RHN Satellite and Proxy: Updated cobbler and spacewalk-java packages that fix several bugs are now
available for Red Hat Satellite 5.7.
Monthly Archives: March 2016
USN-2935-1: PAM vulnerabilities
Ubuntu Security Notice USN-2935-1
16th March, 2016
pam vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in PAM.
Software description
- pam – Pluggable Authentication Modules
Details
It was discovered that the PAM pam_userdb module incorrectly used a
case-insensitive method when comparing hashed passwords. A local attacker
could possibly use this issue to make brute force attacks easier. This
issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2013-7041)
Sebastian Krahmer discovered that the PAM pam_timestamp module incorrectly
performed filtering. A local attacker could use this issue to create
arbitrary files, or possibly bypass authentication. This issue only
affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2583)
Sebastien Macke discovered that the PAM pam_unix module incorrectly handled
large passwords. A local attacker could possibly use this issue in certain
environments to enumerate usernames or cause a denial of service.
(CVE-2015-3238)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.10: libpam-modules 1.1.8-3.1ubuntu3.1
- Ubuntu 14.04 LTS: libpam-modules 1.1.8-1ubuntu2.1
- Ubuntu 12.04 LTS: libpam-modules 1.1.3-7ubuntu2.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
USN-2935-2: PAM regression
Ubuntu Security Notice USN-2935-2
16th March, 2016
pam regression
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
USN-2935-1 introduced a regression in PAM.
Software description
- pam – Pluggable Authentication Modules
Details
USN-2935-1 fixed vulnerabilities in PAM. The updates contained a packaging
change that prevented upgrades in certain multiarch environments. This
update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that the PAM pam_userdb module incorrectly used a
case-insensitive method when comparing hashed passwords. A local attacker
could possibly use this issue to make brute force attacks easier. This
issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2013-7041)
Sebastian Krahmer discovered that the PAM pam_timestamp module incorrectly
performed filtering. A local attacker could use this issue to create
arbitrary files, or possibly bypass authentication. This issue only
affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2583)
Sebastien Macke discovered that the PAM pam_unix module incorrectly handled
large passwords. A local attacker could possibly use this issue in certain
environments to enumerate usernames or cause a denial of service.
(CVE-2015-3238)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.10: libpam-modules 1.1.8-3.1ubuntu3.2
- Ubuntu 14.04 LTS: libpam-modules 1.1.8-1ubuntu2.2
- Ubuntu 12.04 LTS: libpam-modules 1.1.3-7ubuntu2.2
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
Grandstream Wave 1.0.1.26 Man-In-The-Middle
The Grandstream VoIP products use a remote provisioning mechanism that sets configuration elements automatically when the phone or app starts. By default, an insecure connection to `fm.grandstream.com` is used to obtain the provisioning profile. An active attacker can redirect this request and change arbitrary values in the configuration. This allows phone calls to be redirected through a malicious server, the phone to be turned into a listening device, passwords to be changed, and system logs (including the phone numbers dialed by the user) to be exfiltrated.
ProjectSend r582 Cross Site Scripting
ProjectSend version r582 suffers from a persistent cross site scripting vulnerability.
Anonymous Attack On Trump Sets Off Hacker Civil War
Safari, Flash Fall at Pwn2Own 2016 Day One
Hackers took down Apple Safari and Adobe Flash earning $282,500 in prizes on Wednesday, the first day of the annual Pwn2Own hacking challenge in Vancouver.
Kaspersky Lab Named First Endpoint Security Company in the World to be Granted ISO 9001:2015 Certificate for Customer Support
Kaspersky Lab announced today its Global Support Team has been granted an ISO 9001:2015 certification
Warning — Hackers can Silently Install Malware to Non-Jailbroken iOS Devices
Hard time for mobile phone users!
Just recently, two severe vulnerabilities in the Qualcomm Snapdragon chip and Stagefright were spotted on the Android platform, affecting more than a billion and millions of devices respectively.
And now:
Hackers have discovered a new way to install malicious apps onto your iPhone without your interaction.
Researchers at Palo Alto Networks have uncovered a
APT Attackers Flying More False Flags Than Ever
Investigators continue to focus on attack attribution, but Kaspersky researchers speaking at CanSecWest 2016 caution that attackers are manipulating data used to tie attacks to perpetrators.
