Linux Advisory Watch: November 5th, 2010
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| November 5th, 2010 Volume 11, Number 45 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.
Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.
http://www.linuxsecurity.com/content/view/153159
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2124-1: xulrunner: Multiple vulnerabilities (Nov 1)
-----------------------------------------------------------
Several vulnerabilities have been discovered in Xulrunner, the
component that provides the core functionality of Iceweasel, Debian's
variant of Mozilla's browser technology. [More...]
http://www.linuxsecurity.com/content/view/153615
* Debian: 2123-1: nss: Multiple vulnerabilities (Nov 1)
-----------------------------------------------------
Several vulnerabilities have been discovered in Mozilla's Network
Security Services (NSS) library. The Common Vulnerabilities and
Exposures project identifies the following problems: [More...]
http://www.linuxsecurity.com/content/view/153613
------------------------------------------------------------------------
* Mandriva: 2010:220: pam (Nov 4)
-------------------------------
Multiple vulnerabilities were discovered and corrected in pam: The
pam_xauth module did not verify the return values of the setuid() and
setgid() system calls. A local, unprivileged user could use this flaw
to execute the xauth command with root privileges and make it
[More...]
http://www.linuxsecurity.com/content/view/153633
* Mandriva: 2010:202-1: krb5 (Nov 2)
----------------------------------
A vulnerability was discovered and corrected in krb5: The
merge_authdata function in kdc_authdata.c in the Key Distribution
Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not
properly manage an index into an authorization-data list, which
[More...]
http://www.linuxsecurity.com/content/view/153621
* Mandriva: 2010:219: mozilla-thunderbird (Nov 1)
-----------------------------------------------
A security issue was identified and fixed in mozilla-thunderbird:
Unspecified vulnerability in Mozilla Firefox 3.5.x through 3.5.14 and
3.6.x through 3.6.11, when JavaScript is enabled, allows remote
attackers to execute arbitrary code via unknown vectors, as exploited
[More...]
http://www.linuxsecurity.com/content/view/153604
* Mandriva: 2010:218: php (Oct 31)
--------------------------------
Multiple vulnerabilities were discovered and corrected in php: Stack
consumption vulnerability in the filter_var function in PHP 5.2.x
through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL
mode is used, allows remote attackers to cause a denial of service
[More...]
http://www.linuxsecurity.com/content/view/153602
* Mandriva: 2010:217: dovecot (Oct 30)
------------------------------------
Multiple vulnerabilities were discovered and corrected in dovecot:
Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the
admin permission to the owner of each mailbox in a non-public
namespace, which might allow remote authenticated users to bypass
intended access [More...]
http://www.linuxsecurity.com/content/view/153601
* Mandriva: 2010:216: python (Oct 30)
-----------------------------------
Multiple vulnerabilities were discovered and corrected in python: The
asyncore module in Python before 3.2 does not properly handle
unsuccessful calls to the accept function, and does not have
accompanying documentation describing how daemon applications should
[More...]
http://www.linuxsecurity.com/content/view/153600
* Mandriva: 2010:215: python (Oct 30)
-----------------------------------
Multiple vulnerabilities were discovered and corrected in python:
Buffer underflow in the rgbimg module in Python 2.5 allows remote
attackers to cause a denial of service (application crash) via a
large ZSIZE value in a black-and-white (aka B/W) RGB image that
triggers [More...]
http://www.linuxsecurity.com/content/view/153599
* Mandriva: 2010:214: kernel (Oct 29)
-----------------------------------
A vulnerability was discovered and corrected in the Linux 2.6 kernel:
A vulnerability in the Linux kernel is caused by insecure allocation of
user space memory when translating system call inputs to 64-bit. A stack
pointer underflow can occur when using the compat_alloc_user_space
[More...]
http://www.linuxsecurity.com/content/view/153597
* Mandriva: 2010:213: xulrunner (Oct 28)
--------------------------------------
A vulnerability was discovered and corrected in xulrunner:
Unspecified vulnerability in Mozilla Firefox 3.5.x through 3.5.14 and
3.6.x through 3.6.11, when JavaScript is enabled, allows remote
attackers to execute arbitrary code via unknown vectors, as exploited
[More...]
http://www.linuxsecurity.com/content/view/153579
------------------------------------------------------------------------
* Red Hat: 2010:0825-01: mysql: Moderate Advisory (Nov 3)
-------------------------------------------------------
Updated mysql packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/153631
* Red Hat: 2010:0824-01: mysql: Moderate Advisory (Nov 3)
-------------------------------------------------------
Updated mysql packages that fix three security issues are now
available for Red Hat Enterprise Linux 4. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/153632
* Red Hat: 2010:0819-01: pam: Moderate Advisory (Nov 1)
-----------------------------------------------------
Updated pam packages that fix three security issues are now available
for Red Hat Enterprise Linux 5. The Red Hat Security Response Team
has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/153614
* Red Hat: 2010:0811-01: cups: Important Advisory (Oct 28)
--------------------------------------------------------
Updated cups packages that fix two security issues are now available
for Red Hat Enterprise Linux 5. The Red Hat Security Response Team
has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153588
* Red Hat: 2010:0812-01: thunderbird: Moderate Advisory (Oct 28)
--------------------------------------------------------------
An updated thunderbird package that fixes one security issue is now
available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/153589
------------------------------------------------------------------------
* Slackware: 2010-305-03: proftpd: Security Update (Nov 1)
--------------------------------------------------------
New proftpd packages are available for Slackware 11.0, 12.0, 12.1,
12.2, 13.0, 13.1, and -current to fix a security issue. [More Info...]
http://www.linuxsecurity.com/content/view/153617
* Slackware: 2010-305-02: pidgin: Security Update (Nov 1)
-------------------------------------------------------
New pidgin packages are available for Slackware 12.0, 12.1, 12.2,
13.0, 13.1, and -current to fix a security issue. [More Info...]
http://www.linuxsecurity.com/content/view/153616
* Slackware: 2010-305-01: seamonkey: Security Update (Nov 1)
----------------------------------------------------------
New seamonkey packages are available for Slackware 12.2, 13.0, 13.1,
and -current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/153603
* Slackware: 2010-301-01: glibc: Security Update (Oct 29)
-------------------------------------------------------
New glibc packages are available for Slackware 12.0, 12.1, 12.2,
13.0, 13.1, and -current to fix a security issue. [More Info...]
http://www.linuxsecurity.com/content/view/153592
* Slackware: 2010-301-02: mozilla-firefox: Security Update (Oct 29)
-----------------------------------------------------------------
New mozilla-firefox packages are available for Slackware 13.0, 13.1,
and -current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/153591
------------------------------------------------------------------------
* SuSE: 2010-055: flash-player (Nov 5)
------------------------------------
Adobe Flash Player was updated to version 10.1.102.64 to fix a
critical security issue.
http://www.linuxsecurity.com/content/view/153641
* SuSE: Weekly Summary 2010:020 (Nov 3)
-------------------------------------
To avoid flooding mailing lists with SUSE Security Announcements for
minor issues, SUSE Security releases weekly summary reports for the
low-profile vulnerability fixes. Unlike the SUSE Security Announcements
that are released for more severe vulnerabilities, the SUSE Security
Summary Reports do not list download URLs. The vulnerabilities in this
summary include: NetworkManager, bind, clamav, dovecot12, festival,
gpg2, libfreebl3, php5-pear-mail, postgresql.
http://www.linuxsecurity.com/content/view/153630
* SuSE: 2010-054: Linux kernel (Nov 3)
------------------------------------
This security update of the SUSE Linux Enterprise 11 GA and openSUSE
11.1 kernel updates the kernel to 2.6.27.54 and fixes various
security issues and other bugs. The SUSE Linux Enterprise Server 11
kernel was released last week, the openSUSE 11.1 kernel with the same
source base yesterday. [More...]
http://www.linuxsecurity.com/content/view/153626
* SuSE: 2010-053: Linux kernel (Oct 28)
-------------------------------------
The openSUSE 11.2 and 11.3 kernels were updated to fix 2 critical
security issues and some small bugs. The following security issues were
fixed: CVE-2010-3904: A local privilege escalation in RDS sockets
allowed local attackers to gain root privileges. [More...]
http://www.linuxsecurity.com/content/view/153580
* SuSE: 2010-052: glibc (Oct 28)
------------------------------
The Linux C library glibc was updated to fix critical security issues
and several bugs: CVE-2010-3847: Decoding of the $ORIGIN special
value in various LD_ environment variables allowed local attackers to
execute code in context of e.g. setuid root programs, elevating
privileges. This specific issue did not affect SUSE as an assertion
triggers [More...]
http://www.linuxsecurity.com/content/view/153578
------------------------------------------------------------------------
* Ubuntu: 1013-1: FreeType vulnerabilities (Nov 4)
------------------------------------------------
Marc Schoenefeld discovered that FreeType did not correctly handle
certain malformed font files. If a user were tricked into using a
specially crafted font file, a remote attacker could cause FreeType to
crash or possibly execute arbitrary code with user privileges. This
issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.10 and 10.04 LTS.
(CVE-2010-3311) [More...]
http://www.linuxsecurity.com/content/view/153636
* Ubuntu: 1012-1: CUPS vulnerability (Nov 4)
------------------------------------------
Emmanuel Bouillon discovered that CUPS did not properly handle
certain Internet Printing Protocol (IPP) packets. A remote attacker
could use this flaw to cause a denial of service or possibly execute
arbitrary code. In the default installation in Ubuntu 8.04 LTS and
later, attackers would be isolated by the CUPS AppArmor profile.
[More...]
http://www.linuxsecurity.com/content/view/153637
* Ubuntu: 1011-3: Xulrunner vulnerability (Oct 29)
------------------------------------------------
USN-1011-1 fixed a vulnerability in Firefox. This update provides
the corresponding update for Xulrunner. [More...]
http://www.linuxsecurity.com/content/view/153590
* Ubuntu: 1010-1: OpenJDK vulnerabilities (Oct 28)
------------------------------------------------
Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3
protocols. If an attacker could perform a man-in-the-middle attack at
the start of a TLS connection, the attacker could inject arbitrary
content at the beginning of the user's session. USN-923-1 disabled
SSL/TLS renegotiation by default; this update implements [More...]
http://www.linuxsecurity.com/content/view/153587
* Ubuntu: 1011-2: Thunderbird vulnerability (Oct 28)
--------------------------------------------------
USN-1011-1 fixed a vulnerability in Firefox. This update provides
the corresponding update for Thunderbird. [More...]
http://www.linuxsecurity.com/content/view/153586
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------