OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.
Monthly Archives: April 2015
Fedora 22 Security Update: ruby-2.2.2-11.fc22
Resolved Bugs
1209982 – CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125 [fedora-all]
Fixes CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125
Fedora 22 Security Update: cherokee-1.2.103-6.fc22
Resolved Bugs
1114461 – CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds [fedora-all]
1094901 – cherokee: script and/or trigger should not directly enable systemd units
Resolves bz 1114461 – CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds
Fedora 22 Security Update: php-5.6.8-1.fc22
Resolved Bugs
1185897 – CVE-2015-1351 CVE-2015-1352 CVE-2015-1353 php: various flaws [fedora-all]
1185900 – CVE-2015-1351 php: use after free in opcache extension
1185904 – CVE-2015-1352 php: NULL pointer dereference in pgsql extension
16 Apr 2015, **PHP 5.6.8**
Core:
* Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence)
* Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk)
* Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai)
* Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski)
* Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas)
* Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso)
* Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/… arg passing). (Nikita)
* Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita)
* Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas)
* Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas)
Apache2handler:
* Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema)
cURL:
* Implemented FR#69278 (HTTP2 support). (Masaki Kagaya)
* Fixed bug #68739 (Missing break / control flow). (Laruence)
* Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence)
Date:
* Fixed bug #69336 (Issues with “last day of “). (Derick Rethans)
Enchant:
* Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol)
Ereg:
* Fixed bug #68740 (NULL Pointer Dereference). (Laruence)
Fileinfo:
* Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski)
Filter:
* Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used). (Jeff Welch)
* Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn’t strip ASCII 127). (Jeff Welch)
OPCache:
* Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function). (Laruence)
* Fixed bug #69281 (opcache_is_script_cached no longer works). (danack)
* Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence)
OpenSSL:
* Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts) (Chris Wright)
* Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) (Daniel Lowrey)
* Fixed bug #69215 (Crypto servers should send client CA list) (Daniel Lowrey)
* Add a check for RAND_egd to allow compiling against LibreSSL (Leigh)
Phar:
* Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar). (Mike)
* Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike)
* Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike)
* Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing “.tar”). (Mike)
* Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas)
* Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (Stas)
Postgres:
* Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence)
SPL:
* Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com)
SOAP:
* Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)). (Laruence)
Sqlite3:
* Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception). (Dan Ackroyd)
* Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol)
* Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan)
UPDATE: VMSA-2015-0003.4 – VMware product updates address critical information disclosure issue in JRE.
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2015-0003.4
Synopsis: VMware product updates address critical information
disclosure issue in JRE.
Issue date: 2015-04-02
Updated on: 2015-04-17
CVE number: CVE-2014-6593, for other CVEs see JRE reference
------------------------------------------------------------------------
1. Summary
VMware product updates address critical information disclosure
issue in JRE.
2. Relevant Releases
Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
Horizon DaaS Platform 6.1.4 or 5.4.5
vCloud Connector 2.7
vCloud Usage Meter 3.3
vCenter Site Recovery Manager prior to 5.5.1.5
vCenter Server 6.0 and 5.5
vRealize Operations Manager 6.0
vCenter Operations Manager 5.8.x or 5.7.x
vRealize Application Services 6.2 or 6.1
vCloud Application Director 6.0
vRealize Automation 6.2 or 6.1
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2 or 5.6.0.3
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA Prior to 1.1.x
vCenter Chargeback Manager 2.7 or 2.6
vRealize Business Adv/Ent 8.1 or 8.0
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for Multi-Hypervisor prior to 4.2.4
vCloud Director prior to 5.5.3
vCloud Director Service Providers prior to 5.6.4.1
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure 5.8 or 5.7
vRealize Log Insight 2.5, 2.0, 1.5 or 1.0
vSphere Update Manager 6.0 or 5.5
3. Problem Description
a. Oracle JRE Update
Oracle JRE is updated in VMware products to address a
critical security issue that existed in earlier releases of
Oracle JRE.
VMware products running JRE 1.7 Update 75 or newer and
JRE 1.6 Update 91 or newer are not vulnerable to CVE-2014-6593,
as documented in the Oracle Java SE Critical Patch Update
Advisory of January 2015.
This advisory also includes the other security issues that
are addressed in JRE 1.7 Update 75 and JRE 1.6 Update 91. The
References section provides a link to the JRE advisory.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2014-6593 to this issue. This
issue is also known as "SKIP" or "SKIP-TLS".
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
| VMware Product | Product Version | Running on | Replace with/Apply Patch** |
|---|---|---|---|
| Horizon View | 6.x | any | 6.1 |
| Horizon View | 5.x | any | 5.3.4 |
| Horizon Workspace Portal Server | 2.1, 2.0 | any | 2.1.1 |
| Horizon DaaS Platform | 6.1 | any | 6.1.4 |
| Horizon DaaS Platform | 6.0 | any | patch pending |
| Horizon DaaS Platform | 5.4 | any | 5.4.5 |
| vCloud Networking and Security | 5.5 | any | patch pending* |
| vCloud Connector | 2.7 | any | 2.7.1* |
| vCloud Usage Meter | 3.3 | any | 3.3.3* |
| vCenter Site Recovery Manager | 5.5.x | any | 5.5.1.5*** |
| vCenter Site Recovery Manager | 5.1.x | any | patch pending*** |
| vCenter Site Recovery Manager | 5.0.x | any | patch pending*** |
| vCenter Server | 6.0 | any | 6.0.0a |
| vCenter Server | 5.5 | any | Update 2e |
| vCenter Server | 5.1 | any | patch pending |
| vCenter Server | 5.0 | any | patch pending |
| vRealize Operations Manager | 6.0 | any | KB2112028 |
| vCenter Operations Manager | 5.8.x | any | KB2111172 |
| vCenter Operations Manager | 5.7.x | any | KB2111172 |
| vCenter Support Assistant | 5.5.1.x | any | patch pending |
| vRealize Application Services | 6.2 | any | KB2111981 |
| vRealize Application Services | 6.1 | any | KB2111981 |
| vCloud Application Director | 6.0 | any | KB2111981 |
| vCloud Application Director | 5.2 | any | KB2111981 |
| vRealize Automation | 6.2 | any | KB2111658 |
| vRealize Automation | 6.1 | any | KB2111658 |
| vCloud Automation Center | 6.0.1 | any | KB2111658 |
| vRealize Code Stream | 1.1 | any | KB2111658 |
| vRealize Code Stream | 1.0 | any | KB2111658 |
| vPostgres | 9.3.x | any | patch pending |
| vPostgres | 9.2.x | any | patch pending |
| vPostgres | 9.1.x | any | patch pending |
| vSphere Replication | 5.8.1 | any | patch pending |
| vSphere Replication | 5.8.0 | any | 5.8.0.2 |
| vSphere Replication | 5.6.0 | any | 5.6.0.3 |
| vSphere Replication | 5.1 | any | patch pending |
| vSphere Storage Appliance | 5.x | any | patch pending* |
| vRealize Hyperic | 5.8 | any | KB2111337 |
| vRealize Hyperic | 5.7 | any | KB2111337 |
| vRealize Hyperic | 5.0 | any | KB2111337 |
| vSphere AppHA | 1.1 | any | KB2111336 |
| vSphere Big Data Extensions | 2.1 | any | patch pending* |
| vSphere Big Data Extensions | 2.0 | any | patch pending* |
| vSphere Data Protection | 6.0 | any | patch pending* |
| vSphere Data Protection | 5.8 | any | patch pending* |
| vSphere Data Protection | 5.5 | any | patch pending* |
| vSphere Data Protection | 5.1 | any | patch pending* |
| vCenter Chargeback Manager | 2.7 | any | KB2112011* |
| vCenter Chargeback Manager | 2.6 | any | KB2113178* |
| vRealize Business Adv/Ent | 8.1 | any | KB2112258* |
| vRealize Business Adv/Ent | 8.0 | any | KB2112258* |
| vRealize Business Standard | 6.0 | any | KB2111802 |
| vRealize Business Standard | 1.1 | any | KB2111802 |
| vRealize Business Standard | 1.0 | any | KB2111802 |
| NSX for vSphere | 6.1 | any | patch pending* |
| NSX for Multi-Hypervisor | 4.2 | any | 4.2.4* |
| vCloud Director | 5.5.x | any | 5.5.3* |
| vCloud Director For Service Providers | 5.6.4 | any | 5.6.4.1* |
| vCenter Application Discovery Manager | 7.0 | any | patch pending* |
| vRealize Configuration Manager | 5.7.x | any | KB2111670 |
| vRealize Configuration Manager | 5.6 | any | KB2111670 |
| vRealize Infrastructure Navigator | 5.8 | any | 5.8.4 |
| vRealize Infrastructure Navigator | 5.7 | any | KB2111334* |
| vRealize Orchestrator | 6.0 | any | patch pending* |
| vRealize Orchestrator | 5.2 | any | patch pending* |
| vRealize Orchestrator | 5.1 | any | patch pending* |
| vShield | 5.5 | any | patch pending* |
| vRealize Log Insight | 2.5 | any | KB2113235* |
| vRealize Log Insight | 2.0 | any | KB2113235* |
| vRealize Log Insight | 1.5 | any | KB2113235* |
| vRealize Log Insight | 1.0 | any | KB2113235* |
| vSphere Management Assistant | 5.x | any | patch pending |
| vSphere Update Manager | 6.0 | any | 6.0.0a* |
| vSphere Update Manager | 5.5 | any | Update 2e* |
| vSphere Update Manager | 5.1 | any | patch pending* |
| vSphere Update Manager | 5.0 | any | patch pending* |
* The severity of critical is lowered to important for this product
as it is not considered Internet facing.
** Knowledge Base (KB) articles provide details of the patches and
how to install them.
*** vCenter Site Recovery Manager 5.0, 5.1, and 5.5 themselves do not
include JRE, but they include the vSphere Replication appliance,
which has JRE. vCenter Site Recovery 5.8 and 6.0 include neither
JRE nor the vSphere Replication appliance.
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
Horizon View 6.1, 5.3.4:
========================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396
VMware Workspace Portal 2.1.1
=============================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HZNWS211&productId=501&rPId=7586
Documentation:
https://www.vmware.com/support/horizon_workspace/doc/wp_release_notes_211.html
Horizon DaaS Platform 6.1.4
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-610-BIN&productId=405&rPId=6527
Horizon DaaS Platform 5.4.5
===========================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=HORIZON-DAAS-ONPREM-540&productId=398&rPId=5214
vCloud Connector 2.7.1
======================
Downloads and Documentation:
http://www.vmware.com/support/hybridcloud/doc/hybridcloud_271_rel_notes.html
vCloud Usage Meter 3.3.3
========================
Downloads:
https://my.vmware.com/en/group/vmware/get-download?downloadGroup=UMSV333
vCenter Site Recovery Manager 5.5.1.5
======================================
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM5515&productId=357&rPId=7774
Documentation:
https://www.vmware.com/support/srm/srm-releasenotes-5-5-1.html
vCenter Server 6.0, 5.5
=======================
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
vRealize Operations Manager 6.0.1
=================================
Downloads and Documentation: http://kb.vmware.com/kb/2112028
vRealize Application Services 6.2, 6.1
======================================
Downloads and Documentation: http://kb.vmware.com/kb/2111981
vCloud Application Director 6.0
======================================
Downloads and Documentation: http://kb.vmware.com/kb/2111981
vCloud Director for Service Providers 5.6.4.1
=============================================
Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_sp_pubs.html
vCenter Operations Manager 6.0, 5.8.5, 5.7.4
=======================================
Downloads and Documentation: http://kb.vmware.com/kb/2111172
vCloud Automation Center 6.0.1.2
================================
Downloads and Documentation: http://kb.vmware.com/kb/2111685
vSphere Replication 5.8.0.2, 5.6.0.3
====================================
Downloads:
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5802
https://my.vmware.com/web/vmware/get-download?downloadGroup=VR5603
Documentation:
http://kb.vmware.com/kb/2112025
http://kb.vmware.com/kb/2112022
vRealize Automation 6.2.1, 6.1.1
================================
Downloads and Documentation: http://kb.vmware.com/kb/2111658
vRealize Code Stream 1.1, 1.0
=============================
Downloads and Documentation: http://kb.vmware.com/kb/2111685
vRealize Hyperic 5.8.4, 5.7.2, 5.0.3
====================================
Downloads and Documentation: http://kb.vmware.com/kb/KB2111337
vSphere AppHA 1.1.1
===================
Downloads and Documentation: http://kb.vmware.com/kb/2111336
vCenter Chargeback Manager 2.7
====================================
Downloads and Documentation: http://kb.vmware.com/kb/2112011
vCenter Chargeback Manager 2.6
====================================
Downloads and Documentation: http://kb.vmware.com/kb/2113178
vRealize Business Adv/Ent 8.1, 8.0
====================================
Downloads and Documentation: http://kb.vmware.com/kb/2112258
vRealize Business Standard 6.0, 1.1 , 1.0
=======================================
Downloads and Documentation: http://kb.vmware.com/kb/2111802
vRealize Configuration Manager 5.7.3
===================================
Downloads and Documentation: http://kb.vmware.com/kb/2111670
vRealize Infrastructure Navigator 5.8.4
=======================================
Download:
https://my.vmware.com/web/vmware/details?downloadGroup=VIN_584&productId=476
vRealize Infrastructure Navigator 5.7
=====================================
Downloads and Documentation: http://kb.vmware.com/kb/2111334
vSphere Update Manager 6.0, 5.5
===============================
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593
JRE
Oracle Java SE Critical Patch Update Advisory of January 2015
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
------------------------------------------------------------------------
6. Change log
2015-04-02 VMSA-2015-0003
Initial security advisory in conjunction with the release of VMware
Horizon View 6.1, 5.3.4; vCenter Operations Manager 5.8.5;
vCenter Operations Manager 5.7.4; vCloud Automation Center
6.0.1.2; vSphere Replication 5.8.0.2, 5.6.0.3; vRealize
Automation 6.2.1, 6.1.1; vRealize Code Stream 1.1, 1.0;
vRealize Hyperic 5.8.4, 5.7.2, 5.0.3; vSphere AppHA 1.1.1;
vRealize Business Standard 1.1.1, 1.0.1; vRealize Configuration
Manager prior to 5.7.3; vRealize Infrastructure 5.7, 5.8.4 Patches
released on 2015-04-02.
2015-04-09 VMSA-2015-0003.1
Updated Security advisory in conjunction with the release of VMware
Horizon DaaS Platform 6.1.4, 5.4.5; vRealize Operations Manager 6.0;
vRealize Application Services 6.2; vRealize Application Services 6.1;
vCloud Application Director 6.0; vCenter Chargeback Manager 2.7, 2.6;
vCloud Director For Service Providers 5.6.4.1;
vRealize Log Insight 2.5, 2.0, 1.5, 1.0 Patches
released on 2015-04-09.
2015-04-13 VMSA-2015-0003.2
Updated Security advisory in conjunction with the release of
vRealize Business Adv/Ent 8.1, 8.0 Patches released
on 2015-04-13.
2015-04-16 VMSA-2015-0003.3
Updated Security advisory in conjunction with the release of
vCloud Connector 2.7.1; vCloud Usage Meter 3.3.3;
vCenter Server 6.0, 5.5; vSphere Update Manager 6.0, 5.5 patches
released on 2015-04-16.
2015-04-17 VMSA-2015-0003.4
Updated Security advisory in conjunction with the release of
vCenter Site Recovery Manager 5.5.1.5 patches released on 2015-04-16.
------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
Fedora EPEL 6 Security Update: cherokee-1.2.103-6.el6
Resolved Bugs
1114460 – CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds
1114463 – CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds [epel-all]
Resolves bz 1114463 – CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds
Fedora EPEL 6 Security Update: mod_proxy_fcgi-2.4.10-1.20150415gitd45a11f.el6
Resolved Bugs
1163555 – CVE-2014-3583 httpd: mod_proxy_fcgi handle_headers() buffer over read
1182770 – Review Request: mod_proxy_fcgi – FastCGI support module for mod_proxy 2.2
Initial release of mod_proxy_fcgi for EPEL 6. This update also fixes CVE-2014-3583 which was present in earlier unreleased builds.
Fedora EPEL 5 Security Update: cherokee-1.2.103-6.el5
Resolved Bugs
1114461 – CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds [fedora-all]
1094901 – cherokee: script and/or trigger should not directly enable systemd units
Resolves bz 1114461 – CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds
Fedora EPEL 7 Security Update: mingw-gnutls-3.3.14-1.el7,mingw-libtasn1-4.4-1.el7,mingw-p11-kit-0.20.7-1.el7
Google Moving Toward Encrypted Ad Services
Google engineers have spent the last several years moving many of the company’s online services to encrypted links. Gmail is HTTPS by default, and Google search is done over SSL for much of the world. Now the company is working to move its ad-serving and ad-buying platforms to HTTPS, as well. Google’s ad networks are pervasive […]