Red Hat Enterprise Linux: Updated OpenStack Block Storage packages that resolve various issues
are now available for Red Hat Enterprise Linux OpenStack Platform 5.0
(Icehouse) for RHEL 6.
Monthly Archives: December 2014
RHBA-2014:1926-1: openstack-cinder bug fix advisory
Red Hat Enterprise Linux: Updated OpenStack Block Storage packages that resolve various issues
are now available for Red Hat Enterprise Linux OpenStack Platform 5.0
(Icehouse) for RHEL 7.
RHBA-2014:1925-1: openstack-ceilometer bug fix advisory
Red Hat Enterprise Linux: Updated OpenStack Telemetry packages that resolve various issues are now
available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse)
for RHEL 6.
RHBA-2014:1923-1: rhevm-branding-rhev bug fix update
Red Hat Enterprise Linux: An updated rhevm-branding-rhev package that fixes one bug is now available.
RHBA-2014:1922-1: ovirt-host-deploy bug fix and enhancements update
Red Hat Enterprise Linux: Updated ovirt-host-deploy packages are now available.
RHBA-2014:1921-1: kernel bug fix update
Red Hat Enterprise Linux: Updated kernel packages that fix several bugs are now available for Red Hat
Enterprise Linux 6.5 Extended Update Support.
USN-2430-1: OpenVPN vulnerability
Ubuntu Security Notice USN-2430-1
2nd December, 2014
openvpn vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
OpenVPN could be made to crash if it received specially crafted network
traffic.
Software description
- openvpn
– virtual private network software
Details
Dragana Damjanovic discovered that OpenVPN incorrectly handled certain
control channel packets. An authenticated attacker could use this issue to
cause an OpenVPN server to crash, resulting in a denial of service.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10:
-
openvpn
2.3.2-9ubuntu1.1
- Ubuntu 14.04 LTS:
-
openvpn
2.3.2-7ubuntu3.1
- Ubuntu 12.04 LTS:
-
openvpn
2.2.1-8ubuntu1.4
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
USN-2424-1: Firefox vulnerabilities
Ubuntu Security Notice USN-2424-1
2nd December, 2014
firefox vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Software description
- firefox
– Mozilla Open Source web browser
Details
Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, Max Jonas
Werner, Christian Holler, Jon Coppeard, Eric Rahm, Byron Campen, Eric
Rescorla, and Xidorn Quan discovered multiple memory safety issues in
Firefox. If a user were tricked in to opening a specially crafted website,
an attacker could potentially exploit these to cause a denial of service
via application crash, or execute arbitrary code with the privileges of
the user invoking Firefox. (CVE-2014-1587, CVE-2014-1588)
Cody Crews discovered a way to trigger chrome-level XBL bindings from web
content in some circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
bypass security restrictions. (CVE-2014-1589)
Joe Vennix discovered a crash when using XMLHttpRequest in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service. (CVE-2014-1590)
Muneaki Nishimura discovered that CSP violation reports did not remove
path information in some circumstances. If a user were tricked in to
opening a specially crafted website, an attacker could potentially
exploit this to obtain sensitive information. (CVE-2014-1591)
Berend-Jan Wever discovered a use-after-free during HTML parsing. If a
user were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via
application crash or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2014-1592)
Abhishek Arya discovered a buffer overflow when parsing media content. If
a user were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via
application crash or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2014-1593)
Byoungyoung Lee, Chengyu Song, and Taesoo Kim discovered a bad cast in the
compositor. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause undefined
behaviour, a denial of service via application crash or execute abitrary
code with the privileges of the user invoking Firefox. (CVE-2014-1594)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10:
-
firefox
34.0+build2-0ubuntu0.14.10.2
- Ubuntu 14.04 LTS:
-
firefox
34.0+build2-0ubuntu0.14.04.1
- Ubuntu 12.04 LTS:
-
firefox
34.0+build2-0ubuntu0.12.04.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart Firefox to make
all the necessary changes.
References
CVE-2014-3988
Cross-site scripting (XSS) vulnerability in index.php in SunHater KCFinder 3.11 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) file or (2) directory (folder) name of an uploaded file.
CVE-2014-9141
The installer in Thomson Reuters Fixed Assets CS 13.1.4 and earlier uses weak permissions for connectbgdl.exe, which allows local users to execute arbitrary code by modifying this program.