[ISN] Linux Advisory Watch - March 27th 2009

From: InfoSec News <alerts_at_private>
Date: Mon, 30 Mar 2009 02:19:44 -0600 (CST)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| March 27th, 2009                                Volume 10, Number 13 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for systemtap, lcms, webcit,
xulrunner, libpng, libsoup, glib, ghostscript, java, argyllcms,
phpmyadmin, compiz-fusion, openjdk, postgresql, drupal, squid,
muttprint, ffmpeg, pam, evolution, drakconf, dhcp, and thunderbird.
The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat,
Ubuntu, and Pardus.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
Ask someone "How much do you know about Google?" and they will answer
without a second's thought. Ask "How much does Google know about you?"
and the reply is more likely to be "Wait... what? Do they?" The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business, and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------
Nagios is monitoring software designed to tell you quickly about
problems on your hosts and networks, and it can be configured for use
on any network. Installing a Nagios server on any Linux distribution is
quick; making that installation secure takes some work. This article
does not cover installing Nagios, since plenty of guides already do,
but it shows in detail how to improve the security of your Nagios
setup.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New systemtap packages fix local privilege escalation (Mar 25)
  ----------------------------------------------------------------------
  Erik Sjoelund discovered that a race condition in the stap tool
  shipped by Systemtap, an instrumentation system for Linux 2.6, allows
  local privilege escalation for members of the stapusr group.

  http://www.linuxsecurity.com/content/view/148378

* Debian: New lcms packages fix regression (Mar 25)
  -------------------------------------------------
  Several security issues have been discovered in lcms, a color
  management library.

  http://www.linuxsecurity.com/content/view/148363

* Debian: New webcit packages fix potential remote code execution (Mar 23)
  ------------------------------------------------------------------------
  Wilfried Goesgens discovered that WebCit, the web-based user
  interface for the Citadel groupware system, contains a format string
  vulnerability in the mini_calendar component, possibly allowing
  arbitrary code execution (CVE-2009-0364).

  http://www.linuxsecurity.com/content/view/148344

* Debian: New xulrunner packages fix several vulnerabilities (Mar 22)
  -------------------------------------------------------------------
  Several remote vulnerabilities have been discovered in Xulrunner, a
  runtime environment for XUL applications, such as the Iceweasel web
  browser.

  http://www.linuxsecurity.com/content/view/148336

* Debian: New libpng packages fix several vulnerabilities (Mar 22)
  ----------------------------------------------------------------
  Several vulnerabilities have been discovered in libpng, a library for
  reading and writing PNG files.

  http://www.linuxsecurity.com/content/view/148335

* Debian: New Linux 2.6.26 packages fix several vulnerabilities (Mar 20)
  ----------------------------------------------------------------------
  Several vulnerabilities have been discovered in the Linux kernel that
  may lead to a denial of service or privilege escalation.

  http://www.linuxsecurity.com/content/view/148326

* Debian: New libsoup packages fix arbitrary code execution (Mar 20)
  ------------------------------------------------------------------
  It was discovered that libsoup, an HTTP library implementation in C,
  handles large strings insecurely via its Base64 encoding functions.
  This could possibly lead to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/148320

* Debian: New glib2.0 packages fix arbitrary code execution (Mar 20)
  ------------------------------------------------------------------
  Diego Pettenò discovered that glib2.0, the GLib library of C routines,
  handles large strings insecurely via its Base64 encoding functions.
  This could possibly lead to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/148319

* Debian: New ghostscript packages fix arbitrary code execution (Mar 20)
  ----------------------------------------------------------------------
  Two security issues have been discovered in ghostscript, the GPL
  Ghostscript PostScript/PDF interpreter.

  http://www.linuxsecurity.com/content/view/148317

* Debian: New lcms packages fix arbitrary code execution (Mar 20)
  ---------------------------------------------------------------
  Several security issues have been discovered in lcms, a color
  management library.

  http://www.linuxsecurity.com/content/view/148316

------------------------------------------------------------------------

* Fedora 9 Update: java-1.6.0-openjdk-1.6.0.0-0.23.b09.fc9 (Mar 25)
  -----------------------------------------------------------------
  The lcms bundled in OpenJDK is upgraded to 1.18, fixing many related
  security issues.

  http://www.linuxsecurity.com/content/view/148377

* Fedora 9 Update: argyllcms-1.0.3-3.fc9 (Mar 25)
  -----------------------------------------------
  Multiple integer overflows were found in the International Color
  Consortium Format Library (icclib). An attacker could use this flaw
  to potentially execute arbitrary code by requesting to translate a
  specially-crafted image file created on one device into another
  device's native color space via a device file.

  http://www.linuxsecurity.com/content/view/148376

* Fedora 10 Update: argyllcms-1.0.3-3.fc10 (Mar 25)
  -------------------------------------------------
  Multiple integer overflows were found in the International Color
  Consortium Format Library (icclib). An attacker could use this flaw
  to potentially execute arbitrary code by requesting to translate a
  specially-crafted image file created on one device into another
  device's native color space via a device file.

  http://www.linuxsecurity.com/content/view/148375

* Fedora 10 Update: phpMyAdmin-3.1.3.1-1.fc10 (Mar 25)
  ----------------------------------------------------
  Improvements for 3.1.3.1:
  - [security] HTTP Response Splitting and file inclusion vulnerabilities
  - [security] XSS vulnerability on export page
  - [security] Insufficient output sanitizing when generating
    configuration file

  http://www.linuxsecurity.com/content/view/148374

* Fedora 9 Update: compiz-fusion-0.7.6-6.fc9 (Mar 25)
  ---------------------------------------------------
  This update fixes a security issue in the expo plugin which allows
  local users with physical access to drag the screen saver aside and
  access the locked desktop by using Expo mouse shortcuts.

  http://www.linuxsecurity.com/content/view/148373

* Fedora 9 Update: phpMyAdmin-3.1.3.1-1.fc9 (Mar 25)
  --------------------------------------------------
  Improvements for 3.1.3.1:
  - [security] HTTP Response Splitting and file inclusion vulnerabilities
  - [security] XSS vulnerability on export page
  - [security] Insufficient output sanitizing when generating
    configuration file

  http://www.linuxsecurity.com/content/view/148371

* Fedora 10 Update: compiz-fusion-0.7.8-4.fc10 (Mar 25)
  -----------------------------------------------------
  This update fixes a security issue in the expo plugin which allows
  local users with physical access to drag the screen saver aside and
  access the locked desktop by using Expo mouse shortcuts.

  http://www.linuxsecurity.com/content/view/148372

* Fedora 10 Update: java-1.6.0-openjdk-1.6.0.0-11.b14.fc10 (Mar 24)
  -----------------------------------------------------------------
  Fixes an important security bug in the bundled lcms that gives
  unwarranted access to malicious users.

  http://www.linuxsecurity.com/content/view/148352

* Fedora 9 Update: java-1.6.0-openjdk-1.6.0.0-0.21.b09.fc9 (Mar 24)
  -----------------------------------------------------------------
  Fixes an important security bug in the bundled lcms that gives
  unwarranted access to malicious users.

  http://www.linuxsecurity.com/content/view/148353

* Fedora 10 Update: lcms-1.18-0.1.beta2.fc10 (Mar 23)
  ---------------------------------------------------
  Some patches that were collected in the Fedora package have just been
  submitted upstream. Chances are high that this update will be
  superseded by a beta3 or a stable release from upstream.

  http://www.linuxsecurity.com/content/view/148343

* Fedora 10 Update: postgresql-8.3.7-1.fc10 (Mar 23)
  --------------------------------------------------
  Update to PostgreSQL 8.3.7, for various fixes described at
  http://www.postgresql.org/docs/8.3/static/release-8-3-7.html

  http://www.linuxsecurity.com/content/view/148342

* Fedora 9 Update: postgresql-8.3.7-1.fc9 (Mar 23)
  ------------------------------------------------
  Update to PostgreSQL 8.3.7, for various fixes described at
  http://www.postgresql.org/docs/8.3/static/release-8-3-7.html

  http://www.linuxsecurity.com/content/view/148340

* Fedora 9 Update: lcms-1.18-0.1.beta2.fc9 (Mar 23)
  -------------------------------------------------
  Some patches that were collected in the Fedora package have just been
  submitted upstream. Chances are high that this update will be
  superseded by a beta3 or a stable release from upstream.

  http://www.linuxsecurity.com/content/view/148339

* Fedora 10 Update: ghostscript-8.63-5.fc10 (Mar 20)
  --------------------------------------------------
  Security update for integer overflows (CVE-2009-0583) and upper
  bounds checks (CVE-2009-0584) in the ICC profile handling.

  http://www.linuxsecurity.com/content/view/148331

* Fedora 9 Update: thunderbird-2.0.0.21-1.fc9 (Mar 20)
  ----------------------------------------------------
  Several flaws were found in the processing of malformed HTML mail
  content. An HTML mail message containing malicious content could
  cause Thunderbird to crash or, potentially, execute arbitrary code as
  the user running Thunderbird. (CVE-2009-0040, CVE-2009-0352,
  CVE-2009-0353, CVE-2009-0772, CVE-2009-0774, CVE-2009-0775)
  Several flaws were found in the way malformed content was processed.
  An HTML mail message containing specially-crafted content could
  potentially trick a Thunderbird user into surrendering sensitive
  information. (CVE-2009-0355, CVE-2009-0776) Note: JavaScript
  support is disabled by default in Thunderbird. None of the above
  issues are exploitable unless JavaScript is enabled.

  http://www.linuxsecurity.com/content/view/148330

* Fedora 10 Update: thunderbird-2.0.0.21-1.fc10 (Mar 20)
  ------------------------------------------------------
  Several flaws were found in the processing of malformed HTML mail
  content. An HTML mail message containing malicious content could
  cause Thunderbird to crash or, potentially, execute arbitrary code as
  the user running Thunderbird. (CVE-2009-0040, CVE-2009-0352,
  CVE-2009-0353, CVE-2009-0772, CVE-2009-0774, CVE-2009-0775)
  Several flaws were found in the way malformed content was processed.
  An HTML mail message containing specially-crafted content could
  potentially trick a Thunderbird user into surrendering sensitive
  information. (CVE-2009-0355, CVE-2009-0776) Note: JavaScript
  support is disabled by default in Thunderbird. None of the above
  issues are exploitable unless JavaScript is enabled.

  http://www.linuxsecurity.com/content/view/148328

* Fedora 9 Update: ghostscript-8.63-2.fc9 (Mar 20)
  ------------------------------------------------
  Security update for integer overflows (CVE-2009-0583) and upper
  bounds checks (CVE-2009-0584) in the ICC profile handling.

  http://www.linuxsecurity.com/content/view/148329

* Fedora 10 Update: drupal-cck-6.x.2.2-1.fc10 (Mar 20)
  ----------------------------------------------------
  Fixes DRUPAL-SA-CONTRIB-2009-013 - XSS issue.

  http://www.linuxsecurity.com/content/view/148322

* Fedora 9 Update: drupal-cck-6.x.2.2-1.fc9 (Mar 20)
  --------------------------------------------------
  Fixes DRUPAL-SA-CONTRIB-2009-013 - XSS issue.

  http://www.linuxsecurity.com/content/view/148323

------------------------------------------------------------------------

* Gentoo: Squid Multiple Denial of Service vulnerabilities (Mar 24)
  -----------------------------------------------------------------
  Multiple vulnerabilities have been found in Squid which allow for
  remote Denial of Service attacks.

  http://www.linuxsecurity.com/content/view/148357

* Gentoo: Ghostscript User-assisted execution of arbitrary code (Mar 23)
  ----------------------------------------------------------------------
  Multiple integer overflows in the Ghostscript ICC library might allow
  for user-assisted execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/148351

* Gentoo: MLDonkey Information disclosure (Mar 23)
  ------------------------------------------------
  A vulnerability in the MLDonkey web interface allows remote attackers
  to disclose arbitrary files.

  http://www.linuxsecurity.com/content/view/148350

* Gentoo: Muttprint Insecure temporary file usage (Mar 23)
  --------------------------------------------------------
  An insecure temporary file usage in Muttprint allows for symlink
  attacks.

  http://www.linuxsecurity.com/content/view/148349

* Gentoo: Amarok User-assisted execution of arbitrary code (Mar 20)
  -----------------------------------------------------------------
  Multiple vulnerabilities in Amarok might allow for user-assisted
  execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/148325

* Gentoo: FFmpeg Multiple vulnerabilities (Mar 19)
  ------------------------------------------------
  Multiple vulnerabilities in FFmpeg may lead to the remote execution
  of arbitrary code or a Denial of Service.

  http://www.linuxsecurity.com/content/view/148315

------------------------------------------------------------------------

* Mandriva: [ MDVSA-2009:079 ] postgresql (Mar 23)
  ------------------------------------------------
  PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows
  remote authenticated users to cause a denial of service (stack
  consumption and crash) by triggering a failure in the conversion of a
  localized error message to a client-specified encoding, as
  demonstrated using mismatched encoding conversion requests
  (CVE-2009-0922). This update provides a fix for this vulnerability.

  http://www.linuxsecurity.com/content/view/148348

* Mandriva: [ MDVSA-2009:078 ] evolution-data-server (Mar 23)
  -----------------------------------------------------------
  Incorrect handling of signed Secure/Multipurpose Internet Mail
  Extensions (S/MIME) e-mail messages enables attackers to spoof
  signatures by modifying the latter copy of a message (CVE-2009-0547).
  Crafted authentication challenge packets (NT LAN Manager type 2) sent
  by a malicious remote mail server enable remote attackers either to
  cause a denial of service or to read information from the process
  memory of the client (CVE-2009-0582). Multiple integer overflows in
  the Base64 encoding functions enable attackers either to cause a
  denial of service or to execute arbitrary code (CVE-2009-0587). This
  update provides fixes for these vulnerabilities.

  http://www.linuxsecurity.com/content/view/148347
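The libsoup, glib2.0 and evolution-data-server entries above describe the same flaw class: integer overflows in the size arithmetic of Base64 encoding functions when handed very large input. The following is an added example written for this newsletter, not code from glib, libsoup, Evolution or any of the advisories. It shows a constructed encoder whose output-buffer size formula wraps for huge lengths, the checked formula that refuses such lengths before any allocation, and an encoder that uses the checked size. The formula `(len / 3 + 1) * 4 + 1` and the sample inputs are assumptions of this example, not taken from any of the affected projects.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustrative example, not the glib, libsoup or evolution-data-server
 * code. Every Base64 encoder first computes how large its output buffer must
 * be from the input length; if that arithmetic wraps, the caller allocates a
 * buffer far too small and the encoder then writes past it. */

/* Unchecked size formula (assumed for this example): (len / 3 + 1) * 4 + 1.
 * For len near SIZE_MAX the multiplication wraps around and the result is
 * smaller than len itself. */
size_t b64_out_size_unchecked(size_t len)
{
    return (len / 3 + 1) * 4 + 1;
}

/* Checked version: the formula fits in size_t only while
 * len / 3 + 1 <= (SIZE_MAX - 1) / 4. Anything larger is refused by returning
 * 0, which is never a valid size here (a valid result is at least 5). */
size_t b64_out_size_checked(size_t len)
{
    if (len / 3 + 1 > (SIZE_MAX - 1) / 4)
        return 0;
    return (len / 3 + 1) * 4 + 1;
}

static const char b64_alphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encodes in[0..len) into out, which must hold at least
 * b64_out_size_checked(len) bytes. Returns the number of characters written
 * (without the NUL), or 0 when the length is refused or out is too small
 * (an empty input also yields 0, with out set to the empty string). */
size_t b64_encode(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    size_t need = b64_out_size_checked(len);
    size_t i = 0, o = 0;

    if (need == 0 || outsz < need)
        return 0;

    for (; i + 2 < len; i += 3) {                 /* full 3-byte groups */
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8)
                   | in[i + 2];
        out[o++] = b64_alphabet[(v >> 18) & 63];
        out[o++] = b64_alphabet[(v >> 12) & 63];
        out[o++] = b64_alphabet[(v >> 6) & 63];
        out[o++] = b64_alphabet[v & 63];
    }
    if (i < len) {                                /* 1 or 2 trailing bytes */
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < len)
            v |= (uint32_t)in[i + 1] << 8;
        out[o++] = b64_alphabet[(v >> 18) & 63];
        out[o++] = b64_alphabet[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? b64_alphabet[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample input. */
    const unsigned char msg[] = "Man";
    char out[16];
    size_t n = b64_encode(msg, 3, out, sizeof out);

    printf("encoded %zu chars: %s\n", n, out);
    printf("size formula for SIZE_MAX: unchecked=%zu (wrapped), "
           "checked=%zu (refused)\n",
           b64_out_size_unchecked(SIZE_MAX), b64_out_size_checked(SIZE_MAX));
    return 0;
}
```

The check belongs before the allocation, not inside the encoding loop: once a wrapped size has reached malloc, the loop's bounds are already wrong and no per-byte test can recover. The same reasoning applies to any length-derived buffer size (decoders, hex and quoted-printable conversion, image row strides).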

* Mandriva: [ MDVSA-2009:077 ] pam (Mar 21)
  -----------------------------------------
  A security vulnerability has been identified and fixed in pam:
  Integer signedness error in the _pam_StrTok function in
  libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a
  configuration file contains non-ASCII usernames, might allow remote
  attackers to cause a denial of service, and might allow remote
  authenticated users to obtain login access with a different user's
  non-ASCII username, via a login attempt (CVE-2009-0887). The updated
  packages have been patched to prevent this. Additionally some
  development packages were missing that are required to build pam for
  CS4, these are also provided with this update.

  http://www.linuxsecurity.com/content/view/148334
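The PAM issue above is a signedness error in a byte-indexed lookup table, a pattern worth recognising in any C tokenizer: a 256-entry table indexed with a plain char goes out of bounds for every byte of a non-ASCII name wherever char is signed. The following is an added example written for this newsletter, not Linux-PAM's _pam_StrTok: a constructed strtok-style tokenizer showing the index the buggy pattern computes beside the corrected unsigned-char conversion, with a hardened tokenizer built on the latter. The config line and the username are constructed sample input.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

/* Added illustrative example, not Linux-PAM's _pam_StrTok. A strtok-style
 * tokenizer that marks delimiters in a 256-entry table and then indexes that
 * table with every input byte. Whether the index is taken through char or
 * unsigned char decides whether non-ASCII bytes stay inside the table. */

/* Index the way the buggy pattern does: through plain char. Where char is
 * signed (x86/x86-64 ABIs), bytes 0x80..0xFF become -128..-1 and the lookup
 * reads before the start of the table. This helper only reports the index
 * that would be used; it never dereferences it. */
int delim_index_buggy(char c)
{
    return (int)c;
}

/* Fixed pattern: convert through unsigned char first, so the index is
 * 0..255 on every ABI. */
int delim_index_fixed(char c)
{
    return (int)(unsigned char)c;
}

/* Hardened tokenizer. Copies the first token of `from` into `out` (at most
 * outsz-1 bytes, always NUL-terminated) and returns a pointer to the text
 * after it, or NULL when only delimiters remain or outsz is 0. */
const char *next_token(const char *from, const char *delims,
                       char *out, size_t outsz)
{
    unsigned char table[256] = {0};
    const unsigned char *d;
    size_t n = 0;

    if (outsz == 0)
        return NULL;
    for (d = (const unsigned char *)delims; *d; d++)
        table[*d] = 1;

    while (*from && table[delim_index_fixed(*from)])    /* skip delimiters */
        from++;
    if (!*from)
        return NULL;
    while (*from && !table[delim_index_fixed(*from)]) { /* copy the token */
        if (n + 1 < outsz)
            out[n++] = *from;
        from++;
    }
    out[n] = '\0';
    return from;
}

/* Number of tokens in `line`; exercises the tokenizer end to end. */
int count_tokens(const char *line, const char *delims)
{
    char tok[128];
    int count = 0;
    while ((line = next_token(line, delims, tok, sizeof tok)) != NULL)
        count++;
    return count;
}

int main(void)
{
    /* Constructed sample: a PAM-style config line carrying a UTF-8 username
     * ("r\xc3\xa9mi" is "rémi"; the bytes 0xC3 and 0xA9 are both >= 0x80). */
    const char line[] = "auth required pam_listfile.so user=r\xc3\xa9mi";
    char tok[128];
    const char *rest = line;

    while ((rest = next_token(rest, " \t", tok, sizeof tok)) != NULL)
        printf("token: %s\n", tok);

    printf("byte 0xC3 indexed as char: %d, as unsigned char: %d "
           "(CHAR_MIN is %d)\n",
           delim_index_buggy((char)0xC3), delim_index_fixed((char)0xC3),
           CHAR_MIN);
    return 0;
}
```

On a platform where char is unsigned (for example most ARM ABIs) the buggy index is in range and the bug never shows, which is why this class of defect survives testing on one architecture and surfaces on another; the unsigned char conversion removes the dependency on the ABI.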

* Mandriva: [ MDVA-2009:047 ] drakconf (Mar 21)
  ---------------------------------------------
  This update prevents drakconf from crashing if the tool currently
  embedded within it segfaults, which happened in some rare cases (bug
  #48080).

  http://www.linuxsecurity.com/content/view/148333

* Mandriva: [ MDVA-2009:046 ] pidgin (Mar 21)
  -------------------------------------------
  Protocol changes on the ICQ servers made pidgin incompatible. This
  update upgrades pidgin to version 2.5.5 which will take care of this
  problem.

  http://www.linuxsecurity.com/content/view/148332

* Mandriva: [ MDVA-2009:045 ] dhcp (Mar 20)
  -----------------------------------------
  dhclient-script, in the dhcp-client package as released with Mandriva
  Linux 2009, would bring the network interface down in some
  circumstances as part of its normal operation. Coupled with a bug in
  the kernel wireless stack, doing this on a wireless interface could
  cause the wireless association to be lost and never automatically
  re-established. This update changes dhcp-client to use a different
  method instead of bringing the interface down, working around the
  wireless stack bug and fixing many cases of the lost-association
  problem.

  http://www.linuxsecurity.com/content/view/148327

* Mandriva: [ MDVSA-2009:060-1 ] nfs-utils (Mar 19)
  -------------------------------------------------
  A security vulnerability has been identified and fixed in nfs-utils,
  which caused TCP Wrappers to ignore netgroups and allows remote
  attackers to bypass intended access restrictions (CVE-2008-4552). The
  updated packages have been patched to prevent this.

  http://www.linuxsecurity.com/content/view/148314

------------------------------------------------------------------------

* RedHat: Critical: java-1.6.0-ibm security update (Mar 25)
  ---------------------------------------------------------
  Updated java-1.6.0-ibm packages that fix several security issues are
  now available for Red Hat Enterprise Linux 4 Extras and Red Hat
  Enterprise Linux 5 Supplementary. This update has been rated as
  having critical security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148370

* RedHat: Moderate: NetworkManager security update (Mar 25)
  ---------------------------------------------------------
  Updated NetworkManager packages that fix a security issue are now
  available for Red Hat Enterprise Linux 4. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148366

* RedHat: Moderate: NetworkManager security update (Mar 25)
  ---------------------------------------------------------
  Updated NetworkManager packages that fix two security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148367

* RedHat: Critical: acroread security update (Mar 25)
  ---------------------------------------------------
  Updated acroread packages that fix multiple security issues are now
  available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise
  Linux 4 Extras, and Red Hat Enterprise Linux 5 Supplementary. This
  update has been rated as having critical security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/148368

* RedHat: Moderate: thunderbird security update (Mar 24)
  ------------------------------------------------------
  An updated thunderbird package that fixes several security issues is
  now available for Red Hat Enterprise Linux 4 and 5. This update has
  been rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/148354

* RedHat: Moderate: glib2 security update (Mar 24)
  ------------------------------------------------
  Updated glib2 packages that fix several security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148355

* RedHat: Moderate: libvirt security update (Mar 19)
  --------------------------------------------------
  Updated libvirt packages that fix two security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148312

* RedHat: Moderate: curl security update (Mar 19)
  -----------------------------------------------
  Updated curl packages that fix a security issue are now available for
  Red Hat Enterprise Linux 2.1, 3, 4, and 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148310

* RedHat: Moderate: ghostscript security update (Mar 19)
  ------------------------------------------------------
  Updated ghostscript packages that fix multiple security issues are
  now available for Red Hat Enterprise Linux 3, 4, and 5. This update
  has been rated as having moderate security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/148311

* RedHat: Moderate: lcms security update (Mar 19)
  -----------------------------------------------
  Updated lcms packages that resolve several security issues are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/148309

------------------------------------------------------------------------

* Slackware: seamonkey (Mar 24)
  -----------------------------
  New seamonkey packages are available for Slackware 11.0, 12.0, 12.1,
  12.2, and -current to fix security issues.

  http://www.linuxsecurity.com/content/view/148358

* Slackware: mozilla-thunderbird (Mar 24)
  --------------------------------------
  New mozilla-thunderbird packages are available for Slackware 10.2,
  11.0, 12.0, 12.1, 12.2, and -current to fix security issues.

  http://www.linuxsecurity.com/content/view/148359

* Slackware: lcms (Mar 24)
  ------------------------
  New lcms packages are available for Slackware 10.0, 10.1, 10.2, 11.0,
  12.0, 12.1, 12.2, and -current to fix security issues.

  http://www.linuxsecurity.com/content/view/148360

------------------------------------------------------------------------

* Ubuntu: Ghostscript vulnerabilities (Mar 23)
  --------------------------------------------
  It was discovered that Ghostscript contained multiple integer
  overflows in its ICC color management library. If a user or automated
  system were tricked into opening a crafted Postscript file, an
  attacker could cause a denial of service or execute arbitrary code
  with privileges of the user invoking the program. (CVE-2009-0583) It
  was discovered that Ghostscript did not properly perform bounds
  checking in its ICC color management library. If a user or automated
  system were tricked into opening a crafted Postscript file, an
  attacker could cause a denial of service or execute arbitrary code
  with privileges of the user invoking the program. (CVE-2009-0584)

  http://www.linuxsecurity.com/content/view/148345

* Ubuntu: LittleCMS vulnerabilities (Mar 23)
  ------------------------------------------
  Chris Evans discovered that LittleCMS did not properly handle certain
  error conditions, resulting in a large memory leak. If a user or
  automated system were tricked into processing an image with malicious
  ICC tags, a remote attacker could cause a denial of service.
  (CVE-2009-0581) Chris Evans discovered that LittleCMS contained
  multiple integer overflows. If a user or automated system were
  tricked into processing an image with malicious ICC tags, a remote
  attacker could crash applications linked against liblcms1, leading to
  a denial of service, or possibly execute arbitrary code with user
  privileges. (CVE-2009-0723) Chris Evans discovered that LittleCMS did
  not properly perform bounds checking, leading to a buffer overflow.
  If a user or automated system were tricked into processing an image
  with malicious ICC tags, a remote attacker could execute arbitrary
  code with user privileges. (CVE-2009-0733)

  http://www.linuxsecurity.com/content/view/148346

* Ubuntu: JasPer vulnerabilities (Mar 19)
  ---------------------------------------
  It was discovered that JasPer did not correctly handle memory
  allocation when parsing certain malformed JPEG2000 images. If a user
  were tricked into opening a specially crafted image with an
  application that uses libjasper, an attacker could cause a denial of
  service and possibly execute arbitrary code with the user's
  privileges. (CVE-2008-3520) It was discovered that JasPer created
  temporary files in an insecure way. Local users could exploit a race
  condition and cause a denial of service in libjasper applications.
  (CVE-2008-3521) It was discovered that JasPer did not correctly
  handle certain formatting operations. If a user were tricked into
  opening a specially crafted image with an application that uses
  libjasper, an attacker could cause a denial of service and possibly
  execute arbitrary code with the user's privileges. (CVE-2008-3522)

  http://www.linuxsecurity.com/content/view/148313

------------------------------------------------------------------------

* Pardus: Thunderbird: Multiple (Mar 25)
  --------------------------------------
  Some vulnerabilities have been reported in Mozilla Thunderbird,
  which can potentially be exploited by malicious people to compromise
  a user's system.

  http://www.linuxsecurity.com/content/view/148365

* Pardus: PostgreSQL: Denial of Service (Mar 25)
  ----------------------------------------------
  A weakness and a security issue have been reported in PostgreSQL,
  which can be exploited by malicious users to disclose potentially
  sensitive information or cause a DoS (Denial of Service).

  http://www.linuxsecurity.com/content/view/148364

* Pardus: Glib2: Integer Overflow (Mar 25)
  ----------------------------------------
  Some vulnerabilities have been reported in GLib, which can
  potentially be exploited by malicious people to compromise an
  application using the library.

  http://www.linuxsecurity.com/content/view/148362

* Pardus: Flashplugin: Multiple (Mar 25)
  --------------------------------------
  Some vulnerabilities have been reported in Adobe Flash Player, which
  can be exploited by malicious, local users to disclose sensitive
  information and potentially gain escalated privileges, and by
  malicious people to bypass certain security restrictions, disclose
  potentially sensitive information, and compromise a user's system.

  http://www.linuxsecurity.com/content/view/148361

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


Received on Mon Mar 30 2009 - 01:19:44 PDT
