CVE-2015-8709

** DISPUTED ** kernel/ptrace.c in the Linux kernel through 4.4.1 mishandles uid and gid mappings, which allows local users to gain privileges by establishing a user namespace, waiting for a root process to enter that namespace with an unsafe uid or gid, and then using the ptrace system call. NOTE: the vendor states “there is no kernel bug here.”

CVE-2015-8767

net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not properly manage the relationship between a lock and a socket, which allows local users to cause a denial of service (deadlock) via a crafted sctp_accept call.

CVE-2015-8785

The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel before 4.4 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov.

CVE-2015-8787

The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c in the Linux kernel before 4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by sending certain IPv4 packets to an incompletely configured interface, a related issue to CVE-2003-1604.

CVE-2016-0723

Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call.

CVE-2016-0728

The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.

AVG’s Winning Game Plan for “Secure” Bowl Sunday

The biggest football game of the year is a big day for being online – whether you’re traveling to Santa Clara to watch it in person or heading to a friend’s party (or two).  Either way, it’s important to protect yourself while you’re on your phone, and there is no doubt there will be a lot of social media activity from kickoff to half-time to when the clock reaches zero.

If you’re like the majority of us and don’t have a ticket to the game, you’ll most likely be watching the extravagantly funded commercials and your Twitter or Facebook feed from a friend’s house.  Here are some things to keep in mind while online.

  • Big events are popular among spammers:  Recognize spam for what it is; don’t click on video links or open any attachments from unknown senders.  Only open emails from reputable vendors and people you know.
  • Watch out for fake offers: Don’t think you’re going to buy a last-minute cheap ticket.  They don’t exist!  If you are in the market for a ticket, only buy from a reputable ticket agent.
  • Be a REAL fan:  You only want official NFL gear, right?  Watch out for knock-off or unofficial team merchandise, as it will not look good after the first wash.  Only buy from a retailer you recognize.
  • Phishing for your money: AVG’s Web Threats Team found that the top brands misused by scammers in phishing scams are payment systems like PayPal and American Express and logistics companies like UPS / FedEx, all companies you might expect an email from if you bought tickets or merchandise online. Do NOT reply or send personal data to these fake emails.  They are trying to get your bank and other personal information.  If you have ordered and want to track the package, use the tracking option directly on the retailer’s site.

For the lucky ones who were able to get a ticket to the big game, you’re going to be in one of the most high-tech stadiums in the country!  It is Silicon Valley, right? Did you know that there are 1200 access points for WiFi at Levi’s Stadium?  That’s 1 WiFi point for every 100 seats!  Plenty of connection points for posting all those selfies!   Here are some tips for staying safe in the crowd:

  • Turn off your phone and watch the game! You paid a lot of money for that ticket, so why do you want to watch it on a small screen?
  • Encrypt personal data: Access points at Levi’s Stadium are public, but how do you know the access point you’re connecting to isn’t a criminal faking the WiFi name?  Download a free VPN like Hide My Ass! and encrypt your data.
  • Don’t advertise where you are to strangers: If you must post on social media, make sure you have your location settings turned off on your photos (geotagging) and don’t display your location.  You don’t want a burglar in your neighborhood knowing you’re at the game.  Your friends and family will know where you are when they see your photos. Just go to your phone “Settings”, find your camera app and turn off the location setting.
  • In case you lose your phone: Before you head to the big game, make sure you download anti-theft software, like AVG AntiVirus Pro for Android, or make sure the anti-theft settings on your iPhone are active.  That way, if you lose your phone or get pickpocketed, you’ll be able to disable, locate, or wipe it.

Stay safe at the game and have a great Sunday!!

CVE-2016-2048

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the “Save as New” option when editing objects and leveraging the “change” permission. (CVSS: 6.0) (Last Update: 2016-02-25)