Linux Advisory Watch: June 3rd, 2011
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| June 3rd, 2011 Volume 12, Number 23 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
| Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.
Book Review: Linux Kernel Programming
-------------------------------------
As Linux is implemented on an increasingly wide range of devices, the
number of people responsible for developing and maintaining Linux on
those platforms has increased. As the level of maturity of the kernel
increases, so do its complexity, capabilities, and size. This book
provides the Linux programmer with the tools necessary to understand the
core aspects of the kernel and how to interface with it.
http://www.linuxsecurity.com/content/view/154775
--------------------------------------------------------------------
* Debian: 2252-1: dovecot: programming error (Jun 2)
--------------------------------------------------
It was discovered that the message header parser in the Dovecot mail
server parsed NUL characters incorrectly, which could lead to denial
of service through malformed mail headers. [More...]
http://www.linuxsecurity.com/content/view/155212
* Debian: 2251-1: subversion: Multiple vulnerabilities (Jun 2)
------------------------------------------------------------
Several vulnerabilities were discovered in Subversion, the version
control system. The Common Vulnerabilities and Exposures project
identifies the following problems: [More...]
http://www.linuxsecurity.com/content/view/155205
* Debian: 2250-1: citadel: denial of service (May 31)
---------------------------------------------------
Wouter Coekaerts discovered that the jabber server component of
citadel, a complete and feature-rich groupware server, is vulnerable
to the so-called "billion laughs" attack because it does not prevent
entity expansion on received data. This allows an attacker to perform
denial of service [More...]
http://www.linuxsecurity.com/content/view/155193
* Debian: 2249-1: jabberd14: denial of service (May 31)
-----------------------------------------------------
Wouter Coekaerts discovered that jabberd14, an instant messaging
server using the Jabber/XMPP protocol, is vulnerable to the so-called
"billion laughs" attack because it does not prevent entity expansion
on received data. This allows an attacker to perform denial of
service [More...]
http://www.linuxsecurity.com/content/view/155192
* Debian: 2248-1: ejabberd: denial of service (May 31)
----------------------------------------------------
Wouter Coekaerts discovered that ejabberd, a distributed XMPP/Jabber
server written in Erlang, is vulnerable to the so-called "billion
laughs" attack because it does not prevent entity expansion on
received data. This allows an attacker to perform denial of service
attacks against the [More...]
http://www.linuxsecurity.com/content/view/155191
* Debian: 2247-1: rails: several vulnerabilities (May 31)
-------------------------------------------------------
Several vulnerabilities have been discovered in Rails, the Ruby web
application framework. The Common Vulnerabilities and Exposures
project identifies the following problems: [More...]
http://www.linuxsecurity.com/content/view/155190
* Debian: 2246-1: mahara: several vulnerabilities (May 29)
--------------------------------------------------------
Several vulnerabilities were discovered in mahara, an electronic
portfolio, weblog, and resume builder. The following Common
Vulnerabilities and Exposures project ids identify them: [More...]
http://www.linuxsecurity.com/content/view/155173
* Debian: 2245-1: chromium-browser: several vulnerabilities (May 29)
------------------------------------------------------------------
Several vulnerabilities were discovered in the Chromium browser. The
Common Vulnerabilities and Exposures project identifies the following
problems: [More...]
http://www.linuxsecurity.com/content/view/155172
* Debian: 2244-1: bind9: incorrect boundary condition (May 27)
------------------------------------------------------------
It was discovered that BIND, an implementation of the DNS protocol,
does not correctly process certain large RRSIG record sets in DNSSEC
responses. The resulting assertion failure causes the name server
process to crash, making name resolution unavailable. (CVE-2011-1910)
[More...]
http://www.linuxsecurity.com/content/view/155168
* Debian: 2243-1: unbound: design flaw (May 27)
---------------------------------------------
It was discovered that Unbound, a caching DNS resolver, ceases to
provide answers for zones signed using DNSSEC after it has processed
a crafted query. (CVE-2009-4008) [More...]
http://www.linuxsecurity.com/content/view/155167
------------------------------------------------------------------------
* Mandriva: 2011:105: wireshark (Jun 1)
-------------------------------------
This advisory updates wireshark to the latest version (1.2.17),
fixing several security issues: * Large/infinite loop in the DICOM
dissector. (Bug 5876) Versions affected: 1.2.0 to 1.2.16 and 1.4.0 to
1.4.6. [More...]
http://www.linuxsecurity.com/content/view/155201
* Mandriva: 2011:104: bind (Jun 1)
--------------------------------
A vulnerability has been identified and fixed in ISC BIND: Off-by-one
error in named in ISC BIND 9.x before 9.7.3-P1, 9.8.x before
9.8.0-P2, 9.4-ESV before 9.4-ESV-R4-P1, and 9.6-ESV before
9.6-ESV-R4-P1 allows remote DNS servers to cause a denial of service
[More...]
http://www.linuxsecurity.com/content/view/155197
* Mandriva: 2011:103: gimp (May 29)
---------------------------------
Multiple vulnerabilities were discovered and fixed in gimp:
Stack-based buffer overflow in the "LIGHTING EFFECTS >
LIGHT" plugin in GIMP 2.6.11 allows user-assisted remote
attackers to cause a denial of service (application crash) or
possibly execute arbitrary code [More...]
http://www.linuxsecurity.com/content/view/155174
* Mandriva: 2011:102: rdesktop (May 28)
-------------------------------------
A vulnerability has been identified and fixed in rdesktop: Directory
traversal vulnerability in the disk_create function in disk.c in
rdesktop before 1.7.0, when disk redirection is enabled, allows
remote RDP servers to read or overwrite arbitrary files via [More...]
http://www.linuxsecurity.com/content/view/155171
* Mandriva: 2011:101: dovecot (May 26)
------------------------------------
A vulnerability has been identified and fixed in dovecot:
lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and
2.0.x before 2.0.13 does not properly handle '\0' (NUL)
characters in header names, which allows remote attackers to cause a
denial of [More...]
http://www.linuxsecurity.com/content/view/155151
------------------------------------------------------------------------
* Red Hat: 2011:0836-01: kernel: Important Advisory (Jun 1)
---------------------------------------------------------
Updated kernel packages that fix multiple security issues and various
bugs are now available for Red Hat Enterprise Linux 6. The Red Hat
Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/155203
* Red Hat: 2011:0841-01: systemtap: Moderate Advisory (May 31)
------------------------------------------------------------
Updated systemtap packages that fix one security issue are now
available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/155189
* Red Hat: 2011:0843-01: postfix: Moderate Advisory (May 31)
----------------------------------------------------------
Updated postfix packages that fix one security issue are now
available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat
Security Response Team has rated this update as having moderate
[More...]
http://www.linuxsecurity.com/content/view/155188
* Red Hat: 2011:0844-01: apr: Low Advisory (May 31)
-------------------------------------------------
Updated apr packages that fix one security issue are now available
for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security
Response Team has rated this update as having low [More...]
http://www.linuxsecurity.com/content/view/155187
* Red Hat: 2011:0845-01: bind: Important Advisory (May 31)
--------------------------------------------------------
Updated bind and bind97 packages that fix one security issue are now
available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/155186
* Red Hat: 2011:0838-01: gimp: Moderate Advisory (May 31)
-------------------------------------------------------
Updated gimp packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/155185
* Red Hat: 2011:0842-01: systemtap: Moderate Advisory (May 31)
------------------------------------------------------------
Updated systemtap packages that fix two security issues are now
available for Red Hat Enterprise Linux 6. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/155184
* Red Hat: 2011:0840-01: dhcp: Important Advisory (May 31)
--------------------------------------------------------
Updated dhcp packages that fix one security issue are now available
for Red Hat Enterprise Linux 3 Extended Life Cycle Support. The Red
Hat Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/155183
* Red Hat: 2011:0837-01: gimp: Moderate Advisory (May 31)
-------------------------------------------------------
Updated gimp packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/155181
* Red Hat: 2011:0833-01: kernel: Important Advisory (May 31)
----------------------------------------------------------
Updated kernel packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
Security Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/155182
* Red Hat: 2011:0839-01: gimp: Moderate Advisory (May 31)
-------------------------------------------------------
Updated gimp packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/155180
------------------------------------------------------------------------
* Slackware: 2011-147-01: bind: Security Update (May 27)
------------------------------------------------------
New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current
to fix security issues. [More Info...]
http://www.linuxsecurity.com/content/view/155170
------------------------------------------------------------------------
* SuSE: Weekly Summary 2011:010 (May 31)
--------------------------------------
To avoid flooding mailing lists with SUSE Security Announcements for
minor issues, SUSE Security releases weekly summary reports for the
low profile vulnerability fixes. Unlike the SUSE Security Announcements
that are released for more severe vulnerabilities, the SUSE Security
Summary Reports do not list download URLs. Vulnerabilities covered in
this summary include: postfix, libthunarx-2-0, rdesktop, python, viewvc,
kvm, exim, logrotate, dovecot12/dovecot20, pure-ftpd, kdelibs4.
http://www.linuxsecurity.com/content/view/155176
------------------------------------------------------------------------
* Ubuntu: 1143-1: Dovecot vulnerability (Jun 1)
---------------------------------------------
An attacker could send a crafted email message that could disrupt
email service.
http://www.linuxsecurity.com/content/view/155204
* Ubuntu: 1142-1: GDM vulnerability (Jun 1)
-----------------------------------------
GDM could be made to launch a browser and leak information about the
system.
http://www.linuxsecurity.com/content/view/155202
* Ubuntu: 1141-1: Linux kernel vulnerabilities (May 31)
-----------------------------------------------------
Multiple kernel vulnerabilities have been fixed.
http://www.linuxsecurity.com/content/view/155195
* Ubuntu: 1139-1: Bind vulnerabilities (May 30)
---------------------------------------------
An attacker could send crafted input to Bind and cause it to crash.
http://www.linuxsecurity.com/content/view/155175
* Ubuntu: 1138-2: NetworkManager and ModemManager update (May 26)
---------------------------------------------------------------
An attacker could send crafted input to NetworkManager and
ModemManager and cause them to crash.
http://www.linuxsecurity.com/content/view/155161
* Ubuntu: 1138-1: DBus-GLib vulnerability (May 26)
------------------------------------------------
An attacker could send crafted input to applications using DBus-GLib
and cause them to crash.
http://www.linuxsecurity.com/content/view/155160
* Ubuntu: 1137-1: Eucalyptus vulnerability (May 26)
-------------------------------------------------
An attacker could send crafted input to Eucalyptus to run commands
as a valid user.
http://www.linuxsecurity.com/content/view/155158
------------------------------------------------------------------------
* Pardus: 2011-80: kdenetwork: Directory traversal (May 26)
---------------------------------------------------------
A vulnerability has been fixed in kdenetwork, which can be exploited
by attackers to create arbitrary files.
http://www.linuxsecurity.com/content/view/155156
* Pardus: 2011-79: kdelibs: MITM Attack (May 26)
----------------------------------------------
A vulnerability has been fixed in kdelibs, which can be exploited by
malicious people to perform man-in-the-middle attacks.
http://www.linuxsecurity.com/content/view/155155
* Pardus: 2011-78: dhcpcd: Execute Arbitrary Commands (May 26)
------------------------------------------------------------
A vulnerability has been fixed in dhcpcd, which allows attackers to
execute arbitrary commands.
http://www.linuxsecurity.com/content/view/155154
* Pardus: 2011-76: openldap: Multiple Vulnerabilities (May 26)
------------------------------------------------------------
Multiple vulnerabilities have been fixed in openldap.
http://www.linuxsecurity.com/content/view/155152
* Pardus: 2011-77: Wireshark: Multiple Vulnerabilities (May 26)
-------------------------------------------------------------
Multiple vulnerabilities have been fixed in wireshark, which allow
attackers to cause a denial of service or to execute arbitrary code.
http://www.linuxsecurity.com/content/view/155153
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------