Linux Advisory Watch: April 10th, 2010
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| April 10th, 2010 Volume 11, Number 15 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.
Vulnerabilities in Web Applications
-----------------------------------
This paper aims to raise awareness by discussing common vulnerabilities
and mistakes in web application development. It also considers mitigating
factors, strategies and corrective measures.
http://www.linuxsecurity.com/content/view/118427
A Secure Nagios Server
----------------------
This article will not show you how to install Nagios, since there are
plenty of installation guides out there, but it will show you in detail
ways to improve your Nagios security.
http://www.linuxsecurity.com/content/view/144088
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2030-1: mahara: sql injection (Apr 6)
---------------------------------------------
It was discovered that mahara, an electronic portfolio, weblog, and
resume builder is not properly escaping input when generating a
unique username based on a remote user name from a single sign-on
application. An attacker can use this to compromise the mahara
database via crafted user names. [More...]
http://www.linuxsecurity.com/content/view/152083
* Debian: 2029-1: imlib2: Multiple vulnerabilities (Apr 5)
--------------------------------------------------------
It was discovered that imlib2, a library to load and process several
image formats, did not properly process various image file types.
Several heap and stack based buffer overflows - partly due to integer
overflows - in the ARGB, BMP, JPEG, LBM, PNM, TGA and XPM loaders can
[More...]
http://www.linuxsecurity.com/content/view/152079
* Debian: 2028-1: xpdf: Multiple vulnerabilities (Apr 5)
------------------------------------------------------
Several vulnerabilities have been identified in xpdf, a suite of
tools for viewing and converting Portable Document Format (PDF)
files. The Common Vulnerabilities and Exposures project identifies
the following [More...]
http://www.linuxsecurity.com/content/view/152078
* Debian: 2027-1: xulrunner: Multiple vulnerabilities (Apr 3)
-----------------------------------------------------------
Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems: [More...]
http://www.linuxsecurity.com/content/view/152065
* Debian: 2026-1: netpbm-free: stack-based buffer overflow (Apr 2)
----------------------------------------------------------------
Marc Schoenefeld discovered a stack-based buffer overflow in the XPM
reader implementation in netpbm-free, a suite of image manipulation
utilities. An attacker could cause a denial of service (application
crash) or possibly [More...]
http://www.linuxsecurity.com/content/view/152063
------------------------------------------------------------------------
* Mandriva: 2010:069: nss (Apr 6)
-------------------------------
A vulnerability has been found and corrected in nss: The TLS
protocol, and the SSL protocol 3.0 and possibly earlier, as used in
Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the
Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
[More...]
http://www.linuxsecurity.com/content/view/152090
------------------------------------------------------------------------
* Red Hat: 2010:0343-01: krb5: Important Advisory (Apr 6)
-------------------------------------------------------
Updated krb5 packages that fix one security issue and one bug are now
available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/152089
* Red Hat: 2010:0342-01: kernel: Important Advisory (Apr 6)
---------------------------------------------------------
Updated kernel packages that fix one security issue and one bug are
now available for Red Hat Enterprise Linux 4.7 Extended Update
Support. The Red Hat Security Response Team has rated this update as
having [More...]
http://www.linuxsecurity.com/content/view/152088
------------------------------------------------------------------------
* Slackware: 2010-095-01: mozilla-thunderbird: Security Update (Apr 5)
--------------------------------------------------------------------
New mozilla-thunderbird packages are available for Slackware 10.2,
11.0, 12.0, 12.1, 12.2, 13.0, and -current to fix security issues.
[More Info...]
http://www.linuxsecurity.com/content/view/152068
* Slackware: 2010-095-02: mozilla-firefox: Security Update (Apr 5)
----------------------------------------------------------------
New mozilla-firefox packages are available for Slackware 12.2, 13.0,
and -current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/152066
* Slackware: 2010-095-03: seamonkey: Security Update (Apr 5)
----------------------------------------------------------
New seamonkey packages are available for Slackware 12.2, 13.0, and
-current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/152067
------------------------------------------------------------------------
* SuSE: Weekly Summary 2010:008 (Apr 7)
-------------------------------------
To avoid flooding mailing lists with SUSE Security Announcements for
minor issues, SUSE Security releases weekly summary reports for the
low profile vulnerability fixes. The SUSE Security Summary Reports do
not list or download URLs like the SUSE Security Announcements that
are released for more severe vulnerabilities. The list of
vulnerabilities in this summary includes: gnome-screensaver, tomcat5,
tomcat6, libtheora, java-1_6_0-sun, samba.
http://www.linuxsecurity.com/content/view/152093
------------------------------------------------------------------------
* Ubuntu: 926-1: ClamAV vulnerabilities (Apr 8)
---------------------------------------------
It was discovered that ClamAV did not properly verify its input
when processing CAB files. A remote attacker could send a specially
crafted CAB file to evade malware detection. (CVE-2010-0098) [More...]
http://www.linuxsecurity.com/content/view/152105
* Ubuntu: 925-1: MoinMoin vulnerabilities (Apr 8)
-----------------------------------------------
It was discovered that MoinMoin did not properly sanitize its input
when processing Despam actions, resulting in cross-site scripting
(XSS) vulnerabilities. If a privileged wiki user were tricked into
performing the Despam action on a page with a crafted title, a remote
attacker could exploit this to execute JavaScript code.
(CVE-2010-0828) [More...]
http://www.linuxsecurity.com/content/view/152104
* Ubuntu: 923-1: OpenJDK vulnerabilities (Apr 7)
----------------------------------------------
Marsh Ray and Steve Dispensa discovered a flaw in the TLS and
SSLv3 protocols. If an attacker could perform a man in the middle
attack at the start of a TLS connection, the attacker could inject
arbitrary content at the beginning of the user's session.
(CVE-2009-3555) [More...]
http://www.linuxsecurity.com/content/view/152091
* Ubuntu: 924-1: Kerberos vulnerabilities (Apr 7)
-----------------------------------------------
Sol Jerome discovered that the Kerberos kadmind service did not
correctly free memory. An unauthenticated remote attacker could send
specially crafted traffic to crash the kadmind process, leading to a
denial of service. (CVE-2010-0629) [More...]
http://www.linuxsecurity.com/content/view/152092
------------------------------------------------------------------------
* Pardus: 2010-46: OpenSSL: Denial of Service (Apr 6)
---------------------------------------------------
A vulnerability has been fixed in OpenSSL, which can be exploited by
malicious people to manipulate certain data and cause a DoS (Denial
of Service).
http://www.linuxsecurity.com/content/view/152080
* Pardus: 2010-47: Firefox: Multiple Vulnerabilities (Apr 6)
----------------------------------------------------------
Multiple vulnerabilities have been fixed in Firefox.
http://www.linuxsecurity.com/content/view/152081
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------