Severity Rating: Important
Revision Note: V1.0 (January 13, 2015): V1.0 (January 13, 2015): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass by unintentionally relaxing the firewall policy and/or configuration of certain services when an attacker on the same network as the victim spoofs responses to DNS and LDAP traffic initiated by the victim.
Monthly Archives: January 2015
MS15-002 – Critical: Vulnerability in Windows Telnet Service Could Allow Remote Code Execution (3020393) – Version: 1.0
Severity Rating: Critical
Revision Note: V1.0 (January 13, 2015): V1.0 (January 13, 2015): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to an affected Windows server. Only customers who enable this service are vulnerable. By default, Telnet is installed but not enabled on Windows Server 2003. Telnet is not installed by default on Windows Vista and later operating systems.
MS15-007 – Important: Vulnerability in Network Policy Server RADIUS Implementation Could Cause Denial of Service (3014029) – Version: 1.0
Severity Rating: Important
Revision Note: V1.0 (January 13, 2015): Bulletin published
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service on an Internet Authentication Service (IAS) or Network Policy Server (NPS) if an attacker sends specially crafted username strings to the IAS or NPS. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate user rights; however, it could prevent RADIUS authentication on the IAS or NPS.
MS15-004 – Important: Vulnerability in Windows Components Could Allow Elevation of Privilege (3025421) – Version: 1.0
Severity Rating: Important
Revision Note: V1.0 (January 13, 2015): V1.0 (January 13, 2015): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker convinces a user to run a specially crafted application. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS15-001 – Important: Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266) – Version: 1.0
Severity Rating: Important
Revision Note: V1.0 (January 13, 2015): V1.0 (January 13, 2015): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could bypass existing permission checks that are performed during cache modification in the Microsoft Windows Application Compatibility component and execute arbitrary code with elevated privileges.
MDVA-2015:002: mariadb
This is a maintenance and bugfix release that upgrades MariaDB to
the latest 5.5.41 version which resolves various upstream bugs.
MDVSA-2015:022: wireshark
Updated wireshark packages fix security vulnerabilities:
The DEC DNA Routing Protocol dissector could crash (CVE-2015-0562).
The SMTP dissector could crash (CVE-2015-0563).
Wireshark could crash while decypting TLS/SSL sessions (CVE-2015-0564).
MDVSA-2015:021: curl
Updated curl packages fix security vulnerability:
When libcurl sends a request to a server via a HTTP proxy, it copies
the entire URL into the request and sends if off. If the given URL
contains line feeds and carriage returns those will be sent along to
the proxy too, which allows the program to for example send a separate
HTTP request injected embedded in the URL (CVE-2014-8150).
MDVSA-2015:020: libssh
Updated libssh packages fix security vulnerability:
Double free vulnerability in the ssh_packet_kexinit function in kex.c
in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to
cause a denial of service via a crafted kexinit packet (CVE-2014-8132).
RHSA-2015:0036-1: Important: condor security update
Red Hat Enterprise Linux: Updated condor packages that fix one security issue are now available for
Red Hat Enterprise MRG 2.5 for Red Hat Enterprise Linux 5.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2014-8126