Monthly Archives: January 2015
Red Hat Enterprise Linux: Updated subscription-manager packages that fix one bug are now available for Red Hat Enterprise Linux 6.
RHBA-2015:0055-1: subscription-manager bug fix update
Red Hat Enterprise Linux: Updated subscription-manager packages that fix one bug are now available for Red Hat Enterprise Linux 7.
USN-2477-1: libevent vulnerability
Ubuntu Security Notice USN-2477-1
19th January, 2015
libevent vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary
libevent could be made to crash or run programs if it processed specially
crafted data.
Software description
- libevent: Asynchronous event notification library
Details
Andrew Bartlett discovered that libevent incorrectly handled large inputs
to the evbuffer API. A remote attacker could possibly use this issue with
an application that uses libevent to cause a denial of service, or possibly
execute arbitrary code.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10: libevent-2.0-5 2.0.21-stable-1ubuntu1.14.10.1
- Ubuntu 14.04 LTS: libevent-2.0-5 2.0.21-stable-1ubuntu1.14.04.1
- Ubuntu 12.04 LTS: libevent-2.0-5 2.0.16-stable-1ubuntu0.1
- Ubuntu 10.04 LTS: libevent-1.4-2 1.4.13-stable-1ubuntu0.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
USN-2478-1: libssh vulnerability
Ubuntu Security Notice USN-2478-1
19th January, 2015
libssh vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
libssh could be made to crash if it received specially crafted network
traffic.
Software description
- libssh: A tiny C SSH library
Details
It was discovered that libssh incorrectly handled certain kexinit packets.
A remote attacker could possibly use this issue to cause libssh to crash,
resulting in a denial of service.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10: libssh-4 0.6.3-2ubuntu1.1
- Ubuntu 14.04 LTS: libssh-4 0.6.1-0ubuntu3.1
- Ubuntu 12.04 LTS: libssh-4 0.5.2-1ubuntu0.12.04.4
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
USN-2479-1: RPM vulnerabilities
Ubuntu Security Notice USN-2479-1
19th January, 2015
rpm vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in RPM.
Software description
- rpm: package manager for RPM
Details
Florian Weimer discovered that RPM incorrectly handled temporary files. A
local attacker could use this issue to execute arbitrary code.
(CVE-2013-6435)
Florian Weimer discovered that RPM incorrectly handled certain CPIO
headers. If a user or automated system were tricked into installing a
malicious package file, a remote attacker could use this issue to cause RPM
to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2014-8118)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10: rpm 4.11.2-3ubuntu0.1
- Ubuntu 14.04 LTS: rpm 4.11.1-3ubuntu0.1
- Ubuntu 12.04 LTS: rpm 4.9.1.1-1ubuntu0.3
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
USN-2460-1: Thunderbird vulnerabilities
Ubuntu Security Notice USN-2460-1
19th January, 2015
thunderbird vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in Thunderbird.
Software description
- thunderbird: Mozilla Open Source mail and newsgroup client
Details
Christian Holler and Patrick McManus discovered multiple memory safety
issues in Thunderbird. If a user were tricked into opening a specially
crafted message with scripting enabled, an attacker could potentially
exploit these to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2014-8634)
Muneaki Nishimura discovered that requests from navigator.sendBeacon()
lack an Origin header. If a user were tricked into opening a specially
crafted message with scripting enabled, an attacker could potentially
exploit this to conduct cross-site request forgery (XSRF) attacks.
(CVE-2014-8638)
Xiaofeng Zheng discovered that a web proxy returning a 407 response
could inject cookies into the originally requested domain. If a user
connected to a malicious web proxy, an attacker could potentially exploit
this to conduct session-fixation attacks. (CVE-2014-8639)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10: thunderbird 1:31.4.0+build1-0ubuntu0.14.10.1
- Ubuntu 14.04 LTS: thunderbird 1:31.4.0+build1-0ubuntu0.14.04.1
- Ubuntu 12.04 LTS: thunderbird 1:31.4.0+build1-0ubuntu0.12.04.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
References
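Each of the four Ubuntu notices above (USN-2477-1, USN-2478-1, USN-2479-1, USN-2460-1) lists the package version that carries the fix, and a fleet operator usually wants to confirm that installed versions are at or above those numbers rather than trust that "a standard system update" has run everywhere. The script below is an added example and not part of any notice or of Ubuntu's tooling: it implements the Debian package version ordering (epoch, upstream version, Debian revision, with the "~" sorts-before-everything rule) and compares installed versions against the fixed versions transcribed from the notices. The installed-package listing is a constructed sample in the shape `dpkg-query -W -f='${Package}\t${Version}\n'` prints; on a real host you would feed that command's output to audit_installed().

```python
"""Check installed Ubuntu package versions against the fixed versions
from USN-2477-1, USN-2478-1, USN-2479-1 and USN-2460-1 (January 2015).
Added example; not part of the advisories or of Ubuntu's tooling."""

# Fixed versions, transcribed from the four notices above (release -> package -> version).
FIXED_VERSIONS = {
    "14.10": {
        "libevent-2.0-5": "2.0.21-stable-1ubuntu1.14.10.1",
        "libssh-4": "0.6.3-2ubuntu1.1",
        "rpm": "4.11.2-3ubuntu0.1",
        "thunderbird": "1:31.4.0+build1-0ubuntu0.14.10.1",
    },
    "14.04": {
        "libevent-2.0-5": "2.0.21-stable-1ubuntu1.14.04.1",
        "libssh-4": "0.6.1-0ubuntu3.1",
        "rpm": "4.11.1-3ubuntu0.1",
        "thunderbird": "1:31.4.0+build1-0ubuntu0.14.04.1",
    },
    "12.04": {
        "libevent-2.0-5": "2.0.16-stable-1ubuntu0.1",
        "libssh-4": "0.5.2-1ubuntu0.12.04.4",
        "rpm": "4.9.1.1-1ubuntu0.3",
        "thunderbird": "1:31.4.0+build1-0ubuntu0.12.04.1",
    },
    "10.04": {"libevent-1.4-2": "1.4.13-stable-1ubuntu0.1"},
}


def _order(c):
    """Character weight used by dpkg: '~' sorts before the empty string,
    letters sort before non-letters, digits are handled separately."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does:
    alternate between runs of non-digits and runs of digits."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = min(i + 1, len(a)), min(j + 1, len(b))
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has a longer numeric run, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision' into its three parts (last '-' separates the revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions` ordering of a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def audit_installed(dpkg_output, release):
    """Return [(package, installed, fixed)] for packages still below the fixed version."""
    fixed = FIXED_VERSIONS.get(release, {})
    findings = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        pkg, installed = line.split("\t", 1)
        fixed_ver = fixed.get(pkg.strip())
        if fixed_ver is not None and compare_versions(installed.strip(), fixed_ver) < 0:
            findings.append((pkg.strip(), installed.strip(), fixed_ver))
    return findings


# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\n'` on a 14.04 host.
SAMPLE_DPKG_OUTPUT = (
    "libevent-2.0-5\t2.0.21-stable-1ubuntu1.14.04\n"
    "libssh-4\t0.6.1-0ubuntu3.1\n"
    "rpm\t4.11.1-3ubuntu0.1\n"
    "thunderbird\t1:31.3.0+build1-0ubuntu0.14.04.1\n"
)

if __name__ == "__main__":
    for pkg, have, want in audit_installed(SAMPLE_DPKG_OUTPUT, "14.04"):
        print(f"{pkg}: installed {have} is older than fixed {want}")
```

On the sample above only libevent-2.0-5 and thunderbird are reported: libssh-4 and rpm already carry the exact fixed versions, and a version newer than the fixed one is also accepted, which matters because later security updates supersede these. The comparison is done in Python rather than by shelling out to dpkg so the check can run from a central host over collected inventories.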
Sites Powered By INVEM SQL Injection
Sites “Powered by INVEM” suffer from a remote SQL injection vulnerability. Note that this finding houses site-specific data.
Cybercrime deterrence: 6 important steps
Cybercrime: there’s too much of it, and we need to do more to deter it. With the President of the United States now making frequent references to “doing more about cybercrime” now is a good time to look at what steps must be taken.
The post Cybercrime deterrence: 6 important steps appeared first on We Live Security.
GCHQ Snags Journalist Messages Amongst 70,000 E-Mails
Tor-ramdisk i686 UClibc-based Linux Distribution x86 20150114
Tor-ramdisk is an i686 uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. Security is enhanced by employing a monolithically compiled GRSEC/PAX patched kernel and hardened system tools. Privacy is enhanced by turning off logging at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key which may be exported/imported by FTP. x86_64 version.