Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Password guessing with Medusa 2.0 - Medusa was created by the fine folks at foofus.net; the much-awaited Medusa 2.0 update was released in February of 2010. For a complete change log please visit

Password guessing as an attack vector - Over the years we've been taught that a strong password must be long and complex to be considered secure. Some of us have taken that notion to heart and always ensure our passwords are strong, but some don't give a second thought to the complexity or length of their password.
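As an added example, not part of the newsletter, of Medusa, or of either feature article: the kind of check a defender would run against the attack vector described above. It is a small sshd log detector that counts failed password logins per source address in a sliding window, raises an alert when a burst crosses a threshold, and raises a second, more serious alert when a password login then succeeds from the same address inside that window (the pattern a guessing tool leaves behind when it finds a weak password). The sample log lines, the one-minute window, the threshold of five, and the 2012 year used to complete the syslog timestamps are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not real log data): one address sprays
# several accounts and then logs in with a password; another address is a
# normal user with one typo and a key-based login.
SAMPLE_LOG = """\
Mar 12 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 50012 ssh2
Mar 12 10:00:02 host sshd[2002]: Failed password for root from 203.0.113.7 port 50013 ssh2
Mar 12 10:00:03 host sshd[2003]: Failed password for invalid user oracle from 203.0.113.7 port 50014 ssh2
Mar 12 10:00:04 host sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 50015 ssh2
Mar 12 10:00:05 host sshd[2005]: Failed password for root from 203.0.113.7 port 50016 ssh2
Mar 12 10:00:06 host sshd[2006]: Accepted password for root from 203.0.113.7 port 50017 ssh2
Mar 12 10:00:30 host sshd[2007]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 12 10:05:31 host sshd[2008]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Mar 12 10:20:00 host sshd[2009]: Failed password for bob from 198.51.100.4 port 40003 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" line shape.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year):
    """Return a dict for an auth event, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies one (an assumption).
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "ip": m.group("ip")}


def _trim(window_events, now, window):
    """Drop events that have fallen out of the sliding window."""
    while window_events and now - window_events[0][0] > window:
        window_events.popleft()


def detect_password_guessing(log_text, threshold=5, window=timedelta(minutes=1), year=2012):
    """Scan sshd log text and return a list of alert dicts in the order they fire."""
    failures = defaultdict(deque)   # ip -> deque of (timestamp, username) for recent failures
    alerted = set()                 # ips already reported as guessing, to avoid repeats
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        _trim(recent, ev["ts"], window)
        if ev["result"] == "Failed" and ev["method"] == "password":
            recent.append((ev["ts"], ev["user"]))
            if len(recent) >= threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])
                alerts.append({
                    "type": "guessing", "ip": ev["ip"], "failures": len(recent),
                    "distinct_users": len({u for _, u in recent}),
                    "at": ev["ts"].isoformat(),
                })
        elif ev["result"] == "Accepted" and ev["method"] == "password" and len(recent) >= threshold:
            # A password success right after a burst of failures is the signature of a
            # guessing tool that found a weak credential; this deserves its own alert.
            alerts.append({"type": "likely_compromise", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```

Run it against a real `/var/log/auth.log` by passing the file contents; the thresholds are deliberately low so the constructed sample trips them, and a production rule would also key on usernames and on the volume of distinct accounts tried, since tools like Medusa spray many accounts from one address rather than hammering a single one.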


(Mar 15)

Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian. [More...]

(Mar 12)

Dominic Hargreaves and Niko Tyni discovered two format string vulnerabilities in YAML::LibYAML, a Perl interface to the libyaml library. [More...]

(Mar 11)

Niko Tyni discovered two format string vulnerabilities in DBD::Pg, a Perl DBI driver for the PostgreSQL database server, which can be exploited by a rogue database server. [More...]

(Mar 10)

Markus Vervier discovered a double free in the Python interface to the PAM library, which could lead to denial of service. For the stable distribution (squeeze), this problem has been fixed in [More...]

(Mar 8)

Mateusz Jurczyk from the Google Security Team discovered several vulnerabilities in FreeType's parsing of BDF, Type1 and TrueType fonts, which could result in the execution of arbitrary code if a malformed font file is processed. [More...]


Mandriva: 2012:030: systemd (Mar 16)

A vulnerability has been found and corrected in systemd: A TOCTOU race condition was found in the way systemd-logind, the login manager of systemd (a system and service manager for Linux), performed removal of particular records related to a user session upon [More...]

Mandriva: 2012:029: pidgin (Mar 16)

Multiple vulnerabilities have been discovered and corrected in pidgin: The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin before 2.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by changing a nickname [More...]


Red Hat: 2012:0393-01: glibc: Moderate Advisory (Mar 15)

Updated glibc packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]

Red Hat: 2012:0388-01: thunderbird: Critical Advisory (Mar 14)

An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical [More...]

Red Hat: 2012:0387-01: firefox: Critical Advisory (Mar 14)

Updated firefox packages that fix multiple security issues and three bugs are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical [More...]

Red Hat: 2012:0376-01: systemtap: Moderate Advisory (Mar 8)

Updated systemtap packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate [More...]


Ubuntu: 1398-1: LTSP Display Manager vulnerability (Mar 12)

LTSP Display Manager could be made to run programs as an administrator.

Ubuntu: 1397-1: MySQL vulnerabilities (Mar 12)

Several security issues were fixed in MySQL.