MDVSA-2015:187: graphviz

Updated graphviz packages fix security vulnerability:

Format string vulnerability in the yyerror function in
lib/cgraph/scan.l in Graphviz allows remote attackers to have
unspecified impact via format string specifiers in unknown vector,
which are not properly handled in an error string (CVE-2014-9157).

Additionally, the gtkglarea2 and gtkglext packages were missing and were
required for graphviz to build; these packages are also being provided
with this advisory.

MDVSA-2015:161-1: icu

Updated icu packages fix security vulnerabilities:

The Regular Expressions package in International Components for Unicode
(ICU) 52 before SVN revision 292944 allows remote attackers to cause
a denial of service (memory corruption) or possibly have unspecified
other impact via vectors related to a zero-length quantifier or
look-behind expression (CVE-2014-7923, CVE-2014-7926).

The collator implementation in i18n/ucol.cpp in International
Components for Unicode (ICU) 52 through SVN revision 293126 does not
initialize memory for a data structure, which allows remote attackers
to cause a denial of service or possibly have unspecified other impact
via a crafted character sequence (CVE-2014-7940).

It was discovered that ICU incorrectly handled memory operations
when processing fonts. If an application using ICU processed crafted
data, an attacker could cause it to crash or potentially execute
arbitrary code with the privileges of the user invoking the program
(CVE-2014-6585, CVE-2014-6591).

Update:

Packages for Mandriva Business Server 1 are now being provided.

Fedora 22 Security Update: jffi-1.2.7-5.fc22,jenkins-1.606-1.fc22,jenkins-executable-war-1.29-4.fc22

Resolved Bugs
1205615 – CVE-2015-1812 CVE-2015-1813 jenkins: Reflective XSS vulnerability (SECURITY-171, SECURITY-177)
1205620 – CVE-2015-1806 jenkins: Combination filter Groovy script unsecured (SECURITY-125)
1205623 – CVE-2015-1808 jenkins: update center metadata retrieval DoS attack (SECURITY-163)
1205627 – CVE-2015-1810 jenkins: HudsonPrivateSecurityRealm allows creation of reserved names (SECURITY-166)
1205637 – CVE-2015-1806 CVE-2015-1807 CVE-2015-1813 CVE-2015-1812 CVE-2015-1811 CVE-2015-1810 CVE-2015-1808 CVE-2015-1809 CVE-2015-1814 jenkins: various flaws [fedora-all]
1205616 – CVE-2015-1814 jenkins: forced API token change (SECURITY-180)
1205622 – CVE-2015-1807 jenkins: directory traversal from artifacts via symlink (SECURITY-162)
1205625 – CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
1205632 – CVE-2015-1811 jenkins: External entity processing in XML can reveal sensitive local files (SECURITY-167)
Security fix for CVE-2015-1806, CVE-2015-1807, CVE-2015-1813, CVE-2015-1812, CVE-2015-1810, CVE-2015-1808, CVE-2015-1809, CVE-2015-1814, CVE-2015-1811

USN-2553-2: LibTIFF regression

Ubuntu Security Notice USN-2553-2

1st April, 2015

tiff regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

USN-2553-1 introduced a regression in LibTIFF.

Software description

  • tiff
    – Tag Image File Format (TIFF) library

Details

USN-2553-1 fixed vulnerabilities in LibTIFF. One of the security fixes
caused a regression when saving certain TIFF files with a Predictor tag.
The problematic patch has been temporarily backed out until a more complete
fix is available.

We apologize for the inconvenience.

Original advisory details:

William Robinet discovered that LibTIFF incorrectly handled certain
malformed images. If a user or automated system were tricked into opening a
specially crafted image, a remote attacker could crash the application,
leading to a denial of service, or possibly execute arbitrary code with
user privileges. (CVE-2014-8127, CVE-2014-8128, CVE-2014-8129,
CVE-2014-8130)

Paris Zoumpouloglou discovered that LibTIFF incorrectly handled certain
malformed BMP images. If a user or automated system were tricked into
opening a specially crafted BMP image, a remote attacker could crash the
application, leading to a denial of service. (CVE-2014-9330)

Michal Zalewski discovered that LibTIFF incorrectly handled certain
malformed images. If a user or automated system were tricked into opening a
specially crafted image, a remote attacker could crash the application,
leading to a denial of service, or possibly execute arbitrary code with
user privileges. (CVE-2014-9655)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • libtiff5 4.0.3-10ubuntu0.2

Ubuntu 14.04 LTS:
  • libtiff5 4.0.3-7ubuntu0.3

Ubuntu 12.04 LTS:
  • libtiff4 3.9.5-2ubuntu1.8

Ubuntu 10.04 LTS:
  • libtiff4 3.9.2-2ubuntu0.16

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1439186

USN-2552-1: Thunderbird vulnerabilities

Ubuntu Security Notice USN-2552-1

2nd April, 2015

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

  • thunderbird
    – Mozilla Open Source mail and newsgroup client

Details

Olli Pettay and Boris Zbarsky discovered an issue during anchor
navigations in some circumstances. If a user were tricked into opening
a specially crafted message with scripting enabled, an attacker could
potentially exploit this to bypass same-origin policy restrictions.
(CVE-2015-0801)

Christoph Kerschbaumer discovered that CORS requests from
navigator.sendBeacon() followed 30x redirections after preflight. If a
user were tricked into opening a specially crafted message with
scripting enabled, an attacker could potentially exploit this to conduct
cross-site request forgery (XSRF) attacks. (CVE-2015-0807)

Aki Helin discovered a use-after-free when playing MP3 audio files using
the Fluendo MP3 GStreamer plugin in certain circumstances. If a user were
tricked into opening a specially crafted message, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2015-0813)

Christian Holler, Steve Fink, and Byron Campen discovered multiple memory
safety issues in Thunderbird. If a user were tricked into opening a
specially crafted message with scripting enabled, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2015-0815)

Mariusz Mlynski discovered that documents loaded via resource: URLs (such
as PDF.js) could load privileged chrome pages. If a user were tricked
into opening a specially crafted message with scripting enabled, an attacker
could potentially exploit this in combination with another flaw, in order
to execute arbitrary script in a privileged context. (CVE-2015-0816)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • thunderbird 1:31.6.0+build1-0ubuntu0.14.10.1

Ubuntu 14.04 LTS:
  • thunderbird 1:31.6.0+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  • thunderbird 1:31.6.0+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2015-0801, CVE-2015-0807, CVE-2015-0813, CVE-2015-0815, CVE-2015-0816

Online Tax Identity Fraud on the rise

I recently called my friend Mary to wish her a happy 83rd birthday. She was having a fine day, but had just received a disturbing phone message from the IRS requesting that she call back urgently to settle a tax debt, and that she could use her credit card to do so.

Thankfully, Mary was too smart to trust a blind call from a purported IRS representative – because the call was one of the “imposter” tax fraud scams making the rounds. In this case, a con artist impersonates a government official and tries to bilk trusting taxpayers for un-owed back taxes. (This type of scam also happened to me last year, though not at tax time!)

Of the 2.5 million consumer complaints received by the Federal Trade Commission last year, the imposter scams were the third most common. Debt collection scams ranked second. But at the very top of the list is identity theft. (You can see the full list here.)

In tax identity theft, scammers steal Social Security numbers to file for a tax refund before the real taxpayer can. In many cases, victims may not even learn about the fraud until they file a return, at which point IRS notifies them that the return has already been filed and paid!

The IRS announced that the number of tax identity theft cases has doubled each year in recent years. It estimated that it paid out $5.8 billion in fraudulent tax refunds in 2013 because of identity theft. The IRS also reported that it was able to stop another 5 million attempts to get fraudulent refunds, which saved taxpayers another $20 billion.

Many tax fraud cases involve stolen social security numbers. CNNMoney reports that hackers stole more than 6.5 million Social Security numbers last year, with up to 80 million more at risk this year as part of the Anthem data breach alone.

2014 is sometimes called the year of the hack, and it is clear that while large-scale breaches continue, we will surely see elevated rates of identity theft, especially in the tax season.

All is not lost, though: by following a few steps you can help keep all your credentials in the right place:

  • Always keep your antivirus up to date! If you don’t protect your device, your data could be vulnerable to attack.
  • Never click a link you don’t trust. If in doubt, visit the official website and log in to your account there.
  • Shred physical copies of important documents when they’re no longer needed.
  • Don’t trust urgent phone calls or emails from the IRS demanding action and personal information. The IRS will never contact you by phone or email!
  • If you do get contacted, make a note of their number, and report it to the IRS at its fraud report site.


Here’s wishing you many happy returns!