Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Peter Smith Releases Linux Network Security Online - Thanks so much to Peter Smith for announcing on linuxsecurity.com the release of his Linux Network Security book available free online. In 2005 I wrote a book on Linux security. 8 years later and the publisher has gone out of business. Now that I'm free from restrictions on reproducing material from the book, I have decided to make the entire book available online.

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to ensure basic security considerations are in place.


Debian: 2826-2: denyhosts: regression (Jan 23)

A regression has been found in the denyhosts packages fixing CVE-2013-6890. This regression could cause an attempted break-in to be missed by denyhosts, which would then fail to enforce a ban. [More...]

(Jan 23)

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: [More...]

(Jan 20)

Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues: [More...]

(Jan 17)

Multiple security issues have been found in Libvirt, a virtualisation abstraction library: CVE-2013-6458 [More...]

Debian: 2831-2: puppet: regression (Jan 17)

The fix for CVE-2013-4969 contained a regression affecting the default file mode if none is specified on a file resource. The oldstable distribution (squeeze) is not affected by this regression. [More...]

(Jan 17)

This DSA updates the MySQL 5.1 database to 5.1.73. This fixes multiple unspecified security problems in MySQL: https://www.oracle.com/security-alerts/cpujan2014.html [More...]


(Jan 23)

A vulnerability in Zabbix could allow remote attackers to execute arbitrary shell code.

(Jan 21)

A heap-based buffer overflow in ldns might allow remote attackers to execute arbitrary code or cause a Denial of Service condition.

(Jan 21)

A vulnerability in INN's STARTTLS implementation could allow a remote attacker to conduct a man-in-the-middle attack.

(Jan 21)

Multiple vulnerabilities have been found in sudo which could result in privilege escalation.

(Jan 21)

A vulnerability in Active Record could allow a remote attacker to inject SQL commands.

(Jan 21)

Multiple vulnerabilities have been found in Poppler, allowing remote attackers to execute arbitrary code or cause a Denial of Service condition.

(Jan 21)

Multiple vulnerabilities have been found in Cacti, allowing attackers to execute arbitrary code or perform XSS attacks.

(Jan 21)

A buffer overflow error in GMime might allow remote attackers to execute arbitrary code or cause a Denial of Service condition.

(Jan 21)

Multiple stack-based buffer overflows have been found in OpenSC, allowing attackers to execute arbitrary code.

(Jan 21)

A vulnerability in PCSC-Lite could result in execution of arbitrary code or Denial of Service.

(Jan 21)

A vulnerability in CCID could result in execution of arbitrary code.

(Jan 20)

Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code.

(Jan 20)

Multiple vulnerabilities have been found in cURL, allowing attackers to execute arbitrary code or cause Denial of Service.

(Jan 20)

Multiple vulnerabilities have been found in VirtualBox, allowing local attackers to escalate their privileges or cause a Denial of Service condition.

(Jan 20)

Multiple vulnerabilities have been found in GNUstep Base library, the worst of which allow execution of arbitrary code.

(Jan 19)

Multiple vulnerabilities have been found in Perl and Locale::Maketext Perl module, the worst of which could allow a context-dependent attacker to execute arbitrary code.

(Jan 19)

Multiple vulnerabilities have been found in libexif and exif, some of which may allow execution of arbitrary code.

(Jan 18)

A vulnerability in Openswan could result in execution of arbitrary code or Denial of Service.


Mandriva: 2014:020: x11-server (Jan 22)

Updated x11-server package fixes security vulnerability: Bryan Quigley discovered an integer underflow in the Xorg X server which could lead to denial of service or the execution of arbitrary code (CVE-2013-6424). [More...]

Mandriva: 2014:019: elinks (Jan 22)

Updated elinks package fixes security vulnerability: When verifying SSL certificates, elinks fails to warn the user if the hostname of the certificate does not match the hostname of the website. [More...]

Mandriva: 2014:018: net-snmp (Jan 22)

Updated net-snmp packages fix security vulnerability: Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB and processing GETNEXT requests, allows remote attackers to cause a denial of service (crash or infinite loop, CPU consumption, [More...]

Mandriva: 2014:017: net-snmp (Jan 22)

Updated net-snmp packages fix security vulnerability: Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB and processing GETNEXT requests, allows remote attackers to cause a denial of service (crash or infinite loop, CPU consumption, [More...]

Mandriva: 2014:016: spice (Jan 22)

Updated spice packages fix security vulnerability: A stack-based buffer overflow flaw was found in the way the reds_handle_ticket() function in the spice-server library handled decryption of ticket data provided by the client. A remote user able [More...]

Mandriva: 2014:015: cups (Jan 22)

Updated cups packages fix security vulnerability: Jann Horn discovered that the CUPS lppasswd tool incorrectly read a user configuration file in certain configurations. A local attacker could use this to read sensitive information from certain files, [More...]

Mandriva: 2014:014: php (Jan 21)

Multiple vulnerabilities have been discovered and corrected in php: The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field [More...]

Mandriva: 2014:013: libxfont (Jan 21)

A vulnerability has been discovered and corrected in libxfont: Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 allows remote attackers to cause a denial of service (crash) or possibly execute [More...]

Mandriva: 2014:012: nss (Jan 20)

A vulnerability has been discovered and corrected in Mozilla NSS: The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof [More...]

Mandriva: 2014:011: java-1.7.0-openjdk (Jan 20)

Multiple vulnerabilities have been discovered and corrected in java-1.7.0-openjdk: An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java [More...]

Mandriva: 2014:010: memcached (Jan 17)

Multiple vulnerabilities have been discovered and corrected in memcached: The process_bin_delete function in memcached.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows [More...]

Mandriva: 2014:009: librsvg (Jan 17)

Updated librsvg and gtk+3.0 packages fix security vulnerability: librsvg before version 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference (CVE-2013-1881). [More...]

Mandriva: 2014:008: openjpeg (Jan 17)

Updated openjpeg package fixes security vulnerabilities: Multiple heap-based buffer overflow flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash or, [More...]

Mandriva: 2014:007: openssl (Jan 17)

A vulnerability has been discovered and corrected in openssl: The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle [More...]

Mandriva: 2014:006: libxslt (Jan 16)

A vulnerability has been discovered and corrected in ejabberd: xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type. [More...]

Mandriva: 2014:005: ejabberd (Jan 16)

A vulnerability has been discovered and corrected in ejabberd: The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) weak SSL ciphers, which makes it easier for remote attackers to obtain sensitive information via a brute-force attack (CVE-2013-6169). [More...]

Mandriva: 2014:004: nagios (Jan 16)

Multiple vulnerabilities have been discovered and corrected in nagios: Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from [More...]

Mandriva: 2014:003: nrpe (Jan 16)

A vulnerability has been discovered and corrected in nrpe: Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via $() shell metacharacters, which are [More...]

Mandriva: 2014:002: bind (Jan 16)

A vulnerability has been discovered and corrected in ISC BIND: The query_findclosestnsec3 function in query.c in named in ISC BIND 9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV before 9.6-ESV-R10-P2, allows remote attackers to cause [More...]


Red Hat: 2014:0091-01: openstack-neutron: Moderate Advisory (Jan 22)

Updated openstack-neutron packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. [More...]

Red Hat: 2014:0090-01: openstack-heat: Moderate Advisory (Jan 22)

Updated openstack-heat packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. [More...]

Red Hat: 2014:0089-01: openstack-keystone: Moderate Advisory (Jan 22)

Updated openstack-keystone packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having moderate [More...]

Red Hat: 2014:0044-01: augeas: Moderate Advisory (Jan 20)

Updated augeas packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]

Red Hat: 2014:0043-01: bind: Moderate Advisory (Jan 20)

Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]


Ubuntu: 2089-1: openjdk-7 vulnerabilities (Jan 23)

Several security issues were fixed in OpenJDK 7.

Ubuntu: 2088-1: NSS vulnerability (Jan 23)

NSS could be made to expose sensitive information over the network.

Ubuntu: 2087-1: NSPR vulnerability (Jan 23)

NSPR could be made to crash or run programs if it received a specially crafted certificate.

Ubuntu: 2084-1: devscripts vulnerability (Jan 21)

devscripts could be made to run programs if it opened a specially crafted file.

Ubuntu: 2085-1: HPLIP vulnerabilities (Jan 21)

Several security issues were fixed in HPLIP.

Ubuntu: 2086-1: MySQL vulnerabilities (Jan 21)

Several security issues were fixed in MySQL.

Ubuntu: 2083-1: Graphviz vulnerabilities (Jan 16)

Graphviz could be made to crash or run programs as your login if it opened a specially crafted file.