Monthly Archives: September 2015
CVE-2015-6812 (invision_power_board)
Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.0.12.1 allows remote attackers to cause a denial of service (loop and memory consumption) via a crafted URL.
Hacking Number One Consumer Fear, Others Not Worried: Kaspersky Lab – SC Magazine
VMWorld 2015 Trilogy Tech Talk – Kaspersky Lab Talks Virtualization Security
USN-2731-1: Linux kernel vulnerability
Ubuntu Security Notice USN-2731-1
3rd September, 2015
linux vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 12.04 LTS
Summary
The system could be made to expose sensitive information.
Software description
- linux: Linux kernel
Details
Benjamin Randazzo discovered an information leak in the md (multiple
device) driver when the bitmap_info.file is disabled. A local privileged
attacker could use this to obtain sensitive information from the kernel.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 12.04 LTS:
- linux-image-3.2.0-90-powerpc64-smp  3.2.0-90.128
- linux-image-3.2.0-90-powerpc-smp  3.2.0-90.128
- linux-image-3.2.0-90-generic-pae  3.2.0-90.128
- linux-image-3.2.0-90-virtual  3.2.0-90.128
- linux-image-3.2.0-90-highbank  3.2.0-90.128
- linux-image-3.2.0-90-omap  3.2.0-90.128
- linux-image-3.2.0-90-generic  3.2.0-90.128
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
USN-2732-1: Linux kernel (OMAP4) vulnerability
Ubuntu Security Notice USN-2732-1
3rd September, 2015
linux-ti-omap4 vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 12.04 LTS
Summary
The system could be made to expose sensitive information.
Software description
- linux-ti-omap4: Linux kernel for OMAP4
Details
Benjamin Randazzo discovered an information leak in the md (multiple
device) driver when the bitmap_info.file is disabled. A local privileged
attacker could use this to obtain sensitive information from the kernel.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 12.04 LTS:
- linux-image-3.2.0-1470-omap4  3.2.0-1470.91
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
USN-2733-1: Linux kernel (Trusty HWE) vulnerability
Ubuntu Security Notice USN-2733-1
3rd September, 2015
linux-lts-trusty vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 12.04 LTS
Summary
The system could be made to crash or run programs as an administrator.
Software description
- linux-lts-trusty: Linux hardware enablement kernel from Trusty
Details
It was discovered that an integer overflow error existed in the SCSI
generic (sg) driver in the Linux kernel. A local attacker with write
permission to a SCSI generic device could use this to cause a denial of
service (system crash) or potentially escalate their privileges.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 12.04 LTS:
- linux-image-3.13.0-63-generic  3.13.0-63.104~precise1
- linux-image-3.13.0-63-generic-lpae  3.13.0-63.104~precise1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
USN-2734-1: Linux kernel vulnerability
Ubuntu Security Notice USN-2734-1
3rd September, 2015
linux vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.04 LTS
Summary
The system could be made to crash or run programs as an administrator.
Software description
- linux: Linux kernel
Details
It was discovered that an integer overflow error existed in the SCSI
generic (sg) driver in the Linux kernel. A local attacker with write
permission to a SCSI generic device could use this to cause a denial of
service (system crash) or potentially escalate their privileges.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.04 LTS:
- linux-image-3.13.0-63-powerpc64-emb  3.13.0-63.103
- linux-image-3.13.0-63-lowlatency  3.13.0-63.103
- linux-image-3.13.0-63-generic  3.13.0-63.103
- linux-image-3.13.0-63-generic-lpae  3.13.0-63.103
- linux-image-3.13.0-63-powerpc-e500mc  3.13.0-63.103
- linux-image-3.13.0-63-powerpc-e500  3.13.0-63.103
- linux-image-3.13.0-63-powerpc64-smp  3.13.0-63.103
- linux-image-3.13.0-63-powerpc-smp  3.13.0-63.103
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
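All four notices above give a fixed package version and then point out that nothing changes until the machine is rebooted, so the thing worth checking is the kernel that is actually running, not the package dpkg has on disk. The script below is an added example for this page, not Ubuntu or dpkg code: it reimplements dpkg's version ordering (so the check also runs on a host without `dpkg --compare-versions`, and gets the `~precise1` suffix right, since `~` sorts below everything), then classifies a running kernel against the fixed versions listed in USN-2731-1 to USN-2734-1. It assumes Ubuntu's `/proc/version_signature` has the form `Ubuntu <package version>-<flavour> <upstream version>`; the sample line is constructed, not captured from a host.

```python
"""Check a running Ubuntu kernel against the fixed versions in USN-2731-1 to
USN-2734-1. Added example for this page, not Ubuntu or dpkg code."""
import re

# Fixed versions copied from the notices above: (notice, Ubuntu release,
# pattern over `uname -r`, fixed package version). All flavours in one notice
# ship the same version string.
NOTICES = [
    ("USN-2731-1", "12.04",
     r"3\.2\.0-\d+-(generic|generic-pae|virtual|highbank|omap|powerpc-smp|powerpc64-smp)",
     "3.2.0-90.128"),
    ("USN-2732-1", "12.04", r"3\.2\.0-\d+-omap4", "3.2.0-1470.91"),
    ("USN-2733-1", "12.04", r"3\.13\.0-\d+-(generic|generic-lpae)", "3.13.0-63.104~precise1"),
    ("USN-2734-1", "14.04",
     r"3\.13\.0-\d+-(generic|generic-lpae|lowlatency|powerpc-e500|powerpc-e500mc"
     r"|powerpc-smp|powerpc64-smp|powerpc64-emb)",
     "3.13.0-63.103"),
]

DIGITS = "0123456789"


def _order(c):
    """Character weight as in dpkg: digits and end of string 0, '~' below everything."""
    if not c or c in DIGITS:
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's algorithm: walk both strings in alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:  # the longer digit run is larger
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0


def parse_version_signature(line):
    """Split /proc/version_signature into (package version, flavour).
    Assumed format: 'Ubuntu <pkg-version>-<flavour> <upstream>'."""
    m = re.match(r"Ubuntu (\d+\.\d+\.\d+-\d+\.\d+(?:~[^-\s]+)?)-(\S+)(?:\s|$)", line)
    if not m:
        raise ValueError("unrecognised version_signature: %r" % line)
    return m.group(1), m.group(2)


def uname_r(pkg_version, flavour):
    """Rebuild the `uname -r` string (ABI number, no upload number) from a package version."""
    base, rev = pkg_version.split("-", 1)
    return "%s-%s-%s" % (base, rev.split(".", 1)[0], flavour)


def check_kernel(release, running_uname_r, pkg_version):
    """Return (notice, status); status is 'patched', 'vulnerable' or 'not covered'."""
    for notice, rel, pattern, fixed in NOTICES:
        if rel == release and re.fullmatch(pattern, running_uname_r):
            ok = compare_versions(pkg_version, fixed) >= 0
            return notice, "patched" if ok else "vulnerable"
    return None, "not covered"


if __name__ == "__main__":
    # Constructed sample line, not captured from a real host.
    ver, flavour = parse_version_signature("Ubuntu 3.13.0-62.102-generic 3.13.11-ckt22")
    print(check_kernel("14.04", uname_r(ver, flavour), ver))  # -> ('USN-2734-1', 'vulnerable')
```

On a live host, read the line from `/proc/version_signature` and the release from `lsb_release -rs`; a kernel that is "not covered" is one these four notices do not address (another release or series), not one that is known good.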
DDoS Attacks on the Rise, but Consumers Remain Unaware – IT Business Edge
CVE-2014-9605 (netsweeper)
WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and password parameters to webupgrade/webupgrade.php. NOTE: this was originally reported as an SQL injection vulnerability, but this may be inaccurate.