Linux Advisory Watch: January 15th, 2011
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| January 15th, 2011 Volume 12, Number 3 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor have made
available.
Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.
http://www.linuxsecurity.com/content/view/153159
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2144-1: wireshark: buffer overflow (Jan 14)
---------------------------------------------------
It was discovered that a buffer overflow in the ENTTEC dissector may
lead to the execution of arbitrary code. [More...]
http://www.linuxsecurity.com/content/view/154144
* Debian: 2143-1: mysql-dfsg-5.0: several vulnerabilities (Jan 14)
----------------------------------------------------------------
Several vulnerabilities have been discovered in the MySQL database
server. The Common Vulnerabilities and Exposures project identifies
the [More...]
http://www.linuxsecurity.com/content/view/154135
* Debian: 2141-4: lighttpd: compatibility problem with (Jan 12)
-------------------------------------------------------------
The openssl update in DSA-2141-1 caused a regression in lighttpd. Due
to a bug in lighttpd, the server fails to start in some
configurations if using the updated openssl libraries. This update
fixes this problem. [More...]
http://www.linuxsecurity.com/content/view/154122
* Debian: 2122-2: glibc: missing input sanitization (Jan 11)
----------------------------------------------------------
Colin Watson discovered that the update for stable relased in
DSA-2122-1 did not complete address the underlying security issue in
all possible scenarios. [More...]
http://www.linuxsecurity.com/content/view/154110
------------------------------------------------------------------------
* Gentoo: 201101-03: libvpx: User-assisted execution of arbitrary code (Jan 14)
-----------------------------------------------------------------------------
Timothy B. Terriberry discovered that libvpx contains an
integeroverflow vulnerability in the processing of video streams that
mayallow user-assisted execution of arbitrary code.
http://www.linuxsecurity.com/content/view/154146
* Gentoo: 201101-02: Tor: Remote heap-based buffer overflow (Jan 14)
------------------------------------------------------------------
Tor is vulnerable to a heap-based buffer overflow that may
allowarbitrary code execution.
http://www.linuxsecurity.com/content/view/154145
------------------------------------------------------------------------
* Mandriva: 2011:009: gif2png (Jan 14)
------------------------------------
A vulnerability has been found and corrected in gif2png: Stack-based
buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow
context-dependent attackers to execute arbitrary code via a long
command-line argument, as demonstrated by a CGI program [More...]
http://www.linuxsecurity.com/content/view/154143
* Mandriva: 2011:008: perl-CGI (Jan 14)
-------------------------------------
A vulnerability has been found and corrected in perl-CGI: Unspecified
vulnerability in CGI.pm 3.50 and earlier allows remote attackers to
inject arbitrary HTTP headers and conduct HTTP response splitting
attacks via unknown vectors. NOTE: this issue exists [More...]
http://www.linuxsecurity.com/content/view/154142
* Mandriva: 2011:007: wireshark (Jan 14)
--------------------------------------
A vulnerability has been found and corrected in wireshark: Buffer
overflow in the MAC-LTE dissector (epan/dissectors/packet-mac-lte.c)
in Wireshark 1.2.0 through 1.2.13 and 1.4.0 through 1.4.2 allows
remote attackers to cause a denial [More...]
http://www.linuxsecurity.com/content/view/154141
* Mandriva: 2011:006: subversion (Jan 14)
---------------------------------------
Multiple vulnerabilities has been found and corrected in subversion:
The walk function in repos.c in the mod_dav_svn module for the Apache
HTTP Server, as distributed in Apache Subversion before 1.6.15,
allows remote authenticated users to cause a denial of service (NULL
[More...]
http://www.linuxsecurity.com/content/view/154136
* Mandriva: 2011:005: evince (Jan 13)
-----------------------------------
Multiple vulnerabilities has been found and corrected in evince:
Array index error in the PK and VF font parser in the dvi-backend
component in Evince 2.32 and earlier allows remote attackers to cause
a denial of service (application crash) or possibly execute [More...]
http://www.linuxsecurity.com/content/view/154128
* Mandriva: 2011:004: php-phar (Jan 10)
-------------------------------------
A vulnerability has been found and corrected in php-phar: Multiple
format string vulnerabilities in the phar extension in PHP 5.3 before
5.3.2 allow context-dependent attackers to obtain sensitive
information (memory contents) and possibly execute arbitrary code
[More...]
http://www.linuxsecurity.com/content/view/154104
* Mandriva: 2011:003: MHonArc (Jan 10)
------------------------------------
Multiple vulnerabilities has been found and corrected in MHonArc:
MHonArc 2.6.16 allows remote attackers to cause a denial of service
(CPU consumption) via start tags that are placed within other start
tags, as demonstrated by a <bo<bo<bo<bo<body>dy>dy>dy>dy>
sequence, [More...]
http://www.linuxsecurity.com/content/view/154099
* Mandriva: 2011:002: wireshark (Jan 9)
-------------------------------------
A vulnerability has been found and corrected in wireshark: Buffer
overflow in epan/dissectors/packet-enttec.c in Wireshark 1.4.2 allows
remote attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted ENTTEC DMX [More...]
http://www.linuxsecurity.com/content/view/154094
* Mandriva: 2011:001: dhcp (Jan 7)
--------------------------------
A vulnerability has been found and corrected in dhcp: ISC DHCP server
4.2 before 4.2.0-P2, when configured to use failover partnerships,
allows remote attackers to cause a denial of service
(communications-interrupted state and DHCP client service loss)
[More...]
http://www.linuxsecurity.com/content/view/154090
------------------------------------------------------------------------
* Red Hat: 2011:0028-01: kvm: Low Advisory (Jan 13)
-------------------------------------------------
Updated kvm packages that fix one security issue and several bugs are
now available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having low [More...]
http://www.linuxsecurity.com/content/view/154126
* Red Hat: 2011:0027-01: python: Low Advisory (Jan 13)
----------------------------------------------------
Updated python packages that fix multiple security issues, several
bugs, and add two enhancements are now available for Red Hat
Enterprise Linux 5. The Red Hat Security Response Team has rated this
update as having low [More...]
http://www.linuxsecurity.com/content/view/154125
* Red Hat: 2011:0025-01: gcc: Low Advisory (Jan 13)
-------------------------------------------------
Updated gcc packages that fix two security issues and several
compiler bugs are now available for Red Hat Enterprise Linux 5. The
Red Hat Security Response Team has rated this update as having low
[More...]
http://www.linuxsecurity.com/content/view/154123
* Red Hat: 2011:0007-01: kernel: Important Advisory (Jan 11)
----------------------------------------------------------
Updated kernel packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise Linux 6. The Red Hat
Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/154111
* Red Hat: 2011:0013-01: wireshark: Moderate Advisory (Jan 10)
------------------------------------------------------------
Updated wireshark packages that fix one security issue are now
available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat
Security Response Team has rated this update as having moderate
[More...]
http://www.linuxsecurity.com/content/view/154102
------------------------------------------------------------------------
* Slackware: 2011-010-01: php: Security Update (Jan 10)
-----------------------------------------------------
New php packages are available for Slackware 11.0, 12.0, 12.1, 12.2,
13.0, 13.1, and -current to fix a security issue. [More Info...]
http://www.linuxsecurity.com/content/view/154105
------------------------------------------------------------------------
* SuSE: 2011-004: Linux kernel (Jan 14)
-------------------------------------
The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to
2.6.32.27 and fixes various bugs and security issues. Following
security issues were fixed: CVE-2010-4258: A local attacker could use
a Oops (kernel crash) caused by other flaws to write a 0 byte to a
attacker controlled address [More...]
http://www.linuxsecurity.com/content/view/154140
* SuSE: Weekly Summary 2011:001 (Jan 11)
--------------------------------------
To avoid flooding mailing lists with SUSE Security Announcements for
minor issues, SUSE Security releases weekly summary reports for the
low profile vulnerability fixes. The SUSE Security Summary Reports do
not list or download URLs like the SUSE Security Announcements that
are released for more severe vulnerabilities. List of
vulnerabilities in this summary include: finch/pidgin,
libmoon-devel/moonlight-plugin, libsmi, openssl, perl-CGI-Simple,
supportutils, wireshark.
http://www.linuxsecurity.com/content/view/154106
------------------------------------------------------------------------
* Ubuntu: 1042-2: PHP5 regression (Jan 13)
----------------------------------------
USN-1042-1 fixed vulnerabilities in PHP5. The fix for
CVE-2010-3436introduced a regression in the open_basedir restriction
handling code.This update fixes the problem. [More...]
http://www.linuxsecurity.com/content/view/154124
* Ubuntu: 1043-1: Little CMS vulnerability (Jan 12)
-------------------------------------------------
It was discovered that a NULL pointer dereference in the code
forhandling transformations of monochrome profiles could allow an
attackerto cause a denial of service through a specially crafted
image.(CVE-2009-0793) [More...]
http://www.linuxsecurity.com/content/view/154114
* Ubuntu: 1009-2: GNU C Library vulnerability (Jan 12)
----------------------------------------------------
USN-1009-1 fixed vulnerabilities in the GNU C library. Colin
Watsondiscovered that the fixes were incomplete and introduced flaws
withsetuid programs loading libraries that used dynamic string tokens
in theirRPATH. If the "man" program was installed setuid, a local
attacker couldexploit this to gain "man" user privileges, potentially
leading to further [More...]
http://www.linuxsecurity.com/content/view/154113
* Ubuntu: 1042-1: PHP vulnerabilities (Jan 11)
--------------------------------------------
It was discovered that an integer overflow in the XML UTF-8
decodingcode could allow an attacker to bypass cross-site scripting
(XSS)protections. This issue only affected Ubuntu 6.06 LTS, Ubuntu
8.04 LTS,and Ubuntu 9.10. (CVE-2009-5016) [More...]
http://www.linuxsecurity.com/content/view/154112
* Ubuntu: 1041-1: Linux kernel vulnerabilities (Jan 10)
-----------------------------------------------------
Dan Rosenberg discovered that the btrfs filesystem did not
correctlyvalidate permissions when using the clone function. A local
attacker couldoverwrite the contents of file handles that were opened
for append-only,or potentially read arbitrary contents, leading to a
loss of privacy. OnlyUbuntu 9.10 was affected. (CVE-2010-2537,
CVE-2010-2538) [More...]
http://www.linuxsecurity.com/content/view/154103
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
[Fedora Announce]
[Linux Crypto]
[Kernel]
[Netfilter]
[Video for Linux]
[Bugtraq]
[USB]
[Fedora Security]
