DSA-3455 curl – security update

Isaac Boukris discovered that cURL, a URL transfer library, reused
NTLM-authenticated proxy connections without properly making sure that
the connection was authenticated with the same credentials as set for
the new transfer. This could lead to HTTP requests being sent over the
connection authenticated as a different user.

Mozilla Releases Security Updates

Original release date: January 26, 2016

Mozilla has released security updates to address multiple vulnerabilities in Firefox. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected system.

Available updates include:

  • Firefox 44
  • Firefox ESR 38.6

US-CERT encourages users and administrators to review Mozilla Security Advisories for Firefox and Firefox ESR and apply the necessary updates.



CVE-2015-7974

NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a “skeleton key.”

CVE-2016-0869

Heap-based buffer overflow in MICROSYS PROMOTIC before 8.3.11 allows remote authenticated users to cause a denial of service via a malformed HTML document.

CVE-2016-1233

An unspecified udev rule in the Debian fuse package in jessie before 2.9.3-15+deb8u2, in stretch before 2.9.5-1, and in sid before 2.9.5-1 sets world-writable permissions for the /dev/cuse character device, which allows local users to gain privileges via a character device in /dev, related to an ioctl.