Red Hat Enterprise Linux: An updated ovirt-hosted-engine-ha package is now available.
Monthly Archives: December 2015
RHBA-2015:2526-1: ovirt-node bug fix and enhancement update for RHEV 3.5.6
Red Hat Enterprise Linux: Updated ovirt-node packages that fix several bugs and add various enhancements are now available.
RHSA-2015:2542-1: Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 jboss-ec2-eap update
Red Hat Enterprise Linux: Updated jboss-ec2-eap packages that fix two security issues and several bugs, and add various enhancements, are now available for Red Hat JBoss Enterprise Application Platform 6.4.4 on Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
CVE-2015-5304, CVE-2015-7501
RHSA-2015:2539-1: Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update
Red Hat Enterprise Linux: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.5, fix two security issues and several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
CVE-2015-5304, CVE-2015-7501
RHSA-2015:2538-1: Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update
Red Hat Enterprise Linux: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.5, fix two security issues and several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.
Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
CVE-2015-5304, CVE-2015-7501
USN-2823-1: Linux kernel vulnerabilities
Ubuntu Security Notice USN-2823-1
1st December, 2015
linux vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux – Linux kernel
Details
It was discovered that the SCTP protocol implementation in the Linux kernel performed an incorrect sequence of protocol-initialization steps. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-5283)
Dmitry Vyukov discovered that the Linux kernel’s keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2015-7872)
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 14.04 LTS:
  - linux-image-3.13.0-71-powerpc64-emb 3.13.0-71.114
  - linux-image-3.13.0-71-powerpc-e500 3.13.0-71.114
  - linux-image-3.13.0-71-generic 3.13.0-71.114
  - linux-image-3.13.0-71-lowlatency 3.13.0-71.114
  - linux-image-3.13.0-71-powerpc64-smp 3.13.0-71.114
  - linux-image-3.13.0-71-powerpc-smp 3.13.0-71.114
  - linux-image-3.13.0-71-powerpc-e500mc 3.13.0-71.114
  - linux-image-3.13.0-71-generic-lpae 3.13.0-71.114
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. If you use linux-restricted-modules, you have to update that package as well to get modules which work with the new kernel version. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-server, linux-powerpc), a standard system upgrade will automatically perform this as well.
USN-2824-1: Linux kernel (Utopic HWE) vulnerability
Ubuntu Security Notice USN-2824-1
1st December, 2015
linux-lts-utopic vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary
The system could be made to crash under certain conditions.
Software description
- linux-lts-utopic – Linux hardware enablement kernel from Utopic
Details
Dmitry Vyukov discovered that the Linux kernel’s keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash).
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 14.04 LTS:
  - linux-image-3.16.0-55-powerpc64-smp 3.16.0-55.74~14.04.1
  - linux-image-3.16.0-55-lowlatency 3.16.0-55.74~14.04.1
  - linux-image-3.16.0-55-generic 3.16.0-55.74~14.04.1
  - linux-image-3.16.0-55-generic-lpae 3.16.0-55.74~14.04.1
  - linux-image-3.16.0-55-powerpc-e500mc 3.16.0-55.74~14.04.1
  - linux-image-3.16.0-55-powerpc64-emb 3.16.0-55.74~14.04.1
  - linux-image-3.16.0-55-powerpc-smp 3.16.0-55.74~14.04.1
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. If you use linux-restricted-modules, you have to update that package as well to get modules which work with the new kernel version. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-server, linux-powerpc), a standard system upgrade will automatically perform this as well.
Token Insert Entity – Moderately Critical – Access bypass and information disclosure – SA-CONTRIB-2015-171
- Advisory ID: DRUPAL-SA-CONTRIB-2015-171
- Project: Token Insert Entity (third-party module)
- Version: 7.x
- Date: 2015-December-02
- Security risk: 10/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
- Vulnerability: Access bypass, Information Disclosure
Description
This module offers a WYSIWYG button to embed rendered entities in fields using a WYSIWYG (normally the body of a node).
The vulnerability arises because a user who can create or edit content and holds the “insert entity token” permission can insert tokens referring to, for example, an unpublished node, so that any user (including anonymous users) can see that node rendered inside the main node.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Token Insert Entity 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Token Insert Entity module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Token Insert Entity module for Drupal 7.x, upgrade to Token Insert Entity 7.x-1.1
Also see the Token Insert Entity project page.
Reported by
- killes of the Drupal Security Team
Fixed by
- Juampy NR the module maintainer
Coordinated by
- Peter Wolanin of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Cisco Patches WebEx App for Android, Warns of Unpatched Flaws
Cisco patched its WebEx mobile app for Android, and published advisories warning of vulnerabilities in three other products.
Apache Solr Search – Moderately Critical – Access Bypass – SA-CONTRIB-2015-170
- Advisory ID: DRUPAL-SA-CONTRIB-2015-170
- Project: Apache Solr Search (third-party module)
- Version: 6.x, 7.x
- Date: 2015-December-02
- Security risk: 13/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Proof/TD:Default
- Vulnerability: Access bypass
Description
This module enables you to connect to an Apache Solr search server as a replacement for Drupal core content search, providing both extra features and better search performance and relevance.
The module doesn’t correctly check access when attempting to delete non-default search environments.
This vulnerability is mitigated by the fact that the site must have a non-default environment configured and an attacker must discover the ID of that environment.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Apache Solr Search 6.x-3.x versions prior to 6.x-3.1.
- Apache Solr Search 7.x-1.x versions prior to 7.x-1.8.
Drupal core is not affected. If you do not use the contributed Apache Solr Search module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Apache Solr Search module for Drupal 6.x, upgrade to Apache Solr Search 6.x-3.1
- If you use the Apache Solr Search module for Drupal 7.x, upgrade to Apache Solr Search 7.x-1.8
Also see the Apache Solr Search project page.
Reported by
Fixed by
- Dave Reid of the Drupal Security Team
Coordinated by
- Peter Wolanin of the Drupal Security Team, and a module maintainer
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity