LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: July 28th, 2014
Linux Advisory Watch: July 25th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Advisory Watch: January 24th, 2014 Print E-mail
User Rating:      How can I rate this item?
Source: LinuxSecurity Contributors - Posted by Benjamin D. Thomas   
Linux Advisory Watch Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor have made available.

LinuxSecurity.com Feature Extras:

Peter Smith Releases Linux Network Security Online - Thanks so much to Peter Smith for announcing on linuxsecurity.com the release of his Linux Network Security book available free online. In 2005 I wrote a book on Linux security. 8 years later and the publisher has gone out of business. Now that I'm free from restrictions on reproducing material from the book, I have decided to make the entire book available online.

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to insure basic security considerations are in place.


  Debian: 2826-2: denyhosts: regression (Jan 23)
 

A regression has been found on the denyhosts packages fixing CVE-2013-6890. This regression could cause an attempted breakin attempt to be missed by denyhosts, which would then fail to enforce a ban. [More...]

  Debian: 2848-1: mysql-5.5: Multiple vulnerabilities (Jan 23)
 

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: [More...]

  Debian: 2847-1: drupal7: Multiple vulnerabilities (Jan 20)
 

Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues: [More...]

  Debian: 2846-1: libvirt: Multiple vulnerabilities (Jan 17)
 

Multiple security issues have been found in Libvirt, a virtualisation abstraction library: CVE-2013-6458 [More...]

  Debian: 2831-2: puppet: regression (Jan 17)
 

The fix for CVE-2013-4969 contained a regression affecting the default file mode if none is specified on a file resource. The oldstable distribution (squeeze) is not affected by this regression. [More...]

  Debian: 2845-1: mysql-5.1: Multiple vulnerabilities (Jan 17)
 

This DSA updates the MySQL 5.1 database to 5.1.73. This fixes multiple unspecified security problems in MySQL: http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html [More...]


  Gentoo: 201401-26 Zabbix: Shell command injection (Jan 23)
 

A vulnerability in Zabbix could allow remote attackers to execute arbitrary shell code.

  Gentoo: 201401-25 ldns: Arbitrary code execution (Jan 21)
 

A heap-based buffer overflow in ldns might allow remote attackers to execute arbitrary code or cause a Denial of Service condition.

  Gentoo: 201401-24 INN: Man-in-the-middle attack (Jan 21)
 

A vulnerability in INN's STARTTLS implementation could allow a remote attacker to conduct a man-in-the-middle attack.

  Gentoo: 201401-23 sudo: Privilege escalation (Jan 21)
 

Multiple vulnerabilities have been found in sudo which could result in privilege escalation.

  Gentoo: 201401-22 Active Record: SQL injection (Jan 21)
 

A vulnerability in Active Record could allow a remote attacker to inject SQL commands.

  Gentoo: 201401-21 Poppler: Multiple vulnerabilities (Jan 21)
 

Multiple vulnerabilities have been found in Poppler, allowing remote attackers to execute arbitrary code or cause a Denial of Service condition.

  Gentoo: 201401-20 Cacti: Multiple vulnerabilities (Jan 21)
 

Multiple vulnerabilities have been found in Cacti, allowing attackers to execute arbitrary code or perform XSS attacks.

  Gentoo: 201401-19 GMime: Arbitrary code execution (Jan 21)
 

A buffer overflow error in GMime might allow remote attackers to execute arbitrary code or cause a Denial of Service condition.

  Gentoo: 201401-18 OpenSC: Arbitrary code execution (Jan 21)
 

Multiple stack-based buffer overflows have been found in OpenSC, allowing attackers to execute arbitrary code.

  Gentoo: 201401-17 PCSC-Lite: Arbitrary code execution (Jan 21)
 

A vulnerability in PCSC-Lite could result in execution of arbitrary code or Denial of Service.

  Gentoo: 201401-16 CCID: Arbitrary code execution (Jan 21)
 

A vulnerability in CCID could result in execution of arbitrary code.

  Gentoo: 201401-15 Asterisk: Multiple vulnerabilities (Jan 20)
 

Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code.

  Gentoo: 201401-14 cURL: Multiple vulnerabilities (Jan 20)
 

Multiple vulnerabilities have been found in cURL, allowing attackers to execute arbitrary code or cause Denial of Service.

  Gentoo: 201401-13 VirtualBox: Multiple Vulnerabilities (Jan 20)
 

Multiple vulnerabilities have been found in VirtualBox, allowing local attackers to escalate their privileges or cause a Denial of Service condition.

  Gentoo: 201401-12 GNUstep Base library: Multiple vulnerabilities (Jan 20)
 

Multiple vulnerabilities have been found in GNUstep Base library, the worst of which allow execution of arbitrary code.

  Gentoo: 201401-11 Perl, Locale Maketext Perl module: Multiple vulnerabilities (Jan 19)
 

Multiple vulnerabilities have been found in Perl and Locale::Maketext Perl module, the worst of which could allow a context-dependent attacker to execute arbitrary code.

  Gentoo: 201401-10 libexif, exif: Multiple vulnerabilities (Jan 19)
 

Multiple vulnerabilities have been found in libexif and exif, some of which may allow execution of arbitrary code.

  Gentoo: 201401-09 Openswan: User-assisted execution of arbitrary code (Jan 18)
 

A vulnerability in Openswan could result in execution of arbitrary code or Denial of Service.


  Mandriva: 2014:020: x11-server (Jan 22)
 

Updated x11-server package fixes security vulnerability: Bryan Quigley discovered an integer underflow in the Xorg X server which could lead to denial of service or the execution of arbitrary code (CVE-2013-6424). [More...]

  Mandriva: 2014:019: elinks (Jan 22)
 

Updated elinks package fixes security vulnerability: When verifying SSL certificates, elinks fails to warn the user if the hostname of the certificate does not match the hostname of the website. [More...]

  Mandriva: 2014:018: net-snmp (Jan 22)
 

Updated net-snmp packages fix security vulnerability: Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB and processing GETNEXT requests, allows remote attackers to cause a denial of service (crash or infinite loop, CPU consumption, [More...]

  Mandriva: 2014:017: net-snmp (Jan 22)
 

Updated net-snmp packages fix security vulnerability: Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB and processing GETNEXT requests, allows remote attackers to cause a denial of service (crash or infinite loop, CPU consumption, [More...]

  Mandriva: 2014:016: spice (Jan 22)
 

Updated spice packages fix security vulnerability: A stack-based buffer overflow flaw was found in the way the reds_handle_ticket() function in the spice-server library handled decryption of ticket data provided by the client. A remote user able [More...]

  Mandriva: 2014:015: cups (Jan 22)
 

Updated cups packages fix security vulnerability: Jann Horn discovered that the CUPS lppasswd tool incorrectly read a user configuration file in certain configurations. A local attacker could use this to read sensitive information from certain files, [More...]

  Mandriva: 2014:014: php (Jan 21)
 

Multiple vulnerabilities has been discovered and corrected in php: The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field [More...]

  Mandriva: 2014:013: libxfont (Jan 21)
 

A vulnerability has been discovered and corrected in libxfont: Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 allows remote attackers to cause a denial of service (crash) or possibly execute [More...]

  Mandriva: 2014:012: nss (Jan 20)
 

A vulnerability has been discovered and corrected in Mozilla NSS: The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof [More...]

  Mandriva: 2014:011: java-1.7.0-openjdk (Jan 20)
 

Multiple vulnerabilities has been discovered and corrected in java-1.7.0-openjdk: An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java [More...]

  Mandriva: 2014:010: memcached (Jan 17)
 

Multiple vulnerabilities has been discovered and corrected in memcached: The process_bin_delete function in memcached.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows [More...]

  Mandriva: 2014:009: librsvg (Jan 17)
 

Updated librsvg and gtk+3.0 packages fix security vulnerability: librsvg before version 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference (CVE-2013-1881). [More...]

  Mandriva: 2014:008: openjpeg (Jan 17)
 

Updated openjpeg package fixes security vulnerabilities: Multiple heap-based buffer overflow flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash or, [More...]

  Mandriva: 2014:007: openssl (Jan 17)
 

A vulnerability has been discovered and corrected in openssl: The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle [More...]

  Mandriva: 2014:006: libxslt (Jan 16)
 

A vulnerability has been discovered and corrected in ejabberd: xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type. [More...]

  Mandriva: 2014:005: ejabberd (Jan 16)
 

A vulnerability has been discovered and corrected in ejabberd: The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) weak SSL ciphers, which makes it easier for remote attackers to obtain sensitive information via a brute-force attack (CVE-2013-6169). [More...]

  Mandriva: 2014:004: nagios (Jan 16)
 

Multiple vulnerabilities has been discovered and corrected in nagios: Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from [More...]

  Mandriva: 2014:003: nrpe (Jan 16)
 

A vulnerability has been discovered and corrected in nrpe: Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via $() shell metacharacters, which are [More...]

  Mandriva: 2014:002: bind (Jan 16)
 

A vulnerability has been discovered and corrected in ISC BIND: The query_findclosestnsec3 function in query.c in named in ISC BIND 9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV before 9.6-ESV-R10-P2, allows remote attackers to cause [More...]


  Red Hat: 2014:0091-01: openstack-neutron: Moderate Advisory (Jan 22)
 

Updated openstack-neutron packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. [More...]

  Red Hat: 2014:0090-01: openstack-heat: Moderate Advisory (Jan 22)
 

Updated openstack-heat packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. [More...]

  Red Hat: 2014:0089-01: openstack-keystone: Moderate Advisory (Jan 22)
 

Updated openstack-keystone packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having moderate [More...]

  Red Hat: 2014:0044-01: augeas: Moderate Advisory (Jan 20)
 

Updated augeas packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]

  Red Hat: 2014:0043-01: bind: Moderate Advisory (Jan 20)
 

Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]


  Ubuntu: 2089-1: openjdk-7 vulnerabilities (Jan 23)
 

Several security issues were fixed in OpenJDK 7.

  Ubuntu: 2088-1: NSS vulnerability (Jan 23)
 

NSS could be made to expose sensitive information over the network.

  Ubuntu: 2087-1: NSPR vulnerability (Jan 23)
 

NSPR could be made to crash or run programs if it received a speciallycrafted certificate.

  Ubuntu: 2084-1: devscripts vulnerability (Jan 21)
 

devscripts could be made to run programs if it opened a specially craftedfile.

  Ubuntu: 2085-1: HPLIP vulnerabilities (Jan 21)
 

Several security issues were fixed in HPLIP.

  Ubuntu: 2086-1: MySQL vulnerabilities (Jan 21)
 

Several security issues were fixed in MySQL.

  Ubuntu: 2083-1: Graphviz vulnerabilities (Jan 16)
 

Graphviz could be made to crash or run programs as your login if it openeda specially crafted file.

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
DARPA-derived secure microkernel goes open source tomorrow
Hacker Gary McKinnon turns into a search expert
Hackers seed Amazon cloud with potent denial-of-service bots
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.