[ISN] Linux Advisory Watch - September 18th 2009

From: InfoSec News <alerts_at_private>
Date: Tue, 22 Sep 2009 03:01:23 -0500 (CDT)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| September 18th, 2009                            Volume 10, Number 38 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for icu, openssl, rails, iceweasel,
xulrunner, nginx, nagios2, devscripts, dovecot, kdesdk, kdegames,
oxygen-icon-theme, kdepim, kdenetwork, kdeutils, kdeedu,
ocaml-camlimages, puppet, firefox, ikiwiki, mozvoikko, hulahop, miro,
kazehakase, yelp, ruby, epiphany, seahorse, chmsee, pcmanx, blam,
galeon, perl, mugshot, znc, wireshark, irssi, horde, silc-toolkit, kvm,
nss, htmldoc, freeradius, and openexr. The distributors include
Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, and Ubuntu.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?", you may not take even a
second to respond. But if I ask "How much does Google know about
you?", you may instantly reply "Wait... what!? Do they!?" The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939

---

A Secure Nagios Server
----------------------
Nagios is monitoring software designed to let you know about problems
on your hosts and networks quickly, and it can be configured for use on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process; making that setup secure, however, takes some work.
This article will not show you how to install Nagios, since there are
plenty of installation guides out there, but it will show you in detail
ways to improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: New icu packages correct multibyte sequence parsing (Sep 16)
  --------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/150146

* Debian: New openssl packages deprecate MD2 hash signatures (Sep 15)
  -------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/150140

* Debian: New rails packages fix cross-site scripting (Sep 15)
  ------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/150135

* Debian: New iceweasel packages fix several vulnerabilities (Sep 14)
  -------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/150071

* Debian: New xulrunner packages fix several vulnerabilities (Sep 14)
  -------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/150070

* Debian: New nginx packages fix arbitrary code execution (Sep 14)
  ----------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/150069

* Debian: New nagios2 packages fix regression (Sep 14)
  ----------------------------------------------------


  http://www.linuxsecurity.com/content/view/150068

* Debian: New devscripts packages fix regressions (Sep 11)
  --------------------------------------------------------


  http://www.linuxsecurity.com/content/view/150004

* Debian: New nagios2 packages fix several cross-site scriptings (Sep 10)
  -----------------------------------------------------------------------


  http://www.linuxsecurity.com/content/view/150001

------------------------------------------------------------------------

* Fedora 10 Update: nginx-0.7.62-1.fc10 (Sep 15)
  ----------------------------------------------


  http://www.linuxsecurity.com/content/view/150139

* Fedora 11 Update: nginx-0.7.62-1.fc11 (Sep 15)
  ----------------------------------------------


  http://www.linuxsecurity.com/content/view/150138

* Fedora 10 Update: planet-2.0-10.fc10 (Sep 15)
  ---------------------------------------------
  Security patch to sanitize content from RSS feeds for JavaScript.

  http://www.linuxsecurity.com/content/view/150130

* Fedora 11 Update: planet-2.0-10.fc11 (Sep 15)
  ---------------------------------------------
  Security update for sanitizing input from RSS feeds.

  http://www.linuxsecurity.com/content/view/150129

* Fedora 10 Update: dovecot-1.1.18-2.fc10 (Sep 15)
  ------------------------------------------------
  dovecot-sieve updated to 1.1.7. It is derived from CMU sieve, used
  by cyrus-imapd, and was affected by CVE-2009-2632 too. See the
  upstream announcement for further details:
  http://dovecot.org/list/dovecot-news/2009-September/000135.html

  http://www.linuxsecurity.com/content/view/150128

* Fedora 10 Update: kdesdk-4.3.1-1.fc10 (Sep 15)
  ----------------------------------------------
  This updates KDE to 4.3.1, the latest upstream bugfix release. The
  main improvements are:

    * KDE 4.3 is now also available in Croatian.
    * A crash when editing toolbar setup has been fixed.
    * Support for transferring files through SSH using KIO::Fish has
      been fixed.
    * A number of bugs in KWin, KDE's window and compositing manager,
      have been fixed.
    * A large number of bugs in KMail, KDE's email client, are now
      gone.

  See http://kde.org/announcements/announce-4.3.1.php for more
  information.

  In addition, this update:

    * fixes a potential security issue (CVE-2009-2702) with certificate
      validation in the KIO KSSL code. It is believed that the affected
      code is not actually used (the code in Qt, for which a security
      update was already issued, is) and thus the issue is only
      potential, but KSSL is being patched just in case;
    * splits PolicyKit-kde out of kdebase-workspace again to avoid
      forcing it onto GNOME-based setups, where PolicyKit-gnome is
      desired instead (#519654).

  http://www.linuxsecurity.com/content/view/150123

* Fedora 10 Update: kdetoys-4.3.1-1.fc10 (Sep 15)
  -----------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150124

* Fedora 10 Update: kdegames-4.3.1-4.fc10 (Sep 15)
  ------------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150125

* Fedora 10 Update: oxygen-icon-theme-4.3.1-1.fc10 (Sep 15)
  ---------------------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150126

* Fedora 10 Update: kde-l10n-4.3.1-2.fc10 (Sep 15)
  ------------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150127

* Fedora 10 Update: kdelibs-experimental-4.3.1-1.fc10 (Sep 15)
  ------------------------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150116

* Fedora 10 Update: kdepim-4.3.1-1.fc10 (Sep 15)
  ----------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150117

* Fedora 10 Update: kdenetwork-4.3.1-1.fc10 (Sep 15)
  --------------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150118

* Fedora 10 Update: kdepim-runtime-4.3.1-1.fc10 (Sep 15)
  ------------------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150119

* Fedora 10 Update: kdeutils-4.3.1-1.fc10 (Sep 15)
  ------------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150120

* Fedora 10 Update: kdepimlibs-4.3.1-1.fc10 (Sep 15)
  --------------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150121

* Fedora 10 Update: kdeplasma-addons-4.3.1-1.fc10 (Sep 15)
  --------------------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150122

* Fedora 10 Update: kdeedu-4.3.1-1.fc10 (Sep 15)
  ----------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150111

* Fedora 10 Update: kdebindings-4.3.1-3.fc10 (Sep 15)
  ---------------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150112

* Fedora 10 Update: kdegraphics-4.3.1-1.fc10 (Sep 15)
  ---------------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150113

* Fedora 10 Update: kdelibs-4.3.1-3.fc10 (Sep 15)
  -----------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150114

* Fedora 10 Update: kdemultimedia-4.3.1-1.fc10 (Sep 15)
  -----------------------------------------------------
  Same update notes as the kdesdk-4.3.1-1.fc10 entry above.

  http://www.linuxsecurity.com/content/view/150115

* Fedora 10 Update: ocaml-camlimages-3.0.1-3.fc10.2 (Sep 11)
  ----------------------------------------------------------


  http://www.linuxsecurity.com/content/view/150058

* Fedora 11 Update: puppet-0.24.8-4.fc11 (Sep 11)
  -----------------------------------------------
  This update fixes a number of bugs in both the packaging and upstream
  source. See the package changelog and bug reports for complete
  details.

  http://www.linuxsecurity.com/content/view/150057

* Fedora 11 Update: xulrunner-1.9.1.3-1.fc11 (Sep 11)
  ---------------------------------------------------
  Update to new upstream Firefox version 3.5.3, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
  The update also includes all packages depending on gecko-libs,
  rebuilt against the new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150054

* Fedora 11 Update: firefox-3.5.3-1.fc11 (Sep 11)
  -----------------------------------------------
  Same update notes as the xulrunner-1.9.1.3-1.fc11 entry above.

  http://www.linuxsecurity.com/content/view/150055

* Fedora 11 Update: ikiwiki-3.1415926-1.fc11 (Sep 11)
  ---------------------------------------------------
  Fixes CVE-2009-2944; see bz 520543.

  http://www.linuxsecurity.com/content/view/150056

* Fedora 11 Update: gnome-python2-extras-2.25.3-7.fc11 (Sep 11)
  -------------------------------------------------------------
  Same update notes as the xulrunner-1.9.1.3-1.fc11 entry above.

  http://www.linuxsecurity.com/content/view/150044

* Fedora 11 Update: mozvoikko-0.9.7-0.7.rc1.fc11 (Sep 11)
  -------------------------------------------------------
  Same update notes as the xulrunner-1.9.1.3-1.fc11 entry above.

  http://www.linuxsecurity.com/content/view/150045

* Fedora 11 Update: evolution-rss-0.1.4-3.fc11 (Sep 11)
  -----------------------------------------------------
  Same update notes as the xulrunner-1.9.1.3-1.fc11 entry above.

  http://www.linuxsecurity.com/content/view/150046

* Fedora 11 Update: google-gadgets-0.11.0-5.fc11 (Sep 11)
  -------------------------------------------------------
  Same update notes as the xulrunner-1.9.1.3-1.fc11 entry above.

  http://www.linuxsecurity.com/content/view/150047

* Fedora 11 Update: hulahop-0.4.9-8.fc11 (Sep 11)
  -----------------------------------------------
  Same update notes as the xulrunner-1.9.1.3-1.fc11 entry above.

  http://www.linuxsecurity.com/content/view/150048

* Fedora 11 Update: Miro-2.5.2-4.fc11 (Sep 11)
  --------------------------------------------
  Same update notes as the xulrunner-1.9.1.3-1.fc11 entry above.

  http://www.linuxsecurity.com/content/view/150049

* Fedora 11 Update: perl-Gtk2-MozEmbed-0.08-6.fc11.5 (Sep 11)
  -----------------------------------------------------------
  Same update notes as the xulrunner-1.9.1.3-1.fc11 entry above.

  http://www.linuxsecurity.com/content/view/150050

* Fedora 11 Update: kazehakase-0.5.7-2.fc11 (Sep 11)
  --------------------------------------------------
  Same update notes as the xulrunner-1.9.1.3-1.fc11 entry above.

  http://www.linuxsecurity.com/content/view/150051

* Fedora 11 Update: yelp-2.26.0-7.fc11 (Sep 11)
  ---------------------------------------------
  Update to new upstream Firefox version 3.5.3, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150052

* Fedora 11 Update: ruby-gnome2-0.19.1-2.fc11 (Sep 11)
  ----------------------------------------------------
  Update to new upstream Firefox version 3.5.3, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150053

* Fedora 11 Update: epiphany-extensions-2.26.1-6.fc11 (Sep 11)
  ------------------------------------------------------------
  Update to new upstream Firefox version 3.5.3, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150034

* Fedora 11 Update: monodevelop-2.0-5.fc11 (Sep 11)
  -------------------------------------------------
  Update to new upstream Firefox version 3.5.3, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150035

* Fedora 11 Update: eclipse-3.4.2-15.fc11 (Sep 11)
  ------------------------------------------------
  Update to new upstream Firefox version 3.5.3, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150036

* Fedora 11 Update: epiphany-2.26.3-4.fc11 (Sep 11)
  -------------------------------------------------
  Update to new upstream Firefox version 3.5.3, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150037

* Fedora 11 Update: seahorse-plugins-2.26.2-5.fc11 (Sep 11)
  ---------------------------------------------------------
  Update to new upstream Firefox version 3.5.3, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150038

* Fedora 11 Update: chmsee-1.0.1-11.fc11 (Sep 11)
  -----------------------------------------------
  Update to new upstream Firefox version 3.5.3, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150039

* Fedora 11 Update: gnome-web-photo-0.7-6.fc11 (Sep 11)
  -----------------------------------------------------
  Update to new upstream Firefox version 3.5.3, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150040

* Fedora 11 Update: pcmanx-gtk2-0.3.8-8.fc11 (Sep 11)
  ---------------------------------------------------
  Update to new upstream Firefox version 3.5.3, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150041

* Fedora 11 Update: blam-1.8.5-14.fc11 (Sep 11)
  ---------------------------------------------
  Update to new upstream Firefox version 3.5.3, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150042

* Fedora 11 Update: galeon-2.0.7-14.fc11 (Sep 11)
  -----------------------------------------------
  Update to new upstream Firefox version 3.5.3, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150043

* Fedora 10 Update: perl-Gtk2-MozEmbed-0.08-6.fc10.5 (Sep 11)
  -----------------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150031

* Fedora 10 Update: firefox-3.0.14-1.fc10 (Sep 11)
  ------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150032

* Fedora 10 Update: xulrunner-1.9.0.14-1.fc10 (Sep 11)
  ----------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150033

* Fedora 10 Update: evolution-rss-0.1.4-3.fc10 (Sep 11)
  -----------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150025

* Fedora 10 Update: kazehakase-0.5.6-4.fc10.6 (Sep 11)
  ----------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150026

* Fedora 10 Update: pcmanx-gtk2-0.3.8-13.fc10 (Sep 11)
  ----------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150027

* Fedora 10 Update: google-gadgets-0.10.5-10.fc10 (Sep 11)
  --------------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150028

* Fedora 10 Update: yelp-2.24.0-13.fc10 (Sep 11)
  ----------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150029

* Fedora 10 Update: mugshot-1.2.2-13.fc10 (Sep 11)
  ------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150030

* Fedora 10 Update: epiphany-2.24.3-10.fc10 (Sep 11)
  --------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150016

* Fedora 10 Update: epiphany-extensions-2.24.3-5.fc10 (Sep 11)
  ------------------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150017

* Fedora 10 Update: Miro-2.0.5-4.fc10 (Sep 11)
  --------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150018

* Fedora 10 Update: ruby-gnome2-0.19.1-2.fc10 (Sep 11)
  ----------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150019

* Fedora 10 Update: blam-1.8.5-14.fc10 (Sep 11)
  ---------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150020

* Fedora 10 Update: gnome-python2-extras-2.19.1-34.fc10 (Sep 11)
  --------------------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150021

* Fedora 10 Update: gecko-sharp2-0.13-12.fc10 (Sep 11)
  ----------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150022

* Fedora 10 Update: mozvoikko-0.9.5-14.fc10 (Sep 11)
  --------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150023

* Fedora 10 Update: gnome-web-photo-0.3-22.fc10 (Sep 11)
  ------------------------------------------------------
  Update to new upstream Firefox version 3.0.14, fixing multiple
  security issues detailed in the upstream advisories:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
  Update also includes all packages depending on gecko-libs rebuilt
  against new version of Firefox / XULRunner.

  http://www.linuxsecurity.com/content/view/150024

* Fedora 10 Update: puppet-0.24.8-4.fc10 (Sep 11)
  -----------------------------------------------
  This update fixes a number of bugs in both the packaging and upstream
  source. See the package changelog and bug reports for complete
  details.

  http://www.linuxsecurity.com/content/view/150014

* Fedora 10 Update: ikiwiki-2.72-2.fc10 (Sep 11)
  ----------------------------------------------
  Fix CVE-2009-2944, see bz 520543.

  http://www.linuxsecurity.com/content/view/150015

* Fedora 10 Update: postgresql-8.3.8-1.fc10 (Sep 11)
  --------------------------------------------------
  Update to PostgreSQL 8.3.8, for various fixes described at
  http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
  including three security issues.

  http://www.linuxsecurity.com/content/view/150013

* Fedora 11 Update: postgresql-8.3.8-1.fc11 (Sep 11)
  --------------------------------------------------
  Update to PostgreSQL 8.3.8, for various fixes described at
  http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
  including three security issues.

  http://www.linuxsecurity.com/content/view/150012

------------------------------------------------------------------------

* Gentoo: ZNC Directory traversal (Sep 13)
  ----------------------------------------
  A directory traversal was found in ZNC, allowing for overwriting of
  arbitrary files.

  http://www.linuxsecurity.com/content/view/150064

* Gentoo: Wireshark Denial of Service (Sep 13)
  --------------------------------------------
  Multiple vulnerabilities have been discovered in Wireshark which
  allow for Denial of Service.

  http://www.linuxsecurity.com/content/view/150063

* Gentoo: Lynx Arbitrary command execution (Sep 12)
  -------------------------------------------------
  An incomplete fix for an issue related to the Lynx URL handler might
  allow for the remote execution of arbitrary commands.

  http://www.linuxsecurity.com/content/view/150062

* Gentoo: HTMLDOC User-assisted execution of arbitrary code (Sep 12)
  ------------------------------------------------------------------
  Multiple insecure calls to the sscanf() function in HTMLDOC might
  result in the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/150059

* Gentoo: irssi Execution of arbitrary code (Sep 12)
  --------------------------------------------------
  A remotely exploitable off-by-one error leading to a heap overflow
  was found in irssi which might result in the execution of arbitrary
  code.

  http://www.linuxsecurity.com/content/view/150060

* Gentoo: Horde Multiple vulnerabilities (Sep 12)
  -----------------------------------------------
  Multiple vulnerabilities have been discovered in Horde and two
  modules, allowing for the execution of arbitrary code, information
  disclosure, or Cross-Site Scripting.

  http://www.linuxsecurity.com/content/view/150061

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVA-2009:161 ] silc-toolkit (Sep 18)
  ------------------------------------------------------------------------------
  The silc-toolkit was linked in a wrong way, it depended on symbols no
  longer exported by libidn. This made it impossible to use the SILC
  protocol from pidgin. This update changes the linking to use the
  included IDN resolver instead of libidn.

  http://www.linuxsecurity.com/content/view/150152

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:235 ] silc-toolkit (Sep 15)
  -------------------------------------------------------------------------------
  Multiple vulnerabilities were discovered and corrected in
  silc-toolkit: Multiple format string vulnerabilities in
  lib/silcclient/client_entry.c in Secure Internet Live Conferencing
  (SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow
  remote attackers to execute arbitrary code via format string
  specifiers in a nickname field, related to the (1)
  silc_client_add_client, (2) silc_client_update_client, and (3)
  silc_client_nickname_format functions (CVE-2009-3051). Multiple
  format string vulnerabilities in lib/silcclient/command.c in Secure
  Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC
  Client 1.1.8 and earlier, allow remote attackers to execute arbitrary
  code via format string specifiers in a channel name, related to (1)
  silc_client_command_topic, (2) silc_client_command_kick, (3)
  silc_client_command_leave, and (4) silc_client_command_users
  (CVE-2009-3163). This update provides a solution to these
  vulnerabilities.

  http://www.linuxsecurity.com/content/view/150134

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:234-1 ] silc-toolkit (Sep 15)
  ---------------------------------------------------------------------------------
  Multiple vulnerabilities were discovered and corrected in
  silc-toolkit: Multiple format string vulnerabilities in
  lib/silcclient/client_entry.c in Secure Internet Live Conferencing
  (SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow
  remote attackers to execute arbitrary code via format string
  specifiers in a nickname field, related to the (1)
  silc_client_add_client, (2) silc_client_update_client, and (3)
  silc_client_nickname_format functions (CVE-2009-3051). The
  silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in
  Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows
  remote attackers to overwrite a stack location and possibly execute
  arbitrary code via a crafted OID value, related to incorrect use of a
  %lu format string (CVE-2008-7159). The silc_http_server_parse
  function in lib/silchttp/silchttpserver.c in the internal HTTP server
  in silcd in Secure Internet Live Conferencing (SILC) Toolkit before
  1.1.9 allows remote attackers to overwrite a stack location and
  possibly execute arbitrary code via a crafted Content-Length header,
  related to incorrect use of a %lu format string (CVE-2008-7160).
  Multiple format string vulnerabilities in lib/silcclient/command.c in
  Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and
  SILC Client 1.1.8 and earlier, allow remote attackers to execute
  arbitrary code via format string specifiers in a channel name,
  related to (1) silc_client_command_topic, (2)
  silc_client_command_kick, (3) silc_client_command_leave, and (4)
  silc_client_command_users (CVE-2009-3163). This update provides a
  solution to these vulnerabilities.

  Update:

  Packages for MES5 were not provided previously; this update addresses
  that omission.

  http://www.linuxsecurity.com/content/view/150133

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:234 ] silc-toolkit (Sep 15)
  -------------------------------------------------------------------------------
  Multiple vulnerabilities were discovered and corrected in
  silc-toolkit: Multiple format string vulnerabilities in
  lib/silcclient/client_entry.c in Secure Internet Live Conferencing
  (SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow
  remote attackers to execute arbitrary code via format string
  specifiers in a nickname field, related to the (1)
  silc_client_add_client, (2) silc_client_update_client, and (3)
  silc_client_nickname_format functions (CVE-2009-3051). The
  silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in
  Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows
  remote attackers to overwrite a stack location and possibly execute
  arbitrary code via a crafted OID value, related to incorrect use of a
  %lu format string (CVE-2008-7159). The silc_http_server_parse
  function in lib/silchttp/silchttpserver.c in the internal HTTP server
  in silcd in Secure Internet Live Conferencing (SILC) Toolkit before
  1.1.9 allows remote attackers to overwrite a stack location and
  possibly execute arbitrary code via a crafted Content-Length header,
  related to incorrect use of a %lu format string (CVE-2008-7160).
  Multiple format string vulnerabilities in lib/silcclient/command.c in
  Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and
  SILC Client 1.1.8 and earlier, allow remote attackers to execute
  arbitrary code via format string specifiers in a channel name,
  related to (1) silc_client_command_topic, (2)
  silc_client_command_kick, (3) silc_client_command_leave, and (4)
  silc_client_command_users (CVE-2009-3163). This update provides a
  solution to these vulnerabilities.

  http://www.linuxsecurity.com/content/view/150132

* Mandriva: Subject: [Security Announce] [ MDVA-2009:160 ] kvm (Sep 14)
  ---------------------------------------------------------------------
  The required symbolic link or binary /usr/bin/qemu-kvm was missing;
  virtual machines generated with virt-manager depend on it.

  http://www.linuxsecurity.com/content/view/150072

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:232 ] libsamplerate (Sep 11)
  --------------------------------------------------------------------------------
  A security vulnerability has been identified and fixed in
  libsamplerate: Lev Givon discovered a buffer overflow in
  libsamplerate that could lead to a segfault with specially crafted
  python code. This problem has been fixed with libsamplerate-0.1.7 but
  older versions are affected. This update provides a solution to this
  vulnerability.

  http://www.linuxsecurity.com/content/view/150011

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:197-2 ] nss (Sep 11)
  ------------------------------------------------------------------------
  Security issues in nss prior to 3.12.3 could lead to a
  man-in-the-middle attack via a spoofed X.509 certificate
  (CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also
  cause a denial-of-service and possible code execution via a long
  domain name in X.509 certificate (CVE-2009-2404). This update
  provides the latest versions of NSS and NSPR libraries which are not
  vulnerable to those attacks.

  Update:

  This update also provides fixed packages for Mandriva Linux 2008.1
  and fixes mozilla-thunderbird error messages.

  http://www.linuxsecurity.com/content/view/150010

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:228 ] libneon (Sep 11)
  --------------------------------------------------------------------------
  A vulnerability has been found and corrected in neon: neon before
  0.28.6, when OpenSSL is used, does not properly handle a '\0'
  character in a domain name in the subject's Common Name (CN) field of
  an X.509 certificate, which allows man-in-the-middle attackers to
  spoof arbitrary SSL servers via a crafted certificate issued by a
  legitimate Certification Authority, a related issue to CVE-2009-2408.
  (CVE-2009-2474) This update provides a solution to this
  vulnerability.

  http://www.linuxsecurity.com/content/view/150009
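
  The libneon entry above, and the nss entry before it (CVE-2009-2408),
  turn on the same mistake: a certificate's Common Name is a
  length-prefixed ASN.1 string, but the code compared it as a
  NUL-terminated C string, so a CN of "www.example.com\0.attacker.test"
  matched www.example.com even though the CA only vouched for
  attacker.test. The following is an added example in C, not code from
  neon, NSS, OpenSSL or the Mandriva advisory; the CN bytes are
  constructed, the attacker.test domain is illustrative, and the
  function names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed CN, shaped as an ASN.1 decoder would hand it over: a byte
 * pointer plus the length the DER encoding declares. The literal embeds a
 * NUL after the victim's name; a CA looking at the suffix sees only
 * attacker.test as the owner. */
static const unsigned char kCraftedCN[] = "www.example.com\0.attacker.test";
#define CRAFTED_CN_LEN (sizeof(kCraftedCN) - 1)   /* DER length: 30, not 15 */

/* Vulnerable (hypothetical, not neon's or NSS's code): the CN goes through
 * a C string comparison, which stops at the first NUL and therefore sees
 * only "www.example.com". */
int cn_matches_host_vulnerable(const unsigned char *cn, size_t cn_len,
                               const char *host) {
    (void)cn_len;   /* the declared length is ignored, which is the bug */
    return strcmp((const char *)cn, host) == 0;
}

/* Fixed: honour the declared length, reject any embedded NUL outright, and
 * require the whole CN to equal the host, compared ASCII
 * case-insensitively as DNS names are. */
int cn_matches_host_fixed(const unsigned char *cn, size_t cn_len,
                          const char *host) {
    if (cn_len == 0 || memchr(cn, '\0', cn_len) != NULL)
        return 0;                       /* NUL inside the name: refuse it */
    if (strlen(host) != cn_len)
        return 0;                       /* lengths must agree, not just prefixes */
    for (size_t i = 0; i < cn_len; i++) {
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return 0;
    }
    return 1;
}
```

  The decisive line is the memchr(): once a NUL can never reach the
  comparison, it no longer matters which string routine is used
  afterwards. The same check belongs on subjectAltName dNSName entries,
  which the advisories' affected code paths also consulted.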

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:231 ] htmldoc (Sep 11)
  --------------------------------------------------------------------------
  A security vulnerability has been identified and fixed in htmldoc:
  Buffer overflow in the set_page_size function in util.cxx in HTMLDOC
  1.8.27 and earlier allows context-dependent attackers to execute
  arbitrary code via a long MEDIA SIZE comment.  NOTE: it was later
  reported that there were additional vectors in htmllib.cxx and
  ps-pdf.cxx using an AFM font file with a long glyph name, but these
  vectors do not cross privilege boundaries (CVE-2009-3050). This
  update provides a solution to this vulnerability.

  http://www.linuxsecurity.com/content/view/150008
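
  The silc-toolkit advisories above (CVE-2009-3051, CVE-2009-3163,
  CVE-2008-7159, CVE-2008-7160) and the two HTMLDOC entries describe
  two recurring defects: attacker-supplied text used as a printf-family
  format string, and sscanf() conversions that write more bytes than
  their destination holds (an unbounded "%s", or "%lu" aimed at an
  int). The following is an added illustration in C, not code from
  SILC, HTMLDOC or the Mandriva advisories: the function and struct
  names are hypothetical, the "name number" line format stands in for
  the real Content-Length and MEDIA SIZE parsers those advisories
  mention, and the 8-byte unsigned long assumes an LP64 platform.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- (1) A format string that came off the network ------------------- */

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* Vulnerable (hypothetical): the peer-chosen nickname IS the format string,
 * so a nick like "%x%x%n" reads and writes through the caller's stack.
 * Kept only as the "before" picture; nothing below calls it. */
int format_nick_vulnerable(char *out, size_t outlen, const char *nick) {
    return snprintf(out, outlen, nick);
}
#pragma GCC diagnostic pop

/* Fixed: a constant format; the nickname is only ever an argument. */
int format_nick_fixed(char *out, size_t outlen, const char *nick) {
    return snprintf(out, outlen, "%s", nick);
}

/* Returns 1 if the fixed formatter reproduces `nick` byte for byte. */
int nick_roundtrips(const char *nick) {
    char buf[64];
    int n = format_nick_fixed(buf, sizeof buf, nick);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, nick) == 0;
}

/* --- (2) sscanf with no field width, and %lu stored into an int ------- */

struct header_bad { char name[16]; int length; };

/* Vulnerable (hypothetical): "%s" has no width, so a long name overruns
 * name[]; "%lu" stores sizeof(unsigned long) bytes (8 on LP64) into a
 * 4-byte int, so the write spills onto the neighbouring stack slot.
 * Nothing below calls it. */
void parse_header_vulnerable(const char *line, struct header_bad *h) {
    sscanf(line, "%s %lu", h->name, (unsigned long *)&h->length);
}

struct header { char name[16]; unsigned long length; };

/* Fixed. Returns 0 and fills *h on success, -1 on any malformed line. */
int parse_header_fixed(const char *line, struct header *h) {
    int n = 0;
    /* %15s bounds the copy to 15 chars + NUL; %n records where it stopped. */
    if (sscanf(line, "%15s%n", h->name, &n) != 1)
        return -1;
    /* A name longer than the field is an error, not a truncation: silent
     * truncation would hand the tail of the name to the number parser. */
    if (line[n] != ' ')
        return -1;
    const char *p = line + n;
    while (*p == ' ')
        p++;
    /* strtoul happily wraps "-1" to ULONG_MAX, so refuse a sign up front. */
    if (*p == '-' || *p == '+' || *p == '\0')
        return -1;
    char *end;
    errno = 0;
    unsigned long v = strtoul(p, &end, 10);
    /* Overflow, no digits, or trailing junk all fail closed. */
    if (errno == ERANGE || end == p || *end != '\0')
        return -1;
    h->length = v;
    return 0;
}

/* Convenience wrappers so the results can be checked directly. */
int parse_header_ok(const char *line) {
    struct header h;
    return parse_header_fixed(line, &h) == 0;
}

int check_parse(const char *line, const char *want_name, unsigned long want_len) {
    struct header h;
    if (parse_header_fixed(line, &h) != 0)
        return 0;
    return strcmp(h.name, want_name) == 0 && h.length == want_len;
}
```

  Building with -Wformat -Wformat-security flags the vulnerable
  formatter at compile time; the pragma in the block exists only so the
  "before" picture compiles next to the fix. The "%lu" case draws no
  warning at all once the pointer is cast, which is why the fixed parser
  changes the field's type rather than the format.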

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:230 ] pidgin (Sep 11)
  -------------------------------------------------------------------------
  Security vulnerabilities have been identified and fixed in pidgin: The
  msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c
  in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and
  Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary
  code or cause a denial of service (memory corruption and application
  crash) by sending multiple crafted SLP (aka MSNSLP) messages to
  trigger an overwrite of an arbitrary memory location.  NOTE: this
  issue reportedly exists because of an incomplete fix for
  CVE-2009-1376 (CVE-2009-2694). Unspecified vulnerability in Pidgin
  2.6.0 allows remote attackers to cause a denial of service (crash)
  via a link in a Yahoo IM (CVE-2009-3025). protocols/jabber/auth.c in
  libpurple in Pidgin 2.6.0, and possibly other versions, does not
  follow the required TLS/SSL preference when connecting to older Jabber
  servers that do not follow the XMPP specification, which causes
  libpurple to connect to the server without the expected encryption
  and allows remote attackers to sniff sessions (CVE-2009-3026).
  libpurple/protocols/irc/msgs.c in the IRC protocol plugin in
  libpurple in Pidgin before 2.6.2 allows remote IRC servers to cause a
  denial of service (NULL pointer dereference and application crash)
  via a TOPIC message that lacks a topic string (CVE-2009-2703). The
  msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the MSN
  protocol plugin in libpurple in Pidgin before 2.6.2 allows remote
  attackers to cause a denial of service (NULL pointer dereference and
  application crash) via an SLP invite message that lacks certain
  required fields, as demonstrated by a malformed message from a KMess
  client (CVE-2009-3083). The msn_slp_process_msg function in
  libpurple/protocols/msn/slpcall.c in the MSN protocol plugin in
  libpurple 2.6.0 and 2.6.1, as used in Pidgin before 2.6.2, allows
  remote attackers to cause a denial of service (application crash) via
  a handwritten (aka Ink) message, related to an uninitialized variable
  and the incorrect UTF16-LE charset name (CVE-2009-3084). The XMPP
  protocol plugin in libpurple in Pidgin before 2.6.2 does not properly
  handle an error IQ stanza during an attempted fetch of a custom
  smiley, which allows remote attackers to cause a denial of service
  (application crash) via XHTML-IM content with cid: images
  (CVE-2009-3085). This update provides pidgin 2.6.2, which is not
  vulnerable to these issues.

  http://www.linuxsecurity.com/content/view/150007

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:229 ] cyrus-imapd (Sep 11)
  ------------------------------------------------------------------------------
  A vulnerability has been found and corrected in cyrus-imapd: Buffer
  overflow in the SIEVE script component (sieve/script.c) in
  cyrus-imapd in Cyrus IMAP Server 2.2.13 and 2.3.14 allows local users
  to execute arbitrary code and read or modify arbitrary messages via a
  crafted SIEVE script, related to the incorrect use of the sizeof
  operator for determining buffer length, combined with an integer
  signedness error (CVE-2009-2632). This update provides a solution to
  this vulnerability.

  http://www.linuxsecurity.com/content/view/150006

* Mandriva: Subject: [Security Announce] [ MDVA-2009:159 ] hplip (Sep 10)
  -----------------------------------------------------------------------
  This update resolves a runtime error with hplip found after the KDE4
  updates and in conjunction with the newer python-qt4-gui package.
  This version upgrade provides hplip v3.9.2 that addresses this
  problem.

  http://www.linuxsecurity.com/content/view/150003

* Mandriva: Subject: [Security Announce] [ MDVSA-2009:226 ] freeradius (Sep 10)
  -----------------------------------------------------------------------------
  A vulnerability has been found and corrected in freeradius: The
  rad_decode function in FreeRADIUS before 1.1.8 allows remote
  attackers to cause a denial of service (radiusd crash) via
  zero-length Tunnel-Password attributes.  NOTE: this is a regression
  error related to CVE-2003-0967 (CVE-2009-3111). This update provides
  a solution to this vulnerability.

  http://www.linuxsecurity.com/content/view/150002

------------------------------------------------------------------------

* RedHat: Moderate: freeradius security update (Sep 17)
  -----------------------------------------------------
  Updated freeradius packages that fix a security issue are now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red Hat Security Response
  Team.

  http://www.linuxsecurity.com/content/view/150148

* RedHat: Important: kernel security and bug fix update (Sep 15)
  --------------------------------------------------------------
  Updated kernel packages that fix several security issues and several
  bugs are now available for Red Hat Enterprise Linux 4. This update
  has been rated as having important security impact by the Red Hat
  Security Response Team.

  http://www.linuxsecurity.com/content/view/150131

------------------------------------------------------------------------

* Slackware:   mozilla-firefox (Sep 14)
  -------------------------------------
  New mozilla-firefox packages are available for Slackware 12.2, 13.0,
  and -current to fix security issues. The Firefox 3.0.14 package may
  also be used with Slackware 11.0 or newer.

  More details about the issues may be found on the Mozilla website:
  http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
  http://www.mozilla.org/security/known-vulnerabilities/firefox35.html

  http://www.linuxsecurity.com/content/view/150065

------------------------------------------------------------------------

* Ubuntu:  FreeRADIUS vulnerability (Sep 16)
  ------------------------------------------
  It was discovered that FreeRADIUS did not correctly handle certain
  malformed attributes. A remote attacker could exploit this flaw and
  cause the FreeRADIUS server to crash, resulting in a denial of
  service.

  http://www.linuxsecurity.com/content/view/150147

* Ubuntu:  OpenSSL vulnerability (Sep 14)
  ---------------------------------------
  Dan Kaminsky discovered OpenSSL would still accept certificates with
  MD2 hash signatures. As a result, an attacker could potentially
  create a malicious trusted certificate to impersonate another site.
  This update handles this issue by completely disabling MD2 for
  certificate validation.

  http://www.linuxsecurity.com/content/view/150073
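
A quick way to audit a certificate store for the weakness this advisory
addresses is to read the outer signatureAlgorithm of each DER certificate
and flag MD2 (and, while at it, MD5). The script below is an added example
written for this newsletter, not code from the Ubuntu advisory or from
OpenSSL; it contains its own minimal DER reader and builds constructed,
cryptographically meaningless test certificates so that it runs offline.
The OIDs for md2WithRSAEncryption and md5WithRSAEncryption are the standard
PKCS#1 values; everything else (function names, the fake certificate
layout) is an assumption of the example.

```python
"""Flag DER certificates whose signature algorithm is MD2 or MD5 based.

Added example (not part of the advisory). Only the outer
Certificate.signatureAlgorithm field is inspected; no chain validation
is performed.
"""

# PKCS#1 signature-algorithm OIDs that should never be trusted today.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def check_certificate(cert_der):
    """Return the weak algorithm name if the cert is MD2/MD5 signed, else None."""
    return WEAK_SIG_OIDS.get(signature_algorithm_oid(cert_der))


# --- constructed test data (hypothetical certificates, not real ones) ---

def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _encode_len(len(value)) + value


def _encode_oid(dotted):
    """Encode a dotted OID into its DER body (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_fake_cert(sig_oid):
    """Build a structurally valid but meaningless DER Certificate (constructed)."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                       # placeholder TBS
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\x00" * 8)                     # BIT STRING
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.2", "1.2.840.113549.1.1.11"):
        print(oid, "->", check_certificate(make_fake_cert(oid)))
```

On a real system the same check can be done per file with
`openssl x509 -in cert.der -inform DER -noout -text` and reading the
"Signature Algorithm" line; the script is useful when sweeping a large
trust store where the signature algorithm OID is all that needs to be
extracted.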

* Ubuntu:  OpenEXR vulnerabilities (Sep 14)
  -----------------------------------------
  Drew Yao discovered several flaws in the way OpenEXR handled certain
  malformed EXR image files. If a user were tricked into opening a
  crafted EXR image file, an attacker could cause a denial of service
  via application crash, or possibly execute arbitrary code with the
  privileges of the user invoking the program. (CVE-2009-1720,
  CVE-2009-1721) A separate issue with the same impact was also
  discovered in OpenEXR's handling of certain malformed EXR image
  files; this one only affected Ubuntu 8.04 LTS. (CVE-2009-1722)

  http://www.linuxsecurity.com/content/view/150074

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


Received on Tue Sep 22 2009 - 01:01:23 PDT