A security issue affects these releases of Ubuntu and its
derivatives:
Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS
Summary
A same-origin-policy bypass was discovered in Firefox.
Software description
firefox
– Mozilla Open Source web browser
Details
Jason Pang discovered that service workers intercept responses to plugin network requests made through the browser. An attacker could potentially exploit this to bypass same origin restrictions using the Flash plugin. (CVE-2016-1949)
Update instructions
The problem can be corrected by updating your system to the following
package version:
A pair of new security vulnerabilities has been discovered in the framework used by a wide variety of Mac apps leaves them open to Man-in-the-Middle (MitM) attacks.
The framework in question is Sparkle that a large number of third-party OS X apps, including Camtasia, uTorrent, Duet Display and Sketch, use to facilitate automatic updates in the background.
Integer overflow in the asf_write_packet function in libavformat/asfenc.c in FFmpeg before 2.8.5 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PTS (aka presentation timestamp) value in a .mov file.
libavcodec/pngenc.c in FFmpeg before 2.8.5 uses incorrect line sizes in certain row calculations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .avi file, related to the apng_encode_frame and encode_apng functions.
libswscale/swscale_unscaled.c in FFmpeg before 2.8.6 does not validate certain height values, which allows remote attackers to cause a denial of service (out-of-bounds array read access) or possibly have unspecified other impact via a crafted .cine file, related to the bayer_to_rgb24_wrapper and bayer_to_yv12_wrapper functions.
libavcodec/tiff.c in FFmpeg before 2.8.6 does not properly validate RowsPerStrip values and YCbCr chrominance subsampling factors, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted TIFF file, related to the tiff_decode_tag and decode_frame functions.
libavcodec/gif.c in FFmpeg before 2.8.6 does not properly calculate a buffer size, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .tga file, related to the gif_image_write_image, gif_encode_init, and gif_encode_close functions.
The Mozilla Foundation has released security updates to address vulnerabilities in Firefox and Firefox ESR. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected system.
Available updates include:
Firefox 44.0.2
Firefox ESR 38.6.1
US-CERT encourages users and administrators to review the Security Advisory for Firefox and Firefox ESR and apply the necessary updates.
EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and obtain sensitive repository information by appending a query to a REST request.
EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows remote authenticated users to read arbitrary files via a POST request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
