|
|
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| April 16th, 2010 Volume 11, Number 16 |
| |
| Editorial Team: Dave Wreski
Read on
for my best practices for using Secure Shell.
http://www.linuxsecurity.com/content/view/133312
Review: Linux Firewalls
-----------------------
Security is at the forefront of everyone's mind and a firewall can be an
integral part of your Linux defense. But is Michael's Rash's "Linux
Firewalls," the newest release from NoStarchPress, up for the challenge?
Eckie S. here at Linuxsecurity.com gives you the low-down on this newest
addition to the Linux security resource library and how it's one of the
best ways to crack down on attacks to your Linux network.
http://www.linuxsecurity.com/content/view/130392
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available!
----------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: 2033-1: ejabberd: heap overflow (Apr 15)
------------------------------------------------
It was discovered that in ejabberd, a distributed XMPP/Jabber server
written in Erlang, a problem in ejabberd_c2s.erl allows remote
authenticated users to cause a denial of service by sending a large
number of c2s (client2server) messages; that triggers an overload of
the [More...]
http://www.linuxsecurity.com/content/view/152149
* Debian: 2032-1: libpng: Multiple vulnerabilities (Apr 11)
---------------------------------------------------------
Several vulnerabilities have been discovered in libpng, a library for
reading and writing PNG files. The Common Vulnerabilities and
Exposures project identifies the following problems: [More...]
http://www.linuxsecurity.com/content/view/152113
* Debian: 2031-1: krb5: use-after-free (Apr 11)
---------------------------------------------
Sol Jerome discovered that kadmind service in krb5, a system for
authenticating users and services on a network, allows remote
authenticated users to cause a denial of service (daemon crash) via a
request from a kadmin client that sends [More...]
http://www.linuxsecurity.com/content/view/152112
------------------------------------------------------------------------
* Mandriva: 2010:075: openoffice.org (Apr 15)
-------------------------------------------
This updates provides a security update to the OpenOffice.org
described as follow: OpenOffice's xmlsec uses a bundled Libtool which
might load .la file in the current working directory allowing local
users to gain [More...]
http://www.linuxsecurity.com/content/view/152152
* Mandriva: 2010:074: kdebase (Apr 15)
------------------------------------
A vulnerability has been found and corrected in kdm
(kdebase/kdebase4-workspace): KDM contains a race condition that
allows local attackers to make arbitrary files on the system
world-writeable. This can happen [More...]
http://www.linuxsecurity.com/content/view/152150
* Mandriva: 2010:073-1: cups (Apr 14)
-----------------------------------
Multiple vulnerabilities has been found and corrected in cups: CUPS
in does not properly handle (1) HTTP headers and (2) HTML templates,
which allows remote attackers to conduct cross-site scripting (XSS)
attacks and HTTP response splitting attacks via vectors [More...]
http://www.linuxsecurity.com/content/view/152140
* Mandriva: 2010:073: cups (Apr 14)
---------------------------------
Multiple vulnerabilities has been found and corrected in cups: CUPS
in does not properly handle (1) HTTP headers and (2) HTML templates,
which allows remote attackers to conduct cross-site scripting (XSS)
attacks and HTTP response splitting attacks via vectors [More...]
http://www.linuxsecurity.com/content/view/152139
* Mandriva: 2010:072: cups (Apr 14)
---------------------------------
Multiple vulnerabilities has been found and corrected in cups: CUPS
in does not properly handle (1) HTTP headers and (2) HTML templates,
which allows remote attackers to conduct cross-site scripting (XSS)
attacks and HTTP response splitting attacks via vectors [More...]
http://www.linuxsecurity.com/content/view/152138
* Mandriva: 2010:071: krb5 (Apr 13)
---------------------------------
A vulnerability has been found and corrected in krb5: Use-after-free
vulnerability in kadmin/server/server_stubs.c in kadmind in MIT
Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated
users to cause a denial of service (daemon crash) via a [More...]
http://www.linuxsecurity.com/content/view/152132
* Mandriva: 2010:070: firefox (Apr 13)
------------------------------------
Security issues were identified and fixed in firefox: Security
researcher regenrecht reported (via TippingPoint's Zero Day
Initiative) a potential reuse of a deleted image frame in Firefox
3.6's handling of multipart/x-mixed-replace images. Although no
exploit was [More...]
http://www.linuxsecurity.com/content/view/152123
------------------------------------------------------------------------
* Red Hat: 2010:0348-01: kdebase: Important Advisory (Apr 14)
-----------------------------------------------------------
Updated kdebase packages that fix one security issue are now
available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security
Response Team has rated this update as having [More...]
http://www.linuxsecurity.com/content/view/152135
* Red Hat: 2010:0349-01: acroread: Critical Advisory (Apr 14)
-----------------------------------------------------------
Updated acroread packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat
Enterprise Linux 5 Supplementary. [More...]
http://www.linuxsecurity.com/content/view/152136
* Red Hat: 2010:0347-01: nss_db: Moderate Advisory (Apr 13)
---------------------------------------------------------
Updated nss_db packages that fix one security issue are now available
for Red Hat Enterprise Linux 5. The Red Hat Security Response Team
has rated this update as having moderate [More...]
http://www.linuxsecurity.com/content/view/152133
------------------------------------------------------------------------
* SuSE: Weekly Summary 2010:009 (Apr 14)
--------------------------------------
To avoid flooding mailing lists with SUSE Security Announcements for
minor issues, SUSE Security releases weekly summary reports for the
low profile vulnerability fixes. The SUSE Security Summary Reports do
not list or download URLs like the SUSE Security Announcements that
are released for more severe vulnerabilities. List of
vulnerabilities in this summary include: viewvc, krb5, pango, gimp,
kdebase3, kde4-kdm.
http://www.linuxsecurity.com/content/view/152137
------------------------------------------------------------------------
* Ubuntu: 929-1: irssi vulnerabilities (Apr 15)
---------------------------------------------
It was discovered that irssi did not perform certificate host
validationwhen using SSL connections. An attacker could exploit this
to perform a manin the middle attack to view sensitive information or
alter encryptedcommunications. (CVE-2010-1155) [More...]
http://www.linuxsecurity.com/content/view/152153
* Ubuntu: 890-6: CMake vulnerabilities (Apr 15)
---------------------------------------------
USN-890-1 fixed vulnerabilities in Expat. This update provides
thecorresponding updates for CMake. [More...]
http://www.linuxsecurity.com/content/view/152151
* Ubuntu: 928-1: Sudo vulnerability (Apr 15)
------------------------------------------
Valerio Costamagna discovered that sudo did not properly validate the
pathfor the 'sudoedit' pseudo-command when the PATH contained only a
dot ('.').If secure_path and ignore_dot were disabled, a local
attacker could exploitthis to execute arbitrary code as root if sudo
was configured to allow theattacker to use sudoedit. By default,
secure_path is used and the sudoedit [More...]
http://www.linuxsecurity.com/content/view/152148
* Ubuntu: 927-3: Thunderbird regression (Apr 11)
----------------------------------------------
USN-927-1 fixed vulnerabilities in NSS. Due to upstream changes in
NSS3.12.6, Thunderbird would be unable to initialize the security
componentand connect with SSL/TLS if the old libnss3-0d transition
package wasinstalled. This update fixes the problem. [More...]
http://www.linuxsecurity.com/content/view/152114
* Ubuntu: 920-1: Firefox 3.0 and Xulrunner vulnerabilities (Apr 9)
----------------------------------------------------------------
Martijn Wargers, Josh Soref, Jesse Ruderman, and Ehsan Akhgari
discoveredflaws in the browser engine of Firefox. If a user were
tricked into viewinga malicious website, a remote attacker could
cause a denial of service orpossibly execute arbitrary code with the
privileges of the user invokingthe program. (CVE-2010-0174) [More...]
http://www.linuxsecurity.com/content/view/152110
* Ubuntu: 927-1: NSS vulnerability (Apr 9)
----------------------------------------
Marsh Ray and Steve Dispensa discovered a flaw in the TLS and
SSLv3protocols. If an attacker could perform a man in the middle
attack at thestart of a TLS connection, the attacker could inject
arbitrary content atthe beginning of the user's session. This update
adds support for the newnew renegotiation extension and will use it
when the server supports it. [More...]
http://www.linuxsecurity.com/content/view/152109
* Ubuntu: 926-1: ClamAV vulnerabilities (Apr 8)
---------------------------------------------
It was discovered that ClamAV did not properly verify its input
whenprocessing CAB files. A remote attacker could send a specially
craftedCAB file to evade malware detection. (CVE-2010-0098) [More...]
http://www.linuxsecurity.com/content/view/152105
* Ubuntu: 925-1: MoinMoin vulnerabilities (Apr 8)
-----------------------------------------------
It was discovered that MoinMoin did not properly sanitize its input
whenprocessing Despam actions, resulting in cross-site scripting
(XSS)vulnerabilities. If a privileged wiki user were tricked into
performingthe Despam action on a page with a crafted title, a remote
attacker couldexploit this to execute JavaScript code.
(CVE-2010-0828) [More...]
http://www.linuxsecurity.com/content/view/152104
------------------------------------------------------------------------
* Pardus: 2010-46: [UPDATE] OpenSSL: Denial of Service (Apr 9)
------------------------------------------------------------
A vulnerability has been fixed in OpenSSL, which can be exploited by
malicious people to manipulate certain data and cause a DoS (Denial
of Service) UPDATE: The same problem has been addressed in Pardus
2008
http://www.linuxsecurity.com/content/view/152106
* Pardus: 2010-48: Kernel: Denial of Service (Apr 9)
--------------------------------------------------
A vulnerability and a security issue have been fixed, which can be
exploited by malicious, local users to bypass certain security
restrictions, cause a DoS (Denial of Service), and potentially gain
escalated privileges.
http://www.linuxsecurity.com/content/view/152107
* Pardus: 2010-49: Cups: Privilege Escalation (Apr 9)
---------------------------------------------------
A vulnerability has been fixed in Cups, which can be exploited by
malicious people to gain certain privileges.
http://www.linuxsecurity.com/content/view/152108
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
___________________________________________________________
Register now for HITBSecConf2010 - Dubai, the premier
deep-knowledge network security event in the GCC,
featuring keynote speakers John Viega and Matt Watchinski!
http://conference.hitb.org/hitbsecconf2010dxb/