[ISN] Linux Advisory Watch: April 2nd, 2010

From: InfoSec News <alerts_at_private>
Date: Mon, 5 Apr 2010 01:07:43 -0500 (CDT)
+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| April 2nd, 2010                                 Volume 11, Number 14 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.

Vulnerabilities in Web Applications
-----------------------------------
This paper aims to raise awareness by discussing common vulnerabilities
and mistakes in web application development. It also considers mitigating
factors, strategies and corrective measures.

http://www.linuxsecurity.com/content/view/118427


A Secure Nagios Server
----------------------
This article will not show you how to install Nagios, since there are
plenty of installation guides out there, but it will show you in detail
ways to improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
  ----------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2026-1: netpbm-free: stack-based buffer overflow (Apr 2)
  ----------------------------------------------------------------
  Marc Schoenefeld discovered a stack-based buffer overflow in the XPM
  reader implementation in netpbm-free, a suite of image manipulation
  utilities. An attacker could cause a denial of service (application
  crash) or possibly [More...]

  http://www.linuxsecurity.com/content/view/152063

* Debian: 2025-1: icedove: several vulnerabilities (Mar 31)
  ---------------------------------------------------------
  Several remote vulnerabilities have been discovered in the Icedove
  mail client, an unbranded version of the Thunderbird mail client. The
  Common Vulnerabilities and Exposures project identifies the following
  problems: [More...]

  http://www.linuxsecurity.com/content/view/152041

* Debian: 2024-1: moin: insufficient input sanitisi (Mar 31)
  ----------------------------------------------------------
  Jamie Strandboge discovered that moin, a python clone of WikiWiki,
  does not sufficiently sanitize the page name in "Despam" action,
  allowing remote attackers to perform cross-site scripting (XSS)
  attacks. [More...]

  http://www.linuxsecurity.com/content/view/152040

* Debian: 2023-1: curl: buffer overflow (Mar 27)
  ----------------------------------------------
  Wesley Miaw discovered that libcurl, a multi-protocol file transfer
  library, is prone to a buffer overflow via the callback function when
  an application relies on libcurl to automatically uncompress data.
  Note that this only affects applications that trust libcurl's maximum
  limit [More...]

  http://www.linuxsecurity.com/content/view/152006
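
  The libcurl issue above turns on a contract detail that is easy to get
  wrong: a CURLOPT_WRITEFUNCTION callback is handed size*nmemb bytes and
  must cope with whatever that is, while CURL_MAX_WRITE_SIZE is only the
  usual chunk size, not a guarantee. The following is an added example
  written for this newsletter; it is not code from the Debian advisory
  or from the curl project. It restates CURL_MAX_WRITE_SIZE (16384, the
  value from curl/curl.h) locally so it builds without libcurl, and the
  deliver_chunk() function is a hypothetical stand-in for libcurl handing
  a decompressed chunk to the callback. The first callback shows the
  fixed-buffer pattern the advisory warns about, changed to refuse
  oversized chunks instead of overflowing; the second grows its buffer
  from the actual chunk length and is the form an application should use.

```c
/* Added example: libcurl write-callback patterns (not curl project code). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value from curl/curl.h, restated here so the file builds without libcurl.
 * It is a "usual maximum", not a promise: a callback must never rely on it. */
#define CURL_MAX_WRITE_SIZE 16384

/* 1. Fixed buffer sized to the documented maximum: the risky pattern.
 *    Instead of an unchecked memcpy, this version refuses a chunk that
 *    would not fit. Returning anything other than size*nmemb makes
 *    libcurl abort the transfer with CURLE_WRITE_ERROR. */
struct fixed_buf { char data[CURL_MAX_WRITE_SIZE]; size_t len; };

size_t write_cb_fixed(char *ptr, size_t size, size_t nmemb, void *userdata) {
    struct fixed_buf *b = userdata;
    size_t n = size * nmemb;
    if (n > sizeof b->data - b->len)
        return 0;                       /* would overflow: abort transfer */
    memcpy(b->data + b->len, ptr, n);
    b->len += n;
    return n;
}

/* 2. Heap buffer grown from the real chunk length: the robust pattern. */
struct dyn_buf { char *data; size_t len, cap; };

size_t write_cb_dyn(char *ptr, size_t size, size_t nmemb, void *userdata) {
    struct dyn_buf *b = userdata;
    size_t n;
    if (size != 0 && nmemb > (size_t)-1 / size)
        return 0;                       /* size*nmemb itself would overflow */
    n = size * nmemb;
    if (n > b->cap - b->len) {
        size_t newcap = b->cap ? b->cap : 4096;
        while (newcap - b->len < n) {
            if (newcap > (size_t)-1 / 2)
                return 0;               /* cannot grow further */
            newcap *= 2;
        }
        char *p = realloc(b->data, newcap);
        if (!p)
            return 0;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, ptr, n);
    b->len += n;
    return n;
}

/* Hypothetical stand-in for libcurl delivering one chunk of n bytes.
 * The payload is constructed filler, representing a decompressed body.
 * Returns 1 if the callback accepted the whole chunk, 0 if it aborted,
 * -1 on allocation failure. */
int deliver_chunk(size_t (*cb)(char *, size_t, size_t, void *),
                  void *userdata, size_t n) {
    char *chunk = malloc(n);
    if (!chunk)
        return -1;
    memset(chunk, 'A', n);
    size_t got = cb(chunk, 1, n, userdata);
    free(chunk);
    return got == n;
}

int main(void) {
    struct fixed_buf fb = { .len = 0 };
    struct dyn_buf db = { 0 };
    size_t big = CURL_MAX_WRITE_SIZE + 1;   /* one byte past the "usual" maximum */

    printf("fixed buffer, %zu bytes: %s\n", big,
           deliver_chunk(write_cb_fixed, &fb, big) ? "accepted"
                                                   : "rejected (transfer aborted)");
    printf("dynamic buffer, %zu bytes: %s\n", big,
           deliver_chunk(write_cb_dyn, &db, big) ? "accepted" : "rejected");
    free(db.data);
    return 0;
}
```

  The fixed-buffer callback survives only because it checks the length
  before copying; an application that sized the buffer to
  CURL_MAX_WRITE_SIZE and skipped the check is exactly what the advisory
  describes. Note also the overflow guard on size*nmemb itself, which is
  cheap and removes a second class of length bugs from the same callback.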

------------------------------------------------------------------------

* Mandriva: 2010:068: php (Mar 27)
  --------------------------------
  A vulnerability has been found and corrected in php: The xmlrpc
  extension in PHP 5.3.1 does not properly handle a missing methodName
  element in the first argument to the xmlrpc_decode_request function,
  which allows context-dependent attackers to cause a denial of
  [More...]

  http://www.linuxsecurity.com/content/view/152005

* Mandriva: 2010:067: kernel (Mar 25)
  -----------------------------------
  This update fixes a regression introduced by the correction of
  CVE-2010-0307, which resulted in crashes when running i586 applications
  on x86_64. To update your kernel, please follow the directions located
  at: [More...]

  http://www.linuxsecurity.com/content/view/151996

------------------------------------------------------------------------

* Red Hat: 2010:0339-01: java-1.6.0-openjdk: Important Advisory (Mar 31)
  ----------------------------------------------------------------------
  Updated java-1.6.0-openjdk packages that fix several security issues
  are now available for Red Hat Enterprise Linux 5. The Red Hat
  Security Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/152058

* Red Hat: 2010:0337-01: java-1.6.0-sun: Critical Advisory (Mar 31)
  -----------------------------------------------------------------
  Updated java-1.6.0-sun packages that correct several security issues
  are now available for Red Hat Enterprise Linux 4 Extras and 5
  Supplementary. The Red Hat Security Response Team has rated this
  update as having critical [More...]

  http://www.linuxsecurity.com/content/view/152057

* Red Hat: 2010:0338-01: java-1.5.0-sun: Critical Advisory (Mar 31)
  -----------------------------------------------------------------
  The java-1.5.0-sun packages as shipped in Red Hat Enterprise Linux 4
  Extras and 5 Supplementary contain security flaws and should not be
  used. The Red Hat Security Response Team has rated this update as
  having critical [More...]

  http://www.linuxsecurity.com/content/view/152056

* Red Hat: 2010:0332-01: firefox: Critical Advisory (Mar 30)
  ----------------------------------------------------------
  Updated firefox packages that fix several security issues are now
  available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security
  Response Team has rated this update as having critical [More...]

  http://www.linuxsecurity.com/content/view/152039

* Red Hat: 2010:0333-01: seamonkey: Critical Advisory (Mar 30)
  ------------------------------------------------------------
  Updated seamonkey packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security
  Response Team has rated this update as having critical [More...]

  http://www.linuxsecurity.com/content/view/152038

* Red Hat: 2010:0330-01: GFS: Moderate Advisory (Mar 30)
  ------------------------------------------------------
  Updated GFS packages that fix one security issue are now available
  for Red Hat Enterprise Linux 3.9, kernel release 2.4.21-63.EL. The
  Red Hat Security Response Team has rated this update as having
  moderate [More...]

  http://www.linuxsecurity.com/content/view/152036

* Red Hat: 2010:0331-01: GFS-kernel: Moderate Advisory (Mar 30)
  -------------------------------------------------------------
  Updated GFS-kernel packages that fix one security issue are now
  available for Red Hat Enterprise Linux 4.8, kernel release
  2.6.9-89.0.20.EL. The Red Hat Security Response Team has rated this
  update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/152037

* Red Hat: 2010:0329-01: curl: Moderate Advisory (Mar 30)
  -------------------------------------------------------
  Updated curl packages that fix one security issue are now available
  for Red Hat Enterprise Linux 3 and 4. The Red Hat Security Response
  Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/152034

* Red Hat: 2010:0321-04: automake: Low Advisory (Mar 30)
  ------------------------------------------------------
  Updated automake, automake14, automake15, automake16, and automake17
  packages that fix one security issue are now available for Red Hat
  Enterprise Linux 5. [More...]

  http://www.linuxsecurity.com/content/view/152035

* Red Hat: 2010:0291-04: gfs-kmod: Moderate Advisory (Mar 30)
  -----------------------------------------------------------
  Updated gfs-kmod packages that fix one security issue, numerous bugs,
  and add one enhancement are now available for Red Hat Enterprise
  Linux 5.5, kernel release 2.6.18-194.el5. [More...]

  http://www.linuxsecurity.com/content/view/152033

* Red Hat: 2010:0273-05: curl: Moderate Advisory (Mar 30)
  -------------------------------------------------------
  Updated curl packages that fix one security issue, various bugs, and
  add enhancements are now available for Red Hat Enterprise Linux 5.
  The Red Hat Security Response Team has rated this update as having
  moderate [More...]

  http://www.linuxsecurity.com/content/view/152032

* Red Hat: 2010:0271-04: kvm: Important Advisory (Mar 30)
  -------------------------------------------------------
  Updated kvm packages that fix one security issue, multiple bugs, and
  add enhancements are now available for Red Hat Enterprise Linux 5.
  The Red Hat Security Response Team has rated this update as having
  [More...]

  http://www.linuxsecurity.com/content/view/152031

* Red Hat: 2010:0181-05: brltty: Low Advisory (Mar 30)
  ----------------------------------------------------
  Updated brltty packages that fix one security issue and several bugs
  are now available for Red Hat Enterprise Linux 5. The Red Hat
  Security Response Team has rated this update as having low [More...]

  http://www.linuxsecurity.com/content/view/152030

* Red Hat: 2010:0258-04: pam_krb5: Low Advisory (Mar 30)
  ------------------------------------------------------
  Updated pam_krb5 packages that fix one security issue and various
  bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
  Security Response Team has rated this update as having low [More...]

  http://www.linuxsecurity.com/content/view/152029

* Red Hat: 2010:0237-05: sendmail: Low Advisory (Mar 30)
  ------------------------------------------------------
  Updated sendmail packages that fix two security issues and several
  bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
  Security Response Team has rated this update as having low [More...]

  http://www.linuxsecurity.com/content/view/152028

* Red Hat: 2010:0198-04: openldap: Moderate Advisory (Mar 30)
  -----------------------------------------------------------
  Updated openldap packages that fix one security issue and several
  bugs are now available for Red Hat Enterprise Linux 5. The Red Hat
  Security Response Team has rated this update as having moderate
  [More...]

  http://www.linuxsecurity.com/content/view/152027

* Red Hat: 2010:0221-04: squid: Low Advisory (Mar 30)
  ---------------------------------------------------
  An updated squid package that fixes two security issues and several
  bugs is now available for Red Hat Enterprise Linux 5. The Red Hat
  Security Response Team has rated this update as having low [More...]

  http://www.linuxsecurity.com/content/view/152026

* Red Hat: 2010:0175-01: httpd: Low Advisory (Mar 25)
  ---------------------------------------------------
  Updated httpd packages that fix one security issue, a bug, and add an
  enhancement are now available for Red Hat Enterprise Linux 4. The Red
  Hat Security Response Team has rated this update as having low
  [More...]

  http://www.linuxsecurity.com/content/view/151995

* Red Hat: 2010:0168-01: httpd: Moderate Advisory (Mar 25)
  --------------------------------------------------------
  Updated httpd packages that fix two security issues and add an
  enhancement are now available for Red Hat Enterprise Linux 5. The Red
  Hat Security Response Team has rated this update as having moderate
  [More...]

  http://www.linuxsecurity.com/content/view/151985

* Red Hat: 2010:0167-01: gnutls: Moderate Advisory (Mar 25)
  ---------------------------------------------------------
  Updated gnutls packages that fix two security issues are now
  available for Red Hat Enterprise Linux 4. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/151984

* Red Hat: 2010:0164-01: openssl097a: Moderate Advisory (Mar 25)
  --------------------------------------------------------------
  Updated openssl097a packages that fix a security issue are now
  available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/151982

* Red Hat: 2010:0173-02: openssl096b: Important Advisory (Mar 25)
  ---------------------------------------------------------------
  Updated openssl096b packages that fix one security issue are now
  available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/151983

* Red Hat: 2010:0165-01: nss: Moderate Advisory (Mar 25)
  ------------------------------------------------------
  Updated nss packages that fix a security issue are now available for
  Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team
  has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/151981

* Red Hat: 2010:0163-01: openssl: Moderate Advisory (Mar 25)
  ----------------------------------------------------------
  Updated openssl packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/151979

* Red Hat: 2010:0162-01: openssl: Important Advisory (Mar 25)
  -----------------------------------------------------------
  Updated openssl packages that fix several security issues are now
  available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/151980

* Red Hat: 2010:0166-01: gnutls: Moderate Advisory (Mar 25)
  ---------------------------------------------------------
  Updated gnutls packages that fix two security issues are now
  available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

  http://www.linuxsecurity.com/content/view/151978

------------------------------------------------------------------------

* Slackware: 2010-090-03: seamonkey: Security Update (Mar 31)
  -----------------------------------------------------------
  New seamonkey packages are available for Slackware 11.0, 12.0, and
  12.1 to fix security issues. For more information, see:  [More
  Info...]

  http://www.linuxsecurity.com/content/view/152053

* Slackware: 2010-090-01: openssl: Security Update (Mar 31)
  ---------------------------------------------------------
  New openssl packages are available for Slackware 11.0, 12.0, 12.1,
  12.2, 13.0, and -current to fix security issues. More details about
  the issues may be found in the Common Vulnerabilities and Exposures
  (CVE) database. A recompiled proftpd package is required if you run
  ProFTPD.  [More Info...]

  http://www.linuxsecurity.com/content/view/152054

* Slackware: 2010-090-02: mozilla-firefox: Security Update (Mar 31)
  -----------------------------------------------------------------
  New mozilla-firefox packages are available for Slackware 13.0 and
  -current to fix security issues. More details about the issues may be
  found on the Mozilla website:  [More Info...]

  http://www.linuxsecurity.com/content/view/152055

------------------------------------------------------------------------

* SuSE: Weekly Summary 2010:007 (Mar 30)
  --------------------------------------
  To avoid flooding mailing lists with SUSE Security Announcements for
  minor issues, SUSE Security releases weekly summary reports for the
  low-profile vulnerability fixes. The SUSE Security Summary Reports do
  not list download URLs like the SUSE Security Announcements that are
  released for more severe vulnerabilities.  Vulnerabilities in this
  summary include: cifs-mount/samba, compiz-fusion-plugins-main, cron,
  cups, ethereal/wireshark, krb5, mysql, pulseaudio, squid/squid3,
  viewvc.

  http://www.linuxsecurity.com/content/view/152020

* SuSE: 2010-019: Linux kernel (Mar 30)
  -------------------------------------
  This update fixes lots of bugs and some security issues in the SUSE
  Linux Enterprise 10 SP 3 kernel. CVE-2009-4020: Stack-based buffer
  overflow in the hfs subsystem in the Linux kernel allows remote
  attackers to have an unspecified impact via a crafted Hierarchical
  File System (HFS) filesystem, related to  [More...]

  http://www.linuxsecurity.com/content/view/152019

------------------------------------------------------------------------

* Pardus: 2010-42: tar/cpio: Buffer Overflow (Mar 29)
  ---------------------------------------------------
  A vulnerability has been fixed in GNU tar, which can potentially be
  exploited by malicious people to compromise a vulnerable system.

  http://www.linuxsecurity.com/content/view/152014

* Pardus: 2010-43: Curl: Excessive Data Length in (Mar 29)
  --------------------------------------------------------
  A security issue has been fixed in cURL / libcURL, which can
  potentially be exploited by malicious people to cause a DoS (Denial
  of Service) or compromise an application using the library.

  http://www.linuxsecurity.com/content/view/152015

* Pardus: 2010-45: Apache: Multiple Vulnerabilities (Mar 29)
  ----------------------------------------------------------
  Multiple vulnerabilities have been fixed in Apache, where one has
  unknown impacts and others can be exploited by malicious people to
  gain access to potentially sensitive information or cause a DoS
  (Denial of Service).

  http://www.linuxsecurity.com/content/view/152010

* Pardus: 2010-44: Php: Multiple Vulnerabilities (Mar 29)
  -------------------------------------------------------
  Multiple vulnerabilities have been fixed in PHP, which can be
  exploited by malicious users to bypass certain security restrictions.

  http://www.linuxsecurity.com/content/view/152011

* Pardus: 2010-41: Libpng: Denial of Service (Mar 29)
  ---------------------------------------------------
  A vulnerability has been reported in libpng, which can be exploited
  by malicious people to cause a DoS (Denial of Service).

  http://www.linuxsecurity.com/content/view/152012

* Pardus: 2010-40: Pango: Denial of Service (Mar 29)
  --------------------------------------------------
  A vulnerability was fixed in Pango which can allow a remote or local
  user to cause denial of service conditions.

  http://www.linuxsecurity.com/content/view/152013

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


___________________________________________________________
Register now for HITBSecConf2010 - Dubai, the premier 
deep-knowledge network security event in the GCC, 
featuring keynote speakers John Viega and Matt Watchinski! 
http://conference.hitb.org/hitbsecconf2010dxb/
Received on Sun Apr 04 2010 - 23:07:43 PDT
