Resolved Bugs
1056338 – CVE-2014-1624 pyxdg: TOCTOU race condition in get_runtime_dir() when strict=False
1056339 – CVE-2014-1624 pyxdg: TOCTOU race condition in get_runtime_dir() when strict=False [fedora-all]
Fix CVE-2014-1624 pyxdg: TOCTOU race condition in get_runtime_dir() when strict=False
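As an added illustration of the bug class behind CVE-2014-1624 (this is not pyxdg's own code, nor the upstream fix), the Python below places the check-then-act pattern that makes a non-strict fallback runtime directory racy beside an atomic-create-then-verify version. The fallback path layout under `base`, the `uid` parameter and the function names are assumptions made for this example; `run_demo()` plants a symlink and a foreign-owned directory in a scratch directory to show what each version does with them.

```python
"""Added example (not pyxdg's code): atomic creation plus verification of a
fallback runtime directory, versus the check-then-act (TOCTOU) pattern.
Path layout, parameter names and function names are assumptions."""
import os
import stat
import tempfile


def fallback_dir_racy(base, user):
    """Check-then-act: constructed to mirror the vulnerable pattern, do not use.

    Between os.path.exists() and os.mkdir() another local user can create the
    predictable path (a directory they own, or a symlink to one), and the
    caller then treats attacker-controlled space as its private runtime dir.
    """
    path = os.path.join(base, "pyxdg-runtime-dir-fallback-" + user)
    if not os.path.exists(path):   # check ... (and exists() follows symlinks)
        os.mkdir(path, 0o700)      # ... act; the race window lies in between
    return path                    # nothing verifies owner, mode or file type


def fallback_dir_safe(base, user, uid=None):
    """Create the fallback directory atomically, then verify it before trusting it.

    Returns the path, or raises OSError if it cannot be created or is not a real
    directory owned by `uid` with no group/other permission bits set.
    """
    if uid is None:
        uid = os.getuid()
    path = os.path.join(base, "pyxdg-runtime-dir-fallback-" + user)
    try:
        os.mkdir(path, 0o700)      # atomic: EEXIST if anything (even a symlink) is there
    except FileExistsError:
        pass                       # may be ours from an earlier run; the checks below decide
    st = os.lstat(path)            # lstat, not stat: never follow a planted symlink
    if not stat.S_ISDIR(st.st_mode):
        raise OSError(f"{path}: not a directory (symlink or file planted?)")
    if st.st_uid != uid:
        raise OSError(f"{path}: owned by uid {st.st_uid}, expected {uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise OSError(f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} is not private")
    return path


def run_demo():
    """Exercise both versions in a scratch directory and report the outcomes."""
    base = tempfile.mkdtemp(prefix="toctou-demo-")        # constructed stand-in for /tmp
    target = tempfile.mkdtemp(prefix="attacker-owned-")   # where a planted symlink points
    # Honest case: nothing planted, the directory is created and passes verification.
    ok = os.path.isdir(fallback_dir_safe(base, "alice"))
    # Attack 1: a symlink is planted at the predictable path before the call.
    os.symlink(target, os.path.join(base, "pyxdg-runtime-dir-fallback-bob"))
    racy_path = fallback_dir_racy(base, "bob")            # returns the symlink as "private"
    try:
        fallback_dir_safe(base, "bob")
        symlink_rejected = False
    except OSError:
        symlink_rejected = True
    # Attack 2: a pre-existing directory not owned by the caller. Simulated by
    # verifying against a uid other than our own, since the demo cannot chown.
    os.mkdir(os.path.join(base, "pyxdg-runtime-dir-fallback-carol"), 0o700)
    try:
        fallback_dir_safe(base, "carol", uid=os.getuid() + 1)
        foreign_rejected = False
    except OSError:
        foreign_rejected = True
    return {
        "honest_ok": ok,
        "racy_returned_symlink": os.path.islink(racy_path),
        "symlink_rejected": symlink_rejected,
        "foreign_dir_rejected": foreign_rejected,
    }
```

The point of the hardened version is not the `mkdir` alone: `EEXIST` is expected on every run after the first, so the decision has to rest on what `lstat()` reports afterwards (type, owner, mode), which closes the window that `exists()` followed by `mkdir()` leaves open.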
Monthly Archives: December 2014
DSA-3091 getmail4 – security update
Several vulnerabilities have been discovered in getmail4, a mail
retriever with support for POP3, IMAP4 and SDPS, that could allow
man-in-the-middle attacks.
DSA-3092 icedove – security update
Multiple security issues have been found in Icedove, Debian’s version of
the Mozilla Thunderbird mail and news client: Multiple memory safety
errors, buffer overflows, use-after-frees and other implementation errors
may lead to the execution of arbitrary code, the bypass of security
restrictions or denial of service.
Vuln: cURL/libcURL CVE-2014-3613 Remote Security Bypass Vulnerability
CVE-2014-8651
The KDE Clock KCM policykit helper in kde-workspace before 4.11.14 and plasma-desktop before 5.1.1 allows local users to gain privileges via a crafted ntpUtility (ntp utility name) argument.
CVE-2014-9117
MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as demonstrated by E4652 for the public_key value 0.
Google App Engine Java VM Sandbox Escape
In excess of 30 issues have been discovered related to the Google App Engine including a complete Java VM security sandbox escape.
Fedora EPEL 7 Security Update: pwgen-2.07-1.el7
Resolved Bugs
1020220 – CVE-2013-4440 pwgen: non-tty passwords are trivially weak by default
1020223 – CVE-2013-4440 pwgen: non-tty passwords are trivially weak by default [epel-all]
1020258 – CVE-2013-4442 pwgen: silent fallback to insecure entropy
1020261 – CVE-2013-4442 pwgen: silent fallback to insecure entropy [epel-all]
Update to 2.07:
* Remove backwards compatibility for no-tty mode. Addresses CVE-2013-4440
* Fail hard if /dev/urandom and /dev/random are not available. Addresses CVE-2013-4442 and Launchpad #1183213 (Closes: #767008)
* Fix pwgen -B so that it doesn’t accidentally generate passwords with ambiguous characters after changing the case of some letters. Addresses Launchpad Bugs #638418 and #1349863
* Fix potential portability bug on architectures where unsigned ints are not 4 bytes long
Fedora EPEL 6 Security Update: seamonkey-2.28-2.ESR_31.3.0.el6
Update to the codebase of Extended Support Release (ESR) 31.3.0
Fixes various security issues, see https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html and https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html for more info
Fedora EPEL 6 Security Update: pwgen-2.07-1.el6
Resolved Bugs
1020220 – CVE-2013-4440 pwgen: non-tty passwords are trivially weak by default
1020223 – CVE-2013-4440 pwgen: non-tty passwords are trivially weak by default [epel-all]
1020258 – CVE-2013-4442 pwgen: silent fallback to insecure entropy
1020261 – CVE-2013-4442 pwgen: silent fallback to insecure entropy [epel-all]
Update to 2.07:
* Remove backwards compatibility for no-tty mode. Addresses CVE-2013-4440
* Fail hard if /dev/urandom and /dev/random are not available. Addresses CVE-2013-4442 and Launchpad #1183213 (Closes: #767008)
* Fix pwgen -B so that it doesn’t accidentally generate passwords with ambiguous characters after changing the case of some letters. Addresses Launchpad Bugs #638418 and #1349863
* Fix potential portability bug on architectures where unsigned ints are not 4 bytes long
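The CVE-2013-4442 entry in both pwgen updates above (EPEL 7 and EPEL 6) describes the same defect: when no kernel entropy device could be opened, the generator quietly degraded instead of stopping, and the 2.07 fix is to fail hard. The Python below is an added example, not pwgen's C source, written to make that contrast concrete: a time-seeded fallback reader that mirrors the vulnerable pattern, a strict reader that raises when neither device is usable, and a password generator on top that maps bytes onto an alphabet with rejection sampling. The device list, function names and alphabet are assumptions for illustration; `read_entropy_fallback` exists only to show why the fallback is dangerous.

```python
"""Added example (not pwgen's code): fail-hard entropy sourcing beside the
silent clock-seeded fallback that CVE-2013-4442 describes. Device list,
function names and the alphabet are assumptions for illustration."""
import random
import time

ENTROPY_DEVICES = ("/dev/urandom", "/dev/random")
DEFAULT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def _read_exact(path, n):
    """Read exactly n bytes from a device, looping over short reads; OSError on failure."""
    with open(path, "rb", buffering=0) as f:
        buf = b""
        while len(buf) < n:
            chunk = f.read(n - len(buf))
            if not chunk:
                raise OSError(f"{path}: short read")
            buf += chunk
        return buf


def read_entropy_fallback(n, devices=ENTROPY_DEVICES, clock=time.time):
    """Vulnerable pattern (constructed, do not use): if no device opens, quietly
    seed a PRNG from the clock. That leaves roughly 2^31 candidate seeds, and
    anyone who knows when the password was made can replay the exact output."""
    for dev in devices:
        try:
            return _read_exact(dev, n)
        except OSError:
            continue
    rng = random.Random(int(clock()))          # the silent downgrade
    return bytes(rng.getrandbits(8) for _ in range(n))


def read_entropy_strict(n, devices=ENTROPY_DEVICES):
    """Hardened pattern: try each device in order and raise if none works.
    A missing CSPRNG is a fatal configuration error, not something to paper over."""
    errors = []
    for dev in devices:
        try:
            return _read_exact(dev, n)
        except OSError as e:
            errors.append(f"{dev}: {e}")
    raise RuntimeError("no entropy source available: " + "; ".join(errors))


def entropy_available(devices=ENTROPY_DEVICES):
    """True if read_entropy_strict() can serve a request from `devices`."""
    try:
        read_entropy_strict(1, devices)
        return True
    except RuntimeError:
        return False


def generate_password(length, alphabet=DEFAULT_ALPHABET, entropy=read_entropy_strict):
    """Map random bytes onto `alphabet` with rejection sampling so every
    character is equiprobable (no modulo bias); alphabet must be 1..256 chars."""
    n = len(alphabet)
    if not 0 < n <= 256:
        raise ValueError("alphabet must have 1..256 characters")
    limit = 256 - (256 % n)   # bytes >= limit are discarded rather than folded
    out = []
    while len(out) < length:
        for b in entropy(length - len(out)):
            if b < limit:
                out.append(alphabet[b % n])
                if len(out) == length:
                    break
    return "".join(out)
```

In real Python code `secrets` or `os.urandom()` is the right call, and both already raise rather than degrade; the explicit device loop here mirrors what a C program such as pwgen has to do itself, which is exactly where a "try /dev/urandom, then /dev/random, then something else" chain grows its insecure third branch. The same reasoning covers the CVE-2013-4440 entry: a mode that silently produces weaker output when the caller did not ask for it is a downgrade, and removing the mode is the fix.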