Linux Advisory Watch: July 2nd, 2010
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| July 2nd, 2010 Volume 11, Number 27 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.
Understand: Fork Bombing Attack
-------------------------------
As the variety of attacks and threats grow, you need to be prepared. In
this HOWTO, get a feeling for the Fork Bombing Attack, what it is, how it
works, where it comes from, how to deal with it and more.
http://www.linuxsecurity.com/content/view/129220
Review: Hacking: The Art of Exploitation, Second Edition
--------------------------------------------------------
If you've ever wondered what a "buffer overflow" was, or how a "denial
of service" attack works beyond just a basic understanding, then there
is no better book that will help you to delve into the nitty-gritty
than Hacking: The Art of Exploitation, Second Edition, by Jon
Erickson.
http://www.linuxsecurity.com/content/view/152556
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2066-1: wireshark: Multiple vulnerabilities (Jul 1)
-----------------------------------------------------------
Several remote vulnerabilities have been discovered in the Wireshark
network traffic analyzer. It was discovered that null pointer
dereferences, buffer overflows and infinite loops in the SMB, SMB
PIPE, ASN1.1 and SigComp dissectors could lead to denial of service
[More...]
http://www.linuxsecurity.com/content/view/152739
* Debian: 2065-1: kvirc: Multiple vulnerabilities (Jun 27)
--------------------------------------------------------
Two security issues have been discovered in the DCC protocol support
code of kvirc, a KDE-based next generation IRC client, which allow
the overwriting of local files through directory traversal and the
execution of arbitrary code through a format string attack. [More...]
http://www.linuxsecurity.com/content/view/152703
* Debian: 2064-1: xulrunner: Multiple vulnerabilities (Jun 27)
------------------------------------------------------------
Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems: [More...]
http://www.linuxsecurity.com/content/view/152702
------------------------------------------------------------------------
* Mandriva: 2010:126: mozilla-thunderbird (Jun 24)
------------------------------------------------
Multiple vulnerabilities have been found and corrected in
mozilla-thunderbird: Unspecified vulnerability in Mozilla Firefox 3
allows remote attackers to execute arbitrary code via unknown vectors
that trigger memory [More...]
http://www.linuxsecurity.com/content/view/152683
* Mandriva: 2010:125: firefox (Jun 24)
------------------------------------
Security issues were identified and fixed in firefox: An unspecified
function in the JavaScript implementation in Mozilla Firefox creates
and exposes a temporary footprint when there is a current login to a
web site, which makes it easier for remote [More...]
http://www.linuxsecurity.com/content/view/152675
------------------------------------------------------------------------
* Red Hat: 2010:0505-01: perl-Archive-Tar: Moderate Advisory (Jul 1)
------------------------------------------------------------------
An updated perl-Archive-Tar package that fixes multiple security
issues is now available for Red Hat Enterprise Linux 4 and 5. The Red
Hat Security Response Team has rated this update as having moderate
[More...]
http://www.linuxsecurity.com/content/view/152737
* Red Hat: 2010:0504-01: kernel: Important Advisory (Jul 1)
---------------------------------------------------------
Updated kernel packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/152738
* Red Hat: 2010:0503-01: acroread: Critical Advisory (Jun 30)
-----------------------------------------------------------
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat
Enterprise Linux 5 Supplementary. [More...]
http://www.linuxsecurity.com/content/view/152730
------------------------------------------------------------------------
* Slackware: 2010-180-02: libtiff: Security Update (Jun 30)
---------------------------------------------------------
New libtiff packages are available for Slackware 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix
security issues. [More Info...]
http://www.linuxsecurity.com/content/view/152725
* Slackware: 2010-180-01: libpng: Security Update (Jun 30)
--------------------------------------------------------
New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix
security issues. [More Info...]
http://www.linuxsecurity.com/content/view/152724
* Slackware: 2010-176-03: seamonkey: Security Update (Jun 25)
-----------------------------------------------------------
New seamonkey packages are available for Slackware 12.2, 13.0, 13.1,
and -current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/152699
* Slackware: 2010-176-04: mozilla-thunderbird: Security Update (Jun 25)
---------------------------------------------------------------------
New mozilla-thunderbird packages are available for Slackware 13.1 and
-current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/152697
* Slackware: 2010-176-01: bind: Security Update (Jun 25)
------------------------------------------------------
New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix
security issues when DNSSEC is enabled (which is not the default
setting). [More Info...]
http://www.linuxsecurity.com/content/view/152698
* Slackware: 2010-176-02: mozilla-firefox: Security Update (Jun 25)
-----------------------------------------------------------------
New mozilla-firefox packages are available for Slackware 13.0, 13.1,
and -current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/152696
* Slackware: 2010-176-05: cups: Security Update (Jun 25)
------------------------------------------------------
New cups packages are available for Slackware 13.1 and -current to
fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/152695
------------------------------------------------------------------------
* SuSE: 2010-027: Linux kernel (Jul 2)
------------------------------------
This SUSE Linux Enterprise 11 Service Pack 1 kernel update brings the
kernel to 2.6.32.13. It also contains a security fix and lots of
other bugfixes. Following security issues were fixed: CVE-2010-1173:
The sctp_process_unk_param function in [More...]
http://www.linuxsecurity.com/content/view/152741
* SuSE: 2010-026: IBM Java 6 (Jul 1)
----------------------------------
IBM Java 6 was updated to Service Release 8 to fix various security
issues. Following security issues were fixed: CVE-2010-0084:
Unspecified vulnerability in the Java Runtime Environment component
in Oracle Java SE and Java for Business 6 [More...]
http://www.linuxsecurity.com/content/view/152736
* SuSE: 2010-025: Samba (Jul 1)
-----------------------------
The Samba server was updated to fix security issues and bugs.
Following security issues were fixed: CVE-2010-2063: A buffer overrun
was possible in chain_reply code in 3.3.x and below, which could be
used to crash the samba server or potentially execute code.
[More...]
http://www.linuxsecurity.com/content/view/152733
------------------------------------------------------------------------
* Ubuntu: 956-1: sudo vulnerability (Jun 30)
------------------------------------------
Evan Broder and Anders Kaseorg discovered that sudo did not
properly sanitize its environment when configured to use secure_path
(the default in Ubuntu). A local attacker could exploit this to
execute arbitrary code as root if sudo was configured to allow the
attacker to use a program that interpreted the PATH environment
variable. [More...]
http://www.linuxsecurity.com/content/view/152732
* Ubuntu: 930-3: Firefox regression (Jun 30)
------------------------------------------
USN-930-1 fixed vulnerabilities in Firefox. Due to a software
packaging problem, the Firefox 3.6 update could not be installed when
the firefox-2 package was also installed. This update fixes the
problem and updates apturl for the change. [More...]
http://www.linuxsecurity.com/content/view/152731
* Ubuntu: 930-2: apturl, Epiphany, gecko-sharp, gnome-python-extras, (Jun 29)
---------------------------------------------------------------------------
USN-930-1 fixed vulnerabilities in Firefox and Xulrunner. This
update provides updated packages for use with Firefox 3.6 and
Xulrunner 1.9.2 on Ubuntu 8.04 LTS. [More...]
http://www.linuxsecurity.com/content/view/152718
* Ubuntu: 930-1: Firefox and Xulrunner vulnerabilities (Jun 29)
-------------------------------------------------------------
It was discovered that Firefox could be made to access freed memory.
If a user were tricked into viewing a malicious site, a remote
attacker could cause a denial of service or possibly execute arbitrary
code with the privileges of the user invoking the program. This issue
only affected Ubuntu 8.04 LTS. (CVE-2010-1121) [More...]
http://www.linuxsecurity.com/content/view/152717
* Ubuntu: 927-5: nspr update (Jun 29)
-----------------------------------
USN-927-4 fixed vulnerabilities in NSS. This update provides the
NSPR needed to use the new NSS. [More...]
http://www.linuxsecurity.com/content/view/152716
* Ubuntu: 927-4: nss vulnerability (Jun 29)
-----------------------------------------
USN-927-1 fixed vulnerabilities in nss in Ubuntu 9.10. This update
provides the corresponding updates for Ubuntu 8.04 LTS. [More...]
http://www.linuxsecurity.com/content/view/152715
------------------------------------------------------------------------
* Pardus: 2010-91: Samba: Memory Corruption (Jun 30)
--------------------------------------------------
A vulnerability has been fixed in Samba, which can be exploited by
malicious people to potentially compromise a vulnerable system.
http://www.linuxsecurity.com/content/view/152719
* Pardus: 2010-89: Thunderbird: Multiple (Jun 30)
-----------------------------------------------
Multiple vulnerabilities have been fixed in Thunderbird.
http://www.linuxsecurity.com/content/view/152720
* Pardus: 2010-93: Wireshark: Multiple Vulnerabilities (Jun 30)
-------------------------------------------------------------
Multiple vulnerabilities have been fixed in Wireshark.
http://www.linuxsecurity.com/content/view/152721
* Pardus: 2010-90: Ruby: Cross Site Scripting (Jun 30)
----------------------------------------------------
An XSS vulnerability has been fixed in the WEBrick module.
http://www.linuxsecurity.com/content/view/152722
* Pardus: 2010-92: Firefox: Multiple Vulnerabilities (Jun 30)
-----------------------------------------------------------
Multiple vulnerabilities have been fixed in Firefox.
http://www.linuxsecurity.com/content/view/152723
* Pardus: 2010-82: texlive-core: Integer Overflow (Jun 24)
--------------------------------------------------------
An integer overflow has been fixed in texlive-core which can be used
by malicious people to execute arbitrary code.
http://www.linuxsecurity.com/content/view/152676
* Pardus: 2010-85: perl-libwww: Unexpected Download (Jun 24)
----------------------------------------------------------
A vulnerability has been fixed in perl-libwww which can allow
malicious users to overwrite existing files (such as .bashrc).
http://www.linuxsecurity.com/content/view/152677
* Pardus: 2010-86: ncompress: Integer Underflow (Jun 24)
------------------------------------------------------
An integer underflow vulnerability has been fixed which can be used
by malicious people to cause denial of service.
http://www.linuxsecurity.com/content/view/152678
* Pardus: 2010-87: dhcp: Denial of Service (Jun 24)
-------------------------------------------------
A vulnerability has been fixed in dhcp which can be used by malicious
people to cause denial of service.
http://www.linuxsecurity.com/content/view/152679
* Pardus: 2010-88: perl: Multiple Vulnerabilities (Jun 24)
--------------------------------------------------------
Multiple vulnerabilities in Safe.pm module in perl have been fixed.
http://www.linuxsecurity.com/content/view/152680
* Pardus: 2010-84: dvipng: Denial of Service (Jun 24)
---------------------------------------------------
Multiple array index errors have been fixed which can allow malicious
users to cause denial of service.
http://www.linuxsecurity.com/content/view/152681
* Pardus: 2010-83: flashplugin: Multiple (Jun 24)
-----------------------------------------------
Multiple vulnerabilities have been fixed in flashplugin.
http://www.linuxsecurity.com/content/view/152682
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------