Thank you for reading the Linux Advisory Watch Security Newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's vendor security bulletins and pointers on
methods to improve the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so
be sure to read through to find the updates your distributor have
made available.
|
(Jan 9) |
|
It was discovered that Rails, the Ruby web application development framework, performed insufficient validation on input parameters, allowing unintended type conversions. An attacker may use this to bypass authentication systems, inject arbitrary SQL, inject and [More...]
|
|
(Jan 9) |
|
Paul Ling discovered that Emacs insufficiently restricted the evaluation of Lisp code if enable-local-variables is set to "safe". For the stable distribution (squeeze), this problem has been fixed in [More...]
|
|
(Jan 8) |
|
Yury Dyachenko discovered that Zend Framework uses the PHP XML parser in an insecure way, allowing attackers to open files and trigger HTTP requests, potentially accessing restricted information. [More...]
|
|
(Jan 6) |
|
KB Sriram discovered that GnuPG, the GNU Privacy Guard did not sufficiently sanitise public keys on import, which could lead to memory and keyring corruption. [More...]
|
|
(Jan 6) |
|
Jann Horn discovered that users of the CUPS printing system who are part of the lpadmin group could modify several configuration parameters with security impact. Specifically, this allows an attacker to read or write arbitrary files as root which can be used to elevate privileges. [More...]
|
|
(Jan 6) |
|
Google, Inc. discovered that the TurkTrust certification authority included in the Network Security Service libraries (nss) mis-issued two intermediate CA's which could be used to generate rogue end-entity certificates. This update explicitly distrusts those two intermediate [More...]
|
|
(Jan 5) |
|
Two security issues have been discovered in Weechat a, fast, light and extensible chat client: CVE-2011-1428 [More...]
|
|
(Jan 4) |
|
joernchen of Phenoelit discovered that rails, an MVC ruby based framework geared for web application development, is not properly treating user-supplied input to "find_by_*" methods. Depending on how the ruby on rails application is using these methods, this allows an attacker [More...]
|
|
|
|
(Jan 8) |
|
Multiple vulnerabilities were found in DokuWiki, the worst of which leading to privilege escalation.
|
|
(Jan 8) |
|
Multiple vulnerabilities have been found in ISC DHCP, the worst of which may allow remote Denial of Service.
|
|
(Jan 8) |
|
An integer overflow vulnerability has been found in bzip2 and could result in execution of arbitrary code or Denial of Service.
|
|
(Jan 8) |
|
A vulnerability has been found in dhcpcd, allowing remote attackers to execute arbitrary code on the DHCP client.
|
|
(Jan 8) |
|
Multiple vulnerabilities have been found in Tor, allowing attackers to cause Denial of Service or obtain sensitive information.
|
|
(Jan 8) |
|
A buffer overflow in HAProxy may allow execution of arbitrary code.
|
|
(Jan 7) |
|
Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may allow execution of arbitrary code or local privilege escalation.
|
|
|
|
Mandriva: 2013:004: tomcat5 (Jan 10) |
|
Multiple vulnerabilites has been found and corrected in tomcat5: The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) [More...]
|
|
Mandriva: 2013:003: rootcerts (Jan 9) |
|
Google reported to Mozilla that TURKTRUST, a certificate authority in Mozillas root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not [More...]
|
|
Mandriva: 2013:002: firefox (Jan 9) |
|
Multiple security issue were identified and fixed in mozilla firefox: Google reported to Mozilla that TURKTRUST, a certificate authority in Mozillas root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was [More...]
|
|
|
|
Red Hat: 2013:0150-01: acroread: Critical Advisory (Jan 9) |
|
Updated acroread packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
|
|
Red Hat: 2013:0149-01: flash-plugin: Critical Advisory (Jan 9) |
|
An updated Adobe Flash Player package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]
|
|
Red Hat: 2013:0144-01: firefox: Critical Advisory (Jan 8) |
|
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical [More...]
|
|
Red Hat: 2013:0148-01: openshift-origin-node-util: Moderate Advisory (Jan 8) |
|
An updated openshift-origin-node-util package that fixes two security issues is now available for Red Hat OpenShift Enterprise 1.0. The Red Hat Security Response Team has rated this update as having moderate [More...]
|
|
Red Hat: 2013:0145-01: thunderbird: Critical Advisory (Jan 8) |
|
An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical [More...]
|
|
Red Hat: 2013:0135-01: gtk2: Low Advisory (Jan 8) |
|
Updated gtk2 packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
|
|
Red Hat: 2013:0131-01: gnome-vfs2: Low Advisory (Jan 8) |
|
Updated gnome-vfs2 packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
|
|
Red Hat: 2013:0133-01: hplip3: Low Advisory (Jan 8) |
|
Updated hplip3 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
|
|
Red Hat: 2013:0132-01: autofs: Low Advisory (Jan 8) |
|
An updated autofs package that fixes one security issue, several bugs, and adds one enhancement is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
|
|
Red Hat: 2013:0129-01: ruby: Moderate Advisory (Jan 8) |
|
Updated ruby packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]
|
|
Red Hat: 2013:0134-01: freeradius2: Low Advisory (Jan 8) |
|
Updated freeradius2 packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
|
|
Red Hat: 2013:0127-01: libvirt: Low Advisory (Jan 8) |
|
Updated libvirt packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
|
|
Red Hat: 2013:0130-01: httpd: Low Advisory (Jan 8) |
|
Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
|
|
Red Hat: 2013:0125-01: wireshark: Moderate Advisory (Jan 8) |
|
Updated wireshark packages that fix several security issues, three bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]
|
|
Red Hat: 2013:0126-01: squirrelmail: Low Advisory (Jan 8) |
|
An updated squirrelmail package that fixes one security issue and several bugs is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
|
|
Red Hat: 2013:0123-01: OpenIPMI: Low Advisory (Jan 8) |
|
Updated OpenIPMI packages that fix one security issue, multiple bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
|
|
Red Hat: 2013:0128-01: conga: Low Advisory (Jan 8) |
|
Updated conga packages that fix one security issue, multiple bugs, and add two enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
|
|
Red Hat: 2013:0124-01: net-snmp: Moderate Advisory (Jan 8) |
|
Updated net-snmp packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]
|
|
Red Hat: 2013:0122-01: tcl: Moderate Advisory (Jan 8) |
|
Updated tcl packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]
|
|
Red Hat: 2013:0120-01: quota: Low Advisory (Jan 8) |
|
An updated quota package that fixes one security issue and multiple bugs is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
|
|
|
|
(Jan 10) |
|
New mozilla-firefox packages are available for Slackware 13.37, 14.0, and -current to fix security issues. [More Info...]
|
|
(Jan 10) |
|
New seamonkey packages are available for Slackware 13.37, 14.0, and -current to fix security issues. [More Info...]
|
|
(Jan 10) |
|
New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, and -current to fix security issues. [More Info...]
|
|
|
|
Ubuntu: 1684-1: Linux kernel (EC2) vulnerability (Jan 10) |
|
The system could be made to leak sensitive system information.
|
|
Ubuntu: 1683-1: Linux kernel vulnerability (Jan 10) |
|
The system could be made to leak sensitive system information.
|
|
Ubuntu: 1682-1: GnuPG vulnerability (Jan 9) |
|
GnuPG could be made to corrupt the keyring if it imported a speciallycrafted key.
|
|
Ubuntu: 1681-2: Thunderbird vulnerabilities (Jan 8) |
|
Several security issues were fixed in Thunderbird.
|
|
Ubuntu: 1681-1: Firefox vulnerabilities (Jan 8) |
|
Several security issues were fixed in Firefox.
|
