A NULL pointer dereference flaw was found in the way mod_dav_svn
handled REPORT requests. A remote, unauthenticated attacker could
use a crafted REPORT request to crash mod_dav_svn (CVE-2014-3580).
A NULL pointer dereference flaw was found in the way mod_dav_svn
handled URIs for virtual transaction names. A remote, unauthenticated
attacker could send a request for a virtual transaction name that
does not exist, causing mod_dav_svn to crash (CVE-2014-8108).
A use-after-free flaw was found in PHP unserialize(). An untrusted
input could cause PHP interpreter to crash or, possibly, execute
arbitrary code when processed using unserialize() (CVE-2014-8142).
PHP has been updated to version 5.5.20, which fixes these issues and
other bugs.
If no authentication key is defined in the ntp.conf file, a
cryptographically-weak default key is generated (CVE-2014-9293).
ntp-keygen before 4.2.7p230 uses a non-cryptographic random number
generator with a weak seed to generate symmetric keys (CVE-2014-9294).
A remote unauthenticated attacker may craft special packets that
trigger buffer overflows in the ntpd functions crypto_recv() (when
using autokey authentication), ctl_putdata(), and configure(). The
resulting buffer overflows may be exploited to allow arbitrary
malicious code to be executed with the privilege of the ntpd process
(CVE-2014-9295).
A section of code in ntpd handling a rare error is missing a return
statement, therefore processing did not stop when the error was
encountered. This situation may be exploitable by an attacker
(CVE-2014-9296).
The ntp package has been patched to fix these issues.
A flaw was found in the way PCRE handled certain malformed regular
expressions. This issue could cause an application linked against PCRE
to crash while parsing malicious regular expressions (CVE-2014-8964).
Several vulnerabilities were found in c-icap, which could allow a
remote attacker to cause c-icap to crash, or have other, unspecified
impacts (CVE-2013-7401, CVE-2013-7402).
Red Hat Enterprise Linux: Updated kernel packages that fix one security issue are now available for
Red Hat Enterprise Linux 4 Extended Life Cycle Support.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2014-9322
Red Hat Enterprise Linux: Updated libvirt packages that fix one security issue and three bugs are now
available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Low security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2014-7823
Red Hat Enterprise Linux: Updated qemu-kvm-rhev packages that add one enhancement are now available for
Red Hat Enterprise Virtualization Hypervisor 6.