Slackware Security Advisory – New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Slackware Security Advisory – New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Slackware Security Advisory – New mailx packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

WordPress Bulk Delete plugin version 5.5.3 suffers from a privilege escalation vulnerability.

Cisco Security Advisory – On March 1, 2016, the OpenSSL Software Foundation released a security advisory detailing seven vulnerabilities and a new attack, referred to as the Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) attack. A total of eight Common Vulnerabilities and Exposures (CVEs) were assigned. Of the eight CVEs, three relate to the DROWN attack. The remaining CVEs track low severity vulnerabilities. DROWN is a cross-protocol attack that actively exploits weaknesses in SSL version 2 (SSLv2) to decrypt passively collected Transport Layer Security (TLS) sessions. DROWN does not exploit a vulnerability in the TLS protocol or any specific implementation of the protocol. To execute a successful DROWN attack, the attacker must identify a server that supports both SSLv2 and TLS, and uses the same RSA key pair for both protocols. The attacker must also be able to collect TLS traffic for the server.

Ubuntu Security Notice 2918-1 – Vincent LE GARREC discovered an integer underflow in pixman. If a user were tricked into opening a specially crafted file, a remote attacker could cause pixman to crash, resulting in a denial of service, or possibly execute arbitrary code.

Ubuntu Security Notice 2919-1 – Jacob Baines discovered that JasPer incorrectly handled ICC color profiles in JPEG-2000 image files. If a user were tricked into opening a specially crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash or possibly execute arbitrary code with user privileges. Tyler Hicks discovered that JasPer incorrectly handled memory when processing JPEG-2000 image files. If a user were tricked into opening a specially crafted JPEG-2000 image file, a remote attacker could cause JasPer to consume memory, resulting in a denial of service. Various other issues were also addressed.

Red Hat Security Advisory 2016-0351-01 – OpenShift Enterprise by Red Hat is the company’s cloud computing Platform-as-a-Service solution designed for on-premise or private cloud deployments. An authorization flaw was discovered in Kubernetes; the API server did not properly check user permissions when handling certain requests. An authenticated remote attacker could use this flaw to gain additional access to resources such as RAM and disk space. An authorization flaw was discovered in Kubernetes; the API server did not properly check user permissions when handling certain build configuration strategies. A remote attacker could create build configurations with strategies that violate policy. Although the attacker could not launch the build themselves, if the build configuration files were later launched by other privileged services, user privileges could be bypassed allowing attacker escalation.

HP Security Bulletin HPSBHF03436 1 – A potential security vulnerability has been identified with certain HP Thin Clients running ThinPro OS. The vulnerability could be exploited exploited locally resulting in elevated privileges. Revision 1 of this advisory.