RHSA-2016:0723-1: Critical: java-1.6.0-openjdk security update

Red Hat Enterprise Linux: An update for java-1.6.0-openjdk is now available for Red Hat Enterprise Linux
5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2016-0686, CVE-2016-0687, CVE-2016-0695, CVE-2016-3425, CVE-2016-3427

RHSA-2016:0722-1: Important: openssl security update

Red Hat Enterprise Linux: An update for openssl is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2016-0799, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2842

USN-2966-1: OpenSSH vulnerabilities

Ubuntu Security Notice USN-2966-1

9th May, 2016

openssh vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in OpenSSH.

Software description

  • openssh
    – secure shell (SSH) for secure access to remote machines

Details

Shayan Sadigh discovered that OpenSSH incorrectly handled environment files
when the UseLogin feature is enabled. A local attacker could use this issue
to gain privileges. (CVE-2015-8325)

Ben Hawkes discovered that OpenSSH incorrectly handled certain network
traffic. A remote attacker could possibly use this issue to cause OpenSSH
to crash, resulting in a denial of service. This issue only applied to
Ubuntu 15.10. (CVE-2016-1907)

Thomas Hoger discovered that OpenSSH incorrectly handled untrusted X11
forwarding when the SECURITY extension is disabled. A connection configured
as being untrusted could get switched to trusted in certain scenarios,
contrary to expectations. (CVE-2016-1908)

It was discovered that OpenSSH incorrectly handled certain X11 forwarding
data. A remote authenticated attacker could possibly use this issue to
bypass certain intended command restrictions. (CVE-2016-3115)

Update instructions

The problem can be corrected by updating your system to the following
package versions:

  • Ubuntu 15.10: openssh-server 1:6.9p1-2ubuntu0.2
  • Ubuntu 14.04 LTS: openssh-server 1:6.6p1-2ubuntu2.7
  • Ubuntu 12.04 LTS: openssh-server 1:5.9p1-5ubuntu1.9

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8325, CVE-2016-1907, CVE-2016-1908, CVE-2016-3115

CVE-2015-5207

Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods.

CVE-2016-3105

The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.

CVE-2016-4350

Multiple SQL injection vulnerabilities in the Web Services web server in SolarWinds Storage Resource Monitor (SRM) Profiler (formerly Storage Manager (STM)) before 6.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) ScriptSchedule parameter in the ScriptServlet servlet; the (2) winEventId or (3) winEventLog parameter in the WindowsEventLogsServlet servlet; the (4) processOS parameter in the ProcessesServlet servlet; the (5) group, (6) groupName, or (7) clientName parameter in the BackupExceptionsServlet servlet; the (8) valDB or (9) valFS parameter in the BackupAssociationServlet servlet; the (10) orderBy or (11) orderDir parameter in the HostStorageServlet servlet; the (12) fileName, (13) sortField, or (14) sortDirection parameter in the DuplicateFilesServlet servlet; the (15) orderFld or (16) orderDir parameter in the QuantumMonitorServlet servlet; the (17) exitCode parameter in the NbuErrorMessageServlet servlet; the (18) udfName, (19) displayName, (20) udfDescription, (21) udfDataValue, (22) udfSectionName, or (23) udfId parameter in the UserDefinedFieldConfigServlet servlet; the (24) sortField or (25) sortDirection parameter in the XiotechMonitorServlet servlet; the (26) sortField or (27) sortDirection parameter in the BexDriveUsageSummaryServlet servlet; the (28) state parameter in the ScriptServlet servlet; the (29) assignedNames parameter in the FileActionAssignmentServlet servlet; the (30) winEventSource parameter in the WindowsEventLogsServlet servlet; or the (31) name, (32) ipOne, (33) ipTwo, or (34) ipThree parameter in the XiotechMonitorServlet servlet.

CESA-2016:0726 Important CentOS 7 ImageMagick Security Update

CentOS Errata and Security Advisory 2016:0726 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-0726.html

The following updated files have been uploaded and are currently syncing to
the mirrors (listed as sha256sum and filename):
