[ISN] Linux Advisory Watch: April 10th, 2010

From: InfoSec News <alerts_at_private>
Date: Mon, 12 Apr 2010 00:23:52 -0500 (CDT)
+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| April 10th, 2010                                Volume 11, Number 15 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor has made
available.

Vulnerabilities in Web Applications
-----------------------------------
This paper aims to raise awareness by discussing common vulnerabilities
and mistakes in web application development. It also considers mitigating
factors, strategies and corrective measures.

http://www.linuxsecurity.com/content/view/118427


A Secure Nagios Server
----------------------
This article will not show you how to install Nagios, since there are
plenty of guides for that already, but it will show you in detail ways
to improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
  ----------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2030-1: mahara: sql injection (Apr 6)
  ---------------------------------------------
  It was discovered that mahara, an electronic portfolio, weblog, and
  resume builder, is not properly escaping input when generating a
  unique username based on a remote user name from a single sign-on
  application. An attacker can use this to compromise the mahara
  database via crafted user names. [More...]

  http://www.linuxsecurity.com/content/view/152083

* Debian: 2029-1: imlib2: Multiple vulnerabilities (Apr 5)
  --------------------------------------------------------
  It was discovered that imlib2, a library to load and process several
  image formats, did not properly process various image file types.
  Several heap and stack based buffer overflows - partly due to integer
  overflows - in the ARGB, BMP, JPEG, LBM, PNM, TGA and XPM loaders can
  [More...]

  http://www.linuxsecurity.com/content/view/152079

* Debian: 2028-1: xpdf: Multiple vulnerabilities (Apr 5)
  ------------------------------------------------------
  Several vulnerabilities have been identified in xpdf, a suite of
  tools for viewing and converting Portable Document Format (PDF)
  files. The Common Vulnerabilities and Exposures project identifies
  the following [More...]

  http://www.linuxsecurity.com/content/view/152078

* Debian: 2027-1: xulrunner: Multiple vulnerabilities (Apr 3)
  -----------------------------------------------------------
  Several remote vulnerabilities have been discovered in Xulrunner, a
  runtime environment for XUL applications, such as the Iceweasel web
  browser. The Common Vulnerabilities and Exposures project identifies
  the following problems: [More...]

  http://www.linuxsecurity.com/content/view/152065

* Debian: 2026-1: netpbm-free: stack-based buffer overflow (Apr 2)
  ----------------------------------------------------------------
  Marc Schoenefeld discovered a stack-based buffer overflow in the XPM
  reader implementation in netpbm-free, a suite of image manipulation
  utilities. An attacker could cause a denial of service (application
  crash) or possibly [More...]

  http://www.linuxsecurity.com/content/view/152063

------------------------------------------------------------------------

* Mandriva: 2010:069: nss (Apr 6)
  -------------------------------
  A vulnerability has been found and corrected in nss: The TLS
  protocol, and the SSL protocol 3.0 and possibly earlier, as used in
  Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the
  Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
  [More...]

  http://www.linuxsecurity.com/content/view/152090

------------------------------------------------------------------------

* Red Hat: 2010:0343-01: krb5: Important Advisory (Apr 6)
  -------------------------------------------------------
  Updated krb5 packages that fix one security issue and one bug are now
  available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having [More...]

  http://www.linuxsecurity.com/content/view/152089

* Red Hat: 2010:0342-01: kernel: Important Advisory (Apr 6)
  ---------------------------------------------------------
  Updated kernel packages that fix one security issue and one bug are
  now available for Red Hat Enterprise Linux 4.7 Extended Update
  Support. The Red Hat Security Response Team has rated this update as
  having [More...]

  http://www.linuxsecurity.com/content/view/152088

------------------------------------------------------------------------

* Slackware: 2010-095-01: mozilla-thunderbird: Security Update (Apr 5)
  --------------------------------------------------------------------
  New mozilla-thunderbird packages are available for Slackware 10.2,
  11.0, 12.0, 12.1, 12.2, 13.0, and -current to fix security issues.
  [More Info...]

  http://www.linuxsecurity.com/content/view/152068

* Slackware: 2010-095-02: mozilla-firefox: Security Update (Apr 5)
  ----------------------------------------------------------------
  New mozilla-firefox packages are available for Slackware 12.2, 13.0,
  and -current to fix security issues.  [More Info...]

  http://www.linuxsecurity.com/content/view/152066

* Slackware: 2010-095-03: seamonkey: Security Update (Apr 5)
  ----------------------------------------------------------
  New seamonkey packages are available for Slackware 12.2, 13.0, and
  -current to fix security issues.  [More Info...]

  http://www.linuxsecurity.com/content/view/152067

------------------------------------------------------------------------

* SuSE: Weekly Summary 2010:008 (Apr 7)
  -------------------------------------
  To avoid flooding mailing lists with SUSE Security Announcements for
  minor issues, SUSE Security releases weekly summary reports for the
  low profile vulnerability fixes. The SUSE Security Summary Reports do
  not list or download URLs like the SUSE Security Announcements that
  are released for more severe vulnerabilities.  List of
  vulnerabilities in this summary include: gnome-screensaver, tomcat5,
  tomcat6, libtheora, java-1_6_0-sun, samba.

  http://www.linuxsecurity.com/content/view/152093

------------------------------------------------------------------------

* Ubuntu: 926-1: ClamAV vulnerabilities (Apr 8)
  ---------------------------------------------
  It was discovered that ClamAV did not properly verify its input
  when processing CAB files. A remote attacker could send a specially
  crafted CAB file to evade malware detection. (CVE-2010-0098) [More...]

  http://www.linuxsecurity.com/content/view/152105

* Ubuntu: 925-1: MoinMoin vulnerabilities (Apr 8)
  -----------------------------------------------
  It was discovered that MoinMoin did not properly sanitize its input
  when processing Despam actions, resulting in cross-site scripting
  (XSS) vulnerabilities. If a privileged wiki user were tricked into
  performing the Despam action on a page with a crafted title, a remote
  attacker could exploit this to execute JavaScript code.
  (CVE-2010-0828) [More...]

  http://www.linuxsecurity.com/content/view/152104

* Ubuntu: 923-1: OpenJDK vulnerabilities (Apr 7)
  ----------------------------------------------
  Marsh Ray and Steve Dispensa discovered a flaw in the TLS and
  SSLv3 protocols. If an attacker could perform a man in the middle
  attack at the start of a TLS connection, the attacker could inject
  arbitrary content at the beginning of the user's session.
  (CVE-2009-3555) [More...]

  http://www.linuxsecurity.com/content/view/152091

* Ubuntu: 924-1: Kerberos vulnerabilities (Apr 7)
  -----------------------------------------------
  Sol Jerome discovered that the Kerberos kadmind service did not
  correctly free memory.  An unauthenticated remote attacker could send
  specially crafted traffic to crash the kadmind process, leading to a
  denial of service. (CVE-2010-0629) [More...]

  http://www.linuxsecurity.com/content/view/152092

------------------------------------------------------------------------

* Pardus: 2010-46: OpenSSL: Denial of Service (Apr 6)
  ---------------------------------------------------
  A vulnerability has been fixed in OpenSSL, which can be exploited by
  malicious people to manipulate certain data and cause a DoS (Denial
  of Service).

  http://www.linuxsecurity.com/content/view/152080

* Pardus: 2010-47: Firefox: Multiple Vulnerabilities (Apr 6)
  ----------------------------------------------------------
  Multiple vulnerabilities have been fixed in Firefox.

  http://www.linuxsecurity.com/content/view/152081

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

Received on Sun Apr 11 2010 - 22:23:52 PDT