Linux Advisory Watch: February 18th, 2011
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| February 18th, 2011 Volume 12, Number 8 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor have made
available.
Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.
http://www.linuxsecurity.com/content/view/153159
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2169-1: telepathy-gabble: insufficient input validati (Feb 16)
----------------------------------------------------------------------
It was discovered that telepathy-gabble, the Jabber/XMMP connection
manager for the Telepathy framework, is processing google:jingleinfo
updates without validating their origin. This may allow an attacker
to trick telepathy-gabble into relaying streamed media data through a
server of his choice and thus [More...]
http://www.linuxsecurity.com/content/view/154417
* Debian: 2168-1: openafs: Multiple vulnerabilities (Feb 16)
----------------------------------------------------------
Two vulnerabilities were discovered the distributed filesystem AFS:
CVE-2011-0430 [More...]
http://www.linuxsecurity.com/content/view/154416
* Debian: 2167-1: phpmyadmin: sql injection (Feb 16)
--------------------------------------------------
It was discovered that phpMyAdmin, a a tool to administer MySQL over
the web, when the bookmarks feature is enabled, allowed to create a
bookmarked query which would be executed unintentionally by other
users. [More...]
http://www.linuxsecurity.com/content/view/154415
* Debian: 2166-1: chromium-browser: Multiple vulnerabilities (Feb 16)
-------------------------------------------------------------------
Several vulnerabilities were discovered in the Chromium browser. The
Common Vulnerabilities and Exposures project identifies the following
problems: [More...]
http://www.linuxsecurity.com/content/view/154408
* Debian: 2165-1: ffmpeg-debian: buffer overflow (Feb 16)
-------------------------------------------------------
Several vulnerabilities have been discovered in FFmpeg coders, which
are used by by MPlayer and other applications. [More...]
http://www.linuxsecurity.com/content/view/154404
* Debian: 2164-1: shadow: insufficient input sanitiza (Feb 15)
------------------------------------------------------------
Kees Cook discovered that the chfn and chsh utilities do not properly
sanitize user input that includes newlines. An attacker could use
this to to corrupt passwd entries and may create users or groups in
NIS environments. [More...]
http://www.linuxsecurity.com/content/view/154402
* Debian: 2161-2: openjdk-6: Multiple vulnerabilities (Feb 14)
------------------------------------------------------------
It was discovered that the floating point parser in OpenJDK, an
implementation of the Java platform, can enter an infinite loop when
processing certain input strings. Such input strings represent valid
numbers and can be contained in data supplied by an attacker over the
[More...]
http://www.linuxsecurity.com/content/view/154386
* Debian: 2163-1: python-django: Multiple vulnerabilities (Feb 14)
----------------------------------------------------------------
Several vulnerabilities were discovered in the django web development
framework: CVE-2011-0696 [More...]
http://www.linuxsecurity.com/content/view/154384
* Debian: 2162-1: openssl: invalid memory access (Feb 14)
-------------------------------------------------------
Neel Mehta discovered that an incorrectly formatted ClientHello
handshake message could cause OpenSSL to parse past the end of the
message. This allows an attacker to crash an application using
OpenSSL by triggering an invalid memory access. Additionally, some
applications may be vulnerable [More...]
http://www.linuxsecurity.com/content/view/154382
* Debian: 2161-1: openjdk-6: denial of service (Feb 13)
-----------------------------------------------------
It was discovered that the floating point parser in OpenJDK, an
implementation of the Java platform, can enter an infinite loop when
processing certain input strings. Such input strings represent valid
numbers and can be contained in data supplied by an attacker over the
[More...]
http://www.linuxsecurity.com/content/view/154368
* Debian: 2160-1: tomcat6: Multiple vulnerabilities (Feb 13)
----------------------------------------------------------
Several vulnerabilities were discovered in the Tomcat Servlet and JSP
engine: CVE-2010-3718 [More...]
http://www.linuxsecurity.com/content/view/154367
* Debian: 2159-1: vlc: missing input sanitising (Feb 10)
------------------------------------------------------
Dan Rosenberg discovered that insufficient input validation in VLC's
processing of Matroska/WebM containers could lead to the execution of
arbitrary code. [More...]
http://www.linuxsecurity.com/content/view/154346
------------------------------------------------------------------------
* Mandriva: 2011:031: python-django (Feb 18)
------------------------------------------
Multiple vulnerabilities has been found and corrected in
python-django: Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does
not properly validate HTTP requests that contain an X-Requested-With
header, which makes it easier for remote attackers to conduct
cross-site [More...]
http://www.linuxsecurity.com/content/view/154434
* Mandriva: 2011:030: tomcat5 (Feb 18)
------------------------------------
Multiple vulnerabilities has been found and corrected in tomcat5:
When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to
the work directory. This directory is used for a variety of temporary
[More...]
http://www.linuxsecurity.com/content/view/154433
* Mandriva: 2011:029: kernel (Feb 17)
-----------------------------------
A vulnerability was discovered and corrected in the Linux 2.6 kernel:
The X.25 implementation does not properly parse facilities, which
allows remote attackers to cause a denial of service (heap memory
corruption and panic) or possibly have unspecified other impact via
malformed data, a different vulnerability [More...]
http://www.linuxsecurity.com/content/view/154425
* Mandriva: 2011:028: openssl (Feb 15)
------------------------------------
A vulnerability has been found and corrected in openssl: Incorrectly
formatted ClientHello handshake message could cause OpenSSL to parse
past the end of the message. This allows an attacker to crash an
application using OpenSSL by triggering an invalid memory [More...]
http://www.linuxsecurity.com/content/view/154391
* Mandriva: 2011:027: openoffice.org (Feb 14)
-------------------------------------------
Multiple vulnerabilities were discovered and corrected in
OpenOffice.org: Multiple directory traversal vulnerabilities allow
remote attackers to overwrite arbitrary files via a .. (dot dot) in
an entry in an [More...]
http://www.linuxsecurity.com/content/view/154385
* Mandriva: 2011:026: phpmyadmin (Feb 14)
---------------------------------------
Multiple vulnerabilities were discovered and corrected in phpmyadmin:
When the files README, ChangeLog or LICENSE have been removed from
their original place (possibly by the distributor), the scripts used
to display these files can show their full path, leading to possible
[More...]
http://www.linuxsecurity.com/content/view/154377
------------------------------------------------------------------------
* Red Hat: 2011:0281-01: java-1.6.0-openjdk: Important Advisory (Feb 17)
----------------------------------------------------------------------
Updated java-1.6.0-openjdk packages that fix several security issues
are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat
Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/154423
* Red Hat: 2011:0282-01: java-1.6.0-sun: Critical Advisory (Feb 17)
-----------------------------------------------------------------
Updated java-1.6.0-sun packages that fix several security issues are
now available for Red Hat Enterprise Linux 4 Extras, and Red Hat
Enterprise Linux 5 and 6 Supplementary. [More...]
http://www.linuxsecurity.com/content/view/154424
* Red Hat: 2011:0266-01: fence: Low Advisory (Feb 16)
---------------------------------------------------
An updated fence package that fixes multiple security issues, several
bugs, and adds two enhancements is now available for Red Hat Cluster
Suite 4. The Red Hat Security Response Team has rated this update as
having low [More...]
http://www.linuxsecurity.com/content/view/154414
* Red Hat: 2011:0264-01: rgmanager: Low Advisory (Feb 16)
-------------------------------------------------------
An updated rgmanager package that fixes multiple security issues and
several bugs is now available for Red Hat Cluster Suite 4. The Red
Hat Security Response Team has rated this update as having low
[More...]
http://www.linuxsecurity.com/content/view/154413
* Red Hat: 2011:0262-01: sendmail: Low Advisory (Feb 16)
------------------------------------------------------
Updated sendmail packages that fix one security issue and three bugs
are now available for Red Hat Enterprise Linux 4. The Red Hat
Security Response Team has rated this update as having low [More...]
http://www.linuxsecurity.com/content/view/154412
* Red Hat: 2011:0265-01: ccs: Low Advisory (Feb 16)
-------------------------------------------------
Updated ccs packages that fix one security issue are now available
for Red Hat Cluster Suite 4. The Red Hat Security Response Team has
rated this update as having low [More...]
http://www.linuxsecurity.com/content/view/154411
* Red Hat: 2011:0261-01: bash: Low Advisory (Feb 16)
--------------------------------------------------
Updated bash packages that fix one security issue and several bugs
are now available for Red Hat Enterprise Linux 4. The Red Hat
Security Response Team has rated this update as having low [More...]
http://www.linuxsecurity.com/content/view/154409
* Red Hat: 2011:0260-01: python: Low Advisory (Feb 16)
----------------------------------------------------
Updated python packages that fix multiple security issues and three
bugs are now available for Red Hat Enterprise Linux 4. The Red Hat
Security Response Team has rated this update as having low [More...]
http://www.linuxsecurity.com/content/view/154410
* Red Hat: 2011:0257-01: subversion: Moderate Advisory (Feb 15)
-------------------------------------------------------------
Updated subversion packages that fix two security issues are now
available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/154399
* Red Hat: 2011:0258-01: subversion: Moderate Advisory (Feb 15)
-------------------------------------------------------------
Updated subversion packages that fix three security issues are now
available for Red Hat Enterprise Linux 6. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/154398
* Red Hat: 2011:0256-01: dhcp: Moderate Advisory (Feb 15)
-------------------------------------------------------
Updated dhcp packages that fix one security issue are now available
for Red Hat Enterprise Linux 6. The Red Hat Security Response Team
has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/154397
* Red Hat: 2011:0214-01: java-1.6.0-openjdk: Moderate Advisory (Feb 10)
---------------------------------------------------------------------
Updated java-1.6.0-openjdk packages that fix one security issue are
now available for Red Hat Enterprise Linux 5 and 6. The Red Hat
Security Response Team has rated this update as having moderate
[More...]
http://www.linuxsecurity.com/content/view/154347
------------------------------------------------------------------------
* Slackware: 2011-041-02: expat: Security Update (Feb 10)
-------------------------------------------------------
New expat packages are available for Slackware 11.0, 12.0, 12.1,
12.2, 13.0, 13.1, and -current to fix security issues. [More
Info...]
http://www.linuxsecurity.com/content/view/154351
* Slackware: 2011-041-04: openssl: Security Update (Feb 10)
---------------------------------------------------------
New openssl packages are available for 11.0, 12.0, 12.1, 12.2, 13.0,
13.1, and -current to fix a security issue. [More Info...]
http://www.linuxsecurity.com/content/view/154352
* Slackware: 2011-041-01: apr-util: Security Update (Feb 10)
----------------------------------------------------------
New apr and apr-util packages are available for Slackware 11.0, 12.0,
12.1, 12.2, 13.0, 13.1, and -current to fix a security issue. [More
Info...]
http://www.linuxsecurity.com/content/view/154348
* Slackware: 2011-041-03: httpd: Security Update (Feb 10)
-------------------------------------------------------
New httpd packages are available for Slackware 12.0, 12.1, 12.2,
13.0, 13.1, and -current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/154349
* Slackware: 2011-041-05: sudo: Security Update (Feb 10)
------------------------------------------------------
New sudo packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a
security issue. [More Info...]
http://www.linuxsecurity.com/content/view/154350
------------------------------------------------------------------------
* SuSE: 2011-009: Flash Player (Feb 14)
-------------------------------------
The Adobe Flash Player was updated to the 10.2.152.26 release, fixing
lots of bugs and security issues. Please also see:
http://www.adobe.com/support/security/bulletins/apsb11-02.html
http://www.linuxsecurity.com/content/view/154383
* SuSE: 2011-008: Linux kernel (Feb 11)
-------------------------------------
This patch updates the SUSE Linux Enterprise Server 9 kernel to fix
various security issues and some bugs. Following security issues were
fixed: CVE-2010-4242: The hci_uart_tty_open function in the HCI UART
driver (drivers/bluetooth/hci_ldisc.c) in the Linux kernel did not
verify [More...]
http://www.linuxsecurity.com/content/view/154353
------------------------------------------------------------------------
* Ubuntu: 1067-1: Telepathy Gabble vulnerability (Feb 17)
-------------------------------------------------------
It was discovered that Gabble did not verify the from field of
googlejingleinfo updates. This could allow a remote attacker to
perform manin the middle attacks (MITM) on streamed media. [More...]
http://www.linuxsecurity.com/content/view/154422
* Ubuntu: 1065-1: shadow vulnerability (Feb 15)
---------------------------------------------
Kees Cook discovered that some shadow utilities did not correctly
validateuser input. A local attacker could exploit this flaw to
inject newlines intothe /etc/passwd file. If the system was
configured to use NIS, this couldlead to existing NIS groups or users
gaining or losing access to the system,resulting in a denial of
service or unauthorized access. [More...]
http://www.linuxsecurity.com/content/view/154401
* Ubuntu: 1063-1: QEMU vulnerability (Feb 14)
-------------------------------------------
Neil Wilson discovered that if VNC passwords were blank in
QEMUconfigurations, access to VNC sessions was allowed without a
passwordinstead of being disabled. A remote attacker could connect to
runningVNC sessions of QEMU and directly control the system. By
default, QEMUdoes not start VNC sessions. [More...]
http://www.linuxsecurity.com/content/view/154389
* Ubuntu: 1060-1: Exim vulnerabilities (Feb 10)
---------------------------------------------
It was discovered that Exim contained a design flaw in the way it
processedalternate configuration files. An attacker that obtained
privileges of the"Debian-exim" user could use an alternate
configuration file to obtainroot privileges. (CVE-2010-4345)
[More...]
http://www.linuxsecurity.com/content/view/154345
------------------------------------------------------------------------
* Pardus: 2011-45: Django: Multiple Vulnerabilities (Feb 14)
----------------------------------------------------------
Multiple vulnerabilities have been fixed in Django.
http://www.linuxsecurity.com/content/view/154388
* Pardus: 2011-44: Poppler: Integer Overflow (Feb 14)
---------------------------------------------------
A vulnerability has been fixed in poppler, which allows attackers to
execute arbitrary commands with a specially crafted PDF file.
http://www.linuxsecurity.com/content/view/154378
* Pardus: 2011-43: Wireshark: Uninitialized Pointer (Feb 14)
----------------------------------------------------------
A vulnerability has been fixed in wireshark, which allows remote
attackers to cause a denial of service or have unspecified other
impact
http://www.linuxsecurity.com/content/view/154376
* Pardus: 2011-42: Pango: Buffer Overflow (Feb 14)
------------------------------------------------
A vulnerability has been fixed in Pango, which can potentially be
exploited by malicious people to cause a denial of service
(application crash) or possibly execute arbitrary code.
http://www.linuxsecurity.com/content/view/154375
* Pardus: : Security Summary: Summary (Feb 14)
--------------------------------------------
Multiple vulnerabilities have been fixed in Linux-PAM.
http://www.linuxsecurity.com/content/view/154374
* Pardus: 2011-40: OpenSSH: Legacy Certificate (Feb 14)
-----------------------------------------------------
A vulnerability has been fixed in PostgreSQL, which can potentially
be exploited by malicious people to obtain sensitive contents or to
conduct hash collision attacks
http://www.linuxsecurity.com/content/view/154373
* Pardus: 2011-38: Tomcat: Multiple Vulnerabilities (Feb 14)
----------------------------------------------------------
Multiple vulnerabilities have been fixed in php.
http://www.linuxsecurity.com/content/view/154371
* Pardus: 2011-39: VLC: Multiple Vulnerabilities (Feb 14)
-------------------------------------------------------
Multiple vulnerabilities have been fixed in vlc, which can
potentially be exploited by malicious people to cause a denial of
service or possibly execute arbitrary code or commands.
http://www.linuxsecurity.com/content/view/154372
* Pardus: 2011-37: PostgreSQL: Buffer Overflow (Feb 14)
-----------------------------------------------------
A vulnerability has been fixed in PostgreSQL, which can potentially
be exploited by malicious people to cause a denial of service (crash)
and possibly execute arbitrary code.
http://www.linuxsecurity.com/content/view/154370
* Pardus: 2011-36: DHCP: Denial of Service (Feb 14)
-------------------------------------------------
A vulnerability has been fixed indhcp, which can be exploited by
malicious users to cause a DoS (Denial of Service).
http://www.linuxsecurity.com/content/view/154369
* Pardus: 2011-28: Patch: Arbitrary File (Feb 12)
-----------------------------------------------
A vulnerability have been fixed in patch, which allows an attacker to
create arbitrary files.
http://www.linuxsecurity.com/content/view/154358
* Pardus: 2011-30: D-BUS: Stack overflow (Feb 12)
-----------------------------------------------
A vulnerability have been fixed in d-bus, which allows local users to
cause a denial of service.
http://www.linuxsecurity.com/content/view/154359
* Pardus: 2011-27: Chromium: Multiple vulnerabilities (Feb 12)
------------------------------------------------------------
Multiple vulnerabilities have been fixed in chromium-browser.
http://www.linuxsecurity.com/content/view/154360
* Pardus: 2011-33: HPlib: Stack Overflow (Feb 12)
-----------------------------------------------
A vulnerability was found in hplib, which can be exploited by
malicious people to cause denial of service
http://www.linuxsecurity.com/content/view/154361
* Pardus: 2011-32: Subversion: Multiple (Feb 12)
----------------------------------------------
A vulnerability was found in subversion, which can be exploited by
malicious people to cause denial of service
http://www.linuxsecurity.com/content/view/154362
* Pardus: 2011-34: OpenOffice: Multiple (Feb 12)
----------------------------------------------
Multiple vulnerabilities have been fixed in openoffice.
http://www.linuxsecurity.com/content/view/154363
* Pardus: 2011-35: PHP: Multiple vulnerabilities (Feb 12)
-------------------------------------------------------
Multiple vulnerabilities have been fixed in php.
http://www.linuxsecurity.com/content/view/154364
* Pardus: 2011-29: Wget: Arbitrary Files (Feb 12)
-----------------------------------------------
A vulnerability have been fixed in wget, which allows an remote
servers to create or ovewrite arbitrary files.
http://www.linuxsecurity.com/content/view/154365
* Pardus: 2011-31: Sudo: Escalated Escalation (Feb 12)
----------------------------------------------------
A vulnerability was found in sudo, which can be exploited by
malicious, local users to perform certain actions with escalated
privileges.
http://www.linuxsecurity.com/content/view/154366
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
[Fedora Announce]
[Linux Crypto]
[Kernel]
[Netfilter]
[Video for Linux]
[Bugtraq]
[USB]
[Fedora Security]
