In each issue you can find information concerning typical use of Linux: safety,
databases, multimedia, scientific tools, entertainment, programming, e-mail,
news and desktop environments.
EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. http://www.linuxsecurity.com/content/view/145668

Debian: New xulrunner packages fix several vulnerabilities (Jun 18)
http://www.linuxsecurity.com/content/view/149177

Debian: New vlc packages fix several vulnerabilities (Jun 18)
http://www.linuxsecurity.com/content/view/149176

Debian: New gforge packages fix insufficient input sanitising (Jun 17)
http://www.linuxsecurity.com/content/view/149164

Debian: New ctorrent packages fix arbitrary code execution (Jun 17)
http://www.linuxsecurity.com/content/view/149162

Debian: New apache2 packages fix privilege escalation (Jun 16)
http://www.linuxsecurity.com/content/view/149151

Debian: New libtorrent-rasterbar packages fix denial of (Jun 14)
http://www.linuxsecurity.com/content/view/149085

Debian: New libsndfile packages fix arbitrary code execution (Jun 13)
http://www.linuxsecurity.com/content/view/149083

Fedora 9 Update: libpng-1.2.37-1.fc9 (Jun 18)
Update to libpng 1.2.37, to fix CVE-2009-2042. This is a pretty low-risk issue, but it's been classified as a security issue... http://www.linuxsecurity.com/content/view/149172

Fedora 11 Update: moin-1.8.4-1.fc11 (Jun 18)
This package updates Moin to 1.8.4; http://moinmo.in/MoinMoinRelease1.8 has a list of changes. This package includes a security fix for a hierarchical ACL vulnerability (hierarchical is not the default ACL mode); http://moinmo.in/SecurityFixes has the details of the fix. http://www.linuxsecurity.com/content/view/149171

Fedora 9 Update: moin-1.6.4-2.fc9 (Jun 18)
This update includes a security fix for a hierarchical ACL vulnerability (hierarchical is not the default ACL mode); http://moinmo.in/SecurityFixes has the details of the fix. http://www.linuxsecurity.com/content/view/149170

Fedora 10 Update: moin-1.6.4-2.fc10 (Jun 18)
This update includes a security fix for a hierarchical ACL vulnerability (hierarchical is not the default ACL mode); http://moinmo.in/SecurityFixes has the details of the fix. http://www.linuxsecurity.com/content/view/149169

Fedora 10 Update: libpng-1.2.37-1.fc10 (Jun 18)
Update to libpng 1.2.37, to fix CVE-2009-2042. This is a pretty low-risk issue, but it's been classified as a security issue... http://www.linuxsecurity.com/content/view/149168

Fedora 10 Update: giflib-4.1.6-2.fc10 (Jun 18)
- Update to 4.1.6 containing several upstream fixes etc.
- Solved multilib problems with documentation (#465208, #474538)
- Removed static library from giflib-devel package (#225796 #c1)
http://www.linuxsecurity.com/content/view/149167

Fedora 11 Update: libpng-1.2.37-1.fc11 (Jun 18)
Update to libpng 1.2.37, to fix CVE-2009-2042. This is a pretty low-risk issue, but it's been classified as a security issue... http://www.linuxsecurity.com/content/view/149166

Fedora 10 Update: coccinelle-0.1.8-1.fc10.3 (Jun 15)
Fix for CVE-2009-1753, insecure /tmp file vulnerability. http://www.linuxsecurity.com/content/view/149142

Fedora 11 Update: mutt-1.5.19-5.fc11 (Jun 15)
This update fixes a problem with SSL certificate chain verification (CVE-2009-1390). http://www.linuxsecurity.com/content/view/149141

Fedora 10 Update: php-ZendFramework-1.7.7-2.fc10 (Jun 15)
http://www.linuxsecurity.com/content/view/149140

Fedora 9 Update: mugshot-1.2.2-10.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149135

Fedora 9 Update: ruby-gnome2-0.17.0-10.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149136

Fedora 9 Update: mozvoikko-0.9.5-11.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149137

Fedora 9 Update: totem-2.23.2-17.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149138

Fedora 9 Update: yelp-2.22.1-13.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149139

Fedora 9 Update: evolution-rss-0.1.0-12.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149127

Fedora 9 Update: galeon-2.0.7-11.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149128

Fedora 9 Update: gnome-python2-extras-2.19.1-28.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149129

Fedora 9 Update: google-gadgets-0.10.5-7.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149130

Fedora 9 Update: gnome-web-photo-0.3-22.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149131

Fedora 9 Update: gtkmozembedmm-1.4.2.cvs20060817-30.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149132

Fedora 9 Update: kazehakase-0.5.6-4.fc9.3 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149133

Fedora 9 Update: Miro-2.0.3-5.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149134

Fedora 9 Update: chmsee-1.0.1-13.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149125

Fedora 9 Update: devhelp-0.19.1-13.fc9 (Jun 15)
Update to new upstream Firefox version 3.0.11, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11 Update also includes all packages depending on gecko-libs, rebuilt against the new version of Firefox / XULRunner. http://www.linuxsecurity.com/content/view/149126

Mandriva: Subject: [Security Announce] [ MDVA-2009:117 ] ruby-RubyGems (Jun 18)
On x86_64, rubygems assumes that the gem installation path is in /usr/lib64/ruby. This is problematic because all of the Mandriva ruby-* packages install their rb files under /usr/lib/ruby regardless of the machine architecture; rubygems consequently cannot find any of the installed gems. This update fixes this issue. http://www.linuxsecurity.com/content/view/149179

Mandriva: Subject: [Security Announce] [ MDVA-2009:116 ] glibc (Jun 18)
New glibc release to fix some issues found in glibc 2.8 present in Mandriva 2009.0:
- ulimit(UL_SETFSIZE) does not return the integer part of the new file size limit divided by 512 (http://linuxtesting.org/results/report?num=S0167, Mandriva bug #51685)
- When including pthread.h and using the pthread_cleanup_pop or pthread_cleanup_pop_restore_np macros, a compiler warning is issued or a build error happens if -Werror is used (http://sourceware.org/bugzilla/show_bug.cgi?id=7056, Mandriva bug #49142)
http://www.linuxsecurity.com/content/view/149178

Mandriva: Subject: [Security Announce] [ MDVA-2009:115 ] webkit (Jun 18)
Webkit shipped in 2009.1 has a bug that closes The Gimp help-browser plugin; this update fixes this issue. http://www.linuxsecurity.com/content/view/149175

Mandriva: Subject: [Security Announce] [ MDVA-2009:114 ] logcheck (Jun 18)
The logcheck package shipped in Mandriva 2009.1 had two issues preventing it from running properly:
- its configuration directory (/etc/logcheck) is not readable by the identity used for running logcheck
- it uses the run-parts utility with the unsupported --list option
http://www.linuxsecurity.com/content/view/149174

Mandriva: Subject: [Security Announce] [ MDVA-2009:113 ] rpm (Jun 18)
This update fixes a minor issue with rpm:
- mdvsys mass-update can segfault when parsing the %apply_patches macros through librpm (bug #50579)
http://www.linuxsecurity.com/content/view/149173

Mandriva: Subject: [Security Announce] [ MDVA-2009:112 ] drakx-net (Jun 17)
In some cases, the wpa_supplicant configuration file would not be read correctly by drakx-net, mostly with WPA-Enterprise networks. This update fixes the issue. http://www.linuxsecurity.com/content/view/149165

Mandriva: Subject: [Security Announce] [ MDVSA-2009:135 ] kernel (Jun 17)
Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel:

The selinux_ip_postroute_iptables_compat function in security/selinux/hooks.c in the SELinux subsystem in the Linux kernel before 2.6.27.22, and 2.6.28.x before 2.6.28.10, when compat_net is enabled, omits calls to avc_has_perm for the (1) node and (2) port, which allows local users to bypass intended restrictions on network traffic. NOTE: this was incorrectly reported as an issue fixed in 2.6.27.21. (CVE-2009-1184)

The exit_notify function in kernel/exit.c in the Linux kernel before 2.6.30-rc1 does not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application. (CVE-2009-1337)

The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functions in drivers/char/agp/generic.c in the agp subsystem in the Linux kernel before 2.6.30-rc3 do not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages. (CVE-2009-1192)

The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, sparc64, and mips 64-bit platforms requires that a 32-bit argument in a 64-bit register was properly sign extended when sent from a user-mode application, but cannot verify this, which allows local users to cause a denial of service (crash) or possibly gain privileges via a crafted system call. (CVE-2009-0029)

The __inet6_check_established function in net/ipv6/inet6_hashtables.c in the Linux kernel before 2.6.29, when Network Namespace Support (aka NET_NS) is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via vectors involving IPv6 packets. (CVE-2009-1360)

The inode double locking code in fs/ocfs2/file.c in the Linux kernel 2.6.30 before 2.6.30-rc3, 2.6.27 before 2.6.27.24, 2.6.29 before 2.6.29.4, and possibly other versions down to 2.6.19 allows local users to cause a denial of service (prevention of file creation and removal) via a series of splice system calls that trigger a deadlock between the generic_file_splice_write, splice_from_pipe, and ocfs2_file_splice_write functions. (CVE-2009-1961)

Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel before 2.6.30-rc8, the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size. (CVE-2009-1385)

The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver. (CVE-2009-1630)

Additionally, the kernel package was updated to the Linux upstream stable version 2.6.27.24. To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate http://www.linuxsecurity.com/content/view/149161

Mandriva: Subject: [Security Announce] [ MDVSA-2009:134 ] firefox (Jun 17)
Security vulnerabilities have been discovered and corrected in Mozilla Firefox 3.x:
- CVE-2009-1392: Firefox browser engine crashes
- CVE-2009-1832: Firefox double frame construction flaw
- CVE-2009-1833: Firefox JavaScript engine crashes
- CVE-2009-1834: Firefox URL spoofing with invalid unicode characters
- CVE-2009-1835: Firefox arbitrary domain cookie access by local file: resources
- CVE-2009-1836: Firefox SSL tampering via non-200 responses to proxy CONNECT requests
- CVE-2009-1837: Firefox race condition while accessing the private data of a NPObject JS wrapper class object
- CVE-2009-1838: Firefox arbitrary code execution flaw
- CVE-2009-1839: Firefox information disclosure flaw
- CVE-2009-1840: Firefox XUL scripts skip some security checks
- CVE-2009-1841: Firefox JavaScript arbitrary code execution
- CVE-2009-2043: firefox - remote TinyMCE denial of service
- CVE-2009-2044: firefox - remote GIF denial of service
- CVE-2009-2061: firefox - man-in-the-middle exploit
- CVE-2009-2065: firefox - man-in-the-middle exploit
This update provides the latest Mozilla Firefox 3.x to correct these issues. Additionally, some packages which require it have been rebuilt and are being provided as updates. http://www.linuxsecurity.com/content/view/149160

Mandriva: Subject: [Security Announce] [ MDVSA-2009:133 ] irssi (Jun 16)
A vulnerability has been found and corrected in irssi: Off-by-one error in the event_wallops function in fe-common/irc/fe-events.c in irssi 0.8.13 allows remote IRC servers to cause a denial of service (crash) via an empty command, which triggers a one-byte buffer under-read and a one-byte buffer underflow (CVE-2009-1959). This update provides fixes for this vulnerability. http://www.linuxsecurity.com/content/view/149147

Mandriva: Subject: [Security Announce] [ MDVA-2009:111 ] sqlite3 (Jun 15)
This update provides the latest sqlite3 package, which is required by the Firefox 3.0.11 and xulrunner 1.9.0.11 update. http://www.linuxsecurity.com/content/view/149143

Mandriva: Subject: [Security Announce] [ MDVA-2009:110 ] qt3 (Jun 15)
During the LSB 4.0 validation tests it was discovered that a single patch added to the Mandriva qt3 package made the test suite fail. The patch was only cosmetic, and when it was removed the qt3 packages passed the tests. http://www.linuxsecurity.com/content/view/149089

Mandriva: Subject: [Security Announce] [ MDVA-2009:109 ] mysql (Jun 12)
This update provides mysql-5.0.83 (Community Server) with the latest bugfixes for mysql-5.0.x. http://www.linuxsecurity.com/content/view/149078

Mandriva: Subject: [Security Announce] [ MDVA-2009:108 ] libx11 (Jun 12)
Due to an interface change in version 1.2 of the xcb library, programs depending on libx11 would not run without the proper version of that library. The libx11 package did not require this version explicitly, allowing it to be installed with a wrong version of libxcb. This update fixes this issue. http://www.linuxsecurity.com/content/view/149077

Mandriva: Subject: [Security Announce] [ MDVA-2009:107 ] udev (Jun 12)
Before this update, the udev network hotplug scripts did not ignore the tmpbridge interface created by the xen network-bridge script, which made bridged xen network setups fail. The update addresses the issue by making network hotplug ignore the tmpbridge interface. Affects only xen users using bridges for network setup. http://www.linuxsecurity.com/content/view/149075

Mandriva: Subject: [Security Announce] [ MDVA-2009:102 ] grep (Jun 11)
This update fixes a minor issue with grep: during the LSB 4.0 tests grep was failing with the -i option and with certain locales. The new version 2.5.4 passes the LSB 4.0 tests without problems. http://www.linuxsecurity.com/content/view/149072

Mandriva: Subject: [Security Announce] [ MDVA-2009:101 ] urpmi (Jun 11)
This update fixes minor issues with urpmi:
- some signatures are sometimes wrongly considered invalid (when the same package exists in 2 different media)
- no error message and 0 exit code when using CD/DVD media and hal isn't running
http://www.linuxsecurity.com/content/view/149071

Mandriva: Subject: [Security Announce] [ MDVA-2009:100 ] clamav (Jun 11)
This bugfix release makes it possible to pass additional options to the freshclam utility and the clamd server by utilizing the /etc/sysconfig/freshclam and /etc/sysconfig/clamd files while starting the services. The clamav packages have also been upgraded to the latest version 0.95.2, which also has a number of upstream fixes. http://www.linuxsecurity.com/content/view/149070

RedHat: Critical: acroread security update (Jun 17)
Updated acroread packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149157

RedHat: Important: kernel security and bug fix update (Jun 16)
Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149152

RedHat: Moderate: apr-util security update (Jun 16)
Updated apr-util packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149153

RedHat: Moderate: httpd security update (Jun 16)
Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149154

RedHat: Moderate: wireshark security update (Jun 16)
Updated wireshark packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149144

RedHat: Moderate: cscope security update (Jun 16)
An updated cscope package that fixes multiple security issues is now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149145

RedHat: Moderate: cscope security update (Jun 16)
An updated cscope package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149146

RedHat: Critical: firefox security update (Jun 11)
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149073

RedHat: Critical: seamonkey security update (Jun 11)
Updated seamonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. http://www.linuxsecurity.com/content/view/149074

Slackware: apr-util (Jun 16)
New apr-util (and apr) packages are available for Slackware 11.0, 12.0, 12.1, 12.2, and -current to fix security issues. The issues are with apr-util, but older Slackware releases will require a new version of the apr package as well. More details about the issues may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955 http://www.linuxsecurity.com/content/view/149155

Slackware: mozilla-firefox (Jun 16)
New mozilla-firefox packages are available for Slackware 12.2, and -current to fix security issues. The updated packages may also be used with Slackware 11.0 or newer. More details about the issues may be found on the Mozilla website: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html http://www.linuxsecurity.com/content/view/149156

SuSE: Mozilla Firefox 3.0.11 (Jun 16)
http://www.linuxsecurity.com/content/view/149149

SuSE: Linux kernel (SUSE-SA:2009:033) (Jun 16)
http://www.linuxsecurity.com/content/view/149148

Ubuntu: Tomcat vulnerabilities (Jun 15)
Iida Minehiko discovered that Tomcat did not properly normalise paths. A remote attacker could send specially crafted requests to the server and bypass security restrictions, gaining access to sensitive content. (CVE-2008-5515)

Yoshihito Fukuyama discovered that Tomcat did not properly handle errors when the Java AJP connector and mod_jk load balancing are used. A remote attacker could send specially crafted requests containing invalid headers to the server and cause a temporary denial of service. (CVE-2009-0033)

D. Matscheko and T. Hackner discovered that Tomcat did not properly handle malformed URL encoding of passwords when FORM authentication is used. A remote attacker could exploit this in order to enumerate valid usernames. (CVE-2009-0580)

Deniz Cevik discovered that Tomcat did not properly escape certain parameters in the example calendar application, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. (CVE-2009-0781)

Philippe Prados discovered that Tomcat allowed web applications to replace the XML parser used by other web applications. Local users could exploit this to bypass security restrictions and gain access to certain sensitive files. (CVE-2009-0783) http://www.linuxsecurity.com/content/view/149088

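The username-enumeration finding above (CVE-2009-0580) is an instance of a general pattern: an authenticator that takes a different failure path for a malformed password depending on whether the username exists. The following is an added Python example, not Tomcat's code or the Ubuntu advisory's; the realm layout, the user table, the strict percent-decoder and the order of decoding versus lookup are assumptions chosen to make the oracle visible, and the "fixed" variant shows the two things that close it: validate input before any user-dependent branch, and do the same work on every failure path.

```python
"""Username enumeration via inconsistent error handling in FORM authentication.

Added example illustrating the class of bug described for CVE-2009-0580. It is
not Tomcat's code; the realm, user table and decode-before-lookup ordering are
assumptions used to show the pattern.
"""
import hashlib
import hmac

_SALT = b"constructed-salt"  # constructed; a real realm would use per-user salts


def _digest(password: bytes) -> str:
    return hashlib.sha256(_SALT + password).hexdigest()


# Constructed user table: username -> salted digest.
USERS = {"alice": _digest(b"correct horse"), "bob": _digest(b"hunter2")}
# Digest compared against for unknown users so the failure path does equal work.
DUMMY_DIGEST = _digest(b"no-such-user")


def strict_url_decode(raw: str) -> bytes:
    """Decode %XX escapes and '+', raising ValueError on a malformed escape.

    urllib.parse.unquote leaves bad escapes untouched; a decoder that throws
    on them (as a container turning it into an HTTP 500 would) is what makes
    the oracle observable, so a strict one is written out here.
    """
    out = bytearray()
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "%":
            hexpart = raw[i + 1:i + 3]
            if len(hexpart) != 2 or any(h not in "0123456789abcdefABCDEF" for h in hexpart):
                raise ValueError("malformed percent-escape at offset %d" % i)
            out.append(int(hexpart, 16))
            i += 3
        elif ch == "+":
            out.append(0x20)
            i += 1
        else:
            out.extend(ch.encode("utf-8"))
            i += 1
    return bytes(out)


def authenticate_vulnerable(username: str, raw_password: str) -> bool:
    """Looks the user up first and only then decodes the password.

    A malformed password therefore raises (a server error) only when the
    username exists and is silently denied otherwise: a username oracle.
    """
    stored = USERS.get(username)
    if stored is None:
        return False
    password = strict_url_decode(raw_password)  # reached only for real users
    return hmac.compare_digest(stored, _digest(password))


def authenticate_fixed(username: str, raw_password: str) -> bool:
    """Validates input before the lookup and makes every failure look alike."""
    try:
        password = strict_url_decode(raw_password)
    except ValueError:
        return False  # same answer as a wrong password, for every username
    stored = USERS.get(username, DUMMY_DIGEST)  # equal work for unknown users
    matches = hmac.compare_digest(stored, _digest(password))
    return matches and username in USERS


def probe(authenticate, username: str, malformed_password: str = "%zz") -> str:
    """What an attacker observes for one username: 'error' or 'denied'."""
    try:
        authenticate(username, malformed_password)
        return "denied"
    except ValueError:
        return "error"


def enumerate_users(authenticate, candidates):
    """Usernames the oracle confirms; empty against the fixed authenticator."""
    return [name for name in candidates if probe(authenticate, name) == "error"]


if __name__ == "__main__":
    wordlist = ["alice", "mallory", "bob", "root"]
    print("vulnerable:", enumerate_users(authenticate_vulnerable, wordlist))
    print("fixed:     ", enumerate_users(authenticate_fixed, wordlist))
```

The same discipline applies to timing: `authenticate_fixed` hashes a dummy digest for unknown users so that a wrong username and a wrong password cost roughly the same, which is why the dummy comparison is kept even though the final `username in USERS` check decides the result.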
Pardus: Apr-util: Multiple Vulnerabilities (Jun 13)
Some vulnerabilities have been reported in APR-util, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service). http://www.linuxsecurity.com/content/view/149082

Pardus: Apache: Security Bypass (Jun 13)
A security issue has been reported in Apache HTTP Server, which can be exploited by malicious, local users to bypass certain security restrictions. http://www.linuxsecurity.com/content/view/149081

Pardus: Xvid: Multiple Vulnerabilities (Jun 13)
Some vulnerabilities have been reported in Xvid, which can be exploited by malicious people to potentially compromise an application using the library. http://www.linuxsecurity.com/content/view/149079

Pardus: Libpng: Exposure of sensitive (Jun 13)
A vulnerability has been reported in libpng, which can be exploited by malicious people to disclose potentially sensitive information. http://www.linuxsecurity.com/content/view/149080

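A digest like this one is only useful to an operations team once the CVE identifiers are pulled out per distribution and cross-checked against what is deployed. The following is an added Python example, not code from LinuxSecurity or any of the vendors quoted above. It assumes the layout used on this page (a title line ending in "(Mon DD)", then body text ending in a linuxsecurity.com URL), and its sample input is constructed from abbreviated excerpts of three entries, one of which carries a deliberately mistyped identifier so that the strict check has something to flag; ids that fail the CVE syntax are reported rather than silently dropped, because a dropped id is a missed patch.

```python
"""Parse a LinuxSecurity-style advisory digest and extract CVE identifiers.

Added example for triaging digests such as the one above; not code from
LinuxSecurity or any vendor. Assumed format: each entry is a title line
ending in "(Mon DD)", followed by body text ending in a linuxsecurity.com URL.
"""
import re

# Loose pattern: anything that looks like a CVE id, so mistyped ones are
# caught and reported instead of silently ignored.
CANDIDATE_RE = re.compile(r"CVE-\d+-\d+", re.IGNORECASE)
# Strict CVE id syntax: "CVE-", a four-digit year, "-", at least four digits.
STRICT_RE = re.compile(r"^CVE-(?:19|20)\d{2}-\d{4,}$")
TITLE_RE = re.compile(r"^(?P<title>.+?) \((?P<date>[A-Z][a-z]{2} \d{1,2})\)$")
URL_RE = re.compile(r"https?://www\.linuxsecurity\.com/content/view/\d+")

# Constructed sample input, abbreviated from three digest entries. The id
# "CVE-20090-1360" is deliberately malformed (an extra digit in the year).
SAMPLE_DIGEST = """\
Mandriva: Subject: [Security Announce] [ MDVSA-2009:135 ] kernel (Jun 17)
Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel: ... (CVE-2009-1184) ... (CVE-2009-1337) ... (CVE-20090-1360) ... (CVE-2009-1961) http://www.linuxsecurity.com/content/view/149161
Fedora 11 Update: mutt-1.5.19-5.fc11 (Jun 15)
This update fixes a problem with SSL certificate chain verification (CVE-2009-1390). http://www.linuxsecurity.com/content/view/149141
Slackware: apr-util (Jun 16)
New apr-util (and apr) packages are available ... CVE-2009-0023 ... CVE-2009-1955 http://www.linuxsecurity.com/content/view/149155
"""


def split_cve_ids(text):
    """Return (valid, malformed) CVE ids found in text, de-duplicated, in order of appearance."""
    valid, malformed = [], []
    for match in CANDIDATE_RE.finditer(text):
        cve = match.group(0).upper()
        bucket = valid if STRICT_RE.match(cve) else malformed
        if cve not in bucket:
            bucket.append(cve)
    return valid, malformed


def parse_digest(text):
    """Split digest text into entries: dicts with distro, title, date, url and CVE lists."""
    entries = []
    current = None
    for line in text.splitlines():
        title = TITLE_RE.match(line)
        if title:
            current = {
                # Distro is the prefix before the first colon, e.g. "Mandriva".
                "distro": title.group("title").split(":", 1)[0].strip(),
                "title": title.group("title"),
                "date": title.group("date"),
                "body": [],
            }
            entries.append(current)
        elif current is not None and line.strip():
            current["body"].append(line.strip())
    for entry in entries:
        body = " ".join(entry.pop("body"))
        entry["valid_cves"], entry["malformed_cves"] = split_cve_ids(body)
        url = URL_RE.search(body)
        entry["url"] = url.group(0) if url else None
    return entries


def cves_by_distro(entries):
    """Map each distro to the sorted list of well-formed CVE ids it addressed."""
    summary = {}
    for entry in entries:
        summary.setdefault(entry["distro"], set()).update(entry["valid_cves"])
    return {distro: sorted(ids) for distro, ids in summary.items()}


if __name__ == "__main__":
    for entry in parse_digest(SAMPLE_DIGEST):
        print(entry["distro"], entry["date"], entry["valid_cves"],
              "malformed:", entry["malformed_cves"], entry["url"])
    print(cves_by_distro(parse_digest(SAMPLE_DIGEST)))
```

Anything that lands in `malformed_cves` needs a human to look at the advisory link before the id is recorded, since a typo in a feed is indistinguishable from a reference to an id that does not exist.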