Linux Advisory Watch: October 18th, 2013
Source: LinuxSecurity Contributors - Posted by Benjamin D. Thomas

Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to ensure basic security considerations are in place.

Password guessing with Medusa 2.0 - Medusa was created by the fine folks at foofus.net; the much awaited Medusa 2.0 update was released in February of 2010. For a complete change log please visit http://www.foofus.net/jmk/medusa/changelog


Debian: 2780-1: mysql-5.1: Multiple vulnerabilities (Oct 18)
This DSA updates the MySQL database to 5.1.72. This fixes multiple unspecified security problems in the Optimizer component: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html [More...]

Debian: 2779-1: libxml2: denial of service (Oct 13)
Aki Helin of OUSPG discovered many out-of-bounds read issues in libxml2, the GNOME project's XML parser library, which can lead to denial of service issues when handling XML documents that end abruptly. [More...]

Debian: 2778-1: libapache2-mod-fcgid: heap-based buffer overflow (Oct 11)
Robert Matthews discovered that the Apache FCGID module, a FastCGI implementation for Apache HTTP Server, fails to perform adequate boundary checks on user-supplied input. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service [More...]

Debian: 2777-1: systemd: Multiple vulnerabilities (Oct 11)
Multiple security issues in systemd have been discovered by Sebastian Krahmer and Florian Weimer: Insecure interaction with DBUS could lead to the bypass of Policykit restrictions and privilege escalation or denial of service through an integer overflow in journald and missing [More...]

Debian: 2776-1: drupal6: Multiple vulnerabilities (Oct 11)
Multiple vulnerabilities have been fixed in the Drupal content management framework, resulting in information disclosure, insufficient validation, cross-site scripting and cross-site request forgery. [More...]

Debian: 2775-1: ejabberd: insecure SSL usage (Oct 10)
It was discovered that ejabberd, a Jabber/XMPP server, uses SSLv2 and weak ciphers for communication, which are considered insecure. The software offers no runtime configuration options to disable these. This update disables the use of SSLv2 and weak ciphers. [More...]

Debian: 2774-1: gnupg2: Multiple vulnerabilities (Oct 10)
Two vulnerabilities were discovered in GnuPG 2, the GNU privacy guard, a free PGP replacement. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]

Debian: 2773-1: gnupg: Multiple vulnerabilities (Oct 10)
Two vulnerabilities were discovered in GnuPG, the GNU privacy guard, a free PGP replacement. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]

Debian: 2772-1: typo3-src: cross-site scripting (Oct 10)
Markus Pieton and Vytautas Paulikas discovered that the embedded video and audio player in the TYPO3 web content management system is susceptible to cross-site scripting. [More...]

Gentoo: 201310-11 Perl Parallel-ForkManager Module: Insecure temporary file (Oct 17)
An insecure temporary file usage has been reported in the Perl Parallel-ForkManager module, possibly allowing symlink attacks.

Gentoo: 201310-10 PolarSSL: Multiple vulnerabilities (Oct 17)
Multiple vulnerabilities have been found in PolarSSL, the worst of which might allow a remote attacker to cause a Denial of Service condition.

Gentoo: 201310-09 Setuptools: Man-in-the-Middle attack (Oct 10)
A vulnerability in Setuptools could allow remote attackers to perform man-in-the-middle attacks.

Gentoo: 201310-08 Quagga: Multiple vulnerabilities (Oct 10)
Multiple vulnerabilities have been found in Quagga, the worst of which could lead to arbitrary code execution.

Gentoo: 201310-07 OpenJPEG: User-assisted execution of arbitrary code (Oct 10)
Multiple vulnerabilities in OpenJPEG could result in execution of arbitrary code.

Mandriva: 2013:256: apache-mod_fcgid (Oct 18)
Updated apache-mod_fcgid package fixes security vulnerability: Apache mod_fcgid before version 2.3.9 fails to perform adequate boundary checks on user-supplied input. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial [More...]

Mandriva: 2013:255: clutter (Oct 18)
Updated clutter packages fix security vulnerability: A security flaw was found in the way Clutter, an open source software library for creating rich graphical user interfaces, used to manage translation of hierarchy events in certain circumstances (when [More...]

Mandriva: 2013:254: quagga (Oct 18)
Updated quagga packages fix security vulnerability: Remotely exploitable buffer overflow in ospf_api.c and ospfclient.c when processing LSA messages in quagga before 0.99.22.2 (CVE-2013-2236). [More...]

Mandriva: 2013:253: libtar (Oct 18)
Updated libtar packages fix security vulnerability: Two heap-based buffer overflow flaws were found in the way libtar handled certain archives. If a user were tricked into expanding a specially-crafted archive, it could cause the libtar executable or an [More...]

Mandriva: 2013:252: torque (Oct 18)
Updated torque package fixes security vulnerability: A non-privileged user who was able to run jobs or log in to a node which ran pbs_server or pbs_mom could submit arbitrary jobs to a pbs_mom daemon to queue and run the job, which would run as root [More...]

Mandriva: 2013:251: aircrack-ng (Oct 18)
Updated aircrack-ng package fixes security vulnerability: A buffer overflow vulnerability has been discovered in Aircrack-ng. A remote attacker could entice a user to open a specially crafted dump file using Aircrack-ng, possibly resulting in execution of [More...]

Mandriva: 2013:250: mysql (Oct 17)
Multiple vulnerabilities have been discovered and corrected in mysql: Unspecified vulnerability in MySQL 5.5.x before 5.5.23 has unknown impact and attack vectors related to a Security Fix, aka Bug #59533. NOTE: this might be a duplicate of CVE-2012-1689, but as of [More...]

Mandriva: 2013:249: libraw (Oct 10)
Updated libraw packages fix security vulnerabilities: It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, applications linked against LibRaw could be made to [More...]

Mandriva: 2013:248: xinetd (Oct 10)
Updated xinetd package fixes security vulnerability: It was found that xinetd ignored the user and group configuration directives for services running under the tcpmux-server service. This flaw could cause the associated services to run as root. If there was [More...]

Mandriva: 2013:247: gnupg (Oct 10)
Multiple vulnerabilities have been discovered and corrected in gnupg: GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass [More...]

Red Hat: 2013:1441-01: rubygems: Moderate Advisory (Oct 17)
An updated rubygems package that fixes three security issues is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]

Red Hat: 2013:1440-01: java-1.7.0-oracle: Critical Advisory (Oct 17)
Updated java-1.7.0-oracle packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More...]

Red Hat: 2013:1436-01: kernel: Moderate Advisory (Oct 16)
Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]

Red Hat: 2013:1426-01: xorg-x11-server: Important Advisory (Oct 15)
Updated xorg-x11-server packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having [More...]

Red Hat: 2013:1418-01: libtar: Moderate Advisory (Oct 10)
An updated libtar package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]

Slackware: 2013-287-03: gnutls: Security Update (Oct 14)
New gnutls packages are available for Slackware 12.1, 12.2, 13.0, 13.1, and 13.37 to fix security issues. [More Info...]

Slackware: 2013-287-02: gnupg2: Security Update (Oct 14)
New gnupg2 packages are available for Slackware 13.37, 14.0, and -current to fix security issues. These packages will require the updated libgpg-error package. [More Info...]

Slackware: 2013-287-01: gnupg: Security Update (Oct 14)
New gnupg packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues. [More Info...]

Slackware: 2013-287-04: libgpg-error: Security Update (Oct 14)
New libgpg-error packages are available for Slackware 13.37 and 14.0. These are needed for the updated gnupg2 package. [More Info...]

Slackware: 2013-287-05: xorg-server: Security Update (Oct 14)
New xorg-server packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue. [More Info...]

Ubuntu: 1990-1: X.Org X server vulnerabilities (Oct 17)
The X.Org X server could be made to crash or run programs as an administrator if it received specially crafted input.

Ubuntu: 1989-1: ICU vulnerabilities (Oct 15)
ICU could be made to crash or run programs as your login if it processed specially crafted data.

(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.