Linux Advisory Watch: July 24th, 2009
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
Linux Advisory Watch: This week, advisories were released for xulrunner, gst-plugins, pulseaudio, dbus, fckeditor, mozvoikko, perl-gtk, yelp, ruby, chmsee, eclipse, epiphany, evolution, galeon, hulahop, java, miro, firefox, blam, wxGTK, moin, mediawiki, libtiff, compat, wordpress, poppler, seamonkey, bluez, net-snmp, dhcp, and pulseaudio. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, SuSE, Ubuntu, and Pardus.

Linux+DVD Magazine: Our magazine is read by professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software. The majority of our readers are between 15 and 40 years old. They are interested in current news from the Linux world, upcoming projects etc.

In each issue you can find information concerning typical use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments.


LinuxSecurity.com Feature Extras:

Review: Googling Security: How Much Does Google Know About You - If I ask "How much do you know about Google?" you may not take even a second to respond. But if I ask "How much does Google know about you?" you may instantly reply "Wait... what!? Do they!?" The book "Googling Security: How Much Does Google Know About You" by Greg Conti (Computer Science Professor at West Point) is the first book to reveal how Google's vast information stockpiles could be used against you or your business – and what you can do to protect yourself.

A Secure Nagios Server - Nagios is monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process; however, making it a secure setup takes some work. This article will not show you how to install Nagios, since there are plenty of guides for that, but it will show you in detail ways to improve your Nagios security.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


  EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
 

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/145668

  Debian: New xulrunner packages fix several vulnerabilities (Jul 23)
 

http://www.linuxsecurity.com/content/view/149461
  Debian: New gst-plugins-good0.10 packages fix arbitrary code execution (Jul 19)
 

http://www.linuxsecurity.com/content/view/149401
  Debian: New pulseaudio packages fix privilege escalation (Jul 18)
 

http://www.linuxsecurity.com/content/view/149399
  Debian: New dbus packages fix denial of service (Jul 18)
 

http://www.linuxsecurity.com/content/view/149398
  Debian: New fckeditor packages fix arbitrary code execution (Jul 16)
 

http://www.linuxsecurity.com/content/view/149390

  Fedora 11 Update: (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149456
  Fedora 11 Update: mozvoikko-0.9.7-0.5.rc1.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149457
  Fedora 11 Update: perl-Gtk2-MozEmbed-0.08-6.fc11.3 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149458
  Fedora 11 Update: yelp-2.26.0-5.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149459
  Fedora 11 Update: ruby-gnome2-0.19.0-3.fc11.1 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149460
  Fedora 11 Update: chmsee-1.0.1-9.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149444
  Fedora 11 Update: eclipse-3.4.2-13.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149445
  Fedora 11 Update: epiphany-2.26.3-2.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149446
  Fedora 11 Update: epiphany-extensions-2.26.1-4.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149447
  Fedora 11 Update: evolution-rss-0.1.2-11.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149448
  Fedora 11 Update: galeon-2.0.7-12.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149449
  Fedora 11 Update: gnome-python2-extras-2.25.3-5.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149450
  Fedora 11 Update: gnome-web-photo-0.7-4.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149451
  Fedora 11 Update: google-gadgets-0.11.0-2.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149452
  Fedora 11 Update: hulahop-0.4.9-6.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149453
  Fedora 11 Update: java-1.6.0-openjdk-1.6.0.0-25.b16.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149454
  Fedora 11 Update: Miro-2.0.5-2.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149455
  Fedora 11 Update: firefox-3.5.1-1.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149441
  Fedora 11 Update: xulrunner-1.9.1.1-1.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149442
  Fedora 11 Update: blam-1.8.5-12.fc11 (Jul 22)
 

Update to the new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1). The update also includes all packages that depend on gecko-libs, rebuilt against the new version of Firefox / XULRunner.

http://www.linuxsecurity.com/content/view/149443
  Fedora 10 Update: wxGTK-2.8.10-2.fc10 (Jul 22)
 

Added a fix for CVE-2009-2369.

http://www.linuxsecurity.com/content/view/149440
  Fedora 11 Update: wxGTK-2.8.10-2.fc11 (Jul 22)
 

Added a fix for CVE-2009-2369.

http://www.linuxsecurity.com/content/view/149439
  Fedora 10 Update: perl-IO-Socket-SSL-1.26-1.fc10 (Jul 19)
 

This update to version 1.26 fixes an issue where only the prefix of the hostname was checked if there was no wildcard present, so for example www.example.org would match a certificate starting with www.exam.

http://www.linuxsecurity.com/content/view/149415
  Fedora 11 Update: moin-1.8.4-2.fc11 (Jul 19)
 

This update removes the filemanager directory from the embedded FCKeditor, which contains code with known security vulnerabilities, even though that code could not be invoked when Moin was used with the default settings. Moin was probably not affected, but installing this update is still recommended as a security measure. CVE-2009-2265 is the related CVE identifier.

http://www.linuxsecurity.com/content/view/149414
  Fedora 11 Update: mediawiki-1.15.1-48.fc11 (Jul 19)
 

This update upgrades mediawiki code to 1.15.1 and fixes some path references. Upstream comments: This is a security and bugfix release of MediaWiki 1.15.1 and 1.14.1. A cross-site scripting (XSS) vulnerability was discovered. Only versions 1.14.0, 1.15.0 and release candidates for those releases are affected.

http://www.linuxsecurity.com/content/view/149413
  Fedora 11 Update: libtiff-3.8.2-14.fc11 (Jul 19)
 

CVE-2009-2347 libtiff: integer overflows in various inter-colour-space conversion tools (crash, arbitrary code execution). Not the same as last week's libtiff security issue ...

http://www.linuxsecurity.com/content/view/149412
  Fedora 10 Update: compat-wxGTK26-2.6.4-10.fc10 (Jul 19)
 

Added rediffed fix for CVE-2009-2369 as found in wxGTK 2.8.10

http://www.linuxsecurity.com/content/view/149410
  Fedora 11 Update: mingw32-libtiff-3.8.2-17.fc11 (Jul 19)
 

Update the upstream URL; fix some more LZW decoding vulnerabilities (CVE-2009-2285).

http://www.linuxsecurity.com/content/view/149411
  Fedora 10 Update: moin-1.6.4-3.fc10 (Jul 19)
 

This update removes the filemanager and _samples directories from the embedded FCKeditor, which contain code with known security vulnerabilities, even though that code could not be invoked when Moin was used with the default settings. Moin was probably not affected, but installing this update is still recommended as a security measure. CVE-2009-2265 is the related CVE identifier.

http://www.linuxsecurity.com/content/view/149409
  Fedora 11 Update: compat-wxGTK26-2.6.4-10.fc11 (Jul 19)
 

Added rediffed fix for CVE-2009-2369 as found in wxGTK 2.8.10

http://www.linuxsecurity.com/content/view/149407
  Fedora 10 Update: mediawiki-1.15.1-48.fc10 (Jul 19)
 

This update upgrades mediawiki code to 1.15.1 and fixes some path references. Upstream comments: This is a security and bugfix release of MediaWiki 1.15.1 and 1.14.1. A cross-site scripting (XSS) vulnerability was discovered. Only versions 1.14.0, 1.15.0 and release candidates for those releases are affected.

http://www.linuxsecurity.com/content/view/149408
  Fedora 10 Update: wordpress-2.8.1-1.fc10 (Jul 19)
 

http://www.linuxsecurity.com/content/view/149406
  Fedora 10 Update: libtiff-3.8.2-14.fc10 (Jul 19)
 

CVE-2009-2347 libtiff: integer overflows in various inter-colour-space conversion tools (crash, arbitrary code execution). Not the same as last week's libtiff security issue ...

http://www.linuxsecurity.com/content/view/149405
  Fedora 10 Update: mingw32-libtiff-3.8.2-17.fc10 (Jul 19)
 

Update the upstream URL; fix some more LZW decoding vulnerabilities (CVE-2009-2285). Bugzilla: #511015

http://www.linuxsecurity.com/content/view/149404
  Fedora 11 Update: perl-IO-Socket-SSL-1.26-1.fc11 (Jul 19)
 

This update to version 1.26 fixes an issue where only the prefix of the hostname was checked if there was no wildcard present, so for example www.example.org would match a certificate starting with www.exam.

http://www.linuxsecurity.com/content/view/149402
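The prefix-matching flaw described in the perl-IO-Socket-SSL entries above (Fedora 10 and Fedora 11), as an added example that is not the module's own Perl code: a constructed Python model of a start-only-anchored hostname check beside the corrected whole-hostname match, so the advisory's own www.exam / www.example.org case can be replayed. The function names, the wildcard rules (one '*' as the entire leftmost label, at least two labels after it) and the sample names are assumptions made for this illustration.

```python
import re
from typing import Optional

# Constructed model of the behaviour the IO::Socket::SSL 1.26 advisory
# describes; it is not the module's Perl source.


def _name_regex(cert_name: str) -> Optional[str]:
    """Translate a certificate DNS name into a regex source string.

    A name without '*' is matched literally. A wildcard is accepted only as
    the entire leftmost label with at least two labels after it, so
    '*.example.org' is allowed while '*.org', 'w*.example.org' and
    'a.*.example.org' are refused (None is returned).
    """
    labels = cert_name.split(".")
    if "*" not in cert_name:
        return re.escape(cert_name)
    if cert_name.count("*") != 1 or labels[0] != "*" or len(labels) < 3:
        return None
    # '[^.]+' keeps the wildcard inside a single DNS label.
    return r"[^.]+\." + re.escape(".".join(labels[1:]))


def match_hostname_buggy(hostname: str, cert_name: str) -> bool:
    """Pre-fix behaviour: the no-wildcard branch anchors only the start."""
    hostname, cert_name = hostname.lower(), cert_name.lower()
    pattern = _name_regex(cert_name)
    if pattern is None:
        return False
    if "*" in cert_name:
        return re.fullmatch(pattern, hostname) is not None
    # Bug: re.match anchors only the beginning of the string, so the
    # certificate name merely has to be a prefix of the hostname
    # ('www.exam' is accepted for 'www.example.org').
    return re.match(pattern, hostname) is not None


def match_hostname_fixed(hostname: str, cert_name: str) -> bool:
    """Fixed behaviour: the whole hostname must match the certificate name."""
    hostname, cert_name = hostname.lower(), cert_name.lower()
    pattern = _name_regex(cert_name)
    if pattern is None:
        return False
    return re.fullmatch(pattern, hostname) is not None


def verify_peer_name(hostname: str, cert_names: list,
                     matcher=match_hostname_fixed) -> bool:
    """Accept the peer if any presented name (SAN entry or CN) matches."""
    return any(matcher(hostname, name) for name in cert_names)


if __name__ == "__main__":
    # Constructed sample: the advisory's own example plus a few edge cases.
    cases = [
        ("www.example.org", "www.exam"),                 # prefix only
        ("www.example.org", "www.example.org"),          # exact match
        ("www.example.org.attacker.test", "www.example.org"),
        ("foo.example.org", "*.example.org"),            # one-label wildcard
        ("a.b.example.org", "*.example.org"),            # spans two labels
        ("example.org", "*.example.org"),                # wildcard needs a label
        ("www.example.org", "*.org"),                    # too-broad wildcard
    ]
    for host, name in cases:
        print(f"{host:30} vs {name:17} buggy={match_hostname_buggy(host, name)!s:5} "
              f"fixed={match_hostname_fixed(host, name)}")
```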
  Fedora 11 Update: wordpress-2.8.1-1.fc11 (Jul 19)
 

http://www.linuxsecurity.com/content/view/149403
  Fedora 10 Update: perl-5.10.0-73.fc10 (Jul 16)
 

This security update fixes an off-by-one overflow in Compress::Raw::Zlib (CVE-2009-1391). Moreover, it contains a subtle change to the configuration that does not affect the Perl interpreter itself, but fixes the propagation of the chosen options to the modules. For example, a rebuild of perl-Wx against perl-5.10.0-73 will fix bug 508496.

http://www.linuxsecurity.com/content/view/149385
  Fedora 11 Update: poppler-0.10.7-2.fc11 (Jul 16)
 

An update to the latest stable upstream release, fixing many bugs as well as addressing several security issues. Release announcement: http://lists.freedesktop.org/archives/poppler/2009-May/004721.html

http://www.linuxsecurity.com/content/view/149384
  Fedora 11 Update: seamonkey-1.1.17-1.fc11 (Jul 16)
 

Update to upstream version 1.1.17, fixing multiple security flaws: http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html#seamonkey1.1.17

http://www.linuxsecurity.com/content/view/149383
  Fedora 10 Update: seamonkey-1.1.17-1.fc10 (Jul 16)
 

Update to upstream version 1.1.17, fixing multiple security flaws: http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html#seamonkey1.1.17

http://www.linuxsecurity.com/content/view/149382

  Gentoo: Python Integer overflows (Jul 19)
 

Multiple integer overflows in Python have an unspecified impact.

http://www.linuxsecurity.com/content/view/149419
  Gentoo: Nagios Execution of arbitrary code (Jul 19)
 

Multiple vulnerabilities in Nagios may lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/149418
  Gentoo: Rasterbar libtorrent Directory traversal (Jul 17)
 

A directory traversal vulnerability in Rasterbar libtorrent might allow a remote attacker to overwrite arbitrary files.

http://www.linuxsecurity.com/content/view/149392
  Gentoo: PulseAudio Local privilege escalation (Jul 16)
 

A vulnerability in PulseAudio may allow a local user to execute code with escalated privileges.

http://www.linuxsecurity.com/content/view/149386

  Mandriva: Subject: [Security Announce] [ MDVA-2009:132 ] gnome-power-manager (Jul 20)
 

The gnome-power-manager package shipped in Mandriva 2009 Spring does not work unless gnome-session is running in the user's desktop environment. This update fixes the issue, making gnome-power-manager work even if gnome-session is not started.

http://www.linuxsecurity.com/content/view/149426
  Mandriva: Subject: [Security Announce] [ MDVA-2009:131 ] bluez (Jul 19)
 

In Mandriva 2009.1 the Bluetooth ALSA plugins were installed in the root lib directory. This prevented A2DP Bluetooth devices from working, because the plugins are looked for in the standard lib directory.

http://www.linuxsecurity.com/content/view/149424
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:157 ] perl-Compress-Raw-Zlib (Jul 19)
 

A vulnerability has been found and corrected in perl-Compress-Raw-Zlib: Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009 (CVE-2009-1391). This update provides fixes for this vulnerability.

http://www.linuxsecurity.com/content/view/149423
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:157 ] perl-Compress-Raw-Zlib (Jul 19)
 

A vulnerability has been found and corrected in perl-Compress-Raw-Zlib: Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009 (CVE-2009-1391). This update provides fixes for this vulnerability.

http://www.linuxsecurity.com/content/view/149422
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:156 ] net-snmp (Jul 19)
 

A vulnerability has been found and corrected in net-snmp: agent/snmp_agent.c in snmpd in net-snmp 5.0.9 in Red Hat Enterprise Linux (RHEL) 3 allows remote attackers to cause a denial of service (daemon crash) via a crafted SNMP GETBULK request that triggers a divide-by-zero error. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-4309 (CVE-2009-1887). This update provides fixes for this vulnerability.

http://www.linuxsecurity.com/content/view/149421
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:155 ] git (Jul 19)
 

A vulnerability has been found and corrected in git: git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a request containing extra unrecognized arguments (CVE-2009-2108). This update provides fixes for this vulnerability.

http://www.linuxsecurity.com/content/view/149420
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:154 ] dhcp (Jul 19)
 

A vulnerability has been found and corrected in ISC DHCP: ISC DHCP Server is vulnerable to a denial of service, caused by the improper handling of DHCP requests. If the host definitions are mixed using dhcp-client-identifier and hardware ethernet, a remote attacker could send specially-crafted DHCP requests to cause the server to stop responding (CVE-2009-1892). This update provides fixes for this vulnerability.

http://www.linuxsecurity.com/content/view/149417
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:153 ] dhcp (Jul 17)
 

A vulnerability has been found and corrected in ISC DHCP: Integer overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before 3.1.1; and the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528; allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code via a malformed DHCP packet with a large dhcp-max-message-size that triggers a stack-based buffer overflow, related to servers configured to send many DHCP options to clients (CVE-2007-0062). This update provides fixes for this vulnerability.

http://www.linuxsecurity.com/content/view/149397
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:153 ] dhcp (Jul 17)
 

A vulnerability has been found and corrected in ISC DHCP: Integer overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before 3.1.1; and the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528; allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code via a malformed DHCP packet with a large dhcp-max-message-size that triggers a stack-based buffer overflow, related to servers configured to send many DHCP options to clients (CVE-2007-0062). This update provides fixes for this vulnerability.

http://www.linuxsecurity.com/content/view/149396
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:152 ] pulseaudio (Jul 17)
 

A vulnerability has been found and corrected in pulseaudio: Tavis Ormandy and Julien Tinnes of the Google Security Team discovered that pulseaudio, when installed setuid root, does not drop privileges before re-executing itself to achieve immediate bindings. This can be exploited by a user who has write access to any directory on the file system containing /usr/bin to gain local root access. The user needs to exploit a race condition related to creating a hard link (CVE-2009-1894). This update provides fixes for this vulnerability.

http://www.linuxsecurity.com/content/view/149395
  Mandriva: Subject: [Security Announce] [ MDVSA-2009:152 ] pulseaudio (Jul 17)
 

A vulnerability has been found and corrected in pulseaudio: Tavis Ormandy and Julien Tinnes of the Google Security Team discovered that pulseaudio, when installed setuid root, does not drop privileges before re-executing itself to achieve immediate bindings. This can be exploited by a user who has write access to any directory on the file system containing /usr/bin to gain local root access. The user needs to exploit a race condition related to creating a hard link (CVE-2009-1894). This update provides fixes for this vulnerability.

http://www.linuxsecurity.com/content/view/149394

  RedHat: Moderate: libtiff security update (Jul 16)
 

Updated libtiff packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/149391

  SuSE: Linux Kernel (SUSE-SA:2009:038) (Jul 23)
 

http://www.linuxsecurity.com/content/view/149462

  Ubuntu: Ruby vulnerabilities (Jul 20)
 

It was discovered that Ruby did not properly validate certificates. An attacker could exploit this and present invalid or revoked X.509 certificates. (CVE-2009-0642) It was discovered that Ruby did not properly handle string arguments that represent large numbers. An attacker could exploit this and cause a denial of service. (CVE-2009-1904)

http://www.linuxsecurity.com/content/view/149427

  Pardus: Perl IO::Socket::SSL: Security (Jul 22)
 

exploited by malicious people to bypass certain security restrictions.

http://www.linuxsecurity.com/content/view/149438
  Pardus: WxGtk: Integer Overflow (Jul 19)
 

exploited by malicious people to potentially compromise a user's system.

http://www.linuxsecurity.com/content/view/149416
