<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
  <channel>
    <title>LinuxSecurity.com - Security Advisories</title>
    <link>http://www.linuxsecurity.com/</link>
    <description>The central voice for Linux and Open Source security news.</description>
    <language>en-us</language>
    <generator>update-rss-feeds.pl (1.01)</generator>

  <item>
    <title>Slackware:   php </title>
    <link>http://www.linuxsecurity.com/content/view/141239?rdf</link>
    <pubDate>Wed, 03 Sep 2008 23:39:00 +0000</pubDate>
    <description>&#60;b&#62;LinuxSecurity.com&#60;/b&#62;: New php packages are available for Slackware 10.2 and 11.0 to fix security issues.  These releases are the last to contain PHP 4.4.x, which was upgraded to version 4.4.9 to fix PCRE issues and other bugs. Please note that this is the FINAL release of PHP4, and it has already passed the announced end-of-life.  Sites should seriously consider migrating to PHP5 rather than upgrading to php-4.4.9. </description>
    <guid isPermaLink='true'>http://www.linuxsecurity.com/content/view/141239?rdf</guid>
    <source url='http://www.linuxsecurity.com'>LinuxSecurity.com</source>
  </item>

  <item>
    <title>Ubuntu:  libxml2 vulnerability</title>
    <link>http://www.linuxsecurity.com/content/view/141238?rdf</link>
    <pubDate>Wed, 03 Sep 2008 19:10:00 +0000</pubDate>
    <description>&#60;b&#62;LinuxSecurity.com&#60;/b&#62;: Andreas Solberg discovered that libxml2 did not handle recursive entities safely.  If an application linked against libxml2 were made to process a specially crafted XML document, a remote attacker could exhaust the system's CPU resources, leading to a denial of service. </description>
    <guid isPermaLink='true'>http://www.linuxsecurity.com/content/view/141238?rdf</guid>
    <source url='http://www.linuxsecurity.com'>LinuxSecurity.com</source>
  </item>

  <item>
    <title>Mandriva: Subject: [Security Announce] [ MDVSA-2008:185 ] python-django</title>
    <link>http://www.linuxsecurity.com/content/view/141236?rdf</link>
    <pubDate>Wed, 03 Sep 2008 16:50:00 +0000</pubDate>
    <description>&#60;b&#62;LinuxSecurity.com&#60;/b&#62;: A cross-site request forgery vulnerability was discovered in Django that, if exploited, could be used to perform unrequested deletion or modification of data.  Updated versions of Django will now discard posts from users whose sessions have expired, so data will need to be re-entered in these cases. </description>
    <guid isPermaLink='true'>http://www.linuxsecurity.com/content/view/141236?rdf</guid>
    <source url='http://www.linuxsecurity.com'>LinuxSecurity.com</source>
  </item>

  <item>
    <title>Mandriva: Subject: [Security Announce] [ MDVSA-2008:184 ] libtiff</title>
    <link>http://www.linuxsecurity.com/content/view/141235?rdf</link>
    <pubDate>Wed, 03 Sep 2008 15:16:00 +0000</pubDate>
    <description>&#60;b&#62;LinuxSecurity.com&#60;/b&#62;: Drew Yao of the Apple Product Security Team reported multiple uses of uninitialized values in libtiff's LZW compression algorithm decoder. An attacker could create a carefully crafted LZW-encoded TIFF file that would cause an application linked to libtiff to crash or potentially execute arbitrary code (CVE-2008-2327). The updated packages have been patched to prevent this issue.</description>
    <guid isPermaLink='true'>http://www.linuxsecurity.com/content/view/141235?rdf</guid>
    <source url='http://www.linuxsecurity.com'>LinuxSecurity.com</source>
  </item>

  <item>
    <title>Mandriva: Subject: [Security Announce] [ MDVSA-2008:183 ] opensc</title>
    <link>http://www.linuxsecurity.com/content/view/141232?rdf</link>
    <pubDate>Tue, 02 Sep 2008 17:16:00 +0000</pubDate>
    <description>&#60;b&#62;LinuxSecurity.com&#60;/b&#62;: Chaskiel M Grundman found that OpenSC would initialize smart cards with the Siemens CardOS M4 card operating system without proper access rights.  This allowed anyone to change the card's PIN without first knowing the PIN or PUK, or the superuser's PIN or PUK (CVE-2008-2235). </description>
    <guid isPermaLink='true'>http://www.linuxsecurity.com/content/view/141232?rdf</guid>
    <source url='http://www.linuxsecurity.com'>LinuxSecurity.com</source>
  </item>

  <item>
    <title>Ubuntu:  tiff vulnerability</title>
    <link>http://www.linuxsecurity.com/content/view/141231?rdf</link>
    <pubDate>Tue, 02 Sep 2008 17:07:00 +0000</pubDate>
    <description>&#60;b&#62;LinuxSecurity.com&#60;/b&#62;: Drew Yao discovered that the TIFF library did not correctly validate LZW compressed TIFF images.  If a user or automated system were tricked into processing a malicious image, a remote attacker could execute arbitrary code or cause an application linked against libtiff to crash, leading to a denial of service. </description>
    <guid isPermaLink='true'>http://www.linuxsecurity.com/content/view/141231?rdf</guid>
    <source url='http://www.linuxsecurity.com'>LinuxSecurity.com</source>
  </item>

  </channel>
</rss>
