Linux Advisory Watch: August 13th, 2010
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| August 13th, 2010 Volume 11, Number 33 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.
Review: Zabbix 1.8 Network Monitoring
-------------------------------------
If you have anything more than a small home network, you need to be
monitoring the status of your systems to ensure they are providing the
services they were designed to provide. Rihards Olups has created a
comprehensive reference and usability guide for the latest version of
Zabbix that anyone being tasked with implementing should have by their
side.
http://www.linuxsecurity.com/content/view/152990
Meet the Anti-Nmap: PSAD
------------------------
How would you know if someone is scanning your defenses? Is there any way
to properly respond to such scans? You bet there is...
http://www.linuxsecurity.com/content/view/134248
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2091-1: squirrelmail: No user-specific token impl (Aug 12)
------------------------------------------------------------------
SquirrelMail, a webmail application, does not employ a user-specific
token for webforms. This allows a remote attacker to perform a Cross
Site Request Forgery (CSRF) attack. The attacker may hijack the
authentication of unspecified victims and send messages or change
user preferences among other [More...]
http://www.linuxsecurity.com/content/view/153028
* Debian: 2090-1: socat: incorrect user-input valida (Aug 6)
----------------------------------------------------------
A stack overflow vulnerability was found in socat that allows an
attacker to execute arbitrary code with the privileges of the socat
process. [More...]
http://www.linuxsecurity.com/content/view/152982
* Debian: 2089-1: php5: Multiple vulnerabilities (Aug 6)
------------------------------------------------------
Several remote vulnerabilities have been discovered in PHP 5, a
hypertext preprocessor. The Common Vulnerabilities and Exposures
project identifies the following problems: [More...]
http://www.linuxsecurity.com/content/view/152974
* Debian: 2088-1: wget: missing input sanitization (Aug 5)
--------------------------------------------------------
It was discovered that wget, a command line tool for downloading
files from the WWW, uses server-provided file names when creating
local files. This may lead to code execution in some scenarios.
[More...]
http://www.linuxsecurity.com/content/view/152965
------------------------------------------------------------------------
* Mandriva: 2010:149: freetype2 (Aug 12)
--------------------------------------
A vulnerability has been discovered and corrected in freetype2:
Multiple stack overflow flaws have been reported in the way FreeType
font rendering engine processed certain CFF opcodes. An attacker
could use these flaws to create a specially-crafted font file that,
[More...]
http://www.linuxsecurity.com/content/view/153015
* Mandriva: 2010:148: pidgin (Aug 12)
-----------------------------------
A security vulnerability has been identified and fixed in pidgin: The
clientautoresp function in family_icbm.c in the oscar protocol plugin
in libpurple in Pidgin before 2.7.2 allows remote authenticated users
to cause a denial of service (NULL pointer dereference and [More...]
http://www.linuxsecurity.com/content/view/153008
* Mandriva: 2010:147: firefox (Aug 10)
------------------------------------
Security issues were identified and fixed in firefox:
layout/generic/nsObjectFrame.cpp in Mozilla Firefox 3.6.7 does not
properly free memory in the parameter array of a plugin instance,
which allows remote attackers to cause a denial of service (memory
[More...]
http://www.linuxsecurity.com/content/view/152994
* Mandriva: 2010:146: libtiff (Aug 6)
-----------------------------------
Multiple vulnerabilities have been discovered and corrected in
libtiff: The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as
used in ImageMagick, does not properly handle invalid
ReferenceBlackWhite values, which allows remote attackers to cause a
denial of service [More...]
http://www.linuxsecurity.com/content/view/152981
* Mandriva: 2010:145: libtiff (Aug 6)
-----------------------------------
Multiple vulnerabilities have been discovered and corrected in
libtiff: The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as
used in ImageMagick, does not properly handle invalid
ReferenceBlackWhite values, which allows remote attackers to cause a
denial of service [More...]
http://www.linuxsecurity.com/content/view/152978
------------------------------------------------------------------------
* Red Hat: 2010:0625-01: wireshark: Moderate Advisory (Aug 11)
------------------------------------------------------------
Updated wireshark packages that fix several security issues are now
available for Red Hat Enterprise Linux 3, 4, and 5. The Red Hat
Security Response Team has rated this update as having moderate
[More...]
http://www.linuxsecurity.com/content/view/153006
* Red Hat: 2010:0623-01: flash-plugin: Critical Advisory (Aug 11)
---------------------------------------------------------------
An updated Adobe Flash Player package that fixes multiple security
issues is now available for Red Hat Enterprise Linux 5 Supplementary.
The Red Hat Security Response Team has rated this update as having
critical [More...]
http://www.linuxsecurity.com/content/view/153004
* Red Hat: 2010:0624-01: flash-plugin: Critical Advisory (Aug 11)
---------------------------------------------------------------
An updated Adobe Flash Player package that fixes multiple security
issues is now available for Red Hat Enterprise Linux 3 and 4 Extras.
The Red Hat Security Response Team has rated this update as having
critical [More...]
http://www.linuxsecurity.com/content/view/153005
* Red Hat: 2010:0616-01: dbus-glib: Moderate Advisory (Aug 10)
------------------------------------------------------------
Updated dbus-glib packages that fix one security issue are now
available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/152998
* Red Hat: 2010:0615-01: libvirt: Low Advisory (Aug 10)
-----------------------------------------------------
Updated libvirt packages that fix two security issues and three bugs
are now available for Red Hat Enterprise Linux 5. The Red Hat
Security Response Team has rated this update as having low [More...]
http://www.linuxsecurity.com/content/view/152997
* Red Hat: 2010:0610-01: kernel: Important Advisory (Aug 10)
----------------------------------------------------------
Updated kernel packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/152996
* Red Hat: 2010:0606-01: kernel: Important Advisory (Aug 5)
---------------------------------------------------------
Updated kernel packages that fix multiple security issues and one bug
are now available for Red Hat Enterprise Linux 4. The Red Hat
Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/152971
* Red Hat: 2010:0607-02: freetype: Important Advisory (Aug 5)
-----------------------------------------------------------
Updated freetype packages that fix two security issues are now
available for Red Hat Enterprise Linux 3, 4, and 5. The Red Hat
Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/152972
------------------------------------------------------------------------
* SuSE: 2010-034: flash-player (Aug 13)
-------------------------------------
Flash Player was updated to version 10.1.82.76 fixing several
critical security issues: - CVE-2010-0209: CVSS v2 Base Score: 9.3:
Code Injection (CWE-94) Details unknown. - CVE-2010-2188: CVSS v2
Base Score: 6.8: Buffer Errors (CWE-119) [More...]
http://www.linuxsecurity.com/content/view/153030
------------------------------------------------------------------------
* Ubuntu: 970-1: GnuPG2 vulnerability (Aug 11)
--------------------------------------------
It was discovered that GPGSM in GnuPG2 did not correctly
handle certificates with a large number of Subject Alternate Names. If
a user or automated system were tricked into processing a specially
crafted certificate, an attacker could cause a denial of service or
execute arbitrary code with privileges of the user invoking the
program. [More...]
http://www.linuxsecurity.com/content/view/153003
* Ubuntu: 967-1: w3m vulnerability (Aug 9)
----------------------------------------
Ludwig Nussel discovered w3m does not properly handle
SSL/TLS certificates with NULL characters in the certificate name.
An attacker could exploit this to perform a man in the middle attack to
view sensitive information or alter encrypted communications.
(CVE-2010-2074) [More...]
http://www.linuxsecurity.com/content/view/152992
* Ubuntu: 969-1: PCSC-Lite vulnerability (Aug 5)
----------------------------------------------
It was discovered that the PC/SC service did not correctly
handle malformed messages. A local attacker could exploit this to
execute arbitrary code with root privileges. [More...]
http://www.linuxsecurity.com/content/view/152973
------------------------------------------------------------------------
* Pardus: 2010-105: Gnupg: Arbitrary Code Execution (Aug 12)
----------------------------------------------------------
A vulnerability has been fixed in GnuPG, which can be exploited by
malicious people to potentially compromise a user's system.
http://www.linuxsecurity.com/content/view/153016
* Pardus: 2010-109: Cabextract: Multiple (Aug 12)
-----------------------------------------------
Multiple vulnerabilities have been fixed in cabextract.
http://www.linuxsecurity.com/content/view/153017
* Pardus: 2010-107: Firefox: Multiple Vulnerabilities (Aug 12)
------------------------------------------------------------
Multiple vulnerabilities have been fixed in Firefox.
http://www.linuxsecurity.com/content/view/153018
* Pardus: 2010-110: Iputils: Denial of Service (Aug 12)
-----------------------------------------------------
A denial of service vulnerability has been fixed in Iputils.
http://www.linuxsecurity.com/content/view/153019
* Pardus: 2010-111: Vte: Arbitrary Code Execution (Aug 12)
--------------------------------------------------------
A vulnerability has been fixed in Vte, which can allow malicious users
to execute arbitrary code.
http://www.linuxsecurity.com/content/view/153020
* Pardus: 2010-112: Kernel: Multiple Vulnerabilities (Aug 12)
-----------------------------------------------------------
Multiple vulnerabilities have been fixed in the kernel.
http://www.linuxsecurity.com/content/view/153021
* Pardus: 2010-113: Wireshark: Multiple (Aug 12)
----------------------------------------------
Multiple vulnerabilities have been fixed in Wireshark.
http://www.linuxsecurity.com/content/view/153022
* Pardus: 2010-114: FreeType: Multiple Vulnerabilities (Aug 12)
-------------------------------------------------------------
Multiple vulnerabilities have been fixed in FreeType.
http://www.linuxsecurity.com/content/view/153023
* Pardus: 2010-115: Kvirc: Remote Code Execution (Aug 12)
-------------------------------------------------------
A vulnerability was fixed in kvirc, which can be used by malicious
people to execute arbitrary IRC commands via a CTCP request.
http://www.linuxsecurity.com/content/view/153024
* Pardus: 2010-108: Rekonq: XSS Vulnerability (Aug 12)
----------------------------------------------------
A universal XSS vulnerability has been fixed in Rekonq.
http://www.linuxsecurity.com/content/view/153025
* Pardus: 2010-116: Pidgin: Denial of Service (Aug 12)
----------------------------------------------------
A flaw has been fixed in Pidgin, which can allow remote attackers to
cause a denial of service via an X-Status message.
http://www.linuxsecurity.com/content/view/153026
* Pardus: 2010-106: Qt: Multiple Vulnerabilities (Aug 12)
-------------------------------------------------------
Multiple vulnerabilities have been fixed in Qt.
http://www.linuxsecurity.com/content/view/153027
* Pardus: 2010-103: Git: Arbitrary Code Execution (Aug 9)
-------------------------------------------------------
A vulnerability has been fixed in Git which can be exploited by
malicious people to execute arbitrary code.
http://www.linuxsecurity.com/content/view/152983
* Pardus: 2010-104: Php: Multiple Vulnerabilities (Aug 9)
-------------------------------------------------------
Multiple vulnerabilities have been fixed in PHP.
http://www.linuxsecurity.com/content/view/152984
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------