Linux Advisory Watch: March 4th, 2011
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| March 4th, 2011 Volume 12, Number 10 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor have made
available.
Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.
http://www.linuxsecurity.com/content/view/153159
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2181-1: subversion: denial of service (Mar 4)
-----------------------------------------------------
Philip Martin discovered that HTTP-based Subversion servers crash
when processing lock requests on repositories which support
unauthenticated read access. [More...]
http://www.linuxsecurity.com/content/view/154547
* Debian: 2180-1: iceape: Multiple vulnerabilities (Mar 3)
--------------------------------------------------------
Several vulnerabilities have been found in the Iceape internet suite,
an unbranded version of Seamonkey: CVE-2010-1585 [More...]
http://www.linuxsecurity.com/content/view/154546
* Debian: 2179-1: dtc: SQL injection (Mar 2)
------------------------------------------
Ansgar Burchardt discovered several vulnerabilities in DTC, a web
control panel for admin and accounting hosting services.
CVE-2011-0434 [More...]
http://www.linuxsecurity.com/content/view/154535
* Debian: 2178-1: pango1.0: NULL pointer dereference (Mar 2)
----------------------------------------------------------
It was discovered that pango did not check for memory allocation
failures, causing a NULL pointer dereference with an adjustable
offset. This can lead to application crashes and potentially
arbitrary code execution. [More...]
http://www.linuxsecurity.com/content/view/154534
* Debian: 2177-1: pywebdav: SQL injection (Mar 2)
-----------------------------------------------
It was discovered that python-webdav, a WebDAV server implementation,
contains several SQL injection vulnerabilities in the processing of
user credentials. [More...]
http://www.linuxsecurity.com/content/view/154533
* Debian: 2176-1: cups: Multiple vulnerabilities (Mar 1)
------------------------------------------------------
Several vulnerabilities have been discovered in the Common UNIX
Printing System: CVE-2008-5183 [More...]
http://www.linuxsecurity.com/content/view/154514
* Debian: 2163-2: dajaxice: Multiple vulnerabilities (Mar 1)
----------------------------------------------------------
The changes in python-django DSA-2163 necessary to fix the issues
CVE-2011-0696 and CVE-2011-0697 introduced an unavoidable backward
incompatibility, which caused a regression in dajaxice, which depends
on python-django. This update supplies fixed packages for [More...]
http://www.linuxsecurity.com/content/view/154511
* Debian: 2175-1: samba: missing input sanisiting (Feb 28)
--------------------------------------------------------
Volker Lendecke discovered that missing range checks in Samba's file
descriptor handling could lead to memory corruption, resulting in
denial of service. [More...]
http://www.linuxsecurity.com/content/view/154500
* Debian: 2174-1: avahi: denial of service (Feb 26)
-------------------------------------------------
It was discovered that avahi, an implementation of the zeroconf
protocol, can be crashed remotely by a single UDP packet, which may
result in a denial of service. [More...]
http://www.linuxsecurity.com/content/view/154489
* Debian: 2173-1: pam-pgsql: buffer overflow (Feb 26)
---------------------------------------------------
It was discovered that pam-pgsql, a PAM module to authenticate using
a PostgreSQL database, was vulnerable to a buffer overflow in
supplied IP-addresses. [More...]
http://www.linuxsecurity.com/content/view/154488
------------------------------------------------------------------------
* Mandriva: 2011:040: pango (Mar 3)
---------------------------------
A vulnerability has been found and corrected in pango: It was
discovered that pango did not check for memory reallocation failures
in hb_buffer_ensure() function. This could trigger a NULL pointer
dereference in hb_buffer_add_glyph(), where possibly untrusted
[More...]
http://www.linuxsecurity.com/content/view/154541
* Mandriva: 2011:039: webkit (Mar 2)
----------------------------------
Multiple cross-site scripting, denial of service and arbitrary code
execution security flaws were discovered in webkit. Please consult
the CVE web links for further information. [More...]
http://www.linuxsecurity.com/content/view/154527
* Mandriva: 2011:038: samba (Feb 28)
----------------------------------
A vulnerability has been found and corrected in samba: All current
released versions of Samba are vulnerable to a denial of service
caused by memory corruption. Range checks on file descriptors being
used in the FD_SET macro were not present allowing stack [More...]
http://www.linuxsecurity.com/content/view/154497
* Mandriva: 2011:037: avahi (Feb 24)
----------------------------------
A vulnerability has been found and corrected in avahi:
avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29 allows
remote attackers to cause a denial of service (infinite loop) via an
empty (1) IPv4 or (2) IPv6 UDP packet to port 5353. NOTE: this
[More...]
http://www.linuxsecurity.com/content/view/154471
------------------------------------------------------------------------
* Red Hat: 2011:0318-01: libtiff: Important Advisory (Mar 2)
----------------------------------------------------------
Updated libtiff packages that fix one security issue are now
available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat
Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/154538
* Red Hat: 2011:0313-01: seamonkey: Critical Advisory (Mar 1)
-----------------------------------------------------------
Updated seamonkey packages that fix several security issues are now
available for Red Hat Enterprise Linux 4. The Red Hat Security
Response Team has rated this update as having critical [More...]
http://www.linuxsecurity.com/content/view/154525
* Red Hat: 2011:0311-01: thunderbird: Critical Advisory (Mar 1)
-------------------------------------------------------------
An updated thunderbird package that fixes several security issues is
now available for Red Hat Enterprise Linux 6. The Red Hat Security
Response Team has rated this update as having critical [More...]
http://www.linuxsecurity.com/content/view/154524
* Red Hat: 2011:0312-01: thunderbird: Moderate Advisory (Mar 1)
-------------------------------------------------------------
An updated thunderbird package that fixes several security issues is
now available for Red Hat Enterprise Linux 4 and 5. The Red Hat
Security Response Team has rated this update as having moderate
[More...]
http://www.linuxsecurity.com/content/view/154523
* Red Hat: 2011:0309-01: pango: Critical Advisory (Mar 1)
-------------------------------------------------------
Updated pango packages that fix one security issue are now available
for Red Hat Enterprise Linux 6. The Red Hat Security Response Team
has rated this update as having critical [More...]
http://www.linuxsecurity.com/content/view/154521
* Red Hat: 2011:0310-01: firefox: Critical Advisory (Mar 1)
---------------------------------------------------------
Updated firefox packages that fix several security issues and one bug
are now available for Red Hat Enterprise Linux 4, 5, and 6. The Red
Hat Security Response Team has rated this update as having critical
[More...]
http://www.linuxsecurity.com/content/view/154522
* Red Hat: 2011:0307-01: mailman: Moderate Advisory (Mar 1)
---------------------------------------------------------
An updated mailman package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/154519
* Red Hat: 2011:0308-01: mailman: Moderate Advisory (Mar 1)
---------------------------------------------------------
An updated mailman package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 6. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/154518
* Red Hat: 2011:0306-01: samba3x: Important Advisory (Mar 1)
----------------------------------------------------------
Updated samba3x packages that fix one security issue are now
available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/154517
* Red Hat: 2011:0305-01: samba: Important Advisory (Mar 1)
--------------------------------------------------------
Updated samba packages that fix one security issue are now available
for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/154515
* Red Hat: 2011:0303-01: kernel: Moderate Advisory (Mar 1)
--------------------------------------------------------
Updated kernel packages that fix three security issues and several
bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
Security Response Team has rated this update as having moderate
[More...]
http://www.linuxsecurity.com/content/view/154516
------------------------------------------------------------------------
* Slackware: 2011-060-01: mozilla-firefox: Security Update (Mar 2)
----------------------------------------------------------------
New mozilla-firefox packages are available for Slackware 13.0, 13.1,
and -current to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/154526
* Slackware: 2011-059-01: samba: Security Update (Feb 28)
-------------------------------------------------------
New samba packages are available for Slackware 10.0, 10.1, 10.2,
11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a denial of
service security issue. [More Info...]
http://www.linuxsecurity.com/content/view/154504
* Slackware: 2011-055-01: pidgin: Security Update (Feb 25)
--------------------------------------------------------
New pidgin packages are available for Slackware 12.0, 12.1, 12.2,
13.0, 13.1, and -current to fix a security issue. [More Info...]
http://www.linuxsecurity.com/content/view/154479
------------------------------------------------------------------------
* Ubuntu: 1050-1: Thunderbird vulnerabilities (Mar 2)
---------------------------------------------------
Jesse Ruderman, Igor Bukanov, Olli Pettay, Gary Kwong, Jeff Walden,
HenrySivonen, Martijn Wargers, David Baron and Marcia Knous
discovered severalmemory issues in the browser engine. An attacker
could exploit these tocrash the browser or possibly run arbitrary
code as the user invoking theprogram. (CVE-2011-0053, CVE-2011-0062)
[More...]
http://www.linuxsecurity.com/content/view/154539
* Ubuntu: 1083-1: Linux kernel vulnerabilities (Mar 2)
----------------------------------------------------
Al Viro discovered a race condition in the TTY driver. A local
attackercould exploit this to crash the system, leading to a denial
of service.(CVE-2009-4895) [More...]
http://www.linuxsecurity.com/content/view/154537
* Ubuntu: 1080-2: Linux kernel vulnerabilities (Mar 2)
----------------------------------------------------
USN-1080-1 fixed vulnerabilities in the Linux kernel. This update
providesthe corresponding updates for the Linux kernel for use with
EC2. [More...]
http://www.linuxsecurity.com/content/view/154536
* Ubuntu: 1082-1: Pango vulnerabilities (Mar 2)
---------------------------------------------
Marc Schoenefeld discovered that Pango incorrectly handled certain
GlyphDefinition (GDEF) tables. If a user were tricked into displaying
text witha specially-crafted font, an attacker could cause Pango to
crash, resultingin a denial of service. This issue only affected
Ubuntu 8.04 LTS and 9.10.(CVE-2010-0421) [More...]
http://www.linuxsecurity.com/content/view/154532
* Ubuntu: 1081-1: Linux kernel vulnerabilities (Mar 1)
----------------------------------------------------
It was discovered that KVM did not correctly initialize certain
CPUregisters. A local attacker could exploit this to crash the
system, leadingto a denial of service. (CVE-2010-3698) [More...]
http://www.linuxsecurity.com/content/view/154520
* Ubuntu: 1080-1: Linux kernel vulnerabilities (Mar 1)
----------------------------------------------------
Thomas Pollet discovered that the RDS network protocol did not
checkcertain iovec buffers. A local attacker could exploit this to
crash thesystem or possibly execute arbitrary code as the root user.
(CVE-2010-3865) [More...]
http://www.linuxsecurity.com/content/view/154513
* Ubuntu: 1079-1: OpenJDK 6 vulnerabilities (Mar 1)
-------------------------------------------------
It was discovered that untrusted Java applets could create domainname
resolution cache entries, allowing an attacker to manipulatename
resolution within the JVM. (CVE-2010-4448) [More...]
http://www.linuxsecurity.com/content/view/154506
* Ubuntu: 1078-1: Logwatch vulnerability (Feb 28)
-----------------------------------------------
Dominik George discovered that logwatch did not properly sanitizelog
file names that were passed to the shell as part of a command.If a
remote attacker were able to generate specially crafted filenames(for
example, via Samba logging), they could execute arbitrary codewith
root privileges. [More...]
http://www.linuxsecurity.com/content/view/154505
* Ubuntu: 1074-2: Linux kernel vulnerabilities (Feb 28)
-----------------------------------------------------
USN-1074-1 fixed vulnerabilities in linux-fsl-imx51 in Ubuntu 9.10.
Thisupdate provides the corresponding updates for Ubuntu 10.04.
[More...]
http://www.linuxsecurity.com/content/view/154499
* Ubuntu: 1075-1: Samba vulnerability (Feb 28)
--------------------------------------------
Volker Lendecke discovered that Samba incorrectly handled certain
filedescriptors. A remote attacker could send a specially crafted
request tothe server and cause Samba to crash or hang, resulting in a
denial ofservice. [More...]
http://www.linuxsecurity.com/content/view/154498
* Ubuntu: 1074-1: Linux kernel vulnerabilities (Feb 25)
-----------------------------------------------------
Al Viro discovered a race condition in the TTY driver. A local
attackercould exploit this to crash the system, leading to a denial
of service.(CVE-2009-4895) [More...]
http://www.linuxsecurity.com/content/view/154487
* Ubuntu: 1073-1: Linux kernel vulnerabilities (Feb 25)
-----------------------------------------------------
Gleb Napatov discovered that KVM did not correctly check certain
privilegedoperations. A local attacker with access to a guest kernel
could exploitthis to crash the host system, leading to a denial of
service.(CVE-2010-0435) [More...]
http://www.linuxsecurity.com/content/view/154486
* Ubuntu: 1072-1: Linux vulnerabilities (Feb 25)
----------------------------------------------
Gleb Napatov discovered that KVM did not correctly check certain
privilegedoperations. A local attacker with access to a guest kernel
could exploitthis to crash the host system, leading to a denial of
service.(CVE-2010-0435) [More...]
http://www.linuxsecurity.com/content/view/154485
* Ubuntu: 1071-1: Linux kernel vulnerabilities (Feb 25)
-----------------------------------------------------
Tavis Ormandy discovered that the Linux kernel did not properly
implementexception fixup. A local attacker could exploit this to
crash the kernel,leading to a denial of service. (CVE-2010-3086)
[More...]
http://www.linuxsecurity.com/content/view/154484
------------------------------------------------------------------------
* Pardus: 2011-54: Samba: Memory Corruption (Mar 3)
-------------------------------------------------
A vulnerability have been fixed in samba, which allows attackers to
cause a denial of service.
http://www.linuxsecurity.com/content/view/154540
* Pardus: 2011-52: Gimp: Multiple Vulnerabilities (Feb 28)
--------------------------------------------------------
Multiple vulnerabilities have been fixed in gimp.
http://www.linuxsecurity.com/content/view/154494
* Pardus: 2011-51: Php: Denial of Service (Feb 28)
------------------------------------------------
A vulnerability have been fixed in php, which allows attackers to
cause a denial of service.
http://www.linuxsecurity.com/content/view/154493
* Pardus: 2011-50: Wireshark: Buffer Overflow (Feb 28)
----------------------------------------------------
A vulnerability has been fixed in wireshark, which can be exploit by
malicious people to cause a denial of service or to execute code.
http://www.linuxsecurity.com/content/view/154492
* Pardus: 2011-49: Ruby: Multiple Vulnerabilities (Feb 28)
--------------------------------------------------------
Multiple vulnerabilities have been fixed in ruby.
http://www.linuxsecurity.com/content/view/154491
* Pardus: 2011-48: Mit-Kerberos: Multiple (Feb 28)
------------------------------------------------
Multiple vulnerabilities have been fixed in mit-kerberos, which can
be exploited by malicious people to cause a denial of service.
http://www.linuxsecurity.com/content/view/154490
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
[Fedora Announce]
[Linux Crypto]
[Kernel]
[Netfilter]
[Video for Linux]
[Bugtraq]
[USB]
[Fedora Security]
