Linux Advisory Watch: February 3rd, 2012
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| February 3rd, 2012 Volume 13, Number 5 |
| |
| Editorial Team: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx> |
+----------------------------------------------------------------------+
Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.
------------------------------------------------------------------------
* Debian: 2403-1: php5: code injection (Feb 2)
--------------------------------------------
Stefan Esser discovered that the implementation of the max_input_vars
configuration variable in a recent PHP security update was flawed
such that it allows remote attackers to crash PHP or potentially
execute code. [More...]
http://www.linuxsecurity.com/content/view/156698
* Debian: 2402-1: iceape: Multiple vulnerabilities (Feb 2)
--------------------------------------------------------
Several vulnerabilities have been found in the Iceape internet suite,
an unbranded version of Seamonkey: CVE-2011-3670 [More...]
http://www.linuxsecurity.com/content/view/156697
* Debian: 2400-1: iceweasel: Multiple vulnerabilities (Feb 2)
-----------------------------------------------------------
Several vulnerabilities have been discovered in Iceweasel, a web
browser based on Firefox. The included XULRunner library provides
rendering services for several other applications included in Debian.
[More...]
http://www.linuxsecurity.com/content/view/156696
* Debian: 2401-1: tomcat6: Multiple vulnerabilities (Feb 2)
---------------------------------------------------------
Several vulnerabilities have been found in Tomcat, a servlet and JSP
engine: CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064
[More...]
http://www.linuxsecurity.com/content/view/156695
* Debian: 2399-2: php5: Multiple vulnerabilities (Jan 31)
-------------------------------------------------------
A regression was found in the fix for PHP's XSLT transformations
(CVE-2012-0057). Updated packages are now available to address this
regression. For reference, the original advisory text follows.
[More...]
http://www.linuxsecurity.com/content/view/156681
* Debian: 2399-1: php5: Multiple vulnerabilities (Jan 31)
-------------------------------------------------------
Several vulnerabilities have been discovered in PHP, the web
scripting language. The Common Vulnerabilities and Exposures project
identifies the following issues: [More...]
http://www.linuxsecurity.com/content/view/156678
* Debian: 2398-1: curl: Multiple vulnerabilities (Jan 30)
-------------------------------------------------------
Several vulnerabilities have been discovered in Curl, a URL transfer
library. The Common Vulnerabilities and Exposures project identifies
the following problems: [More...]
http://www.linuxsecurity.com/content/view/156675
* Debian: 2397-1: icu: buffer underflow (Jan 29)
----------------------------------------------
It was discovered that a buffer overflow in the Unicode library ICU
could lead to the execution of arbitrary code. For the oldstable
distribution (lenny), this problem has been fixed in [More...]
http://www.linuxsecurity.com/content/view/156667
* Debian: 2396-1: qemu-kvm: buffer underflow (Jan 27)
---------------------------------------------------
Nicolae Mogoreanu discovered a heap overflow in the emulated e1000e
network interface card of KVM, a solution for full virtualization on
x86 hardware, which could result in denial of service or privilege
escalation. [More...]
http://www.linuxsecurity.com/content/view/156664
* Debian: 2395-1: wireshark: buffer underflow (Jan 27)
----------------------------------------------------
Laurent Butti discovered a buffer underflow in the LANalyzer
dissector of the Wireshark network traffic analyzer, which could lead
to the execution of arbitrary code (CVE-2012-0068) [More...]
http://www.linuxsecurity.com/content/view/156662
* Debian: 2394-1: libxml2: Multiple vulnerabilities (Jan 26)
----------------------------------------------------------
Many security problems had been fixed in libxml2, a popular library
to handle XML data files. CVE-2011-3919: [More...]
http://www.linuxsecurity.com/content/view/156655
------------------------------------------------------------------------
* Gentoo: 201201-18: bip: Multiple vulnerabilities (Jan 30)
---------------------------------------------------------
Multiple vulnerabilities in bip might allow remote unauthenticated
attackers to cause a Denial of Service or possibly execute arbitrary
code.
http://www.linuxsecurity.com/content/view/156669
* Gentoo: 201201-19: Adobe Reader: Multiple vulnerabilities (Jan 30)
------------------------------------------------------------------
Multiple vulnerabilities in Adobe Reader might allow remote attackers
to execute arbitrary code or conduct various other attacks.
http://www.linuxsecurity.com/content/view/156670
* Gentoo: 201201-17: Chromium: Multiple vulnerabilities (Jan 27)
--------------------------------------------------------------
Multiple vulnerabilities have been reported in Chromium, some of
which may allow execution of arbitrary code.
http://www.linuxsecurity.com/content/view/156666
* Gentoo: 201201-16: X.Org X Server/X Keyboard Database (Jan 27)
----------------------------------------------------------------
A debugging functionality in the X.Org X Server that is bound to a
hotkey by default can be used by local attackers to circumvent
screen locking utilities.
http://www.linuxsecurity.com/content/view/156665
* Gentoo: 201201-15: ktsuss: Privilege escalation (Jan 27)
--------------------------------------------------------
Two vulnerabilities have been found in ktsuss, allowing local
attackers to gain escalated privileges.
http://www.linuxsecurity.com/content/view/156661
------------------------------------------------------------------------
* Mandriva: 2012:012: apache (Feb 2)
----------------------------------
Multiple vulnerabilities have been found and corrected in apache (ASF
HTTPD): The log_cookie function in mod_log_config.c in the
mod_log_config module in the Apache HTTP Server 2.2.17 through
2.2.21, when a threaded [More...]
http://www.linuxsecurity.com/content/view/156694
* Mandriva: 2012:011: openssl (Jan 29)
------------------------------------
A vulnerability has been found and corrected in openssl: OpenSSL
0.9.8s and 1.0.0f does not properly support DTLS applications, which
allows remote attackers to cause a denial of service via unspecified
vectors. NOTE: this vulnerability exists because of an [More...]
http://www.linuxsecurity.com/content/view/156668
------------------------------------------------------------------------
* Red Hat: 2012:0093-01: php: Critical Advisory (Feb 2)
-----------------------------------------------------
Updated php packages that fix one security issue are now available
for Red Hat Enterprise Linux 4, 5 and 6. The Red Hat Security
Response Team has rated this update as having critical [More...]
http://www.linuxsecurity.com/content/view/156703
* Red Hat: 2012:0095-01: ghostscript: Moderate Advisory (Feb 2)
-------------------------------------------------------------
Updated ghostscript packages that fix multiple security issues are
now available for Red Hat Enterprise Linux 5 and 6. The Red Hat
Security Response Team has rated this update as having moderate
[More...]
http://www.linuxsecurity.com/content/view/156702
* Red Hat: 2012:0096-01: ghostscript: Moderate Advisory (Feb 2)
-------------------------------------------------------------
Updated ghostscript packages that fix two security issues are now
available for Red Hat Enterprise Linux 4. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/156699
* Red Hat: 2012:0094-01: freetype: Important Advisory (Feb 2)
-----------------------------------------------------------
Updated freetype packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5.6 Extended Update Support.
The Red Hat Security Response Team has rated this update as having
[More...]
http://www.linuxsecurity.com/content/view/156700
* Red Hat: 2012:0092-01: php53: Critical Advisory (Feb 2)
-------------------------------------------------------
Updated php53 packages that fix one security issue are now available
for Red Hat Enterprise Linux 5. The Red Hat Security Response Team
has rated this update as having critical [More...]
http://www.linuxsecurity.com/content/view/156701
* Red Hat: 2012:0086-01: openssl: Moderate Advisory (Feb 1)
---------------------------------------------------------
Updated openssl packages that fix two security issues are now
available for Red Hat Enterprise Linux 4. The Red Hat Security
Response Team has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/156689
* Red Hat: 2012:0085-01: thunderbird: Critical Advisory (Feb 1)
-------------------------------------------------------------
An updated thunderbird package that fixes two security issues is now
available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security
Response Team has rated this update as having critical [More...]
http://www.linuxsecurity.com/content/view/156684
* Red Hat: 2012:0084-01: seamonkey: Critical Advisory (Feb 1)
-----------------------------------------------------------
Updated seamonkey packages that fix two security issues are now
available for Red Hat Enterprise Linux 4. The Red Hat Security
Response Team has rated this update as having critical [More...]
http://www.linuxsecurity.com/content/view/156685
* Red Hat: 2012:0079-01: firefox: Critical Advisory (Jan 31)
----------------------------------------------------------
Updated firefox packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat
Security Response Team has rated this update as having critical
[More...]
http://www.linuxsecurity.com/content/view/156683
* Red Hat: 2012:0080-01: thunderbird: Critical Advisory (Jan 31)
--------------------------------------------------------------
An updated thunderbird package that fixes multiple security issues is
now available for Red Hat Enterprise Linux 6. The Red Hat Security
Response Team has rated this update as having critical [More...]
http://www.linuxsecurity.com/content/view/156682
------------------------------------------------------------------------
* Ubuntu: 1354-1: usbmuxd vulnerability (Feb 1)
---------------------------------------------
usbmuxd could be made to crash or run programs if it received
specially crafted input.
http://www.linuxsecurity.com/content/view/156686
* Ubuntu: 1351-1: AccountsService vulnerability (Jan 31)
------------------------------------------------------
AccountsService could be made to overwrite files as the
administrator.
http://www.linuxsecurity.com/content/view/156679
* Ubuntu: 1349-1: X.Org vulnerability (Jan 26)
--------------------------------------------
X could be made to start by a user who lacked appropriate
permissions.
http://www.linuxsecurity.com/content/view/156654
* Ubuntu: 1348-1: ICU vulnerability (Jan 26)
------------------------------------------
ICU could be made to crash or run programs as your login if it opened
specially crafted data.
http://www.linuxsecurity.com/content/view/156649
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------