[ISN] Linux Advisory Watch - July 24th 2009

From: InfoSec News <alerts_at_private>
Date: Mon, 27 Jul 2009 04:22:37 -0500 (CDT)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| July 24th, 2009                                 Volume 10, Number 30 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for xulrunner, gst-plugins,
pulseaudio, dbus, fckeditor, mozvoikko, perl-gtk, yelp, ruby, chmsee,
eclipse, epiphany, evolution, galeon, hulahop, java, miro, firefox,
blam, wxGTK, moin, mediawiki, libtiff, compat, wordpress, poppler,
seamonkey, bluez, net-snmp, dhcp, and pulseaudio.  The distributors
include Debian, Fedora, Gentoo, Mandriva, Red Hat, SuSE, Ubuntu, and
Pardus.

---


Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" you may not take even a
second to respond.  But if I ask "How much does Google know about
you?" you may instantly reply "Wait... what!? Do they!?"  The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------
Nagios is monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process; making it a secure setup, however, takes some
work. This article will not show you how to install Nagios, since there
are tons of guides for that out there, but it will show you in detail
ways to improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New xulrunner packages fix several vulnerabilities (Jul 23)
  -------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149461

* Debian: New gst-plugins-good0.10 packages fix arbitrary code execution (Jul 19)
  -------------------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149401

* Debian: New pulseaudio packages fix privilege escalation (Jul 18)
  -----------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149399

* Debian: New dbus packages fix denial of service (Jul 18)
  --------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149398

* Debian: New fckeditor packages fix arbitrary code execution (Jul 16)
  --------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149390

------------------------------------------------------------------------

* Fedora 11 Update: (Jul 22)
  --------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149456

* Fedora 11 Update: mozvoikko-0.9.7-0.5.rc1.fc11 (Jul 22)
  -------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149457

* Fedora 11 Update: perl-Gtk2-MozEmbed-0.08-6.fc11.3 (Jul 22)
  -----------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149458

* Fedora 11 Update: yelp-2.26.0-5.fc11 (Jul 22)
  ---------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149459

* Fedora 11 Update: ruby-gnome2-0.19.0-3.fc11.1 (Jul 22)
  ------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149460

* Fedora 11 Update: chmsee-1.0.1-9.fc11 (Jul 22)
  ----------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149444

* Fedora 11 Update: eclipse-3.4.2-13.fc11 (Jul 22)
  ------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149445

* Fedora 11 Update: epiphany-2.26.3-2.fc11 (Jul 22)
  -------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149446

* Fedora 11 Update: epiphany-extensions-2.26.1-4.fc11 (Jul 22)
  ------------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149447

* Fedora 11 Update: evolution-rss-0.1.2-11.fc11 (Jul 22)
  ------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149448

* Fedora 11 Update: galeon-2.0.7-12.fc11 (Jul 22)
  -----------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149449

* Fedora 11 Update: gnome-python2-extras-2.25.3-5.fc11 (Jul 22)
  -------------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149450

* Fedora 11 Update: gnome-web-photo-0.7-4.fc11 (Jul 22)
  -----------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149451

* Fedora 11 Update: google-gadgets-0.11.0-2.fc11 (Jul 22)
  -------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149452

* Fedora 11 Update: hulahop-0.4.9-6.fc11 (Jul 22)
  -----------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149453

* Fedora 11 Update: java-1.6.0-openjdk-1.6.0.0-25.b16.fc11 (Jul 22)
  -----------------------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149454

* Fedora 11 Update: Miro-2.0.5-2.fc11 (Jul 22)
  --------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149455

* Fedora 11 Update: firefox-3.5.1-1.fc11 (Jul 22)
  -----------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149441

* Fedora 11 Update: xulrunner-1.9.1.1-1.fc11 (Jul 22)
  ---------------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149442

* Fedora 11 Update: blam-1.8.5-12.fc11 (Jul 22)
  ---------------------------------------------
  Update to new upstream Firefox version 3.5.1, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/149443

* Fedora 10 Update: wxGTK-2.8.10-2.fc10 (Jul 22)
  ----------------------------------------------
  added fix for CVE-2009-2369

  http://www.linuxsecurity.com/content/view/149440

* Fedora 11 Update: wxGTK-2.8.10-2.fc11 (Jul 22)
  ----------------------------------------------
  added fix for CVE-2009-2369

  http://www.linuxsecurity.com/content/view/149439

* Fedora 10 Update: perl-IO-Socket-SSL-1.26-1.fc10 (Jul 19)
  ---------------------------------------------------------
  This update to version 1.26 fixes an issue where only the prefix of
  the hostname was checked if there was no wildcard present, so for
  example www.example.org would match a certificate starting with
  www.exam.

  http://www.linuxsecurity.com/content/view/149415

* Fedora 11 Update: moin-1.8.4-2.fc11 (Jul 19)
  --------------------------------------------
  This update removes the filemanager directory from the embedded
  FCKeditor. It contains code with known security vulnerabilities, even
  though that code couldn't be invoked when Moin was used with the
  default settings. Moin was probably not affected, but installing this
  update is still recommended as a security measure. CVE-2009-2265 is
  the related CVE identifier.

  http://www.linuxsecurity.com/content/view/149414

* Fedora 11 Update: mediawiki-1.15.1-48.fc11 (Jul 19)
  ---------------------------------------------------
  This update upgrades mediawiki code to 1.15.1 and fixes some path
  references. Upstream comments: This is a security and bugfix release
  of MediaWiki 1.15.1 and 1.14.1. A cross-site scripting (XSS)
  vulnerability was discovered. Only versions 1.14.0, 1.15.0 and
  release candidates for those releases are affected.

  http://www.linuxsecurity.com/content/view/149413

* Fedora 11 Update: libtiff-3.8.2-14.fc11 (Jul 19)
  ------------------------------------------------
  CVE-2009-2347 libtiff: integer overflows in various inter-color
  spaces conversion tools (crash, ACE)
  Not the same as last week's libtiff security issue ...

  http://www.linuxsecurity.com/content/view/149412

* Fedora 10 Update: compat-wxGTK26-2.6.4-10.fc10 (Jul 19)
  -------------------------------------------------------
  Added rediffed fix for CVE-2009-2369 as found in wxGTK 2.8.10

  http://www.linuxsecurity.com/content/view/149410

* Fedora 11 Update: mingw32-libtiff-3.8.2-17.fc11 (Jul 19)
  --------------------------------------------------------
  - update upstream URL
  - Fix some more LZW decoding vulnerabilities (CVE-2009-2285)

  http://www.linuxsecurity.com/content/view/149411

* Fedora 10 Update: moin-1.6.4-3.fc10 (Jul 19)
  --------------------------------------------
  This update removes the filemanager and _samples directories from the
  embedded FCKeditor. They contain code with known security
  vulnerabilities, even though that code couldn't be invoked when Moin
  was used with the default settings. Moin was probably not affected,
  but installing this update is still recommended as a security
  measure. CVE-2009-2265 is the related CVE identifier.

  http://www.linuxsecurity.com/content/view/149409

* Fedora 11 Update: compat-wxGTK26-2.6.4-10.fc11 (Jul 19)
  -------------------------------------------------------
  Added rediffed fix for CVE-2009-2369 as found in wxGTK 2.8.10

  http://www.linuxsecurity.com/content/view/149407

* Fedora 10 Update: mediawiki-1.15.1-48.fc10 (Jul 19)
  ---------------------------------------------------
  This update upgrades mediawiki code to 1.15.1 and fixes some path
  references. Upstream comments: This is a security and bugfix release
  of MediaWiki 1.15.1 and 1.14.1. A cross-site scripting (XSS)
  vulnerability was discovered. Only versions 1.14.0, 1.15.0 and
  release candidates for those releases are affected.

  http://www.linuxsecurity.com/content/view/149408

* Fedora 10 Update: wordpress-2.8.1-1.fc10 (Jul 19)
  -------------------------------------------------


  http://www.linuxsecurity.com/content/view/149406

* Fedora 10 Update: libtiff-3.8.2-14.fc10 (Jul 19)
  ------------------------------------------------
  CVE-2009-2347 libtiff: integer overflows in various inter-color
  spaces conversion tools (crash, ACE)
  Not the same as last week's libtiff security issue ...

  http://www.linuxsecurity.com/content/view/149405

* Fedora 10 Update: mingw32-libtiff-3.8.2-17.fc10 (Jul 19)
  --------------------------------------------------------
  - update upstream URL
  - Fix some more LZW decoding vulnerabilities (CVE-2009-2285)
  Bugzilla: #511015

  http://www.linuxsecurity.com/content/view/149404

* Fedora 11 Update: perl-IO-Socket-SSL-1.26-1.fc11 (Jul 19)
  ---------------------------------------------------------
  This update to version 1.26 fixes an issue where only the prefix of
  the hostname was checked if there was no wildcard present, so for
  example www.example.org would match a certificate starting with
  www.exam.

  http://www.linuxsecurity.com/content/view/149402

* Fedora 11 Update: wordpress-2.8.1-1.fc11 (Jul 19)
  -------------------------------------------------


  http://www.linuxsecurity.com/content/view/149403

* Fedora 10 Update: perl-5.10.0-73.fc10 (Jul 16)
  ----------------------------------------------
  This security update fixes an off-by-one overflow in
  Compress::Raw::Zlib (CVE-2009-1391). Moreover, it contains a subtle
  change to the configuration that does not affect the Perl interpreter
  itself, but fixes the propagation of the chosen options to the
  modules.  For example, a rebuild of perl-Wx against perl-5.10.0-73
  will fix bug 508496.

  http://www.linuxsecurity.com/content/view/149385

* Fedora 11 Update: poppler-0.10.7-2.fc11 (Jul 16)
  ------------------------------------------------
  An update to the latest stable upstream release fixing many bugs, as
  well as addressing several security issues. Release announcement:
  http://lists.freedesktop.org/archives/poppler/2009-May/004721.html

  http://www.linuxsecurity.com/content/view/149384

* Fedora 11 Update: seamonkey-1.1.17-1.fc11 (Jul 16)
  --------------------------------------------------
  Update to upstream version 1.1.17, fixing multiple security flaws:
  http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html#seamonkey1.1.17

  http://www.linuxsecurity.com/content/view/149383

* Fedora 10 Update: seamonkey-1.1.17-1.fc10 (Jul 16)
  --------------------------------------------------
  Update to upstream version 1.1.17, fixing multiple security flaws:
  http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html#seamonkey1.1.17

  http://www.linuxsecurity.com/content/view/149382

------------------------------------------------------------------------

* Gentoo: Python Integer overflows (Jul 19)
  -----------------------------------------
  Multiple integer overflows in Python have an unspecified impact.

  http://www.linuxsecurity.com/content/view/149419

* Gentoo: Nagios Execution of arbitrary code (Jul 19)
  ---------------------------------------------------
  Multiple vulnerabilities in Nagios may lead to the execution of
  arbitrary code.

  http://www.linuxsecurity.com/content/view/149418

* Gentoo: Rasterbar libtorrent Directory traversal (Jul 17)
  ---------------------------------------------------------
  A directory traversal vulnerability in Rasterbar libtorrent might
  allow a remote attacker to overwrite arbitrary files.

  http://www.linuxsecurity.com/content/view/149392

* Gentoo: PulseAudio Local privilege escalation (Jul 16)
  ------------------------------------------------------
  A vulnerability in PulseAudio may allow a local user to execute code
  with escalated privileges.

  http://www.linuxsecurity.com/content/view/149386

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVA-2009:132 ] gnome-power-manager (Jul 20)
  -------------------------------------------------------------------------------------
  The gnome-power-manager package shipped in Mandriva 2009 Spring is
  not working without the gnome-session running in user's Desktop
  Environment. This update fixes this issue making gnome-power-manager
  work fine even if gnome-session is not started.

  http://www.linuxsecurity.com/content/view/149426

* Mandriva: Subject: [Security Announce] [ MDVA-2009:131 ] bluez (Jul 19)
  -----------------------------------------------------------------------
  In Mandriva 2009.1 the bluetooth alsa plugins were installed in the
  root lib dir. This prevents A2DP bluetooth devices from working
  because they search for those libs in the standard lib directory.

  http://www.linuxsecurity.com/content/view/149424

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:157 ] perl-Compress-Raw-Zlib (Jul 19)
  -----------------------------------------------------------------------------------------
  A vulnerability has been found and corrected in
  perl-Compress-Raw-Zlib: Off-by-one error in the inflate function in
  Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in
  AMaViS, SpamAssassin, and possibly other products, allows
  context-dependent attackers to cause a denial of service (hang or
  crash) via a crafted zlib compressed stream that triggers a
  heap-based buffer overflow, as exploited in the wild by
  Trojan.Downloader-71014 in June 2009 (CVE-2009-1391). This update
  provides fixes for this vulnerability.

  http://www.linuxsecurity.com/content/view/149423

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:157 ] perl-Compress-Raw-Zlib (Jul 19)
  -----------------------------------------------------------------------------------------
  A vulnerability has been found and corrected in
  perl-Compress-Raw-Zlib: Off-by-one error in the inflate function in
  Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in
  AMaViS, SpamAssassin, and possibly other products, allows
  context-dependent attackers to cause a denial of service (hang or
  crash) via a crafted zlib compressed stream that triggers a
  heap-based buffer overflow, as exploited in the wild by
  Trojan.Downloader-71014 in June 2009 (CVE-2009-1391). This update
  provides fixes for this vulnerability.

  http://www.linuxsecurity.com/content/view/149422

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:156 ] net-snmp (Jul 19)
  ---------------------------------------------------------------------------
  A vulnerability has been found and corrected in net-snmp:
  agent/snmp_agent.c in snmpd in net-snmp 5.0.9 in Red Hat Enterprise
  Linux (RHEL) 3 allows remote attackers to cause a denial of service
  (daemon crash) via a crafted SNMP GETBULK request that triggers a
  divide-by-zero error.  NOTE: this vulnerability exists because of an
  incorrect fix for CVE-2008-4309 (CVE-2009-1887). This update provides
  fixes for this vulnerability.

  http://www.linuxsecurity.com/content/view/149421

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:155 ] git (Jul 19)
  ----------------------------------------------------------------------
  A vulnerability has been found and corrected in git: git-daemon in
  git 1.4.4.5 through 1.6.3 allows remote attackers to cause a denial
  of service (infinite loop and CPU consumption) via a request
  containing extra unrecognized arguments (CVE-2009-2108). This update
  provides fixes for this vulnerability.

  http://www.linuxsecurity.com/content/view/149420

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:154 ] dhcp (Jul 19)
  -----------------------------------------------------------------------
  A vulnerability has been found and corrected in ISC DHCP: ISC DHCP
  Server is vulnerable to a denial of service, caused by the improper
  handling of DHCP requests. If the host definitions are mixed using
  dhcp-client-identifier and hardware ethernet, a remote attacker could
  send specially-crafted DHCP requests to cause the server to stop
  responding (CVE-2009-1892). This update provides fixes for this
  vulnerability.

  http://www.linuxsecurity.com/content/view/149417

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:153 ] dhcp (Jul 17)
  -----------------------------------------------------------------------
  A vulnerability has been found and corrected in ISC DHCP: Integer
  overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before 3.1.1;
  and the DHCP server in EMC VMware Workstation before 5.5.5 Build
  56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build
  56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build
  54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4
  Build 56528; allows remote attackers to cause a denial of service
  (daemon crash) or execute arbitrary code via a malformed DHCP packet
  with a large dhcp-max-message-size that triggers a stack-based buffer
  overflow, related to servers configured to send many DHCP options to
  clients (CVE-2007-0062). This update provides fixes for this
  vulnerability.

  http://www.linuxsecurity.com/content/view/149397

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:153 ] dhcp (Jul 17)
  -----------------------------------------------------------------------
  A vulnerability has been found and corrected in ISC DHCP: Integer
  overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before 3.1.1;
  and the DHCP server in EMC VMware Workstation before 5.5.5 Build
  56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build
  56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build
  54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4
  Build 56528; allows remote attackers to cause a denial of service
  (daemon crash) or execute arbitrary code via a malformed DHCP packet
  with a large dhcp-max-message-size that triggers a stack-based buffer
  overflow, related to servers configured to send many DHCP options to
  clients (CVE-2007-0062). This update provides fixes for this
  vulnerability.

  http://www.linuxsecurity.com/content/view/149396

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:152 ] pulseaudio (Jul 17)
  -----------------------------------------------------------------------------
  A vulnerability has been found and corrected in pulseaudio: Tavis
  Ormandy and Julien Tinnes of the Google Security Team discovered that
  pulseaudio, when installed setuid root, does not drop privileges
  before re-executing itself to achieve immediate bindings. This can be
  exploited by a user who has write access to any directory on the file
  system containing /usr/bin to gain local root access. The user needs
  to exploit a race condition related to creating a hard link
  (CVE-2009-1894). This update provides fixes for this vulnerability.

  http://www.linuxsecurity.com/content/view/149395

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:152 ] pulseaudio (Jul 17)
  -----------------------------------------------------------------------------
  A vulnerability has been found and corrected in pulseaudio: Tavis
  Ormandy and Julien Tinnes of the Google Security Team discovered that
  pulseaudio, when installed setuid root, does not drop privileges
  before re-executing itself to achieve immediate bindings. This can be
  exploited by a user who has write access to any directory on the file
  system containing /usr/bin to gain local root access. The user needs
  to exploit a race condition related to creating a hard link
  (CVE-2009-1894). This update provides fixes for this vulnerability.

  http://www.linuxsecurity.com/content/view/149394

------------------------------------------------------------------------

* RedHat: Moderate: libtiff security update (Jul 16)
  --------------------------------------------------
  Updated libtiff packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3, 4, and 5. This update has
  been rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/149391

------------------------------------------------------------------------

* SuSE: Linux Kernel (SUSE-SA:2009:038) (Jul 23)
  ----------------------------------------------


  http://www.linuxsecurity.com/content/view/149462

------------------------------------------------------------------------

* Ubuntu:  Ruby vulnerabilities (Jul 20)
  --------------------------------------
  It was discovered that Ruby did not properly validate certificates.
  An attacker could exploit this and present invalid or revoked X.509
  certificates. (CVE-2009-0642) It was discovered that Ruby did not
  properly handle string arguments that represent large numbers. An
  attacker could exploit this and cause a denial of service.
  (CVE-2009-1904)

  http://www.linuxsecurity.com/content/view/149427

------------------------------------------------------------------------

* Pardus: Perl IO::Socket::SSL: Security (Jul 22)
  -----------------------------------------------
  exploited by malicious people to bypass certain security
  restrictions.

  http://www.linuxsecurity.com/content/view/149438

* Pardus: WxGtk: Integer Overflow (Jul 19)
  ----------------------------------------
  exploited by malicious people to potentially compromise a user's
  system.

  http://www.linuxsecurity.com/content/view/149416

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


Received on Mon Jul 27 2009 - 02:22:37 PDT