OpenSSL has released updates patching four vulnerabilities. Exploitation of one of these vulnerabilities could allow an attacker to cause a cause a Denial of Service condition. Updates available include:
OpenSSL 1.0.2e for 1.0.2 users
OpenSSL 1.0.1q for 1.0.1 users
OpenSSL 1.0.0t for 1.0.0 users
OpenSSL 0.9.8zh for 0.9.8 users
Users and administrators are encouraged to review the OpenSSL Security Advisory and apply the necessary updates.
The Internal Revenue Service (IRS) has released the second in a series of tips intended to increase public awareness of how to protect personal and financial data online and at home. A new tip will be available each Monday through the start of the tax season in January, and will continue through the April tax deadline. US-CERT and the IRS recommend taxpayers prepare for heightened risk this tax season and remain vigilant year-round.
The second tip focuses on awareness of phishing attempts and prevention of malware infection when conducting business online. US-CERT encourages users and administrators to review IRS Security Awareness Tax Tip Number 2 for additional information.
OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.
EMC NetWorker contains a denial of service vulnerability that is caused by incorrect handling of malformed messages. A malicious user can construct and use malformed messages as a part of RPC authentication attempt, which can result in denial of service from critical NetWorker processes. Versions affected include 8.0.4.5 or later, 8.1.3.6 or later, 8.2.2.2 or later, and 9.0 Build 407 or higher.
Banner Student suffers from cross site scripting, information disclosure, user enumeration, and open redirect vulnerabilities. Versions affected range through 8.5.1.2 to 8.7.
A major data breach at the OPM in June was the result of cybercriminal activity that had nothing to do with state-sponsored cybercrime, China has disclosed.
Ubuntu Security Notice 2828-1 – Jason Wang discovered that QEMU incorrectly handled the virtio-net device. A remote attacker could use this issue to cause guest network consumption, resulting in a denial of service. Qinghao Tang and Ling Liu discovered that QEMU incorrectly handled the pcnet driver when used in loopback mode. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. Various other issues were also addressed.
Debian Linux Security Advisory 3411-1 – Michal Kowalczyk discovered that missing input sanitizing in the foomatic-rip print filter might result in the execution of arbitrary commands.
Ubuntu Security Notice 2826-1 – It was discovered that the SCTP protocol implementation in the Linux kernel performed an incorrect sequence of protocol-initialization steps. A local attacker could use this to cause a denial of service (system crash). Dmitry Vyukov discovered that the Linux kernel’s keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash). Various other issues were also addressed.
