Linux Advisory Watch: October 15th, 2010
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| October 15th, 2010 Volume 11, Number 42 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.
Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.
http://www.linuxsecurity.com/content/view/153159
Review: Zabbix 1.8 Network Monitoring
-------------------------------------
If you have anything more than a small home network, you need to be
monitoring the status of your systems to ensure they are providing the
services they were designed to provide.
http://www.linuxsecurity.com/content/view/152990
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2120-1: postgresql-8.3: privilege escalation (Oct 12)
-------------------------------------------------------------
Tim Bunce discovered that PostgreSQL, a database server, does not
properly separate interpreters for server-side stored procedures
which run in different security contexts. As a result,
non-privileged authenticated database users might gain additional
privileges. [More...]
http://www.linuxsecurity.com/content/view/153465
* Debian: 2116-1: poppler: Multiple vulnerabilities (Oct 12)
----------------------------------------------------------
Joel Voss of Leviathan Security Group discovered two vulnerabilities
in the Poppler PDF rendering library, which may lead to the execution
of arbitrary code if a malformed PDF file is opened. [More...]
http://www.linuxsecurity.com/content/view/153464
* Debian: 2115-2: moodle: Multiple vulnerabilities (Oct 11)
---------------------------------------------------------
DSA-2115-1 introduced a regression because it lacked a dependency on
the wwwconfig-common package, leading to installation problems. This
update addresses this issue. For reference, the text of the original
advisory is provided below. [More...]
http://www.linuxsecurity.com/content/view/153454
* Debian: 2118-1: subversion: logic flaw (Oct 8)
----------------------------------------------
Kamesh Jayachandran and C. Michael Pilat discovered that the
mod_dav_svn module of subversion, a version control system, is not
properly enforcing access rules which are scope-limited to named
repositories. If the SVNPathAuthz option is set to "short_circuit",
this may enable an [More...]
http://www.linuxsecurity.com/content/view/153453
------------------------------------------------------------------------
* Mandriva: 2010:204: avahi (Oct 14)
----------------------------------
A vulnerability was discovered and corrected in avahi: The
AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in
Avahi 0.6.16 and 0.6.25 allows remote attackers to cause a denial of
service (assertion failure and daemon exit) via a DNS packet with
[More...]
http://www.linuxsecurity.com/content/view/153488
* Mandriva: 2010:203: automake (Oct 13)
-------------------------------------
A vulnerability was discovered and corrected in automake: The (1)
dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and
release branches branch-1-4 through branch-1-9, when producing a
distribution tarball for a package that uses Automake, assign
insecure [More...]
http://www.linuxsecurity.com/content/view/153479
* Mandriva: 2010:202: krb5 (Oct 13)
---------------------------------
A vulnerability was discovered and corrected in krb5: The
merge_authdata function in kdc_authdata.c in the Key Distribution
Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not
properly manage an index into an authorization-data list, which
[More...]
http://www.linuxsecurity.com/content/view/153477
* Mandriva: 2010:201: freetype2 (Oct 13)
--------------------------------------
A vulnerability was discovered and corrected in freetype2: Marc
Schoenefeld found an input stream position error in the way FreeType
font rendering engine processed input file streams. If a user loaded
a specially-crafted font file with an application [More...]
http://www.linuxsecurity.com/content/view/153475
* Mandriva: 2010:200: wireshark (Oct 13)
--------------------------------------
It was discovered that the ASN.1 BER dissector in wireshark was
susceptible to a stack overflow (CVE-2010-3445). For 2010.0 and
2010.1 wireshark was upgraded to v1.2.12 which is not vulnerable to
this issue and was patched for CS4 and MES5 to resolve [More...]
http://www.linuxsecurity.com/content/view/153472
* Mandriva: 2010:199: subversion (Oct 12)
---------------------------------------
A vulnerability was discovered and corrected in subversion: authz.c
in the mod_dav_svn module for the Apache HTTP Server, as distributed
in Apache Subversion 1.5.x before 1.5.8 and 1.6.x before 1.6.13, when
SVNPathAuthz short_circuit is enabled, does not [More...]
http://www.linuxsecurity.com/content/view/153463
* Mandriva: 2010:198: kernel (Oct 7)
----------------------------------
Some vulnerabilities were discovered and corrected in the Linux 2.6
kernel: fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not
always follow NFS automount symlinks, which allows attackers to have
an [More...]
http://www.linuxsecurity.com/content/view/153450
------------------------------------------------------------------------
* Red Hat: 2010:0771-01: kernel-rt: Moderate Advisory (Oct 14)
------------------------------------------------------------
Updated kernel-rt packages that fix multiple security issues and
upgrade the kernel-rt kernel to version 2.6.33.7-rt29 are now
available for Red Hat Enterprise MRG 1.3. [More...]
http://www.linuxsecurity.com/content/view/153486
* Red Hat: 2010:0770-01: java-1.6.0-sun: Critical Advisory (Oct 14)
-----------------------------------------------------------------
Updated java-1.6.0-sun packages that fix several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5
Supplementary. The Red Hat Security Response Team has rated this
update as having critical [More...]
http://www.linuxsecurity.com/content/view/153487
* Red Hat: 2010:0768-01: java-1.6.0-openjdk: Important Advisory (Oct 13)
----------------------------------------------------------------------
Updated java-1.6.0-openjdk packages that fix several security issues
and two bugs are now available for Red Hat Enterprise Linux 5. The
Red Hat Security Response Team has rated this update as having
[More...]
http://www.linuxsecurity.com/content/view/153476
* Red Hat: 2010:0758-01: kernel-rt: Important Advisory (Oct 7)
------------------------------------------------------------
Updated kernel-rt packages that fix two security issues and three
bugs are now available for Red Hat Enterprise MRG 1.2. The Red Hat
Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153451
* Red Hat: 2010:0755-01: cups: Important Advisory (Oct 7)
-------------------------------------------------------
Updated cups packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153449
* Red Hat: 2010:0750-01: xpdf: Important Advisory (Oct 7)
-------------------------------------------------------
An updated xpdf package that fixes one security issue is now
available for Red Hat Enterprise Linux 3. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153448
* Red Hat: 2010:0753-01: kdegraphics: Important Advisory (Oct 7)
--------------------------------------------------------------
Updated kdegraphics packages that fix two security issues are now
available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153446
* Red Hat: 2010:0754-01: cups: Important Advisory (Oct 7)
-------------------------------------------------------
Updated cups packages that fix one security issue are now available
for Red Hat Enterprise Linux 3. The Red Hat Security Response Team
has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153447
* Red Hat: 2010:0752-01: gpdf: Important Advisory (Oct 7)
-------------------------------------------------------
An updated gpdf package that fixes two security issues is now
available for Red Hat Enterprise Linux 4. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153442
* Red Hat: 2010:0749-01: poppler: Important Advisory (Oct 7)
----------------------------------------------------------
Updated poppler packages that fix two security issues are now
available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153443
* Red Hat: 2010:0751-01: xpdf: Important Advisory (Oct 7)
-------------------------------------------------------
An updated xpdf package that fixes two security issues is now
available for Red Hat Enterprise Linux 4. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153444
------------------------------------------------------------------------
* SuSE: 2010-050: Linux kernel (Oct 13)
-------------------------------------
This SUSE Linux Enterprise 11 Service Pack 1 kernel contains various
security fixes and lots of other bugfixes. The following security
issues were fixed: CVE-2010-2960: local users could crash the system
by causing a NULL deref in the keyctl_session_to_parent() function
[More...]
http://www.linuxsecurity.com/content/view/153473
* SuSE: 2010-049: Mozilla Firefox (Oct 12)
----------------------------------------
Mozilla Firefox was updated to version 3.6.10, fixing various bugs
and security issues. Mozilla Thunderbird was updated to version 3.0.8
on openSUSE, fixing the same bugs. Mozilla Seamonkey was updated to
version 2.0.8 on openSUSE, fixing [More...]
http://www.linuxsecurity.com/content/view/153459
* SuSE: 2010-048: acroread (Oct 11)
---------------------------------
Specially crafted PDF documents could crash acroread or lead to
execution of arbitrary code. acroread was updated to version 9.4
which addresses the issues. Please see Adobe's site for more
information:
http://www.adobe.com/support/security/bulletins/apsb10-21.html
[More...]
http://www.linuxsecurity.com/content/view/153455
------------------------------------------------------------------------
* Ubuntu: 1004-1: Django vulnerability (Oct 13)
---------------------------------------------
It was discovered that Django did not properly sanitize the cookie
value when applying CSRF protections, resulting in a cross-site
scripting (XSS) vulnerability. With cross-site scripting
vulnerabilities, if a user were tricked into viewing server output
during a crafted server request, a remote attacker could exploit this
to modify the contents, or steal [More...]
http://www.linuxsecurity.com/content/view/153478
* Ubuntu: 1002-2: PostgreSQL vulnerability (Oct 7)
------------------------------------------------
USN-1002-1 fixed vulnerabilities in PostgreSQL. This update provides
the corresponding update for Ubuntu 10.10. [More...]
http://www.linuxsecurity.com/content/view/153445
* Ubuntu: 1002-1: PostgreSQL vulnerability (Oct 7)
------------------------------------------------
It was discovered that PostgreSQL did not properly enforce
permissions within sessions when PL/Perl and PL/Tcl functions or
operators were redefined. A remote authenticated attacker could
exploit this to execute arbitrary code with permissions of a different
user, possibly leading to privilege escalation. [More...]
http://www.linuxsecurity.com/content/view/153441
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------