Posted by Scott Arciszewski on Aug 12
Hi Tom, FD readers,
The bug you are referring to was fixed in PHP 5.3.7; this can be
solved by checking the PHP version and/or by not supporting older and
insecure versions of PHP.
See random_compat for how this should be done:
https://github.com/paragonie/random_compat/blob/master/lib/random.php#L53
Let’s quantify these numbers:
* mt_rand()
* Predictable, only up to 31 bits of entropy in the possible seed values
*…
Thomson Reuters FATCA versions below 5.2 suffer from a local file inclusion vulnerability.
Researchers have identified a handful of vulnerabilities present in three different plugins used by the content management system WordPress.
Resolved Bugs
1169700 – CVE-2014-9028 CVE-2014-8962 xmms-flac: various flaws [fedora-all]
1167236 – CVE-2014-8962 flac: Buffer read overflow when processing ID3V2 metadata
1167741 – CVE-2014-9028 flac: Heap buffer write overflow in read_residual_partitioned_rice_<br
Update flac to fix security issue in xmms-flac plugin (previously an independent subpackage that was out of date).
Resolved Bugs
1230536 – CVE-2015-3209 qemu: pcnet: multi-tmd buffer overflow in the tx path [fedora-all]
1225882 – CVE-2015-3209 qemu: pcnet: multi-tmd buffer overflow in the tx path
1243728 – CVE-2015-3214 qemu: qemu/kvm: i8254: out-of-bounds memory access in pit_ioport_read function [fedora-all]
1229640 – CVE-2015-3214 qemu/kvm: i8254: out-of-bounds memory access in pit_ioport_read function
1246025 – CVE-2015-5158 Qemu: scsi stack buffer overflow [fedora-all]
1244332 – CVE-2015-5158 Qemu: scsi stack buffer overflow
1247141 – CVE-2015-5154 qemu: ide: atapi: heap overflow during I/O buffer memory access [fedora-all]
1243563 – CVE-2015-5154 qemu: ide: atapi: heap overflow during I/O buffer memory access
1249755 – CVE-2015-5165 Qemu: rtl8139 uninitialized heap memory information leakage to guest [fedora-all]
1248760 – CVE-2015-5165 Qemu: rtl8139 uninitialized heap memory information leakage to guest (XSA-140)
1249758 – CVE-2015-5166 Qemu: BlockBackend object use after free issue [fedora-all]
1248997 – CVE-2015-5166 Qemu: BlockBackend object use after free issue (XSA-139)
1251160 – CVE-2015-5745 qemu: kernel: qemu buffer overflow in virtio-serial [fedora-all]
1251157 – CVE-2015-5745 kernel: qemu buffer overflow in virtio-serial<br
* Rebased to version 2.4.0
* Support for virtio-gpu, 2D only
* Support for virtio-based keyboard/mouse/tablet emulation
* x86 support for memory hot-unplug
* ACPI v5.1 table support for ‘virt’ board
* CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz #1230536)
* CVE-2015-3214: i8254: out-of-bounds memory access (bz #1243728)
* CVE-2015-5158: scsi stack buffer overflow (bz #1246025)
* CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access (bz #1247141)
* CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest (bz #1249755)
* CVE-2015-5166: BlockBackend object use after free issue (bz #1249758)
* CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160)
Resolved Bugs
1251749 – Use-after-free bug in Decoder.cpp<br
Backport upstream fixes: Use-after-free bug in Decoder.cpp
Resolved Bugs
1253250 – CVE-2015-5161 php-ZendFramework: XML external entity injection (XXE) on PHP FPM
1253252 – CVE-2015-5161 php-ZendFramework2: php-ZendFramework: XML external entity injection (XXE) on PHP FPM [fedora-all]<br
Zend Framework Upstream ChangeLog:
* [Version 2.4.7](http://framework.zend.com/changelog/2.4.7/)
* [Version 2.4.6](http://framework.zend.com/changelog/2.4.6/)
* [Version 2.4.5](http://framework.zend.com/changelog/2.4.5/)
* [Version 2.4.4](http://framework.zend.com/changelog/2.4.4/)
* [Version 2.4.3](http://framework.zend.com/changelog/2.4.3/)
* [Version 2.4.2](http://framework.zend.com/changelog/2.4.2/)
* [Version 2.4.1](http://framework.zend.com/changelog/2.4.1/)
* [Version 2.4.0](http://framework.zend.com/changelog/2.4.0/)
For list of changes see: https://www.mozilla.org/en-US/firefox/40.0/releasenotes/
Resolved Bugs
1250020 – gnutls_x509_privkey_import can no longer import some private keys
1251875 – gnutls: add support for fallback SCSV
1251904 – gnutls: double free flaw in certificate DN decoding (GNUTLS-SA-2015-3) [fedora-all]
1251902 – gnutls: double free flaw in certificate DN decoding (GNUTLS-SA-2015-3)<br
new upstream release
Debian Linux Security Advisory 3333-1 – Multiple security issues have been found in Iceweasel, Debian’s version integer overflows, buffer overflows, use-after-frees and other implementation errors may lead to the execution of arbitrary code, bypass of the same-origin policy or denial of service.