Linux Advisory Watch: March 14th, 2010
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| March 14th, 2010 Volume 11, Number 12 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor have made
available.
Introduction: Buffer Overflow Vulnerabilities
---------------------------------------------
Buffer overflows are a leading type of security vulnerability. This
paper explains what a buffer overflow is, how it can be exploited, and
what countermeasures can be taken to prevent the use of buffer overflow
vulnerabilities.
http://www.linuxsecurity.com/content/view/118881
FTP Attack Case Study Part II: the Lessons
------------------------------------------
This article presents part II of a case study related to a company
network server compromise. Lessons on designing and implementing
security are drawn from the case.
http://www.linuxsecurity.com/content/view/117696
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2016-1: drupal6: Multiple vulnerabilities (Mar 13)
----------------------------------------------------------
Several vulnerabilities (SA-CORE-2010-001) have been discovered in
drupal6, a fully-featured content management framework. [More...]
http://www.linuxsecurity.com/content/view/151895
* Debian: 2014-1: moin: Multiple vulnerabilities (Mar 12)
-------------------------------------------------------
Several vulnerabilities have been discovered in moin, a python clone
of WikiWiki. The Common Vulnerabilities and Exposures project
identifies the following problems: [More...]
http://www.linuxsecurity.com/content/view/151888
* Debian: 2013-1: egroupware: Multiple vulnerabilities (Mar 11)
-------------------------------------------------------------
Nahuel Grisolia discovered two vulnerabilities in Egroupware, a
web-based groupware suite: Missing input sanitising in the
spellchecker integration may lead to the execution of arbitrary
commands and a cross-site scripting vulnerability was discovered in
the login page. [More...]
http://www.linuxsecurity.com/content/view/151887
* Debian: 2012-1: linux-2.6: privilege escalation/denial (Mar 11)
---------------------------------------------------------------
CVE-2009-3725 Philipp Reisner reported an issue in the connector
subsystem which allows unprivileged users to send netlink packets.
This [More...]
http://www.linuxsecurity.com/content/view/151883
* Debian: 2011-1: dpkg: path traversal (Mar 10)
---------------------------------------------
William Grant discovered that the dpkg-source component of dpkg, the
low-level infrastructure for handling the installation and removal of
Debian software packages, is vulnerable to path traversal attacks. A
specially crafted Debian source package can lead to file modification
[More...]
http://www.linuxsecurity.com/content/view/151877
* Debian: : kvm: privilege escalation/denial (Mar 10)
---------------------------------------------------
Several local vulnerabilities have been discovered in kvm, a full
virtualization system. The Common Vulnerabilities and Exposures
project identifies the following problems: [More...]
http://www.linuxsecurity.com/content/view/151875
* Debian: 2009-1: tdiary: insufficient input sanitisi (Mar 9)
-----------------------------------------------------------
It was discovered that tdiary, a communication-friendly weblog
system, is prone to a cross-site scripting vulnerability due to
insuficient input sanitising in the TrackBack transmission plugin.
[More...]
http://www.linuxsecurity.com/content/view/151871
* Debian: 2008-1: typo3-src Multiple Vulnerabilities (Mar 8)
----------------------------------------------------------
Several remote vulnerabilities have been discovered in the TYPO3 web
content management framework: Cross-site scripting vulnerabilities
have been discovered in both the frontend and the backend. Also, user
data could be leaked.
http://www.linuxsecurity.com/content/view/151860
------------------------------------------------------------------------
* Mandriva: 2010:061: ncpfs (Mar 11)
----------------------------------
Multiple vulnerabilities has been found and corrected in ncpfs:
sutil/ncpumount.c in ncpumount in ncpfs 2.2.6 produces certain
detailed error messages about the results of privileged file-access
attempts, which allows local users to determine the existence of
arbitrary [More...]
http://www.linuxsecurity.com/content/view/151884
* Mandriva: 2010:060: squid (Mar 10)
----------------------------------
A vulnerability has been found and corrected in squid: The
htcpHandleTstRequest function in htcp.c in Squid 2.x and 3.0 through
3.0.STABLE23 allows remote attackers to cause a denial of service
(crash) via crafted packets to the HTCP port, which triggers
[More...]
http://www.linuxsecurity.com/content/view/151878
* Mandriva: 2010:059: virtualbox (Mar 10)
---------------------------------------
A vulnerability has been found and corrected in virtualbox:
Unspecified vulnerability in Guest Additions in Sun xVM VirtualBox
1.6.x and 2.0.x before 2.0.12, 2.1.x, and 2.2.x, and Sun VirtualBox
before 3.0.10, allows guest OS users to cause a denial [More...]
http://www.linuxsecurity.com/content/view/151876
* Mandriva: 2010:058: php (Mar 9)
-------------------------------
Multiple vulnerabilities has been found and corrected in php: *
Improved LCG entropy. (Rasmus, Samy Kamkar) * Fixed safe_mode
validation inside tempnam() when the directory path does not end
with a /). (Martin Jansen) [More...]
http://www.linuxsecurity.com/content/view/151869
* Mandriva: 2010:057: apache (Mar 6)
----------------------------------
A vulnerabilitiy has been found and corrected in apache: The
ap_read_request function in server/protocol.c in the Apache HTTP
Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does
not properly handle headers in subrequests in certain circumstances
[More...]
http://www.linuxsecurity.com/content/view/151853
------------------------------------------------------------------------
* Slackware: 2010-069-01: pidgin: Security Update (Mar 10)
--------------------------------------------------------
New pidgin packages are available for Slackware 12.0, 12.1, 12.2,
13.0, and -current to fix denial of service issues. More details
about the issues may be found in the Common Vulnerabilities and
Exposures (CVE) database: [More Info...]
http://www.linuxsecurity.com/content/view/151879
* Slackware: 2010-067-01: httpd: Security Update (Mar 8)
------------------------------------------------------
New httpd packages are available for Slackware 12.0, 12.1, 12.2,
13.0, and -current to fix security issues. mod_ssl: A partial fix for
the TLS renegotiation prefix injection attack by rejecting any
client-initiated renegotiations. mod_proxy_ajp: Respond with
HTTP_BAD_REQUEST when the body is not sent [More Info...]
http://www.linuxsecurity.com/content/view/151861
------------------------------------------------------------------------
* SuSE: 2010-016: Linux kernel (Mar 8)
------------------------------------
The openSUSE 11.0 kernel was updated to fix following security
issues: CVE-2009-4020: Stack-based buffer overflow in the hfs
subsystem in the Linux kernel 2.6.32 allows remote attackers to have
an unspecified impact via a crafted Hierarchical File System (HFS)
filesystem, related to the [More...]
http://www.linuxsecurity.com/content/view/151855
------------------------------------------------------------------------
* Ubuntu: 907-1: gnome-screensaver vulnerabilities (Mar 8)
--------------------------------------------------------
It was discovered that gnome-screensaver did not correctly lock all
screenswhen monitors get hotplugged. An attacker with physical access
could usethis flaw to gain access to a locked session.
(CVE-2010-0285) [More...]
http://www.linuxsecurity.com/content/view/151856
------------------------------------------------------------------------
* Pardus: 2010-38: Sudo: Privilege Escalation (Mar 9)
---------------------------------------------------
A security issue has been fixed in sudo, which can be exploited by
malicious, local users to gain escalated privileges.
http://www.linuxsecurity.com/content/view/151862
* Pardus: 2010-39: Firefox: Multiple Vulnerabilities (Mar 9)
----------------------------------------------------------
Multiple vulnerabilities have been fixed in Firefox, which can be
exploited by malicious people to conduct cross-site scripting attacks
or compromise a user's system.
http://www.linuxsecurity.com/content/view/151863
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
[Fedora Announce]
[Linux Crypto]
[Kernel]
[Netfilter]
[Video for Linux]
[Bugtraq]
[USB]
[Fedora Security]
