Linux Advisory Watch: January 6th, 2012
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| January 6th, 2012 Volume 13, Number 1 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor have made
available.
Password guessing as an attack vector
-------------------------------------
Using password guessing as an attack vector. Over the years we've been
taught a strong password must be long and complex to be considered
secure. Some of us have taken that notion to heart and always ensure
our passwords are strong. But some don't give a second thought to the
complexity or length of our password.
http://www.linuxsecurity.com/content/view/156412
------------------------------------------------------------------------
* Debian: 2381-1: squid3: invalid memory deallocation (Jan 6)
-----------------------------------------------------------
It was discovered that the IPv6 support code in Squid does not
properly handle certain DNS responses, resulting in deallocation of
an invalid pointer and a daemon crash. [More...]
http://www.linuxsecurity.com/content/view/156522
* Debian: 2380-1: foomatic-filters: shell command injection (Jan 4)
-----------------------------------------------------------------
It was discovered that the foomatic-filters, a support package for
setting up printers, allowed authenticated users to submit crafted
print jobs which would execute shell commands on the print servers.
[More...]
http://www.linuxsecurity.com/content/view/156516
* Debian: 2379-1: krb5: Multiple vulnerabilities (Jan 4)
------------------------------------------------------
It was discovered that the Key Distribution Center (KDC) in Kerberos
5 crashes when processing certain crafted requests: CVE-2011-1528
[More...]
http://www.linuxsecurity.com/content/view/156515
* Debian: 2378-1: ffmpeg: Multiple vulnerabilities (Jan 3)
--------------------------------------------------------
Several vulnerabilities have been discovered in ffmpeg, a multimedia
player, server and encoder. Multiple input validations in the
decoders for QDM2, VP5, VP6, VMD and SVQ1 files could lead to the
execution of arbitrary code. [More...]
http://www.linuxsecurity.com/content/view/156508
* Debian: 2377-1: cyrus-imapd-2.2: NULL pointer dereference (Jan 1)
-----------------------------------------------------------------
It was discovered that cyrus-imapd, a highly scalable mail system
designed for use in enterprise environments, is not properly parsing
mail headers when a client makes use of the IMAP threading feature.
As a result, a NULL pointer is dereferenced which crashes the daemon.
An attacker can trigger [More...]
http://www.linuxsecurity.com/content/view/156505
* Debian: 2376-2: ipmitool: insecure pid file (Dec 31)
----------------------------------------------------
It was discovered that OpenIPMI, the Intelligent Platform Management
Interface library and tools, used too wide permissions PID file,
which allows local users to kill arbitrary processes by writing to
this file. [More...]
http://www.linuxsecurity.com/content/view/156503
* Debian: 2263-2: movabletype-opensource: Multiple vulnerabilities (Dec 30)
-------------------------------------------------------------------------
Advisory DSA 2363-1 did not include a package for the Debian 5.0
'Lenny' suite at that time. This update adds that package. The
original advisory text follows. [More...]
http://www.linuxsecurity.com/content/view/156499
* Debian: 2376-1: ipmitool: insecure pid file (Dec 30)
----------------------------------------------------
It was discovered that OpenIPMI, the Intelligent Platform Management
Interface library and tools, used too wide permissions PID file,
which allows local users to kill arbitrary processes by writing to
this file. [More...]
http://www.linuxsecurity.com/content/view/156498
------------------------------------------------------------------------
* Gentoo: 201201-02: MySQL: Multiple vulnerabilities (Jan 5)
----------------------------------------------------------
Multiple vulnerabilities were found in MySQL, some of which may
allowexecution of arbitrary code.
http://www.linuxsecurity.com/content/view/156521
* Gentoo: 201201-01: phpMyAdmin: Multiple vulnerabilities (Jan 4)
---------------------------------------------------------------
Multiple vulnerabilities were found in phpMyAdmin, the most severe
ofwhich allows the execution of arbitrary PHP code.
http://www.linuxsecurity.com/content/view/156517
------------------------------------------------------------------------
* Mandriva: 2012:002: t1lib (Jan 2)
---------------------------------
A vulnerability has been found and corrected in t1lib: t1lib 5.1.2
and earlier uses an invalid pointer in conjunction with a dereference
operation, which allows remote attackers to execute arbitrary code
via a specially crafted Type 1 font in a PDF document [More...]
http://www.linuxsecurity.com/content/view/156507
* Mandriva: 2012:001: fcgi (Jan 2)
--------------------------------
A vulnerability has been found and corrected in fcgi: The FCGI (aka
Fast CGI) module 0.70 through 0.73 for Perl, as used by CGI::Fast,
uses environment variable values from one request during processing
of a later request, which allows remote attackers to bypass [More...]
http://www.linuxsecurity.com/content/view/156506
* Mandriva: 2011:198: phpmyadmin (Dec 31)
---------------------------------------
Multiple vulnerabilities has been found and corrected in phpmyadmin:
Importing a specially-crafted XML file which contains an XML entity
injection permits to retrieve a local file (limited by the privileges
of the user running the web server) (CVE-2011-4107). [More...]
http://www.linuxsecurity.com/content/view/156504
* Mandriva: 2011:197: php (Dec 30)
--------------------------------
Multiple vulnerabilities has been discovered and corrected in php:
Integer overflow in the exif_process_IFD_TAG function in exif.c in
the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows
remote attackers to read the contents of arbitrary memory locations
or [More...]
http://www.linuxsecurity.com/content/view/156500
------------------------------------------------------------------------
* Ubuntu: 1320-1: FFmpeg vulnerabilities (Jan 5)
----------------------------------------------
FFmpeg could be made to crash or run programs as your login if
itopened a specially crafted file.
http://www.linuxsecurity.com/content/view/156520
* Ubuntu: 1319-1: Linux kernel (OMAP4) vulnerabilities (Jan 5)
------------------------------------------------------------
Several security issues were fixed in the kernel.
http://www.linuxsecurity.com/content/view/156519
* Ubuntu: 1318-1: Linux kernel (FSL-IMX51) vulnerabilities (Jan 5)
----------------------------------------------------------------
Several security issues were fixed in the kernel.
http://www.linuxsecurity.com/content/view/156518
* Ubuntu: 1317-1: Ghostscript vulnerabilities (Jan 4)
---------------------------------------------------
Ghostscript could be made to crash or run programs as your login if
itopened a specially crafted file.
http://www.linuxsecurity.com/content/view/156509
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
[Fedora Announce]
[Linux Crypto]
[Kernel]
[Netfilter]
[Video for Linux]
[Bugtraq]
[USB]
[Fedora Security]
