RHSA-2015:1023-1: Important: chromium-browser security update

Red Hat Enterprise Linux: Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2015-1251, CVE-2015-1252, CVE-2015-1253, CVE-2015-1254, CVE-2015-1255, CVE-2015-1256, CVE-2015-1257, CVE-2015-1258, CVE-2015-1259, CVE-2015-1260, CVE-2015-1261, CVE-2015-1262, CVE-2015-1263, CVE-2015-1264, CVE-2015-1265

CVE-2015-1008

SQL injection vulnerability in Emerson AMS Device Manager before 13 allows remote authenticated users to gain privileges via malformed input.

CVE-2015-1013

OSIsoft PI AF 2.6 and 2.7 and PI SQL for AF 2.1.2.19 do not ensure that the PI SQL (AF) Trusted Users group lacks the Everyone account, which allows remote authenticated users to bypass intended command restrictions via SQL statements.

USN-2621-1: PostgreSQL vulnerabilities

Ubuntu Security Notice USN-2621-1

25th May, 2015

postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in PostgreSQL.

Software description

  • postgresql-9.1
    – Object-relational SQL database

  • postgresql-9.3
    – Object-relational SQL database

  • postgresql-9.4
    – Object-relational SQL database

Details

Benkocs Norbert Attila discovered that PostgreSQL incorrectly handled
authentication timeouts. A remote attacker could use this flaw to cause the
unauthenticated session to crash, possibly leading to a security issue.
(CVE-2015-3165)

Noah Misch discovered that PostgreSQL incorrectly handled certain standard
library function return values, possibly leading to security issues.
(CVE-2015-3166)

Noah Misch discovered that the pgcrypto function could return different
error messages when decrypting using an incorrect key, possibly leading to
a security issue. (CVE-2015-3167)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  • postgresql-9.4 (9.4.2-0ubuntu0.15.04)

Ubuntu 14.10:
  • postgresql-9.4 (9.4.2-0ubuntu0.14.10)

Ubuntu 14.04 LTS:
  • postgresql-9.3 (9.3.7-0ubuntu0.14.04)

Ubuntu 12.04 LTS:
  • postgresql-9.1 (9.1.16-0ubuntu0.12.04)

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

CVE-2015-3165, CVE-2015-3166, CVE-2015-3167

CVE-2014-8146

The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.

CVE-2014-8147

The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.