Linux Advisory Watch: January 7th, 2011
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| January 7th, 2011 Volume 12, Number 2 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.
Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.
http://www.linuxsecurity.com/content/view/153159
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2142-1: dpkg: directory traversal (Jan 6)
-------------------------------------------------
Jakub Wilk discovered that the dpkg-source component of dpkg, the
Debian package management system, doesn't correctly handle paths in
patches of source packages, which could make it traverse directories.
Raphaël Hertzog additionally discovered that symbolic links in the
.pc [More...]
http://www.linuxsecurity.com/content/view/154082
* Debian: 2141-3: apache2: backward compatibility opti (Jan 5)
------------------------------------------------------------
DSA-2141-1 changed the behaviour of the openssl libraries in a server
environment to only allow SSL/TLS renegotiation for clients that
support the RFC5746 renegotiation extension. This update to apache2
adds the new SSLInsecureRenegotiation configuration option that
allows [More...]
http://www.linuxsecurity.com/content/view/154079
* Debian: 2141-2: nss: SSL/TLS insecure renegotiat (Jan 5)
--------------------------------------------------------
CVE-2009-3555: Marsh Ray, Steve Dispensa, and Martin Rex discovered a
flaw in the TLS and SSLv3 protocols. If an attacker could perform a
man in the middle [More...]
http://www.linuxsecurity.com/content/view/154078
* Debian: 2141-1: openssl: SSL/TLS insecure renegotiat (Jan 5)
------------------------------------------------------------
CVE-2009-3555: Marsh Ray, Steve Dispensa, and Martin Rex discovered a
flaw in the TLS and SSLv3 protocols. If an attacker could perform a
man in the middle [More...]
http://www.linuxsecurity.com/content/view/154077
* Debian: 2140-1: libapache2-mod-fcgid: stack overflow (Jan 5)
------------------------------------------------------------
A vulnerability has been found in Apache mod_fcgid. The Common
Vulnerabilities and Exposures project identifies the following
problem: [More...]
http://www.linuxsecurity.com/content/view/154076
* Debian: 2139-1: phpmyadmin: Multiple vulnerabilities (Dec 31)
-------------------------------------------------------------
Several vulnerabilities have been discovered in phpMyAdmin, a tool to
administer MySQL over the web. The Common Vulnerabilities and
Exposures project identifies the following problems: [More...]
http://www.linuxsecurity.com/content/view/154053
------------------------------------------------------------------------
* Gentoo: 201101-01: gif2png: User-assisted execution of arbitrary (Jan 4)
------------------------------------------------------------------------
gif2png contains a stack overflow vulnerability when parsing
commandline arguments.
http://www.linuxsecurity.com/content/view/154067
------------------------------------------------------------------------
* Mandriva: 2011:001: dhcp (Jan 7)
--------------------------------
A vulnerability has been found and corrected in dhcp: ISC DHCP server
4.2 before 4.2.0-P2, when configured to use failover partnerships,
allows remote attackers to cause a denial of service
(communications-interrupted state and DHCP client service loss)
[More...]
http://www.linuxsecurity.com/content/view/154090
* Mandriva: 2011:000: phpmyadmin (Jan 5)
--------------------------------------
Multiple vulnerabilities have been found and corrected in phpmyadmin:
error.php in PhpMyAdmin 3.3.8.1 and earlier allows remote attackers
to conduct cross-site scripting (XSS) attacks via a crafted BBcode
tag containing @ characters, as demonstrated using [a@url@page]
[More...]
http://www.linuxsecurity.com/content/view/154073
------------------------------------------------------------------------
* Red Hat: 2011:0009-01: evince: Moderate Advisory (Jan 6)
--------------------------------------------------------
Updated evince packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/154083
* Red Hat: 2011:0004-01: kernel: Important Advisory (Jan 4)
---------------------------------------------------------
Updated kernel packages that fix multiple security issues, several
bugs, and add an enhancement are now available for Red Hat Enterprise
Linux 5. The Red Hat Security Response Team has rated this update as
having [More...]
http://www.linuxsecurity.com/content/view/154066
------------------------------------------------------------------------
* SuSE: 2011-003: Mozilla (Jan 5)
-------------------------------
Mozilla Firefox was updated to 3.6.13 to fix several security
issues. Mozilla Thunderbird and SeaMonkey were also updated on
openSUSE. The following security issues were fixed: MFSA 2010-74: Mozilla
developers identified and fixed several memory safety bugs in the
browser engine used in Firefox and other [More...]
http://www.linuxsecurity.com/content/view/154068
* SuSE: 2011-002: Linux kernel (Jan 3)
------------------------------------
This update of the openSUSE 11.2 kernel fixes various bugs and lots
of security issues. The following security issues have been fixed:
CVE-2010-4258: A local attacker could use an Oops (kernel crash)
caused by other flaws to write a 0 byte to an attacker-controlled
address in the [More...]
http://www.linuxsecurity.com/content/view/154061
* SuSE: 2011-001: Linux kernel (Jan 3)
------------------------------------
The openSUSE 11.3 kernel was updated to fix various bugs and security
issues. The following security issues have been fixed: CVE-2010-4347: A
local user could inject ACPI code into the kernel [More...]
http://www.linuxsecurity.com/content/view/154060
------------------------------------------------------------------------
* Ubuntu: 1040-1: Django vulnerabilities (Jan 6)
----------------------------------------------
Adam Baldwin discovered that Django did not properly validate query
string lookups. This could be exploited to provide an information leak
to an attacker with admin privileges. (CVE-2010-4534) [More...]
http://www.linuxsecurity.com/content/view/154086
* Ubuntu: 1036-1: CUPS update (Jan 6)
-----------------------------------
Under certain circumstances, CUPS could start before its AppArmor
profile was loaded and therefore run unconfined. This update ensures
the AppArmor profile is loaded before CUPS starts. [More...]
http://www.linuxsecurity.com/content/view/154085
* Ubuntu: 1038-1: dpkg vulnerability (Jan 6)
------------------------------------------
Jakub Wilk and Raphaël Hertzog discovered that dpkg-source did
not correctly handle certain paths and symlinks when unpacking
source-format version 3.0 packages. If a user or an automated system
were tricked into unpacking a specially crafted source package, a
remote attacker could modify files outside the target unpack
directory, leading to a denial [More...]
http://www.linuxsecurity.com/content/view/154084
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------