Monthly Archives: January 2015
MDVA-2015:001: postgresql
This is a maintenance and bugfix release that upgrades PostgreSQL to
the latest 9.2.9 version which resolves various upstream bugs.
RHSA-2015:0016-1: Moderate: glibc security and bug fix update
Red Hat Enterprise Linux: Updated glibc packages that fix two security issues and two bugs are now
available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2014-6040, CVE-2014-7817
RHBA-2015:0015-1: qemu-kvm-rhev bug fix and enhancement update
Red Hat Enterprise Linux: Updated qemu-kvm-rhev packages that fix one bug and add one enhancement are now
available for Red Hat Enterprise Virtualization 7.
RHBA-2015:0014-1: resource-agents bug fix update
Red Hat Enterprise Linux: Updated resource-agents packages that fix one bug are now available for Red Hat
Enterprise Linux 6 Extended Update Support.
RHBA-2015:0013-1: resource-agents bug fix update
Red Hat Enterprise Linux: Updated resource-agents packages that fix one bug are now available for Red Hat
Enterprise Linux 6.
USN-2452-1: NSS vulnerability
Ubuntu Security Notice USN-2452-1
7th January, 2015
nss vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary
NSS could be made to expose sensitive information over the network.
Software description
- nss – Network Security Service library
Details
It was discovered that NSS incorrectly handled certain ASN.1 lengths. A
remote attacker could possibly use this issue to perform a data-smuggling
attack.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10:
  - libnss3 2:3.17.1-0ubuntu1.1
- Ubuntu 14.04 LTS:
  - libnss3 2:3.17.1-0ubuntu0.14.04.2
- Ubuntu 12.04 LTS:
  - libnss3 3.17.1-0ubuntu0.12.04.2
- Ubuntu 10.04 LTS:
  - libnss3-1d 3.17.1-0ubuntu0.10.04.2
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.
USN-2453-1: mime-support vulnerability
Ubuntu Security Notice USN-2453-1
7th January, 2015
mime-support vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary
run-mailcap could be made to run programs as your login if it opened a
specially crafted file.
Software description
- mime-support – MIME support programs
Details
Timothy D. Morgan discovered that the run-mailcap tool incorrectly filtered
certain shell metacharacters in filenames. If a user or automated system
were tricked into opening a file with a specially-crafted filename, a
remote attacker could possibly execute arbitrary code.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10:
  - mime-support 3.55ubuntu1.1
- Ubuntu 14.04 LTS:
  - mime-support 3.54ubuntu1.1
- Ubuntu 12.04 LTS:
  - mime-support 3.51-1ubuntu1.1
- Ubuntu 10.04 LTS:
  - mime-support 3.48-1ubuntu1.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
USN-2454-1: Exiv2 vulnerability
Ubuntu Security Notice USN-2454-1
7th January, 2015
exiv2 vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
Summary
Exiv2 could be made to crash if it opened a specially crafted file.
Software description
- exiv2 – EXIF/IPTC metadata manipulation tool
Details
It was discovered that Exiv2 incorrectly handled certain tag values in
video files. If a user or automated system were tricked into opening a
specially-crafted video file, a remote attacker could cause Exiv2 to crash,
resulting in a denial of service.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10:
  - libexiv2-13 0.24-2ubuntu1.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
USN-2455-1: bsd-mailx vulnerability
Ubuntu Security Notice USN-2455-1
7th January, 2015
bsd-mailx vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary
bsd-mailx could be made to run programs if it parsed a specially crafted
email address.
Software description
- bsd-mailx – simple mail user agent
Details
It was discovered that bsd-mailx contained a feature that allowed
syntactically valid email addresses to be treated as shell commands. A
remote attacker could possibly use this issue with a valid email address to
execute arbitrary commands.
This functionality has now been disabled by default, and can be re-enabled
with the “expandaddr” configuration option. This update alone does not
remove all possibilities of command execution. In environments where
scripts use mailx to process arbitrary email addresses, it is recommended
to modify them to use a “--” separator before the address to properly
handle those that begin with “-”.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10:
  - bsd-mailx 8.1.2-0.20131005cvs-1ubuntu0.14.10.1
- Ubuntu 14.04 LTS:
  - bsd-mailx 8.1.2-0.20131005cvs-1ubuntu0.14.04.1
- Ubuntu 12.04 LTS:
  - bsd-mailx 8.1.2-0.20111106cvs-1ubuntu0.1
- Ubuntu 10.04 LTS:
  - bsd-mailx 8.1.2-0.20090911cvs-2ubuntu1.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.