Log2Space Central v 6.2 Multiple XSS Vulnerability
Monthly Archives: January 2016
Bugtraq: [SECURITY] [DSA 3457-1] iceweasel security update
[SECURITY] [DSA 3457-1] iceweasel security update
Bugtraq: [SECURITY] [DSA 3458-1] openjdk-7 security update
[SECURITY] [DSA 3458-1] openjdk-7 security update
RHSA-2016:0074-1: Moderate: bind97 security update
Red Hat Enterprise Linux: Updated bind97 packages that fix one security issue are now available for
Red Hat Enterprise Linux 5.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2015-8704
RHSA-2016:0073-1: Moderate: bind security update
Red Hat Enterprise Linux: Updated bind packages that fix one security issue are now available for Red
Hat Enterprise Linux 5, 6, and 7.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2015-8704
RHSA-2016:0072-1: Important: chromium-browser security update
Red Hat Enterprise Linux: Updated chromium-browser packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2016-1612, CVE-2016-1613, CVE-2016-1614, CVE-2016-1615, CVE-2016-1616, CVE-2016-1617, CVE-2016-1618, CVE-2016-1619, CVE-2016-1620, CVE-2016-2051, CVE-2016-2052
RHSA-2015:2623-2: Moderate: grub2 security and bug fix update
Red Hat Enterprise Linux: Updated grub2 packages that fix one security issue and one bug are now
available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
[Updated 27 January 2016]
This advisory has been updated to document additional steps that need to be
performed on BIOS-based systems after installing this update. No changes
were made to the packages included in the advisory.
CVE-2015-8370
USN-2880-1: Firefox vulnerabilities
Ubuntu Security Notice USN-2880-1
27th January, 2016
firefox vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.10
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Software description
- firefox
– Mozilla Open Source web browser
Details
Bob Clary, Christian Holler, Nils Ohlmeier, Gary Kwong, Jesse Ruderman,
Carsten Book, Randell Jesup, Nicolas Pierron, Eric Rescorla, Tyson Smith,
and Gabor Krizsanits discovered multiple memory safety issues in Firefox.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit these to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-1930, CVE-2016-1931)
Gustavo Grieco discovered an out-of-memory crash when loading GIF images
in some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could exploit this to cause a denial of
service. (CVE-2016-1933)
Aki Helin discovered a buffer overflow when rendering WebGL content in
some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2016-1935)
It was discovered that a delay was missing when focusing the protocol
handler dialog. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to conduct
clickjacking attacks. (CVE-2016-1937)
Hanno Böck discovered that calculations with mp_div and mp_exptmod in NSS
produce incorrect results in some circumstances, resulting in
cryptographic weaknesses. (CVE-2016-1938)
Nicholas Hurley discovered that Firefox allows for control characters to
be set in cookie names. An attacker could potentially exploit this to
conduct cookie injection attacks on some web servers. (CVE-2016-1939)
It was discovered that when certain invalid URLs are pasted in to the
addressbar, the addressbar contents may be manipulated to show the
location of arbitrary websites. An attacker could potentially exploit this
to conduct URL spoofing attacks. (CVE-2016-1942)
Ronald Crane discovered three vulnerabilities through code inspection. If
a user were tricked in to opening a specially crafted website, an attacker
could potentially exploit these to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-1944, CVE-2016-1945, CVE-2016-1946)
François Marier discovered that Application Reputation lookups didn’t
work correctly, disabling warnings for potentially malicious downloads. An
attacker could potentially exploit this by tricking a user in to
downloading a malicious file. Other parts of the Safe Browsing feature
were unaffected by this. (CVE-2016-1947)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.10:
-
firefox
44.0+build3-0ubuntu0.15.10.1
- Ubuntu 15.04:
-
firefox
44.0+build3-0ubuntu0.15.04.1
- Ubuntu 14.04 LTS:
-
firefox
44.0+build3-0ubuntu0.14.04.1
- Ubuntu 12.04 LTS:
-
firefox
44.0+build3-0ubuntu0.12.04.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart Firefox to make
all the necessary changes.
References
USN-2877-1: Oxide vulnerabilities
Ubuntu Security Notice USN-2877-1
27th January, 2016
oxide-qt vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.10
- Ubuntu 15.04
- Ubuntu 14.04 LTS
Summary
Several security issues were fixed in Oxide.
Software description
- oxide-qt
– Web browser engine library for Qt (QML plugin)
Details
A bad cast was discovered in V8. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
cause a denial of service via renderer crash or execute arbitrary code
with the privileges of the sandboxed render process. (CVE-2016-1612)
An issue was discovered when initializing the UnacceleratedImageBufferSurface
class in Blink. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to obtain sensitive
information. (CVE-2016-1614)
An issue was discovered with the CSP implementation in Blink. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit this to determine whether specific HSTS sites had been
visited by reading a CSP report. (CVE-2016-1617)
An issue was discovered with random number generator in Blink. An attacker
could potentially exploit this to defeat cryptographic protection
mechanisms. (CVE-2016-1618)
Multiple security issues were discovered in Chromium. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2016-1620)
Multiple security issues were discovered in V8. If a user were tricked
in to opening a specially crafted website, an attacker could potentially
exploit these to read uninitialized memory, cause a denial of service via
renderer crash or execute arbitrary code with the privileges of the
sandboxed render process. (CVE-2016-2051)
Multiple security issues were discovered in Harfbuzz. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via renderer
crash or execute arbitrary code with the privileges of the sandboxed
render process. (CVE-2016-2052)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.10:
-
liboxideqtcore0
1.12.5-0ubuntu0.15.10.1
- Ubuntu 15.04:
-
liboxideqtcore0
1.12.5-0ubuntu0.15.04.1
- Ubuntu 14.04 LTS:
-
liboxideqtcore0
1.12.5-0ubuntu0.14.04.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
USN-2882-1: curl vulnerability
Ubuntu Security Notice USN-2882-1
27th January, 2016
curl vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.10
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
curl would incorrectly re-use credentials.
Software description
- curl
– HTTP, HTTPS, and FTP client and client libraries
Details
Isaac Boukris discovered that curl could incorrectly re-use NTLM proxy
credentials when subsequently connecting to the same host.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.10:
-
libcurl3-nss
7.43.0-1ubuntu2.1
-
libcurl3-gnutls
7.43.0-1ubuntu2.1
-
libcurl3
7.43.0-1ubuntu2.1
- Ubuntu 15.04:
-
libcurl3-nss
7.38.0-3ubuntu2.3
-
libcurl3-gnutls
7.38.0-3ubuntu2.3
-
libcurl3
7.38.0-3ubuntu2.3
- Ubuntu 14.04 LTS:
-
libcurl3-nss
7.35.0-1ubuntu2.6
-
libcurl3-gnutls
7.35.0-1ubuntu2.6
-
libcurl3
7.35.0-1ubuntu2.6
- Ubuntu 12.04 LTS:
-
libcurl3-nss
7.22.0-3ubuntu4.15
-
libcurl3-gnutls
7.22.0-3ubuntu4.15
-
libcurl3
7.22.0-3ubuntu4.15
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.