Red Hat Security Advisory 2015-1918-01

Red Hat Security Advisory 2015-1918-01 – Red Hat Gluster Storage is a software-only scale-out storage solution that provides flexible and affordable unstructured data storage. It unifies data storage and infrastructure, increases performance, and improves availability and manageability to meet enterprise-level storage challenges. Red Hat Gluster Storage’s Unified File and Object Storage is built on OpenStack’s Object Storage. A flaw was found in the way swiftonfile serialized and stored metadata on disk by using Python’s pickle module. A remote, authenticated user could use this flaw to execute arbitrary code on the storage node.

Ubuntu Security Notice USN-2778-1

Ubuntu Security Notice 2778-1 – It was discovered that the Linux kernel did not check if a new IPv6 MTU set by a user space application was valid. A remote attacker could forge a route advertisement with an invalid MTU that a user space daemon like NetworkManager would honor and apply to the kernel, causing a denial of service. It was discovered that virtio networking in the Linux kernel did not handle fragments correctly, leading to kernel memory corruption. A remote attacker could use this to cause a denial of service (system crash) or possibly execute code with administrative privileges. Various other issues were also addressed.

Ubuntu Security Notice USN-2770-1

Ubuntu Security Notice 2770-1 – It was discovered that ContainerNode::parserInsertBefore in Blink would incorrectly proceed with a DOM tree insertion in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same origin restrictions. A use-after-free was discovered in the service worker implementation in Chromium. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking the program. Various other issues were also addressed.

Ubuntu Security Notice USN-2774-1

Ubuntu Security Notice 2774-1 – It was discovered that virtio networking in the Linux kernel did not handle fragments correctly, leading to kernel memory corruption. A remote attacker could use this to cause a denial of service (system crash) or possibly execute code with administrative privileges. It was discovered that the Reliable Datagram Sockets (RDS) implementation in the Linux kernel did not verify sockets were properly bound before attempting to send a message, which could cause a NULL pointer dereference. An attacker could use this to cause a denial of service (system crash). Various other issues were also addressed.

Red Hat Security Advisory 2015-1917-01

Red Hat Security Advisory 2015-1917-01 – libwmf is a library for reading and converting Windows Metafile Format vector graphics. libwmf is used by applications such as GIMP and ImageMagick. It was discovered that libwmf did not correctly process certain WMF with embedded BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application.

Ubuntu Security Notice USN-2777-1

Ubuntu Security Notice 2777-1 – It was discovered that virtio networking in the Linux kernel did not handle fragments correctly, leading to kernel memory corruption. A remote attacker could use this to cause a denial of service (system crash) or possibly execute code with administrative privileges. Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. Various other issues were also addressed.

Ubuntu Security Notice USN-2773-1

Ubuntu Security Notice 2773-1 – It was discovered that virtio networking in the Linux kernel did not handle fragments correctly, leading to kernel memory corruption. A remote attacker could use this to cause a denial of service (system crash) or possibly execute code with administrative privileges. It was discovered that the Reliable Datagram Sockets (RDS) implementation in the Linux kernel did not verify sockets were properly bound before attempting to send a message, which could cause a NULL pointer dereference. An attacker could use this to cause a denial of service (system crash). Various other issues were also addressed.

CESA-2015:1917 Important CentOS 7 libwmf Security Update

CentOS Errata and Security Advisory 2015:1917 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1917.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
5ed570d4fde8b82a8afa9e80f583c4e7b13a97082a5db055f8be2090e93715f1  libwmf-0.2.8.4-41.el7_1.i686.rpm
b1c055db91f3bffa284bd70320e160b1ca033d6583fc9c7277add1320c5cbf6c  libwmf-0.2.8.4-41.el7_1.x86_64.rpm
162311177b047ae561d7ad8582aeb133d495cde220d98148b845d6f95ffdccb7  libwmf-devel-0.2.8.4-41.el7_1.i686.rpm
a30366fb0ea3038edbd37fbf1c5af6dbf8aa916b2a0f44c3688eb0a7483fe277  libwmf-devel-0.2.8.4-41.el7_1.x86_64.rpm
28902aad9e43c2180326989bdfdf97cce6c9e9ea6ddcd7ec8bcb199dd1af5b8f  libwmf-lite-0.2.8.4-41.el7_1.i686.rpm
e885f66e6535eac38beee7735af25fc953add506f2cbd11bc4d9e6c6c93b0df2  libwmf-lite-0.2.8.4-41.el7_1.x86_64.rpm

Source:
13e0550e1860c4c2e933933fe633c8c9cb23c2fe8891557dbc1a0d846d08c3cd  libwmf-0.2.8.4-41.el7_1.src.rpm