LinuxSecurity.com 		Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: February 10th, 2012
Linux Security Week: February 6th, 2012
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Advisory Watch: June 5th, 2009 Print E-mail
User Rating:      How can I rate this item?
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
Linux Advisory Watch This week, advisories were released for apr-util, cups, libapache-mod-jk, drupral, cyrus, mingw, pidgin, ocsinventory, maniadrive, php, ntp, opensc, freetype, acpid, freetype, libmodplug, gaim, rpmdrake, eggdrop, sudo, wireshark, and apache. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, Ubuntu, and Pardus.

Linux+DVD Magazine Our magazine is read by professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software. The majority of our readers is between 15 and 40 years old. They are interested in current news from the Linux world, upcoming projects etc.

In each issue you can find information concerning typical use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments.

LinuxSecurity.com Feature Extras:

Review: Googling Security: How Much Does Google Know About You - If I ask "How much do you know about Google?" You may not take even a second to respond. But if I may ask "How much does Google know about you"? You may instantly reply "Wait... what!? Do they!?" The book "Googling Security: How Much Does Google Know About You" by Greg Conti (Computer Science Professor at West Point) is the first book to reveal how Google's vast information stockpiles could be used against you or your business – and what you can do to protect yourself.

A Secure Nagios Server - Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

  EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
 

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/145668
  Debian: New apr-util packages fix several vulnerabilities (Jun 4)
 

http://www.linuxsecurity.com/content/view/149033
  Debian: New cups/cupsys packages fix denial of service (Jun 2)
 

http://www.linuxsecurity.com/content/view/149018
  Debian: New libapache-mod-jk packages fix information (Jun 2)
 

http://www.linuxsecurity.com/content/view/149017
  Debian: New Linux 2.6.26 packages fix several vulnerabilities (Jun 2)
 

http://www.linuxsecurity.com/content/view/149006
  Debian: New drupal6 packages fix insufficient input sanitising (Jun 1)
 

http://www.linuxsecurity.com/content/view/149003
  Debian: New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution (Jun 1)
 

http://www.linuxsecurity.com/content/view/149002
  Fedora 10 Update: mingw32-opensc-0.11.8-1.fc10 (Jun 2)
 

CVE-2009-1603 A minor update fixing security problem within pkcs11-tool command. http://www.opensc-project.org/pipermail/opensc- announce/2009-May/000025.html

http://www.linuxsecurity.com/content/view/149013
  Fedora 11 Update: mingw32-opensc-0.11.8-1.fc11 (Jun 2)
 

CVE-2009-1603 A minor update fixing security problem within pkcs11-tool command. http://www.opensc-project.org/pipermail/opensc- announce/2009-May/000025.html OpenSC is a package for for accessing smart card devices. Basic functionality (e.g. SELECT FILE, READ BINARY) should work on any ISO 7816-4 compatible smart card. Encryption and decryption using private keys on the smart card is possible with PKCS #15 compatible cards, such as the FINEID (Finnish Electronic IDentity) card. Swedish Posten eID cards have also been confirmed to work. This is the MinGW cross-compiled Windows library.

http://www.linuxsecurity.com/content/view/149014
  Fedora 10 Update: pidgin-2.5.6-1.fc10 (Jun 2)
 

This is a bugfix & security fix release of Pidgin. The full ChangeLog is available at http://developer.pidgin.im/wiki/ChangeLog Details of the security fixes included are available at http://www.pidgin.im/news/security/

http://www.linuxsecurity.com/content/view/149012
  Fedora 10 Update: ocsinventory-1.02.1-1.fc10 (Jun 2)
 

2 Security fixes - CVE-2009-1769 OCS Inventory NG: Authentication result varies for existent and non-existent users - SQL injection and Unauthenticated Arbitrary File Read Some Other minor bug fixes http://www.ocsinventory-ng. org/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=140&cntnt01returnid=64

http://www.linuxsecurity.com/content/view/149011
  Fedora 11 Update: ocsinventory-1.02.1-1.fc11 (Jun 2)
 

2 Security fixes - CVE-2009-1769 OCS Inventory NG: Authentication result varies for existent and non-existent users - SQL injection and Unauthenticated Arbitrary File Read Some Other minor bug fixes http://www.ocsinventory-ng. org/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=140&cntnt01returnid=64

http://www.linuxsecurity.com/content/view/149010
  Fedora 9 Update: ocsinventory-1.02.1-1.fc9 (Jun 2)
 

2 Security fixes - CVE-2009-1769 OCS Inventory NG: Authentication result varies for existent and non-existent users - SQL injection and Unauthenticated Arbitrary File Read Some Other minor bug fixes http://www.ocsinventory-ng. org/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=140&cntnt01returnid=64

http://www.linuxsecurity.com/content/view/149008
  Fedora 11 Update: pidgin-2.5.6-1.fc11 (Jun 2)
 

This is a bugfix & security fix release of Pidgin. The full ChangeLog is available at http://developer.pidgin.im/wiki/ChangeLog Details of the security fixes included are available at http://www.pidgin.im/news/security/

http://www.linuxsecurity.com/content/view/149009
  Fedora 9 Update: pidgin-2.5.6-1.fc9 (Jun 2)
 

This is a bugfix & security fix release of Pidgin. The full ChangeLog is available at http://developer.pidgin.im/wiki/ChangeLog Details of the security fixes included are available at http://www.pidgin.im/news/security/

http://www.linuxsecurity.com/content/view/149007
  Fedora 9 Update: maniadrive-1.2-13.fc9 (May 29)
 

Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557) A directory traversal flaw was found in PHP's ZipArchive::extractTo function. If PHP is used to extract a malicious ZIP archive, it could allow an attacker to write arbitrary files anywhere the PHP process has write permissions. (CVE-2008-5658) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the "background color" argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had "display_errors" enabled, a remote attacker able to set a specially-crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814) A flaw was found in the handling of the "mbstring.func_overload" configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A flaw was found in PHP's json_decode function. A remote attacker could use this flaw to create a specially-crafted string which could cause the PHP interpreter to crash while being decoded in a PHP script. (CVE-2009-1271) A flaw was found in the use of the uw-imap library by the PHP "imap" extension. This could cause the PHP interpreter to crash if the "imap" extension was used to read specially-crafted mail messages with long headers. (CVE-2008-2829) http://www.php.net/releases/5_2_7.php http://www.php.net/releases/5_2_8.php http://www.php.net/releases/5_2_9.php http://www.php.net/ChangeLog-5.php#5.2.9

http://www.linuxsecurity.com/content/view/148993
  Fedora 9 Update: php-5.2.9-2.fc9 (May 29)
 

Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557) A directory traversal flaw was found in PHP's ZipArchive::extractTo function. If PHP is used to extract a malicious ZIP archive, it could allow an attacker to write arbitrary files anywhere the PHP process has write permissions. (CVE-2008-5658) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the "background color" argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had "display_errors" enabled, a remote attacker able to set a specially-crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814) A flaw was found in the handling of the "mbstring.func_overload" configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A flaw was found in PHP's json_decode function. A remote attacker could use this flaw to create a specially-crafted string which could cause the PHP interpreter to crash while being decoded in a PHP script. (CVE-2009-1271) A flaw was found in the use of the uw-imap library by the PHP "imap" extension. This could cause the PHP interpreter to crash if the "imap" extension was used to read specially-crafted mail messages with long headers. (CVE-2008-2829) http://www.php.net/releases/5_2_7.php http://www.php.net/releases/5_2_8.php http://www.php.net/releases/5_2_9.php http://www.php.net/ChangeLog-5.php#5.2.9

http://www.linuxsecurity.com/content/view/148994
  Fedora 10 Update: maniadrive-1.2-13.fc10 (May 29)
 

Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557) A directory traversal flaw was found in PHP's ZipArchive::extractTo function. If PHP is used to extract a malicious ZIP archive, it could allow an attacker to write arbitrary files anywhere the PHP process has write permissions. (CVE-2008-5658) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the "background color" argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had "display_errors" enabled, a remote attacker able to set a specially-crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814) A flaw was found in the handling of the "mbstring.func_overload" configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A flaw was found in PHP's json_decode function. A remote attacker could use this flaw to create a specially-crafted string which could cause the PHP interpreter to crash while being decoded in a PHP script. (CVE-2009-1271) A flaw was found in the use of the uw-imap library by the PHP "imap" extension. This could cause the PHP interpreter to crash if the "imap" extension was used to read specially-crafted mail messages with long headers. (CVE-2008-2829) http://www.php.net/releases/5_2_7.php http://www.php.net/releases/5_2_8.php http://www.php.net/releases/5_2_9.php http://www.php.net/ChangeLog-5.php#5.2.9

http://www.linuxsecurity.com/content/view/148991
  Fedora 10 Update: php-5.2.9-2.fc10 (May 29)
 

Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-5557) A directory traversal flaw was found in PHP's ZipArchive::extractTo function. If PHP is used to extract a malicious ZIP archive, it could allow an attacker to write arbitrary files anywhere the PHP process has write permissions. (CVE-2008-5658) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the "background color" argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had "display_errors" enabled, a remote attacker able to set a specially-crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814) A flaw was found in the handling of the "mbstring.func_overload" configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A flaw was found in PHP's json_decode function. A remote attacker could use this flaw to create a specially-crafted string which could cause the PHP interpreter to crash while being decoded in a PHP script. (CVE-2009-1271) A flaw was found in the use of the uw-imap library by the PHP "imap" extension. This could cause the PHP interpreter to crash if the "imap" extension was used to read specially-crafted mail messages with long headers. (CVE-2008-2829) http://www.php.net/releases/5_2_7.php http://www.php.net/releases/5_2_8.php http://www.php.net/releases/5_2_9.php http://www.php.net/ChangeLog-5.php#5.2.9

http://www.linuxsecurity.com/content/view/148992
  Fedora 9 Update: ntp-4.2.4p7-1.fc9 (May 29)
 

This update fixes a denial of service issue if autokey is enabled (default is disabled) and a crash in ntpq.

http://www.linuxsecurity.com/content/view/148990
  Fedora 9 Update: opensc-0.11.8-1.fc9 (May 29)
 

A minor update fixing security problem within pkcs11-tool command. http://www .opensc-project.org/pipermail/opensc-announce/2009-May/000025.html

http://www.linuxsecurity.com/content/view/148989
  Fedora 10 Update: opensc-0.11.8-1.fc10 (May 29)
 

A minor update fixing security problem within pkcs11-tool command. http://www .opensc-project.org/pipermail/opensc-announce/2009-May/000025.html

http://www.linuxsecurity.com/content/view/148988
  Fedora 10 Update: ntp-4.2.4p7-1.fc10 (May 29)
 

This update fixes a denial of service issue if autokey is enabled (default is disabled) and a crash in ntpq.

http://www.linuxsecurity.com/content/view/148987
  Fedora 11 Update: opensc-0.11.8-1.fc11 (May 29)
 

A minor update fixing security problem within pkcs11-tool command. http://www .opensc-project.org/pipermail/opensc-announce/2009-May/000025.html

http://www.linuxsecurity.com/content/view/148986
  Fedora 11 Update: freetype1-1.4-0.8.pre.fc11 (May 28)
 

Port of freetype2 security fixes

http://www.linuxsecurity.com/content/view/148978
  Fedora 9 Update: acpid-1.0.6-8.fc9 (May 28)
 

Fixed CVE-2009-0798 (too many open files DoS)

http://www.linuxsecurity.com/content/view/148977
  Fedora 10 Update: acpid-1.0.6-11.fc10 (May 28)
 

Fixed CVE-2009-0798 (too many open files DoS)

http://www.linuxsecurity.com/content/view/148976
  Fedora 9 Update: eggdrop-1.6.19-4.fc9 (May 28)
 

mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this issue exists because of an incorrect fix for CVE-2007-2807. The current remote denial of service is tracked as CVE-2009-1789.

http://www.linuxsecurity.com/content/view/148974
  Fedora 10 Update: eggdrop-1.6.19-4.fc10 (May 28)
 

mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this issue exists because of an incorrect fix for CVE-2007-2807. The current remote denial of service is tracked as CVE-2009-1789.

http://www.linuxsecurity.com/content/view/148975
  Fedora 10 Update: freetype1-1.4-0.8.pre.fc10 (May 28)
 

Port of freetype2 security fixes

http://www.linuxsecurity.com/content/view/148973
  Gentoo: Asterisk Multiple (May 30)
 

Multiple vulnerabilities have been found in Asterisk allowing for Denial of Service and username disclosure.

http://www.linuxsecurity.com/content/view/148996
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:128 ] libmodplug (Jun 4)
 

Multiple security vulnerabilities has been identified and fixed in libmodplug: Integer overflow in the CSoundFile::ReadMed function (src/load_med.cpp) in libmodplug before 0.8.6, as used in gstreamer-plugins and other products, allows context-dependent attackers to execute arbitrary code via a MED file with a crafted (1) song comment or (2) song name, which triggers a heap-based buffer overflow (CVE-2009-1438). Buffer overflow in the PATinst function in src/load_pat.cpp in libmodplug before 0.8.7 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long instrument name (CVE-2009-1513). The updated packages have been patched to prevent this.

http://www.linuxsecurity.com/content/view/149032
  Mandriva: Subject: [Security Announce] [ MDVA-2009:089 ] openssl (Jun 4)
 

This update fixes a build problem with openssl-0.9.7g-2.8.20060mlcs4 on Corporate Server 4.

http://www.linuxsecurity.com/content/view/149031
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:127 ] gaim (Jun 3)
 

It was discovered that Gaim did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2008-2927)

http://www.linuxsecurity.com/content/view/149026
  Mandriva: Subject: [Security Announce] [ MDVA-2009:088 ] rpmdrake (Jun 3)
 

This update fixes one issues with MandrivaUpdate: in previous update, a fix wrongly break the displaying of update descriptions & reasons.

http://www.linuxsecurity.com/content/view/149021
  Mandriva: Subject: [Security Announce] [ MDVA-2009:087 ] mandriva-kde4-config (Jun 3)
 

This update introduces the kde4 artwork for the upcoming Mandriva 2009 Spring Flash version.

http://www.linuxsecurity.com/content/view/149020
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:126 ] eggdrop (Jun 1)
 

mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this issue exists because of an incorrect fix for CVE-2007-2807 (CVE-2009-1789).

http://www.linuxsecurity.com/content/view/149005
  Mandriva: Subject: [Security Announce] [ MDVA-2009:086 ] sudo (May 31)
 

The version of sudo shipped with 2009.1 has an incorrect path to /etc/ldap.conf compiled in. This means that users who have their sudo config supplied by their ldap server will find their rules no longer apply. This updated package uses the correct /etc/ldap.conf file. See http://www.sudo.ws/sudo/readme_ldap.html for more information on configuring sudo with ldap.

http://www.linuxsecurity.com/content/view/148999
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:125 ] wireshark (May 31)
 

A vulnerability has been identified and corrected in wireshark: o Unspecified vulnerability in the PCNFSD dissector in Wireshark 0.8.20 through 1.0.7 allows remote attackers to cause a denial of service (crash) via crafted PCNFSD packets (CVE-2009-1829). This update provides Wireshark 1.0.8, which is not vulnerable to this issue.

http://www.linuxsecurity.com/content/view/148998
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:124 ] apache (May 31)
 

Multiple vulnerabilities has been found and corrected in apache: Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm (CVE-2008-1678). Note that this security issue does not really apply as zlib compression is not enabled in the openssl build provided by Mandriva, but apache is patched to address this issue anyway (conserns 2008.1 only). Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this security issue was initially addressed with MDVSA-2008:195 but the patch fixing the issue was added but not applied in 2009.0. The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file (CVE-2009-1195). This update provides fixes for these vulnerabilities.

http://www.linuxsecurity.com/content/view/148997
  Mandriva: Subject: [Security Announce] [ MDVA-2009:076-1 ] kdelibs (May 29)
 

On Mandriva Linux 2009.0, installing a KDE3 package wouldn't automatically install the locales package for the system's language. This update fixes the issue.

Update:

On the previous kdelibs update we added a require on kde-i18n. After some discussion it appears that adding a suggests is a better choice. This also fixes the update, which would not work via MandrivaUpdate.

http://www.linuxsecurity.com/content/view/148985
  Mandriva: Subject: [Security Announce] [ MDVA-2009:085 ] mesa (May 28)
 

A bug in mesa would cause hardware accelerated yuv conversion to fail, resulting in videos being displayed with wrong colors while using a gl video output driver. This update fixes this issue.

http://www.linuxsecurity.com/content/view/148979
  RedHat: Important: cups security update (Jun 3)
 

Updated cups packages that fix one security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/149027
  RedHat: Important: kernel-rt security and bug fix update (Jun 3)
 

Updated kernel-rt packages that fix several security issues and various bugs are now available for Red Hat Enterprise MRG 1.1.3. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/149028
  RedHat: Important: cups security update (Jun 3)
 

Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/149029
  RedHat: Important: kernel security and bug fix update (Jun 2)
 

Updated kernel packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 4.7 Extended Update Support. This update has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/149015
  RedHat: Low: Red Hat Enterprise Linux 2.1 - End Of Life (Jun 1)
 

This is the End Of Life notification for Red Hat Enterprise Linux 2.1.

http://www.linuxsecurity.com/content/view/149000
  Slackware: ntp (Jun 4)
 

New ntp packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix security issues. More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252

http://www.linuxsecurity.com/content/view/149030
  Ubuntu: Pidgin vulnerabilities (Jun 3)
 

It was discovered that Pidgin did not properly handle certain malformed messages when sending a file using the XMPP protocol handler. If a user were tricked into sending a file, a remote attacker could send a specially crafted response and cause Pidgin to crash, or possibly execute arbitrary code with user privileges. (CVE-2009-1373) It was discovered that Pidgin did not properly handle certain malformed messages in the QQ protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash. This issue only affected Ubuntu 8.10 and 9.04. (CVE-2009-1374) It was discovered that Pidgin did not properly handle certain malformed messages in the XMPP and Sametime protocol handlers. A remote attacker could send a specially crafted message and cause Pidgin to crash. (CVE-2009-1375) It was discovered that Pidgin did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2009-1376)

http://www.linuxsecurity.com/content/view/149023
  Ubuntu: Gaim vulnerabilities (Jun 3)
 

It was discovered that Gaim did not properly handle certain malformed messages when sending a file using the XMPP protocol handler. If a user were tricked into sending a file, a remote attacker could send a specially crafted response and cause Gaim to crash, or possibly execute arbitrary code with user privileges. (CVE-2009-1373) It was discovered that Gaim did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2009-1376)

http://www.linuxsecurity.com/content/view/149024
  Ubuntu: CUPS vulnerability (Jun 3)
 

Anibal Sacco discovered that CUPS did not properly handle certain network operations. A remote attacker could exploit this flaw and cause the CUPS server to crash, resulting in a denial of service.

http://www.linuxsecurity.com/content/view/149025
  Pardus: Libsndfile: Multiple (Jun 3)
 

exploited by malicious people to cause a DoS (Denial of Service).

http://www.linuxsecurity.com/content/view/149019

Only registered users can write comments.
Please login or register.

Powered by AkoComment!
 
< Prev   Next >
    
Partner

 
Latest Features
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Using the sec-wall Security Proxy
sec-wall: Open Source Security Proxy
Yesterday's Edition
Hackers Hit Apple Supplier Foxconn, Leak Usernames And Passwords
Hackers Mug Google's Wallet App on Rooted Android Devices
Google Chrome will no longer check for revoked SSL certificates online
Have Your Users' Passwords Already Been Hacked?
DDoS Tools Flourish, Give Attackers Many Options
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2012 Guardian Digital, Inc. All rights reserved.