Google to Publish Research on Browser Ad Injectors

Google is preparing to release new research on the prevalence of ad injectors, the often-unwanted browser extensions that inject ads onto Web pages, and the numbers will show just how widespread and problematic the software is. Ad injectors belong to that great, amorphous pile of applications that aren’t necessarily classed as malware but exhibit behavior that is […]

USN-2551-1: Apache Standard Taglibs vulnerability

Ubuntu Security Notice USN-2551-1

30th March, 2015

jakarta-taglibs-standard vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS

Summary

Apache Standard Taglibs loaded external XML entities.

Software description

  • jakarta-taglibs-standard
    – Implementation of JSP Standard Tag Library (JSTL)

Details

David Jorm discovered that the Apache Standard Taglibs incorrectly handled
external XML entities. A remote attacker could possibly use this issue to
execute arbitrary code or perform other external XML entity attacks.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • libjakarta-taglibs-standard-java 1.1.2-2ubuntu1.14.10.1
  • libjstl1.1-java 1.1.2-2ubuntu1.14.10.1

Ubuntu 14.04 LTS:
  • libjakarta-taglibs-standard-java 1.1.2-2ubuntu1.14.04.1
  • libjstl1.1-java 1.1.2-2ubuntu1.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-0254

Release for CentOS Linux 7 (1503) on x86_64

We would like to announce the general availability of CentOS Linux 7
(1503) for 64 bit x86 compatible machines.

This is the second major release for CentOS-7 and is tagged as 1503.
This build is derived from Red Hat Enterprise Linux 7.1

As always, read through the Release Notes at :
http://wiki.centos.org/Manuals/ReleaseNotes/CentOS7 - these notes
contain important information about the release and details about some
of the content inside the release from the CentOS QA team. These notes
are updated constantly to include issues and incorporate feedback from
the users.

----------
Updates, Sources, and DebugInfos

This merges in all base, updates, and CR (continuous release) components
released in the month of March 2015. If you have been using the CR repos
on your previous CentOS Linux 7 install, you already have all the
components used to compose this new release.

As with all CentOS Linux 7 components, this release was built from
sources hosted at git.centos.org. In addition, SRPMs that are a
byproduct of the build (and also considered critical in the code and
buildsys process) are being published to match every binary RPM we
release. Sources will be available from vault.centos.org in their own
dedicated directories to match the corresponding binary RPMs. Since
there is far less traffic to the CentOS source RPMs compared with the
binary RPMs, we are not putting this content on the main mirror network.
If users wish to mirror this content they can do so using the reposync
command available in the yum-utils package. All CentOS source RPMs are
signed with the same key used to sign their binary counterparts.
Developers and end users looking at inspecting and contributing patches
to the CentOS Linux distro will find the code hosted at git.centos.org
far simpler to work against. Details on how to best consume those are
documented along with a quick start at : http://wiki.centos.org/Sources

Debuginfo packages are also being signed and pushed. Yum configs shipped
in the new release file will have all the context required for debuginfo
to be available on every CentOS Linux install.

This release supersedes all previously released content for CentOS Linux
7, and therefore we highly encourage all users to upgrade their
machines. Information on different upgrade strategies and how to handle
stale content is included in the Release Notes.

For the CentOS-7 build and release process we adopted a very open
process. The output of the entire buildsystem is made available, as it
is built, at http://buildlogs.centos.org/ - we hope to continue with
that process for the life of CentOS Linux 7, and hope to attempt
bringing CentOS-5 and CentOS-6 builds into the same system.

----------
Release file handling

This release splits the /etc/centos-release from /etc/redhat-release to
better indicate the relationship between the two distributions. There
are also changes to the /etc/os-release file to incorporate changes
needed by the new abrt stack.

----------
Download

In order to conserve donor bandwidth, and to make it possible to get
the mirror content sync'd out as soon as possible, we recommend using
torrents to get your initial installer images:

Details on the images are available on the mirrors at
http://mirror.centos.org/centos/7/isos/x86_64/0_README.txt - that file
clearly highlights the difference in the images, and when one might be
more suitable than the others.

The sizes, sha256 sums and torrents for the ISO files:

* CentOS-7-x86_64-Minimal-1503.iso
  Size: 591396864
  Torrent:
http://mirror.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1503.torrent
  sha256sum:
0b8482dc7e3076749f7fd914487ec6280539d3ba1f10c5b73c94b632f987f011

* CentOS-7-x86_64-DVD-1503.iso
  Size: 4236247040
  Torrent:
http://mirror.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1503.torrent
  sha256sum:
1817a1689b3c646a6473c93012e06307c6b659000ccffd188a3f4d0a0b531ba9

* CentOS-7-x86_64-Everything-1503.iso
  Size: 7517241344
  Torrent:
http://mirror.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Everything-1503.torrent
  sha256sum:
3cef58a3a03aff3ea194e63fdc95f03548b292e6f57e4a931a8d5453a6697661

* CentOS-7-x86_64-LiveGNOME-1503.iso
  Size: 1124073472
  Torrent:
http://mirror.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-LiveGNOME-1503.torrent
  sha256sum:
2cfc9fab2edb0be51b75ee63528b61cad79489129d2aad1713eeed1b4117ab47

* CentOS-7-x86_64-LiveKDE-1503.iso
  Size: 1310720000
  Torrent:
http://mirror.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-LiveKDE-1503.torrent
  sha256sum:
6b2cd1c30092e9a141a458d40d0fcba74207b6c80e4f68dc7f800fbe1d7bae1b

* CentOS-7-x86_64-LiveCD-1503.iso
  Size: 729808896
  Torrent:
http://mirror.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-LiveCD-1503.torrent
  sha256sum:
96ee805573d0617ee11704e7973b55387adef13c6efdc82d50d287dba00dfaf1

* CentOS-7-x86_64-NetInstall-1503.iso
  Size: 377487360
  Torrent:
http://mirror.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-NetInstall-1503.torrent
  sha256sum:
498bb78789ddc7973fe14358822eb1b48521bbaca91c17bd132c7f8c903d79b3

The iso files are also available for direct download from
http://mirror.centos.org/centos/7/isos/x86_64

* CentOS 7 1503 Docker Container: 'docker pull centos' will now give
you the 1503 container image. You can see the official CentOS
Linux container tags at : https://registry.hub.docker.com/_/centos/

----------
Special Interest Groups

The CentOS Linux distribution is built, managed, and released by the
CentOS Core SIG. In addition, we also have the following SIGs that are
doing an amazing job expanding and building on the base Linux platform:

* Cloud SIG at http://wiki.centos.org/SpecialInterestGroup/Cloud is
working to deliver various cloud controller infrastructure including
OpenStack. They have a fully functional, feature complete RDO stack now
available for testing with CentOS Linux 7 at
http://buildlogs.centos.org/centos/7/cloud/openstack-rdo/

* Cloud Instance SIG at
http://wiki.centos.org/SpecialInterestGroup/CloudInstance aims to
deliver VM images for use in various cloud and virtualised ecosystems
including AWS
(https://aws.amazon.com/marketplace/seller-profile?id=16cb8b03-256e-4dde-8f34-1b0f377efe89)
and Docker ( https://registry.hub.docker.com/_/centos/ )

* Virtualization SIG at
http://wiki.centos.org/SpecialInterestGroup/Virtualization includes
upstream virtualization and hypervisor related projects including Xen
( http://www.xenproject.org ), oVirt ( http://www.ovirt.org/ ), and Docker
( http://docker.io ). They also work to build and release
support tools around these virtualization technologies.

* Storage SIG at http://wiki.centos.org/SpecialInterestGroup/Storage
includes the Gluster Project ( http://www.gluster.org/ ), Ceph
(http://ceph.com ), OpenAFS ( http://www.openafs.org ) and the SCST
project ( http://scst.sourceforge.net/ ). Gluster builds for CentOS,
that track upstream community code are available for testing now at
http://buildlogs.centos.org/centos/7/storage/gluster/

* Software Collections SIG at
http://wiki.centos.org/SpecialInterestGroup/SCLo is working on
documenting and then delivering software collections built for newer
versions of in-distro content. Their aim is to deliver a community and
contributor friendly mechanism for SCL's in an easy to consume format.

* Atomic SIG at http://wiki.centos.org/SpecialInterestGroup/Atomic is
working on building, maintaining, and delivering a CentOS Atomic host (
http://projectatomic.io ). Testing and development builds including AWS
EC2 instances and Vagrant boxes are now available at
http://wiki.centos.org/SpecialInterestGroup/Atomic/Download

In addition to these, the CentOS Artwork and CentOS Promo SIGs help with
promo content and helping organise Dojos around the world.

SIGs are a great way for people to come together and deliver content
around a specific area into the wider CentOS ecosystem and we welcome
groups to come together with low barriers to entry and plenty of
resources to offer the groups. Details on the process can be found at
http://wiki.centos.org/SpecialInterestGroup

----------
Dojo

We try and organise Dojos in various parts of the world as a one day
event, to bring together people who use CentOS and others who are keen
to learn about CentOS. The day's focus is on sharing technical knowledge
and success stories. It's also a great place to meet and talk about
upcoming technologies and learn how others are using them on CentOS Linux.

In the coming months we hope to host events in London, Bangalore, Sweden,
Germany, Spain, and in many parts of the USA. If you would like to help
organise a Dojo, do drop by the centos-promo list at
http://lists.centos.org/mailman/listinfo/centos-promo

----------
Getting Help

The CentOS ecosystem is sustained by community driven help and guidance.
The best place to start for new users is at
http://wiki.centos.org/GettingHelp

----------
Contributors

This release was made possible due to the hard work of many people,
foremost on that list are the Red Hat Engineers for producing a great
distribution, without them CentOS Linux would look very different.

We are also looking for people to get involved with the QA process in
CentOS, if you would like to join this please introduce yourself on the
centos-devel list (http://lists.centos.org/mailman/listinfo/centos-devel ).


----------
Thanks

I would also like to thank our donors and sponsors for their continued
support for the project. And to everyone who contributed with ideas,
code, test feedback, and promoting CentOS Linux into the ecosystem.

Enjoy!

--
Karanbir Singh, Project Lead, The CentOS Project
+44-207-0094455 | http://www.centos.org/ | twitter.com/CentOS
