A regression with the MDVSA-2014:179 advisory was discovered. This
advisory solves the problem by adding the missing get_random_string
function.
Monthly Archives: October 2014
MDVSA-2014:193: xerces-j2
A resource consumption issue was found in the way Xerces-J handled
XML declarations. A remote attacker could use an XML document with
a specially crafted declaration using a long pseudo-attribute name
that, when parsed by an application using Xerces-J, would cause that
application to use an excessive amount of CPU (CVE-2013-4002).
MDVSA-2014:192: perl-Email-Address
Updated perl-Email-Address package fixes two security vulnerabilities:
The parse function in Email::Address module before 1.905 for Perl
uses an inefficient regular expression, which allows remote attackers
to cause a denial of service (CPU consumption) via an empty quoted
string in an RFC 2822 address (CVE-2014-0477).
The Email::Address module before 1.904 for Perl uses an inefficient
regular expression, which allows remote attackers to cause a denial
of service (CPU consumption) via vectors related to backtracking into
the phrase (CVE-2014-4720).
MDVA-2014:018: timezone
This is a maintenance and bugfix release that upgrades the timezone
data packages to the 2014g version.
MDVSA-2014:195: libvirt
Multiple vulnerabilities have been discovered and corrected in libvirt:
An out-of-bounds read flaw was found in the way libvirt’s
qemuDomainGetBlockIoTune() function looked up the disk index in
a non-persistent (live) disk configuration while a persistent disk
configuration was being indexed. A remote attacker able to establish a
read-only connection to libvirtd could use this flaw to crash libvirtd
or, potentially, leak memory from the libvirtd process (CVE-2014-3633).
A denial of service flaw was found in the way libvirt’s
virConnectListAllDomains() function computed the number of used
domains. A remote attacker able to establish a read-only connection
to libvirtd could use this flaw to make any domain operations within
libvirt unresponsive (CVE-2014-3657).
The updated libvirt packages have been upgraded to the 1.1.3.6 version
and patched to resolve these security flaws.
MDVSA-2014:194: phpmyadmin
A vulnerability has been discovered and corrected in phpmyadmin:
With a crafted ENUM value it is possible to trigger an XSS in table
search and table structure pages (CVE-2014-7217).
This upgrade provides the latest phpmyadmin version (4.2.9.1) to
address this vulnerability.
RHBA-2014:1360-1: systemtap bug fixes
Red Hat Enterprise Linux: Updated systemtap packages that fix two bugs are now available for Red Hat
Enterprise Linux 7.
RHBA-2014:1356-1: dhcp bug fix update
Red Hat Enterprise Linux: Updated dhcp packages that fix one bug are now available for Red Hat Enterprise
Linux 7.
RHSA-2014:1365-1: Important: kernel security and bug fix update
Red Hat Enterprise Linux: Updated kernel packages that fix one security issue and several bugs are
now available for Red Hat Enterprise Linux 6.4 Extended Update Support.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2014-0205
RHEA-2014:1364-1: RHN Tools sat5to6 transition tooling release
Red Hat Enterprise Linux: The new sat5to6 transition tool and supporting packages are now available.