CESA-2015:0102 Important CentOS 7 kernel Security Update

CentOS Errata and Security Advisory 2015:0102 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-0102.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
5953bcabb2801ceddffe79684dbef64022546b17d1cebb24a2151e0b2778a04a  kernel-3.10.0-123.20.1.el7.x86_64.rpm
584521ddf9d103e9e869e22f50953f6232f9de6ea0a78ade5e9bdb081e7f17a9  kernel-abi-whitelists-3.10.0-123.20.1.el7.noarch.rpm
cafb58042763975693af60cce298fd9d28aae34ba75e2d92b98d0eb94ae1ad82  kernel-debug-3.10.0-123.20.1.el7.x86_64.rpm
535b053dda66e67f163dc0dc05398d5ee0b8aecbc7192071cdf13f3f2f0075c1  kernel-debug-devel-3.10.0-123.20.1.el7.x86_64.rpm
81bc8dc435ff275160c5e3d63180924af1a96dd14307df2c6e7ea2232d86d3fe  kernel-devel-3.10.0-123.20.1.el7.x86_64.rpm
39171964cd2f7baa878b6033d5b14d06d3251dd058f92b2237de3dcb3609b5a5  kernel-doc-3.10.0-123.20.1.el7.noarch.rpm
a88bfde708df6f4c0e4a8f894c52812b50d4323e5e1f3912af163fc18a5245ce  kernel-headers-3.10.0-123.20.1.el7.x86_64.rpm
36fe40c396d283c429e74204458da5883a5dc1047f4ed39c6395d44693c7f70a  kernel-tools-3.10.0-123.20.1.el7.x86_64.rpm
05aeaf149987da5bc8e8fd927c4517f93cdb3df7519a48ada13363d944f836f1  kernel-tools-libs-3.10.0-123.20.1.el7.x86_64.rpm
755f49173741b2c38925cf6eeeae21f0aacfbe03257002af866f6114cb10a710  kernel-tools-libs-devel-3.10.0-123.20.1.el7.x86_64.rpm
e4fbd51094a12cb9e44cc2c279e6415aa87bc6198eb794cb2cb18f6b586c6228  perf-3.10.0-123.20.1.el7.x86_64.rpm
98a1598f025b8c3c2029a7d30bbcfaabca3121562c5a64a5fb81c5875a910dac  python-perf-3.10.0-123.20.1.el7.x86_64.rpm

Source:
c8c549348d11f6a676976c6a81ba1551b382f8bfd1cae8d1cd25cd2df6e754be  kernel-3.10.0-123.20.1.el7.src.rpm



NEW: VMSA-2015-0002 VMware vSphere Data Protection product update addresses a certificate validation vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0002
Synopsis:    VMware vSphere Data Protection product update addresses a
             certificate validation vulnerability.
Issue date:  2015-01-29
Updated on:  2015-01-29 (Initial Advisory)
CVE number:  CVE-2014-4632

- ------------------------------------------------------------------------

1. Summary

    VMware vSphere Data Protection product update addresses a certificate
    validation vulnerability.

2. Relevant releases
   
   VMware vSphere Data Protection 5.8
   VMware vSphere Data Protection 5.5 prior to 5.5.9
   VMware vSphere Data Protection 5.1 all versions

3. Problem Description

   a. VMware vSphere Data Protection certificate validation vulnerability

   VMware vSphere Data Protection (VDP) does not fully validate SSL
   certificates coming from vCenter Server. This issue may allow a
   Man-in-the-Middle attack that enables the attacker to perform
   unauthorized backup and restore operations.

   VMware would like to thank Thorsten Tüllmann of the Steinbuch Centre
   for Computing, KIT, Germany for reporting this issue to VMware and
   the EMC Product Security Response Center for working with us on the
   issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the identifier CVE-2014-4632 to this issue.
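   The failure mode in 3.a is a client that does not validate the
   certificate of the vCenter Server it connects to, so anyone who can
   interpose on the connection is accepted as vCenter. The following
   added example (not VMware's or VDP's code) reproduces that in Go with
   two in-process TLS servers that present different self-signed
   certificates for the same name: the "no validation" client accepts
   both, the pinned client accepts only the genuine one. The hostname
   and both certificates are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Assumed name of the vCenter Server the backup appliance connects to.
const hostname = "vcenter.example.internal"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned mints a throwaway certificate for hostname. Two calls give two
// unrelated keys: one plays the genuine vCenter, the other an impostor.
func selfSigned() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serve listens on a loopback port presenting cert and returns its address.
func serve(cert tls.Certificate) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { defer c.Close(); c.Write([]byte("hello\n")) }()
		}
	}()
	return ln.Addr().String()
}

// accepted reports whether a client using cfg completes a handshake with addr,
// i.e. whether it trusts whatever certificate that server presents.
func accepted(addr string, cfg *tls.Config) bool {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// hardenedConfig pins the known vCenter certificate as the sole trust anchor
// and checks the presented certificate against the expected hostname.
func hardenedConfig(trusted tls.Certificate) *tls.Config {
	leaf, err := x509.ParseCertificate(trusted.Certificate[0])
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return &tls.Config{RootCAs: pool, ServerName: hostname, MinVersion: tls.VersionTLS12}
}

// Outcome: did a client configuration accept the genuine server and the impostor?
type Outcome struct{ Genuine, Impostor bool }

// RunDemo tries both client configurations against both servers.
func RunDemo() (vulnerable, hardened Outcome) {
	genuine, impostor := selfSigned(), selfSigned()
	genuineAddr, impostorAddr := serve(genuine), serve(impostor)
	// The advisory's bug class: no validation, so any certificate is trusted.
	v := &tls.Config{InsecureSkipVerify: true}
	h := hardenedConfig(genuine)
	vulnerable = Outcome{accepted(genuineAddr, v), accepted(impostorAddr, v)}
	hardened = Outcome{accepted(genuineAddr, h), accepted(impostorAddr, h)}
	return vulnerable, hardened
}

func main() {
	v, h := RunDemo()
	fmt.Printf("no validation:   genuine=%v impostor=%v\n", v.Genuine, v.Impostor)
	fmt.Printf("pinned+hostname: genuine=%v impostor=%v\n", h.Genuine, h.Impostor)
}
```

   Pinning the leaf certificate is the right shape for an appliance
   that talks to exactly one vCenter; a client that instead trusts a
   CA pool must still set ServerName, since a certificate that chains
   correctly but is issued for a different name is the other half of
   "does not fully validate".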

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product    Running    Replace with/
      Product        Version    on         Apply Patch
      =============  =======    =======    =================
      VDP            5.8        any        5.8.1
      VDP            5.5        any        5.5.9
      VDP            5.1        any        no patch planned;
                                           update to 5.5.9 or 5.8.1
 
4. Solution
   
   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   VMware vSphere Data Protection
   ----------
   Downloads:
   
   5.8.1:
   https://my.vmware.com/group/vmware/get-download?downloadGroup=VDP58_1

   5.5.9:
   https://my.vmware.com/group/vmware/get-download?downloadGroup=VDP55_9
 
 
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4632

- ------------------------------------------------------------------------

6. Change log

   2015-01-29 VMSA-2015-0002
   Initial security advisory for VDP 5.8.1 and 5.5.9, which were released
   on 2015-01-29.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFUyruEDEcm8Vbi9kMRAjxUAKD+x2KVIAq6DftmWv1zIGNldH7q5QCgwLyV
ZruDEwM5kdlMe0ddzVgR41w=
=cT7H
-----END PGP SIGNATURE-----

CEBA-2015:0110 CentOS 6 nss-softokn BugFix Update

CentOS Errata and Bugfix Advisory 2015:0110 

Upstream details at : https://rhn.redhat.com/errata/RHBA-2015-0110.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
77c7dfa9cdac123d789f1d1a65b8ecb22bd02cf70cf0d74cca4aedcb873be103  nss-softokn-3.14.3-22.el6_6.i686.rpm
845a74c34377474614a69035b2741c8e2e420bfd98b37676cdbed09534fd84c4  nss-softokn-devel-3.14.3-22.el6_6.i686.rpm
c7de3e40ada40624174bd4aea2b3903b3f1dd71ab6ad16ed3a05e9d5574b2bc0  nss-softokn-freebl-3.14.3-22.el6_6.i686.rpm
027aeee015b2281bebdb09ff87b34933380e3bfd79a40f28d14fd3983c730458  nss-softokn-freebl-devel-3.14.3-22.el6_6.i686.rpm

x86_64:
77c7dfa9cdac123d789f1d1a65b8ecb22bd02cf70cf0d74cca4aedcb873be103  nss-softokn-3.14.3-22.el6_6.i686.rpm
fb22476443aa77b1ec969dc09416a9cabde6e652e4712a6a33266a9140c2b7d9  nss-softokn-3.14.3-22.el6_6.x86_64.rpm
845a74c34377474614a69035b2741c8e2e420bfd98b37676cdbed09534fd84c4  nss-softokn-devel-3.14.3-22.el6_6.i686.rpm
cb9d3dbde5a336160083312dc033ded182f2f811c1c2aa9ae5fe98dd5f59f0cf  nss-softokn-devel-3.14.3-22.el6_6.x86_64.rpm
c7de3e40ada40624174bd4aea2b3903b3f1dd71ab6ad16ed3a05e9d5574b2bc0  nss-softokn-freebl-3.14.3-22.el6_6.i686.rpm
1078c1194369da908b57512aa6f76655b26694f00106756e290852deda12742b  nss-softokn-freebl-3.14.3-22.el6_6.x86_64.rpm
027aeee015b2281bebdb09ff87b34933380e3bfd79a40f28d14fd3983c730458  nss-softokn-freebl-devel-3.14.3-22.el6_6.i686.rpm
2dae21d39a4658bc2977f6119f177ec587af385a16b193c1da012d27bcb81849  nss-softokn-freebl-devel-3.14.3-22.el6_6.x86_64.rpm

Source:
db139757d5d628729ad254de68e45d8595c2727159d991388a93296e221b2c81  nss-softokn-3.14.3-22.el6_6.src.rpm
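Both CentOS lists above (the kernel and the nss-softokn packages) are
sha256sum manifests, and the VMware advisory asks for the same step:
verify the checksum of what you downloaded before installing it. On the
command line that is `sha256sum -c` against the saved manifest. The
following added example (not CentOS's or VMware's code) does the same
check in Go so the three outcomes a practitioner needs to distinguish
are explicit: OK, MISMATCH (wrong or tampered file) and MISSING. The
manifest and the two files it is checked against are constructed for the
demonstration; sha256("abc") is the well-known test vector.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// CheckResult is the verdict for one manifest entry.
type CheckResult struct {
	Name   string
	Status string // "OK", "MISMATCH" or "MISSING"
}

// sha256File streams a file through SHA-256 and returns the lowercase hex digest.
func sha256File(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// VerifyManifest parses "<sha256>  <filename>" lines in the sha256sum format used
// by the errata above (arch headers such as "x86_64:" are skipped), hashes each
// named file under dir and returns one CheckResult per entry. The bool is true
// only when every entry is OK; a malformed manifest line is an error.
func VerifyManifest(manifest, dir string) ([]CheckResult, bool, error) {
	var results []CheckResult
	allOK := true
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasSuffix(line, ":") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != 64 {
			return nil, false, fmt.Errorf("malformed manifest line: %q", line)
		}
		// filepath.Base keeps a hostile manifest from pointing outside dir.
		want, name := strings.ToLower(fields[0]), filepath.Base(fields[1])
		got, err := sha256File(filepath.Join(dir, name))
		switch {
		case errors.Is(err, os.ErrNotExist):
			results, allOK = append(results, CheckResult{name, "MISSING"}), false
		case err != nil:
			return nil, false, err
		case got != want:
			results, allOK = append(results, CheckResult{name, "MISMATCH"}), false
		default:
			results = append(results, CheckResult{name, "OK"})
		}
	}
	return results, allOK, sc.Err()
}

// Constructed manifest: every entry claims the digest of "abc".
const sampleManifest = `x86_64:
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  good.rpm
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tampered.rpm
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  absent.rpm
`

// demo writes two constructed files (one intact, one altered) into a temp dir
// and verifies the manifest against it; absent.rpm is deliberately not written.
func demo() ([]CheckResult, bool, error) {
	dir, err := os.MkdirTemp("", "errata")
	if err != nil {
		return nil, false, err
	}
	defer os.RemoveAll(dir)
	for name, body := range map[string]string{"good.rpm": "abc", "tampered.rpm": "abd"} {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(body), 0o644); err != nil {
			return nil, false, err
		}
	}
	return VerifyManifest(sampleManifest, dir)
}

func main() {
	results, ok, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(2)
	}
	for _, r := range results {
		fmt.Printf("%-14s %s\n", r.Name, r.Status)
	}
	if !ok {
		fmt.Println("verification FAILED: do not install")
		os.Exit(1)
	}
}
```

The manifest itself is only as trustworthy as the channel it came
over; take the digests from the signed announcement, not from the same
mirror that served the packages.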



Asterisk Project Security Advisory – AST-2015-002

AST-2015-002: CVE-2014-8150 reported an HTTP request injection vulnerability in libcURL. Asterisk uses libcURL in its func_curl.so module (the CURL() dialplan function) and in its res_config_curl.so module (the cURL realtime backend). Since Asterisk may be configured to allow user-supplied URLs to be passed to libcURL, an attacker could use Asterisk as an attack vector to inject unauthorized HTTP requests if the version of libcURL installed on the Asterisk server is affected by CVE-2014-8150.
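The mechanism behind an HTTP request injection through a URL is a client that copies the URL's path into the request line without rejecting CR/LF, so a caller-controlled value ending up in a CURL() argument can terminate the request line and append headers, or a whole second request. The following added example (not Asterisk's or libcurl's code) shows that with a deliberately naive request builder, and beside it the guard an Asterisk deployment can apply to the exact string it hands to cURL. The two URLs are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed inputs: a benign URL and one carrying raw CR/LF, as a caller could
// supply through a dialplan variable that is concatenated into a CURL() call.
const (
	cleanURL    = "http://backend.example/fetch?id=1"
	injectedURL = "http://backend.example/fetch?id=1 HTTP/1.1\r\nX-Injected: 1\r\n\r\nGET /admin"
)

// splitHostPath does the bare minimum a naive client needs: strip the scheme and
// cut at the first slash. No validation, on purpose.
func splitHostPath(rawURL string) (host, path string) {
	s := strings.TrimPrefix(strings.TrimPrefix(rawURL, "https://"), "http://")
	if i := strings.IndexByte(s, '/'); i >= 0 {
		return s[:i], s[i:]
	}
	return s, "/"
}

// buildRequestNaive copies the path verbatim into the request line, which is the
// behaviour class CVE-2014-8150 describes (illustration, not libcurl's code).
func buildRequestNaive(rawURL string) string {
	host, path := splitHostPath(rawURL)
	return "GET " + path + " HTTP/1.1\r\nHost: " + host + "\r\n\r\n"
}

// AnalyzeNaive shows what the naive builder would put on the wire: how many
// request lines the bytes contain and which headers were smuggled in between
// the request line and the Host header.
func AnalyzeNaive(rawURL string) (requestLines int, injectedHeaders []string) {
	lines := strings.Split(buildRequestNaive(rawURL), "\r\n")
	hostIdx := len(lines)
	for i, l := range lines {
		if strings.HasSuffix(l, " HTTP/1.1") {
			requestLines++
		}
		if strings.HasPrefix(l, "Host: ") && hostIdx == len(lines) {
			hostIdx = i
		}
	}
	for _, l := range lines[1:hostIdx] {
		if l != "" && !strings.HasSuffix(l, " HTTP/1.1") {
			injectedHeaders = append(injectedHeaders, l)
		}
	}
	return requestLines, injectedHeaders
}

// ErrUnsafeURL is returned for URLs that must never reach a cURL call.
var ErrUnsafeURL = errors.New("URL contains control characters or whitespace")

// CheckURL is the guard to run on the exact string handed to cURL, after any
// decoding the application does: reject CR, LF, other control characters and
// spaces anywhere, then require a parseable http(s) URL with a host.
func CheckURL(rawURL string) error {
	for _, r := range rawURL {
		if r < 0x20 || r == 0x7f || r == ' ' {
			return ErrUnsafeURL
		}
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return fmt.Errorf("refusing URL %q: scheme or host not allowed", rawURL)
	}
	return nil
}

func main() {
	for _, raw := range []string{cleanURL, injectedURL} {
		n, hdrs := AnalyzeNaive(raw)
		fmt.Printf("%q\n  naive builder: %d request line(s), injected headers %q\n  guard: %v\n",
			raw, n, hdrs, CheckURL(raw))
	}
}
```

The guard belongs in front of the cURL call regardless of the libcURL version installed: upgrading libcURL closes CVE-2014-8150, but a dialplan that lets callers choose the URL still needs an allow-list of hosts and schemes.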

CVE-2014-8370

VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, VMware Fusion 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allow host OS users to gain host OS privileges or cause a denial of service (arbitrary write to a file) by modifying a configuration file.

CVE-2015-1043

The Host Guest File System (HGFS) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware Fusion 6.x before 6.0.5 and 7.x before 7.0.1 allows guest OS users to cause a guest OS denial of service via unspecified vectors.

CVE-2015-1044

vmware-authd (aka the Authorization process) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allows attackers to cause a host OS denial of service via unspecified vectors.