Red Hat Enterprise Linux: An update for samba is now available for Red Hat Enterprise Linux 5.6 Long Life
and Red Hat Enterprise Linux 5.9 Long Life.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
[Updated 13 April 2016]
This advisory previously incorrectly listed the CVE-2015-5370 issue as addressed
by this update. However, this issue did not affect the samba packages on Red Hat
Enterprise Linux 5.6 and 5.9 Long Life. No changes have been made to the
packages.
CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115, CVE-2016-2118
This module provides static page caching for Drupal enabling a very significant performance and scalability boost for sites that receive mostly anonymous traffic.
The module doesn’t prevent form cache from leaking between anonymous users which could result in information disclosure, where one user sees form data generated for another.
This vulnerability is mitigated by the fact that it only affects AJAX forms which expose sensitive data to anonymous users.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Boost 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Boost module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Boost module for Drupal 7.x, upgrade to Boost 7.x-1.1
The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif.
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif.
The (1) SSH_MSG_NEWKEYS and (2) SSH_MSG_KEXDH_REPLY packet handlers in package_cb.c in libssh before 0.6.5 do not properly validate state, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted SSH packet.
The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image.
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif.
dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the “<!DOCTYPE html” substring in a crafted HTML document.