From eren at pardus.org.tr Tue Mar 9 09:07:46 2010
From: eren at pardus.org.tr (Eren Turkay)
Date: Tue, 9 Mar 2010 09:07:46 +0200 (EET)
Subject: [Pardus-security] [PLSA 2010-38] Sudo: Privilege Escalation
Message-ID: <20100309070746.C4B0CA7ABCD@lider.pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-38          security at pardus.org.tr
------------------------------------------------------------------------
Date: 2010-03-09
Severity: 3
Type: Local
------------------------------------------------------------------------

Summary
=======

A security issue has been fixed in sudo, which can be exploited by
malicious, local users to gain escalated privileges.

Description
===========

CVE-2010-0426: Sudo, when a pseudo-command is enabled, permits a match
between the name of the pseudo-command and the name of an executable file
in an arbitrary directory, which allows local users to gain privileges
via a crafted executable file, as demonstrated by a file named sudoedit
in a user's home directory.

Affected packages:

  Pardus 2009:
    sudo, all before 1.7.1-25-6

Resolution
==========

There are update(s) for sudo.
You can update them via Package Manager or with a single command from
console:

  pisi up sudo

References
==========

  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0426
  * http://bugs.pardus.org.tr/show_bug.cgi?id=12352

------------------------------------------------------------------------

From eren at pardus.org.tr Tue Mar 9 09:07:47 2010
From: eren at pardus.org.tr (Eren Turkay)
Date: Tue, 9 Mar 2010 09:07:47 +0200 (EET)
Subject: [Pardus-security] [PLSA 2010-39] Firefox: Multiple Vulnerabilities
Message-ID: <20100309070747.040D3A7ABCD@lider.pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-39          security at pardus.org.tr
------------------------------------------------------------------------
Date: 2010-03-09
Severity: 3
Type: Local
------------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities have been fixed in Firefox, which can be
exploited by malicious people to conduct cross-site scripting attacks or
compromise a user's system.

Description
===========

MFSA 2010-05 XSS hazard using SVG document and binary Content-Type
MFSA 2010-04 XSS due to window.dialogArguments being readable cross-domain
MFSA 2010-03 Use-after-free crash in HTML parser
MFSA 2010-02 Web Worker Array Handling Heap Corruption Vulnerability
MFSA 2010-01 Crashes with evidence of memory corruption (rv:1.9.1.8/1.9.0.18)

Affected packages:

  Pardus 2009:
    xulrunner, all before 1.9.1.8-27-21
    firefox, all before 3.5.8-122-23

Resolution
==========

There are update(s) for xulrunner, firefox.
You can update them via Package Manager or with a single command from
console:

  pisi up xulrunner firefox

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=12316
  * http://www.mozilla.org/security/known-vulnerabilities/firefox35.html

------------------------------------------------------------------------

From eren at pardus.org.tr Mon Mar 29 22:10:45 2010
From: eren at pardus.org.tr (Eren Turkay)
Date: Mon, 29 Mar 2010 22:10:45 +0300 (EEST)
Subject: [Pardus-security] [PLSA 2010-40] Pango: Denial of Service
Message-ID: <20100329191045.5574DA7ABD5@lider.pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-40          security at pardus.org.tr
------------------------------------------------------------------------
Date: 2010-03-29
Severity: 3
Type: Local
------------------------------------------------------------------------

Summary
=======

A vulnerability was fixed in Pango, which can allow a remote or local
user to cause denial of service conditions.

Description
===========

CVE-2010-0421: Array index error in the hb_ot_layout_build_glyph_classes
function in pango/opentype/hb-ot-layout.cc in Pango allows
context-dependent attackers to cause a denial of service (application
crash) via a crafted font file, related to building a synthetic Glyph
Definition (aka GDEF) table by using this font's charmap and the Unicode
property database.

Affected packages:

  pango-1.26.2-34-10, all before 2009
  pango-1.21.3-28-8, all before 2008

Resolution
==========

There are update(s) for pango-1.26.2-34-10, pango-1.21.3-28-8.
You can update them via Package Manager or with a single command from
console:

  pisi up pango-1.26.2-34-10 pango-1.21.3-28-8

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=12381
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0421

------------------------------------------------------------------------

From eren at pardus.org.tr Mon Mar 29 22:10:45 2010
From: eren at pardus.org.tr (Eren Turkay)
Date: Mon, 29 Mar 2010 22:10:45 +0300 (EEST)
Subject: [Pardus-security] [PLSA 2010-41] Libpng: Denial of Service
Message-ID: <20100329191045.89631A7ABD5@lider.pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-41          security at pardus.org.tr
------------------------------------------------------------------------
Date: 2010-03-29
Severity: 3
Type: Local
------------------------------------------------------------------------

Summary
=======

A vulnerability has been reported in libpng, which can be exploited by
malicious people to cause a DoS (Denial of Service).

Description
===========

The png_decompress_chunk function in pngrutil.c in libpng does not
properly handle compressed ancillary-chunk data that has a
disproportionately large uncompressed representation, which allows remote
attackers to cause a denial of service (memory and CPU consumption, and
application hang) via a crafted PNG file, as demonstrated by use of the
deflate compression method on data composed of many occurrences of the
same character, related to a "decompression bomb" attack.

Affected packages:

  libpng-1.2.43-21-6, all before 2009
  libpng-1.2.43-20-10, all before 2008

Resolution
==========

There are update(s) for libpng-1.2.43-21-6, libpng-1.2.43-20-10.
You can update them via Package Manager or with a single command from
console:

  pisi up libpng-1.2.43-21-6 libpng-1.2.43-20-10

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=12384
  * http://www.kb.cert.org/vuls/id/576029
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0205

------------------------------------------------------------------------

From eren at pardus.org.tr Mon Mar 29 22:10:45 2010
From: eren at pardus.org.tr (Eren Turkay)
Date: Mon, 29 Mar 2010 22:10:45 +0300 (EEST)
Subject: [Pardus-security] [PLSA 2010-42] tar/cpio: Buffer Overflow
Message-ID: <20100329191045.BD199A7ABD5@lider.pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-42          security at pardus.org.tr
------------------------------------------------------------------------
Date: 2010-03-29
Severity: 3
Type: Local
------------------------------------------------------------------------

Summary
=======

A vulnerability has been fixed in GNU tar, which can potentially be
exploited by malicious people to compromise a vulnerable system.

Description
===========

CVE-2010-0624: Heap-based buffer overflow in the rmt_read__ function in
lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and
GNU cpio before 2.11 allows remote rmt servers to cause a denial of
service (memory corruption) or possibly execute arbitrary code by sending
more data than was requested, related to archive filenames that contain
a : (colon) character.

Affected packages:

  tar-1.21-18-4, all before 2009
  cpio-2.9-9-5, all before 2009
  cpio-2.9-9-4, all before 2008
  tar-1.20-17-4, all before 2008

Resolution
==========

There are update(s) for tar-1.21-18-4, cpio-2.9-9-5, cpio-2.9-9-4,
tar-1.20-17-4.
You can update them via Package Manager or with a single command from
console:

  pisi up tar-1.21-18-4 cpio-2.9-9-5 cpio-2.9-9-4 tar-1.20-17-4

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=12435
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0624
  * https://bugzilla.redhat.com/show_bug.cgi?id=564368

------------------------------------------------------------------------

From eren at pardus.org.tr Mon Mar 29 22:10:45 2010
From: eren at pardus.org.tr (Eren Turkay)
Date: Mon, 29 Mar 2010 22:10:45 +0300 (EEST)
Subject: [Pardus-security] [PLSA 2010-43] Curl: Excessive Data Length in Callback Function
Message-ID: <20100329191045.F306DA7ABD5@lider.pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-43          security at pardus.org.tr
------------------------------------------------------------------------
Date: 2010-03-29
Severity: 3
Type: Local
------------------------------------------------------------------------

Summary
=======

A security issue has been fixed in cURL / libcURL, which can potentially
be exploited by malicious people to cause a DoS (Denial of Service) or
compromise an application using the library.

Description
===========

When downloading data, libcurl hands it over to the application using a
callback that is registered by the client software. libcurl will then
call that function repeatedly with data until the transfer is complete.
The callback is documented to receive a maximum data size of 16K
(CURL_MAX_WRITE_SIZE).

Using the affected libcurl version to download compressed content over
HTTP, an application can ask libcurl to automatically uncompress data.
When doing so, libcurl can wrongly send data up to 64K in size to the
callback, which thus is much larger than the documented maximum size.

An application that blindly trusts libcurl's max limit for a fixed
buffer size or similar is then a possible target for a buffer overflow
vulnerability.
Affected packages:

  curl-7.19.6-18-6, all before 2009
  curl-7.19.6-18-8, all before 2008

Resolution
==========

There are update(s) for curl-7.19.6-18-6, curl-7.19.6-18-8. You can
update them via Package Manager or with a single command from console:

  pisi up curl-7.19.6-18-6 curl-7.19.6-18-8

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=12439
  * http://curl.haxx.se/docs/adv_20100209.html

------------------------------------------------------------------------

From eren at pardus.org.tr Mon Mar 29 22:10:46 2010
From: eren at pardus.org.tr (Eren Turkay)
Date: Mon, 29 Mar 2010 22:10:46 +0300 (EEST)
Subject: [Pardus-security] [PLSA 2010-44] Php: Multiple Vulnerabilities
Message-ID: <20100329191046.325A0A7ABD4@lider.pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-44          security at pardus.org.tr
------------------------------------------------------------------------
Date: 2010-03-29
Severity: 3
Type: Remote
------------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities have been fixed in PHP, which can be exploited
by malicious users to bypass certain security restrictions.

Description
===========

Fixed safe_mode validation inside tempnam() when the directory path does
not end with a /. (Martin Jansen)

Fixed a possible open_basedir/safe_mode bypass in session extension
identified by Grzegorz Stachowiak. (Ilia)

Improved LCG entropy. (Rasmus, Samy Kamkar)

Affected packages:

  mod_php-5.2.13-76-11, all before 2009
  php-cli-5.2.13-76-11, all before 2009
  mod_php-5.2.13-75-15, all before 2008
  php-cli-5.2.13-75-15, all before 2008

Resolution
==========

There are update(s) for mod_php-5.2.13-76-11, php-cli-5.2.13-76-11,
mod_php-5.2.13-75-15, php-cli-5.2.13-75-15.
You can update them via Package Manager or with a single command from
console:

  pisi up mod_php-5.2.13-76-11 php-cli-5.2.13-76-11 mod_php-5.2.13-75-15 php-cli-5.2.13-75-15

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=12363
  * http://www.php.net/

------------------------------------------------------------------------

From eren at pardus.org.tr Mon Mar 29 22:10:46 2010
From: eren at pardus.org.tr (Eren Turkay)
Date: Mon, 29 Mar 2010 22:10:46 +0300 (EEST)
Subject: [Pardus-security] [PLSA 2010-45] Apache: Multiple Vulnerabilities
Message-ID: <20100329191046.667DEA7ABD4@lider.pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-45          security at pardus.org.tr
------------------------------------------------------------------------
Date: 2010-03-29
Severity: 4
Type: Remote
------------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities have been fixed in Apache, where one has unknown
impacts and others can be exploited by malicious people to gain access to
potentially sensitive information or cause a DoS (Denial of Service).

Description
===========

CVE-2009-3555: mod_ssl: Comprehensive fix of the TLS renegotiation prefix
injection attack when compiled against OpenSSL version 0.9.8m or later.
Introduces the 'SSLInsecureRenegotiation' directive to reopen this
vulnerability and offer unsafe legacy renegotiation with clients which do
not yet support the new secure renegotiation protocol, RFC 5746.
[Joe Orton, and with thanks to the OpenSSL Team]

CVE-2009-3555: mod_ssl: A partial fix for the TLS renegotiation prefix
injection attack by rejecting any client-initiated renegotiations.
Forcibly disable keepalive for the connection if there is any buffered
data readable. Any configuration which requires renegotiation for
per-directory/location access control is still vulnerable, unless using
OpenSSL >= 0.9.8l.
[Joe Orton, Ruediger Pluem, Hartmut Keil]

CVE-2010-0408: mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body
is not sent when request headers indicate a request body is incoming; not
a case of HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola]

CVE-2010-0425: mod_isapi: Do not unload an isapi .dll module until the
request processing is completed, avoiding orphaned callback pointers.
[Brett Gervasoni, Jeff Trawick]

CVE-2010-0434: Ensure each subrequest has a shallow copy of headers_in so
that the parent request headers are not corrupted. Eliminates a
problematic optimization in the case of no request body. PR 48359
[Jake Scott, William Rowe, Ruediger Pluem]

Affected packages:

  apache-2.2.15-36-11, all before 2009
  apache-2.2.15-34-12, all before 2008

Resolution
==========

There are update(s) for apache-2.2.15-36-11, apache-2.2.15-34-12. You
can update them via Package Manager or with a single command from
console:

  pisi up apache-2.2.15-36-11 apache-2.2.15-34-12

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=12387
  * http://www.apache.org/dist/httpd/CHANGES_2.2.15
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0408
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0425
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0434

------------------------------------------------------------------------

From eren at pardus.org.tr Wed Mar 31 16:10:38 2010
From: eren at pardus.org.tr (Eren Türkay)
Date: Wed, 31 Mar 2010 16:10:38 +0300
Subject: [Pardus-security] Announcement about wrong package versions in last 6 advisories
Message-ID: <201003311610.38245.eren@pardus.org.tr>

Hello,

Due to an error in our advisory releasing software, the last 6 advisories
contained wrong package versions.
The erroneous advisories which included wrong package versions are:

  [PLSA-2010-40] Pango: Denial of Service
  [PLSA-2010-41] Libpng: Denial of Service
  [PLSA-2010-42] tar/cpio: Buffer Overflow
  [PLSA-2010-43] Curl: Excessive Data Length in Callback Function
  [PLSA-2010-44] Php: Multiple Vulnerabilities
  [PLSA-2010-45] Apache: Multiple Vulnerabilities

Our advisories contain package information for each Pardus release.
Normally, you would see the "Affected packages" section as:

  Pardus 2009:
    pango, all before 1.26.2-34-10

However, in the last advisories, the section was written as:

  pango-1.26.2-34-10, all before 2009
  pango-1.21.3-28-8, all before 2008

To get the correct package version, the version string after the package
name should be taken into account.

Additionally, the "solution" section was wrongly created. Please only
enter package names while using "pisi up". The version string is not
accepted for pisi.

We are really sorry for this inconvenience and we apologize for it.

--
Eren
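The libpng issue in PLSA 2010-41 above comes down to one missing check: compressed ancillary chunks (zTXt, iCCP, iTXt) were inflated in full before anyone asked how large they would get. The scanner below is an added example written for this page, not libpng's code and not a reconstruction of its fix. It walks the chunk list, locates the deflate stream inside each compressed ancillary chunk, and inflates it with a hard output bound so a kilobyte that wants to become a megabyte is rejected instead of exhausting memory. The policy limits MAX_INFLATED_BYTES and MAX_INFLATION_RATIO and the sample image built by build_sample_png() are constructed for the example; the chunk layouts follow the PNG specification. IDAT is deliberately left alone, since it is the image data path rather than the ancillary-chunk path the advisory describes.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed policy limits for this example (libpng's own limits are not
# reproduced here): never inflate an ancillary chunk past 64 KiB, and never
# past 100x its compressed size.
MAX_INFLATED_BYTES = 64 * 1024
MAX_INFLATION_RATIO = 100


class DecompressionBomb(Exception):
    """Compressed ancillary data would inflate beyond the configured limit."""


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, verifying lengths and CRCs."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc = png[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            raise ValueError(f"truncated {ctype!r} chunk")
        if (zlib.crc32(ctype + data) & 0xFFFFFFFF) != struct.unpack(">I", crc)[0]:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def compressed_payload(ctype: bytes, data: bytes):
    """Return the deflate stream carried by a compressed ancillary chunk,
    or None for chunks that carry none (uncompressed text, IDAT, ...)."""
    if ctype in (b"zTXt", b"iCCP"):
        # keyword / profile name, NUL, compression method (0 = deflate), stream
        nul = data.index(b"\0")
        return data[nul + 2:] if data[nul + 1] == 0 else None
    if ctype == b"iTXt":
        # keyword, NUL, compression flag, method, language tag, NUL,
        # translated keyword, NUL, text
        nul = data.index(b"\0")
        flag, method = data[nul + 1], data[nul + 2]
        rest = data[nul + 3:]
        rest = rest[rest.index(b"\0") + 1:]   # skip language tag
        rest = rest[rest.index(b"\0") + 1:]   # skip translated keyword
        return rest if flag == 1 and method == 0 else None
    return None


def inflate_bounded(stream: bytes, limit: int) -> bytes:
    """Inflate, but give up as soon as the output would exceed `limit`.
    Asking zlib for at most limit+1 bytes means a bomb costs one extra byte
    of output, not its full expansion."""
    d = zlib.decompressobj()
    out = d.decompress(stream, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise DecompressionBomb(f"output exceeds {limit} bytes")
    return out


def scan_ancillary_chunks(png: bytes):
    """Return one (chunk type, compressed size, inflated size or None,
    verdict) tuple per compressed ancillary chunk in the file."""
    findings = []
    for ctype, data in iter_chunks(png):
        stream = compressed_payload(ctype, data)
        if stream is None:
            continue
        limit = min(MAX_INFLATED_BYTES, MAX_INFLATION_RATIO * max(len(stream), 1))
        try:
            out = inflate_bounded(stream, limit)
            findings.append((ctype.decode("ascii"), len(stream), len(out), "ok"))
        except DecompressionBomb:
            findings.append((ctype.decode("ascii"), len(stream), None, "rejected"))
    return findings


def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG carrying a benign zTXt comment and a
    zTXt 'bomb': about a kilobyte of deflate that inflates to 1,000,000 'A's,
    the many-occurrences-of-one-character case the advisory describes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x00")                      # filter byte + pixel
    benign = b"Comment\0" + b"\0" + zlib.compress(b"Example comment")
    bomb = b"Comment\0" + b"\0" + zlib.compress(b"A" * 1_000_000, 9)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"zTXt", benign)
            + _chunk(b"zTXt", bomb) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    for finding in scan_ancillary_chunks(build_sample_png()):
        print(finding)
```

The ratio test matters as much as the absolute cap: a legitimate 4 KiB ICC profile and a 1 KiB stream claiming to be a 60 KiB comment both fit under 64 KiB, but only the second is suspicious. Running the scanner on the sample reports the first zTXt as ok and the second as rejected without ever allocating the megabyte.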
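PLSA 2010-42 above is a trust-the-peer bug in a small line protocol. When tar or cpio is given an archive name containing a colon it treats it as host:file and talks to a remote rmt server, sending "R<count>\n" to read and expecting "A<n>\n" followed by n bytes (or "E<errno>\n<message>\n" on failure). The pre-1.23 client stored however many bytes the server announced into a buffer sized for <count>. The model below is an added example, not code from GNU tar, cpio or rmt: the R/A/E line format follows GNU rmt, while the block size, the tape contents, the canary that stands in for adjacent heap memory, and the honest and malicious server stubs are constructed for the example. The bounded=False path reproduces the unchecked behaviour so the canary corruption is visible; bounded=True adds the single comparison that the fix needs.

```python
import io
import re

BLOCK_SIZE = 512          # bytes the client requests per read (constructed)
CANARY = b"NEIGHBOUR"     # stands in for whatever follows the buffer on the heap
TAPE = bytes(range(256)) * 4   # constructed 1 KiB of "tape" held by the server


class RmtProtocolError(Exception):
    """Malformed or out-of-contract reply from the rmt server."""


def rmt_server(request: bytes, tape: bytes, lie: bool = False) -> bytes:
    """Answer one 'R<count>\\n' request as an rmt server does: 'A<n>\\n'
    followed by n bytes, or 'E<errno>\\n<message>\\n'. With lie=True the
    server ignores <count> and returns the whole tape, as an attacker's
    server would."""
    m = re.fullmatch(rb"R(\d+)\n", request)
    if m is None:
        return b"E22\nInvalid argument\n"        # errno 22 = EINVAL
    count = int(m.group(1))
    data = tape if lie else tape[:count]
    return b"A%d\n" % len(data) + data


def rmt_read(server, heap: bytearray, count: int, bounded: bool = True) -> int:
    """Client side of one read, modelled on what rmt_read__() has to do.
    The caller's buffer is heap[:count]; everything after it plays the part
    of adjacent heap memory. bounded=False trusts the server's 'A<n>' status
    the way the pre-fix client did; bounded=True refuses any n > count.
    Returns the number of bytes stored."""
    reply = io.BytesIO(server(b"R%d\n" % count))
    status = reply.readline()
    if status.startswith(b"E"):
        errno = int(status[1:])
        message = reply.readline().rstrip(b"\n").decode("ascii", "replace")
        raise RmtProtocolError(f"server error {errno}: {message}")
    if not status.startswith(b"A") or not status[1:].strip().isdigit():
        raise RmtProtocolError(f"malformed status line {status!r}")
    n = int(status[1:])
    if bounded and n > count:
        # The fix: the server may return fewer bytes than asked, never more.
        raise RmtProtocolError(f"server offers {n} bytes, {count} requested")
    data = reply.read(n)
    if len(data) != n:
        raise RmtProtocolError(f"short read: {len(data)} of {n} bytes")
    memoryview(heap)[:n] = data   # with n > count this spills past the buffer
    return n


def make_heap(count: int) -> bytearray:
    """A buffer of `count` bytes followed by the canary."""
    return bytearray(count) + CANARY


def honest_server(request: bytes) -> bytes:
    return rmt_server(request, TAPE)


def evil_server(request: bytes) -> bytes:
    """Sends BLOCK_SIZE + len(CANARY) bytes no matter what was requested."""
    return rmt_server(request, TAPE[:BLOCK_SIZE + len(CANARY)], lie=True)


def try_read(server, heap: bytearray, count: int, bounded: bool) -> int:
    """Run one read; return bytes stored, or -1 on a protocol error."""
    try:
        return rmt_read(server, heap, count, bounded)
    except RmtProtocolError:
        return -1


if __name__ == "__main__":
    for name, server in (("honest", honest_server), ("malicious", evil_server)):
        for bounded in (True, False):
            heap = make_heap(BLOCK_SIZE)
            got = try_read(server, heap, BLOCK_SIZE, bounded)
            intact = heap[BLOCK_SIZE:] == CANARY
            print(f"{name:9} bounded={bounded!s:5} stored={got:4} canary intact={intact}")
```

The honest server never triggers the check, so the bound costs nothing on the normal path; against the malicious server it turns a heap overwrite into a clean protocol error before any copy happens. The same shape applies to any client that lets a peer announce a length: compare the announced count against the space you actually reserved, not against what you asked for.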