linux-advisory-watch February 2011 archive
Main Archive Page > Month Archives  > linux-advisory-watch archives
linux-advisory-watch: Linux Advisory Watch: February 11th, 2011

Linux Advisory Watch: February 11th, 2011

From: <vuln-newsletter-admins_at_nospam>
Date: Sat Feb 12 2011 - 03:16:22 GMT
To: vuln-newsletter@linuxsecurity.com

+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| February 11th, 2011 Volume 12, Number 7 |
| |
| Editorial Team: Dave Wreski <dwreski@linuxsecurity.com> |
| Benjamin D. Thomas <bthomas@linuxsecurity.com> |
+----------------------------------------------------------------------+

Thank you for reading the Linux Advisory Watch Security Newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's vendor security bulletins and pointers on methods to improve
the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be
sure to read through to find the updates your distributor have made
available.

Review: The Official Ubuntu Book
--------------------------------
If you haven't used Linux before, are new to Ubuntu, or would like a
quick update on the latest in open source advancements for the desktop,
then The Official Ubuntu Book is a great place to start.

http://www.linuxsecurity.com/content/view/153159

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.22 Now Available!
   ----------------------------------------------
   Guardian Digital is happy to announce the release of EnGarde Secure
   Community 3.0.22 (Version 3.0, Release 22). This release includes
   many updated packages and bug fixes and some feature enhancements to
   the EnGarde Secure Linux Installer and the SELinux policy.

   http://www.linuxsecurity.com/content/view/145668

------------------------------------------------------------------------

* Debian: 2159-1: vlc: missing input sanitising (Feb 10)
   ------------------------------------------------------
   Dan Rosenberg discovered that insufficient input validation in VLC's
   processing of Matroska/WebM containers could lead to the execution of
   arbitrary code. [More...]

   http://www.linuxsecurity.com/content/view/154346

* Debian: 2158-1: cgiirc: cross-site scripting (Feb 9)
   ----------------------------------------------------
   Michael Brooks (Sitewatch) discovered a reflective XSS flaw in
   cgiirc, a web based IRC client, which could lead to the execution of
   arbitrary javascript. [More...]

   http://www.linuxsecurity.com/content/view/154335

* Debian: 2157-1: postgresql-8.3, postgresql-8.4, postgresql-9.0: buffer overflow (Feb 3)
   ---------------------------------------------------------------------------------------
   It was discovered that PostgreSQL's intarray contrib module does not
   properly handle integers with a large number of digits, leading to a
   server crash and potentially arbitary code execution. [More...]

   http://www.linuxsecurity.com/content/view/154301

------------------------------------------------------------------------

* Mandriva: 2011:025: krb5 (Feb 9)
   --------------------------------
   Multiple vulnerabilities were discovered and corrected in krb5: The
   MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a
   denial-of-service attack triggered by invalid network input. If a
   kpropd worker process receives invalid input that causes it to exit
   [More...]

   http://www.linuxsecurity.com/content/view/154332

* Mandriva: 2011:024: krb5 (Feb 9)
   --------------------------------
   Multiple vulnerabilities were discovered and corrected in krb5: The
   MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial
   of service attacks from unauthenticated remote attackers
   (CVE-2011-0281, CVE-2011-0282). [More...]

   http://www.linuxsecurity.com/content/view/154331

* Mandriva: 2011:023: proftpd (Feb 8)
   -----------------------------------
   A vulnerability has been found and corrected in proftpd: Heap-based
   buffer overflow in the sql_prepare_where function (contrib/mod_sql.c)
   in ProFTPD before 1.3.3d, when mod_sql is enabled, allows remote
   attackers to cause a denial of service (crash) and [More...]

   http://www.linuxsecurity.com/content/view/154325

* Mandriva: 2011:022: dhcp (Feb 7)
   --------------------------------
   A vulnerability has been found and corrected in dhcp: The DHCPv6
   server in ISC DHCP 4.0.x and 4.1.x before 4.1.2-P1, 4.0-ESV and
   4.1-ESV before 4.1-ESV-R1, and 4.2.x before 4.2.1b1 allows remote
   attackers to cause a denial of service (assertion failure and daemon
   [More...]

   http://www.linuxsecurity.com/content/view/154317

* Mandriva: 2011:021: postgresql (Feb 7)
   --------------------------------------
   A vulnerability was discovered and corrected in postgresql: Buffer
   overflow in the gettoken function in contrib/intarray/_int_bool.c in
   the intarray array module in PostgreSQL 9.0.x before 9.0.3, 8.4.x
   before 8.4.7, 8.3.x before 8.3.14, and 8.2.x [More...]

   http://www.linuxsecurity.com/content/view/154314

------------------------------------------------------------------------

* Red Hat: 2011:0214-01: java-1.6.0-openjdk: Moderate Advisory (Feb 10)
   ---------------------------------------------------------------------
   Updated java-1.6.0-openjdk packages that fix one security issue are
   now available for Red Hat Enterprise Linux 5 and 6. The Red Hat
   Security Response Team has rated this update as having moderate
   [More...]

   http://www.linuxsecurity.com/content/view/154347

* Red Hat: 2011:0206-01: flash-plugin: Critical Advisory (Feb 9)
   --------------------------------------------------------------
   An updated Adobe Flash Player package that fixes multiple security
   issues is now available for Red Hat Enterprise Linux 5 and 6
   Supplementary. The Red Hat Security Response Team has rated this
   update as having critical [More...]

   http://www.linuxsecurity.com/content/view/154333

* Red Hat: 2011:0200-01: krb5: Important Advisory (Feb 8)
   -------------------------------------------------------
   Updated krb5 packages that fix three security issues are now
   available for Red Hat Enterprise Linux 6. The Red Hat Security
   Response Team has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/154327

* Red Hat: 2011:0199-01: krb5: Important Advisory (Feb 8)
   -------------------------------------------------------
   Updated krb5 packages that fix two security issues are now available
   for Red Hat Enterprise Linux 5. The Red Hat Security Response Team
   has rated this update as having [More...]

   http://www.linuxsecurity.com/content/view/154326

* Red Hat: 2011:0198-01: postgresql84: Moderate Advisory (Feb 3)
   --------------------------------------------------------------
   Updated postgresql84 packages that fix one security issue are now
   available for Red Hat Enterprise Linux 5. The Red Hat Security
   Response Team has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/154305

* Red Hat: 2011:0197-01: postgresql: Moderate Advisory (Feb 3)
   ------------------------------------------------------------
   Updated postgresql packages that fix one security issue are now
   available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat
   Security Response Team has rated this update as having moderate
   [More...]

   http://www.linuxsecurity.com/content/view/154304

* Red Hat: 2011:0195-01: php: Moderate Advisory (Feb 3)
   -----------------------------------------------------
   Updated php packages that fix multiple security issues are now
   available for Red Hat Enterprise Linux 6. The Red Hat Security
   Response Team has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/154302

* Red Hat: 2011:0196-01: php53: Moderate Advisory (Feb 3)
   -------------------------------------------------------
   Updated php53 packages that fix three security issues are now
   available for Red Hat Enterprise Linux 5. The Red Hat Security
   Response Team has rated this update as having moderate [More...]

   http://www.linuxsecurity.com/content/view/154303

------------------------------------------------------------------------

* Slackware: 2011-041-02: expat: Security Update (Feb 10)
   -------------------------------------------------------
   New expat packages are available for Slackware 11.0, 12.0, 12.1,
   12.2, 13.0, 13.1, and -current to fix security issues. [More
   Info...]

   http://www.linuxsecurity.com/content/view/154351

* Slackware: 2011-041-04: openssl: Security Update (Feb 10)
   ---------------------------------------------------------
   New openssl packages are available for 11.0, 12.0, 12.1, 12.2, 13.0,
   13.1, and -current to fix a security issue. [More Info...]

   http://www.linuxsecurity.com/content/view/154352

* Slackware: 2011-041-01: apr-util: Security Update (Feb 10)
   ----------------------------------------------------------
   New apr and apr-util packages are available for Slackware 11.0, 12.0,
   12.1, 12.2, 13.0, 13.1, and -current to fix a security issue. [More
   Info...]

   http://www.linuxsecurity.com/content/view/154348

* Slackware: 2011-041-03: httpd: Security Update (Feb 10)
   -------------------------------------------------------
   New httpd packages are available for Slackware 12.0, 12.1, 12.2,
   13.0, 13.1, and -current to fix security issues. [More Info...]

   http://www.linuxsecurity.com/content/view/154349

* Slackware: 2011-041-05: sudo: Security Update (Feb 10)
   ------------------------------------------------------
   New sudo packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
   10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a
   security issue. [More Info...]

   http://www.linuxsecurity.com/content/view/154350

------------------------------------------------------------------------

* SuSE: 2011-008: Linux kernel (Feb 11)
   -------------------------------------
   This patch updates the SUSE Linux Enterprise Server 9 kernel to fix
   various security issues and some bugs. Following security issues were
   fixed: CVE-2010-4242: The hci_uart_tty_open function in the HCI UART
   driver (drivers/bluetooth/hci_ldisc.c) in the Linux kernel did not
   verify [More...]

   http://www.linuxsecurity.com/content/view/154353

* SuSE: Weekly Summary 2011:003 (Feb 8)
   -------------------------------------
   To avoid flooding mailing lists with SUSE Security Announcements for
   minor issues, SUSE Security releases weekly summary reports for the
   low profile vulnerability fixes. The SUSE Security Summary Reports do
   not list or download URLs like the SUSE Security Announcements that
   are released for more severe vulnerabilities. List of
   vulnerabilities in this summary include: gnutls, tomcat6,
   perl-CGI-Simple, pcsc-lite, obs-server, dhcp, java-1_6_0-openjdk,
   opera.

   http://www.linuxsecurity.com/content/view/154320

------------------------------------------------------------------------

* Ubuntu: 1060-1: Exim vulnerabilities (Feb 10)
   ---------------------------------------------
   It was discovered that Exim contained a design flaw in the way it
   processedalternate configuration files. An attacker that obtained
   privileges of the"Debian-exim" user could use an alternate
   configuration file to obtainroot privileges. (CVE-2010-4345)
   [More...]

   http://www.linuxsecurity.com/content/view/154345

* Ubuntu: 1059-1: Dovecot vulnerabilities (Feb 7)
   -----------------------------------------------
   It was discovered that the ACL plugin in Dovecot would
   incorrectlypropagate ACLs to new mailboxes. A remote authenticated
   user could possiblyread new mailboxes that were created with the
   wrong ACL. (CVE-2010-3304) [More...]

   http://www.linuxsecurity.com/content/view/154318

* Ubuntu: 1058-1: PostgreSQL vulnerability (Feb 3)
   ------------------------------------------------
   Geoff Keating reported that a buffer overflow exists in the
   intarraymodule's input function for the query_int type. This could
   allow anattacker to cause a denial of service or possibly execute
   arbitrarycode as the postgres user. [More...]

   http://www.linuxsecurity.com/content/view/154306

* Ubuntu: 1057-1: Linux kernel vulnerabilities (Feb 3)
   ----------------------------------------------------
   Dave Chinner discovered that the XFS filesystem did not correctly
   orderinode lookups when exported by NFS. A remote attacker could
   exploit this toread or write disk blocks that had changed file
   assignment or had becomeunlinked, leading to a loss of privacy.
   (CVE-2010-2943) [More...]

   http://www.linuxsecurity.com/content/view/154300

------------------------------------------------------------------------

* Pardus: 2011-26: Php: Multiple Vulnerabilities (Feb 9)
   ------------------------------------------------------
   Multiple Vulnerabilities have been fixed in php.

   http://www.linuxsecurity.com/content/view/154334

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------