Monthly Archives: October 2015

Ubuntu

USN-2771-1: Click vulnerability

Ubuntu Security Notice USN-2771-1

15th October, 2015

click vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS

Summary

Click could be made to allow malicious apps unintended access to the
system.

Software description

  • click
    – Click package manager

Details

It was discovered that click did not properly perform input sanitization
during click package installation. If a user were tricked into installing a
crafted click package, a remote attacker could exploit this to escalate
privileges by tricking click into installing lenient security policy for
the installed application.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
python3-click

0.4.38.5ubuntu0.2
Ubuntu 14.04 LTS:
python3-click

0.4.21.1ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes. A
corresponding update will be provided to Ubuntu Phone users soon.

For more information, please see:
https://insights.ubuntu.com/2015/10/15/update-on-ubuntu-phone-security-issue/

References

LP: 1506467

Full Disclosure

Qualys Security Advisory – LibreSSL (CVE-2015-5333 and CVE-2015-5334)

Posted by Qualys Security Advisory on Oct 15

Qualys Security Advisory

LibreSSL (CVE-2015-5333 and CVE-2015-5334)

========================================================================
Contents
========================================================================

Summary
Memory Leak (CVE-2015-5333)
Buffer Overflow (CVE-2015-5334)
Acknowledgments

========================================================================
Summary…

NVD

CVE-2013-7445

The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.

NVD

CVE-2015-5660

Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

NVD

CVE-2015-6003

Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

NVD

CVE-2015-6333

Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

NVD

CVE-2015-6334

Cisco ASR 5000 and 5500 devices with software 18.0.0.57828 and 19.0.M0.61045 allow remote attackers to cause a denial of service (vpnmgr process restart) via a crafted header in a TACACS packet, aka Bug ID CSCuw01984.