Red Hat Enterprise Linux: Red Hat Enterprise Virtualization Manager 3.5.0 is now available.
CVE-2014-7851
Monthly Archives: February 2015
RHBA-2015:0228-1: rhevm-iso-uploader bug fix update
Red Hat Enterprise Linux: Updated rhevm-iso-uploader packages are now available.
RHBA-2015:0226-1: vdsm-jsonrpc-java ASYNC – bug fix and enhancement update
Red Hat Enterprise Linux: Updated vdsm-jsonrpc-java package is now available.
RHBA-2015:0225-1: rhevm-dwh 3.5.0 bug fix update
Red Hat Enterprise Linux: An updated rhevm-dwh package that fixes a blocker bug is now available.
USN-2500-1: X.Org X server vulnerabilities
Ubuntu Security Notice USN-2500-1
17th February, 2015
xorg-server, xorg-server-lts-trusty, xorg-server-lts-utopic vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in the X.Org X server.
Software description
- xorg-server – X.Org X11 server
- xorg-server-lts-trusty – X.Org X11 server
- xorg-server-lts-utopic – X.Org X11 server
Details
Olivier Fourdan discovered that the X.Org X server incorrectly handled
XkbSetGeometry requests resulting in an information leak. An attacker able
to connect to an X server, either locally or remotely, could use this issue
to possibly obtain sensitive information. (CVE-2015-0255)
It was discovered that the X.Org X server incorrectly handled certain
trapezoids. An attacker able to connect to an X server, either locally or
remotely, could use this issue to possibly crash the server. This issue
only affected Ubuntu 12.04 LTS. (CVE-2013-6424)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10:
  - xserver-xorg-core 2:1.16.0-1ubuntu1.3
- Ubuntu 14.04 LTS:
  - xserver-xorg-core 2:1.15.1-0ubuntu2.7
  - xserver-xorg-core-lts-utopic 2:1.16.0-1ubuntu1.2~trusty2
- Ubuntu 12.04 LTS:
  - xserver-xorg-core 2:1.11.4-0ubuntu10.17
  - xserver-xorg-core-lts-trusty 2:1.15.1-0ubuntu2~precise5
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
USN-2501-1: PHP vulnerabilities
Ubuntu Security Notice USN-2501-1
17th February, 2015
php5 vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in PHP.
Software description
- php5 – HTML-embedded scripting language interpreter
Details
Stefan Esser discovered that PHP incorrectly handled unserializing objects.
A remote attacker could use this issue to cause PHP to crash, resulting in
a denial of service, or possibly execute arbitrary code. (CVE-2014-8142,
CVE-2015-0231)
Brian Carpenter discovered that the PHP CGI component incorrectly handled
invalid files. A local attacker could use this issue to obtain sensitive
information, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9427)
It was discovered that PHP incorrectly handled certain pascal strings in
the fileinfo extension. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9652)
Alex Eubanks discovered that PHP incorrectly handled EXIF data in JPEG
images. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-0232)
It was discovered that the PHP opcache component incorrectly handled
memory. A remote attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-1351)
It was discovered that the PHP PostgreSQL database extension incorrectly
handled certain pointers. A remote attacker could possibly use this issue
to cause PHP to crash, resulting in a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and
Ubuntu 14.10. (CVE-2015-1352)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10:
  - php5-cli 5.5.12+dfsg-2ubuntu4.2
  - php5-cgi 5.5.12+dfsg-2ubuntu4.2
  - libapache2-mod-php5 5.5.12+dfsg-2ubuntu4.2
  - php5-fpm 5.5.12+dfsg-2ubuntu4.2
  - php5-pgsql 5.5.12+dfsg-2ubuntu4.2
- Ubuntu 14.04 LTS:
  - php5-cli 5.5.9+dfsg-1ubuntu4.6
  - php5-cgi 5.5.9+dfsg-1ubuntu4.6
  - libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.6
  - php5-fpm 5.5.9+dfsg-1ubuntu4.6
  - php5-pgsql 5.5.9+dfsg-1ubuntu4.6
- Ubuntu 12.04 LTS:
  - php5-cli 5.3.10-1ubuntu3.16
  - php5-cgi 5.3.10-1ubuntu3.16
  - libapache2-mod-php5 5.3.10-1ubuntu3.16
  - php5-fpm 5.3.10-1ubuntu3.16
  - php5-pgsql 5.3.10-1ubuntu3.16
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
USN-2502-1: unzip vulnerabilities
Ubuntu Security Notice USN-2502-1
17th February, 2015
unzip vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
unzip could be made to run programs if it opened a specially crafted file.
Software description
- unzip – De-archiver for .zip files
Details
William Robinet discovered that unzip incorrectly handled certain
malformed zip archives. If a user or automated system were tricked into
processing a specially crafted zip archive, an attacker could possibly
execute arbitrary code.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10:
  - unzip 6.0-12ubuntu1.3
- Ubuntu 14.04 LTS:
  - unzip 6.0-9ubuntu1.3
- Ubuntu 12.04 LTS:
  - unzip 6.0-4ubuntu2.3
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
Agora Marketplace Cross Site Request Forgery
Agora Marketplace suffers from cross site request forgery vulnerabilities.
Are you making it easy for hackers to hack you?
Simply put, it all comes down to social media. Many of us feel free to communicate openly on social media platforms, and while you may be sharing content with the intention of reaching your friends, you might also be reaching people who don’t have good intentions. For example, what kinds of personal details do you openly share on Twitter? Information about your life, location, preferences, and even the people you communicate with might seem innocent on its own, but for a motivated hacker, combining these elements can produce a fairly complete profile of who you are, which could then be used to try to steal your identity and break into your accounts.
Text isn’t the only content that hackers can parse, either. In many ways and with certain demographics, photo sharing networks like Instagram are even more popular than standard social networks like Facebook and Twitter. Is your life an open book on Instagram? Can your followers describe everything about who you are and what you like just based on the images that you post?
This might be fine for family and friends, but it’s important to spend some time thinking about how others may view this content and what they might be able to do with what you reveal. In an extreme example, it was recently reported that hackers can even copy your fingerprints from pictures of your fingers.
While having someone steal your fingerprints from a picture isn’t something that’s realistic to be concerned about right now, on a smaller scale, it does highlight why it’s good to be more mindful about what you’re putting out there in the world. Hackers might be known for exploiting weaknesses in computer systems, but they can also exploit weaknesses in your social media habits, especially if you’re an attractive target.
The post Are you making it easy for hackers to hack you? appeared first on Avira Blog.
[RT-SA-2014-016] Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite
Posted by RedTeam Pentesting GmbH on Feb 18
Advisory: Directory Traversal and Arbitrary File Disclosure in hybris
Commerce Software Suite
During a penetration test, RedTeam Pentesting discovered a Directory
Traversal vulnerability in hybris Commerce software suite. This
vulnerability allows attackers to download arbitrary files of any size
from the affected system.
Details
=======
Product: hybris Commerce Software Suite
Affected Versions:
Release 5.3: <= 5.3.0.1…