Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Password guessing with Medusa 2.0 - Medusa was created by the fine folks at foofus.net; the much-awaited Medusa 2.0 update was released in February 2010. For a complete change log please visit

Password guessing as an attack vector - Using password guessing as an attack vector. Over the years we've been taught that a strong password must be long and complex to be considered secure. Some of us have taken that notion to heart and always ensure our passwords are strong. But some don't give a second thought to the complexity or length of their passwords.


(Jul 2)

Qualys Vulnerability & Malware Research Labs discovered a vulnerability in ModSecurity, a security module for the Apache webserver. In situations where both 'Content-Disposition: attachment' and 'Content-Type: multipart' were present in HTTP headers, the vulnerability could allow an attacker to bypass [More...]

(Jun 28)

It was discovered that the Spring Framework contains an information disclosure vulnerability in the processing of certain Expression Language (EL) patterns, allowing attackers to access sensitive information using HTTP requests. [More...]

(Jun 28)

It was discovered that malicious clients can trick the server component of the Bcfg2 configuration management system to execute commands with root privileges. [More...]


Mandriva: 2012:096-1: python (Jul 2)

Multiple vulnerabilities have been discovered and corrected in python: The _ssl module would always disable the CBC IV attack countermeasure (CVE-2011-3389). [More...]


Red Hat: 2012:1054-01: libtiff: Important Advisory (Jul 3)

Updated libtiff packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having [More...]


Ubuntu: 1496-1: OpenOffice.org vulnerabilities (Jul 2)

OpenOffice.org could be made to crash or potentially run programs as your login if it opened a specially crafted file.

Ubuntu: 1495-1: LibreOffice vulnerabilities (Jul 2)

LibreOffice could be made to crash or potentially run programs as your login if it opened a specially crafted file.

Ubuntu: 1494-1: Linux kernel (OMAP4) vulnerability (Jul 2)

The system could be made to crash if it received specially crafted network traffic.

Ubuntu: 1485-1: AccountsService vulnerability (Jun 28)

AccountsService could be made to read arbitrary files as the administrator.

Ubuntu: 1484-1: PyCrypto vulnerability (Jun 28)

PyCrypto improperly created ElGamal encryption keys.