Linux Advisory Watch: January 28th, 2011
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| January 28th, 2011 Volume 12, Number 5 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor have made
available.
Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.
http://www.linuxsecurity.com/content/view/153159
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2152-1: hplip: buffer overflow (Jan 27)
-----------------------------------------------
Sebastian Krahmer discovered a buffer overflow in the SNMP discovery
code of the HP Linux Printing and Imaging System, which could result
in the execution of arbitrary code. [More...]
http://www.linuxsecurity.com/content/view/154249
* Debian: : openoffice.org: Multiple vulnerabilities (Jan 26)
-----------------------------------------------------------
Several security related problems have been discovered in the
OpenOffice.org package that allows malformed documents to trick the
system into crashes or even the execution of arbitrary code.
[More...]
http://www.linuxsecurity.com/content/view/154239
* Debian: 2150-1: request-tracker3.6: unsalted password hashing (Jan 22)
----------------------------------------------------------------------
It was discovered that Request Tracker, an issue tracking system,
stored passwords in its database by using an insufficiently strong
hashing method. If an attacker would have access to the password
database, he could decode the passwords stored in it. [More...]
http://www.linuxsecurity.com/content/view/154209
* Debian: 2149-1: dbus: denial of service (Jan 20)
------------------------------------------------
Rémi Denis-Courmont discovered that dbus, a message bus application,
is not properly limiting the nesting level when examining messages
with extensive nested variants. This allows an attacker to crash the
dbus system daemon due to a call stack overflow via crafted messages.
[More...]
http://www.linuxsecurity.com/content/view/154194
------------------------------------------------------------------------
* Gentoo: 201101-08: Adobe Reader: Multiple vulnerabilities (Jan 21)
------------------------------------------------------------------
Multiple vulnerabilities in Adobe Reader might result in the
executionof arbitrary code.
http://www.linuxsecurity.com/content/view/154207
* Gentoo: 201101-09: Adobe Flash Player: Multiple vulnerabilities (Jan 21)
------------------------------------------------------------------------
Multiple vulnerabilities in Adobe Flash Player might allow
remoteattackers to execute arbitrary code or cause a Denial of
Service.
http://www.linuxsecurity.com/content/view/154206
------------------------------------------------------------------------
* Mandriva: 2011:019: libuser (Jan 26)
------------------------------------
A vulnerability has been found and corrected in libuser: libuser
before 0.57 uses a cleartext password value of (1) !! or (2) x for
new LDAP user accounts, which makes it easier for remote attackers to
obtain access by specifying one of these values (CVE-2011-0002).
[More...]
http://www.linuxsecurity.com/content/view/154240
* Mandriva: 2011:018: sudo (Jan 21)
---------------------------------
Multiple vulnerabilities has been found and corrected in sudo: A a
patch for parse.c in sudo does not properly interpret a system group
(aka %group) in the sudoers file during authorization decisions for a
user who belongs to that group, which allows local users to [More...]
http://www.linuxsecurity.com/content/view/154208
* Mandriva: 2011:017: tetex (Jan 21)
----------------------------------
It was discovered that tetex suffered from the same vulnerability as
previousely addressed in Evince with MDVSA-2011:005 (CVE-2010-2642).
As a precaution tetex has been patched to address this flaw. Packages
for 2009.0 are provided as of the Extended Maintenance [More...]
http://www.linuxsecurity.com/content/view/154204
* Mandriva: 2011:016: t1lib (Jan 21)
----------------------------------
It was discovered that t1lib suffered from the same vulnerability as
previousely addressed in Evince with MDVSA-2011:005 (CVE-2010-2642).
As a precaution t1lib has been patched to address this flaw. Packages
for 2009.0 are provided as of the Extended Maintenance [More...]
http://www.linuxsecurity.com/content/view/154202
* Mandriva: 2011:015: pcsc-lite (Jan 20)
--------------------------------------
A vulnerability has been found and corrected in pcsc-lite:
Stack-based buffer overflow in the ATRDecodeAtr function in the
Answer-to-Reset (ATR) Handler (atrhandler.c) for pcscd in PCSC-Lite
1.5.3, and possibly other 1.5.x and 1.6.x versions, allows physically
[More...]
http://www.linuxsecurity.com/content/view/154199
* Mandriva: 2011:014: ccid (Jan 20)
---------------------------------
A vulnerability has been found and corrected in ccid: Signedness
error in ccid_serial.c in libccid in the USB Chip/Smart Card
Interface Devices (CCID) driver, as used in pcscd in PCSC-Lite 1.5.3
and possibly other products, allows physically proximate attackers to
[More...]
http://www.linuxsecurity.com/content/view/154198
------------------------------------------------------------------------
* Red Hat: 2011:0180-01: pango: Moderate Advisory (Jan 27)
--------------------------------------------------------
Updated pango and evolution28-pango packages that fix one security
issue are now available for Red Hat Enterprise Linux 4, 5, and 6. The
Red Hat Security Response Team has rated this update as having
moderate [More...]
http://www.linuxsecurity.com/content/view/154246
* Red Hat: 2011:0177-01: webkitgtk: Moderate Advisory (Jan 25)
------------------------------------------------------------
Updated webkitgtk packages that fix several security issues are now
available for Red Hat Enterprise Linux 6. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/154229
* Red Hat: 2011:0176-01: java-1.6.0-openjdk: Moderate Advisory (Jan 25)
---------------------------------------------------------------------
Updated java-1.6.0-openjdk packages that fix two security issues are
now available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/154228
* Red Hat: 2011:0170-01: libuser: Moderate Advisory (Jan 20)
----------------------------------------------------------
Updated libuser packages that fix one security issue are now
available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat
Security Response Team has rated this update as having moderate
[More...]
http://www.linuxsecurity.com/content/view/154196
* Red Hat: 2011:0169-01: java-1.5.0-ibm: Critical Advisory (Jan 20)
-----------------------------------------------------------------
Updated java-1.5.0-ibm packages that fix multiple security issues and
one bug are now available for Red Hat Enterprise Linux 4 Extras, and
Red Hat Enterprise Linux 5 and 6 Supplementary. [More...]
http://www.linuxsecurity.com/content/view/154197
------------------------------------------------------------------------
* SuSE: 2011-006: IBM Java 6 (Jan 25)
-----------------------------------
IBM Java 6 SR9 was released, fixing lots of security issues.
Following CVE entries are cross referenced by this update:
CVE-2010-3553 CVE-2009-3555 CVE-2010-3562 CVE-2010-3557 CVE-2010-3558
CVE-2010-3563 CVE-2010-0771 CVE-2010-3550 CVE-2010-3549 CVE-2010-3551
CVE-2010-3555 CVE-2010-3556 [More...]
http://www.linuxsecurity.com/content/view/154227
* SuSE: 2011-005: Linux kernel (Jan 25)
-------------------------------------
This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes
several security issues and bugs. Following security issues were
fixed: CVE-2010-4258: A local attacker could use a Oops (kernel
crash) caused by other flaws to write a 0 byte to a attacker
controlled address [More...]
http://www.linuxsecurity.com/content/view/154225
* SuSE: Weekly Summary 2011:002 (Jan 25)
--------------------------------------
To avoid flooding mailing lists with SUSE Security Announcements for
minor issues, SUSE Security releases weekly summary reports for the
low profile vulnerability fixes. The SUSE Security Summary Reports do
not list or download URLs like the SUSE Security Announcements that
are released for more severe vulnerabilities. List of
vulnerabilities in this summary include: ed, evince, hplip,
libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo,
wireshark.
http://www.linuxsecurity.com/content/view/154221
------------------------------------------------------------------------
* Ubuntu: 1052-1: OpenJDK vulnerability (Jan 26)
----------------------------------------------
It was discovered that the JNLP SecurityManager in IcedTea for
JavaOpenJDK in some instances failed to properly apply the
intendedscurity policy in its checkPermission method. This could
allow anattacker execute code with privileges that should have been
prevented.(CVE-2010-4351) [More...]
http://www.linuxsecurity.com/content/view/154241
* Ubuntu: 1047-1: AWStats vulnerability (Jan 24)
----------------------------------------------
It was discovered that AWStats did not correctly filter the
LoadPluginconfiguration option. A local attacker on a shared system
could use thisto inject arbitrary code into AWStats. [More...]
http://www.linuxsecurity.com/content/view/154218
* Ubuntu: 1048-1: Tomcat vulnerability (Jan 24)
---------------------------------------------
It was discovered that Tomcat did not properly escape certain
parameters inthe Manager application which could result in browsers
becoming vulnerableto cross-site scripting attacks when processing
the output. With cross-sitescripting vulnerabilities, if a user were
tricked into viewing serveroutput during a crafted server request, a
remote attacker could exploit [More...]
http://www.linuxsecurity.com/content/view/154219
* Ubuntu: 1046-1: Sudo vulnerability (Jan 20)
-------------------------------------------
Alexander Kurtz discovered that sudo would not prompt for a password
whena group was specified in the Runas_Spec. A local attacker could
exploitthis to execute arbitrary code as the specified group if sudo
wasconfigured to allow the attacker to use a program as this group.
The groupRunas_Spec is not used in the default installation of
Ubuntu. [More...]
http://www.linuxsecurity.com/content/view/154195
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
[Fedora Announce]
[Linux Crypto]
[Kernel]
[Netfilter]
[Video for Linux]
[Bugtraq]
[USB]
[Fedora Security]
