Linux Advisory Watch: September 3rd, 2010

From: <vuln-newsletter-admins_at_nospam>
Date: Fri Sep 03 2010 - 17:10:08 GMT
To: vuln-newsletter@linuxsecurity.com

+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| September 3rd, 2010                             Volume 11, Number 36 |
|                                                                      |
| Editorial Team: Dave Wreski <dwreski@linuxsecurity.com>              |
|                 Benjamin D. Thomas <bthomas@linuxsecurity.com>       |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.

Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.

http://www.linuxsecurity.com/content/view/153159

Review: Zabbix 1.8 Network Monitoring
-------------------------------------
If you have anything more than a small home network, you need to be
monitoring the status of your systems to ensure they are providing the
services they were designed to provide. Rihards Olups has created a
comprehensive reference and usability guide for the latest version of
Zabbix that anyone being tasked with implementing should have by their
side.

http://www.linuxsecurity.com/content/view/152990

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
   ----------------------------------------------
   Guardian Digital is happy to announce the release of EnGarde Secure
   Community 3.0.22 (Version 3.0, Release 22). This release includes
   many updated packages and bug fixes and some feature enhancements to
   the EnGarde Secure Linux Installer and the SELinux policy.

   http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2102-1: barnowl: unchecked return value (Sep 3)
   -------------------------------------------------------
   It has been discovered that in barnowl, a curses-based
   instant-messaging client, the return codes of calls to the ZPending
   and ZReceiveNotice functions in libzephyr were not checked, allowing
   attackers to cause a denial of service (crash of the application),
   and possibly execute [More...]

   http://www.linuxsecurity.com/content/view/153191

* Debian: 2101-1: wireshark: Multiple vulnerabilities (Aug 31)
   ------------------------------------------------------------
   Several implementation errors in the dissector of the Wireshark
   network traffic analyzer for the ASN.1 BER protocol and in the
   SigComp Universal Decompressor Virtual Machine may lead to the
   execution of arbitrary code. [More...]

   http://www.linuxsecurity.com/content/view/153167

* Debian: 2100-1: openssl: double free (Aug 30)
   ---------------------------------------------
   George Guninski discovered a double free in the ECDH code of the
   OpenSSL crypto library, which may lead to denial of service and
   potentially the execution of arbitrary code. [More...]

   http://www.linuxsecurity.com/content/view/153158

* Debian: : openoffice.org: buffer overflows (Aug 30)
   ---------------------------------------------------
   Charlie Miller has discovered two vulnerabilities in OpenOffice.org
   Impress, which can be exploited by malicious people to compromise a
   user's system and execute arbitrary code. [More...]

   http://www.linuxsecurity.com/content/view/153145

* Debian: 2098-1: typo3-src: Multiple vulnerabilities (Aug 29)
   ------------------------------------------------------------
   Several remote vulnerabilities have been discovered in the TYPO3 web
   content management framework: cross-site Scripting, open redirection,
   SQL injection, broken authentication and session management, insecure
   randomness, information disclosure and arbitrary code [More...]

   http://www.linuxsecurity.com/content/view/153144

* Debian: 2097-1: phpmyadmin: insufficient input sanitisi (Aug 29)
   ----------------------------------------------------------------
   Several remote vulnerabilities have been discovered in phpMyAdmin, a
   tool to administer MySQL over the web. The Common Vulnerabilities and
   Exposures project identifies the following problems: [More...]

   http://www.linuxsecurity.com/content/view/153143

------------------------------------------------------------------------

* Gentoo: 201009-01: wxGTK: User-assisted execution of arbitrary code (Sep 2)
   ---------------------------------------------------------------------------
   An integer overflow vulnerability in wxGTK might enable remote
   attackers to cause the execution of arbitrary code.

   http://www.linuxsecurity.com/content/view/153187

------------------------------------------------------------------------

* Mandriva: 2010:170: wget (Sep 2)
   --------------------------------
   A vulnerability has been found and corrected in wget: GNU Wget 1.12
   and earlier uses a server-provided filename instead of the original
   URL to determine the destination filename of a download, which allows
   remote servers to create or overwrite arbitrary files [More...]

   http://www.linuxsecurity.com/content/view/153188

* Mandriva: 2010:169: mozilla-thunderbird (Sep 2)
   -----------------------------------------------
   Multiple vulnerabilities have been found and corrected in
   mozilla-thunderbird: dom/base/nsJSEnvironment.cpp in Mozilla Firefox
   3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before
   3.0.6 and 3.1.x [More...]

   http://www.linuxsecurity.com/content/view/153179

* Mandriva: 2010:168: openssl (Sep 1)
   -----------------------------------
   A vulnerability has been found and corrected in openssl: Double free
   vulnerability in the ssl3_get_key_exchange function in the OpenSSL
   client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly
   other versions, when using ECDH, allows context-dependent [More...]

   http://www.linuxsecurity.com/content/view/153177

* Mandriva: 2010:167: perl-libwww-perl (Aug 31)
   ---------------------------------------------
   A vulnerability has been found and corrected in perl-libwww-perl:
   lwp-download in libwww-perl before 5.835 does not reject downloads to
   filenames that begin with a . (dot) character, which allows remote
   servers to create or overwrite files via (1) a 3xx redirect to a
   [More...]

   http://www.linuxsecurity.com/content/view/153168

* Mandriva: 2010:166: libgdiplus (Aug 31)
   ---------------------------------------
   A vulnerability has been found and corrected in libgdiplus: Multiple
   integer overflows in libgdiplus 2.6.7, as used in Mono, allow
   attackers to execute arbitrary code via (1) a crafted TIFF file,
   related to the gdip_load_tiff_image function in tiffcodec.c;
   [More...]

   http://www.linuxsecurity.com/content/view/153166

* Mandriva: 2010:165: libHX (Aug 30)
   ----------------------------------
   A vulnerability has been found and corrected in libHX: Heap-based
   buffer overflow in the HX_split function in string.c in libHX before
   3.6 allows remote attackers to execute arbitrary code or cause a
   denial of service (application crash) via a string that [More...]

   http://www.linuxsecurity.com/content/view/153157

* Mandriva: 2010:164: phpmyadmin (Aug 30)
   ---------------------------------------
   A vulnerability has been found and corrected in phpmyadmin: It was
   possible to conduct a XSS attack using crafted URLs or POST
   parameters on several pages (CVE-2010-3056). [More...]

   http://www.linuxsecurity.com/content/view/153148

* Mandriva: 2010:163: phpmyadmin (Aug 30)
   ---------------------------------------
   Multiple vulnerabilities have been found and corrected in phpmyadmin:
   The setup script used to generate configuration can be fooled using a
   crafted POST request to include arbitrary PHP code in the generated
   configuration file. Combined with the ability to save files on the
   [More...]

   http://www.linuxsecurity.com/content/view/153146

* Mandriva: 2010:162: kdegraphics4 (Aug 26)
   -----------------------------------------
   A vulnerability has been found and corrected in okular (kdegraphics):
   A specially crafted PDF or PS file could cause okular to crash or
   execute arbitrary code (CVE-2010-2575). [More...]

   http://www.linuxsecurity.com/content/view/153131

------------------------------------------------------------------------

* Red Hat: 2010:0670-01: kernel: Important Advisory (Sep 2)
   ---------------------------------------------------------
   Updated kernel packages that fix two security issues and three bugs
   are now available for Red Hat Enterprise Linux 5.4 Extended Update
   Support. The Red Hat Security Response Team has rated this update as
   having [More...]

   http://www.linuxsecurity.com/content/view/153186

* Red Hat: 2010:0661-01: kernel: Important Advisory (Aug 30)
   ----------------------------------------------------------
   Updated kernel packages that fix one security issue are now available
   for Red Hat Enterprise Linux 5. The Red Hat Security Response Team
   has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/153156

* Red Hat: 2010:0660-01: kernel: Important Advisory (Aug 30)
   ----------------------------------------------------------
   Updated kernel packages that fix two security issues and multiple
   bugs are now available for Red Hat Enterprise Linux 5.3 Extended
   Update Support. The Red Hat Security Response Team has rated this
   update as having [More...]

   http://www.linuxsecurity.com/content/view/153155

* Red Hat: 2010:0659-01: httpd: Moderate Advisory (Aug 30)
   --------------------------------------------------------
   Updated httpd packages that fix two security issues and multiple bugs
   are now available for Red Hat Enterprise Linux 5. The Red Hat
   Security Response Team has rated this update as having moderate
   [More...]

   http://www.linuxsecurity.com/content/view/153154

* Red Hat: 2010:0657-02: gdm: Low Advisory (Aug 26)
   -------------------------------------------------
   An updated gdm package that fixes one security issue and one bug is
   now available for Red Hat Enterprise Linux 4. The Red Hat Security
   Response Team has rated this update as having low [More...]

   http://www.linuxsecurity.com/content/view/153130

------------------------------------------------------------------------

* Slackware: 2010-240-02: httpd: Security Update (Aug 28)
   -------------------------------------------------------
   New httpd packages are available for Slackware 12.0, 12.1, 12.2,
   13.0, 13.1, and -current to fix a security issue. [More Info...]

   http://www.linuxsecurity.com/content/view/153141

* Slackware: 2010-240-01: gnupg2: Security Update (Aug 28)
   --------------------------------------------------------
   New gnupg2 packages are available for Slackware 12.0, 12.1, 12.2,
   13.0, 13.1, and -current to fix a security issue. [More Info...]

   http://www.linuxsecurity.com/content/view/153142

* Slackware: 2010-240-03: kdegraphics: Security Update (Aug 28)
   -------------------------------------------------------------
   New kdegraphics packages are available for Slackware 13.1 to fix a
   security issue in the okular document viewer. [More Info...]

   http://www.linuxsecurity.com/content/view/153137

* Slackware: 2010-240-04: php: Security Update (Aug 28)
   -----------------------------------------------------
   New php packages are available for Slackware 11.0 (extra), 12.0,
   12.1, 12.2, 13.0, 13.1, and -current to fix security issues. [More
   Info...]

   http://www.linuxsecurity.com/content/view/153138

* Slackware: 2010-240-06: xorg-server: Security Update (Aug 28)
   -------------------------------------------------------------
   New xorg-server packages are available for Slackware 12.0, 12.1,
   12.2, 13.0, 13.1, and -current to fix a security issue. [More
   Info...]

   http://www.linuxsecurity.com/content/view/153139

* Slackware: 2010-240-05: pidgin: Security Update (Aug 28)
   --------------------------------------------------------
   New pidgin packages are available for Slackware 12.0, 12.1, 12.2,
   13.0, 13.1, and -current to fix security issues. [More Info...]

   http://www.linuxsecurity.com/content/view/153140

------------------------------------------------------------------------

* SuSE: 2010-038: kernel (Sep 3)
   ------------------------------
   This SUSE Linux Enterprise 10 SP3 kernel update contains several bug
   fixes and fixes for the following security issues: CVE-2010-2240:
   the stack of a process could grow into other mapped areas, therefore
   overwriting memory instead of terminating the [More...]

   http://www.linuxsecurity.com/content/view/153192

* SuSE: 2010-036: kernel (Sep 1)
   ------------------------------
   This update fixes various security issues and some bugs in the SUSE
   Linux Enterprise 9 kernel. The following security issues were fixed:
   CVE-2010-2521: A crafted NFS write request might have caused a buffer
   overwrite, [More...]

   http://www.linuxsecurity.com/content/view/153170

* SuSE: Weekly Summary 2010:016 (Aug 26)
   --------------------------------------
   To avoid flooding mailing lists with SUSE Security Announcements for
   minor issues, SUSE Security releases weekly summary reports for the
   low profile vulnerability fixes. The SUSE Security Summary Reports do
   not list or download URLs like the SUSE Security Announcements that
   are released for more severe vulnerabilities. The list of
   vulnerabilities in this summary includes:
   yast2-webclient-patch_updates, perl, openldap2, opera,
   freetype2/libfreetype6, java-1_6_0-openjdk.

   http://www.linuxsecurity.com/content/view/153124

------------------------------------------------------------------------

* Ubuntu: 982-1: Wget vulnerability (Sep 2)
   -----------------------------------------
   It was discovered that Wget would use filenames provided by the
   server when following 3xx redirects. If a user or automated system
   were tricked into downloading a file from a malicious site, a remote
   attacker could create the file with an arbitrary name (e.g. .wgetrc),
   and possibly run arbitrary code. [More...]

   http://www.linuxsecurity.com/content/view/153178

* Ubuntu: 981-1: libwww-perl vulnerability (Aug 31)
   -------------------------------------------------
   It was discovered that libwww-perl incorrectly filtered filenames
   suggested by Content-Disposition headers. If a user were tricked into
   downloading a file from a malicious site, a remote attacker could
   overwrite hidden files in the user's directory. [More...]

   http://www.linuxsecurity.com/content/view/153160

* Ubuntu: 979-1: okular vulnerability (Aug 26)
   --------------------------------------------
   Stefan Cornelius of Secunia Research discovered a boundary error
   during RLE decompression in the "TranscribePalmImageToJPEG()" function
   in generators/plucker/inplug/image.cpp of okular when processing
   images embedded in PDB files, which can be exploited to cause a
   heap-based buffer overflow. (CVE-2010-2575) [More...]

   http://www.linuxsecurity.com/content/view/153132

------------------------------------------------------------------------

* Pardus: 2010-119: OpenSSL: Use-after-free (Sep 3)
   -------------------------------------------------
   A vulnerability has been fixed in OpenSSL, which can be exploited by
   malicious people to cause a DoS (Denial of Service) and potentially
   compromise an application using the library.

   http://www.linuxsecurity.com/content/view/153189

* Pardus: 2010-120: Flashplugin: Multiple (Sep 3)
   -----------------------------------------------
   Multiple vulnerabilities have been fixed in flashplugin.

   http://www.linuxsecurity.com/content/view/153190

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------