Resolved Bugs
1180234 – CVE-2014-3571 openssl: DTLS segmentation fault in dtls1_get_record
1180239 – CVE-2015-0205 openssl: DH client certificates accepted without verification
1180189 – CVE-2015-0204 openssl: Only allow ephemeral RSA keys in export ciphersuites [fedora-all]
1180187 – CVE-2014-8275 openssl: Fix various certificate fingerprint issues
1181013 – CVE-2014-3571 CVE-2014-3570 CVE-2015-0205 CVE-2015-0206 openssl: various flaws [fedora-all]
1180235 – CVE-2015-0206 openssl: DTLS memory leak in dtls1_buffer_record
1180240 – CVE-2014-3570 openssl: Bignum squaring may produce incorrect results
Multiple low and moderate impact security issues fixed.
Monthly Archives: January 2015
RHSA-2015:0047-1: Important: thunderbird security update
Red Hat Enterprise Linux: An updated thunderbird package that fixes three security issues is now
available for Red Hat Enterprise Linux 5 and 6.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2014-8634, CVE-2014-8638, CVE-2014-8639
RHSA-2015:0046-1: Critical: firefox security and bug fix update
Red Hat Enterprise Linux: Updated firefox packages that fix multiple security issues and one bug are
now available for Red Hat Enterprise Linux 5, 6, and 7.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2014-8634, CVE-2014-8638, CVE-2014-8639, CVE-2014-8641
RHSA-2015:0044-1: Moderate: openstack-neutron security update
Red Hat Enterprise Linux: Updated openstack-neutron packages that fix one security issue are now
available for Red Hat Enterprise Linux OpenStack Platform 4.0.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2014-7821
RHSA-2015:0043-1: Important: kernel security and bug fix update
Red Hat Enterprise Linux: Updated kernel packages that fix three security issues and several bugs are
now available for Red Hat Enterprise Linux 6.4 Extended Update Support.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2014-3673, CVE-2014-3687, CVE-2014-3688
RHSA-2015:0042-1: Low: cloud-init security, bug fix, and enhancement update
Red Hat Enterprise Linux: Updated cloud-init packages that fix one security issue, several bugs, and
add various enhancements are now available for Red Hat Common for Red Hat
Enterprise Linux 6.
Red Hat Product Security has rated this update as having Low security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2013-2099
RHBA-2015:0037-1: systemd bug fix update
Red Hat Enterprise Linux: Updated systemd packages that fix two bugs are now available for Red Hat
Enterprise Linux 7.
USN-2462-1: Linux kernel vulnerabilities
Ubuntu Security Notice USN-2462-1
13th January, 2015
linux vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 10.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux – Linux kernel
Details
Lars Bull reported a race condition in the PIT (programmable interrupt
timer) emulation in the KVM (Kernel Virtual Machine) subsystem of the Linux
kernel. A local guest user with access to PIT I/O ports could exploit this
flaw to cause a denial of service (crash) on the host. (CVE-2014-3611)
Lars Bull and Nadav Amit reported a flaw in how KVM (the Kernel Virtual
Machine) handles noncanonical writes to certain MSR registers. A privileged
guest user can exploit this flaw to cause a denial of service (kernel
panic) on the host. (CVE-2014-3610)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 10.04 LTS:
- linux-image-2.6.32-71-powerpc-smp 2.6.32-71.138
- linux-image-2.6.32-71-versatile 2.6.32-71.138
- linux-image-2.6.32-71-server 2.6.32-71.138
- linux-image-2.6.32-71-powerpc64-smp 2.6.32-71.138
- linux-image-2.6.32-71-lpia 2.6.32-71.138
- linux-image-2.6.32-71-386 2.6.32-71.138
- linux-image-2.6.32-71-generic-pae 2.6.32-71.138
- linux-image-2.6.32-71-sparc64-smp 2.6.32-71.138
- linux-image-2.6.32-71-preempt 2.6.32-71.138
- linux-image-2.6.32-71-sparc64 2.6.32-71.138
- linux-image-2.6.32-71-ia64 2.6.32-71.138
- linux-image-2.6.32-71-virtual 2.6.32-71.138
- linux-image-2.6.32-71-generic 2.6.32-71.138
- linux-image-2.6.32-71-powerpc 2.6.32-71.138
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
USN-2463-1: Linux kernel vulnerabilities
Ubuntu Security Notice USN-2463-1
13th January, 2015
linux vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux – Linux kernel
Details
A race condition with MMIO and PIO transactions in the KVM (Kernel Virtual
Machine) subsystem of the Linux kernel was discovered. A guest OS user
could exploit this flaw to cause a denial of service (guest OS crash) via a
specially crafted application. (CVE-2014-7842)
The KVM (kernel virtual machine) subsystem of the Linux kernel
miscalculates the number of memory pages during the handling of a mapping
failure. A guest OS user could exploit this to cause a denial of service
(host OS page unpinning) or possibly have unspecified other impact by
leveraging guest OS privileges. (CVE-2014-8369)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 12.04 LTS:
- linux-image-3.2.0-75-generic-pae 3.2.0-75.110
- linux-image-3.2.0-75-powerpc64-smp 3.2.0-75.110
- linux-image-3.2.0-75-virtual 3.2.0-75.110
- linux-image-3.2.0-75-omap 3.2.0-75.110
- linux-image-3.2.0-75-generic 3.2.0-75.110
- linux-image-3.2.0-75-powerpc-smp 3.2.0-75.110
- linux-image-3.2.0-75-highbank 3.2.0-75.110
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
USN-2464-1: Linux kernel (OMAP4) vulnerabilities
Ubuntu Security Notice USN-2464-1
13th January, 2015
linux-ti-omap4 vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux-ti-omap4 – Linux kernel for OMAP4
Details
Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register in the x86
architecture. A local attacker could exploit this flaw to gain
administrative privileges. (CVE-2014-9322)
An information leak in the Linux kernel was discovered that could leak the
high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine
(KVM) paravirt guests. A user in the guest OS could exploit this leak to
obtain information that could potentially be used to aid in attacking the
kernel. (CVE-2014-8134)
A race condition with MMIO and PIO transactions in the KVM (Kernel Virtual
Machine) subsystem of the Linux kernel was discovered. A guest OS user
could exploit this flaw to cause a denial of service (guest OS crash) via a
specially crafted application. (CVE-2014-7842)
The KVM (kernel virtual machine) subsystem of the Linux kernel
miscalculates the number of memory pages during the handling of a mapping
failure. A guest OS user could exploit this to cause a denial of service
(host OS page unpinning) or possibly have unspecified other impact by
leveraging guest OS privileges. (CVE-2014-8369)
Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register on the x86
architecture. A local attacker could exploit this flaw to cause a denial of
service (panic). (CVE-2014-9090)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 12.04 LTS:
- linux-image-3.2.0-1458-omap4 3.2.0-1458.78
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.