Linux Advisory Watch: October 29th, 2010
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| October 29th, 2010 Volume 11, Number 44 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.
Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.
http://www.linuxsecurity.com/content/view/153159
Review: Zabbix 1.8 Network Monitoring
-------------------------------------
If you have anything more than a small home network, you need to be
monitoring the status of your systems to ensure they are providing the
services they were designed to provide.
http://www.linuxsecurity.com/content/view/152990
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2122-1: glibc: missing input sanitization (Oct 22)
----------------------------------------------------------
Ben Hawkes and Tavis Ormandy discovered that the dynamic loader in
GNU libc allows local users to gain root privileges using a crafted
LD_AUDIT environment variable. [More...]
http://www.linuxsecurity.com/content/view/153544
------------------------------------------------------------------------
* Mandriva: 2010:213: xulrunner (Oct 28)
--------------------------------------
A vulnerability was discovered and corrected in xulrunner:
Unspecified vulnerability in Mozilla Firefox 3.5.x through 3.5.14 and
3.6.x through 3.6.11, when JavaScript is enabled, allows remote
attackers to execute arbitrary code via unknown vectors, as exploited
[More...]
http://www.linuxsecurity.com/content/view/153579
* Mandriva: 2010:212: glibc (Oct 24)
----------------------------------
A vulnerability in the GNU C library (glibc) was discovered which
could escalate the privileges of local users (CVE-2010-3856).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more: [More...]
http://www.linuxsecurity.com/content/view/153553
* Mandriva: 2010:211: mozilla-thunderbird (Oct 22)
------------------------------------------------
Security issues were identified and fixed in mozilla-thunderbird: The
SSL implementation in Mozilla Firefox before 3.5.14 and 3.6.x before
3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and
SeaMonkey before 2.0.9 does not properly set the minimum key length
[More...]
http://www.linuxsecurity.com/content/view/153548
* Mandriva: 2010:210: firefox (Oct 22)
------------------------------------
Security issues were identified and fixed in firefox: Mozilla Firefox
before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and
3.1.x before 3.1.5, and SeaMonkey before 2.0.9 recognize a wildcard
IP address in the subject's Common Name field of [More...]
http://www.linuxsecurity.com/content/view/153546
* Mandriva: 2010:209: libsmi (Oct 22)
-----------------------------------
A buffer overflow was discovered in libsmi when a long OID was given in
numerical form. This could lead to arbitrary code execution
(CVE-2010-2891). Packages for 2009.0 are provided as of the Extended
Maintenance [More...]
http://www.linuxsecurity.com/content/view/153545
* Mandriva: 2010:208: pidgin (Oct 21)
-----------------------------------
A security vulnerability has been identified and fixed in pidgin: It
has been discovered that eight denial of service conditions exist in
libpurple all due to insufficient validation of the return value from
purple_base64_decode(). Invalid or malformed data received in
[More...]
http://www.linuxsecurity.com/content/view/153536
------------------------------------------------------------------------
* Red Hat: 2010:0811-01: cups: Important Advisory (Oct 28)
--------------------------------------------------------
Updated cups packages that fix two security issues are now available
for Red Hat Enterprise Linux 5. The Red Hat Security Response Team
has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153588
* Red Hat: 2010:0812-01: thunderbird: Moderate Advisory (Oct 28)
--------------------------------------------------------------
An updated thunderbird package that fixes one security issue is now
available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/153589
* Red Hat: 2010:0810-01: seamonkey: Critical Advisory (Oct 27)
------------------------------------------------------------
Updated seamonkey packages that fix one security issue are now
available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security
Response Team has rated this update as having critical [More...]
http://www.linuxsecurity.com/content/view/153574
* Red Hat: 2010:0807-01: java-1.5.0-ibm: Critical Advisory (Oct 27)
-----------------------------------------------------------------
Updated java-1.5.0-ibm packages that fix several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5
Supplementary. The Red Hat Security Response Team has rated this
update as having critical [More...]
http://www.linuxsecurity.com/content/view/153573
* Red Hat: 2010:0809-01: xulrunner: Critical Advisory (Oct 27)
------------------------------------------------------------
Updated xulrunner packages that fix one security issue are now
available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having critical [More...]
http://www.linuxsecurity.com/content/view/153571
* Red Hat: 2010:0808-01: firefox: Critical Advisory (Oct 27)
----------------------------------------------------------
An updated firefox package that fixes one security issue is now
available for Red Hat Enterprise Linux 4. The Red Hat Security
Response Team has rated this update as having critical [More...]
http://www.linuxsecurity.com/content/view/153572
* Red Hat: 2010:0792-01: kernel: Important Advisory (Oct 25)
----------------------------------------------------------
Updated kernel packages that fix one security issue are now available
for Red Hat Enterprise Linux 5. The Red Hat Security Response Team
has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153556
* Red Hat: 2010:0793-01: glibc: Important Advisory (Oct 25)
---------------------------------------------------------
Updated glibc packages that fix one security issue are now available
for Red Hat Enterprise Linux 5. The Red Hat Security Response Team
has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153557
* Red Hat: 2010:0788-01: pidgin: Moderate Advisory (Oct 21)
---------------------------------------------------------
Updated pidgin packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/153542
------------------------------------------------------------------------
* Slackware: 2010-301-01: glibc: Security Update (Oct 29)
-------------------------------------------------------
New glibc packages are available for Slackware 12.0, 12.1, 12.2,
13.0, 13.1, and -current to fix a security issue. [More Info...]
http://www.linuxsecurity.com/content/view/153592
* Slackware: 2010-301-02: mozilla-firefox: Security Update (Oct 29)
-----------------------------------------------------------------
New mozilla-firefox packages are available for Slackware 13.0, 13.1,
and -current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/153591
* Slackware: 2010-300-01: seamonkey: Security Update (Oct 27)
-----------------------------------------------------------
New seamonkey packages are available for Slackware 12.2, 13.0, 13.1,
and -current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/153570
* Slackware: 2010-295-03: mozilla-thunderbird: Security Update (Oct 22)
---------------------------------------------------------------------
New mozilla-thunderbird packages are available for Slackware 13.1 and
-current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/153550
* Slackware: 2010-295-01: glibc: Security Update (Oct 22)
-------------------------------------------------------
New glibc packages are available for Slackware 12.0, 12.1, 12.2,
13.0, 13.1, and -current to fix a security issue. [More Info...]
http://www.linuxsecurity.com/content/view/153551
* Slackware: 2010-295-02: mozilla-firefox: Security Update (Oct 22)
-----------------------------------------------------------------
New mozilla-firefox packages are available for Slackware 13.0, 13.1,
and -current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/153549
------------------------------------------------------------------------
* SuSE: 2010-053: Linux kernel (Oct 28)
-------------------------------------
The openSUSE 11.2 and 11.3 kernels were updated to fix 2 critical
security issues and some small bugs. Following security issues were
fixed: CVE-2010-3904: A local privilege escalation in RDS sockets
allowed local attackers to gain root privileges. [More...]
http://www.linuxsecurity.com/content/view/153580
* SuSE: 2010-052: glibc (Oct 28)
------------------------------
The Linux C library glibc was updated to fix critical security issues
and several bugs: CVE-2010-3847: Decoding of the $ORIGIN special
value in various LD_ environment variables allowed local attackers to
execute code in context of e.g. setuid root programs, elevating
privileges. This specific issue did not affect SUSE as an assertion
triggers [More...]
http://www.linuxsecurity.com/content/view/153578
* SuSE: Weekly Summary 2010:019 (Oct 25)
--------------------------------------
To avoid flooding mailing lists with SUSE Security Announcements for
minor issues, SUSE Security releases weekly summary reports for the
low profile vulnerability fixes. The SUSE Security Summary Reports do
not list or download URLs like the SUSE Security Announcements that
are released for more severe vulnerabilities. Vulnerabilities
covered in this summary include: OpenOffice_org,
acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival,
freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d,
mysql, postgresql, squid3.
http://www.linuxsecurity.com/content/view/153554
------------------------------------------------------------------------
* Ubuntu: 1011-3: Xulrunner vulnerability (Oct 29)
------------------------------------------------
USN-1011-1 fixed a vulnerability in Firefox. This update provides
the corresponding update for Xulrunner. [More...]
http://www.linuxsecurity.com/content/view/153590
* Ubuntu: 1010-1: OpenJDK vulnerabilities (Oct 28)
------------------------------------------------
Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3
protocols. If an attacker could perform a man in the middle attack at
the start of a TLS connection, the attacker could inject arbitrary
content at the beginning of the user's session. USN-923-1 disabled
SSL/TLS renegotiation by default; this update implements [More...]
http://www.linuxsecurity.com/content/view/153587
* Ubuntu: 1011-2: Thunderbird vulnerability (Oct 28)
--------------------------------------------------
USN-1011-1 fixed a vulnerability in Firefox. This update provides
the corresponding update for Thunderbird. [More...]
http://www.linuxsecurity.com/content/view/153586
* Ubuntu: 1011-1: Firefox vulnerability (Oct 27)
----------------------------------------------
Morten Krakvik discovered a heap-based buffer overflow in Firefox. If
a user were tricked into navigating to a malicious site, an attacker
could cause a denial of service or possibly execute arbitrary code as
the user invoking the program. [More...]
http://www.linuxsecurity.com/content/view/153575
* Ubuntu: 959-2: PAM vulnerability (Oct 25)
-----------------------------------------
USN-959-1 fixed vulnerabilities in PAM. This update provides
the corresponding updates for Ubuntu 10.10. [More...]
http://www.linuxsecurity.com/content/view/153555
* Ubuntu: 1008-3: libvirt update (Oct 23)
---------------------------------------
USN-1008-1 fixed vulnerabilities in libvirt. The update for Ubuntu
10.04 LTS reverted a recent bug fix update. This update fixes the
problem. [More...]
http://www.linuxsecurity.com/content/view/153552
* Ubuntu: 1008-2: Virtinst update (Oct 21)
----------------------------------------
Libvirt in Ubuntu 10.04 LTS now no longer probes qemu disks for the
image format and defaults to 'raw' when the format is not specified in
the XML. This change in behavior breaks virt-install --import because
virtinst in Ubuntu 10.04 LTS did not allow for specifying a disk
format and does not specify a format in the XML. This update adds the
'format=' option when [More...]
http://www.linuxsecurity.com/content/view/153543
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------