LinuxSecurity.com
Linux Advisory Watch: January 11th, 2013
Source: LinuxSecurity Contributors - Posted by Benjamin D. Thomas   
Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Password guessing with Medusa 2.0 - Medusa was created by the fine folks at foofus.net; the much awaited Medusa 2.0 update was released in February of 2010. For a complete change log please visit http://www.foofus.net/jmk/medusa/changelog

Password guessing as an attack vector - Using password guessing as an attack vector. Over the years we've been taught that a strong password must be long and complex to be considered secure. Some of us have taken that notion to heart and always ensure our passwords are strong, but some don't give a second thought to the complexity or length of their password.


  Debian: 2604-1: rails: insufficient input validation (Jan 9)
 

It was discovered that Rails, the Ruby web application development framework, performed insufficient validation on input parameters, allowing unintended type conversions. An attacker may use this to bypass authentication systems, inject arbitrary SQL, inject and [More...]

  Debian: 2603-1: emacs23: programming error (Jan 9)
 

Paul Ling discovered that Emacs insufficiently restricted the evaluation of Lisp code if enable-local-variables is set to "safe". For the stable distribution (squeeze), this problem has been fixed in [More...]

  Debian: 2602-1: zendframework: XML external entity inclusion (Jan 8)
 

Yury Dyachenko discovered that Zend Framework uses the PHP XML parser in an insecure way, allowing attackers to open files and trigger HTTP requests, potentially accessing restricted information. [More...]

  Debian: 2601-1: gnupg, gnupg2: missing input sanitation (Jan 6)
 

KB Sriram discovered that GnuPG, the GNU Privacy Guard did not sufficiently sanitise public keys on import, which could lead to memory and keyring corruption. [More...]

  Debian: 2600-1: rails: privilege escalation (Jan 6)
 

Jann Horn discovered that users of the CUPS printing system who are part of the lpadmin group could modify several configuration parameters with security impact. Specifically, this allows an attacker to read or write arbitrary files as root which can be used to elevate privileges. [More...]

  Debian: 2599-1: nss: mis-issued intermediates (Jan 6)
 

Google, Inc. discovered that the TurkTrust certification authority included in the Network Security Service libraries (nss) mis-issued two intermediate CAs which could be used to generate rogue end-entity certificates. This update explicitly distrusts those two intermediate [More...]

  Debian: 2598-1: weechat: Multiple vulnerabilities (Jan 5)
 

Two security issues have been discovered in WeeChat, a fast, light and extensible chat client: CVE-2011-1428 [More...]

  Debian: 2597-1: rails: input validation error (Jan 4)
 

joernchen of Phenoelit discovered that rails, an MVC ruby based framework geared for web application development, is not properly treating user-supplied input to "find_by_*" methods. Depending on how the ruby on rails application is using these methods, this allows an attacker [More...]


  Gentoo: 201301-07 DokuWiki: Multiple vulnerabilities (Jan 8)
 

Multiple vulnerabilities were found in DokuWiki, the worst of which may lead to privilege escalation.

  Gentoo: 201301-06 ISC DHCP: Denial of Service (Jan 8)
 

Multiple vulnerabilities have been found in ISC DHCP, the worst of which may allow remote Denial of Service.

  Gentoo: 201301-05 bzip2: User-assisted execution of arbitrary code (Jan 8)
 

An integer overflow vulnerability has been found in bzip2 and could result in execution of arbitrary code or Denial of Service.

  Gentoo: 201301-04 dhcpcd: Arbitrary code execution (Jan 8)
 

A vulnerability has been found in dhcpcd, allowing remote attackers to execute arbitrary code on the DHCP client.

  Gentoo: 201301-03 Tor: Multiple vulnerabilities (Jan 8)
 

Multiple vulnerabilities have been found in Tor, allowing attackers to cause Denial of Service or obtain sensitive information.

  Gentoo: 201301-02 HAProxy: Arbitrary code execution (Jan 8)
 

A buffer overflow in HAProxy may allow execution of arbitrary code.

  Gentoo: 201301-01 Mozilla Products: Multiple vulnerabilities (Jan 7)
 

Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may allow execution of arbitrary code or local privilege escalation.


  Mandriva: 2013:004: tomcat5 (Jan 10)
 

Multiple vulnerabilities have been found and corrected in tomcat5: The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) [More...]

  Mandriva: 2013:003: rootcerts (Jan 9)
 

Google reported to Mozilla that TURKTRUST, a certificate authority in Mozilla's root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not [More...]

  Mandriva: 2013:002: firefox (Jan 9)
 

Multiple security issues were identified and fixed in Mozilla Firefox: Google reported to Mozilla that TURKTRUST, a certificate authority in Mozilla's root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was [More...]


  Red Hat: 2013:0150-01: acroread: Critical Advisory (Jan 9)
 

Updated acroread packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]

  Red Hat: 2013:0149-01: flash-plugin: Critical Advisory (Jan 9)
 

An updated Adobe Flash Player package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]

  Red Hat: 2013:0144-01: firefox: Critical Advisory (Jan 8)
 

Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical [More...]

  Red Hat: 2013:0148-01: openshift-origin-node-util: Moderate Advisory (Jan 8)
 

An updated openshift-origin-node-util package that fixes two security issues is now available for Red Hat OpenShift Enterprise 1.0. The Red Hat Security Response Team has rated this update as having moderate [More...]

  Red Hat: 2013:0145-01: thunderbird: Critical Advisory (Jan 8)
 

An updated thunderbird package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical [More...]

  Red Hat: 2013:0135-01: gtk2: Low Advisory (Jan 8)
 

Updated gtk2 packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]

  Red Hat: 2013:0131-01: gnome-vfs2: Low Advisory (Jan 8)
 

Updated gnome-vfs2 packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]

  Red Hat: 2013:0133-01: hplip3: Low Advisory (Jan 8)
 

Updated hplip3 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]

  Red Hat: 2013:0132-01: autofs: Low Advisory (Jan 8)
 

An updated autofs package that fixes one security issue, several bugs, and adds one enhancement is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]

  Red Hat: 2013:0129-01: ruby: Moderate Advisory (Jan 8)
 

Updated ruby packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]

  Red Hat: 2013:0134-01: freeradius2: Low Advisory (Jan 8)
 

Updated freeradius2 packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]

  Red Hat: 2013:0127-01: libvirt: Low Advisory (Jan 8)
 

Updated libvirt packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]

  Red Hat: 2013:0130-01: httpd: Low Advisory (Jan 8)
 

Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]

  Red Hat: 2013:0125-01: wireshark: Moderate Advisory (Jan 8)
 

Updated wireshark packages that fix several security issues, three bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]

  Red Hat: 2013:0126-01: squirrelmail: Low Advisory (Jan 8)
 

An updated squirrelmail package that fixes one security issue and several bugs is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]

  Red Hat: 2013:0123-01: OpenIPMI: Low Advisory (Jan 8)
 

Updated OpenIPMI packages that fix one security issue, multiple bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]

  Red Hat: 2013:0128-01: conga: Low Advisory (Jan 8)
 

Updated conga packages that fix one security issue, multiple bugs, and add two enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]

  Red Hat: 2013:0124-01: net-snmp: Moderate Advisory (Jan 8)
 

Updated net-snmp packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]

  Red Hat: 2013:0122-01: tcl: Moderate Advisory (Jan 8)
 

Updated tcl packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]

  Red Hat: 2013:0120-01: quota: Low Advisory (Jan 8)
 

An updated quota package that fixes one security issue and multiple bugs is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]


  Slackware: 2013-009-01: mozilla-firefox: Security Update (Jan 10)
 

New mozilla-firefox packages are available for Slackware 13.37, 14.0, and -current to fix security issues. [More Info...]

  Slackware: 2013-009-03: seamonkey: Security Update (Jan 10)
 

New seamonkey packages are available for Slackware 13.37, 14.0, and -current to fix security issues. [More Info...]

  Slackware: 2013-009-02: mozilla-thunderbird: Security Update (Jan 10)
 

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, and -current to fix security issues. [More Info...]


  Ubuntu: 1684-1: Linux kernel (EC2) vulnerability (Jan 10)
 

The system could be made to leak sensitive system information.

  Ubuntu: 1683-1: Linux kernel vulnerability (Jan 10)
 

The system could be made to leak sensitive system information.

  Ubuntu: 1682-1: GnuPG vulnerability (Jan 9)
 

GnuPG could be made to corrupt the keyring if it imported a specially crafted key.

  Ubuntu: 1681-2: Thunderbird vulnerabilities (Jan 8)
 

Several security issues were fixed in Thunderbird.

  Ubuntu: 1681-1: Firefox vulnerabilities (Jan 8)
 

Several security issues were fixed in Firefox.

(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.