Linux Advisory Watch: December 17th, 2010
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| December 17th, 2010 Volume 11, Number 51 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.
Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.
http://www.linuxsecurity.com/content/view/153159
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2133-1: collectd: denial of service (Dec 13)
----------------------------------------------------
It was discovered that collectd, a statistics collection and
monitoring daemon, is prone to a denial of service attack via a
crafted network packet. [More...]
http://www.linuxsecurity.com/content/view/153938
* Debian: 2132-1: xulrunner: Multiple vulnerabilities (Dec 11)
------------------------------------------------------------
Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems: [More...]
http://www.linuxsecurity.com/content/view/153925
* Debian: 2130-1: bind9: Multiple vulnerabilities (Dec 10)
--------------------------------------------------------
Several remote vulnerabilities have been discovered in BIND, an
implementation of the DNS protocol suite. The Common Vulnerabilities
and Exposures project identifies the following problems: [More...]
http://www.linuxsecurity.com/content/view/153922
* Debian: 2131-1: exim4: arbitrary code execution (Dec 10)
--------------------------------------------------------
Several vulnerabilities have been found in exim4 that allow a remote
attacker to execute arbitrary code as root user. Exploits for these
issues have been seen in the wild. [More...]
http://www.linuxsecurity.com/content/view/153918
------------------------------------------------------------------------
* Gentoo: 201012-01: Chromium: Multiple vulnerabilities (Dec 17)
--------------------------------------------------------------
Multiple vulnerabilities have been reported in Chromium, some of
which may allow user-assisted execution of arbitrary code.
http://www.linuxsecurity.com/content/view/153974
------------------------------------------------------------------------
* Mandriva: 2010:257: kernel (Dec 16)
-----------------------------------
A vulnerability was discovered and corrected in the Linux 2.6 kernel:
The setup_arg_pages function in fs/exec.c in the Linux kernel before
2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly
restrict the stack memory consumption of the (1) arguments and (2)
environment [More...]
http://www.linuxsecurity.com/content/view/153972
* Mandriva: 2010:256: git (Dec 16)
--------------------------------
A vulnerability was discovered and corrected in git (gitweb): A
cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and
previous versions allows remote attackers to inject arbitrary web
script or HTML code via f and fp variables (CVE-2010-3906). [More...]
http://www.linuxsecurity.com/content/view/153960
* Mandriva: 2010:255: php-intl (Dec 15)
-------------------------------------
A vulnerability was discovered and corrected in php-intl: Integer
overflow in the NumberFormatter::getSymbol (aka numfmt_get_symbol)
function in PHP 5.3.3 and earlier allows context-dependent attackers
to cause a denial of service (application [More...]
http://www.linuxsecurity.com/content/view/153952
* Mandriva: 2010:254: php (Dec 15)
--------------------------------
This is a maintenance and security update that upgrades php to 5.3.4
for 2010.0/2010.1. Security Enhancements and Fixes in PHP 5.3.4:
[More...]
http://www.linuxsecurity.com/content/view/153951
* Mandriva: 2010:253: bind (Dec 14)
---------------------------------
Multiple vulnerabilities were discovered and corrected in bind: named
in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and
9.7.x before 9.7.2-P3 does not properly handle the combination of
signed negative responses and corresponding RRSIG records in the
[More...]
http://www.linuxsecurity.com/content/view/153948
* Mandriva: 2010:252: perl-CGI-Simple (Dec 14)
--------------------------------------------
A vulnerability was discovered and corrected in perl-CGI-Simple: CRLF
injection vulnerability in the header function in (1) CGI.pm before
3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote
attackers to inject arbitrary HTTP headers and conduct HTTP [More...]
http://www.linuxsecurity.com/content/view/153947
* Mandriva: 2010:251: firefox (Dec 9)
-----------------------------------
Security issues were identified and fixed in firefox: Security
researchers Yosuke Hasegawa and Masatoshi Kimura reported that the
x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are
vulnerable to XSS attacks due to some characters being converted to
[More...]
http://www.linuxsecurity.com/content/view/153910
* Mandriva: 2010:250: perl-CGI-Simple (Dec 9)
-------------------------------------------
A vulnerability was discovered and corrected in perl-CGI-Simple: The
multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm
in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME
boundary string in multipart/x-mixed-replace content, which allows
[More...]
http://www.linuxsecurity.com/content/view/153903
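The two perl-CGI-Simple advisories above (2010:252 and 2010:250) are
two faces of one problem: header text that the CGI library emits
without making sure attacker-influenced data cannot start a new header
line or a new MIME part. The block below is an added Python
illustration written for this newsletter, not code from CGI.pm,
CGI::Simple or any vendor patch. The function names, the sample
redirect target and the injected Set-Cookie line are all constructed
for the example. It shows a header() that concatenates values verbatim
next to a hardened variant that refuses CR or LF, and a per-response
random boundary in place of a fixed one for multipart/x-mixed-replace.

```python
import os
import re

# Constructed sample input (not taken from any advisory): a redirect
# target a CGI script might copy from the query string into a header.
SAFE_LOCATION = "https://example.invalid/home"
SPLIT_LOCATION = (
    "https://example.invalid/home\r\n"
    "Set-Cookie: session=attacker\r\n"
    "\r\n"
    "<html>injected body</html>"
)


class HeaderInjection(ValueError):
    """Raised when a header name or value carries a CR or LF."""


def vulnerable_header(**fields):
    """Mimics a header() that interpolates values verbatim.

    A CR/LF inside a value is written to the wire unchanged, so the
    client parses it as the start of a new header line (CRLF injection)
    and, after a blank line, as the start of the response body.
    """
    lines = [f"{name.replace('_', '-').title()}: {value}"
             for name, value in fields.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def hardened_header(**fields):
    """Same output format, but rejects any name or value holding CR or LF."""
    for name, value in fields.items():
        if re.search(r"[\r\n]", name) or re.search(r"[\r\n]", str(value)):
            raise HeaderInjection(f"CR/LF in header {name!r}")
    return vulnerable_header(**fields)


def count_header_lines(raw):
    """Number of 'Name: value' lines a client sees before the blank line.

    Used here to show that one logical header can become several.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n"))


def multipart_boundary():
    """Fresh, unguessable boundary for each multipart/x-mixed-replace response.

    A hard-coded boundary is known to anyone who reads the library
    source, so content they control can be crafted to contain it.
    """
    return "----=_" + os.urandom(16).hex()


def multipart_init(boundary=None):
    """Hardened multipart_init(): random boundary unless one is supplied,
    and the boundary itself is subject to the CR/LF check."""
    boundary = boundary or multipart_boundary()
    head = hardened_header(
        content_type=f"multipart/x-mixed-replace; boundary=\"{boundary}\"")
    return head, boundary


if __name__ == "__main__":
    print("lines in vulnerable output:",
          count_header_lines(vulnerable_header(location=SPLIT_LOCATION)))
    try:
        hardened_header(location=SPLIT_LOCATION)
    except HeaderInjection as exc:
        print("hardened header rejected input:", exc)
    print(multipart_init()[0])
```

Run as a script it prints the header-line count for the split value,
the rejection from the hardened variant, and one multipart header. The
CR/LF check is deliberately a reject rather than a strip: silently
removing the bytes hides the attack attempt from logs and can leave a
value that means something else than the caller intended.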
------------------------------------------------------------------------
* Red Hat: 2010:0987-01: java-1.6.0-ibm: Critical Advisory (Dec 15)
-----------------------------------------------------------------
Updated java-1.6.0-ibm packages that fix several security issues and
two bugs are now available for Red Hat Enterprise Linux 4 Extras, and
Red Hat Enterprise Linux 5 and 6 Supplementary. [More...]
http://www.linuxsecurity.com/content/view/153959
* Red Hat: 2010:0979-01: openssl: Moderate Advisory (Dec 13)
----------------------------------------------------------
Updated openssl packages that fix one security issue are now
available for Red Hat Enterprise Linux 6. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/153935
* Red Hat: 2010:0978-01: openssl: Moderate Advisory (Dec 13)
----------------------------------------------------------
Updated openssl packages that fix two security issues are now
available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/153936
* Red Hat: 2010:0976-01: bind: Important Advisory (Dec 13)
--------------------------------------------------------
Updated bind packages that fix three security issues are now
available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153934
* Red Hat: 2010:0975-01: bind: Important Advisory (Dec 13)
--------------------------------------------------------
Updated bind packages that fix two security issues are now available
for Red Hat Enterprise Linux 6. The Red Hat Security Response Team
has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/153932
* Red Hat: 2010:0977-01: openssl: Moderate Advisory (Dec 13)
----------------------------------------------------------
Updated openssl packages that fix three security issues are now
available for Red Hat Enterprise Linux 4. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/153933
* Red Hat: 2010:0970-01: exim: Critical Advisory (Dec 10)
-------------------------------------------------------
Updated exim packages that fix one security issue are now available
for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux
4.7, 5.3, and 5.4 Extended Update Support. [More...]
http://www.linuxsecurity.com/content/view/153923
* Red Hat: 2010:0967-01: seamonkey: Critical Advisory (Dec 9)
-----------------------------------------------------------
Updated seamonkey packages that fix several security issues are now
available for Red Hat Enterprise Linux 4. The Red Hat Security
Response Team has rated this update as having critical [More...]
http://www.linuxsecurity.com/content/view/153908
* Red Hat: 2010:0969-02: thunderbird: Moderate Advisory (Dec 9)
-------------------------------------------------------------
An updated thunderbird package that fixes several security issues is
now available for Red Hat Enterprise Linux 6. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/153909
* Red Hat: 2010:0968-01: thunderbird: Moderate Advisory (Dec 9)
-------------------------------------------------------------
An updated thunderbird package that fixes several security issues is
now available for Red Hat Enterprise Linux 4 and 5. The Red Hat
Security Response Team has rated this update as having moderate
[More...]
http://www.linuxsecurity.com/content/view/153905
* Red Hat: 2010:0966-01: firefox: Critical Advisory (Dec 9)
---------------------------------------------------------
Updated firefox packages that fix several security issues are now
available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat
Security Response Team has rated this update as having critical
[More...]
http://www.linuxsecurity.com/content/view/153906
------------------------------------------------------------------------
* Slackware: 2010-350-01: bind: Security Update (Dec 16)
------------------------------------------------------
New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix
security issues that could allow attackers to successfully query
private DNS records, or cause a denial of service. [More Info...]
http://www.linuxsecurity.com/content/view/153971
* Slackware: 2010-344-01: seamonkey: Security Update (Dec 11)
-----------------------------------------------------------
New seamonkey packages are available for Slackware 12.2, 13.0, and
13.1 to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/153924
* Slackware: 2010-343-01: mozilla-firefox: Security Update (Dec 10)
-----------------------------------------------------------------
New mozilla-firefox packages are available for Slackware 13.0, 13.1,
and -current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/153912
* Slackware: 2010-343-02: mozilla-thunderbird: Security Update (Dec 10)
---------------------------------------------------------------------
New mozilla-thunderbird packages are available for Slackware 13.0,
13.1, and -current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/153913
------------------------------------------------------------------------
* SuSE: 2010-061: IBM Java 1.4.2 (Dec 17)
---------------------------------------
IBM Java 1.4.2 was updated to Service Release 13 Fix Pack 6 to fix
various bugs and security issues. Following CVEs are tracked for this
update: CVE-2009-3555 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549
CVE-2010-3551 CVE-2010-3553 CVE-2010-3556 CVE-2010-3557 CVE-2010-3562
CVE-2010-3565 [More...]
http://www.linuxsecurity.com/content/view/153973
* SuSE: 2010-060: Linux kernel (Dec 14)
-------------------------------------
This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes
several security issues and bugs. Following security issues were
fixed: CVE-2010-3442: Multiple integer overflows in the snd_ctl_new
function in sound/core/control.c in the Linux kernel before
[More...]
http://www.linuxsecurity.com/content/view/153940
* SuSE: 2010-059: exim (Dec 13)
-----------------------------
The unprivileged user exim is running as could tell the exim daemon
to read a different config file and leverage that to escalate
privileges to root (CVE-2010-4345). A buffer overflow in exim
allowed remote attackers to execute [More...]
http://www.linuxsecurity.com/content/view/153926
------------------------------------------------------------------------
* Ubuntu: 1033-1: Eucalyptus vulnerability (Dec 16)
-------------------------------------------------
It was discovered that Eucalyptus did not verify password resets
from the Admin UI correctly. An unauthenticated remote attacker could
issue password reset requests to gain admin privileges in the
Eucalyptus environment. [More...]
http://www.linuxsecurity.com/content/view/153969
* Ubuntu: 1024-2: OpenJDK regression (Dec 14)
-------------------------------------------
USN-1024-1 fixed vulnerabilities in OpenJDK. Some of the
additional backported improvements could interfere with the
compilation of certain Java software. This update fixes the problem.
[More...]
http://www.linuxsecurity.com/content/view/153949
* Ubuntu: 1031-1: ClamAV vulnerabilities (Dec 9)
----------------------------------------------
Arkadiusz Miskiewicz and others discovered that the PDF
processing code in libclamav improperly validated input. This could
allow a remote attacker to craft a PDF document that could crash
clamav or possibly execute arbitrary code. (CVE-2010-4260,
CVE-2010-4479) [More...]
http://www.linuxsecurity.com/content/view/153907
* Ubuntu: 1019-1: Firefox and Xulrunner vulnerabilities (Dec 9)
-------------------------------------------------------------
Jesse Ruderman, Andreas Gal, Nils, Brian Hackett, and Igor
Bukanov discovered several memory issues in the browser engine. An
attacker could exploit these to crash the browser or possibly run
arbitrary code as the user invoking the program. (CVE-2010-3776,
CVE-2010-3777, CVE-2010-3778) [More...]
http://www.linuxsecurity.com/content/view/153904
* Ubuntu: 1030-1: Kerberos vulnerabilities (Dec 9)
------------------------------------------------
It was discovered that Kerberos did not properly determine
the acceptability of certain checksums. A remote attacker could use
certain checksums to alter the prompt message, modify a response to a
Key Distribution Center (KDC) or forge a KRB-SAFE message.
(CVE-2010-1323) [More...]
http://www.linuxsecurity.com/content/view/153902
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------