Red Hat Security Advisory 2015-2023-01 – The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin APSB15-28 listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content.
Monthly Archives: November 2015
Google drops Chrome support for old operating systems
Are you still running an old PC operating system like Windows XP or Vista?
There are some risks running an unsupported operating system — the biggest is falling behind with security updates and fixes.
As years roll by it’s necessary for companies to “deprecate” (a fancy way of saying “make obsolete”) older versions of their software. This becomes necessary because it’s hard coordinating and supporting many different versions.
Google has announced that from April 2016 they will no longer be supporting their popular Chrome web browser for certain older operating systems.
The operating systems affected are:
- Windows XP
- Windows Vista
- Mac OS X 10.6 (Snow Leopard)
- Mac OS X 10.7 (Lion)
- Mac OS X 10.8 (Mountain Lion)
How does this affect me?
Chrome will continue to work on the operating systems mentioned above, but will no longer receive updates and security fixes.
If you continue to use an old operating system, and software that is no longer supported, then you will likely be more vulnerable to new and emerging security threats.
What can I do?
To avoid vulnerabilities and the risk of infection from malware and viruses, we recommend that you always keep your operating system and all your software up-to-date.
Consider upgrading your operating system where possible for the best protection and productivity, and if this means upgrading your old computer, it may well be worth exploring. Think about it, the cost of data loss from a security breach could be costlier than the price of new hardware.
And while you’re at it, installing an effective antivirus and security suite is worth it for peace of mind — PC users can download AVG AntiVirus Free, and Mac users can download our free AVG AntiVirus for Mac.
Microsoft .NET Framework XSS / Privilege Escalation
Microsoft .NET Framework suffers from cross site scripting and elevation of privilege vulnerabilities.
Checkpoint Cross Site Scripting
Multiple Checkpoint.com subdomains suffered from cross site scripting vulnerabilities.
CEBA-2015:2025 CentOS 5 kernel BugFix Update
CentOS Errata and Bugfix Advisory 2015:2025

Upstream details at: https://rhn.redhat.com/errata/RHBA-2015-2025.html

The following updated files have been uploaded and are currently syncing to the mirrors: (sha256sum Filename)

i386:
887770aa4046fa2f6af649c22c12f61316e1382c5f2322d8217c5bae1f6e74cd kernel-2.6.18-407.el5.i686.rpm
077cc52dfd7b1048b2113f9b57294561b2aa6c396d236102f6b370365820182a kernel-debug-2.6.18-407.el5.i686.rpm
c4fbd75c5eee98ebacf3a734982c6a0f4d270b594a03e68349bfda60d17faab6 kernel-debug-devel-2.6.18-407.el5.i686.rpm
d720b06557dedb9d446ad44070b15317591af32ca3a9fa994a6a851fd74b9906 kernel-devel-2.6.18-407.el5.i686.rpm
928882e71d6eac010f5a24adb610a4896408ad655cd911d523985d0f3a8c7970 kernel-doc-2.6.18-407.el5.noarch.rpm
3d7fbf63fed6328af8b13c72902bb28c82325054f29cb7d5563261d2deaecf23 kernel-headers-2.6.18-407.el5.i386.rpm
01a18d1efd8b80502ae6c8db700a9778e12e211a07509f3e6e53e6a149b02baa kernel-PAE-2.6.18-407.el5.i686.rpm
a0cf66b4bfa4c26b12fb2a61d9618298b7afb7d11ef6bbcad7a782844abbcfdd kernel-PAE-devel-2.6.18-407.el5.i686.rpm
9b853120d30a0c190573e309b08d7de6a98ef4b80f0a0da7b344d68eb5d8f87b kernel-xen-2.6.18-407.el5.i686.rpm
d820bc62dddc6cbf3904023ae22158867bf51e28d342273beab69d757cfee01d kernel-xen-devel-2.6.18-407.el5.i686.rpm

x86_64:
f16ee14d40775c7a309b09c8f9feb406ea07d996ddc362e010d52ab00cfd2ac0 kernel-2.6.18-407.el5.x86_64.rpm
380e137458d82272c8b2579019bee46ebbd12c8fd4471f64120a93eee29059df kernel-debug-2.6.18-407.el5.x86_64.rpm
e47d6f3764cabfdb6ab1468ef34db663f2eb1fc47cc2d0c4cbf93fcc8d483b49 kernel-debug-devel-2.6.18-407.el5.x86_64.rpm
9d6d0fda814a9f4b9d9fc9114ec5c996df9c74de28dd54f0416f10acb46b4651 kernel-devel-2.6.18-407.el5.x86_64.rpm
928882e71d6eac010f5a24adb610a4896408ad655cd911d523985d0f3a8c7970 kernel-doc-2.6.18-407.el5.noarch.rpm
cabbcb6db7f8aa1d5314f3296222ac5305771d1e7e534385deb01c442610fd03 kernel-headers-2.6.18-407.el5.x86_64.rpm
49494290b6d1b8a3ec1350642b69d8c7e85a29c24b6fbe7c63729728d5221560 kernel-xen-2.6.18-407.el5.x86_64.rpm
c3d17a1d6f9ae7f40f452141e43eecc4ff8fc698b3a392353a644d14f9f89cdc kernel-xen-devel-2.6.18-407.el5.x86_64.rpm

Source:
bbeccf0d9031a2205c8fcf2920db2380d977f4088fee15b489841056dec4001a kernel-2.6.18-407.el5.src.rpm
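The announcement publishes one sha256 per file so that a download from a mirror can be checked against what the CentOS project actually signed off on. As an added example (not part of the CentOS announcement or its tooling), the POSIX shell script below takes a checksum list in the announcement's layout and verifies whichever of the listed RPMs are present in a download directory, skipping the ones for architectures you did not fetch. The manifest file name, the package names and the package contents used in the demonstration are constructed for the example.

```shell
#!/bin/sh
# Verify downloaded update RPMs against the "sha256sum Filename" pairs
# published in a CentOS errata announcement.
# Added example; not part of the CentOS announcement or its tooling.
# Assumed manifest format: the announcement text saved to a file, one
# "<sha256> <filename>" pair per line, with "i386:", "x86_64:" and
# "Source:" headers on lines of their own.

# verify_rpms MANIFEST DIR
# Checks every listed file that exists in DIR. Returns 0 only when at least
# one file was checked and all of them matched; files for architectures
# that were not downloaded are skipped, not failed.
verify_rpms() {
    manifest=$1
    dir=$2
    checked=0
    failed=0
    while read -r expected name; do
        # Skip blank lines and the per-architecture header lines.
        case "$expected" in
            '' | *:) continue ;;
        esac
        file="$dir/$name"
        [ -f "$file" ] || continue
        checked=$((checked + 1))
        actual=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK    $name"
        else
            echo "FAIL  $name"
            echo "      expected $expected"
            echo "      actual   $actual"
            failed=$((failed + 1))
        fi
    done < "$manifest"
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Stand-alone demonstration with a constructed file standing in for an RPM:
# write a manifest in the announcement's format, verify, then tamper with
# the file and show the check failing. The package names are made up.
demo_checksums() {
    tmp=$(mktemp -d)
    pkg=example-1.0-1.el5.x86_64.rpm
    printf 'not a real rpm\n' > "$tmp/$pkg"
    sum=$(sha256sum "$tmp/$pkg" | cut -d' ' -f1)
    {
        echo "x86_64:"
        echo "$sum $pkg"
        # A package listed in the announcement but not downloaded: skipped.
        echo "0000000000000000000000000000000000000000000000000000000000000000 example-devel-1.0-1.el5.x86_64.rpm"
    } > "$tmp/manifest"
    verify_rpms "$tmp/manifest" "$tmp" && echo "intact download: accepted"
    printf 'extra bytes\n' >> "$tmp/$pkg"
    verify_rpms "$tmp/manifest" "$tmp" || echo "modified download: rejected"
    rm -rf "$tmp"
}
demo_checksums
```

To use it on a real update, save the announcement text to a file and run verify_rpms with that file and the directory holding the RPMs. A matching sha256 shows that the mirror delivered the bytes the announcement describes; it is a cross-check on the download path, not a substitute for the package signature check that rpm -K (rpm --checksig) performs against the CentOS signing key, which yum does on install when gpgcheck=1.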
Announcing release for Vagrant 1.7.4 on CentOS Linux 7 x86_64 SCL

I am pleased to announce the immediate availability of Vagrant 1.7.4 on CentOS Linux 7 x86_64, delivered via a Software Collection (SCL) built by the SCLo Special Interest Group (https://wiki.centos.org/SpecialInterestGroup/SCLo).

QuickStart
----------

You can get started in three easy steps:

$ sudo yum install centos-release-scl
$ sudo yum install sclo-vagrant1
$ scl enable sclo-vagrant1 bash

At this point you should be able to use vagrant just as a normal application. An example work-flow might be:

$ vagrant init centos/7
$ vagrant up
$ vagrant ssh

In order to view the individual components included in this collection, including additional vagrant plugins, you can run:

$ sudo yum list sclo-vagrant*

About Software Collections
--------------------------

Software Collections give you the power to build, install, and use multiple versions of software on the same system, without affecting system-wide installed packages. Each collection is delivered as a group of RPMs, with the grouping being done using the name of the collection as a prefix of all packages that are part of the software collection.

The collection sclo-vagrant1 delivers the Vagrant tool in version 1.x, which allows you to create and configure virtual development environments. Some of the most common plugins are also included in the collection as RPMs. The sclo-vagrant1 collection relies on the following additional collections, which will also be installed: rh-ruby22, rh-ror41

For more on the Vagrant tool and other plugins, see https://www.vagrantup.com.

The SCLo SIG in CentOS
----------------------

The Software Collections SIG is an open community group co-ordinating the development of the SCL technology, and helping curate a reference set of collections. In addition to the Vagrant collection being released here, we also build and deliver databases, web servers, and language stacks including multiple versions of PostgreSQL, MariaDB, Apache HTTP Server, Ruby, NodeJS, Python and others.

The Software Collections SIG release was announced at https://lists.centos.org/pipermail/centos-announce/2015-October/021446.html

You can learn more about Software Collections concepts at: http://softwarecollections.org/

You can find information on the SIG at https://wiki.centos.org/SpecialInterestGroup/SCLo ; this includes how to get involved and help with the effort.

We meet every Wednesday at 16:00 UTC in #centos-devel (ref: https://www.centos.org/community/calendar), for an informal open forum open to anyone who might have comments, concerns or wants to get started with SCLs in CentOS.

Enjoy!

Honza
SCLo SIG member
Google Releases Security Updates for Chrome and Chrome OS
Original release date: November 11, 2015
Google has released security updates to address vulnerabilities in Chrome and Chrome OS. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected system.
Updates available include:
- Chrome 46.0.2490.86 for Windows, Mac and Linux
- Chrome OS 46.0.2490.82 for all Chrome OS devices
Users and administrators are encouraged to review the Chrome page and Chrome OS page and apply the necessary updates.
UC Profile – Moderately Critical – Information Disclosure – SA-CONTRIB-2015-165
- Advisory ID: DRUPAL-SA-CONTRIB-2015-165
- Project: UC Profile (third-party module)
- Version: 6.x
- Date: 2015-November-11
- Security risk: 11/25 (Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default
- Vulnerability: Information Disclosure
Description
UC Profile module enables you to collect profile fields for users during the checkout process of Ubercart as a checkout pane.
The module doesn’t sufficiently check access to profiles under certain circumstances. Depending on the information being collected, sensitive data may be exposed.
This vulnerability is mitigated by the fact that only sites that store data to the anonymous user’s profile are affected.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- UC Profile 6.x-1.x versions prior to 6.x-1.3
Drupal core is not affected. If you do not use the contributed UC Profile module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the UC Profile module for Drupal 6.x, upgrade to UC Profile 6.x-1.3
Also see the UC Profile project page.
Reported by
Fixed by
- Chris Wells, module maintainer
- Patrick Corbett, module maintainer
Coordinated by
- Pere Orga of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
MAYO theme – Moderately Critical – Cross Site Scripting (XSS) – SA-CONTRIB-2015-164
- Advisory ID: DRUPAL-SA-CONTRIB-2015-164
- Project: MAYO (third-party theme)
- Version: 7.x
- Date: 2015-November-11
- Security risk: 13/25 (Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
- Vulnerability: Cross Site Scripting
Description
MAYO theme enables you to change certain theme settings via the administration interface.
Some theme settings aren’t sufficiently sanitized.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer themes”.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- All MAYO 7.x-2.x versions prior to 7.x-2.6
- All MAYO 7.x-1.x versions prior to 7.x-1.4
Drupal core is not affected. If you do not use the contributed MAYO theme, there is nothing you need to do.
Solution
Install the latest version:
- If you use the MAYO theme for Drupal 7.x-2.x, upgrade to MAYO 7.x-2.6
- If you use the MAYO theme for Drupal 7.x-1.x, upgrade to MAYO 7.x-1.4
Also see the MAYO project page.
Reported by
- Kisugi Ai of the Drupal Security Team
Fixed by
- John Powell the theme maintainer
- Kisugi Ai of the Drupal Security Team
Coordinated by
- Pere Orga of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
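Both advisories above (SA-CONTRIB-2015-165 for UC Profile and SA-CONTRIB-2015-164 for MAYO) state the affected range the same way: every release on a branch before the one named under "Solution". As an added example that is not Drupal Security Team tooling, the POSIX shell script below reads the version line that drupal.org packaging writes into a project's .info file and decides whether the install falls inside such a range, taking one fixed release per affected branch. The .info files in the demonstration are constructed, and the treatment of -dev snapshots and alpha/beta/rc tags is the example's own convention, not anything the advisories specify.

```shell
#!/bin/sh
# Decide whether an installed Drupal contrib project (module or theme) is
# older than the release an advisory names as fixed.
# Added example; not Drupal Security Team tooling. Assumes the project was
# installed from a drupal.org package, so its .info file carries a line
# such as: version = "7.x-2.5"   (git checkouts have no such line).

# info_version INFO_FILE -> prints the version string, or nothing.
info_version() {
    sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr -d '" \r' | head -n 1
}

# is_vulnerable INSTALLED FIXED
# Versions are CORE-MAJOR.MINOR (6.x-1.2). Returns 0 when INSTALLED is on
# the same core and branch as FIXED and predates it, 1 when the line does
# not apply or the install is already fixed, 2 for -dev snapshots, whose
# age cannot be read from the version string.
is_vulnerable() {
    inst=$1
    fixed=$2
    case "$inst" in
        *-dev) return 2 ;;
    esac
    inst_core=${inst%%-*};       fixed_core=${fixed%%-*}
    inst_rel=${inst#*-};         fixed_rel=${fixed#*-}
    inst_major=${inst_rel%%.*};  fixed_major=${fixed_rel%%.*}
    inst_minor=${inst_rel#*.};   fixed_minor=${fixed_rel#*.}
    # A pre-release tag (7.x-2.6-beta1) is older than its final release.
    inst_pre=''
    case "$inst_minor" in
        *-*) inst_pre=${inst_minor#*-}; inst_minor=${inst_minor%%-*} ;;
    esac
    # Different core or branch: this advisory line does not cover it.
    [ "$inst_core" = "$fixed_core" ] || return 1
    [ "$inst_major" = "$fixed_major" ] || return 1
    if [ "$inst_minor" -lt "$fixed_minor" ]; then
        return 0
    elif [ "$inst_minor" -eq "$fixed_minor" ] && [ -n "$inst_pre" ]; then
        return 0
    fi
    return 1
}

# check_project INFO_FILE FIXED_RELEASE...
# One FIXED_RELEASE per affected branch, as listed under "Solution".
# Exit 0 = upgrade needed, 1 = not affected, 2 = cannot tell from .info.
check_project() {
    info=$1
    shift
    v=$(info_version "$info")
    if [ -z "$v" ]; then
        echo "$info: no version line (git checkout?), review manually"
        return 2
    fi
    for fixed in "$@"; do
        rc=0
        is_vulnerable "$v" "$fixed" || rc=$?
        case "$rc" in
            0) echo "$info: $v predates fixed release $fixed, UPGRADE"; return 0 ;;
            2) echo "$info: $v is a -dev snapshot, review manually"; return 2 ;;
        esac
    done
    echo "$info: $v is not in the affected range ($*)"
    return 1
}

# Stand-alone demonstration with constructed .info files, checked against
# the fixed releases named in SA-CONTRIB-2015-165 and SA-CONTRIB-2015-164.
demo_versions() {
    d=$(mktemp -d)
    printf 'name = UC Profile\ncore = 6.x\nversion = "6.x-1.2"\n' > "$d/uc_profile.info"
    printf 'name = MAYO\ncore = 7.x\nversion = "7.x-2.6"\n' > "$d/mayo.info"
    check_project "$d/uc_profile.info" 6.x-1.3 || true
    check_project "$d/mayo.info" 7.x-2.6 7.x-1.4 || true
    rm -rf "$d"
}
demo_versions
```

On a real site, point check_project at sites/all/modules/uc_profile/uc_profile.info (or the theme's .info under sites/all/themes) and pass the fixed releases from the advisory's Solution section, one per branch. A -dev snapshot or a git checkout carries no usable version, so the script reports it for manual review rather than guessing; compare the checkout's commit date against the fix date in that case.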