In each issue you can find information concerning typical use of Linux: safety,
databases, multimedia, scientific tools, entertainment, programming, e-mail,
news and desktop environments.
| |
EnGarde Secure Community 3.0.22 Now Available! (Dec 9) |
| |
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. http://www.linuxsecurity.com/content/view/145668
|
|
|
| |
Debian: New wireshark packages fix several vulnerabilities (May 1) |
| |
http://www.linuxsecurity.com/content/view/148762
|
| |
Debian: New freetype packages fix arbitrary code execution (Apr 30) |
| |
http://www.linuxsecurity.com/content/view/148750
|
| |
Debian: New mysql-dfsg-5.0 packages fix multiple vulnerabilities (Apr 29) |
| |
http://www.linuxsecurity.com/content/view/148746
|
| |
Debian: New mplayer packages fix arbitrary code execution (Apr 29) |
| |
http://www.linuxsecurity.com/content/view/148745
|
| |
Debian: New ffmpeg-debian packages fix arbitrary code execution (Apr 29) |
| |
http://www.linuxsecurity.com/content/view/148744
|
| |
Debian: New libdbd-pg-perl packages fix potential code execution (Apr 28) |
| |
http://www.linuxsecurity.com/content/view/148739
|
| |
Debian: New apt packages fix several vulnerabilities (Apr 26) |
| |
http://www.linuxsecurity.com/content/view/148675
|
|
|
| |
Fedora 10 Update: Miro-2.0.3-4.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148722
|
| |
Fedora 10 Update: gnome-web-photo-0.3-18.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148723
|
| |
Fedora 10 Update: google-gadgets-0.10.5-6.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148724
|
| |
Fedora 10 Update: kazehakase-0.5.6-4.fc10.2 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148725
|
| |
Fedora 10 Update: mozvoikko-0.9.5-10.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148726
|
| |
Fedora 10 Update: perl-Gtk2-MozEmbed-0.08-6.fc10.1 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148727
|
| |
Fedora 10 Update: mugshot-1.2.2-9.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148728
|
| |
Fedora 10 Update: pcmanx-gtk2-0.3.8-9.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148729
|
| |
Fedora 10 Update: yelp-2.24.0-9.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148730
|
| |
Fedora 10 Update: ruby-gnome2-0.18.1-5.fc10.2 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148731
|
| |
Fedora 10 Update: gnome-python2-extras-2.19.1-30.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148721
|
| |
Fedora 10 Update: epiphany-2.24.3-6.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148713
|
| |
Fedora 10 Update: firefox-3.0.10-1.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148714
|
| |
Fedora 10 Update: xulrunner-1.9.0.10-1.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148715
|
| |
Fedora 10 Update: epiphany-extensions-2.24.0-8.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148716
|
| |
Fedora 10 Update: blam-1.8.5-10.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148717
|
| |
Fedora 10 Update: gecko-sharp2-0.13-8.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148718
|
| |
Fedora 10 Update: galeon-2.0.7-10.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148719
|
| |
Fedora 10 Update: devhelp-0.22-8.fc10 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148720
|
| |
Fedora 9 Update: totem-2.23.2-16.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148712
|
| |
Fedora 9 Update: galeon-2.0.7-10.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148701
|
| |
Fedora 9 Update: evolution-rss-0.1.0-11.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148702
|
| |
Fedora 9 Update: devhelp-0.19.1-12.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148703
|
| |
Fedora 9 Update: gnome-web-photo-0.3-21.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148704
|
| |
Fedora 9 Update: gtkmozembedmm-1.4.2.cvs20060817-29.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148705
|
| |
Fedora 9 Update: mozvoikko-0.9.5-10.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148706
|
| |
Fedora 9 Update: kazehakase-0.5.6-4.fc9.2 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148707
|
| |
Fedora 9 Update: Miro-2.0.3-4.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148708
|
| |
Fedora 9 Update: ruby-gnome2-0.17.0-9.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148709
|
| |
Fedora 9 Update: mugshot-1.2.2-9.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148710
|
| |
Fedora 9 Update: yelp-2.22.1-12.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148711
|
| |
Fedora 9 Update: xulrunner-1.9.0.10-1.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148693
|
| |
Fedora 9 Update: firefox-3.0.10-1.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148694
|
| |
Fedora 9 Update: epiphany-2.22.2-11.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148695
|
| |
Fedora 9 Update: blam-1.8.5-9.fc9.1 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148696
|
| |
Fedora 9 Update: chmsee-1.0.1-12.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148697
|
| |
Fedora 9 Update: epiphany-extensions-2.22.1-11.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148698
|
| |
Fedora 9 Update: gnome-python2-extras-2.19.1-27.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148699
|
| |
Fedora 9 Update: google-gadgets-0.10.5-6.fc9 (Apr 27) |
| |
Update to Firefox 3.0.10 fixing one security issue: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10 Dependent packages rebuilt against new Firefox are also included in this update. Additional bugs fixed in other packages: - totem: Fix YouTube plugin following web site changes http://www.linuxsecurity.com/content/view/148700
|
| |
Fedora 9 Update: libmodplug-0.8.7-1.fc9 (Apr 27) |
| |
Update to 0.8.7: http://sourceforge.net/project/shownotes.php?group_id=1275&release_id=675660 http://sourceforge.net/project/shownotes.php?group_id=1275&release_id=677065 http://sourceforge.net/project/shownotes.php?group_id=1275&release_id=678622 http://www.linuxsecurity.com/content/view/148691
|
| |
Fedora 10 Update: libmodplug-0.8.7-1.fc10 (Apr 27) |
| |
Update to 0.8.7: http://sourceforge.net/project/shownotes.php?group_id=1275&release_id=675660 http://sourceforge.net/project/shownotes.php?group_id=1275&release_id=677065 http://sourceforge.net/project/shownotes.php?group_id=1275&release_id=678622 http://www.linuxsecurity.com/content/view/148692
|
| |
Fedora 10 Update: prewikka-0.9.14-2.fc10 (Apr 27) |
| |
The prewikka.conf file is world readable and contains the SQL database password used by prewikka. This update makes it readable only by the apache group. http://www.linuxsecurity.com/content/view/148686
|
| |
Fedora 9 Update: prewikka-0.9.14-2.fc9 (Apr 27) |
| |
The prewikka.conf file is world readable and contains the SQL database password used by prewikka. This update makes it readable only by the apache group. http://www.linuxsecurity.com/content/view/148685
|
|
|
| |
Mandriva: Subject: [Security Announce] [ MDVSA-2009:102 ] apache (May 1) |
| |
A vulnerability has been found and corrected in apache: mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request (CVE-2009-1191). This update provides fixes for that vulnerability. http://www.linuxsecurity.com/content/view/148761
|
| |
Mandriva: Subject: [Security Announce] [ MDVSA-2009:104 ] udev (Apr 30) |
| |
udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space (CVE-2009-1185). The updated packages have been patched to prevent this. http://www.linuxsecurity.com/content/view/148756
|
| |
Mandriva: Subject: [Security Announce] [ MDVSA-2009:103 ] udev (Apr 30) |
| |
Security vulnerabilities have been identified and fixed in udev. udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space (CVE-2009-1185). Buffer overflow in the util_path_encode function in udev/lib/libudev-util.c in udev before 1.4.1 allows local users to cause a denial of service (service outage) via vectors that trigger a call with crafted arguments (CVE-2009-1186). The updated packages have been patched to prevent this. http://www.linuxsecurity.com/content/view/148755
|
| |
Mandriva: Subject: [Security Announce] [ MDVA-2009:103 ] kernel (Apr 30) |
| |
Some problems were discovered and corrected in the Linux 2.6 kernel: a filesystem could become read-only in the event of an I/O retry or path failover of the VMware ESX Server's SAN or iSCSI storage. To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate http://www.linuxsecurity.com/content/view/148754
|
| |
Mandriva: Subject: [Security Announce] [ MDVA-2009:057 ] usermode (Apr 28) |
| |
A configuration error in usermode was preventing some Mandriva graphical tools requiring superuser privileges from being started correctly if the session was started from KDM. This update fixes this issue. http://www.linuxsecurity.com/content/view/148742
|
| |
Mandriva: Subject: [Security Announce] [ MDVSA-2009:101 ] xpdf (Apr 28) |
| |
Multiple buffer overflows in the JBIG2 decoder allow remote attackers to cause a denial of service (crash) via a crafted PDF file (CVE-2009-0146). Multiple integer overflows in the JBIG2 decoder allow remote attackers to cause a denial of service (crash) via a crafted PDF file (CVE-2009-0147). An integer overflow in the JBIG2 decoder has unspecified impact (CVE-2009-0165). A free of uninitialized memory flaw in the JBIG2 decoder allows remote attackers to cause a denial of service (crash) via a crafted PDF file (CVE-2009-0166). Multiple input validation flaws in the JBIG2 decoder allow remote attackers to execute arbitrary code via a crafted PDF file (CVE-2009-0800). An out-of-bounds read flaw in the JBIG2 decoder allows remote attackers to cause a denial of service (crash) via a crafted PDF file (CVE-2009-0799). An integer overflow in the JBIG2 decoder allows remote attackers to execute arbitrary code via a crafted PDF file (CVE-2009-1179). A free of invalid data flaw in the JBIG2 decoder allows remote attackers to execute arbitrary code via a crafted PDF (CVE-2009-1180). A NULL pointer dereference flaw in the JBIG2 decoder allows remote attackers to cause a denial of service (crash) via a crafted PDF file (CVE-2009-1181). Multiple buffer overflows in the JBIG2 MMR decoder allow remote attackers to cause a denial of service or to execute arbitrary code via a crafted PDF file (CVE-2009-1182, CVE-2009-1183). This update provides fixes for these vulnerabilities. http://www.linuxsecurity.com/content/view/148741
|
| |
Mandriva: Subject: [Security Announce] [ MDVSA-2009:099 ] openafs (Apr 27) |
| |
Multiple vulnerabilities have been found and corrected in openafs: The cache manager in the client in OpenAFS 1.0 through 1.4.8 and 1.5.0 through 1.5.58 on Linux allows remote attackers to cause a denial of service (system crash) via an RX response with a large error-code value that is interpreted as a pointer and dereferenced, related to use of the ERR_PTR macro (CVE-2009-1250). Heap-based buffer overflow in the cache manager in the client in OpenAFS 1.0 through 1.4.8 and 1.5.0 through 1.5.58 on Unix platforms allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via an RX response containing more data than specified in a request, related to use of XDR arrays (CVE-2009-1251). The updated packages have been patched to correct these issues. http://www.linuxsecurity.com/content/view/148690
|
| |
Mandriva: Subject: [Security Announce] [ MDVSA-2009:096-1 ] printer-drivers (Apr 27) |
| |
A buffer underflow in Ghostscript's CCITTFax decoding filter allows remote attackers to cause a denial of service and possibly to execute arbitrary code by using a crafted PDF file (CVE-2007-6725). Multiple integer overflows in Ghostscript's International Color Consortium Format Library (icclib) allow attackers to cause a denial of service (heap-based buffer overflow and application crash) and possibly execute arbitrary code by using either a PostScript or PDF file with crafted embedded images (CVE-2009-0583, CVE-2009-0584). Multiple integer overflows in Ghostscript's International Color Consortium Format Library (icclib) allow attackers to cause a denial of service (heap-based buffer overflow and application crash) and possibly execute arbitrary code by using either a PostScript or PDF file with crafted embedded images. Note: this issue exists because of an incomplete fix for CVE-2009-0583 (CVE-2009-0792). This update provides fixes for these vulnerabilities.
Update:
The previous update shipped with a wrong required version of perl-base in the foomatic-db-engine package. It is fixed in this update. http://www.linuxsecurity.com/content/view/148683
|
| |
Mandriva: Subject: [Security Announce] [ MDVA-2009:056 ] x11-driver-video-intel (Apr 27) |
| |
The intel driver shipped with 2009.0 had problems when dealing with some Intel x4500MHD graphics chips like those found on Sony Vaio FW series laptops. This package includes an upstream fix for this issue. http://www.linuxsecurity.com/content/view/148682
|
| |
Mandriva: Subject: [Security Announce] [ MDVSA-2009:098 ] krb5 (Apr 27) |
| |
Multiple vulnerabilities have been found and corrected in krb5: The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read (CVE-2009-0844). The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer (CVE-2009-0846). The asn1buf_imbed function in the ASN.1 decoder in MIT Kerberos 5 (aka krb5) 1.6.3, when PK-INIT is used, allows remote attackers to cause a denial of service (application crash) via a crafted length value that triggers an erroneous malloc call, related to incorrect calculations with pointer arithmetic (CVE-2009-0847). The updated packages have been patched to correct these issues.
Update:
krb5 packages for Mandriva Linux Corporate Server 3 and 4 are not affected by CVE-2009-0844 and CVE-2009-0845. http://www.linuxsecurity.com/content/view/148681
|
|
|
| |
RedHat: Moderate: libwmf security update (Apr 30) |
| |
Updated libwmf packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/148751
|
| |
RedHat: Important: gpdf security update (Apr 30) |
| |
An updated gpdf package that fixes multiple security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/148752
|
| |
RedHat: Important: kernel security and bug fix update (Apr 30) |
| |
Updated kernel packages that fix several security issues and various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/148753
|
| |
RedHat: Important: kernel-rt security and bug fix update (Apr 29) |
| |
Updated kernel-rt packages that fix several security issues and a bug are now available for Red Hat Enterprise MRG 1.1.2. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/148747
|
| |
RedHat: Critical: firefox security update (Apr 27) |
| |
Updated firefox packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/148684
|
|
|
| |
Slackware: ruby (May 1) |
| |
New ruby packages are available for Slackware 11.0, 12.0, 12.1, 12.2, and -current to fix a problem with REXML and other security issues. For details about the REXML issue, see: http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ A full list may be found in the ChangeLog file included with the source code. http://www.linuxsecurity.com/content/view/148757
|
| |
Slackware: mozilla-firefox (Apr 28) |
| |
New mozilla-firefox packages are available for Slackware 12.2 and -current to fix security issues. The updated packages may also be used with Slackware 11.0 or newer.
More details about the issues may be found on the Mozilla website: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html http://www.linuxsecurity.com/content/view/148743
|
| |
Slackware: cups (Apr 26) |
| |
New cups packages are available for Slackware 12.0, 12.1, 12.2, and -current to fix security issues. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0163 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0164 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166 http://www.linuxsecurity.com/content/view/148676
|
| |
Slackware: bitchx EOLed in Slackware (Apr 26) |
| |
This is a notice that bitchx, an IRC client based on ircii-EPIC4, has been removed from Slackware -current and will not be part of future Slackware releases. Security issues and bugs have been reported, but upstream work seems to have stalled, leaving bitchx in a state where there are known problems without official (or in some cases any) fixes. The most secure course of action is to remove bitchx from the system and switch to using a supported IRC client. We have not compiled a complete list of open issues in BitchX, but here are a few that we know about:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3360
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4584
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5839
Package removal instructions:
Remove the package as root:
    # removepkg bitchx
Some admins may also want to add a symlink to another console IRC client such as irssi to help users migrate:
    cd /usr/bin
    ln -sf irssi BitchX
Slackware Linux Security Team http://slackware.com/gpg-key http://www.linuxsecurity.com/content/view/148677
|
|
|
| |
Ubuntu: PHP vulnerabilities (Apr 27) |
| |
USN-761-1 fixed vulnerabilities in PHP. This update provides the corresponding updates for Ubuntu 9.04. Original advisory details: It was discovered that PHP did not sanitize certain error messages when display_errors is enabled, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. (CVE-2008-5814) It was discovered that PHP did not properly handle certain malformed strings when being parsed by the json_decode function. A remote attacker could exploit this flaw and cause the PHP server to crash, resulting in a denial of service. This issue only affected Ubuntu 8.04 and 8.10. (CVE-2009-1271) http://www.linuxsecurity.com/content/view/148687
|
| |
Ubuntu: acpid vulnerability (Apr 27) |
| |
It was discovered that acpid did not properly handle a large number of connections. A local user could exploit this and monopolize CPU resources, leading to a denial of service. http://www.linuxsecurity.com/content/view/148688
|
| |
Ubuntu: FreeType vulnerability (Apr 27) |
| |
Tavis Ormandy discovered that FreeType did not correctly handle certain large values in font files. If a user were tricked into using a specially crafted font file, a remote attacker could execute arbitrary code with user privileges. http://www.linuxsecurity.com/content/view/148689
|
|
|
| |
Pardus: Libmodplug: Buffer Overflow (May 1) |
| |
A vulnerability has been reported in libmodplug, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library. http://www.linuxsecurity.com/content/view/148760
|
| |
Pardus: Poppler: Multiple Vulnerabilities (May 1) |
| |
Multiple vulnerabilities have been reported in Poppler, which can be exploited by malicious people to cause a DoS (Denial of Service). http://www.linuxsecurity.com/content/view/148759
|
| |
Pardus: Ghostscript: Multiple (May 1) |
| |
Some vulnerabilities have been reported in Ghostscript which can be exploited by malicious people to potentially compromise a user's system. http://www.linuxsecurity.com/content/view/148758
|
| |
Pardus: Udev: Multiple Vulnerabilities (Apr 28) |
| |
Some vulnerabilities have been reported in udev, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges. http://www.linuxsecurity.com/content/view/148736
|
| |
Pardus: Zsh: Denial of Service (Apr 28) |
| |
A stack-based buffer overflow was found in the zsh command interpreter. http://www.linuxsecurity.com/content/view/148733
|
| |
Pardus: mpg123: Signedness Vulnerability (Apr 28) |
| |
A vulnerability has been reported in mpg123, which can be exploited by malicious people to potentially compromise a user's system. http://www.linuxsecurity.com/content/view/148734
|
| |
Pardus: Libmodplug: Integer Overflow (Apr 28) |
| |
A vulnerability has been reported in libmodplug, which can be exploited by malicious people to compromise an application using the library. http://www.linuxsecurity.com/content/view/148735
|
| |
Pardus: ICU: Security Bypass (Apr 28) |
| |
A vulnerability has been reported in International Components for Unicode, which can be exploited by malicious people to bypass certain security restrictions. http://www.linuxsecurity.com/content/view/148732
|