Monthly Archives: June 2015

CentOS

CEBA-2015:1126 CentOS 7 tzdata BugFix Update

CentOS Errata and Bugfix Advisory 2015:1126 

Upstream details at : https://rhn.redhat.com/errata/RHBA-2015-1126.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
32585e406a8ae6756b86471181de5cc981b47753d4e14498710e4e0551803137  tzdata-2015e-1.el7.noarch.rpm
bed298646c5eeb57904c8b16e9b40211f9b299ff0eb02c3239cbc4dc2f8a6fcd  tzdata-java-2015e-1.el7.noarch.rpm

Source:
a76b3b67db303982dc1463f3c98c7804a50d7f85de603d5661463e090eec3d07  tzdata-2015e-1.el7.src.rpm
Security

Adobe Flash Player ShaderJob Buffer Overflow

This Metasploit module exploits a buffer overflow vulnerability related to the ShaderJob workings on Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the same Bitmap object as src and destination of the ShaderJob. Modifying the “width” attribute of the ShaderJob after starting the job it’s possible to create a buffer overflow condition where the size of the destination buffer and the length of the copy are controlled.

CentOS

CEBA-2015:1126 CentOS 5 tzdata BugFix Update

CentOS Errata and Bugfix Advisory 2015:1126 

Upstream details at : https://rhn.redhat.com/errata/RHBA-2015-1126.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
596bab75c1ac6771017d5f5deefcd0967892b27c1577cefa63a7c2d616127037  tzdata-2015e-1.el5.i386.rpm
203a043348758e453bf969be803f5a45e20875b6fc661e29633908a890e30a0c  tzdata-java-2015e-1.el5.i386.rpm

x86_64:
e18dde468c80fb05660b9dc775b0fbeac72bfe6229eeddfaad9079c13593007d  tzdata-2015e-1.el5.x86_64.rpm
dfdfc2943f4895c1f442790e3c6eec1c06ac6bf9333ebb832d30a2955aa9a5ea  tzdata-java-2015e-1.el5.x86_64.rpm

Source:
c30989e8b0906552c9110b5c45e5f66d6a2a59b0da6becb1822d96f7651162f8  tzdata-2015e-1.el5.src.rpm
CentOS

CEBA-2015:1126 CentOS 6 tzdata BugFix Update

CentOS Errata and Bugfix Advisory 2015:1126 

Upstream details at : https://rhn.redhat.com/errata/RHBA-2015-1126.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
996e33c46ec463508d62e2bac1e1c8a442dece2181ac718a03569c9cb5b959af  tzdata-2015e-1.el6.noarch.rpm
50443711d1630b44ad0d8a70b12eb7c063dc0d02be1d000107bd6dd8935d130d  tzdata-java-2015e-1.el6.noarch.rpm

x86_64:
996e33c46ec463508d62e2bac1e1c8a442dece2181ac718a03569c9cb5b959af  tzdata-2015e-1.el6.noarch.rpm
50443711d1630b44ad0d8a70b12eb7c063dc0d02be1d000107bd6dd8935d130d  tzdata-java-2015e-1.el6.noarch.rpm

Source:
3b368a691a92d168489832b3eef13c18252247846a05a916adf76e00adad3a22  tzdata-2015e-1.el6.src.rpm
Security

Debian Security Advisory 3292-1

Debian Linux Security Advisory 3292-1 – Bastian Blank from credativ discovered that cinder, a storage-as-a-service system for the OpenStack cloud computing suite, contained a bug that would allow an authenticated user to read any file from the cinder server.

Security

Duo Push Timing Attack

Duo push authentications are susceptible to a low-profile timing-based attack that permits an intruder to steal an authenticated session from an end-user accessing Duo-protected resources. Specifically, when multiple push notifications arrive simultaneously (or nearly so), only the final one is shown to the user. When the user authenticates that notification, only the corresponding session will actually be authenticated. If an attacker can initiate an equivalent connection slightly after the client?s session, then the user will typically authorize the malicious session rather than his or her own. Configurations affected include Duo Security Authentication Proxy version 2.4.8 and Duo Win Login version 1.1.8.