RHN Satellite and Proxy: Updated cobbler and spacewalk-java packages that fix several bugs are now
available for Red Hat Satellite 5.7.
Monthly Archives: January 2016
RHBA-2016:0022-1: libcanberra bug fix update
Red Hat Enterprise Linux: Updated libcanberra packages that fix two bugs are now available for Red Hat
Enterprise Linux 6.
RHBA-2016:0021-1: freeipmi bug fix update
Red Hat Enterprise Linux: Updated freeipmi packages that fix one bug are now available for Red Hat
Enterprise Linux 6.
RHBA-2016:0020-1: logwatch bug fix update
Red Hat Enterprise Linux: An updated logwatch package that fixes one bug is now available for Red Hat
Enterprise Linux 6.
USN-2860-1: Oxide vulnerabilities
Ubuntu Security Notice USN-2860-1
11th January, 2016
oxide-qt vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.10
- Ubuntu 15.04
- Ubuntu 14.04 LTS
Summary
Several security issues were fixed in Oxide.
Software description
- oxide-qt
– Web browser engine library for Qt (QML plugin)
Details
A race condition was discovered in the MutationObserver implementation in
Blink. If a user were tricked in to opening a specially crafted website,
an attacker could potentially exploit this to cause a denial of service
via renderer crash, or execute arbitrary code with the privileges of the
sandboxed render process. (CVE-2015-6789)
An issue was discovered with the page serializer in Blink. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to inject arbitrary script or HTML.
(CVE-2015-6790)
Multiple security issues were discovered in Chromium. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-6791)
Multiple security issues were discovered in V8. If a user were tricked
in to opening a specially crafted website, an attacker could potentially
exploit these to read uninitialized memory, cause a denial of service via
renderer crash or execute arbitrary code with the privileges of the
sandboxed render process. (CVE-2015-8548)
An integer overflow was discovered in the WebCursor::Deserialize function
in Chromium. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-8664)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.10:
-
liboxideqtcore0
1.11.4-0ubuntu0.15.10.1
- Ubuntu 15.04:
-
liboxideqtcore0
1.11.4-0ubuntu0.15.04.1
- Ubuntu 14.04 LTS:
-
liboxideqtcore0
1.11.4-0ubuntu0.14.04.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
TrendMicro Node.js HTTP Server Command Execution
When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup. This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests. It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().
CVE-2015-8769
SQL injection vulnerability in Joomla! 3.x before 3.4.7 allows attackers to execute arbitrary SQL commands via unspecified vectors. (CVSS:7.5) (Last Update:2016-01-15)
Vuln: Xen CVE-2015-8338 Denial of Service Vulnerability
Xen CVE-2015-8338 Denial of Service Vulnerability
Vuln: Google Chrome Prior to 47.0.2526.73 Multiple Security Vulnerabilities
Google Chrome Prior to 47.0.2526.73 Multiple Security Vulnerabilities
Ubuntu Security Notice USN-2860-1
Ubuntu Security Notice 2860-1 – A race condition was discovered in the MutationObserver implementation in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code with the privileges of the sandboxed render process. An issue was discovered with the page serializer in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to inject arbitrary script or HTML. Various other issues were also addressed.