AOH :: ISNQ6102.HTM

Linux Advisory Watch: March 28th, 2010




Linux Advisory Watch: March 28th, 2010
Linux Advisory Watch: March 28th, 2010



+----------------------------------------------------------------------+
| LinuxSecurity.com                               Linux Advisory Watch |
| March 28th, 2010                                Volume 11, Number 14 |
|                                                                      |
| Editorial Team: Dave Wreski  | 
| Benjamin D. Thomas  | 
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor have made
available.

Vulnerabilities in Web Applications
-----------------------------------
This paper aims to raise awareness by discussing common vulnerabilities
and mistakes in web application development. It also considers mitigating
factors, strategies and corrective measures.

http://www.linuxsecurity.com/content/view/118427 


A Secure Nagios Server
----------------------
This article will not show you how to install Nagios since there are tons
of them out there but it will show you in detail ways to improve your
Nagios security.

http://www.linuxsecurity.com/content/view/144088 

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <-- 

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
  ----------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.22 (Version 3.0, Release 22).  This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/145668 

------------------------------------------------------------------------

* Debian: 2023-1: curl: buffer overflow (Mar 27)
  ----------------------------------------------
  Wesley Miaw discovered that libcurl, a multi-protocol file transfer
  library, is prone to a buffer overflow via the callback function when
  an application relies on libcurl to automatically uncompress data.
  Note that this only affects applications that trust libcurl's maximum
  limit [More...]

http://www.linuxsecurity.com/content/view/152006 

* Debian: 2022-1: mediawiki: Multiple vulnerabilities (Mar 23)
  ------------------------------------------------------------
  Several vulnerabilities have been discovered in mediawiki, a
  web-based wiki engine. The following issues have been identified:
  Insufficient input sanitization in the CSS validation code allows
  editors [More...]

http://www.linuxsecurity.com/content/view/151964 

* Debian: 2021-1: spamass-milter: missing input sanitization (Mar 22)
  -------------------------------------------------------------------
  It was discovered a missing input sanitization in spamass-milter, a
  milter used to filter mail through spamassassin. This allows a remote
  attacker to inject and execute arbitrary shell commands. [More...]

http://www.linuxsecurity.com/content/view/151949 

* Debian: 2020-1: ikiwiki: insufficient input sanitiza (Mar 20)
  -------------------------------------------------------------
  Ivan Shmakov discovered that the htmlscrubber component of ikwiki, a
  wiki compiler, performs insufficient input sanitization on
  data:image/svg+xml URIs. As these can contain script code this can be
  used by an attacker to conduct cross-site scripting attacks.
  [More...]

http://www.linuxsecurity.com/content/view/151947 

* Debian: 2019-1: pango1.0: missing input sanitization (Mar 20)
  -------------------------------------------------------------
  Marc Schoenefeld discovered an improper input sanitization in Pango,
  a library for layout and rendering of text, leading to array indexing
  error. If a local user was tricked into loading a specially-crafted
  font file in an [More...]

http://www.linuxsecurity.com/content/view/151946 

------------------------------------------------------------------------

* Mandriva: 2010:068: php (Mar 27)
  --------------------------------
  A vulnerability has been found and corrected in php: The xmlrpc
  extension in PHP 5.3.1 does not properly handle a missing methodName
  element in the first argument to the xmlrpc_decode_request function,
  which allows context-dependent attackers to cause a denial of
  [More...]

http://www.linuxsecurity.com/content/view/152005 

* Mandriva: 2010:067: kernel (Mar 25)
  -----------------------------------
  This update provides a fix to the correction of CVE-2010-0307, which
  resulted in crashes when running i586 applications on x86_64. To
  update your kernel, please follow the directions located at:
  [More...]

http://www.linuxsecurity.com/content/view/151996 

* Mandriva: 2010:066: kernel (Mar 24)
  -----------------------------------
  Some vulnerabilities were discovered and corrected in the Linux 2.6
  kernel: The gfs2_lock function in the Linux kernel before
  2.6.34-rc1-next-20100312, and the gfs_lock function in the Linux
  [More...]

http://www.linuxsecurity.com/content/view/151977 

* Mandriva: 2010:065: cpio (Mar 23)
  ---------------------------------
  A vulnerability has been found and corrected in cpio and tar:
  Heap-based buffer overflow in the rmt_read__ function in
  lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23
  and GNU cpio before 2.11 allows remote rmt servers to cause a denial
  of service [More...]

http://www.linuxsecurity.com/content/view/151959 

* Mandriva: 2010:064: libpng (Mar 23)
  -----------------------------------
  A vulnerability has been found and corrected in libpng: The
  png_decompress_chunk function in pngrutil.c in libpng 1.0.x before
  1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly
  handle compressed ancillary-chunk data that has a disproportionately
  [More...]

http://www.linuxsecurity.com/content/view/151958 

* Mandriva: 2010:063: libpng (Mar 22)
  -----------------------------------
  Multiple vulnerabilities has been found and corrected in libpng:
  libpng before 1.2.37 does not properly parse 1-bit interlaced images
  with width values that are not divisible by 8, which causes libpng to
  include uninitialized bits in certain rows of a PNG file and
  [More...]

http://www.linuxsecurity.com/content/view/151957 

------------------------------------------------------------------------

* Red Hat: 2010:0175-01: httpd: Low Advisory (Mar 25)
  ---------------------------------------------------
  Updated httpd packages that fix one security issue, a bug, and add an
  enhancement are now available for Red Hat Enterprise Linux 4. The Red
  Hat Security Response Team has rated this update as having low
  [More...]

http://www.linuxsecurity.com/content/view/151995 

* Red Hat: 2010:0168-01: httpd: Moderate Advisory (Mar 25)
  --------------------------------------------------------
  Updated httpd packages that fix two security issues and add an
  enhancement are now available for Red Hat Enterprise Linux 5. The Red
  Hat Security Response Team has rated this update as having moderate
  [More...]

http://www.linuxsecurity.com/content/view/151985 

* Red Hat: 2010:0167-01: gnutls: Moderate Advisory (Mar 25)
  ---------------------------------------------------------
  Updated gnutls packages that fix two security issues are now
  available for Red Hat Enterprise Linux 4. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

http://www.linuxsecurity.com/content/view/151984 

* Red Hat: 2010:0164-01: openssl097a: Moderate Advisory (Mar 25)
  --------------------------------------------------------------
  Updated openssl097a packages that fix a security issue are now
  available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

http://www.linuxsecurity.com/content/view/151982 

* Red Hat: 2010:0173-02: openssl096b: Important Advisory (Mar 25)
  ---------------------------------------------------------------
  Updated openssl096b packages that fix one security issue are now
  available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security
  Response Team has rated this update as having [More...]

http://www.linuxsecurity.com/content/view/151983 

* Red Hat: 2010:0165-01: nss: Moderate Advisory (Mar 25)
  ------------------------------------------------------
  Updated nss packages that fix a security issue are now available for
  Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team
  has rated this update as having moderate [More...]

http://www.linuxsecurity.com/content/view/151981 

* Red Hat: 2010:0163-01: openssl: Moderate Advisory (Mar 25)
  ----------------------------------------------------------
  Updated openssl packages that fix several security issues are now
  available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

http://www.linuxsecurity.com/content/view/151979 

* Red Hat: 2010:0162-01: openssl: Important Advisory (Mar 25)
  -----------------------------------------------------------
  Updated openssl packages that fix several security issues are now
  available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having [More...]

http://www.linuxsecurity.com/content/view/151980 

* Red Hat: 2010:0166-01: gnutls: Moderate Advisory (Mar 25)
  ---------------------------------------------------------
  Updated gnutls packages that fix two security issues are now
  available for Red Hat Enterprise Linux 5. The Red Hat Security
  Response Team has rated this update as having moderate [More...]

http://www.linuxsecurity.com/content/view/151978 

* Red Hat: 2010:0161-01: kernel-rt: Important Advisory (Mar 23)
  -------------------------------------------------------------
  Updated kernel-rt packages that fix multiple security issues and
  several bugs are now available for Red Hat Enterprise MRG 1.2. The
  Red Hat Security Response Team has rated this update as having
  [More...]

http://www.linuxsecurity.com/content/view/151962 

------------------------------------------------------------------------

* SuSE: 2010-018: Linux kernel (Mar 22)
  -------------------------------------
  This update of the openSUSE 11.2 kernel contains a lot of bug and
  security fixes.  Following security issues were fixed: CVE-2010-0622:
  The wake_futex_pi function in kernel/futex.c in the Linux  [More...]

http://www.linuxsecurity.com/content/view/151956 

------------------------------------------------------------------------

* Ubuntu: 917-1: Puppet vulnerabilities (Mar 24)
  ----------------------------------------------
  It was discovered that Puppet did not drop supplementary groups when
  beingrun as a different user. A local user may be able to use this
  flaw tobypass security restrictions and gain access to restricted
  files.(CVE-2009-3564) [More...]

http://www.linuxsecurity.com/content/view/151973 

* Ubuntu: 918-1: Samba vulnerability (Mar 24)
  -------------------------------------------
  It was discovered the Samba handled symlinks in an unexpected way
  when both"wide links" and "UNIX extensions" were enabled, which is
  the default. Aremote attacker could create symlinks and access
  arbitrary files from theserver. [More...]

http://www.linuxsecurity.com/content/view/151974 

* Ubuntu: 916-1: Kerberos vulnerabilities (Mar 23)
  ------------------------------------------------
  Emmanuel Bouillon discovered that Kerberos did not correctly
  handlecertain message types.	An unauthenticated remote attacker
  could sendspecially crafted traffic to cause the KDC to crash,
  leading to a denialof service. (CVE-2010-0283) [More...]

http://www.linuxsecurity.com/content/view/151965 

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com 
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


___________________________________________________________
Register now for HITBSecConf2010 - Dubai, the premier 
deep-knowledge network security event in the GCC, 
featuring keynote speakers John Viega and Matt Watchinski! 
http://conference.hitb.org/hitbsecconf2010dxb/ 



Site design & layout copyright © 1986-2014 CodeGods