Daniel Gultsch discovered a vulnerability in Gajim, an XMPP/jabber
client. Gajim didn’t verify the origin of roster updates, allowing an
attacker to spoof them and potentially allowing her to intercept messages.
Monthly Archives: February 2016
DSA-3493 xerces-c – security update
Gustavo Grieco discovered that xerces-c, a validating XML parser library
for C++, mishandles certain kinds of malformed input documents,
resulting in buffer overflows during processing and error reporting.
These flaws could lead to a denial of service in applications using the
xerces-c library, or potentially, to the execution of arbitrary code.
InstallShield DLL Hijacking
InstallShield suffers from a DLL hijacking vulnerability.
Ubuntu Security Notice USN-2905-1
Ubuntu Security Notice 2905-1 – A security issue was discovered in Chromium. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions or a sandbox protection mechanism.
Slackware Security Advisory – libgcrypt Updates
Slackware Security Advisory – New libgcrypt packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
Slackware Security Advisory – ntp Updates
Slackware Security Advisory – New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
Ubuntu Security Notice USN-2913-4
Ubuntu Security Notice 2913-4 – USN-2913-1 removed 1024-bit RSA CA certificates from the ca-certificates package. This update adds support for alternate certificate chains to the GnuTLS package to properly handle the removal. The ca-certificates package contained outdated CA certificates. This update refreshes the included certificates to those contained in the 20160104 package, including the removal of the SPI CA and CA certificates with 1024-bit RSA keys. Various other issues were also addressed.
Ubuntu Security Notice USN-2913-1
Ubuntu Security Notice 2913-1 – The ca-certificates package contained outdated CA certificates. This update refreshes the included certificates to those contained in the 20160104 package, including the removal of the SPI CA and CA certificates with 1024-bit RSA keys.
Debian Security Advisory 3489-1
Debian Linux Security Advisory 3489-1 – lighttpd, a small webserver, is vulnerable to the POODLE attack via the use of SSLv3. This protocol is now disabled by default.
Red Hat Security Advisory 2016-0296-01
Red Hat Security Advisory 2016-0296-01 – The rh-ror41 collection provides Ruby on Rails version 4.1. Ruby on Rails is a model-view-controller framework for web application development. The following issue was corrected in rubygem-actionpack and rubygem-actionview: A directory traversal flaw was found in the way the Action View component searched for templates for rendering. If an application passed untrusted input to the ‘render’ method, a remote, unauthenticated attacker could use this to render unexpected files and, possibly, execute arbitrary code.