Linux Advisory Watch - August 14th 2009
+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| August 14th, 2009 Volume 10, Number 33 |
| |
| Editorial Team: Dave Wreski |
| Benjamin D. Thomas |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for ruby, libxml2, imagemagick,
camlimages, squid3, mantis, subversion, memcached, fetchmail, viewvc,
ocaml, wordpress, xmlsec, libvorbis, apr, java, libTIFF, mmc, samba,
coreutils, openldap, nss, urpmi, curl, and Firefox. The
distributors include Debian, Fedora, Mandriva, Red Hat, Slackware,
SuSE, and Ubuntu.
---
>> Linux+DVD Magazine <<
In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.
Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!
http://www.linuxsecurity.com/ads/adclick.php?bannerid=26
---
Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
If I ask "How much do you know about Google?", you may not take even a
second to respond. But if I ask "How much does Google know about
you?", you may instantly reply "Wait... what!? Do they!?" The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business and what you can do to protect yourself.
http://www.linuxsecurity.com/content/view/145939
---
A Secure Nagios Server
----------------------
Nagios is monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process; however, making it a secure setup takes some
work. This article will not show you how to install Nagios, since there
are plenty of guides for that already, but it will show you in detail
ways to improve your Nagios security.
http://www.linuxsecurity.com/content/view/144088
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: New Ruby packages fix several issues (Aug 12)
-----------------------------------------------------
http://www.linuxsecurity.com/content/view/149744
* Debian: New libxml2 packages fix several issues (Aug 10)
--------------------------------------------------------
http://www.linuxsecurity.com/content/view/149723
* Debian: New imagemagick packages fix several vulnerabilities (Aug 10)
---------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/149717
* Debian: New camlimages packages fix arbitrary code execution (Aug 9)
--------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/149711
* Debian: New squid3 packages fix regression (Aug 9)
--------------------------------------------------
http://www.linuxsecurity.com/content/view/149710
* Debian: New mantis packages fix information leak (Aug 8)
--------------------------------------------------------
http://www.linuxsecurity.com/content/view/149706
* Debian: New subversion packages fix arbitrary code execution (Aug 8)
--------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/149705
* Debian: New APR packages fix arbitrary code execution (Aug 8)
-------------------------------------------------------------
http://www.linuxsecurity.com/content/view/149704
* Debian: New memcached packages fix arbitrary code execution (Aug 7)
-------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/149690
* Debian: New fetchmail packages fix SSL certificate verification weakness (Aug 7)
--------------------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/149689
* Debian: New gst-plugins-bad0.10 packages fix arbitrary code execution (Aug 6)
-----------------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/149663
------------------------------------------------------------------------
* Fedora 11 Update: viewvc-1.1.2-2.fc11 (Aug 12)
----------------------------------------------
CHANGES in 1.1.2:
- security fix: validate the 'view' parameter to avoid XSS attack
- security fix: avoid printing illegal parameter names and values
- add optional support for character encoding detection (issue #400)
- fix username case handling in svnauthz module (issue #419)
- fix cvsdbadmin/svnadmin rebuild error on missing repos (issue #420)
- don't drop leading blank lines from colorized file contents (issue #422)
- add file.ezt template logic for optionally hiding binary file contents
Also includes: install and populate mimetypes.conf. This should
hopefully help when colouring syntax using pygments.
http://www.linuxsecurity.com/content/view/149748
* Fedora 11 Update: ocaml-camlimages-3.0.1-7.fc11.2 (Aug 12)
----------------------------------------------------------
CVE 2009-2295
http://www.linuxsecurity.com/content/view/149746
* Fedora 10 Update: viewvc-1.0.9-1.fc10 (Aug 12)
----------------------------------------------
CHANGES in 1.0.9:
- security fix: validate the 'view' parameter to avoid XSS attack
- security fix: avoid printing illegal parameter names and values
Also includes: patch by Patrick Monnerat to make allow_tar work on F-10.
http://www.linuxsecurity.com/content/view/149747
* Fedora 11 Update: libxml2-2.7.3-3.fc11 (Aug 11)
-----------------------------------------------
Two patches for parsing problems raised by Ficora.
http://www.linuxsecurity.com/content/view/149737
* Fedora 10 Update: libxml2-2.7.3-2.fc10 (Aug 11)
-----------------------------------------------
Two patches for parsing problems raised by Ficora.
http://www.linuxsecurity.com/content/view/149736
* Fedora 10 Update: wordpress-2.8.3-2.fc10 (Aug 11)
-------------------------------------------------
security update to fix "Remote admin reset password":
http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070137.html
http://www.linuxsecurity.com/content/view/149735
* Fedora 11 Update: wordpress-2.8.3-2.fc11 (Aug 11)
-------------------------------------------------
security update to fix "Remote admin reset password":
http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070137.html
http://www.linuxsecurity.com/content/view/149733
* Fedora 11 Update: xmlsec1-1.2.12-1.fc11 (Aug 11)
------------------------------------------------
http://www.linuxsecurity.com/content/view/149734
* Fedora 10 Update: xmlsec1-1.2.12-1.fc10 (Aug 11)
------------------------------------------------
http://www.linuxsecurity.com/content/view/149732
* Fedora 11 Update: subversion-1.6.4-2.fc11 (Aug 10)
--------------------------------------------------
This update includes the latest stable release of Subversion, fixing
many bugs and a security issue: Matt Lewis reported multiple heap
overflow flaws in Subversion (servers and clients) when parsing
binary deltas. Malicious users with commit access to a vulnerable
server could use these flaws to cause a heap overflow on the server
running Subversion. A malicious Subversion server could use these
flaws to cause a heap overflow on vulnerable clients when they
attempt to checkout or update, resulting in a crash or, possibly,
arbitrary code execution on the vulnerable client. (CVE-2009-2411)
This update also adds support for storing passwords in the GNOME
Keyring or KDE Wallet, via the new subversion-gnome and
subversion-kde subpackages. For more details of the bug fixes
included in this update, see:
http://svn.collab.net/repos/svn/tags/1.6.4/CHANGES
http://www.linuxsecurity.com/content/view/149727
* Fedora 11 Update: libvorbis-1.2.0-8.fc11 (Aug 10)
-------------------------------------------------
Fixes CVE-2009-2663
http://www.linuxsecurity.com/content/view/149726
* Fedora 10 Update: libvorbis-1.2.0-6.fc10 (Aug 10)
-------------------------------------------------
Fixes CVE-2009-2663
http://www.linuxsecurity.com/content/view/149725
* Fedora 10 Update: subversion-1.6.4-2.fc10 (Aug 10)
--------------------------------------------------
This update includes the latest stable release of Subversion,
including several enhancements, many bug fixes, and a fix for a
security issue: Matt Lewis reported multiple heap overflow flaws
in Subversion (servers and clients) when parsing binary deltas.
Malicious users with commit access to a vulnerable server could use
these flaws to cause a heap overflow on the server running
Subversion. A malicious Subversion server could use these flaws to
cause a heap overflow on vulnerable clients when they attempt to
checkout or update, resulting in a crash or, possibly, arbitrary code
execution on the vulnerable client. (CVE-2009-2411) Version 1.6
offers many bug fixes and enhancements over 1.5, with the notable
major features:
- identical files share storage space in repository
- file-externals support for intra-repository files
- "tree" conflicts now handled more gracefully
- repository root relative URL support on most commands
For more information on changes in 1.6, see the release notes:
http://subversion.tigris.org/svn_1.6_releasenotes.html
http://www.linuxsecurity.com/content/view/149724
* Fedora 10 Update: apr-1.3.8-1.fc10 (Aug 7)
------------------------------------------
CVE-2009-2412: allocator alignment fixes Full details here:
http://www.apache.org/dist/apr/patches/
http://www.linuxsecurity.com/content/view/149681
* Fedora 11 Update: apr-util-1.3.9-1.fc11 (Aug 7)
-----------------------------------------------
CVE-2009-2412: allocator alignment fixes Full details here:
http://www.apache.org/dist/apr/patches/
http://www.linuxsecurity.com/content/view/149680
* Fedora 11 Update: apr-1.3.8-1.fc11 (Aug 7)
------------------------------------------
CVE-2009-2412: allocator alignment fixes Full details here:
http://www.apache.org/dist/apr/patches/
http://www.linuxsecurity.com/content/view/149678
* Fedora 10 Update: java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 (Aug 7)
----------------------------------------------------------------
Urgent security fixes have been included.
http://www.linuxsecurity.com/content/view/149679
* Fedora 10 Update: wordpress-2.8.3-1.fc10 (Aug 7)
------------------------------------------------
Update to upstream version 2.8.3:
http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/
http://www.linuxsecurity.com/content/view/149676
* Fedora 11 Update: java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 (Aug 7)
----------------------------------------------------------------
Urgent security updates have been included.
http://www.linuxsecurity.com/content/view/149677
* Fedora 10 Update: apr-util-1.3.9-1.fc10 (Aug 7)
-----------------------------------------------
CVE-2009-2412: allocator alignment fixes Full details here:
http://www.apache.org/dist/apr/patches/
http://www.linuxsecurity.com/content/view/149675
* Fedora 11 Update: wordpress-2.8.3-1.fc11 (Aug 7)
------------------------------------------------
Update to upstream version 2.8.3:
http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/
http://www.linuxsecurity.com/content/view/149674
------------------------------------------------------------------------
* Gentoo: Adobe products Multiple vulnerabilities (Aug 7)
-------------------------------------------------------
Multiple vulnerabilities in Adobe Reader and Adobe Flash Player allow
for attacks including the remote execution of arbitrary code.
http://www.linuxsecurity.com/content/view/149687
* Gentoo: libTIFF User-assisted execution of arbitrary code (Aug 7)
-----------------------------------------------------------------
Multiple boundary checking vulnerabilities in libTIFF may allow for
the remote execution of arbitrary code.
http://www.linuxsecurity.com/content/view/149686
------------------------------------------------------------------------
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:201 ] fetchmail (Aug 12)
----------------------------------------------------------------------------
A vulnerability has been found and corrected in fetchmail: socket.c
in fetchmail before 6.3.11 does not properly handle a '\0' character
in a domain name in the subject's Common Name (CN) field of an X.509
certificate, which allows man-in-the-middle attackers to spoof
arbitrary SSL servers via a crafted certificate issued by a
legitimate Certification Authority, a related issue to CVE-2009-2408
(CVE-2009-2666). This update provides a solution to this
vulnerability.
http://www.linuxsecurity.com/content/view/149745
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:200 ] libxml (Aug 12)
-------------------------------------------------------------------------
Multiple vulnerabilities have been found and corrected in libxml:
Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26,
2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent
attackers to cause a denial of service (application crash) via a
large depth of element declarations in a DTD, related to a function
recursion, as demonstrated by the Codenomicon XML fuzzing framework
(CVE-2009-2414). Multiple use-after-free vulnerabilities in libxml2
2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow
context-dependent attackers to cause a denial of service (application
crash) via crafted (1) Notation or (2) Enumeration attribute types in
an XML file, as demonstrated by the Codenomicon XML fuzzing framework
(CVE-2009-2416). This update provides a solution to these
vulnerabilities.
http://www.linuxsecurity.com/content/view/149739
* Mandriva: Subject: [Security Announce] [ MDVA-2009:150 ] mmc (Aug 11)
---------------------------------------------------------------------
Problems were discovered with the mmc-wizard: after configuring a DNS
server with mmc-wizard, it was not clear how to add an MX DNS entry in
the mmc (Mandriva Directory Server). The version of Mandriva Directory
Server in mes5 is 2.3.1; http://mds.mandriva.org/ shows that MDS 2.3.2
corrects this problem. The first point in its release features is:
- a new functionality for DNS zones management: support for MX and NS
records.
Additionally, squidGuard was missing and therefore squidGuard-1.4 is
provided with this upgrade as well.
http://www.linuxsecurity.com/content/view/149730
* Mandriva: Subject: [Security Announce] [ MDVA-2009:149 ] gtkmm2.4 (Aug 11)
--------------------------------------------------------------------------
A memory allocation bug in gtkmm would make applications using the
library crash on the x86_64 architecture. This update corrects the
problem.
http://www.linuxsecurity.com/content/view/149729
* Mandriva: Subject: [Security Announce] [ MDVA-2009:148 ] samba (Aug 10)
-----------------------------------------------------------------------
Interoperability problems were discovered with
samba-3.2.7/samba-3.2.13 in Enterprise Server 5 and samba-3.0.23d in
Corporate Server 4. This update provides samba 3.0.36 to address
these issues. Additionally this upgrade also fixes many upstream
bugs.
http://www.linuxsecurity.com/content/view/149718
* Mandriva: Subject: [Security Announce] [ MDVA-2009:147 ] indilib (Aug 10)
-------------------------------------------------------------------------
urpmi kstars or urpmi kdeedu4 results in dependency problems. This
update addresses this issue.
http://www.linuxsecurity.com/content/view/149716
* Mandriva: Subject: [Security Announce] [ MDVA-2009:146 ] coreutils (Aug 9)
--------------------------------------------------------------------------
There is no man page for the su command. This update fixes this
problem, making the man page for the su command available again.
http://www.linuxsecurity.com/content/view/149709
* Mandriva: Subject: [Security Announce] [ MDVA-2009:145 ] x11-driver-input-synaptics (Aug 9)
-------------------------------------------------------------------------------------------
The synaptics touchpad driver shipped with 2009.1 has problems
correctly identifying and scaling the right hand scroll zone on
certain hardware (including the ASUS EeePC 701). This updated version
addresses this and several other minor issues, fixing (among others)
Mandriva bug #51845.
http://www.linuxsecurity.com/content/view/149708
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:199 ] subversion (Aug 8)
----------------------------------------------------------------------------
A vulnerability has been found and corrected in subversion: Multiple
integer overflows in the libsvn_delta library in Subversion before
1.5.7, and 1.6.x before 1.6.4, allow remote authenticated users and
remote Subversion servers to execute arbitrary code via an svndiff
stream with large windows that trigger a heap-based buffer overflow,
a related issue to CVE-2009-2412 (CVE-2009-2411). This update
provides a solution to this vulnerability and in turn upgrades
subversion where possible to provide additional features and upstream
bugfixes and adds required dependencies where needed.
http://www.linuxsecurity.com/content/view/149707
* Mandriva: Subject: [Security Announce] [ MDVA-2009:144 ] libv4l (Aug 8)
-----------------------------------------------------------------------
This update addresses the issue of urpmi preventing installation of
both i586/x86_64 versions of libv4l wrappers (Mandriva bug #45316).
Updated packages are provided to fix this issue.
http://www.linuxsecurity.com/content/view/149703
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:161-1 ] squid (Aug 8)
-------------------------------------------------------------------------
Multiple vulnerabilities have been found and corrected in squid: Due
to incorrect buffer limits and related bound checks Squid is
vulnerable to a denial of service attack when processing specially
crafted requests or responses (CVE-2009-2621). Due to incorrect data
validation Squid is vulnerable to a denial of service attack when
processing specially crafted responses (CVE-2009-2622). This update
provides fixes for these vulnerabilities.
Update:
Additional upstream security patches were applied:
- Debug warnings fill up the logs.
- Upstream Bug 2728: regression: assertion failed: http.cc:705: !eof
http://www.linuxsecurity.com/content/view/149702
* Mandriva: Subject: [Security Announce] [ MDVA-2009:143 ] openldap (Aug 7)
-------------------------------------------------------------------------
The script ldap-hot-db-backup in /etc/cron.daily doesn't work because
the db_archive and db_stat tools are missing. The db_archive and
db_stat tools depend on db4-utils.
http://www.linuxsecurity.com/content/view/149701
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:198 ] firefox (Aug 7)
-------------------------------------------------------------------------
Security issues were identified and fixed in firefox 3.0.x: Security
researcher Juan Pablo Lopez Yacubian reported that an attacker could
call window.open() on an invalid URL which looks similar to a
legitimate URL and then use document.write() to place content within
the new document, appearing to have come from the spoofed location
(CVE-2009-2654). Moxie Marlinspike reported a heap overflow
vulnerability in the code that handles regular expressions in
certificate names. This vulnerability could be used to compromise the
browser and run arbitrary code by presenting a specially crafted
certificate to the client (CVE-2009-2404). IOActive security
researcher Dan Kaminsky reported a mismatch in the treatment of
domain names in SSL certificates between SSL clients and the
Certificate Authorities (CA) which issue server certificates. These
certificates could be used to intercept and potentially alter
encrypted communication between the client and a server such as
sensitive bank account transactions (CVE-2009-2408). This update
provides the latest Mozilla Firefox 3.0.x to correct these issues.
Additionally, some packages which require so, have been rebuilt and
are being provided as updates.
http://www.linuxsecurity.com/content/view/149700
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:197 ] nss (Aug 7)
---------------------------------------------------------------------
Security issues in nss prior to 3.12.3 could lead to a
man-in-the-middle attack via a spoofed X.509 certificate
(CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also
cause a denial-of-service and possible code execution via a long
domain name in X.509 certificate (CVE-2009-2404). This update
provides the latest versions of NSS and NSPR libraries which are not
vulnerable to those attacks.
http://www.linuxsecurity.com/content/view/149699
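The fetchmail (MDVSA-2009:201), firefox and nss entries above all concern the same class of flaw: a certificate name containing a NUL byte is truncated by a C-string comparison, so the part before the NUL is what gets matched. The following added example (not fetchmail, Mozilla or NSS code; all function names and sample values are constructed for illustration) shows a name check that rejects such names at decode time, next to the truncating behaviour for contrast, and also carries the single-label wildcard rule a verifier needs.

```python
"""
Certificate-name check that refuses embedded NUL bytes, contrasted with the
truncating behaviour behind CVE-2009-2408 / CVE-2009-2666.
Added example; names and sample values are constructed, not from any project.
"""


class BadCertificateName(ValueError):
    """Raised when a certificate name cannot safely be used for host matching."""


def decode_cn(raw: bytes) -> str:
    """Decode a CN value taken straight from its DER-encoded string.

    A DER string carries an explicit length, so it may legally contain a
    0x00 byte. A verifier that copies it into a NUL-terminated C string and
    compares with strcmp() only sees the part before the NUL. The safe rule
    is to reject any name containing a NUL outright.
    """
    if b"\x00" in raw:
        raise BadCertificateName("embedded NUL byte in certificate name")
    try:
        text = raw.decode("ascii")  # hostnames are ASCII (IDNs are punycode)
    except UnicodeDecodeError as exc:
        raise BadCertificateName("non-ASCII byte in certificate name") from exc
    if not text:
        raise BadCertificateName("empty certificate name")
    return text


def truncating_decode_cn(raw: bytes) -> str:
    """The flawed behaviour, for contrast only: stop at the first NUL, as a
    NUL-terminated C string would. Never use this in a real verifier."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def name_matches(cert_name: str, host: str) -> bool:
    """RFC 2818-style comparison: case-insensitive, trailing dot ignored,
    and a leading "*." wildcard covers exactly one DNS label."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name or not host:
        return False
    if cert_name.startswith("*."):
        suffix = cert_name[1:]          # ".bank.example"
        if not host.endswith(suffix):
            return False
        left = host[: -len(suffix)]     # the label the '*' has to cover
        return bool(left) and "." not in left
    return cert_name == host


def verify_host(raw_cn: bytes, host: str) -> bool:
    """Safe path: reject NULs at decode time, then compare."""
    return name_matches(decode_cn(raw_cn), host)


def vulnerable_verify_host(raw_cn: bytes, host: str) -> bool:
    """Vulnerable path: silently truncates at the NUL before comparing."""
    return name_matches(truncating_decode_cn(raw_cn), host)


# Constructed sample values, not taken from any real certificate.
HONEST_CN = b"www.bank.example"
WILDCARD_CN = b"*.bank.example"
NUL_CN = b"www.bank.example\x00.other.example"  # the shape the advisories describe


def demo() -> dict:
    """Run both verifiers over the samples and collect the outcomes."""
    results = {
        "honest_safe": verify_host(HONEST_CN, "WWW.bank.example."),
        "wildcard_one_label": verify_host(WILDCARD_CN, "www.bank.example"),
        "wildcard_two_labels": verify_host(WILDCARD_CN, "a.www.bank.example"),
        "nul_vulnerable": vulnerable_verify_host(NUL_CN, "www.bank.example"),
    }
    try:
        verify_host(NUL_CN, "www.bank.example")
        results["nul_safe"] = "accepted"
    except BadCertificateName:
        results["nul_safe"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

The truncating path accepts the NUL-bearing name for www.bank.example, while the strict path refuses it before any comparison takes place.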
* Mandriva: Subject: [Security Announce] [ MDVA-2009:142 ] mandriva-doc (Aug 7)
-----------------------------------------------------------------------------
Minor bugs have been fixed in the mandriva-doc-mes5 package:
- Fix both en and fr menu access for documentation
- Fix fr link to french documentation
- Update en documentation
http://www.linuxsecurity.com/content/view/149698
* Mandriva: Subject: [Security Announce] [ MDVA-2009:141 ] urpmi (Aug 7)
----------------------------------------------------------------------
This update fixes a minor issue with urpmi: - no error message and 0
exit code when using CD/DVD media and hal isn't running
http://www.linuxsecurity.com/content/view/149697
* Mandriva: Subject: [Security Announce] [ MDVA-2009:140 ] x11-driver-video-openchrome (Aug 7)
--------------------------------------------------------------------------------------------
This update fixes three issues with the openchrome driver for VIA
video cards:
- Fix a segmentation fault when using the EXA acceleration architecture.
- Fix a segmentation fault on hardware that does not support Xv.
- Improve EXA performance on a fallback case.
http://www.linuxsecurity.com/content/view/149696
* Mandriva: Subject: [Security Announce] [ MDVA-2009:139 ] ocsinventory-agent (Aug 7)
-----------------------------------------------------------------------------------
This fix adds a requires on smartmontools and bumps the release to
1.02.1 (internal 1.0.1).
http://www.linuxsecurity.com/content/view/149695
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:196 ] samba (Aug 7)
-----------------------------------------------------------------------
Multiple vulnerabilities have been found and corrected in samba:
Multiple format string vulnerabilities in client/client.c in
smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent
attackers to execute arbitrary code via format string specifiers in a
filename (CVE-2009-1886). The acl_group_override function in
smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and
3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is
enabled, allows remote attackers to modify access control lists for
files via vectors related to read access to uninitialized memory
(CVE-2009-1888). This update provides samba 3.2.13 to address these
issues.
http://www.linuxsecurity.com/content/view/149693
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:195-1 ] apr (Aug 6)
-----------------------------------------------------------------------
A vulnerability has been identified and corrected in apr and
apr-util: Multiple integer overflows in the Apache Portable Runtime
(APR) library and the Apache Portable Utility library (aka APR-util)
0.9.x and 1.3.x allow remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via vectors
that trigger crafted calls to the (1) allocator_alloc or (2)
apr_palloc function in memory/unix/apr_pools.c in APR; or crafted
calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5)
apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to
buffer overflows. NOTE: some of these details are obtained from third
party information (CVE-2009-2412). This update provides fixes for
these vulnerabilities.
Update:
apr-util packages were missing for Mandriva Enterprise Server 5 i586,
this has been addressed with this update.
http://www.linuxsecurity.com/content/view/149669
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:195 ] apr (Aug 6)
---------------------------------------------------------------------
A vulnerability has been identified and corrected in apr and
apr-util: Fix potential overflow in pools (apr) and rmm (apr-util),
where size alignment was taking place (CVE-2009-2412). This update
provides fixes for these vulnerabilities.
http://www.linuxsecurity.com/content/view/149667
------------------------------------------------------------------------
* RedHat: Moderate: curl security update (Aug 13)
-----------------------------------------------
Updated curl packages that fix security issues are now available for
Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as
having moderate security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/149749
* RedHat: Important: kernel security and bug fix update (Aug 13)
--------------------------------------------------------------
Updated kernel packages that fix several security issues and several
bugs are now available for Red Hat Enterprise Linux 4. This update
has been rated as having important security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/149750
* RedHat: Critical: nspr and nss security update (Aug 12)
-------------------------------------------------------
Updated nspr and nss packages that fix security issues are now
available for Red Hat Enterprise Linux 5.2 Extended Update Support.
This update has been rated as having critical security impact by the
Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/149738
* RedHat: Moderate: httpd security and bug fix update (Aug 10)
------------------------------------------------------------
Updated httpd packages that fix multiple security issues and a bug
are now available for Red Hat Enterprise Linux 3. This update has
been rated as having moderate security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/149721
* RedHat: Moderate: libxml and libxml2 security update (Aug 10)
-------------------------------------------------------------
Updated libxml and libxml2 packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 3, 4, and 5. This
update has been rated as having moderate security impact by the Red
Hat Security Response Team.
http://www.linuxsecurity.com/content/view/149722
* RedHat: Moderate: apr and apr-util security update (Aug 10)
-----------------------------------------------------------
Updated apr and apr-util packages that fix multiple security issues
are now available for Red Hat Enterprise Linux 4 and 5. This update
has been rated as having moderate security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/149720
* RedHat: Important: subversion security update (Aug 10)
------------------------------------------------------
Updated subversion packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 and 5. This update has been
rated as having important security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/149719
* RedHat: Important: java-1.6.0-openjdk security and bug (Aug 6)
--------------------------------------------------------------
Updated java-1.6.0-openjdk packages that fix several security issues
and a bug are now available for Red Hat Enterprise Linux 5. This
update has been rated as having important security impact by the Red
Hat Security Response Team.
http://www.linuxsecurity.com/content/view/149672
* RedHat: Critical: java-1.6.0-ibm security update (Aug 6)
--------------------------------------------------------
Updated java-1.6.0-ibm packages that fix several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5
Supplementary. This update has been rated as having critical security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/149673
* RedHat: Critical: java-1.5.0-sun security update (Aug 6)
--------------------------------------------------------
Updated java-1.5.0-sun packages that correct several security issues
are now available for Red Hat Enterprise Linux 4 Extras and 5
Supplementary. This update has been rated as having critical security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/149670
* RedHat: Critical: java-1.6.0-sun security update (Aug 6)
--------------------------------------------------------
Updated java-1.6.0-sun packages that correct several security issues
are now available for Red Hat Enterprise Linux 4 Extras and 5
Supplementary. This update has been rated as having critical security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/149671
------------------------------------------------------------------------
* Slackware: subversion (Aug 7)
-------------------------------
New subversion packages are available for Slackware 12.0, 12.1, 12.2,
and -current to fix a security issue. More details about this issue
may be found in the Common Vulnerabilities and Exposures (CVE)
database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2411
http://www.linuxsecurity.com/content/view/149682
* Slackware: apr-util (Aug 7)
-----------------------------
New apr-util packages are available for Slackware 11.0, 12.0, 12.1,
12.2, and -current to fix a security issue. More details about this
issue may be found in the Common Vulnerabilities and Exposures (CVE)
database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412
http://www.linuxsecurity.com/content/view/149683
* Slackware: apr (Aug 7)
------------------------
New apr packages are available for Slackware 11.0, 12.0, 12.1, 12.2,
and -current to fix a security issue. More details about this issue
may be found in the Common Vulnerabilities and Exposures (CVE)
database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412
http://www.linuxsecurity.com/content/view/149684
* Slackware: fetchmail (Aug 6)
------------------------------
New fetchmail packages are available for Slackware 8.1, 9.0, 9.1,
10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix a
security issue. More details about this issue may be found in the
Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666
http://www.linuxsecurity.com/content/view/149665
------------------------------------------------------------------------
* SuSE: Sun Java (SUSE-SA:2009:043) (Aug 7)
-----------------------------------------
http://www.linuxsecurity.com/content/view/149688
* SuSE: Mozilla Firefox 3.0 (Aug 6)
---------------------------------
http://www.linuxsecurity.com/content/view/149664
------------------------------------------------------------------------
* Ubuntu: libxml2 vulnerabilities (Aug 11)
-----------------------------------------
It was discovered that libxml2 did not correctly handle root XML
document element DTD definitions. If a user were tricked into
processing a specially crafted XML document, a remote attacker could
cause the application linked against libxml2 to crash, leading to a
denial of service. (CVE-2009-2414) It was discovered that libxml2 did
not correctly parse Notation and Enumeration attribute types. If a
user were tricked into processing a specially crafted XML document, a
remote attacker could cause the application linked against libxml2 to
crash, leading to a denial of service. (CVE-2009-2416) USN-644-1
fixed a vulnerability in libxml2. This advisory provides the
corresponding update for Ubuntu 9.04. Original advisory details: It
was discovered that libxml2 did not correctly handle long entity
names. If a user were tricked into processing a specially crafted
XML document, a remote attacker could execute arbitrary code with
user privileges or cause the application linked against libxml2 to
crash, leading to a denial of service. (CVE-2008-3529)
http://www.linuxsecurity.com/content/view/149731
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------