HP Security Bulletin HPSBUX03102 SSRT101681 – Potential security vulnerabilities have been identified with the HP-UX Apache Web Server Suite, Tomcat Servlet Engine, and PHP. These vulnerabilities could be exploited remotely to execute arbitrary code, create a Denial of Service (DoS), or other vulnerabilities. Revision 1 of this advisory.

Slackware Security Advisory – New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.

Slackware Security Advisory – New php packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Red Hat Security Advisory 2014-1165-01 – Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. A race condition was found in the way NSS verified certain certificates. A remote attacker could use this flaw to crash an application using NSS or, possibly, execute arbitrary code with the privileges of the user running that application.

Ubuntu Security Notice 2341-1 – Salvatore Bonaccorso discovered that the CUPS web interface incorrectly validated permissions and incorrectly handled symlinks. An attacker could possibly use this issue to bypass file permissions and read arbitrary files, possibly leading to a privilege escalation.

Slackware Security Advisory – New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.

Ubuntu Security Notice 2306-3 – USN-2306-1 fixed vulnerabilities in the GNU C Library. On Ubuntu 10.04 LTS, the fix for CVE-2013-4357 introduced a memory leak in getaddrinfo. This update fixes the problem. Maksymilian Arciemowicz discovered that the GNU C Library incorrectly handled the getaddrinfo() function. An attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 10.04 LTS. It was discovered that the GNU C Library incorrectly handled the getaddrinfo() function. An attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. Stephane Chazelas discovered that the GNU C Library incorrectly handled locale environment variables. An attacker could use this issue to possibly bypass certain restrictions such as the ForceCommand restrictions in OpenSSH. David Reid, Glyph Lefkowitz, and Alex Gaynor discovered that the GNU C Library incorrectly handled posix_spawn_file_actions_addopen() path arguments. An attacker could use this issue to cause a denial of service. Various other issues were also addressed.

Mandriva Linux Security Advisory 2014-179 – Updated python-django packages fix security vulnerabilities. These releases address an issue with reverse() generating external URLs, a denial of service involving file uploads, a potential session hijacking issue in the remote-user middleware, and a data leak in the administrative interface.

Mandriva Linux Security Advisory 2014-175 – When converting IBM930 code with iconv(), if IBM930 code which includes invalid multibyte character 0xffff is specified, then iconv() segfaults. Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library allows context-dependent attackers to cause a denial of service or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules. Crashes were reported in the IBM code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364). The updated packages have been patched to correct these issues.

Mandriva Linux Security Advisory 2014-176 – The libgcrypt library before version 1.5.4 is vulnerable to an ELGAMAL side-channel attack.