Linux Advisory Watch: July 9th, 2010
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| July 9th, 2010 Volume 11, Number 28 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor have made
available.
Understand: Fork Bombing Attack
-------------------------------
As the variety of attacks and threats grow, you need to be prepared. In
this HOWTO, get a feeling for the Fork Bombing Attack, what it is, how it
works, where it comes from, how to deal with it and more.
http://www.linuxsecurity.com/content/view/129220
Review: Hacking: The Art of Exploitation, Second Edition
--------------------------------------------------------
If you've ever wondered what a "buffer overflow" was, or how a "denial
of service" attack works beyond just a basic understanding, then there
is no better book that will help you to delve into the nitty-gritty
than Hacking: The Art of Exploitation, Second Edition, by Jon
Erickson.
http://www.linuxsecurity.com/content/view/152556
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2059-2: pcsc-lite: buffer overflow (Jul 4)
--------------------------------------------------
The update for PCSCD caused a regression with some card readers. This
update corrects that regression. The full advisory is below for
completeness. It was discovered that PCSCD, a daemon to access smart
cards, was vulnerable [More...]
http://www.linuxsecurity.com/content/view/152747
* Debian: 2067-1: mahara: Multiple vulnerabilities (Jul 2)
--------------------------------------------------------
Several vulnerabilities were discovered in mahara, an electronic
portfolio, weblog, and resume builder. The following Common
Vulnerabilities and Exposures project ids identify them: [More...]
http://www.linuxsecurity.com/content/view/152745
* Debian: 2066-1: wireshark: Multiple vulnerabilities (Jul 1)
-----------------------------------------------------------
Several remote vulnerabilities have been discovered in the Wireshark
network traffic analyzer. It was discovered that null pointer
dereferences, buffer overflows and infinite loops in the SMB, SMB
PIPE, ASN1.1 and SigComp dissectors could lead to denial of service
[More...]
http://www.linuxsecurity.com/content/view/152739
------------------------------------------------------------------------
* Mandriva: 2010:130: heimdal (Jul 7)
-----------------------------------
A vulnerability has been found and corrected in heimdal: Certain
invalid GSS-API tokens can cause a GSS-API acceptor (server) to crash
due to a null pointer dereference in the GSS-API library
(CVE-2010-1321). [More...]
http://www.linuxsecurity.com/content/view/152765
* Mandriva: 2010:129: heimdal (Jul 7)
-----------------------------------
Multiple vulnerabilities has been found and corrected in heimdal: The
(1) krshd and (2) v4rcp applications in (a) MIT Kerberos 5 (krb5) up
to 1.5, and 1.4.x before 1.4.4, when running on Linux and AIX, and
(b) Heimdal 0.7.2 and earlier, do not check return codes for setuid
[More...]
http://www.linuxsecurity.com/content/view/152764
* Mandriva: 2010:128: lftp (Jul 6)
--------------------------------
A vulnerability has been found and corrected in lftp: The get1
command, as used by lftpget, in LFTP before 4.0.6 does not properly
validate a server-provided filename before determining the
destination filename of a download, which allows remote servers to
[More...]
http://www.linuxsecurity.com/content/view/152756
* Mandriva: 2010:127: imlib2 (Jul 2)
----------------------------------
A vulnerability has been found and corrected in imlib2: imlib2 before
1.4.2 allows context-dependent attackers to have an unspecified
impact via a crafted (1) ARGB, (2) BMP, (3) JPEG, (4) LBM, (5) PNM,
(6) TGA, or (7) XPM file, related to several [More...]
http://www.linuxsecurity.com/content/view/152744
------------------------------------------------------------------------
* Red Hat: 2010:0520-01: libtiff: Important Advisory (Jul 8)
----------------------------------------------------------
Updated libtiff packages that fix two security issues are now
available for Red Hat Enterprise Linux 3. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/152779
* Red Hat: 2010:0518-01: scsi-target-utils: Important Advisory (Jul 8)
--------------------------------------------------------------------
An updated scsi-target-utils package that fixes multiple security
issues is now available for Red Hat Enterprise Linux 5. The Red Hat
Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/152777
* Red Hat: 2010:0519-01: libtiff: Important Advisory (Jul 8)
----------------------------------------------------------
Updated libtiff packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/152778
* Red Hat: 2010:0505-01: perl-Archive-Tar: Moderate Advisory (Jul 1)
------------------------------------------------------------------
An updated perl-Archive-Tar package that fixes multiple security
issues is now available for Red Hat Enterprise Linux 4 and 5. The Red
Hat Security Response Team has rated this update as having moderate
[More...]
http://www.linuxsecurity.com/content/view/152737
* Red Hat: 2010:0504-01: kernel: Important Advisory (Jul 1)
---------------------------------------------------------
Updated kernel packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/152738
------------------------------------------------------------------------
* SuSE: 2010-030: Mozilla Firefox (Jul 9)
---------------------------------------
Mozilla Firefox was updated to version 3.5.10, fixing various bugs
and security issues. MFSA 2010-33 / CVE-2008-5913: Security
researcher Amit Klein reported that it was possible to reverse
engineer the value used to seed Math.random(). Since the
pseudo-random [More...]
http://www.linuxsecurity.com/content/view/152780
* SuSE: 2010-029: Acrobat Reader (Jul 8)
--------------------------------------
Acrobat Reader was updated to version 9.3.3 to fix lots of security
issues and bugs, several of whom could be used to execute code by
trick the target user to open specially crafted PDFs. Adobes advisory
can be found here:
http://www.adobe.com/support/security/bulletins/apsb10-15.html
[More...]
http://www.linuxsecurity.com/content/view/152767
* SuSE: 2010-028: IBM Java 5 (Jul 6)
----------------------------------
This update of IBM Java 1.5.0 to SR11 FP2 brings various bug and lots
of security fixes. Following security issues were fixed:
CVE-2010-0084: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6
[More...]
http://www.linuxsecurity.com/content/view/152753
* SuSE: 2010-027: Linux kernel (Jul 2)
------------------------------------
This SUSE Linux Enterprise 11 Service Pack 1 kernel update brings the
kernel to 2.6.32.13. It also contains a security fix and lots of
other bugfixes. Following security issues were fixed: CVE-2010-1173:
The sctp_process_unk_param function in [More...]
http://www.linuxsecurity.com/content/view/152741
* SuSE: 2010-026: IBM Java 6 (Jul 1)
----------------------------------
IBM Java 6 was updated to Service Release 8 to fix various security
issues. Following security issues were fixed: CVE-2010-0084:
Unspecified vulnerability in the Java Runtime Environment component
in Oracle Java SE and Java for Business 6 [More...]
http://www.linuxsecurity.com/content/view/152736
* SuSE: 2010-025: Samba (Jul 1)
-----------------------------
The Samba server was updated to fix security issues and bugs.
Following security issues were fixed: CVE-2010-2063: A buffer overrun
was possible in chain_reply code in 3.3.x and below, which could be
used to crash the samba server or potentially execute code.
[More...]
http://www.linuxsecurity.com/content/view/152733
------------------------------------------------------------------------
* Ubuntu: 960-1: libpng vulnerabilities (Jul 8)
---------------------------------------------
It was discovered that libpng did not properly handle certain
malformed PNGimages. If a user or automated system were tricked into
opening a craftedPNG file, an attacker could cause a denial of
service or possibly executearbitrary code with the privileges of the
user invoking the program.(CVE-2010-1205) [More...]
http://www.linuxsecurity.com/content/view/152772
* Ubuntu: 959-1: PAM vulnerability (Jul 7)
----------------------------------------
Denis Excoffier discovered that the PAM MOTD module in Ubuntu didnot
correctly handle path permissions when creating user file stamps.A
local attacker could exploit this to gain root privilieges. [More...]
http://www.linuxsecurity.com/content/view/152766
* Ubuntu: 943-1: Thunderbird vulnerabilities (Jul 6)
--------------------------------------------------
Martin Barbella discovered an integer overflow in an XSLT node
sortingroutine. An attacker could exploit this to overflow a buffer
and cause adenial of service or possibly execute arbitrary code with
the privileges ofthe user invoking the program. (CVE-2010-1199)
[More...]
http://www.linuxsecurity.com/content/view/152752
------------------------------------------------------------------------
* Pardus: 2010-94: Kernel: Multiple Vulnerabilities (Jul 8)
---------------------------------------------------------
Multiple vulnerabilities have been fixed in kernel.
http://www.linuxsecurity.com/content/view/152768
* Pardus: 2010-95: Cups: Multiple Vulnerabilities (Jul 8)
-------------------------------------------------------
Multiple vulnerabilities have been fixed in cups.
http://www.linuxsecurity.com/content/view/152769
* Pardus: 2010-96: Libpng: Denial of Service (Jul 8)
--------------------------------------------------
Two vulnerabilities have been fixed in libpng, which can be exploited
by malicious people to cause a DoS (Denial of Service) and
potentially compromise an application using the library.
http://www.linuxsecurity.com/content/view/152770
* Pardus: 2010-97: Avahi: Denial of Service (Jul 8)
-------------------------------------------------
A denial of service vulnerability has been fixed in Avahi, which can
be used by malicious people to crash the server.
http://www.linuxsecurity.com/content/view/152771
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
[Fedora Announce]
[Linux Crypto]
[Kernel]
[Netfilter]
[Video for Linux]
[Bugtraq]
[USB]
[Fedora Security]
