[ISN] Linux Advisory Watch - August 14th 2009

From: InfoSec News <alerts_at_private>
Date: Mon, 17 Aug 2009 00:14:40 -0500 (CDT)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| August 14th, 2009                               Volume 10, Number 33 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for ruby, libxml2, imagemagick,
camlimages, squid3, mantis, subversion, memcached, fetchmail, viewvc,
ocaml, wordpress, xmlsec, libvorbis, apr, java, libTIFF, mmc, samba,
coreutils, openldap, nss, urpmi, curl, and Firefox.  The
distributors include Debian, Fedora, Mandriva, Red Hat, Slackware,
SuSE, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?", you may not take even a
second to respond.  But if I ask "How much does Google know about
you?", you may instantly reply "Wait... what!? Do they!?"  The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------
Nagios is monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process; making it a secure setup, however, takes some
work. This article will not show you how to install Nagios, since there
are plenty of installation guides out there, but it will show you in
detail ways to improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New Ruby packages fix several issues (Aug 12)
  -----------------------------------------------------


  http://www.linuxsecurity.com/content/view/149744

* Debian: New libxml2 packages fix several issues (Aug 10)
  --------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149723

* Debian: New imagemagick packages fix several vulnerabilities (Aug 10)
  ---------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149717

* Debian: New camlimages packages fix arbitrary code execution (Aug 9)
  --------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149711

* Debian: New squid3 packages fix regression (Aug 9)
  --------------------------------------------------


  http://www.linuxsecurity.com/content/view/149710

* Debian: New mantis packages fix information leak (Aug 8)
  --------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149706

* Debian: New subversion packages fix arbitrary code execution (Aug 8)
  --------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149705

* Debian: New APR packages fix arbitrary code execution (Aug 8)
  -------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149704

* Debian: New memcached packages fix arbitrary code execution (Aug 7)
  -------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149690

* Debian: New fetchmail packages fix SSL certificate verification weakness (Aug 7)
  --------------------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149689

* Debian: New gst-plugins-bad0.10 packages fix arbitrary code execution (Aug 6)
  -----------------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/149663

------------------------------------------------------------------------

* Fedora 11 Update: viewvc-1.1.2-2.fc11 (Aug 12)
  ----------------------------------------------
  CHANGES in 1.1.2:
  - security fix: validate the 'view' parameter to avoid XSS attack
  - security fix: avoid printing illegal parameter names and values
  - add optional support for character encoding detection (issue #400)
  - fix username case handling in svnauthz module (issue #419)
  - fix cvsdbadmin/svnadmin rebuild error on missing repos (issue #420)
  - don't drop leading blank lines from colorized file contents
    (issue #422)
  - add file.ezt template logic for optionally hiding binary file
    contents
  Also includes: install and populate mimetypes.conf. This should
  hopefully help when colouring syntax using pygments.

  http://www.linuxsecurity.com/content/view/149748

* Fedora 11 Update: ocaml-camlimages-3.0.1-7.fc11.2 (Aug 12)
  ----------------------------------------------------------
  CVE 2009-2295

  http://www.linuxsecurity.com/content/view/149746

* Fedora 10 Update: viewvc-1.0.9-1.fc10 (Aug 12)
  ----------------------------------------------
  CHANGES in 1.0.9:
  - security fix: validate the 'view' parameter to avoid XSS attack
  - security fix: avoid printing illegal parameter names and values
  Also includes: patch by Patrick Monnerat to make allow_tar work on
  F-10.

  http://www.linuxsecurity.com/content/view/149747

* Fedora 11 Update: libxml2-2.7.3-3.fc11 (Aug 11)
  -----------------------------------------------
  two patches for parsing problems raised by Ficora

  http://www.linuxsecurity.com/content/view/149737

* Fedora 10 Update: libxml2-2.7.3-2.fc10 (Aug 11)
  -----------------------------------------------
  two patches for parsing problems raised by Ficora

  http://www.linuxsecurity.com/content/view/149736

* Fedora 10 Update: wordpress-2.8.3-2.fc10 (Aug 11)
  -------------------------------------------------
  security update to fix "Remote admin reset password":
  http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070137.html

  http://www.linuxsecurity.com/content/view/149735

* Fedora 11 Update: wordpress-2.8.3-2.fc11 (Aug 11)
  -------------------------------------------------
  security update to fix "Remote admin reset password":
  http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070137.html

  http://www.linuxsecurity.com/content/view/149733

* Fedora 11 Update: xmlsec1-1.2.12-1.fc11 (Aug 11)
  ------------------------------------------------


  http://www.linuxsecurity.com/content/view/149734

* Fedora 10 Update: xmlsec1-1.2.12-1.fc10 (Aug 11)
  ------------------------------------------------


  http://www.linuxsecurity.com/content/view/149732

* Fedora 11 Update: subversion-1.6.4-2.fc11 (Aug 10)
  --------------------------------------------------
  This update includes the latest stable release of Subversion, fixing
  many bugs and a security issue: Matt Lewis reported multiple heap
  overflow flaws in Subversion (servers and clients) when parsing
  binary deltas. Malicious users with commit access to a vulnerable
  server could use these flaws to cause a heap overflow on the server
  running Subversion. A malicious Subversion server could use these
  flaws to cause a heap overflow on vulnerable clients when they
  attempt to checkout or update, resulting in a crash or, possibly,
  arbitrary code execution on the vulnerable client. (CVE-2009-2411)
  This update also adds support for storing passwords in the GNOME
  Keyring or KDE Wallet, via the new subversion-gnome and
  subversion-kde subpackages. For more details of the bug fixes
  included in this update, see:
  http://svn.collab.net/repos/svn/tags/1.6.4/CHANGES

  http://www.linuxsecurity.com/content/view/149727

* Fedora 11 Update: libvorbis-1.2.0-8.fc11 (Aug 10)
  -------------------------------------------------
  Fixes CVE-2009-2663

  http://www.linuxsecurity.com/content/view/149726

* Fedora 10 Update: libvorbis-1.2.0-6.fc10 (Aug 10)
  -------------------------------------------------
  Fixes CVE-2009-2663

  http://www.linuxsecurity.com/content/view/149725

* Fedora 10 Update: subversion-1.6.4-2.fc10 (Aug 10)
  --------------------------------------------------
  This update includes the latest stable release of Subversion,
  including several enhancements, many bug fixes, and a fix for a
  security issue: Matt Lewis reported multiple heap overflow flaws
  in Subversion (servers and clients) when parsing binary deltas.
  Malicious users with commit access to a vulnerable server could use
  these flaws to cause a heap overflow on the server running
  Subversion. A malicious Subversion server could use these flaws to
  cause a heap overflow on vulnerable clients when they attempt to
  checkout or update, resulting in a crash or, possibly, arbitrary code
  execution on the vulnerable client. (CVE-2009-2411)

  Version 1.6 offers many bug fixes and enhancements over 1.5, with the
  notable major features:
  - identical files share storage space in repository
  - file-externals support for intra-repository files
  - "tree" conflicts now handled more gracefully
  - repository root relative URL support on most commands

  For more information on changes in 1.6, see the release notes:
  http://subversion.tigris.org/svn_1.6_releasenotes.html

  http://www.linuxsecurity.com/content/view/149724

* Fedora 10 Update: apr-1.3.8-1.fc10 (Aug 7)
  ------------------------------------------
  CVE-2009-2412: allocator alignment fixes. Full details here:
  http://www.apache.org/dist/apr/patches/

  http://www.linuxsecurity.com/content/view/149681

* Fedora 11 Update: apr-util-1.3.9-1.fc11 (Aug 7)
  -----------------------------------------------
  CVE-2009-2412: allocator alignment fixes. Full details here:
  http://www.apache.org/dist/apr/patches/

  http://www.linuxsecurity.com/content/view/149680

* Fedora 11 Update: apr-1.3.8-1.fc11 (Aug 7)
  ------------------------------------------
  CVE-2009-2412: allocator alignment fixes. Full details here:
  http://www.apache.org/dist/apr/patches/

  http://www.linuxsecurity.com/content/view/149678

* Fedora 10 Update: java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 (Aug 7)
  ----------------------------------------------------------------
  Urgent security fixes have been included.

  http://www.linuxsecurity.com/content/view/149679

* Fedora 10 Update: wordpress-2.8.3-1.fc10 (Aug 7)
  ------------------------------------------------
  Update to upstream version 2.8.3:
  http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/

  http://www.linuxsecurity.com/content/view/149676

* Fedora 11 Update: java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 (Aug 7)
  ----------------------------------------------------------------
  Urgent security updates have been included.

  http://www.linuxsecurity.com/content/view/149677

* Fedora 10 Update: apr-util-1.3.9-1.fc10 (Aug 7)
  -----------------------------------------------
  CVE-2009-2412: allocator alignment fixes. Full details here:
  http://www.apache.org/dist/apr/patches/

  http://www.linuxsecurity.com/content/view/149675

* Fedora 11 Update: wordpress-2.8.3-1.fc11 (Aug 7)
  ------------------------------------------------
  Update to upstream version 2.8.3:
  http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/

  http://www.linuxsecurity.com/content/view/149674

------------------------------------------------------------------------

* Gentoo: Adobe products Multiple vulnerabilities (Aug 7)
  -------------------------------------------------------
  Multiple vulnerabilities in Adobe Reader and Adobe Flash Player allow
  for attacks including the remote execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/149687

* Gentoo: libTIFF User-assisted execution of arbitrary code (Aug 7)
  -----------------------------------------------------------------
  Multiple boundary checking vulnerabilities in libTIFF may allow for
  the remote execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/149686

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:201 ] fetchmail (Aug 12)
  ----------------------------------------------------------------------------
  A vulnerability has been found and corrected in fetchmail: socket.c
  in fetchmail before 6.3.11 does not properly handle a '\0' character
  in a domain name in the subject's Common Name (CN) field of an X.509
  certificate, which allows man-in-the-middle attackers to spoof
  arbitrary SSL servers via a crafted certificate issued by a
  legitimate Certification Authority, a related issue to CVE-2009-2408
  (CVE-2009-2666). This update provides a solution to this
  vulnerability.

  http://www.linuxsecurity.com/content/view/149745

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:200 ] libxml (Aug 12)
  -------------------------------------------------------------------------
  Multiple vulnerabilities have been found and corrected in libxml:
  Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26,
  2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent
  attackers to cause a denial of service (application crash) via a
  large depth of element declarations in a DTD, related to a function
  recursion, as demonstrated by the Codenomicon XML fuzzing framework
  (CVE-2009-2414). Multiple use-after-free vulnerabilities in libxml2
  2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow
  context-dependent attackers to cause a denial of service (application
  crash) via crafted (1) Notation or (2) Enumeration attribute types in
  an XML file, as demonstrated by the Codenomicon XML fuzzing framework
  (CVE-2009-2416). This update provides a solution to these
  vulnerabilities.

  http://www.linuxsecurity.com/content/view/149739

* Mandriva: Subject: [Security Announce] [ MDVA-2009:150 ] mmc (Aug 11)
  ---------------------------------------------------------------------
  Problems were discovered with the mmc-wizard: after configuring a DNS
  server with mmc-wizard, it was not clear how to add an MX DNS entry
  in the mmc (Mandriva Directory Server). The version of Mandriva
  Directory Server in mes5 is 2.3.1; http://mds.mandriva.org/ shows
  that MDS 2.3.2 corrects this problem, the first point in its release
  features being a new functionality for DNS zones management: support
  for MX and NS records. Additionally, squidGuard was missing and
  therefore squidGuard-1.4 is provided with this upgrade as well.

  http://www.linuxsecurity.com/content/view/149730

* Mandriva: Subject: [Security Announce] [ MDVA-2009:149 ] gtkmm2.4 (Aug 11)
  --------------------------------------------------------------------------
  A memory allocation bug in gtkmm would make applications using the
  library crash on the x86_64 architecture. This update corrects the
  problem.

  http://www.linuxsecurity.com/content/view/149729

* Mandriva: Subject: [Security Announce] [ MDVA-2009:148 ] samba (Aug 10)
  -----------------------------------------------------------------------
  Interoperability problems were discovered with
  samba-3.2.7/samba-3.2.13 in Enterprise Server 5 and samba-3.0.23d in
  Corporate Server 4. This update provides samba 3.0.36 to address
  these issues. Additionally this upgrade also fixes many upstream
  bugs.

  http://www.linuxsecurity.com/content/view/149718

* Mandriva: Subject: [Security Announce] [ MDVA-2009:147 ] indilib (Aug 10)
  -------------------------------------------------------------------------
  urpmi kstars or urpmi kdeedu4 results in dependency problems. This
  update addresses this issue.

  http://www.linuxsecurity.com/content/view/149716

* Mandriva: Subject: [Security Announce] [ MDVA-2009:146 ] coreutils (Aug 9)
  --------------------------------------------------------------------------
  There is no man page for the su command. This update fixes this
  problem making the man page for the su command show again.

  http://www.linuxsecurity.com/content/view/149709

* Mandriva: Subject: [Security Announce] [ MDVA-2009:145 ] x11-driver-input-synaptics (Aug 9)
  -------------------------------------------------------------------------------------------
  The synaptics touchpad driver shipped with 2009.1 has problems
  correctly identifying and scaling the right hand scroll zone on
  certain hardware (including the ASUS EeePC 701). This updated version
  addresses this and several other minor issues, fixing (among others)
  Mandriva bug #51845.

  http://www.linuxsecurity.com/content/view/149708

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:199 ] subversion (Aug 8)
  ----------------------------------------------------------------------------
  A vulnerability has been found and corrected in subversion: Multiple
  integer overflows in the libsvn_delta library in Subversion before
  1.5.7, and 1.6.x before 1.6.4, allow remote authenticated users and
  remote Subversion servers to execute arbitrary code via an svndiff
  stream with large windows that trigger a heap-based buffer overflow,
  a related issue to CVE-2009-2412 (CVE-2009-2411). This update
  provides a solution to this vulnerability and in turn upgrades
  subversion where possible to provide additional features and upstream
  bugfixes and adds required dependencies where needed.

  http://www.linuxsecurity.com/content/view/149707

* Mandriva: Subject: [Security Announce] [ MDVA-2009:144 ] libv4l (Aug 8)
  -----------------------------------------------------------------------
  This update addresses the issue of urpmi preventing installation of
  both i586/x86_64 versions of libv4l wrappers (Mandriva bug #45316).
  Updated packages are provided to fix this issue.

  http://www.linuxsecurity.com/content/view/149703

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:161-1 ] squid (Aug 8)
  -------------------------------------------------------------------------
  Multiple vulnerabilities have been found and corrected in squid: due
  to incorrect buffer limits and related bound checks, Squid is
  vulnerable to a denial of service attack when processing specially
  crafted requests or responses (CVE-2009-2621). Due to incorrect data
  validation, Squid is vulnerable to a denial of service attack when
  processing specially crafted responses (CVE-2009-2622). This update
  provides fixes for these vulnerabilities.

  Update:

  Additional upstream security patches were applied: debug warnings
  fill up the logs; upstream Bug 2728: regression: assertion failed:
  http.cc:705: !eof.

  http://www.linuxsecurity.com/content/view/149702

* Mandriva: Subject: [Security Announce] [ MDVA-2009:143 ] openldap (Aug 7)
  -------------------------------------------------------------------------
  The script ldap-hot-db-backup in /etc/cron.daily doesn't work because
  the db_archive and db_stat tools are missing. The db_archive and
  db_stat tools depend on db4-utils.

  http://www.linuxsecurity.com/content/view/149701

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:198 ] firefox (Aug 7)
  -------------------------------------------------------------------------
  Security issues were identified and fixed in firefox 3.0.x: Security
  researcher Juan Pablo Lopez Yacubian reported that an attacker could
  call window.open() on an invalid URL which looks similar to a
  legitimate URL and then use document.write() to place content within
  the new document, appearing to have come from the spoofed location
  (CVE-2009-2654). Moxie Marlinspike reported a heap overflow
  vulnerability in the code that handles regular expressions in
  certificate names. This vulnerability could be used to compromise the
  browser and run arbitrary code by presenting a specially crafted
  certificate to the client (CVE-2009-2404). IOActive security
  researcher Dan Kaminsky reported a mismatch in the treatment of
  domain names in SSL certificates between SSL clients and the
  Certificate Authorities (CA) which issue server certificates. These
  certificates could be used to intercept and potentially alter
  encrypted communication between the client and a server such as
  sensitive bank account transactions (CVE-2009-2408). This update
  provides the latest Mozilla Firefox 3.0.x to correct these issues.
  Additionally, some packages which require so, have been rebuilt and
  are being provided as updates.

  http://www.linuxsecurity.com/content/view/149700

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:197 ] nss (Aug 7)
  ---------------------------------------------------------------------
  Security issues in nss prior to 3.12.3 could lead to a
  man-in-the-middle attack via a spoofed X.509 certificate
  (CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also
  cause a denial-of-service and possible code execution via a long
  domain name in X.509 certificate (CVE-2009-2404). This update
  provides the latest versions of NSS and NSPR libraries which are not
  vulnerable to those attacks.

  http://www.linuxsecurity.com/content/view/149699
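  The fetchmail (MDVSA-2009:201), Firefox (MDVSA-2009:198) and nss
  (MDVSA-2009:197) entries above all stem from the same CommonName
  handling mistake (CVE-2009-2408 and CVE-2009-2666). The C program
  below is an added illustration, not code from fetchmail, NSS, Mozilla
  or any distributor: it shows a C-string CN comparison accepting a
  constructed CN that contains an embedded NUL byte, next to a
  length-aware check that rejects it. The DER blobs, host name and the
  minimal short-form-only DER parser are all assumptions made for the
  example.

```c
/* Added example: why a NUL byte inside an X.509 CommonName defeats a
 * C-string comparison, and how a length-aware check avoids it.
 * The DER blobs and host name below are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Extract the value of a DER UTF8String (0x0C) or PrintableString (0x13).
 * Handles short-form lengths only (assumption: enough for this example);
 * a TLS library's ASN.1 parser does the real work. The point is that the
 * true length of the CN comes from the DER length byte, not from a NUL. */
bool der_string_value(const unsigned char *der, size_t der_len,
                      const unsigned char **val, size_t *val_len)
{
    if (der_len < 2) return false;
    if (der[0] != 0x0C && der[0] != 0x13) return false;
    if (der[1] & 0x80) return false;           /* long-form length: not handled */
    size_t len = der[1];
    if (der_len - 2 < len) return false;       /* truncated value */
    *val = der + 2;
    *val_len = len;
    return true;
}

/* Vulnerable pattern: the CN is copied into a char buffer and handed to
 * strcasecmp, so everything after the first NUL byte is ignored. */
bool cn_matches_cstring(const unsigned char *cn, size_t cn_len,
                        const char *host)
{
    char buf[256];
    if (cn_len >= sizeof buf) return false;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';     /* terminated here, but an earlier NUL inside
                               cn still ends the comparison early */
    return strcasecmp(buf, host) == 0;
}

/* Hardened pattern: compare against the DER-declared length, reject any
 * embedded NUL, and match the host name case-insensitively. */
bool cn_matches_hardened(const unsigned char *cn, size_t cn_len,
                         const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL) return false;   /* embedded NUL */
    if (strlen(host) != cn_len) return false;             /* length must agree */
    for (size_t i = 0; i < cn_len; i++) {
        if (tolower(cn[i]) != tolower((unsigned char)host[i])) return false;
    }
    return true;
}

/* Constructed DER UTF8String: reads as "bank.example" to a C-string
 * comparison but is really "bank.example\0.attacker.example" (30 bytes). */
static const unsigned char CRAFTED_CN_DER[] = {
    0x0C, 0x1E,
    'b','a','n','k','.','e','x','a','m','p','l','e', 0x00,
    '.','a','t','t','a','c','k','e','r','.','e','x','a','m','p','l','e'
};

/* Constructed well-formed CN "bank.example" for comparison. */
static const unsigned char GOOD_CN_DER[] = {
    0x0C, 0x0C, 'b','a','n','k','.','e','x','a','m','p','l','e'
};

/* Parse the DER and run one of the matchers.
 * Returns -1 for malformed DER, otherwise 1 (match) or 0 (no match). */
int check_cn(const unsigned char *der, size_t der_len, const char *host,
             bool hardened)
{
    const unsigned char *val;
    size_t val_len;
    if (!der_string_value(der, der_len, &val, &val_len)) return -1;
    return hardened ? cn_matches_hardened(val, val_len, host)
                    : cn_matches_cstring(val, val_len, host);
}

int main(void)
{
    const char *host = "bank.example";
    printf("crafted CN, C-string compare : %d (1 = wrongly accepted)\n",
           check_cn(CRAFTED_CN_DER, sizeof CRAFTED_CN_DER, host, false));
    printf("crafted CN, length-aware     : %d (0 = rejected)\n",
           check_cn(CRAFTED_CN_DER, sizeof CRAFTED_CN_DER, host, true));
    printf("good CN, length-aware        : %d (1 = accepted)\n",
           check_cn(GOOD_CN_DER, sizeof GOOD_CN_DER, host, true));
    return 0;
}
```

  The same length-aware rule applies to subjectAltName dNSName entries,
  which is where modern clients look first.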

* Mandriva: Subject: [Security Announce] [ MDVA-2009:142 ] mandriva-doc (Aug 7)
  -----------------------------------------------------------------------------
  Minor bugs have been fixed in the mandriva-doc-mes5 package:
  - Fix both en and fr menu access for documentation
  - Fix fr link to french documentation
  - Update en documentation

  http://www.linuxsecurity.com/content/view/149698

* Mandriva: Subject: [Security Announce] [ MDVA-2009:141 ] urpmi (Aug 7)
  ----------------------------------------------------------------------
  This update fixes a minor issue with urpmi: - no error message and 0
  exit code when using CD/DVD media and hal isn't running

  http://www.linuxsecurity.com/content/view/149697

* Mandriva: Subject: [Security Announce] [ MDVA-2009:140 ] x11-driver-video-openchrome (Aug 7)
  --------------------------------------------------------------------------------------------
  This update fixes three issues with the openchrome driver for VIA
  video cards:
  - Fix a segmentation fault when using the EXA acceleration
    architecture.
  - Fix a segmentation fault on hardware that does not support Xv.
  - Improve EXA performance on a fallback case.

  http://www.linuxsecurity.com/content/view/149696

* Mandriva: Subject: [Security Announce] [ MDVA-2009:139 ] ocsinventory-agent (Aug 7)
  -----------------------------------------------------------------------------------
  This fix adds a Requires on smartmontools and bumps the release to
  1.02.1 (internal 1.0.1).

  http://www.linuxsecurity.com/content/view/149695

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:196 ] samba (Aug 7)
  -----------------------------------------------------------------------
  Multiple vulnerabilities have been found and corrected in samba:
  Multiple format string vulnerabilities in client/client.c in
  smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent
  attackers to execute arbitrary code via format string specifiers in a
  filename (CVE-2009-1886). The acl_group_override function in
  smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and
  3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is
  enabled, allows remote attackers to modify access control lists for
  files via vectors related to read access to uninitialized memory
  (CVE-2009-1888). This update provides samba 3.2.13 to address these
  issues.

  http://www.linuxsecurity.com/content/view/149693

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:195-1 ] apr (Aug 6)
  -----------------------------------------------------------------------
  A vulnerability has been identified and corrected in apr and
  apr-util: Multiple integer overflows in the Apache Portable Runtime
  (APR) library and the Apache Portable Utility library (aka APR-util)
  0.9.x and 1.3.x allow remote attackers to cause a denial of service
  (application crash) or possibly execute arbitrary code via vectors
  that trigger crafted calls to the (1) allocator_alloc or (2)
  apr_palloc function in memory/unix/apr_pools.c in APR; or crafted
  calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5)
  apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to
  buffer overflows. NOTE: some of these details are obtained from third
  party information (CVE-2009-2412). This update provides fixes for
  these vulnerabilities.

  Update:

  apr-util packages were missing for Mandriva Enterprise Server 5 i586;
  this has been addressed with this update.

  http://www.linuxsecurity.com/content/view/149669

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:195 ] apr (Aug 6)
  ---------------------------------------------------------------------
  A vulnerability has been identified and corrected in apr and
  apr-util: Fix potential overflow in pools (apr) and rmm (apr-util),
  where size alignment was taking place (CVE-2009-2412). This update
  provides fixes for these vulnerabilities.

  http://www.linuxsecurity.com/content/view/149667

------------------------------------------------------------------------

* RedHat: Moderate: curl security update (Aug 13)
  -----------------------------------------------
  Updated curl packages that fix security issues are now available for
  Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as
  having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/149749

* RedHat: Important: kernel security and bug fix update (Aug 13)
  --------------------------------------------------------------
  Updated kernel packages that fix several security issues and several
  bugs are now available for Red Hat Enterprise Linux 4. This update
  has been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/149750

* RedHat: Critical: nspr and nss security update (Aug 12)
  -------------------------------------------------------
  Updated nspr and nss packages that fix security issues are now
  available for Red Hat Enterprise Linux 5.2 Extended Update Support.
  This update has been rated as having critical security impact by the
  Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149738

* RedHat: Moderate: httpd security and bug fix update (Aug 10)
  ------------------------------------------------------------
  Updated httpd packages that fix multiple security issues and a bug
  are now available for Red Hat Enterprise Linux 3. This update has
  been rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/149721

* RedHat: Moderate: libxml and libxml2 security update (Aug 10)
  -------------------------------------------------------------
  Updated libxml and libxml2 packages that fix multiple security issues
  are now available for Red Hat Enterprise Linux 3, 4, and 5. This
  update has been rated as having moderate security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149722

* RedHat: Moderate: apr and apr-util security update (Aug 10)
  -----------------------------------------------------------
  Updated apr and apr-util packages that fix multiple security issues
  are now available for Red Hat Enterprise Linux 4 and 5. This update
  has been rated as having moderate security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/149720

* RedHat: Important: subversion security update (Aug 10)
  ------------------------------------------------------
  Updated subversion packages that fix multiple security issues are now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having important security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/149719

* RedHat: Important: java-1.6.0-openjdk security and bug (Aug 6)
  --------------------------------------------------------------
  Updated java-1.6.0-openjdk packages that fix several security issues
  and a bug are now available for Red Hat Enterprise Linux 5. This
  update has been rated as having important security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149672

* RedHat: Critical: java-1.6.0-ibm security update (Aug 6)
  --------------------------------------------------------
  Updated java-1.6.0-ibm packages that fix several security issues are
  now available for Red Hat Enterprise Linux 4 Extras and 5
  Supplementary. This update has been rated as having critical security
  impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149673

* RedHat: Critical: java-1.5.0-sun security update (Aug 6)
  --------------------------------------------------------
  Updated java-1.5.0-sun packages that correct several security issues
  are now available for Red Hat Enterprise Linux 4 Extras and 5
  Supplementary. This update has been rated as having critical security
  impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149670

* RedHat: Critical: java-1.6.0-sun security update (Aug 6)
  --------------------------------------------------------
  Updated java-1.6.0-sun packages that correct several security issues
  are now available for Red Hat Enterprise Linux 4 Extras and 5
  Supplementary. This update has been rated as having critical security
  impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/149671

------------------------------------------------------------------------

* Slackware: subversion (Aug 7)
  -----------------------------
  New subversion packages are available for Slackware 12.0, 12.1, 12.2,
  and -current to fix a security issue. More details about this issue
  may be found in the Common Vulnerabilities and Exposures (CVE)
  database:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2411

  http://www.linuxsecurity.com/content/view/149682

* Slackware: apr-util (Aug 7)
  ---------------------------
  New apr-util packages are available for Slackware 11.0, 12.0, 12.1,
  12.2, and -current to fix a security issue. More details about this
  issue may be found in the Common Vulnerabilities and Exposures (CVE)
  database:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412

  http://www.linuxsecurity.com/content/view/149683

* Slackware: apr (Aug 7)
  ----------------------
  New apr packages are available for Slackware 11.0, 12.0, 12.1, 12.2,
  and -current to fix a security issue. More details about this issue
  may be found in the Common Vulnerabilities and Exposures (CVE)
  database:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412

  http://www.linuxsecurity.com/content/view/149684

* Slackware: fetchmail (Aug 6)
  ----------------------------
  New fetchmail packages are available for Slackware 8.1, 9.0, 9.1,
  10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a
  security issue. More details about this issue may be found in the
  Common Vulnerabilities and Exposures (CVE) database:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666

  http://www.linuxsecurity.com/content/view/149665

------------------------------------------------------------------------

* SuSE: Sun Java (SUSE-SA:2009:043) (Aug 7)
  -----------------------------------------


  http://www.linuxsecurity.com/content/view/149688

* SuSE: Mozilla Firefox 3.0 (Aug 6)
  ---------------------------------


  http://www.linuxsecurity.com/content/view/149664

------------------------------------------------------------------------

* Ubuntu: libxml2 vulnerabilities (Aug 11)
  ----------------------------------------
  It was discovered that libxml2 did not correctly handle root XML
  document element DTD definitions. If a user were tricked into
  processing a specially crafted XML document, a remote attacker could
  cause the application linked against libxml2 to crash, leading to a
  denial of service. (CVE-2009-2414) It was discovered that libxml2 did
  not correctly parse Notation and Enumeration attribute types. If a
  user were tricked into processing a specially crafted XML document, a
  remote attacker could cause the application linked against libxml2 to
  crash, leading to a denial of service. (CVE-2009-2416) USN-644-1
  fixed a vulnerability in libxml2. This advisory provides the
  corresponding update for Ubuntu 9.04. Original advisory details: It
  was discovered that libxml2 did not correctly handle long entity
  names. If a user were tricked into processing a specially crafted
  XML document, a remote attacker could execute arbitrary code with
  user privileges or cause the application linked against libxml2 to
  crash, leading to a denial of service. (CVE-2008-3529)

  http://www.linuxsecurity.com/content/view/149731



------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org
Received on Sun Aug 16 2009 - 22:14:40 PDT

This archive was generated by hypermail 2.2.0 : Sun Aug 16 2009 - 22:24:13 PDT