+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| September 18th, 2009 Volume 10, Number 38 |
| |
| Editorial Team: Dave Wreski <dwreski@linuxsecurity.com> |
| Benjamin D. Thomas <bthomas@linuxsecurity.com> |
+----------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for icu, openssl, rails, iceweasel,
xulrunner, nginx, nagios2, devscripts, dovecot, kdesdk, kdegames,
oxygen-icon-theme, kdepim, kdenetwork, kdeutils, kdeedu,
ocaml-camlimages, puppet, firefox, ikiwiki, mozvoikko, hulahop, miro,
kazehakase, yelp, ruby, epiphany, seahorse, chmsee, pcmanx, blam,
galeon, perl, mugshot, znc, wireshark, irssi, horde, silc-toolkit, kvm,
nss, htmldoc, freeradius, and openexr. The distributors include
Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, and Ubuntu.
---
>> Linux+DVD Magazine <<
In each issue you can find information concerning the best use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.
Catch up with what professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software are doing!
http://www.linuxsecurity.com/ads/adclick.php?bannerid=26
---
Review: Googling Security: How Much Does Google Know About You
--------------------------------------------------------------
Ask "How much do you know about Google?" and most people answer
without a second's pause. Ask "How much does Google know about you?"
and the reply is more often "Wait... what!? Do they!?" The book
"Googling Security: How Much Does Google Know About You" by Greg Conti
(Computer Science Professor at West Point) is the first book to reveal
how Google's vast information stockpiles could be used against you or
your business, and what you can do to protect yourself.
http://www.linuxsecurity.com/content/view/145939
---
A Secure Nagios Server
----------------------
Nagios is monitoring software designed to tell you quickly about
problems on your hosts and networks, and it can be configured for use
on any network. Setting up a Nagios server on any Linux distribution is
quick; making that setup secure takes some work. This article does not
cover installing Nagios, since plenty of guides already do, but it
shows in detail ways to improve your Nagios security.
http://www.linuxsecurity.com/content/view/144088
--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--
------------------------------------------------------------------------
* EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.22 (Version 3.0, Release 22). This release includes
many updated packages and bug fixes and some feature enhancements to
the EnGarde Secure Linux Installer and the SELinux policy.
http://www.linuxsecurity.com/content/view/145668
------------------------------------------------------------------------
* Debian: New icu packages correct multibyte sequence parsing (Sep 16)
--------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/150146
* Debian: New openssl packages deprecate MD2 hash signatures (Sep 15)
-------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/150140
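The openssl entry above retires MD2 as a signature hash, so the practical question for an administrator is whether any certificate in a local trust store or server chain still carries an MD2-based signature. The following is an added example, not Debian's or OpenSSL's own code: it walks only the outer signatureAlgorithm field of each DER certificate in a PEM bundle and reports those whose OID is md2WithRSAEncryption. The OID constants are the standard PKCS#1 values; the skeletal certificates the script builds for its own demonstration are constructed test data, not real X.509 certificates.

```python
"""Flag certificates in a PEM bundle whose signature algorithm is MD2-based.

Added example (not OpenSSL's code): a minimal DER walker that reads the
outer signatureAlgorithm of each Certificate, which is enough to spot
md2WithRSAEncryption without a full X.509 parser.
"""
import base64
import re

# PKCS#1 signature algorithm OIDs (dotted form) this scanner knows about.
MD2_WITH_RSA = "1.2.840.113549.1.1.2"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
KNOWN = {MD2_WITH_RSA: "md2WithRSAEncryption",
         SHA256_WITH_RSA: "sha256WithRSAEncryption"}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos].

    Returns (tag, value_start, value_end); value_end is also where the
    next sibling element begins.  Handles short and long-form lengths.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode DER OID contents to dotted form (first byte packs two arcs,
    the rest are base-128 with a continuation bit)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Return the OID from the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    """
    tag, body_start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(der, body_start)      # skip tbsCertificate
    tag, alg_start, _ = read_tlv(der, after_tbs)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(der[oid_start:oid_end])


def find_md2_signed(pem_bundle):
    """Return [(index, name)] for every certificate in the bundle signed with MD2."""
    hits = []
    for idx, m in enumerate(PEM_RE.finditer(pem_bundle)):
        der = base64.b64decode("".join(m.group(1).split()))
        oid = signature_algorithm_oid(der)
        if oid == MD2_WITH_RSA:
            hits.append((idx, KNOWN[oid]))
    return hits


# --- constructed test data: skeletal certificates, NOT real X.509 ----------
def _tlv(tag, content):
    if len(content) >= 128:
        raise ValueError("short-form length only in this helper")
    return bytes([tag, len(content)]) + content


def encode_oid(dotted):
    """Encode a dotted OID as DER contents (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert_pem(sig_oid):
    """Build a skeletal Certificate whose only realistic part is signatureAlgorithm."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                      # tbsCertificate stub
    alg = _tlv(0x30, _tlv(0x06, encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00\x00")                               # empty BIT STRING
    der = _tlv(0x30, tbs + alg + sig)
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


if __name__ == "__main__":
    bundle = fake_cert_pem(SHA256_WITH_RSA) + fake_cert_pem(MD2_WITH_RSA)
    print(find_md2_signed(bundle))      # [(1, 'md2WithRSAEncryption')]
```

On a real system the same check is a one-liner per file with `openssl x509 -in cert.pem -noout -text` and a look at the "Signature Algorithm" line; the script above is useful when you need to sweep a whole bundle or CA directory programmatically without depending on the OpenSSL version installed.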
* Debian: New rails packages fix cross-site scripting (Sep 15)
------------------------------------------------------------
http://www.linuxsecurity.com/content/view/150135
* Debian: New iceweasel packages fix several vulnerabilities (Sep 14)
-------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/150071
* Debian: New xulrunner packages fix several vulnerabilities (Sep 14)
-------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/150070
* Debian: New nginx packages fix arbitrary code execution (Sep 14)
----------------------------------------------------------------
http://www.linuxsecurity.com/content/view/150069
* Debian: New nagios2 packages fix regression (Sep 14)
----------------------------------------------------
http://www.linuxsecurity.com/content/view/150068
* Debian: New devscripts packages fix regressions (Sep 11)
--------------------------------------------------------
http://www.linuxsecurity.com/content/view/150004
* Debian: New nagios2 packages fix several cross-site scriptings (Sep 10)
-----------------------------------------------------------------------
http://www.linuxsecurity.com/content/view/150001
------------------------------------------------------------------------
* Fedora 10 Update: nginx-0.7.62-1.fc10 (Sep 15)
----------------------------------------------
http://www.linuxsecurity.com/content/view/150139
* Fedora 11 Update: nginx-0.7.62-1.fc11 (Sep 15)
----------------------------------------------
http://www.linuxsecurity.com/content/view/150138
* Fedora 10 Update: planet-2.0-10.fc10 (Sep 15)
---------------------------------------------
Security patch to sanitize content from RSS feeds for JavaScript.
http://www.linuxsecurity.com/content/view/150130
* Fedora 11 Update: planet-2.0-10.fc11 (Sep 15)
---------------------------------------------
Security update for sanitizing input from RSS feeds.
http://www.linuxsecurity.com/content/view/150129
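The two planet updates above exist because a feed aggregator republishes HTML that a third party controls, so it must strip script before it reaches a reader's browser. The following is an added example, not the Planet project's patch: an allowlist sanitizer built on the standard library's HTMLParser. Everything not explicitly permitted is dropped (unknown tags, all attributes except href/title on links, any href whose scheme is not http, https or mailto), script and style bodies are discarded rather than unwrapped, and the output is kept balanced even when the feed leaves tags open. The tag and attribute allowlists and the sample payloads are this example's own choices.

```python
"""Allowlist sanitizer for HTML carried in RSS/Atom feed entries.

Added example, not Planet's own code.  Denylisting "<script>" is not
enough: event-handler attributes and javascript: URLs run code too, so
the rule here is "drop everything that is not explicitly allowed".
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "br", "pre", "code", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # no on*, style, src, ...
VOID_TAGS = {"br"}                         # emitted without a closing tag
DROP_CONTENT_TAGS = {"script", "style"}    # the tag and its contents go
SAFE_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")


def safe_url(url):
    """Allow relative URLs and absolute ones with a safe scheme only."""
    if url is None:
        return False
    # Strip whitespace/controls first so "java\tscript:" cannot slip through.
    cleaned = "".join(c for c in url if c.isprintable() and not c.isspace()).lower()
    m = SCHEME_RE.match(cleaned)
    return m is None or m.group(1) in SAFE_SCHEMES


class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized fragments
        self.stack = []    # allowed tags currently open
        self.skip = 0      # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return                      # unknown tag: drop tag, keep its text
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not safe_url(value):
                continue
            # HTMLParser already decoded entities (so "&#106;avascript:" was
            # caught above); re-escape the value on output.
            parts.append('%s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s>" % " ".join(parts))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.stack:
            return
        # Close anything left open inside this element so output stays balanced.
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.stack:               # close tags the feed never closed
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Return a sanitized copy of an untrusted HTML fragment."""
    s = FeedSanitizer()
    s.feed(fragment)
    return s.result()


if __name__ == "__main__":
    # Constructed feed entry of the kind a hostile feed could carry.
    print(sanitize('<p>News <script>alert(1)</script>'
                   '<a href="javascript:alert(2)" onclick="x()">link</a></p>'))
    # -> <p>News <a>link</a></p>
```

The sanitizer runs on the aggregator, on every entry, before the content is written into the generated page; sanitizing only at fetch time and trusting the cache afterwards leaves a window if the allowlist is later tightened.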
* Fedora 10 Update: dovecot-1.1.18-2.fc10 (Sep 15)
------------------------------------------------
dovecot-sieve updated to 1.1.7. It is derived from the CMU sieve used
by cyrus-imapd and was affected by CVE-2009-2632 too. See the upstream
announcement for further details:
http://dovecot.org/list/dovecot-news/2009-September/000135.html
http://www.linuxsecurity.com/content/view/150128
* Fedora 10 Update: kdesdk-4.3.1-1.fc10 (Sep 15)
----------------------------------------------
This updates KDE to 4.3.1, the latest upstream bugfix release. The
main improvements are:
  * KDE 4.3 is now also available in Croatian.
  * A crash when editing toolbar setup has been fixed.
  * Support for transferring files through SSH using KIO::Fish has
    been fixed.
  * A number of bugs in KWin, KDE's window and compositing manager,
    have been fixed.
  * A large number of bugs in KMail, KDE's email client, are now gone.
See http://kde.org/announcements/announce-4.3.1.php for more
information. In addition, this update:
  * fixes a potential security issue (CVE-2009-2702) with certificate
    validation in the KIO KSSL code. It is believed that the affected
    code is not actually used (the code in Qt, for which a security
    update was already issued, is) and thus the issue is only
    potential, but KSSL is being patched just in case,
  * splits PolicyKit-kde out of kdebase-workspace again to avoid
    forcing it onto GNOME-based setups, where PolicyKit-gnome is
    desired instead (#519654).
The same update notes apply to every other KDE 4.3.1 package listed
below.
http://www.linuxsecurity.com/content/view/150123
* Fedora 10 Update: kdetoys-4.3.1-1.fc10 (Sep 15)
-----------------------------------------------
http://www.linuxsecurity.com/content/view/150124
* Fedora 10 Update: kdegames-4.3.1-4.fc10 (Sep 15)
------------------------------------------------
http://www.linuxsecurity.com/content/view/150125
* Fedora 10 Update: oxygen-icon-theme-4.3.1-1.fc10 (Sep 15)
---------------------------------------------------------
http://www.linuxsecurity.com/content/view/150126
* Fedora 10 Update: kde-l10n-4.3.1-2.fc10 (Sep 15)
------------------------------------------------
http://www.linuxsecurity.com/content/view/150127
* Fedora 10 Update: kdelibs-experimental-4.3.1-1.fc10 (Sep 15)
------------------------------------------------------------
http://www.linuxsecurity.com/content/view/150116
* Fedora 10 Update: kdepim-4.3.1-1.fc10 (Sep 15)
----------------------------------------------
http://www.linuxsecurity.com/content/view/150117
* Fedora 10 Update: kdenetwork-4.3.1-1.fc10 (Sep 15)
--------------------------------------------------
http://www.linuxsecurity.com/content/view/150118
* Fedora 10 Update: kdepim-runtime-4.3.1-1.fc10 (Sep 15)
------------------------------------------------------
http://www.linuxsecurity.com/content/view/150119
* Fedora 10 Update: kdeutils-4.3.1-1.fc10 (Sep 15)
------------------------------------------------
http://www.linuxsecurity.com/content/view/150120
* Fedora 10 Update: kdepimlibs-4.3.1-1.fc10 (Sep 15)
--------------------------------------------------
http://www.linuxsecurity.com/content/view/150121
* Fedora 10 Update: kdeplasma-addons-4.3.1-1.fc10 (Sep 15)
--------------------------------------------------------
http://www.linuxsecurity.com/content/view/150122
* Fedora 10 Update: kdeedu-4.3.1-1.fc10 (Sep 15)
----------------------------------------------
http://www.linuxsecurity.com/content/view/150111
* Fedora 10 Update: kdebindings-4.3.1-3.fc10 (Sep 15)
---------------------------------------------------
http://www.linuxsecurity.com/content/view/150112
* Fedora 10 Update: kdegraphics-4.3.1-1.fc10 (Sep 15)
---------------------------------------------------
http://www.linuxsecurity.com/content/view/150113
* Fedora 10 Update: kdelibs-4.3.1-3.fc10 (Sep 15)
-----------------------------------------------
http://www.linuxsecurity.com/content/view/150114
* Fedora 10 Update: kdemultimedia-4.3.1-1.fc10 (Sep 15)
-----------------------------------------------------
http://www.linuxsecurity.com/content/view/150115
* Fedora 10 Update: ocaml-camlimages-3.0.1-3.fc10.2 (Sep 11)
----------------------------------------------------------
http://www.linuxsecurity.com/content/view/150058
* Fedora 11 Update: puppet-0.24.8-4.fc11 (Sep 11)
-----------------------------------------------
This update fixes a number of bugs in both the packaging and upstream
source. See the package changelog and bug reports for complete
details.
http://www.linuxsecurity.com/content/view/150057
* Fedora 11 Update: xulrunner-1.9.1.3-1.fc11 (Sep 11)
---------------------------------------------------
Update to new upstream Firefox version 3.5.3, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
The update also includes all packages depending on gecko-libs,
rebuilt against the new version of Firefox / XULRunner; the same
notes apply to each of those rebuilt packages listed below.
http://www.linuxsecurity.com/content/view/150054
* Fedora 11 Update: firefox-3.5.3-1.fc11 (Sep 11)
-----------------------------------------------
http://www.linuxsecurity.com/content/view/150055
* Fedora 11 Update: ikiwiki-3.1415926-1.fc11 (Sep 11)
---------------------------------------------------
Fix CVE-2009-2944, see bz 520543.
http://www.linuxsecurity.com/content/view/150056
* Fedora 11 Update: gnome-python2-extras-2.25.3-7.fc11 (Sep 11)
-------------------------------------------------------------
http://www.linuxsecurity.com/content/view/150044
* Fedora 11 Update: mozvoikko-0.9.7-0.7.rc1.fc11 (Sep 11)
-------------------------------------------------------
http://www.linuxsecurity.com/content/view/150045
* Fedora 11 Update: evolution-rss-0.1.4-3.fc11 (Sep 11)
-----------------------------------------------------
http://www.linuxsecurity.com/content/view/150046
* Fedora 11 Update: google-gadgets-0.11.0-5.fc11 (Sep 11)
-------------------------------------------------------
http://www.linuxsecurity.com/content/view/150047
* Fedora 11 Update: hulahop-0.4.9-8.fc11 (Sep 11)
-----------------------------------------------
http://www.linuxsecurity.com/content/view/150048
* Fedora 11 Update: Miro-2.5.2-4.fc11 (Sep 11)
--------------------------------------------
http://www.linuxsecurity.com/content/view/150049
* Fedora 11 Update: perl-Gtk2-MozEmbed-0.08-6.fc11.5 (Sep 11)
-----------------------------------------------------------
http://www.linuxsecurity.com/content/view/150050
* Fedora 11 Update: kazehakase-0.5.7-2.fc11 (Sep 11)
--------------------------------------------------
http://www.linuxsecurity.com/content/view/150051
* Fedora 11 Update: yelp-2.26.0-7.fc11 (Sep 11)
---------------------------------------------
http://www.linuxsecurity.com/content/view/150052
* Fedora 11 Update: ruby-gnome2-0.19.1-2.fc11 (Sep 11)
----------------------------------------------------
http://www.linuxsecurity.com/content/view/150053
* Fedora 11 Update: epiphany-extensions-2.26.1-6.fc11 (Sep 11)
------------------------------------------------------------
http://www.linuxsecurity.com/content/view/150034
* Fedora 11 Update: monodevelop-2.0-5.fc11 (Sep 11)
-------------------------------------------------
Update to new upstream Firefox version 3.5.3, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150035
* Fedora 11 Update: eclipse-3.4.2-15.fc11 (Sep 11)
------------------------------------------------
Update to new upstream Firefox version 3.5.3, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150036
* Fedora 11 Update: epiphany-2.26.3-4.fc11 (Sep 11)
-------------------------------------------------
Update to new upstream Firefox version 3.5.3, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150037
* Fedora 11 Update: seahorse-plugins-2.26.2-5.fc11 (Sep 11)
---------------------------------------------------------
Update to new upstream Firefox version 3.5.3, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150038
* Fedora 11 Update: chmsee-1.0.1-11.fc11 (Sep 11)
-----------------------------------------------
Update to new upstream Firefox version 3.5.3, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150039
* Fedora 11 Update: gnome-web-photo-0.7-6.fc11 (Sep 11)
-----------------------------------------------------
Update to new upstream Firefox version 3.5.3, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150040
* Fedora 11 Update: pcmanx-gtk2-0.3.8-8.fc11 (Sep 11)
---------------------------------------------------
Update to new upstream Firefox version 3.5.3, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150041
* Fedora 11 Update: blam-1.8.5-14.fc11 (Sep 11)
---------------------------------------------
Update to new upstream Firefox version 3.5.3, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150042
* Fedora 11 Update: galeon-2.0.7-14.fc11 (Sep 11)
-----------------------------------------------
Update to new upstream Firefox version 3.5.3, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150043
* Fedora 10 Update: perl-Gtk2-MozEmbed-0.08-6.fc10.5 (Sep 11)
-----------------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150031
* Fedora 10 Update: firefox-3.0.14-1.fc10 (Sep 11)
------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150032
* Fedora 10 Update: xulrunner-1.9.0.14-1.fc10 (Sep 11)
----------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150033
* Fedora 10 Update: evolution-rss-0.1.4-3.fc10 (Sep 11)
-----------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150025
* Fedora 10 Update: kazehakase-0.5.6-4.fc10.6 (Sep 11)
----------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150026
* Fedora 10 Update: pcmanx-gtk2-0.3.8-13.fc10 (Sep 11)
----------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150027
* Fedora 10 Update: google-gadgets-0.10.5-10.fc10 (Sep 11)
--------------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150028
* Fedora 10 Update: yelp-2.24.0-13.fc10 (Sep 11)
----------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150029
* Fedora 10 Update: mugshot-1.2.2-13.fc10 (Sep 11)
------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150030
* Fedora 10 Update: epiphany-2.24.3-10.fc10 (Sep 11)
--------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150016
* Fedora 10 Update: epiphany-extensions-2.24.3-5.fc10 (Sep 11)
------------------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150017
* Fedora 10 Update: Miro-2.0.5-4.fc10 (Sep 11)
--------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150018
* Fedora 10 Update: ruby-gnome2-0.19.1-2.fc10 (Sep 11)
----------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150019
* Fedora 10 Update: blam-1.8.5-14.fc10 (Sep 11)
---------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150020
* Fedora 10 Update: gnome-python2-extras-2.19.1-34.fc10 (Sep 11)
--------------------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150021
* Fedora 10 Update: gecko-sharp2-0.13-12.fc10 (Sep 11)
----------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150022
* Fedora 10 Update: mozvoikko-0.9.5-14.fc10 (Sep 11)
--------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150023
* Fedora 10 Update: gnome-web-photo-0.3-22.fc10 (Sep 11)
------------------------------------------------------
Update to new upstream Firefox version 3.0.14, fixing multiple
security issues detailed in the upstream advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Update also includes
all packages depending on gecko-libs rebuilt against new version of
Firefox / XULRunner.
http://www.linuxsecurity.com/content/view/150024
* Fedora 10 Update: puppet-0.24.8-4.fc10 (Sep 11)
-----------------------------------------------
This update fixes a number of bugs in both the packaging and upstream
source. See the package changelog and bug reports for complete
details.
http://www.linuxsecurity.com/content/view/150014
* Fedora 10 Update: ikiwiki-2.72-2.fc10 (Sep 11)
----------------------------------------------
Fix CVE-2009-2944, see bz 520543.
http://www.linuxsecurity.com/content/view/150015
* Fedora 10 Update: postgresql-8.3.8-1.fc10 (Sep 11)
--------------------------------------------------
Update to PostgreSQL 8.3.8, for various fixes described at
http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
including three security issues.
http://www.linuxsecurity.com/content/view/150013
* Fedora 11 Update: postgresql-8.3.8-1.fc11 (Sep 11)
--------------------------------------------------
Update to PostgreSQL 8.3.8, for various fixes described at
http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
including three security issues.
http://www.linuxsecurity.com/content/view/150012
------------------------------------------------------------------------
* Gentoo: ZNC Directory traversal (Sep 13)
----------------------------------------
A directory traversal was found in ZNC, allowing for overwriting of
arbitrary files.
http://www.linuxsecurity.com/content/view/150064
* Gentoo: Wireshark Denial of Service (Sep 13)
--------------------------------------------
Multiple vulnerabilities have been discovered in Wireshark which
allow for Denial of Service.
http://www.linuxsecurity.com/content/view/150063
* Gentoo: Lynx Arbitrary command execution (Sep 12)
-------------------------------------------------
An incomplete fix for an issue related to the Lynx URL handler might
allow for the remote execution of arbitrary commands.
http://www.linuxsecurity.com/content/view/150062
* Gentoo: HTMLDOC User-assisted execution of arbitrary (Sep 12)
-------------------------------------------------------------
Multiple insecure calls to the sscanf() function in HTMLDOC might
result in the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/150059
* Gentoo: irssi Execution of arbitrary code (Sep 12)
--------------------------------------------------
A remotely exploitable off-by-one error leading to a heap overflow
was found in irssi which might result in the execution of arbitrary
code.
http://www.linuxsecurity.com/content/view/150060
* Gentoo: Horde Multiple vulnerabilities (Sep 12)
-----------------------------------------------
Multiple vulnerabilities have been discovered in Horde and two
modules, allowing for the execution of arbitrary code, information
disclosure, or Cross-Site Scripting.
http://www.linuxsecurity.com/content/view/150061
------------------------------------------------------------------------
* Mandriva: Subject: [Security Announce] [ MDVA-2009:161 ] silc-toolkit (Sep 18)
------------------------------------------------------------------------------
The silc-toolkit was linked in a wrong way, it depended on symbols no
longer exported by libidn. This made it impossible to use the SILC
protocol from pidgin. This update changes the linking to use the
included IDN resolver instead of libidn.
http://www.linuxsecurity.com/content/view/150152
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:235 ] silc-toolkit (Sep 15)
----------------------------------------------------------------------------------
Multiple vulnerabilities were discovered and corrected in
silc-toolkit: Multiple format string vulnerabilities in
lib/silcclient/client_entry.c in Secure Internet Live Conferencing
(SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow
remote attackers to execute arbitrary code via format string
specifiers in a nickname field, related to the (1)
silc_client_add_client, (2) silc_client_update_client, and (3)
silc_client_nickname_format functions (CVE-2009-3051). Multiple
format string vulnerabilities in lib/silcclient/command.c in Secure
Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC
Client 1.1.8 and earlier, allow remote attackers to execute arbitrary
code via format string specifiers in a channel name, related to (1)
silc_client_command_topic, (2) silc_client_command_kick, (3)
silc_client_command_leave, and (4) silc_client_command_users
(CVE-2009-3163). This update provides a solution to these
vulnerabilities.
http://www.linuxsecurity.com/content/view/150134
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:234-1 ] silc-toolkit (Sep 15)
------------------------------------------------------------------------------------
Multiple vulnerabilities were discovered and corrected in
silc-toolkit: Multiple format string vulnerabilities in
lib/silcclient/client_entry.c in Secure Internet Live Conferencing
(SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow
remote attackers to execute arbitrary code via format string
specifiers in a nickname field, related to the (1)
silc_client_add_client, (2) silc_client_update_client, and (3)
silc_client_nickname_format functions (CVE-2009-3051). The
silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in
Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows
remote attackers to overwrite a stack location and possibly execute
arbitrary code via a crafted OID value, related to incorrect use of a
%lu format string (CVE-2008-7159). The silc_http_server_parse
function in lib/silchttp/silchttpserver.c in the internal HTTP server
in silcd in Secure Internet Live Conferencing (SILC) Toolkit before
1.1.9 allows remote attackers to overwrite a stack location and
possibly execute arbitrary code via a crafted Content-Length header,
related to incorrect use of a %lu format string (CVE-2008-7160).
Multiple format string vulnerabilities in lib/silcclient/command.c in
Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and
SILC Client 1.1.8 and earlier, allow remote attackers to execute
arbitrary code via format string specifiers in a channel name,
related to (1) silc_client_command_topic, (2)
silc_client_command_kick, (3) silc_client_command_leave, and (4)
silc_client_command_users (CVE-2009-3163). This update provides a
solution to these vulnerabilities.
Update:
Packages for MES5 were not provided previously; this update addresses
this problem.
http://www.linuxsecurity.com/content/view/150133
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:234 ] silc-toolkit (Sep 15)
----------------------------------------------------------------------------------
Multiple vulnerabilities were discovered and corrected in
silc-toolkit: Multiple format string vulnerabilities in
lib/silcclient/client_entry.c in Secure Internet Live Conferencing
(SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow
remote attackers to execute arbitrary code via format string
specifiers in a nickname field, related to the (1)
silc_client_add_client, (2) silc_client_update_client, and (3)
silc_client_nickname_format functions (CVE-2009-3051). The
silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in
Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows
remote attackers to overwrite a stack location and possibly execute
arbitrary code via a crafted OID value, related to incorrect use of a
%lu format string (CVE-2008-7159). The silc_http_server_parse
function in lib/silchttp/silchttpserver.c in the internal HTTP server
in silcd in Secure Internet Live Conferencing (SILC) Toolkit before
1.1.9 allows remote attackers to overwrite a stack location and
possibly execute arbitrary code via a crafted Content-Length header,
related to incorrect use of a %lu format string (CVE-2008-7160).
Multiple format string vulnerabilities in lib/silcclient/command.c in
Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and
SILC Client 1.1.8 and earlier, allow remote attackers to execute
arbitrary code via format string specifiers in a channel name,
related to (1) silc_client_command_topic, (2)
silc_client_command_kick, (3) silc_client_command_leave, and (4)
silc_client_command_users (CVE-2009-3163). This update provides a
solution to these vulnerabilities.
http://www.linuxsecurity.com/content/view/150132
* Mandriva: Subject: [Security Announce] [ MDVA-2009:160 ] kvm (Sep 14)
---------------------------------------------------------------------
The required symbolic link or binary /usr/bin/qemu-kvm was missing.
Virtual machines generated with virt-manager depend on it.
http://www.linuxsecurity.com/content/view/150072
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:232 ] libsamplerate (Sep 11)
-----------------------------------------------------------------------------------
A security vulnerability has been identified and fixed in
libsamplerate: Lev Givon discovered a buffer overflow in
libsamplerate that could lead to a segfault with specially crafted
python code. This problem has been fixed with libsamplerate-0.1.7 but
older versions are affected. This update provides a solution to this
vulnerability.
http://www.linuxsecurity.com/content/view/150011
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:197-2 ] nss (Sep 11)
------------------------------------------------------------------------
Security issues in nss prior to 3.12.3 could lead to a
man-in-the-middle attack via a spoofed X.509 certificate
(CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also
cause a denial-of-service and possible code execution via a long
domain name in X.509 certificate (CVE-2009-2404). This update
provides the latest versions of NSS and NSPR libraries which are not
vulnerable to those attacks.
Update:
This update also provides fixed packages for Mandriva Linux 2008.1
and fixes mozilla-thunderbird error messages.
http://www.linuxsecurity.com/content/view/150010
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:228 ] libneon (Sep 11)
--------------------------------------------------------------------------
A vulnerability has been found and corrected in neon: neon before
0.28.6, when OpenSSL is used, does not properly handle a '\0'
character in a domain name in the subject's Common Name (CN) field of
an X.509 certificate, which allows man-in-the-middle attackers to
spoof arbitrary SSL servers via a crafted certificate issued by a
legitimate Certification Authority, a related issue to CVE-2009-2408.
(CVE-2009-2474) This update provides a solution to this
vulnerability.
http://www.linuxsecurity.com/content/view/150009
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:231 ] htmldoc (Sep 11)
--------------------------------------------------------------------------
A security vulnerability has been identified and fixed in htmldoc:
Buffer overflow in the set_page_size function in util.cxx in HTMLDOC
1.8.27 and earlier allows context-dependent attackers to execute
arbitrary code via a long MEDIA SIZE comment. NOTE: it was later
reported that there were additional vectors in htmllib.cxx and
ps-pdf.cxx using an AFM font file with a long glyph name, but these
vectors do not cross privilege boundaries (CVE-2009-3050). This
update provides a solution to this vulnerability.
http://www.linuxsecurity.com/content/view/150008
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:230 ] pidgin (Sep 11)
-------------------------------------------------------------------------
Security vulnerabilities have been identified and fixed in pidgin: The
msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c
in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and
Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary
code or cause a denial of service (memory corruption and application
crash) by sending multiple crafted SLP (aka MSNSLP) messages to
trigger an overwrite of an arbitrary memory location. NOTE: this
issue reportedly exists because of an incomplete fix for
CVE-2009-1376 (CVE-2009-2694). Unspecified vulnerability in Pidgin
2.6.0 allows remote attackers to cause a denial of service (crash)
via a link in a Yahoo IM (CVE-2009-3025). protocols/jabber/auth.c in
libpurple in Pidgin 2.6.0, and possibly other versions, does not
follow the required TLS/SSL preference when connecting to older Jabber
servers that do not follow the XMPP specification, which causes
libpurple to connect to the server without the expected encryption
and allows remote attackers to sniff sessions (CVE-2009-3026).
libpurple/protocols/irc/msgs.c in the IRC protocol plugin in
libpurple in Pidgin before 2.6.2 allows remote IRC servers to cause a
denial of service (NULL pointer dereference and application crash)
via a TOPIC message that lacks a topic string (CVE-2009-2703). The
msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the MSN
protocol plugin in libpurple in Pidgin before 2.6.2 allows remote
attackers to cause a denial of service (NULL pointer dereference and
application crash) via an SLP invite message that lacks certain
required fields, as demonstrated by a malformed message from a KMess
client (CVE-2009-3083). The msn_slp_process_msg function in
libpurple/protocols/msn/slpcall.c in the MSN protocol plugin in
libpurple 2.6.0 and 2.6.1, as used in Pidgin before 2.6.2, allows
remote attackers to cause a denial of service (application crash) via
a handwritten (aka Ink) message, related to an uninitialized variable
and the incorrect UTF16-LE charset name (CVE-2009-3084). The XMPP
protocol plugin in libpurple in Pidgin before 2.6.2 does not properly
handle an error IQ stanza during an attempted fetch of a custom
smiley, which allows remote attackers to cause a denial of service
(application crash) via XHTML-IM content with cid: images
(CVE-2009-3085). This update provides pidgin 2.6.2, which is not
vulnerable to these issues.
http://www.linuxsecurity.com/content/view/150007
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:229 ] cyrus-imapd (Sep 11)
------------------------------------------------------------------------------
A vulnerability has been found and corrected in cyrus-imapd: Buffer
overflow in the SIEVE script component (sieve/script.c) in
cyrus-imapd in Cyrus IMAP Server 2.2.13 and 2.3.14 allows local users
to execute arbitrary code and read or modify arbitrary messages via a
crafted SIEVE script, related to the incorrect use of the sizeof
operator for determining buffer length, combined with an integer
signedness error (CVE-2009-2632). This update provides a solution to
this vulnerability.
http://www.linuxsecurity.com/content/view/150006
* Mandriva: Subject: [Security Announce] [ MDVA-2009:159 ] hplip (Sep 10)
-----------------------------------------------------------------------
This update resolves a runtime error with hplip found after the KDE4
updates and in conjunction with the newer python-qt4-gui package.
This version upgrade provides hplip v3.9.2 that addresses this
problem.
http://www.linuxsecurity.com/content/view/150003
* Mandriva: Subject: [Security Announce] [ MDVSA-2009:226 ] freeradius (Sep 10)
-----------------------------------------------------------------------------
A vulnerability has been found and corrected in freeradius: The
rad_decode function in FreeRADIUS before 1.1.8 allows remote
attackers to cause a denial of service (radiusd crash) via
zero-length Tunnel-Password attributes. NOTE: this is a regression
error related to CVE-2003-0967 (CVE-2009-3111). This update provides
a solution to this vulnerability.
http://www.linuxsecurity.com/content/view/150002
------------------------------------------------------------------------
* RedHat: Moderate: freeradius security update (Sep 17)
-----------------------------------------------------
Updated freeradius packages that fix a security issue are now
available for Red Hat Enterprise Linux 5. This update has been rated
as having moderate security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/150148
* RedHat: Important: kernel security and bug fix update (Sep 15)
--------------------------------------------------------------
Updated kernel packages that fix several security issues and several
bugs are now available for Red Hat Enterprise Linux 4. This update
has been rated as having important security impact by the Red Hat
Security Response Team.
http://www.linuxsecurity.com/content/view/150131
------------------------------------------------------------------------
* Slackware: mozilla-firefox (Sep 14)
-------------------------------------
New mozilla-firefox packages are available for Slackware 12.2, 13.0,
and -current to fix security issues. The Firefox 3.0.14 package may
also be used with Slackware 11.0 or newer.
More details about the issues may be found on the Mozilla website:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html
http://www.linuxsecurity.com/content/view/150065
------------------------------------------------------------------------
* Ubuntu: FreeRADIUS vulnerability (Sep 16)
------------------------------------------
It was discovered that FreeRADIUS did not correctly handle certain
malformed attributes. A remote attacker could exploit this flaw and
cause the FreeRADIUS server to crash, resulting in a denial of
service.
http://www.linuxsecurity.com/content/view/150147
* Ubuntu: OpenSSL vulnerability (Sep 14)
---------------------------------------
Dan Kaminsky discovered OpenSSL would still accept certificates with
MD2 hash signatures. As a result, an attacker could potentially
create a malicious trusted certificate to impersonate another site.
This update handles this issue by completely disabling MD2 for
certificate validation.
http://www.linuxsecurity.com/content/view/150073
* Ubuntu: OpenEXR vulnerabilities (Sep 14)
-----------------------------------------
Drew Yao discovered several flaws in the way OpenEXR handled certain
malformed EXR image files. If a user were tricked into opening a
crafted EXR image file, an attacker could cause a denial of service
via application crash, or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2009-1720,
CVE-2009-1721) It was discovered that OpenEXR did not properly handle
certain malformed EXR image files. If a user were tricked into
opening a crafted EXR image file, an attacker could cause a denial of
service via application crash, or possibly execute arbitrary code
with the privileges of the user invoking the program. This issue only
affected Ubuntu 8.04 LTS. (CVE-2009-1722)
http://www.linuxsecurity.com/content/view/150074
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------