Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird

Original release date: May 12, 2015

The Mozilla Foundation has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. Exploitation of one of these vulnerabilities may allow a remote attacker to cause a denial-of-service condition or steal sensitive information.

Available updates include:

  • Firefox 38
  • Firefox ESR 31.7
  • Thunderbird 31.7

US-CERT encourages users and administrators to review the Security Advisories for Firefox, Firefox ESR, and Thunderbird and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.

DSA-3260 iceweasel – security update

Multiple security issues have been found in Iceweasel, Debian’s version
of the Mozilla Firefox web browser: Multiple memory safety errors,
buffer overflows and use-after-frees may lead to the execution of
arbitrary code, privilege escalation or denial of service.

USN-2606-1: OpenSSL update

Ubuntu Security Notice USN-2606-1

12th May, 2015

openssl update

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

OpenSSL TLSv1.2 client support has been enabled in Ubuntu 12.04 LTS.

Software description

  • openssl
    – Secure Socket Layer (SSL) cryptographic library and tools

Details

For compatibility reasons, Ubuntu 12.04 LTS shipped OpenSSL with TLSv1.2
disabled for client connections.

This update re-enables TLSv1.2 by default now that the majority of
problematic sites have been updated to fix compatibility issues.

For problematic environments, TLSv1.2 can be disabled again by setting the
OPENSSL_NO_CLIENT_TLS1_2 environment variable before library
initialization. The variable has to be present in the environment of the
process that loads libssl, and it turns off TLSv1.2 for every client
connection that process makes, so scope it to the affected program rather
than setting it system-wide.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • libssl1.0.0 1.0.1-4ubuntu5.27

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes, since processes that already have the old
libssl loaded keep using it until they are restarted.

References

LP: 1442970

USN-2607-1: Module::Signature vulnerabilities

Ubuntu Security Notice USN-2607-1

12th May, 2015

libmodule-signature-perl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu (vivid)
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Module::Signature.

Software description

  • libmodule-signature-perl
    – module to manipulate CPAN SIGNATURE files

Details

John Lightsey discovered that Module::Signature incorrectly handled PGP
signature boundaries. A remote attacker could use this issue to trick
Module::Signature into parsing the unsigned portion of the SIGNATURE file
as the signed portion. (CVE-2015-3406)

John Lightsey discovered that Module::Signature incorrectly handled files
that were not listed in the SIGNATURE file. A remote attacker could use
this flaw to execute arbitrary code when tests were run. (CVE-2015-3407)

John Lightsey discovered that Module::Signature incorrectly handled
embedded shell commands in the SIGNATURE file. A remote attacker could use
this issue to execute arbitrary code during signature verification.
(CVE-2015-3408)

John Lightsey discovered that Module::Signature incorrectly handled module
loading. A remote attacker could use this issue to execute arbitrary code
during signature verification. (CVE-2015-3409)
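The four issues above come down to trusting the wrong parts of a SIGNATURE file: text outside the signed block, a digest-algorithm token that gets turned into code to load, and a file tree that is allowed to contain things the manifest never mentions. The following is an added example, written in Python rather than Perl and not Module::Signature's own code, of how a checker keeps those three things straight. It assumes the CPAN convention of one "ALGORITHM HEXDIGEST PATH" line per file inside an OpenPGP cleartext-signed block; the cryptographic verification of that block is gpg's job and is not performed here, and the sample distribution, its file contents and the placeholder signature armor are all constructed for the example.

```python
"""Check a constructed CPAN-style distribution against its SIGNATURE file.

Added example, not Module::Signature's code. Assumes the CPAN manifest
convention inside an OpenPGP cleartext-signed block; gpg is not invoked.
"""
import hashlib
import re

# Digest names the manifest may use, mapped to hashlib names. The token
# read from the file is only ever looked up here, never used to load code.
ALLOWED_DIGESTS = {"SHA1": "sha1", "SHA256": "sha256"}

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
MANIFEST_LINE = re.compile(r"^([A-Z0-9]+) ([0-9a-f]+) (\S+)$")


def extract_signed_text(signature_file):
    """Return exactly the cleartext the OpenPGP signature covers.

    Text before BEGIN PGP SIGNED MESSAGE and after END PGP SIGNATURE is
    unsigned and is discarded, so manifest lines placed there are never trusted.
    """
    lines = signature_file.splitlines()
    starts = [i for i, line in enumerate(lines) if line == BEGIN_SIGNED]
    if len(starts) != 1:
        raise ValueError("expected exactly one signed message block")
    i = starts[0] + 1
    while i < len(lines) and lines[i] != "":   # skip armor headers ("Hash: ...")
        i += 1
    i += 1
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        body.append(lines[i])
        i += 1
    if i == len(lines) or END_SIG not in lines[i:]:
        raise ValueError("signed message has no complete signature block")
    # Undo RFC 4880 dash-escaping of signed lines that begin with "-".
    return "\n".join(ln[2:] if ln.startswith("- ") else ln for ln in body)


def parse_manifest(signed_text):
    """Map each listed path to (hashlib algorithm, expected hex digest)."""
    entries = {}
    for line in signed_text.splitlines():
        if not line.strip():
            continue
        match = MANIFEST_LINE.match(line)
        if not match:
            raise ValueError("malformed manifest line: %r" % line)
        algo, digest, path = match.groups()
        if algo not in ALLOWED_DIGESTS:
            raise ValueError("unsupported digest algorithm %r" % algo)
        if path in entries:
            raise ValueError("duplicate entry for %s" % path)
        entries[path] = (ALLOWED_DIGESTS[algo], digest)
    return entries


def check_tree(entries, files):
    """Compare a file tree (path -> bytes) with the manifest.

    Every listed file must be present with the right digest, and every
    file present (other than SIGNATURE itself) must be listed.
    """
    problems = []
    for path, (algo, expected) in entries.items():
        if path not in files:
            problems.append("missing: " + path)
        elif hashlib.new(algo, files[path]).hexdigest() != expected:
            problems.append("digest mismatch: " + path)
    for path in files:
        if path != "SIGNATURE" and path not in entries:
            problems.append("unlisted file: " + path)
    return problems


def verify(signature_file, files):
    """Return a list of problems; an empty list means the tree checks out."""
    try:
        return check_tree(parse_manifest(extract_signed_text(signature_file)), files)
    except ValueError as err:
        return ["rejected: %s" % err]


def build_signature_file(files, trailer=""):
    """Construct a SIGNATURE file for the sample tree (placeholder signature)."""
    body = "\n".join("SHA256 %s %s" % (hashlib.sha256(data).hexdigest(), path)
                     for path, data in sorted(files.items()))
    return ("Constructed example SIGNATURE file.\n%s\nHash: SHA256\n\n%s\n"
            "%s\nVersion: example\n\nAAAA\n%s\n%s"
            % (BEGIN_SIGNED, body, BEGIN_SIG, END_SIG, trailer))


# Constructed sample distribution; contents are illustrative only.
SAMPLE_FILES = {"Makefile.PL": b"use ExtUtils::MakeMaker;\n",
                "lib/Foo.pm": b"package Foo;\n1;\n"}

if __name__ == "__main__":
    sig = build_signature_file(SAMPLE_FILES)
    with_extra = dict(SAMPLE_FILES, **{"t/evil.t": b"system('id');\n"})
    # A manifest line appended after the signature block is unsigned and ignored.
    forged = build_signature_file(SAMPLE_FILES, trailer="SHA256 %s t/evil.t\n"
                                  % hashlib.sha256(b"system('id');\n").hexdigest())
    print(verify(sig, SAMPLE_FILES))     # []
    print(verify(sig, with_extra))       # ['unlisted file: t/evil.t']
    print(verify(forged, with_extra))    # ['unlisted file: t/evil.t']
```

The three checks map onto the advisories: extract_signed_text keeps only the region between the armor headers and the signature block, so a line smuggled in after END PGP SIGNATURE never reaches the manifest; parse_manifest treats the algorithm token as a key into an allowlist instead of a module name; and check_tree fails on any file the manifest does not list, not only on listed files whose digest is wrong.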

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu (vivid):
  • libmodule-signature-perl 0.73-1ubuntu0.15.04.1
Ubuntu 14.10:
  • libmodule-signature-perl 0.73-1ubuntu0.14.10.1
Ubuntu 14.04 LTS:
  • libmodule-signature-perl 0.73-1ubuntu0.14.04.1
Ubuntu 12.04 LTS:
  • libmodule-signature-perl 0.68-1ubuntu0.12.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-3406, CVE-2015-3407, CVE-2015-3408, CVE-2015-3409

Adobe Releases Security Updates for Flash Player, Reader, and Acrobat

Original release date: May 12, 2015

Adobe has released security updates to address multiple vulnerabilities in Flash Player, Reader, and Acrobat. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review Adobe Security Bulletins APSB15-09 and APSB15-10 and apply the necessary updates.


CVE-2015-3978

SAP Sybase Unwired Platform Online Data Proxy allows local users to obtain usernames and passwords via the DataVault, aka SAP Security Note 2094830.

CVE-2015-3979

Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534.

CVE-2015-3980

SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534.