AOH :: IS1665.HTM

Linux Advisory Watch - January 30th 2009




Linux Advisory Watch - January 30th 2009
Linux Advisory Watch - January 30th 2009



+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| January 30th, 2009                               Volume 10, Number 5 |
|                                                                      |
| Editorial Team: Dave Wreski  | 
| Benjamin D. Thomas  | 
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for moin, rt, typo3,
ganglia-monitor-core, dia, kernel, vnc, ntp, tor, libnasl, nessus,
drupal, amaorok, mumbles, moodle, uw-imap, cups, phpMyAdmin, pidgin,
java, openssl, bind, vim, ktorrent, xine-lib, libpng, python, and dbus.
 The distributors include Debian, Fedora, Mandriva, Red Hat, SuSE, and
Pardus.

---

>> Linux+DVD Magazine <<

In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26 

---

Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?" You may not take even a
second to respond.  But if I may ask "How much does Google know about
you"? You may instantly reply "Wait... what!? Do they!?"  The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.

http://www.linuxsecurity.com/content/view/145939 

---

A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088 

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- 

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
  ------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/145668 

------------------------------------------------------------------------

* Debian: New moin packages fix insufficient input sanitising (Jan 29)
  --------------------------------------------------------------------
  It was discovered that the AttachFile action in moin, a python clone
  of WikiWiki, is prone to cross-site scripting attacks
  (CVE-2009-0260). Another cross-site scripting vulnerability was
  discovered in the antispam feature (CVE-2009-0312).

http://www.linuxsecurity.com/content/view/147871 

* Debian: New rt2570 packages fix arbitrary code execution (Jan 28)
  -----------------------------------------------------------------
  It was discovered that an integer overflow in the "Probe Request"
  packet parser of the Ralinktech wireless drivers might lead to remote
  denial of service or the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/147870 

* Debian: New rt2500 packages fix arbitrary code execution (Jan 28)
  -----------------------------------------------------------------
  It was discovered that an integer overflow in the "Probe Request"
  packet parser of the Ralinktech wireless drivers might lead to remote
  denial of service or the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/147869 

* Debian: New rt2400 packages fix arbitrary code execution (Jan 28)
  -----------------------------------------------------------------
  It was discovered that an integer overflow in the "Probe Request"
  packet parser of the Ralinktech wireless drivers might lead to remote
  denial of service or the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/147868 

* Debian: New TYPO3 packages fix remote code execution (Jan 26)
  -------------------------------------------------------------
  Several remotely exploitable vulnerabilities have been discovered in
  the TYPO3 web content management framework.  The Common
  Vulnerabilities and Exposures project identifies the following
  problems...

http://www.linuxsecurity.com/content/view/147856 

* Debian: New ganglia-monitor-core packages fix remote code execution (Jan 25)
  ----------------------------------------------------------------------------
  Spike Spiegel discovered a stack-based buffer overflow in gmetad, the
  meta-daemon for the ganglia cluster monitoring toolkit, which could
  be triggered via a request with long path names and might enable
  arbitrary code execution.

http://www.linuxsecurity.com/content/view/147842 

------------------------------------------------------------------------

* Fedora 9 Update: dia-0.96.1-7.fc9 (Jan 26)
  ------------------------------------------
  Filter out untrusted python modules search path to remove the
  possibility to run arbitrary code on the user's system if there is a
  python file in dia's working directory named the same as one that
  dia's python scripts try to import.

http://www.linuxsecurity.com/content/view/147862 

* Fedora 9 Update: kernel-2.6.27.12-78.2.8.fc9 (Jan 26)
  -----------------------------------------------------
  Includes security fixes:  CVE-2009-0029 Linux Kernel insecure 64 bit
  system call argument passing	CVE-2009-0065 kernel: sctp: memory
  overflow when FWD-TSN chunk is received with bad stream ID	Also
  fixes bug 478299, reported against Fedora 10:  AVC denials on kernel
  2.6.27.9-159.fc10.x86_64    Reverts ALSA driver to the version that
  is upstream in kernel 2.6.27. This should fix lack of audio on
  headphone outputs for some notebooks.

http://www.linuxsecurity.com/content/view/147861 

* Fedora 9 Update: vnc-4.1.3-1.fc9 (Jan 26)
  -----------------------------------------
  Update to 4.1.3 maintenance release which contains fix for
  CVE-2008-4770

http://www.linuxsecurity.com/content/view/147860 

* Fedora 10 Update: vnc-4.1.3-1.fc10 (Jan 26)
  -------------------------------------------
  Update to 4.1.3 maintenance release which contains fix for
  CVE-2008-4770

http://www.linuxsecurity.com/content/view/147859 

* Fedora 10 Update: kernel-2.6.27.12-170.2.5.fc10 (Jan 26)
  --------------------------------------------------------
  Includes security fixes:  CVE-2009-0029 Linux Kernel insecure 64 bit
  system call argument passing	CVE-2009-0065 kernel: sctp: memory
  overflow when FWD-TSN chunk is received with bad stream ID	Reverts
  ALSA driver to the version that is upstream in kernel 2.6.27.    This
  should be the last 2.6.27 kernel update for Fedora 10.  A 2.6.28
  update kernel is being tested.

http://www.linuxsecurity.com/content/view/147858 

* Fedora 10 Update: dia-0.96.1-9.fc10 (Jan 26)
  --------------------------------------------
  Filter out untrusted python modules search path to remove the
  possibility to run arbitrary code on the user's system if there is a
  python file in dia's working directory named the same as one that
  dia's python scripts try to import.

http://www.linuxsecurity.com/content/view/147857 

* Fedora 9 Update: ntp-4.2.4p6-1.fc9 (Jan 26)
  -------------------------------------------
  This update fixes CVE-2009-0021:    NTP 4.2.4 before 4.2.4p5 and
  4.2.5 before 4.2.5p150 does not properly check the return value from
  the OpenSSL EVP_VerifyFinal function, which allows remote attackers
  to bypass validation of the certificate chain via a malformed SSL/TLS
  signature for DSA and ECDSA keys, a similar vulnerability to
  CVE-2008-5077.

http://www.linuxsecurity.com/content/view/147844 

* Fedora 10 Update: ntp-4.2.4p6-1.fc10 (Jan 26)
  ---------------------------------------------
  This update fixes CVE-2009-0021:    NTP 4.2.4 before 4.2.4p5 and
  4.2.5 before 4.2.5p150 does not properly check the return value from
  the OpenSSL EVP_VerifyFinal function, which allows remote attackers
  to bypass validation of the certificate chain via a malformed SSL/TLS
  signature for DSA and ECDSA keys, a similar vulnerability to
  CVE-2008-5077.

http://www.linuxsecurity.com/content/view/147845 

* Fedora 9 Update: tor-0.2.0.33-1.fc9 (Jan 26)
  --------------------------------------------
  New upstream release 0.2.0.33, with lots of bug fixes and one
  security fix:
  https://blog.torproject.org/blog/tor-0.2.0.33-stable-released

http://www.linuxsecurity.com/content/view/147846 

* Fedora 10 Update: libnasl-2.2.11-3.fc10 (Jan 26)
  ------------------------------------------------
  libnasl: OpenSSL incorrect checks for malformed signatures
  https://bugzilla.redhat.com/show_bug.cgi?id=479655

http://www.linuxsecurity.com/content/view/147847 

* Fedora 10 Update: nessus-core-2.2.11-1.fc10 (Jan 26)
  ----------------------------------------------------
  OpenSSL incorrect checks for malformed signatures
  https://bugzilla.redhat.com/show_bug.cgi?id=479655

http://www.linuxsecurity.com/content/view/147848 

* Fedora 10 Update: nessus-libraries-2.2.11-1.fc10 (Jan 26)
  ---------------------------------------------------------
  libnasl: OpenSSL incorrect checks for malformed signatures
  https://bugzilla.redhat.com/show_bug.cgi?id=479655

http://www.linuxsecurity.com/content/view/147849 

* Fedora 10 Update: tor-0.2.0.33-1.fc10 (Jan 26)
  ----------------------------------------------
  New upstream release 0.2.0.33, with lots of bug fixes and one
  security fix:
  https://blog.torproject.org/blog/tor-0.2.0.33-stable-released

http://www.linuxsecurity.com/content/view/147850 

* Fedora 9 Update: libnasl-2.2.11-3.fc9 (Jan 26)
  ----------------------------------------------
  libnasl: OpenSSL incorrect checks for malformed signatures
  https://bugzilla.redhat.com/show_bug.cgi?id=479655

http://www.linuxsecurity.com/content/view/147851 

* Fedora 9 Update: nessus-core-2.2.11-1.fc9 (Jan 26)
  --------------------------------------------------
  libnasl: OpenSSL incorrect checks for malformed signatures
  https://bugzilla.redhat.com/show_bug.cgi?id=479655

http://www.linuxsecurity.com/content/view/147852 

* Fedora 9 Update: nessus-libraries-2.2.11-1.fc9 (Jan 26)
  -------------------------------------------------------
  libnasl: OpenSSL incorrect checks for malformed signatures
  https://bugzilla.redhat.com/show_bug.cgi?id=479655

http://www.linuxsecurity.com/content/view/147853 

* Fedora 10 Update: drupal-6.9-1.fc10 (Jan 22)
  --------------------------------------------
SA-CORE-2009-001 ( http://drupal.org/node/358957 )	Remember to log 
  in to your site as the admin user before upgrading this package.
After upgrading the package, browse to http://host/drupal/update.php 
  to run the upgrade script.

http://www.linuxsecurity.com/content/view/147690 

* Fedora 9 Update: drupal-6.9-1.fc9 (Jan 22)
  ------------------------------------------
SA-CORE-2009-001 ( http://drupal.org/node/358957 )	Remember to log 
  in to your site as the admin user before upgrading this package.
After upgrading the package, browse to http://host/drupal/update.php 
  to run the upgrade script.

http://www.linuxsecurity.com/content/view/147691 

* Fedora 9 Update: amarok-1.4.10-2.fc9 (Jan 22)
  ---------------------------------------------
  This build includes a security fix concerning the parsing of
  malformed Audible digital audio files.

http://www.linuxsecurity.com/content/view/147692 

* Fedora 10 Update: mumbles-0.4-9.fc10 (Jan 22)
  ---------------------------------------------
  - Fixed path to make mumbles run on x86_64 bug #479158  - Security
  fix for Firefox plugin bug #479171

http://www.linuxsecurity.com/content/view/147693 

* Fedora 9 Update: moodle-1.9.3-5.fc9 (Jan 22)
  --------------------------------------------
  Fix for spellcheck security flaw, and some font correction.

http://www.linuxsecurity.com/content/view/147694 

* Fedora 10 Update: moodle-1.9.3-5.fc10 (Jan 22)
  ----------------------------------------------
  Fix for spellcheck security flaw, and some font correction.

http://www.linuxsecurity.com/content/view/147695 

* Fedora 10 Update: uw-imap-2007e-1.fc10 (Jan 22)
  -----------------------------------------------
  Update to new upstream version - 2007e.    Contains fix for a
  security issue - buffer overflow in rfc822_output_char /
  rfc822_output_data (CVE-2008-5514).

http://www.linuxsecurity.com/content/view/147696 

* Fedora 9 Update: DevIL-1.7.5-2.fc9 (Jan 22)
  -------------------------------------------
  - Fix missing symbols (rh 480269)  - Fix off by one error in
  CVE-2008-5262 check (rh 479864)

http://www.linuxsecurity.com/content/view/147697 

* Fedora 9 Update: uw-imap-2007e-1.fc9 (Jan 22)
  ---------------------------------------------
  Update to new upstream version - 2007e.    Contains fix for a
  security issue - buffer overflow in rfc822_output_char /
  rfc822_output_data (CVE-2008-5514).

http://www.linuxsecurity.com/content/view/147698 

* Fedora 10 Update: DevIL-1.7.5-2.fc10 (Jan 22)
  ---------------------------------------------
  - Fix missing symbols (rh 480269)  - Fix off by one error in
  CVE-2008-5262 check (rh 479864)

http://www.linuxsecurity.com/content/view/147699 

------------------------------------------------------------------------

* Mandriva: [ MDVSA-2009:030 ] amarok (Jan 27)
  --------------------------------------------
  Data length values in metadata Audible Audio media file (.aa) can
  lead to an integer overflow enabling remote attackers use it to
  trigger an heap overflow and enabling the possibility to execute
  arbitrary code (CVE-2009-0135). Failure on checking heap allocation
  on Audible Audio media files (.aa) allows remote attackers either to
  cause denial of service or execute arbitrary code via a crafted media
  file (CVE-2009-0136). This update provide the fix for these security
  issues.

http://www.linuxsecurity.com/content/view/147865 

* Mandriva: [ MDVSA-2009:029 ] cups (Jan 24)
  ------------------------------------------
  Security vulnerabilities have been discovered and corrected in CUPS.
  CUPS 1.1.17 through 1.3.9 allows remote attackers to execute
  arbitrary code via a PNG image with a large height value, which
  bypasses a validation check and triggers a buffer overflow
  (CVE-2008-5286). CUPS shipped with Mandriva Linux allows local users
  to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log
  temporary file (CVE-2009-0032). The updated packages have been
  patched to prevent this.

http://www.linuxsecurity.com/content/view/147841 

* Mandriva: [ MDVSA-2009:028 ] cups (Jan 24)
  ------------------------------------------
  Security vulnerabilities have been discovered and corrected in CUPS.
  CUPS before 1.3.8 allows local users, and possibly remote attackers,
  to cause a denial of service (daemon crash) by adding a large number
  of RSS Subscriptions, which triggers a NULL pointer dereference
  (CVE-2008-5183). The web interface (cgi-bin/admin.c) in CUPS before
  1.3.8 uses the guest username when a user is not logged on to the web
  server, which makes it easier for remote attackers to bypass intended
  policy and conduct CSRF attacks via the (1) add and (2) cancel RSS
  subscription functions (CVE-2008-5184). CUPS 1.1.17 through 1.3.9
  allows remote attackers to execute arbitrary code via a PNG image
  with a large height value, which bypasses a validation check and
  triggers a buffer overflow (CVE-2008-5286). CUPS shipped with
  Mandriva Linux allows local users to overwrite arbitrary files via a
  symlink attack on the /tmp/pdf.log temporary file (CVE-2009-0032).
  The updated packages have been patched to prevent this.

http://www.linuxsecurity.com/content/view/147840 

* Mandriva: [ MDVSA-2009:027 ] cups (Jan 24)
  ------------------------------------------
  A vulnerability has been discovered in CUPS shipped with Mandriva
  Linux which allows local users to overwrite arbitrary files via a
  symlink attack on the /tmp/pdf.log temporary file (CVE-2009-0032).
  The updated packages have been patched to prevent this.

http://www.linuxsecurity.com/content/view/147839 

* Mandriva: [ MDVSA-2009:026 ] phpMyAdmin (Jan 23)
  ------------------------------------------------
  Cross-site scripting (XSS) vulnerability in pmd_pdf.php allows remote
  attackers to inject arbitrary web script or HTML by using db script
  parameter when register_global php parameter is
  enabled (CVE-2008-4775). Cross-site request forgery (CSRF)
  vulnerability in tbl_structure.php allows remote attackers perform
  SQL injection and execute arbitrary code by using table script
  parameter (CVE-2008-5621). Multiple cross-site request forgery (CSRF)
  vulnerabilities in allows remote attackers perform SQL injection by
  using unknown vectors related to table script parameter
  (CVE-2008-5622). This update provide the fix for these security
  issues.

http://www.linuxsecurity.com/content/view/147710 

* Mandriva: [ MDVSA-2009:025 ] pidgin (Jan 22)
  --------------------------------------------
  The NSS plugin in libpurple in Pidgin 2.4.1 does not verify SSL
  certificates, which makes it easier for remote attackers to trick a
  user into accepting an invalid server certificate for a spoofed
  service... The updated packages have been patched to fix these
  issues.

http://www.linuxsecurity.com/content/view/147700 

------------------------------------------------------------------------

* RedHat: Moderate: ntp security update (Jan 29)
  ----------------------------------------------
  Updated ntp packages to correct a security issue are now available
  for Red Hat Enterprise Linux 4 and 5. This update has been rated as
  having moderate security impact by the Red Hat Security Response
  Team.

http://www.linuxsecurity.com/content/view/147875 

* RedHat: Important: kernel security and bug fix update (Jan 22)
  --------------------------------------------------------------
  Updated kernel packages that fix several security issues and several
  bugs are now available for Red Hat Enterprise MRG 1.0. This update
  has been rated as having important security impact by the Red Hat
  Security Response Team.

http://www.linuxsecurity.com/content/view/147689 

------------------------------------------------------------------------

* SuSE: Linux kernel (SUSE-SA:2009:008) (Jan 29)
  ----------------------------------------------
  The SUSE Linux Enterprise 10 Service Pack 2 kernel was updated to
  version 2.6.16.60-0.34 to fix some security issues and various bugs.
  The following security problems have been fixed...

http://www.linuxsecurity.com/content/view/147877 

* SuSE: IBM Java 5 (SUSE-SA:2009:007) (Jan 29)
  --------------------------------------------
  The IBM Java JRE 5 was brought to Service Release 9 fixing quite a
  number of security issues and bugs.  The update fixes the following
  security problems...

http://www.linuxsecurity.com/content/view/147876 

* SuSE: OpenSSL certificate verification (Jan 23)
  -----------------------------------------------
  The OpenSSL certificate checking routines EVP_VerifyFinal can return
    negative values and 0 on failure. In some places negative values
  were not checked and considered successful verification.    Prior to
  this update it was possible to bypass the certification    chain
  checks of openssl.   This advisory is for the updates that improve
  the verification of	 return values inside the OpenSSL library
  itself.

http://www.linuxsecurity.com/content/view/147709 

* SuSE: bind (SUSE-SA:2009:005) (Jan 22)
  --------------------------------------
  The DNS daemon bind is used to resolve and lookup addresses on the
  inter-    net.    Some month ago a vulnerability in the DNS protocol
  and its numbers was	 published that allowed easy spoofing of DNS
  entries. The only way to pro-    tect against spoofing is to use
  DNSSEC.    Unfortunately the bind code that verifys the certification
  chain of a DNS-    SEC zone transfer does not properly check the
  return value of function    DSA_do_verify(). This allows the spoofing
  of records signed with DSA or    NSEC3DSA.

http://www.linuxsecurity.com/content/view/147688 

------------------------------------------------------------------------

* Ubuntu:  Vim vulnerabilities (Jan 27)
  -------------------------------------
  Jan Minar discovered that Vim did not properly sanitize inputs before
  invoking the execute or system functions inside Vim scripts. If a
  user were tricked into running Vim scripts with a specially crafted
  input, an attacker could execute arbitrary code with the privileges
  of the user invoking the program. (CVE-2008-2712) Ben Schmidt
  discovered that Vim did not properly escape characters when
  performing keyword or tag lookups. If a user were tricked into
  running specially crafted commands, an attacker could execute
  arbitrary code with the privileges of the user invoking the program.
  (CVE-2008-4101)

http://www.linuxsecurity.com/content/view/147863 

* Ubuntu:  KTorrent vulnerabilities (Jan 26)
  ------------------------------------------
  It was discovered that KTorrent did not properly restrict access when
  using the web interface plugin. A remote attacker could use a crafted
  http request and upload arbitrary torrent files to trigger the start
  of downloads and seeding. (CVE-2008-5905) It was discovered that
  KTorrent did not properly handle certain parameters when using the
  web interface plugin. A remote attacker could use crafted http
  requests to execute arbitrary PHP code. (CVE-2008-5906)

http://www.linuxsecurity.com/content/view/147854 

* Ubuntu:  xine-lib vulnerabilities (Jan 26)
  ------------------------------------------
  It was discovered that xine-lib did not correctly handle certain
  malformed Ogg and Windows Media files. If a user or automated system
  were tricked into opening a specially crafted Ogg or Windows Media
  file, an attacker could cause xine-lib to crash, creating a denial of
  service. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04
  LTS. (CVE-2008-3231)...

http://www.linuxsecurity.com/content/view/147855 

------------------------------------------------------------------------

* Pardus: gst-plugins-good: Denial of Service (Jan 29)
  ----------------------------------------------------
  Tobias  Klein has  reported  some  vulnerabilities  in  GStreamer
  Good	Plug-ins, which can potentially be exploited  by  malicious
  people  to  compromise a vulnerable system.

http://www.linuxsecurity.com/content/view/147874 

* Pardus: nsf-utils: Security Bypass (Jan 29)
  -------------------------------------------
  There is a weakness in nfs-utils, which can be exploited  by
  malicious  people to bypass certain security restrictions.

http://www.linuxsecurity.com/content/view/147873 

* Pardus: xine-lib: Multiple Overflows (Jan 29)
  ---------------------------------------------
  There are multiple overflows in xine-lib.

http://www.linuxsecurity.com/content/view/147872 

* Pardus: Kernel: Multiple Denial of Service (Jan 23)
  ---------------------------------------------------
  There are multiple Denial of Service and buffer overflow
  vulnerabilities in Linux kernel.

http://www.linuxsecurity.com/content/view/147706 

* Pardus: Libmikmod: Denial of Service (Jan 23)
  ---------------------------------------------
  Some vulnerabilities have been reported  in  libmikmod,  which  can
  be  exploited by malicious people to cause a DoS (Denial of Service).

http://www.linuxsecurity.com/content/view/147705 

* Pardus: DevIL: Multiple Buffer Overflows (Jan 23)
  -------------------------------------------------
  The vulnerabilities are  caused  due	to  boundary  errors  within
  the  "iGetHdrHeader()"  function in  src-IL/src/il_hdr.c.  These
  can	be   exploited	to cause  a  stack-based  buffer  overflow
  when	processing  specially crafted Radiance RGBE files.

http://www.linuxsecurity.com/content/view/147704 

* Pardus: Libpng: Memory Overwrite (Jan 23)
  -----------------------------------------
  The png_check_keyword function in pngwutil.c in libpng  before
  1.0.42,  and 1.2.x before 1.2.34, might allow context-dependent
  attackers to set  the value of an arbitrary memory location to zero
  via vectors involving  creation of crafted PNG files with keywords,
  related to an implicit cast of the '\0' character constant to a NULL
  pointer.

http://www.linuxsecurity.com/content/view/147703 

* Pardus: Python: Multiple Integer Overflows (Jan 23)
  ---------------------------------------------------
  Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6,
  allow context-dependent attackers to have  an  unknown  impact  via
  a  large  integer value in the tabsize argument  to  the  expandtabs
  method,  as  implemented    by (1)	the    string_expandtabs
  function     in     Objects/stringobject.c  and (2)  the
  unicode_expandtabs  function	in   Objects/unicodeobject.c.

http://www.linuxsecurity.com/content/view/147702 

* Pardus: Dbus: Security Bypass (Jan 23)
  --------------------------------------
  The default configuration of system.conf in  D-Bus  (aka  DBus)
  before  1.2.6 omits the send_type attribute in certain rules.

http://www.linuxsecurity.com/content/view/147701 

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com 
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


_______________________________________________      
Best Selling Security Books & More!
http://www.shopinfosecnews.org/ 

Site design & layout copyright © 1986-2014 CodeGods