This week, advisories were released for phpmyadmin, bugzilla, trac, pdns,
openssh, firefox, netkit, openssh, graphcsmagick, gnuplot, ical, webmin, opensc,
bind, libpng, syslinux, pxelinux, doxygen, chromium, wireshark, php, nss_ldap,
elinks, ImageMagick, asterisk, texinfo, and avahi. The distributors include
Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, SuSE, and Ubuntu.
|
Debian |
|
Debian: New phpmyadmin packages fix several
vulnerabilities |
|
9th, November, 2006
The following CVEIDs are addressed: CVE-2006-1678 CVE-2006-2418 CVE-2005-3621
CVE-2005-3665 CVE-2006-5116
advisories/debian/debian-new-phpmyadmin-packages-fix-several-vulnerabilities-72435
|
|
|
Debian: New bugzilla packages fix several
vulnerabilities |
|
11th, November, 2006
Updated package.
advisories/debian/debian-new-bugzilla-packages-fix-several-vulnerabilities
|
|
|
Debian: New trac packages fix cross-site
request forgery |
|
12th, November, 2006
Updated package.
advisories/debian/debian-new-trac-packages-fix-cross-site-request-forgery-63409
|
|
|
Debian: New trac packages fix cross-site
request forgery |
|
13th, November, 2006
Updated package.
advisories/debian/debian-new-trac-packages-fix-cross-site-request-forgery-63409
|
|
|
Debian: New Mozilla Firefox packages
fix several vulnerabilities |
|
14th, November, 2006
Updated package.
advisories/debian/debian-new-mozilla-firefox-packages-fix-several-vulnerabilities-71271
|
|
|
Debian: New pdns packages fix arbitrary
code execution |
|
14th, November, 2006
Updated package.
advisories/debian/debian-new-pdns-packages-fix-arbitrary-code-execution
|
|
|
Debian: New openssh packages fix denial
of service |
|
15th, November, 2006
Two denial of service vulnerabilities have been found in the OpenSSH
server. CVE-2006-4924: The sshd support for ssh protcol version 1 does
not properly handle duplicate incoming blocks. This could allow a remote
attacker to cause sshd to consume significant CPU resources leading
to a denial of service. CVE-2006-5051: A signal handler race condition
could potentially allow a remote attacker to crash sshd and could theoretically
lead to the ability to execute arbitrary code.
advisories/debian/debian-new-openssh-packages-fix-denial-of-service
|
|
|
Fedora
|
|
Fedora Core 5 Update: firefox-1.5.0.8-1.fc5 |
|
9th, November, 2006
Mozilla Firefox is an open source Web browser. Several flaws were found
in the way Firefox processes certain malformed Javascript code. A malicious
web page could cause the execution of Javascript code in such a way
that could cause Firefox to crash or execute arbitrary code as the user
running Firefox. (CVE-2006-5463, CVE-2006-5747, CVE-2006-5748) Several
flaws were found in the way Firefox renders web pages. A malicious web
page could cause the browser to crash or possibly execute arbitrary
code as the user running Firefox. (CVE-2006-5464) Users of Firefox are
advised to upgrade to this update, which contains Firefox version 1.5.0.8
that corrects these issues.
advisories/fedora/fedora-core-5-update-firefox-1508-1fc5-12-16-00-125654
|
|
|
Fedora Extras [3 4 5 6 devel] / 1.2.1-2
[FE 3 4], 1.3.0-3 [FE 5 6 devel] |
|
9th, November, 2006
CVE IDs: CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify
the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a
user were tricked into viewing or processing a specially crafted image
with an application that uses imlib2, the flaws could be exploited to
execute arbitrary code with the user's privileges. Fedora Extras versions
earlier then the versions mentioned above are vulnerable to this problem,
upgrade to fix this vulnerability.
advisories/fedora/fedora-extras-3-4-5-6-devel-121-2-fe-3-4-130-3-fe-5-6-devel-12-16-00-125656
|
|
|
Gentoo |
|
Gentoo: Bugzilla Multiple Vulnerabilities |
|
9th, November, 2006
Bugzilla is vulnerable to cross-site scripting, script injection, and
request forgery.
|
|
|
Gentoo: Netkit FTP Server Privilege escalation |
|
10th, November, 2006
An incorrect seteuid() call could allow an FTP user to access some
files or directories that would normally be inaccessible.
|
|
|
Gentoo: OpenSSH Multiple Denial of Service
vulnerabilities |
|
13th, November, 2006
Several Denial of Service vulnerabilities have been identified in OpenSSH.
|
|
|
Gentoo: GraphicsMagick PALM and DCM buffer
overflows |
|
13th, November, 2006
GraphicsMagick improperly handles PALM and DCM images, potentially
resulting in the execution of arbitrary code.
|
|
|
Gentoo: RPM Buffer overflow |
|
13th, November, 2006
RPM is vulnerable to a buffer overflow and possibly the execution of
arbitrary code when opening specially crafted packages.
|
|
|
Mandriva |
|
Mandriva: Updated gnuplot package fixes
GUI crash |
|
9th, November, 2006
An error in gnuplot was causing it to fail with a segmentation fault
whenever the user attempted to produce a graphical plot via the default
'x11' term. The updated package corrects this error and allows graphical
plotting via X11.
|
|
|
Mandriva: Updated Firefox packages fix
multiple vulnerabilities |
|
9th, November, 2006
A number of security vulnerabilities have been discovered and corrected
in the latest Mozilla Firefox program, version 1.5.0.8. This update
provides the latest Firefox to correct these issues.
|
|
|
Mandriva: Updated desktop-common-data
and alacarte packages fix system menu issues |
|
9th, November, 2006
There were some problems with the menu system in Mandriva Linux 2007.
Some menu categories were not displayed or properly translated, and
editing the menus with the GNOME menu editor (alacarte) was not working.
This update fixes these problems.
|
|
|
Mandriva: Updated Thunderbird packages
fix multiple vulnerabilities |
|
9th, November, 2006
A number of security vulnerabilities have been discovered and corrected
in the latest Mozilla Thunderbird program, version 1.5.0.8. This update
provides the latest Thunderbird to correct these issues.
|
|
|
Mandriva: Updated ical package fixes |
|
10th, November, 2006
The Ical package in Mandriva Linux 2007 fails to run due to
old code that does not work with current versions of TCL. Additionally,
the application did not appear in the menu and the URL was obsolete. This
updated package fixes these issues.
|
|
|
Mandriva: Updated webmin to correct issues
with various modules. |
|
13th, November, 2006
For the Mandriva 2007.0 release, the webmin package received a patch
to the operating system detection code to cope with the Mandriva name
change. This patch unfortunately introduced a problem where many webmin
modules would no longer work, like cron, MySQL and many others.
|
|
|
Mandriva: Updated opensc packages fix
Oberthur smart card issues |
|
13th, November, 2006
Opensc is a library for accessing smart card devices. This update fixes
a problem which prevented Oberthur smart cards from being recognized
and used.
|
|
|
Mandriva: Updated bind packages fixes
RSA signature verification vulnerability |
|
14th, November, 2006
The BIND DNS server is vulnerable to the recently-discovered OpenSSL
RSA signature verification problem (CVE-2006-4339). BIND uses RSA cryptography
as part of its DNSSEC implementation. As a result, to resolve the security
issue, these packages need to be upgraded and for both KEY and DNSKEY
record types, new RSASHA1 and RSAMD5 keys need to be generated using
the "-e" option of dnssec-keygen, if the current keys were generated
using the default exponent of 3.
|
|
|
Mandriva: Updated openldap packages fixes
Bind vulnerability |
|
15th, November, 2006
An unspecified vulnerability in OpenLDAP allows remote attackers to
cause a denial of service (daemon crash) via a certain combination of
SASL Bind requests that triggers an assertion failure in libldap. Packages
have been patched to correct this issue.
|
|
|
Mandriva: Updated libpng packages fix
vulnerabilities |
|
16th, November, 2006
Buffer overflow in the png_decompress_chunk function in pngrutil.c
in libpng before 1.2.12 allows context-dependent attackers to cause
a denial of service and possibly execute arbitrary code via unspecified
vectors related to "chunk error processing," possibly involving the
"chunk_name".
|
|
|
Mandriva: Updated syslinux packages to
fix embedded libpng vulnerabilities |
|
16th, November, 2006
SYSLINUX is a boot loader for the Linux operating system which operates
off an MS-DOS/Windows FAT filesystem. It is built with a private copy
of libpng, and as such could be susceptible to some of the same vulnerabilities.
|
|
|
Mandriva: Updated pxelinux packages to
fix embedded libpng vulnerabilities |
|
16th, November, 2006
PXELINUX is a PXE bootloader. It is built with a private copy of libpng,
and as such could be susceptible to some of the same vulnerabilities.
|
|
|
Mandriva: Updated doxygen packages to
fix embedded libpng vulnerabilities |
|
16th, November, 2006
Doxygen is a documentation system for C, C++ and IDL. It is built with
a private copy of libpng, and as such could be susceptible to some of
the same vulnerabilities.
|
|
|
Mandriva: Updated chromium packages to
fix embedded libpng vulnerabilities |
|
16th, November, 2006
Chromium is an OpenGL-based shoot them up game with fine graphics.
It is built with a private copy of libpng, and as such could be susceptible
to some of the same vulnerabilities.
|
|
|
Red
Hat |
|
RedHat: Moderate: wireshark security
update |
|
9th, November, 2006
New Wireshark packages that fix various security vulnerabilities are
now available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.
advisories/red-hat/redhat-moderate-wireshark-security-update-RHSA-2008-0890-01
|
|
|
RedHat: Important: php security update |
|
10th, November, 2006
Updated PHP packages that fix a security issue are now available for
the Red Hat Application Stack. This update has been rated as having
important security impact by the Red Hat Security Response Team.
advisories/red-hat/redhat-important-php-security-update-98171
|
|
|
RedHat: Moderate: nss_ldap security update |
|
15th, November, 2006
Updated nss_ldap packages that fix a security flaw are now available
for Red Hat Enterprise Linux 4. This update has been rated as having
moderate security impact by the Red Hat Security Response Team.
advisories/red-hat/redhat-moderate-nssldap-security-update-RHSA-2006-0719-01
|
|
|
RedHat: Low: openssh security update |
|
15th, November, 2006
Updated openssh packages that fix an authentication flaw are now available
for Red Hat Enterprise Linux 3 and 4. This update has been rated as
having low security impact by the Red Hat Security Response Team.
advisories/red-hat/redhat-low-openssh-security-update-96847
|
|
|
RedHat: Critical: elinks security update |
|
15th, November, 2006
An updated elinks package that corrects a security vulnerability is
now available for Red Hat Enterprise Linux 4. This update has been rated
as having critical security impact by the Red Hat Security Response
Team.
advisories/red-hat/redhat-critical-elinks-security-update-RHSA-2006-0742-01
|
|
|
Slackware |
|
Slackware: firefox/thunderbird/seamonkey |
|
9th, November, 2006
New Firefox and Thunderbird packages are available for Slackware 10.2
and 11.0 to fix security issues. In addition, a new Seamonkey package
is available for Slackware 11.0 to fix similar issues.
|
|
|
SuSE |
|
SuSE: kernel (SUSE-SA:2006:064) |
|
10th, November, 2006
Updated package.
|
|
|
SuSE: ethereal (SUSE-SA:2006:065) |
|
14th, November, 2006
Updated package.
|
|
|
SuSE: ImageMagick (SUSE-SA:2006:066) |
|
14th, November, 2006
Updated package.
|
|
|
SuSE: php4,php5 (SUSE-SA:2006:067) |
|
15th, November, 2006
CVE-2006-5465: Various buffer overflows in htmlentities / htmlspecialchars
internal routines could be used to crash the PHP interpreter or potentially
execute code, depending on the PHP application used.
|
|
|
SuSE: Mozilla Firefox, Thunderbird, |
|
16th, November, 2006
The following CVEIDs are addresed by this vulnerability: CVE-2006-5464
CVE-2006-5747 CVE-2006-5748 CVE-2006-5462 CVE-2006-5463
|
|
|
SuSE: asterisk (SUSE-SA:2006:069) |
|
16th, November, 2006
Two security problem have been found and fixed in the PBX software
Asterisk. CVE-2006-5444: Integer overflow in the get_input function
in the Skinny channel driver (chan_skinny.c) as used by Cisco SCCP phones,
allows remote attackers to potentially execute arbitrary code via a
certain dlen value that passes a signed integer comparison and leads
to a heap-based buffer overflow. CVE-2006-5445: A vulnerability in the
SIP channel driver (channels/chan_sip.c) in Asterisk on SUSE Linux 10.1
allows remote attackers to cause a denial of service (resource consumption)
via unspecified vectors that result in the creation of "a real pvt structure"
that uses more resources than necessary.
|
|
|
SuSE: powerdns denial of service |
|
16th, November, 2006
Two security problems that have been found in PowerDNS are fixed by
this update: CVE-2006-4251: The PowerDNS Recursor can be made to crash
by sending malformed questions to it over TCP potentially executing
code. CVE-2006-4252: Zero second CNAME TTLs can make PowerDNS exhaust
allocated stack space and crash.
|
|
|
Ubuntu |
|
Ubuntu: texinfo vulnerability |
|
9th, November, 2006
Miloslav Trmac discovered a buffer overflow in texinfo's index processor.
If a user is tricked into processing a .texi file with texindex, this
could lead to arbitrary code execution with user privileges.
advisories/ubuntu/ubuntu-texinfo-vulnerability
|
|
|
Ubuntu: Avahi vulnerability |
|
10th, November, 2006
Steve Grubb discovered that netlink messages were not being checked
for their sender identity. This could lead to local users manipulating
the Avahi service.
advisories/ubuntu/ubuntu-avahi-vulnerability-89019
|
|