[ISN] Linux Advisory Watch: March 20th, 2010

From: InfoSec News <alerts_at_private>
Date: Mon, 22 Mar 2010 00:03:23 -0600 (CST)
+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| March 20th, 2010                                Volume 11, Number 12 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.

Vulnerabilities in Web Applications
-----------------------------------
This paper aims to raise awareness by discussing common vulnerabilities
and mistakes in web application development. It also considers mitigating
factors, strategies and corrective measures.

http://www.linuxsecurity.com/content/view/118427


A Secure Nagios Server
----------------------
This article will not show you how to install Nagios, since there are
plenty of installation guides out there, but it will show you in detail
ways to improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
  ----------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2020-1: ikiwiki: insufficient input sanitiza (Mar 20)
  -------------------------------------------------------------
  Ivan Shmakov discovered that the htmlscrubber component of ikiwiki, a
  wiki compiler, performs insufficient input sanitization on
  data:image/svg+xml URIs. As these can contain script code, this can be
  used by an attacker to conduct cross-site scripting attacks.
  [More...]

  http://www.linuxsecurity.com/content/view/151947

* Debian: 2019-1: pango1.0: missing input sanitization (Mar 20)
  -------------------------------------------------------------
  Marc Schoenefeld discovered improper input sanitization in Pango,
  a library for layout and rendering of text, leading to an array
  indexing error. If a local user was tricked into loading a
  specially-crafted font file in an [More...]

  http://www.linuxsecurity.com/content/view/151946

* Debian: 2018-1: php5: DoS (crash) (Mar 18)
  ------------------------------------------
  Auke van Slooten discovered that PHP 5, a hypertext preprocessor,
  crashes (because of a NULL pointer dereference) when processing
  invalid XML-RPC requests. [More...]

  http://www.linuxsecurity.com/content/view/151937

* Debian: : drbd8: privilege escalation (Mar 15)
  ----------------------------------------------
  A local vulnerability has been discovered in drbd8. Philipp Reisner
  fixed an issue in the drbd kernel module that allows local users to
  send netlink packets to perform actions that should be [More...]

  http://www.linuxsecurity.com/content/view/151906

* Debian: 2017-1: pulseaudio: insecure temporary director (Mar 15)
  ----------------------------------------------------------------
  Dan Rosenberg discovered that the PulseAudio sound server creates a
  temporary directory with a predictable name. This allows a local
  attacker to create a Denial of Service condition or possibly disclose
  sensitive information to unprivileged users. [More...]

  http://www.linuxsecurity.com/content/view/151900

* Debian: 2016-1: drupal6: Multiple vulnerabilities (Mar 13)
  ----------------------------------------------------------
  Several vulnerabilities (SA-CORE-2010-001) have been discovered in
  drupal6, a fully-featured content management framework. [More...]

  http://www.linuxsecurity.com/content/view/151895

* Debian: 2014-1: moin: Multiple vulnerabilities (Mar 12)
  -------------------------------------------------------
  Several vulnerabilities have been discovered in moin, a python clone
  of WikiWiki. The Common Vulnerabilities and Exposures project
  identifies the following problems: [More...]

  http://www.linuxsecurity.com/content/view/151888

------------------------------------------------------------------------

* Mandriva: 2010:062: curl (Mar 19)
  ---------------------------------
  A vulnerability has been found and corrected in curl:
  content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is
  enabled, does not properly restrict the amount of callback data sent
  to an application that requests automatic decompression, which might
  [More...]

  http://www.linuxsecurity.com/content/view/151945

------------------------------------------------------------------------

* Red Hat: 2010:0155-01: java-1.4.2-ibm: Moderate Advisory (Mar 17)
  -----------------------------------------------------------------
  Updated java-1.4.2-ibm packages that fix one security issue and a bug
  are now available for Red Hat Enterprise Linux 3 Extras, Red Hat
  Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5
  Supplementary. [More...]

  http://www.linuxsecurity.com/content/view/151928

* Red Hat: 2010:0154-02: thunderbird: Moderate Advisory (Mar 17)
  --------------------------------------------------------------
  An updated thunderbird package that fixes several security issues is
  now available for Red Hat Enterprise Linux 4. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/151927

* Red Hat: 2010:0153-02: thunderbird: Moderate Advisory (Mar 17)
  --------------------------------------------------------------
  An updated thunderbird package that fixes several security issues is
  now available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/151926

* Red Hat: 2010:0149-01: kernel: Important Advisory (Mar 17)
  ----------------------------------------------------------
  Updated kernel packages that fix three security issues and multiple
  bugs are now available for Red Hat Enterprise Linux 5.3 Extended
  Update Support. The Red Hat Security Response Team has rated this
  update as having [More...]

  http://www.linuxsecurity.com/content/view/151920

* Red Hat: 2010:0148-01: kernel: Important Advisory (Mar 17)
  ----------------------------------------------------------
  Updated kernel packages that fix two security issues and several bugs
  are now available for Red Hat Enterprise Linux 5.2 Extended Update
  Support. The Red Hat Security Response Team has rated this update as
  having [More...]

  http://www.linuxsecurity.com/content/view/151919

* Red Hat: 2010:0147-01: kernel: Important Advisory (Mar 16)
  ----------------------------------------------------------
  Updated kernel packages that fix multiple security issues and several
  bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
  Security Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/151918

* Red Hat: 2010:0146-01: kernel: Important Advisory (Mar 16)
  ----------------------------------------------------------
  Updated kernel packages that fix multiple security issues and several
  bugs are now available for Red Hat Enterprise Linux 4. The Red Hat
  Security Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/151917

* Red Hat: 2010:0145-01: cpio: Moderate Advisory (Mar 15)
  -------------------------------------------------------
  An updated cpio package that fixes two security issues is now
  available for Red Hat Enterprise Linux 3. This update has been rated
  as having moderate security impact by the Red [More...]

  http://www.linuxsecurity.com/content/view/151907

* Red Hat: 2010:0144-01: cpio: Moderate Advisory (Mar 15)
  -------------------------------------------------------
  An updated cpio package that fixes two security issues is now
  available for Red Hat Enterprise Linux 5. This update has been rated
  as having moderate security impact by the Red [More...]

  http://www.linuxsecurity.com/content/view/151905

* Red Hat: 2010:0142-01: tar: Moderate Advisory (Mar 15)
  ------------------------------------------------------
  An updated tar package that fixes one security issue is now available
  for Red Hat Enterprise Linux 3. This update has been rated as having
  moderate security impact by the Red [More...]

  http://www.linuxsecurity.com/content/view/151904

* Red Hat: 2010:0141-01: tar: Moderate Advisory (Mar 15)
  ------------------------------------------------------
  An updated tar package that fixes two security issues is now
  available for Red Hat Enterprise Linux 4 and 5. This update has been
  rated as having moderate security impact by the Red [More...]

  http://www.linuxsecurity.com/content/view/151903

* Red Hat: 2010:0143-01: cpio: Moderate Advisory (Mar 15)
  -------------------------------------------------------
  An updated cpio package that fixes one security issue is now
  available for Red Hat Enterprise Linux 4. This update has been rated
  as having moderate security impact by the Red [More...]

  http://www.linuxsecurity.com/content/view/151902

* Red Hat: 2010:0140-01: pango: Moderate Advisory (Mar 15)
  --------------------------------------------------------
  Updated pango and evolution28-pango packages that fix one security
  issue are now available for Red Hat Enterprise Linux 3, 4, and 5.
  This update has been rated as having moderate security impact by the
  Red [More...]

  http://www.linuxsecurity.com/content/view/151901

------------------------------------------------------------------------

* SuSE: 2010-017: OpenOffice.org (Mar 16)
  ---------------------------------------
  This update of OpenOffice_org includes fixes for the following
  vulnerabilities:
  - CVE-2009-0217: XML signature weakness
  - CVE-2009-2949: XPM Import Integer Overflow
  - CVE-2009-2950: GIF Import Heap Overflow [More...]

  http://www.linuxsecurity.com/content/view/151908

* SuSE: Weekly Summary 2010:006 (Mar 15)
  --------------------------------------
  To avoid flooding mailing lists with SUSE Security Announcements for
  minor issues, SUSE Security releases weekly summary reports for the
  low profile vulnerability fixes. The SUSE Security Summary Reports do
  not list or download URLs like the SUSE Security Announcements that
  are released for more severe vulnerabilities.

  http://www.linuxsecurity.com/content/view/151897

------------------------------------------------------------------------

* Ubuntu: 914-1: Linux kernel vulnerabilities (Mar 16)
  ----------------------------------------------------
  Mathias Krause discovered that the Linux kernel did not correctly
  handle missing ELF interpreters. A local attacker could exploit this
  to cause the system to crash, leading to a denial of service.
  (CVE-2010-0307) [More...]

  http://www.linuxsecurity.com/content/view/151916

* Ubuntu: 912-1: Audio File Library vulnerability (Mar 16)
  --------------------------------------------------------
  It was discovered that Audio File Library contained a heap-based
  buffer overflow. If a user or automated system processed a crafted WAV
  file, an attacker could cause a denial of service via application
  crash, or possibly execute arbitrary code with the privileges of the
  user invoking the program. The default compiler options for Ubuntu
  should reduce this [More...]

  http://www.linuxsecurity.com/content/view/151909

* Ubuntu: 913-1: libpng vulnerabilities (Mar 16)
  ----------------------------------------------
  It was discovered that libpng did not properly initialize memory
  when decoding certain 1-bit interlaced images. If a user or automated
  system were tricked into processing crafted PNG images, an attacker
  could possibly use this flaw to read sensitive information stored in
  memory. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and
  9.04. (CVE-2009-2042) [More...]

  http://www.linuxsecurity.com/content/view/151910

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
