Red Hat Enterprise Linux: New kmod-bnx2x packages are now available for Red Hat Enterprise Linux 7.
Monthly Archives: December 2014
RHBA-2014:1957-1: resource-agents enhancement update
Red Hat Enterprise Linux: Updated resource-agents packages that add one enhancement are now available for
Red Hat Enterprise Linux 7.
Apple Releases Security Updates for Safari
Original release date: December 04, 2014 | Last revised: December 05, 2014
Apple has released security updates for Safari to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow a remote attacker to cause a denial of service or execute arbitrary code on an affected system.
Updates include:
- Safari 8.0.1 for OS X Yosemite v10.10.1
- Safari 7.1.1 for OS X Mavericks v10.9.5
- Safari 6.2.1 for OS X Mountain Lion v10.8.5
US-CERT encourages users and administrators to review Apple security update HT6596 and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
USN-2433-1: tcpdump vulnerabilities
Ubuntu Security Notice USN-2433-1
4th December, 2014
tcpdump vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary
Several security issues were fixed in tcpdump.
Software description
- tcpdump
– command-line network traffic analyzer
Details
Steffen Bauch discovered that tcpdump incorrectly handled printing OSLR
packets. A remote attacker could use this issue to cause tcpdump to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2014-8767)
Steffen Bauch discovered that tcpdump incorrectly handled printing GeoNet
packets. A remote attacker could use this issue to cause tcpdump to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only applied to Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-8768)
Steffen Bauch discovered that tcpdump incorrectly handled printing AODV
packets. A remote attacker could use this issue to cause tcpdump to crash,
resulting in a denial of service, reveal sensitive information, or possibly
execute arbitrary code. (CVE-2014-8769)
It was discovered that tcpdump incorrectly handled printing PPP packets. A
remote attacker could use this issue to cause tcpdump to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-2014-9140)
In the default installation, attackers would be isolated by the tcpdump
AppArmor profile.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10:
-
tcpdump
4.6.2-1ubuntu1.1
- Ubuntu 14.04 LTS:
-
tcpdump
4.5.1-2ubuntu1.1
- Ubuntu 12.04 LTS:
-
tcpdump
4.2.1-1ubuntu2.1
- Ubuntu 10.04 LTS:
-
tcpdump
4.0.0-6ubuntu3.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
USN-2431-2: MAAS regression
Ubuntu Security Notice USN-2431-2
4th December, 2014
maas regression
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
USN-2431-1 caused a regression in the MAAS package.
Software description
- maas
– Ubuntu MAAS Server
Details
USN-2431-1 fixed vulnerabilities in mod_wsgi. The security update exposed
an issue in the MAAS package, causing a regression. This update fixes the
problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that mod_wsgi incorrectly handled errors when setting up
the working directory and group access rights. A malicious application
could possibly use this issue to cause a local privilege escalation when
using daemon mode.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10:
-
maas-region-controller-min
1.7.0~beta8+bzr3272-0ubuntu1.2
- Ubuntu 14.04 LTS:
-
maas-region-controller-min
1.5.4+bzr2294-0ubuntu1.2
- Ubuntu 12.04 LTS:
-
maas-region-controller
1.2+bzr1373+dfsg-0ubuntu1~12.04.6
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
Sony Kept Thousands Of Passwords In A Folder Named "Password"
Packet Storm Exploit 2014-1204-1 – Offset2lib: Bypassing Full ASLR On 64bit Linux
Proof of concept code that demonstrates an ASLR bypass of PIE compiled 64bit Linux.
Packet Storm Advisory 2014-1204-1 – Offset2lib: Bypassing Full ASLR On 64bit Linux
The release of this advisory provides exploitation details in relation a weakness in the Linux ASLR implementation. The problem appears when the executable is PIE compiled and it has an address leak belonging to the executable. These details were obtained through the Packet Storm Bug Bounty program and are being released to the community.
Fedora 21 Security Update: kde-plasma-nm-0.9.3.5-2.fc21
Fedora 21 Security Update: phpMyAdmin-4.2.13.1-1.fc21
Resolved Bugs
1170597 – CVE-2014-9218 phpMyAdmin: Denial of Service with long passwords
1170598 – CVE-2014-9218 phpMyAdmin: Denial of Service with long passwords [fedora-all]
1170604 – CVE-2014-9219 phpMyAdmin: XSS vulnerability in redirection mechanism
1170605 – CVE-2014-9219 phpMyAdmin: XSS vulnerability in redirection mechanism [fedora-all]<br
phpMyAdmin 4.2.13.1 (2014-12-03)
================================
– [security] XSS vulnerability in redirection mechanism
– [security] DOS attack with long passwords