LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: April 7th, 2014
Linux Advisory Watch: April 4th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Advisory Watch: November 29th, 2013 Print E-mail
User Rating:      How can I rate this item?
Source: LinuxSecurity Contributors - Posted by Benjamin D. Thomas   
Linux Advisory Watch Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor have made available.

LinuxSecurity.com Feature Extras:

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to insure basic security considerations are in place.

Password guessing with Medusa 2.0 - Medusa was created by the fine folks at foofus.net, in fact the much awaited Medusa 2.0 update was released in February of 2010. For a complete change log please visit http://www.foofus.net/jmk/medusa/changelog


  Debian: 2806-1: nbd: privilege escalation (Nov 29)
 

It was discovered that nbd-server, the server for the Network Block Device protocol, did incorrect parsing of the access control lists, allowing access to any hosts with an IP address sharing a prefix with an allowed address. [More...]

  Debian: 2805-1: sup-mail: command injection (Nov 27)
 

joernchen of Phenoelit discovered two command injection flaws in Sup, a console-based email client. An attacker might execute arbitrary command if the user opens a maliciously crafted email. [More...]

  Debian: 2804-1: drupal7: Multiple vulnerabilities (Nov 26)
 

Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework: Cross-site request forgery, insecure pseudo random number generation, code execution, incorrect security token validation and cross-site scripting. [More...]

  Debian: 2803-1: quagga: Multiple vulnerabilities (Nov 26)
 

Multiple vulnerabilities were discovered in Quagga, a BGP/OSPF/RIP routing daemon: CVE-2013-2236 [More...]

  Debian: 2800-1: nss: buffer overflow (Nov 25)
 

Andrew Tinits reported a potentially exploitable buffer overflow in the Mozilla Network Security Service library (nss). With a specially crafted request a remote attacker could cause a denial of service or possibly execute arbitrary code. [More...]

  Debian: 2802-1: nginx: restriction bypass (Nov 21)
 

Ivan Fratric of the Google Security Team discovered a bug in nginx, a web server, which might allow an attacker to bypass security restrictions by using a specially crafted request. [More...]

  Debian: 2801-1: libhttp-body-perl: design error (Nov 21)
 

Jonathan Dolle reported a design error in HTTP::Body, a Perl module for processing data from HTTP POST requests. The HTTP body multipart parser creates temporary files which preserve the suffix of the uploaded file. An attacker able to upload files to a service that uses [More...]


  Gentoo: 201311-22 Namazu: Multiple vulnerabilities (Nov 28)
 

Multiple vulnerabilities have been found in Namazu, worst of which allows remote attackers to cause a Denial of Service condition.

  Gentoo: 201311-21 cpio: Arbitrary code execution (Nov 28)
 

A heap-based buffer overflow in cpio might allow a remote rmt server to execute arbitrary code or cause a Denial of Service condition.

  Gentoo: 201311-20 Okular: Arbitrary code execution (Nov 28)
 

A heap-based buffer overflow in Okular might allow a remote attacker to execute arbitrary code or cause a Denial of Service condition.

  Gentoo: 201311-19 rssh: Access restriction bypass (Nov 28)
 

Multiple vulnerabilities have been found in rssh, allowing local attackers to bypass access restrictions.

  Gentoo: 201311-18 Unbound: Denial of Service (Nov 28)
 

Multiple Denial of Service vulnerabilities have been found in Unbound.

  Gentoo: 201311-17 Perl: Multiple vulnerabilities (Nov 28)
 

Multiple vulnerabilities were found in Perl, the worst of which could allow a local attacker to cause a Denial of Service condition.

  Gentoo: 201311-15 Zabbix: Multiple vulnerabilities (Nov 25)
 

Multiple vulnerabilities have been found in Zabbix, possibly leading to SQL injection attacks, Denial of Service, or information disclosure.

  Gentoo: 201311-16 fcron: Information disclosure (Nov 25)
 

A vulnerability has been found in fcron, allowing local attackers to conduct symlink attacks.

  Gentoo: 201311-14 QtCore, QtGui: Multiple vulnerabilities (Nov 22)
 

Multiple vulnerabilities have been discovered in QtCore and QtGui, possibly resulting in execution of arbitrary code, Denial of Service, or man-in-the-middle attacks.


  Mandriva: 2013:287: drupal (Nov 26)
 

Multiple security issues was identified and fixed in drupal: Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, [More...]

  Mandriva: 2013:286: ruby (Nov 26)
 

A vulnerability was found and corrected in ruby: Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service [More...]

  Mandriva: 2013:285: bugzilla (Nov 26)
 

Multiple vulnerabilities was found and corrected in bugzilla: Cross-site request forgery (CSRF) vulnerability in process_bug.cgi in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that modify bugs via [More...]

  Mandriva: 2013:284: glibc (Nov 25)
 

Multiple vulnerabilities was found and corrected in glibc: Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary [More...]

  Mandriva: 2013:283: glibc (Nov 25)
 

Updated glibc packages fixes the following security issues: Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary [More...]

  Mandriva: 2013:282: perl-HTTP-Body (Nov 25)
 

Updated perl-HTTP-Body package fixes security vulnerability: Jonathan Dolle reported a design error in HTTP::Body, a Perl module for processing data from HTTP POST requests. The HTTP body multipart parser creates temporary files which preserve the suffix of the [More...]

  Mandriva: 2013:281: nginx (Nov 24)
 

Updated nginx package fixes security vulnerability: Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might [More...]

  Mandriva: 2013:280: memcached (Nov 22)
 

A vulnerability was found and corrected in memcached: Memcached is vulnerable to a denial of service as it can be made to crash when it receives a specially crafted packet over the network (CVE-2011-4971). [More...]

  Mandriva: 2013:279: wireshark (Nov 22)
 

Multiple vulnerabilities was found and corrected in Wireshark: The ieee802154_map_rec function in epan/dissectors/packet-ieee802154.c in the IEEE 802.15.4 dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 uses an incorrect pointer chain, which allows [More...]

  Mandriva: 2013:278: samba (Nov 21)
 

A vulnerability has been found and corrected in samba: Samba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL [More...]

  Mandriva: 2013:277: lighttpd (Nov 21)
 

Updated lighttpd packages fix security vulnerabilities: lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain [More...]

  Mandriva: 2013:276: curl (Nov 21)
 

Updated curl packages fix security vulnerability: Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host [More...]

  Mandriva: 2013:271: pmake (Nov 21)
 

Updated pmake package fixes security vulnerability: The make include files in NetBSD before 1.6.2, as used in pmake 1.111 and earlier, allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_depend##### temporary file, related [More...]

  Mandriva: 2013:273: libjpeg (Nov 21)
 

Updated libjpeg packages fix security vulnerabilities: libjpeg 6b and libjpeg-turbo will use uninitialized memory when decoding images with missing SOS data for the luminance component (Y) in presence of valid chroma data (Cr, Cb) (CVE-2013-6629). [More...]

  Mandriva: 2013:275: krb5 (Nov 21)
 

Updated krb5 package fixes security vulnerabily: If a KDC serves multiple realms, certain requests can cause setup_server_realm() to dereference a null pointer, crashing the KDC. This can be triggered by an unauthenticated user [More...]

  Mandriva: 2013:272: poppler (Nov 21)
 

Updated poppler packages fix security vulnerabilities: Poppler is found to be affected by a stack based buffer overflow vulnerability in the pdfseparate utility. Successfully exploiting this issue could allow remote attackers to execute arbitrary code in [More...]

  Mandriva: 2013:274: libjpeg (Nov 21)
 

Updated libjpeg packages fix security vulnerabilities: A Heap-based buffer overflow was found in the way libjpeg-turbo decompressed certain corrupt JPEG images in which the component count was erroneously set to a large value. An attacker could create [More...]

  Mandriva: 2013:270: nss (Nov 21)
 

Multiple security issues was identified and fixed in mozilla NSPR and NSS: Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which [More...]

  Mandriva: 2013:268: torque (Nov 21)
 

Updated torque packages fix security vulnerability: A user could submit executable shell commands on the tail of what is passed with the -M switch for qsub. This was later passed to a pipe, making it possible for these commands to be executed as root on the [More...]

  Mandriva: 2013:269: firefox (Nov 21)
 

Multiple security issues was identified and fixed in mozilla NSPR, NSS and firefox: Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which [More...]

  Mandriva: 2013:267: java-1.7.0-openjdk (Nov 21)
 

Updated java-1.7.0-openjdk packages fix security vulnerabilities: Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to [More...]

  Mandriva: 2013:266: java-1.6.0-openjdk (Nov 21)
 

Updated java-1.6.0-openjdk packages fix security vulnerabilities: Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to [More...]


  Red Hat: 2013:1767-01: ruby: Critical Advisory (Nov 26)
 

Updated ruby packages that fix one security issue are now available for Red Hat Enterprise Linux 6.2, 6.3, and 6.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical [More...]

  Red Hat: 2013:1764-01: ruby: Critical Advisory (Nov 25)
 

Updated ruby packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical [More...]

  Red Hat: 2013:1752-01: 389-ds-base: Important Advisory (Nov 21)
 

Updated 389-ds-base packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]

  Red Hat: 2013:1661-02: RDMA stack: Moderate Advisory (Nov 21)
 

Updated rdma, libibverbs, libmlx4, librdmacm, qperf, perftest, openmpi, compat-openmpi, infinipath-psm, mpitests, and rds-tools packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. [More...]

  Red Hat: 2013:1701-02: sudo: Low Advisory (Nov 21)
 

An updated sudo package that fixes two security issues, several bugs, and adds two enhancements is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low [More...]

  Red Hat: 2013:1732-02: busybox: Low Advisory (Nov 21)
 

Updated busybox packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low [More...]

  Red Hat: 2013:1674-02: dracut: Moderate Advisory (Nov 21)
 

Updated dracut packages that fix one security issue, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]


  Ubuntu: 2035-1: Ruby vulnerabilities (Nov 27)
 

Several security issues were fixed in Ruby.

  Ubuntu: 2034-1: OpenStack Keystone vulnerability (Nov 25)
 

Keystone would improperly remove roles when it was configured to use theLDAP backend.

  Ubuntu: 2033-1: OpenJDK 6 vulnerabilities (Nov 21)
 

Several security issues were fixed in OpenJDK 6.

  Ubuntu: 2032-1: Thunderbird vulnerabilities (Nov 21)
 

Several security issues were fixed in Thunderbird.

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.