In each issue you can find information concerning typical use of Linux: safety,
databases, multimedia, scientific tools, entertainment, programming, e-mail,
news and desktop environments.
| |
EnGarde Secure Community 3.0.22 Now Available! (Dec 9) |
| |
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. http://www.linuxsecurity.com/content/view/145668
|
|
|
| |
Debian: New xulrunner packages fix several vulnerabilities (Jan 14) |
| |
Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems... http://www.linuxsecurity.com/content/view/147167
|
| |
Debian: New bind9 packages fix cryptographic weakness (Jan 12) |
| |
It was discovered that BIND, an implementation of the DNS protocol suite, does not properly check the result of an OpenSSL function which is used to verify DSA cryptographic signatures. As a result, incorrect DNS resource records in zones protected by DNSSEC could be accepted as genuine. http://www.linuxsecurity.com/content/view/147140
|
| |
Debian: New ntp packages fix cryptographic weakness (Jan 12) |
| |
It has been discovered that NTP, an implementation of the Network Time Protocol, does not properly check the result of an OpenSSL function for verifying cryptographic signatures, which may ultimately lead to the acceptance of unauthenticated time information. (Note that cryptographic authentication of time servers is often not enabled in the first place.) http://www.linuxsecurity.com/content/view/147139
|
| |
Debian: New OpenSSL packages fix cryptographic weakness (Jan 12) |
| |
It was discovered that OpenSSL does not properly verify DSA signatures on X.509 certificates due to an API misuse, potentially leading to the acceptance of incorrect X.509 certificates as genuine (CVE-2008-5077). http://www.linuxsecurity.com/content/view/147138
|
| |
Debian: New lasso packages fix validation bypass (Jan 11) |
| |
It was discovered that Lasso, a library for Liberty Alliance and SAML protocols performs incorrect validation of the return value of OpenSSL's DSA_verify() function. http://www.linuxsecurity.com/content/view/147130
|
| |
Debian: New zaptel packages fix privilege escalation (Jan 11) |
| |
An array index error in zaptel, a set of drivers for telephony hardware, could allow users to crash the system or escalate their privileges by overwriting kernel memory (CVE-2008-5396). http://www.linuxsecurity.com/content/view/147127
|
| |
Debian: New gforge packages fix SQL injection (Jan 9) |
| |
It was discovered that GForge, a collaborative development tool, insufficiently sanitises some input allowing a remote attacker to perform SQL injection. http://www.linuxsecurity.com/content/view/147118
|
|
|
| |
Fedora 9 Update: tqsllib-2.0-5.fc9 (Jan 14) |
| |
The TrustedQSL library incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. Package includes a patch to fix EVP_VerifyFinal result check. http://www.linuxsecurity.com/content/view/147350
|
| |
Fedora 10 Update: amarok-2.0.1.1-1.fc10 (Jan 14) |
| |
An update to the latest release, includes new features such as queuing, playlist search and filtering as well as "stop after current track". And, long awaited and finally available: sorting the collection by composer. Also includes a security fix concerning the parsing of malformed Audible digital audio files. For further details, see http://amarok.kde.org/en/releases/2.0.1.1 http://www.linuxsecurity.com/content/view/147354
|
| |
Fedora 9 Update: xine-lib-1.1.16-1.fc9.1 (Jan 14) |
| |
This updates xine-lib to the upstream 1.1.16 release. This fixes several bugs, including the security issues CVE-2008-5234 vector 1, CVE-2008-5236, CVE-2008-5237, CVE-2008-5239, CVE-2008-5240 vectors 3 & 4 and CVE-2008-5243. See http://sourceforge.net/project/shownotes.php?release_id=652075&group_id=9655 for the full list of changes. In addition, the Fedora xine-lib package now includes the demuxers for the MPEG container format, which are not patent- encumbered. (The decoders for actual MPEG video and audio data are still excluded due to software patents.) http://www.linuxsecurity.com/content/view/147348
|
| |
Fedora 9 Update: nfs-utils-1.1.2-9.fc9 (Jan 14) |
| |
- Added warnings to tcp wrapper code when mounts are denied due to misconfigured DNS configurations. - gssd: By default, don't spam syslog when users' credentials expire Re-enabled and fixed/enhanced tcp wrappers. http://www.linuxsecurity.com/content/view/147320
|
| |
Fedora 10 Update: xine-lib-1.1.16-1.fc10 (Jan 14) |
| |
This updates xine-lib to the upstream 1.1.16 release. This fixes several bugs, including the security issues CVE-2008-5234 vector 1, CVE-2008-5236, CVE-2008-5237, CVE-2008-5239, CVE-2008-5240 vectors 3 & 4 and CVE-2008-5243. See http://sourceforge.net/project/shownotes.php?release_id=652075&group_id=9655 for the full list of changes. In addition, the Fedora xine-lib package now includes the demuxers for the MPEG container format, which are not patent- encumbered. (The decoders for actual MPEG video and audio data are still excluded due to software patents.) http://www.linuxsecurity.com/content/view/147297
|
| |
Fedora 10 Update: bind-9.5.1-1.P1.fc10 (Jan 14) |
| |
Update to 9.5.1-P1 maintenance release which fixes CVE-2009-0025. This update also address following issues: - sample config file was outdated - specifying a fixed query source was broken http://www.linuxsecurity.com/content/view/147268
|
| |
Fedora 10 Update: tqsllib-2.0-5.fc10 (Jan 14) |
| |
The TrustedQSL library incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. Package includes a patch to fix EVP_VerifyFinal result check. http://www.linuxsecurity.com/content/view/147228
|
| |
Fedora 9 Update: bind-9.5.1-1.P1.fc9 (Jan 14) |
| |
Update to 9.5.1-P1 maintenance release which includes fix for CVE-2009-0025. This update also fixes rare crash of host utility. http://www.linuxsecurity.com/content/view/147188
|
| |
Fedora 10 Update: nfs-utils-1.1.4-6.fc10 (Jan 14) |
| |
Added warnings to tcp wrapper code when mounts are denied due to misconfigured DNS configurations. gssd: By default, don't spam syslog when users' credentials expire http://www.linuxsecurity.com/content/view/147171
|
|
|
| |
Gentoo: Avahi Denial of Service (Jan 14) |
| |
A Denial of Service vulnerability has been discovered in Avahi. http://www.linuxsecurity.com/content/view/147168
|
| |
Gentoo: Adobe Reader User-assisted execution of arbitrary code (Jan 13) |
| |
Adobe Reader is vulnerable to execution of arbitrary code. http://www.linuxsecurity.com/content/view/147144
|
| |
Gentoo: Online-Bookmarks Multiple vulnerabilities (Jan 12) |
| |
Multiple vulnerabilities have been reported in Online-Bookmarks. http://www.linuxsecurity.com/content/view/147141
|
| |
Gentoo: MPlayer Multiple vulnerabilities (Jan 12) |
| |
Multiple vulnerabilities in MPlayer may lead to the execution of arbitrary code or a Denial of Service. http://www.linuxsecurity.com/content/view/147137
|
| |
Gentoo: JHead Multiple vulnerabilities (Jan 12) |
| |
Multiple vulnerabilities in JHead might lead to the execution of arbitrary code or data loss. http://www.linuxsecurity.com/content/view/147136
|
| |
Gentoo: Tremulous User-assisted execution of arbitrary (Jan 11) |
| |
A buffer overflow vulnerability has been discovered in Tremulous. http://www.linuxsecurity.com/content/view/147129
|
| |
Gentoo: Streamripper Multiple vulnerabilities (Jan 11) |
| |
Multiple buffer overflows have been discovered in Streamripper, allowing for user-assisted execution of arbitrary code. http://www.linuxsecurity.com/content/view/147128
|
| |
Gentoo: D-Bus Denial of Service (Jan 10) |
| |
An error condition can cause D-Bus to crash. http://www.linuxsecurity.com/content/view/147126
|
| |
Gentoo: pdnsd Denial of Service and cache poisoning (Jan 10) |
| |
Two errors in pdnsd allow for Denial of Service and cache poisoning. http://www.linuxsecurity.com/content/view/147125
|
| |
Gentoo: JHead Multiple vulnerabilities (Jan 10) |
| |
Multiple vulnerabilities in JHead might lead to the execution of arbitrary code or data loss. http://www.linuxsecurity.com/content/view/147124
|
| |
Gentoo: NDISwrapper Arbitrary remote code execution (Jan 10) |
| |
Multiple buffer overflows might lead to remote execution of arbitrary code with root privileges. http://www.linuxsecurity.com/content/view/147123
|
|
|
| |
Mandriva: [ MDVSA-2009:011 ] virtualbox (Jan 14) |
| |
A vulnerability have been discovered and corrected in VirtualBox, affecting versions prior to 2.0.6, which allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.vbox-qateam-ipc/lock temporary file (CVE-2008-5256). The updated packages have been patched to prevent this. http://www.linuxsecurity.com/content/view/147169
|
| |
Mandriva: [ MDVSA-2009:010 ] qemu (Jan 14) |
| |
A security vulnerability have been discovered and corrected in VNC server of qemu 0.9.1 and earlier, which could lead to a denial-of-service attack (CVE-2008-2382). The updated packages have been patched to prevent this. http://www.linuxsecurity.com/content/view/147155
|
| |
Mandriva: [ MDVSA-2009:009 ] kvm (Jan 14) |
| |
Security vulnerabilities have been discovered and corrected in VNC server of kvm version 79 and earlier, which could lead to denial-of-service attacks (CVE-2008-2382), and make it easier for remote crackers to guess the VNC password (CVE-2008-5714). The updated packages have been patched to prevent this. http://www.linuxsecurity.com/content/view/147154
|
| |
Mandriva: [ MDVSA-2009:008 ] qemu (Jan 14) |
| |
Security vulnerabilities have been discovered and corrected in VNC server of qemu version 0.9.1 and earlier, which could lead to denial-of-service attacks (CVE-2008-2382), and make it easier for remote crackers to guess the VNC password (CVE-2008-5714). The updated packages have been patched to prevent this. http://www.linuxsecurity.com/content/view/147153
|
| |
Mandriva: [ MDVSA-2009:007 ] ntp (Jan 13) |
| |
A flaw was found in how NTP checked the return value of signature verification. A remote attacker could use this to bypass certificate validation by using a malformed SSL/TLS signature (CVE-2009-0021). The updated packages have been patched to prevent this issue. http://www.linuxsecurity.com/content/view/147152
|
| |
Mandriva: [ MDVSA-2009:006 ] openoffice.org (Jan 13) |
| |
Heap-based overflow on functions to manipulate WMF and EMF files in OpenOffice.org documments enables remote attackers to execute arbitrary code on documments holding certain crafted either WMF or EMF files (CVE-2008-2237) (CVE-2008-2238). This update provide the fix for these security issues and further openoffice.org-voikko package has been updated as it depends on openoffice.org packages. http://www.linuxsecurity.com/content/view/147145
|
| |
Mandriva: [ MDVA-2009:010 ] bind (Jan 12) |
| |
A build issue with the BIND9 packages in Mandriva Linux 2009.0 prevents IPv6 from working correctly. This is due to POSIX not including the IPv6 Advanced Socket API, so glibc hides parts of this API as a result. The end result is a breakage in how IPv6 works. Compiling BIND9 with -D_GNU_SOURCE fixes this issue, and the updated packages use this additional flag. http://www.linuxsecurity.com/content/view/147142
|
| |
Mandriva: [ MDVSA-2009:005 ] xterm (Jan 11) |
| |
A vulnerability has been discovered in xterm, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to xterm not properly processing the DECRQSS Device Control Request Status String escape sequence. This can be exploited to inject and execute arbitrary shell commands by e.g. tricking a user into displaying a malicious text file containing a specially crafted escape sequence via the more command in xterm (CVE-2008-2383). The updated packages have been patched to prevent this. http://www.linuxsecurity.com/content/view/147131
|
| |
Mandriva: [ MDVSA-2009:002 ] bind (Jan 10) |
| |
A flaw was found in how BIND checked the return value of the OpenSSL DSA_do_verify() function. On systems that use DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, which would allow for spoofing attacks (CVE-2009-0025). The updated packages have been patched to prevent this issue. http://www.linuxsecurity.com/content/view/147122
|
| |
Mandriva: [ MDVSA-2009:004 ] pam_mount (Jan 9) |
| |
passwdehd script in pam_mount would allow local users to overwrite arbitrary files via a symlink attack on a temporary file. The updated packages have been patched to prevent this. http://www.linuxsecurity.com/content/view/147121
|
| |
Mandriva: [ MDVSA-2009:003 ] python (Jan 9) |
| |
Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679. (CVE-2008-4864)
Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315. (CVE-2008-5031) The updated Python packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/147120
|
| |
Mandriva: Subject: [Security Announce] [ MDVSA-2009:001 ] openssl (Jan 8) |
| |
A vulnerability was found by the Google Security Team with how OpenSSL checked the verification of certificates. An attacker in control of a malicious server or able to effect a man-in-the-middle attack, could present a malformed SSL/TLS signature from a certificate chain to a vulnerable client, which would then bypass the certificate validation (CVE-2008-5077). The updated packages have been patched to prevent this issue. http://www.linuxsecurity.com/content/view/147117
|
|
|
| |
RedHat: Important: kernel security and bug fix update (Jan 14) |
| |
Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/147166
|
| |
RedHat: Critical: java-1.6.0-ibm security update (Jan 13) |
| |
Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/147150
|
| |
RedHat: Critical: java-1.5.0-ibm security update (Jan 13) |
| |
Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/147151
|
| |
RedHat: Moderate: squirrelmail security update (Jan 12) |
| |
An updated squirrelmail package that resolves various security issues is now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/147133
|
| |
RedHat: Moderate: avahi security update (Jan 12) |
| |
Updated avahi packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/147134
|
| |
RedHat: Moderate: bind security update (Jan 8) |
| |
Updated Bind packages to correct a security issue are now available for Red Hat Enterprise Linux 2.1, 3, 4, and 5. A flaw was discovered in the way BIND checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks. (CVE-2009-0025) This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/147114
|
| |
RedHat: Important: kernel security update (Jan 8) |
| |
Updated kernel packages that fix a number of security issues are now available for Red Hat Enterprise Linux 2.1 running on 32-bit architectures. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/147112
|
|
|
| |
Slackware: ntp (Jan 15) |
| |
New ntp packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to a fix security issue. http://www.linuxsecurity.com/content/view/147388
|
| |
Slackware: openssl (Jan 15) |
| |
New openssl packages are available for Slackware 11.0, 12.0, 12.1, 12.2, and -current to fix a security issue when connecting to an SSL/TLS server that uses a certificate containing a DSA or ECDSA key. http://www.linuxsecurity.com/content/view/147389
|
| |
Slackware: bind (Jan 15) |
| |
New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a security issue. http://www.linuxsecurity.com/content/view/147387
|
|
|
| |
SuSE: Mozilla (SUSE-SA:2009:002) (Jan 14) |
| |
Various Mozilla browser suite programs were updated to the last ecurity release. The Mozilla Firefox 3.0.5 browser, Seamonkey 1.1.14 and xulrunner190 update were already published before Christmas, please see SUSE-SA:2008:058. Mozilla Firefox for older products was updated to 2.0.0.19 and Mozilla Thunderbird was updated to 2.0.0.19. Other packages received backports. http://www.linuxsecurity.com/content/view/147156
|
| |
SuSE: Sun Java (SUSE-SA:2009:001) (Jan 13) |
| |
Sun Java received several security fixes. Numerous security issues such as privilege escalations, and sandbox breakouts were fixed. http://www.linuxsecurity.com/content/view/147149
|
|
|
| |
Ubuntu: HPLIP vulnerability (Jan 13) |
| |
It was discovered that an installation script in the HPLIP package would change permissions on the hplip config files located in user's home directories. A local user could exploit this and change permissions on arbitrary files upon an HPLIP installation or upgrade, which could lead to root privileges. http://www.linuxsecurity.com/content/view/147148
|
| |
Ubuntu: CUPS vulnerabilities (Jan 12) |
| |
It was discovered that CUPS didn't properly handle adding a large number of RSS subscriptions. A local user could exploit this and cause CUPS to crash, leading to a denial of service. This issue only applied to Ubuntu 7.10, 8.04 LTS and 8.10. (CVE-2008-5183) It was discovered that CUPS did not authenticate users when adding and cancelling RSS subscriptions. An unprivileged local user could bypass intended restrictions and add a large number of RSS subscriptions. This issue only applied to Ubuntu 7.10 and 8.04 LTS. (CVE-2008-5184) It was discovered that the PNG filter in CUPS did not properly handle certain malformed images. If a user or automated system were tricked into opening a crafted PNG image file, a remote attacker could cause a denial of service or execute arbitrary code with user privileges. In Ubuntu 7.10, 8.04 LTS, and 8.10, attackers would be isolated by the AppArmor CUPS profile. (CVE-2008-5286) It was discovered that the example pstopdf CUPS filter created log files in an insecure way. Local users could exploit a race condition to create or overwrite files with the privileges of the user invoking the program. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5377) http://www.linuxsecurity.com/content/view/147135
|
|
|
| |
Pardus: Bind: Spoofing (Jan 14) |
| |
A vulnerability has been reported in ISC BIND, which potentially can be exploited by malicious people to conduct spoofing attacks. http://www.linuxsecurity.com/content/view/147163
|
| |
Pardus: Ntp: Security Bypass (Jan 14) |
| |
NTP does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. http://www.linuxsecurity.com/content/view/147164
|
| |
Pardus: audiofile: Heap Overflow (Jan 14) |
| |
There is a bug in libaudiofile when attempting to decode the file, libaudiofile writes past the buffer in msadpcm.c. http://www.linuxsecurity.com/content/view/147165
|
| |
Pardus: Openssl: Spoofing (Jan 14) |
| |
A vulnerability has been reported in OpenSSL, which can be exploited by malicious people to conduct spoofing attacks. http://www.linuxsecurity.com/content/view/147161
|
| |
Pardus: Valgrind: Untrusted Path (Jan 14) |
| |
Untrusted search path vulnerability in valgrind allows local users to execute arbitrary programs via a Trojan horse http://www.linuxsecurity.com/content/view/147162
|
| |
Pardus: Samba Security Bypass (Jan 8) |
| |
A security issue has been reported in Samba, which can be exploited by malicious users to bypass certain security restrictions. http://www.linuxsecurity.com/content/view/147113
|
Only registered users can write comments.
Please login or register.
