 16)
--------------------------------------------------
Update to upstream version 1.1.17, fixing multiple security flaws:
http://www.mozilla.org/security/known-
vulnerabilities/seamonkey11.html#seamonkey1.1.17
http://www.linuxsecurity.com/content/view/149382
------------------------------------------------------------------------
* Gentoo: Python Integer overflows (Jul 19)
-----------------------------------------
Multiple integer overflows in Python have an unspecified impact.
http://www.linuxsecurity.com/content/view/149419
* Gentoo: Nagios Execution of arbitrary code (Jul 19)
---------------------------------------------------
Multiple vulnerabilities in Nagios may lead to the execution of
arbitrary code.
http://www.linuxsecurity.com/content/view/149418
* Gentoo: Rasterbar libtorrent Directory traversal (Jul 17)
---------------------------------------------------------
A directory traversal vulnerability in Rasterbar libtorrent might
allow a remote attacker to overwrite arbitrary files.
http://www.linuxsecurity.com/content/view/149392
* Gentoo: PulseAudio Local privilege escalation (Jul 16)
------------------------------------------------------
A vulnerability in PulseAudio may allow a local user to execute code
with escalated privileges.
http://www.linuxsecurity.com/content/view/149386
------------------------------------------------------------------------
* Mandriva: Subject: [Security Announce] [ MDVA-2009:132 ] gnome-power-manager (Jul 20)
-------------------------------------------------------------------------------------
The gnome-power-manager package shipped in Mandriva 2009 Spring is
not working without the gnome-session running in user's Desktop
Environment. This update fixes this issue making gnome-power-manager
work fine even if gnome-session is not started.
http://www.linuxsecurity.com/content/view/149426
* Mandriva: Subject: [Security Announce] [ MDVA-2009:131 ] bluez (Jul 19)
-----------------------------------------------------------------------
In mandriva 2009.1 the bluetooth alsa plugins were installed on the
root lib dir. This prevent A2DP bluetooth devices from working
because they search those libs on the standart lib directory.
http://www.linuxsecurity.com/content/view/149424
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:157 ] perl-Compress-Raw-Zlib (Jul 19)
-----------------------------------------------------------------------------------------
A vulnerability has been found and corrected in
perl-Compress-Raw-Zlib: Off-by-one error in the inflate function in
Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in
AMaViS, SpamAssassin, and possibly other products, allows
context-dependent attackers to cause a denial of service (hang or
crash) via a crafted zlib compressed stream that triggers a
heap-based buffer overflow, as exploited in the wild by
Trojan.Downloader-71014 in June 2009 (CVE-2009-1391). This update
provides fixes for this vulnerability.
http://www.linuxsecurity.com/content/view/149423
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:157 ] perl-Compress-Raw-Zlib (Jul 19)
-----------------------------------------------------------------------------------------
A vulnerability has been found and corrected in
perl-Compress-Raw-Zlib: Off-by-one error in the inflate function in
Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in
AMaViS, SpamAssassin, and possibly other products, allows
context-dependent attackers to cause a denial of service (hang or
crash) via a crafted zlib compressed stream that triggers a
heap-based buffer overflow, as exploited in the wild by
Trojan.Downloader-71014 in June 2009 (CVE-2009-1391). This update
provides fixes for this vulnerability.
http://www.linuxsecurity.com/content/view/149422
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:156 ] net-snmp (Jul 19)
---------------------------------------------------------------------------
A vulnerability has been found and corrected in net-snmp:
agent/snmp_agent.c in snmpd in net-snmp 5.0.9 in Red Hat Enterprise
Linux (RHEL) 3 allows remote attackers to cause a denial of service
(daemon crash) via a crafted SNMP GETBULK request that triggers a
divide-by-zero error. NOTE: this vulnerability exists because of an
incorrect fix for CVE-2008-4309 (CVE-2009-1887). This update provides
fixes for this vulnerability.
http://www.linuxsecurity.com/content/view/149421
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:155 ] git (Jul 19)
----------------------------------------------------------------------
A vulnerability has been found and corrected in git: git-daemon in
git 1.4.4.5 through 1.6.3 allows remote attackers to cause a denial
of service (infinite loop and CPU consumption) via a request
containing extra unrecognized arguments (CVE-2009-2108). This update
provides fixes for this vulnerability.
http://www.linuxsecurity.com/content/view/149420
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:154 ] dhcp (Jul 19)
-----------------------------------------------------------------------
A vulnerability has been found and corrected in ISC DHCP: ISC DHCP
Server is vulnerable to a denial of service, caused by the improper
handling of DHCP requests. If the host definitions are mixed using
dhcp-client-identifier and hardware ethernet, a remote attacker could
send specially-crafted DHCP requests to cause the server to stop
responding (CVE-2009-1892). This update provides fixes for this
vulnerability.
http://www.linuxsecurity.com/content/view/149417
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:153 ] dhcp (Jul 17)
-----------------------------------------------------------------------
A vulnerability has been found and corrected in ISC DHCP: Integer
overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before 3.1.1;
and the DHCP server in EMC VMware Workstation before 5.5.5 Build
56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build
56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build
54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4
Build 56528; allows remote attackers to cause a denial of service
(daemon crash) or execute arbitrary code via a malformed DHCP packet
with a large dhcp-max-message-size that triggers a stack-based buffer
overflow, related to servers configured to send many DHCP options to
clients (CVE-2007-0062). This update provides fixes for this
vulnerability.
http://www.linuxsecurity.com/content/view/149397
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:153 ] dhcp (Jul 17)
-----------------------------------------------------------------------
A vulnerability has been found and corrected in ISC DHCP: Integer
overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before 3.1.1;
and the DHCP server in EMC VMware Workstation before 5.5.5 Build
56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build
56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build
54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4
Build 56528; allows remote attackers to cause a denial of service
(daemon crash) or execute arbitrary code via a malformed DHCP packet
with a large dhcp-max-message-size that triggers a stack-based buffer
overflow, related to servers configured to send many DHCP options to
clients (CVE-2007-0062). This update provides fixes for this
vulnerability.
http://www.linuxsecurity.com/content/view/149396
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:152 ] pulseaudio (Jul 17)
-----------------------------------------------------------------------------
A vulnerability has been found and corrected in pulseaudio: Tavis
Ormandy and Julien Tinnes of the Google Security Team discovered that
pulseaudio, when installed setuid root, does not drop privileges
before re-executing itself to achieve immediate bindings. This can be
exploited by a user who has write access to any directory on the file
system containing /usr/bin to gain local root access. The user needs
to exploit a race condition related to creating a hard link
(CVE-2009-1894). This update provides fixes for this vulnerability.
http://www.linuxsecurity.com/content/view/149395
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:152 ] pulseaudio (Jul 17)
-----------------------------------------------------------------------------
A vulnerability has been found and corrected in pulseaudio: Tavis
Ormandy and Julien Tinnes of the Google Security Team discovered that
pulseaudio, when installed setuid root, does not drop privileges
before re-executing itself to achieve immediate bindings. This can be
exploited by a user who has write access to any directory on the file
system containing /usr/bin to gain local root access. The user needs
to exploit a race condition related to creating a hard link
(CVE-2009-1894). This update provides fixes for this vulnerability.
http://www.linuxsecurity.com/content/view/149394
------------------------------------------------------------------------
* RedHat: Moderate: libtiff security update (Jul 16)
--------------------------------------------------
Updated libtiff packages that fix several security issues are now
available for Red Hat Enterprise Linux 3, 4, and 5. This update has
been rated as having moderate security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/149391
------------------------------------------------------------------------
* SuSE: Linux Kernel (SUSE-SA:2009:038) (Jul 23)
----------------------------------------------
http://www.linuxsecurity.com/content/view/149462
------------------------------------------------------------------------
* Ubuntu: Ruby vulnerabilities (Jul 20)
--------------------------------------
It was discovered that Ruby did not properly validate certificates.
An attacker could exploit this and present invalid or revoked X.509
certificates. (CVE-2009-0642) It was discovered that Ruby did not
properly handle string arguments that represent large numbers. An
attacker could exploit this and cause a denial of service.
(CVE-2009-1904)
http://www.linuxsecurity.com/content/view/149427
------------------------------------------------------------------------
* Pardus: Perl IO::Socket::SSL: Security (Jul 22)
-----------------------------------------------
exploited by malicious people to bypass certain security
restrictions.
http://www.linuxsecurity.com/content/view/149438
* Pardus: WxGtk: Integer Overflow (Jul 19)
----------------------------------------
exploited by malicious people to potentially compromise a user's
system.
http://www.linuxsecurity.com/content/view/149416
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
[Fedora Announce]
[Linux Crypto]
[Kernel]
[Netfilter]
[Video for Linux]
[Bugtraq]
[USB]
[Fedora Security]
