Red Hat Enterprise Linux: Updated OpenStack Image Service packages that resolve various issues are
now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno)
for RHEL 7.
Monthly Archives: January 2016
USN-2869-1: OpenSSH vulnerabilities
Ubuntu Security Notice USN-2869-1
14th January, 2016
openssh vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.10
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
OpenSSH could be made to expose sensitive information over the network.
Software description
- openssh
– secure shell (SSH) for secure access to remote machines
Details
It was discovered that the OpenSSH client experimental support for resuming
connections contained multiple security issues. A malicious server could
use this issue to leak client memory to the server, including private
client user keys.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.10:
-
openssh-client
1:6.9p1-2ubuntu0.1
- Ubuntu 15.04:
-
openssh-client
1:6.7p1-5ubuntu1.4
- Ubuntu 14.04 LTS:
-
openssh-client
1:6.6p1-2ubuntu2.4
- Ubuntu 12.04 LTS:
-
openssh-client
1:5.9p1-5ubuntu1.8
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
CVE-2015-3943
Advantech WebAccess before 8.1 allows remote attackers to read sensitive cleartext information about e-mail project accounts via unspecified vectors.
CVE-2015-3946
Cross-site request forgery (CSRF) vulnerability in Advantech WebAccess before 8.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2015-3947
SQL injection vulnerability in Advantech WebAccess before 8.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
CVE-2015-3948
Cross-site scripting (XSS) vulnerability in Advantech WebAccess before 8.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-5007
Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Commerce 6.0 through 6.0.0.11, 7.0 through 7.0.0.9, and 7.0 Feature Pack 8 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.
CVE-2015-6314
Cisco Wireless LAN Controller (WLC) devices with software 7.6.x, 8.0 before 8.0.121.0, and 8.1 before 8.1.131.0 allow remote attackers to change configuration settings via unspecified vectors, aka Bug ID CSCuw06153.
CVE-2015-6320
The IP ingress packet handler on Cisco Aironet 1800 devices with software 8.1(112.3) and 8.1(112.4) allows remote attackers to cause a denial of service via a crafted header in an IP packet, aka Bug ID CSCuv63138.
CVE-2015-6323
The Admin portal in Cisco Identity Services Engine (ISE) 1.1.x, 1.2.0 before patch 17, 1.2.1 before patch 8, 1.3 before patch 5, and 1.4 before patch 4 allows remote attackers to obtain administrative access via unspecified vectors, aka Bug ID CSCuw34253.