Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux-based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to ensure basic security considerations are in place.

Password Guessing with Medusa 2.0 - Medusa was created by the fine folks at foofus.net; in fact, the much-awaited Medusa 2.0 update was released in February of 2010. For a complete change log please visit


(Oct 18)

This DSA updates the MySQL database to 5.1.72. This fixes multiple unspecified security problems in the Optimizer component: https://www.oracle.com/security-alerts/cpuoct2013.html [More...]

(Oct 13)

Aki Helin of OUSPG discovered many out-of-bounds read issues in libxml2, the GNOME project's XML parser library, which can lead to denial of service issues when handling XML documents that end abruptly. [More...]

(Oct 11)

Robert Matthews discovered that the Apache FCGID module, a FastCGI implementation for Apache HTTP Server, fails to perform adequate boundary checks on user-supplied input. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service [More...]

(Oct 11)

Multiple security issues in systemd have been discovered by Sebastian Krahmer and Florian Weimer: Insecure interaction with DBUS could lead to the bypass of Policykit restrictions and privilege escalation or denial of service through an integer overflow in journald and missing [More...]

(Oct 11)

Multiple vulnerabilities have been fixed in the Drupal content management framework, resulting in information disclosure, insufficient validation, cross-site scripting and cross-site request forgery. [More...]

(Oct 10)

It was discovered that ejabberd, a Jabber/XMPP server, uses SSLv2 and weak ciphers for communication, which are considered insecure. The software offers no runtime configuration options to disable these. This update disables the use of SSLv2 and weak ciphers. [More...]

(Oct 10)

Two vulnerabilities were discovered in GnuPG 2, the GNU privacy guard, a free PGP replacement. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]

(Oct 10)

Two vulnerabilities were discovered in GnuPG, the GNU privacy guard, a free PGP replacement. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]

(Oct 10)

Markus Pieton and Vytautas Paulikas discovered that the embedded video and audio player in the TYPO3 web content management system is susceptible to cross-site scripting. [More...]


(Oct 17)

An insecure temporary file usage has been reported in the Perl Parallel-ForkManager module, possibly allowing symlink attacks.

(Oct 17)

Multiple vulnerabilities have been found in PolarSSL, the worst of which might allow a remote attacker to cause a Denial of Service condition.

(Oct 10)

A vulnerability in Setuptools could allow remote attackers to perform man-in-the-middle attacks.

(Oct 10)

Multiple vulnerabilities have been found in Quagga, the worst of which could lead to arbitrary code execution.

(Oct 10)

Multiple vulnerabilities in OpenJPEG could result in execution of arbitrary code.


Mandriva: 2013:256: apache-mod_fcgid (Oct 18)

Updated apache-mod_fcgid package fixes security vulnerability: Apache mod_fcgid before version 2.3.9 fails to perform adequate boundary checks on user-supplied input. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial [More...]

Mandriva: 2013:255: clutter (Oct 18)

Updated clutter packages fix security vulnerability: A security flaw was found in the way Clutter, an open source software library for creating rich graphical user interfaces, used to manage translation of hierarchy events in certain circumstances (when [More...]

Mandriva: 2013:254: quagga (Oct 18)

Updated quagga packages fix security vulnerability: Remotely exploitable buffer overflow in ospf_api.c and ospfclient.c when processing LSA messages in quagga before 0.99.22.2 (CVE-2013-2236). [More...]

Mandriva: 2013:253: libtar (Oct 18)

Updated libtar packages fix security vulnerability: Two heap-based buffer overflow flaws were found in the way libtar handled certain archives. If a user were tricked into expanding a specially-crafted archive, it could cause the libtar executable or an [More...]

Mandriva: 2013:252: torque (Oct 18)

Updated torque package fixes security vulnerability: A non-privileged user who was able to run jobs or log in to a node which ran pbs_server or pbs_mom could submit arbitrary jobs to a pbs_mom daemon to queue and run the job, which would run as root [More...]

Mandriva: 2013:251: aircrack-ng (Oct 18)

Updated aircrack-ng package fixes security vulnerability: A buffer overflow vulnerability has been discovered in Aircrack-ng. A remote attacker could entice a user to open a specially crafted dump file using Aircrack-ng, possibly resulting in execution of [More...]

Mandriva: 2013:250: mysql (Oct 17)

Multiple vulnerabilities have been discovered and corrected in mysql: Unspecified vulnerability in MySQL 5.5.x before 5.5.23 has unknown impact and attack vectors related to a Security Fix, aka Bug #59533. NOTE: this might be a duplicate of CVE-2012-1689, but as of [More...]

Mandriva: 2013:249: libraw (Oct 10)

Updated libraw packages fix security vulnerabilities: It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, applications linked against LibRaw could be made to [More...]

Mandriva: 2013:248: xinetd (Oct 10)

Updated xinetd package fixes security vulnerability: It was found that xinetd ignored the user and group configuration directives for services running under the tcpmux-server service. This flaw could cause the associated services to run as root. If there was [More...]

Mandriva: 2013:247: gnupg (Oct 10)

Multiple vulnerabilities have been discovered and corrected in gnupg: GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass [More...]


Red Hat: 2013:1441-01: rubygems: Moderate Advisory (Oct 17)

An updated rubygems package that fixes three security issues is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]

Red Hat: 2013:1440-01: java-1.7.0-oracle: Critical Advisory (Oct 17)

Updated java-1.7.0-oracle packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]

Red Hat: 2013:1436-01: kernel: Moderate Advisory (Oct 16)

Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]

Red Hat: 2013:1426-01: xorg-x11-server: Important Advisory (Oct 15)

Updated xorg-x11-server packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having [More...]

Red Hat: 2013:1418-01: libtar: Moderate Advisory (Oct 10)

An updated libtar package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]


(Oct 14)

New gnutls packages are available for Slackware 12.1, 12.2, 13.0, 13.1, and 13.37 to fix security issues. [More Info...]

(Oct 14)

New gnupg2 packages are available for Slackware 13.37, 14.0, and -current to fix security issues. These packages will require the updated libgpg-error package. [More Info...]

(Oct 14)

New gnupg packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues. [More Info...]

(Oct 14)

New libgpg-error packages are available for Slackware 13.37 and 14.0. These are needed for the updated gnupg2 package. [More Info...]

(Oct 14)

New xorg-server packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue. [More Info...]


Ubuntu: 1990-1: X.Org X server vulnerabilities (Oct 17)

The X.Org X server could be made to crash or run programs as an administrator if it received specially crafted input.

Ubuntu: 1989-1: ICU vulnerabilities (Oct 15)

ICU could be made to crash or run programs as your login if it processed specially crafted data.