Monthly Archives: April 2015

Ubuntu

USN-2556-1: Oxide vulnerabilities

Ubuntu Security Notice USN-2556-1

7th April, 2015

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

  • oxide-qt
    – Web browser engine library for Qt (QML plugin)

Details

It was discovered that Chromium did not properly handle the interaction
of IPC, the gamepad API and V8. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2015-1233)

A buffer overflow was discovered in the GPU service. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash. (CVE-2015-1234)

It was discovered that Oxide did not correctly manage the lifetime of
BrowserContext, resulting in a potential use-after-free in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-1317)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
liboxideqtcore0

1.5.6-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:
liboxideqtcore0

1.5.6-0ubuntu0.14.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-1233,

CVE-2015-1234,

CVE-2015-1317,

LP: 1431484

Ubuntu

USN-2558-1: Mailman vulnerability

Ubuntu Security Notice USN-2558-1

7th April, 2015

mailman vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Mailman could be made to run programs if it processed a specially crafted
list name.

Software description

  • mailman
    – Powerful, web-based mailing list manager

Details

It was discovered that Mailman incorrectly handled special characters
in list names. A local attacker could use this issue to perform a path
traversal attack and execute arbitrary code as the Mailman user.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
mailman

1:2.1.18-1ubuntu0.1
Ubuntu 14.04 LTS:
mailman

1:2.1.16-2ubuntu0.1
Ubuntu 12.04 LTS:
mailman

1:2.1.14-3ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-2775

CentOS

CEBA-2015:0781 CentOS 6 shadow-utils BugFix Update

CentOS Errata and Bugfix Advisory 2015:0781 

Upstream details at : https://rhn.redhat.com/errata/RHBA-2015-0781.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
eba572421ae5aa17dc7e081dbb3bcbbe57fdac179f3757c85e33f257ce2913c0  shadow-utils-4.1.4.2-19.el6_6.1.i686.rpm

x86_64:
dd1ee7bd797fb52fda1586d856c51b12c06fad013e42e6346571e3bed8dcfa72  shadow-utils-4.1.4.2-19.el6_6.1.x86_64.rpm

Source:
17fa66c35c4dacbed3a25d24ffc92ef97f26fb6d8d1e7db9ea5d492c92f58b21  shadow-utils-4.1.4.2-19.el6_6.1.src.rpm
Security

TOR Virtual Network Tunneling Tool 0.2.5.12

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).

Security

Ubuntu Security Notice USN-2557-1

Ubuntu Security Notice 2557-1 – Muneaki Nishimura discovered a flaw in Mozilla’s HTTP Alternative Services implementation which meant SSL certificate verification could be bypassed in some circumstances. A remote attacker could potentially exploit this to conduct a man in the middle attack.

Security

Ubuntu Security Notice USN-2556-1

Ubuntu Security Notice 2556-1 – It was discovered that Chromium did not properly handle the interaction of IPC, the gamepad API and V8. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking the program. A buffer overflow was discovered in the GPU service. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash. Various other issues were also addressed.