Slackware Security Advisory – New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
Monthly Archives: May 2016
RHSA-2016:0708-1: Critical: java-1.6.0-ibm security update
Red Hat Enterprise Linux: An update for java-1.6.0-ibm is now available for Red Hat Enterprise Linux 5
Supplementary and Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2016-0264, CVE-2016-0363, CVE-2016-0376, CVE-2016-0686, CVE-2016-0687, CVE-2016-3422, CVE-2016-3426, CVE-2016-3427, CVE-2016-3443, CVE-2016-3449
RHSA-2016:0707-1: Important: chromium-browser security update
Red Hat Enterprise Linux: An update for chromium-browser is now available for Red Hat Enterprise Linux 6
Supplementary.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2016-1660, CVE-2016-1661, CVE-2016-1662, CVE-2016-1663, CVE-2016-1664, CVE-2016-1665, CVE-2016-1666
RHSA-2016:0706-1: Important: mercurial security update
Red Hat Enterprise Linux: An update for mercurial is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2016-3068, CVE-2016-3069
RHSA-2016:0705-1: Critical: rh-mysql56-mysql security update
Red Hat Enterprise Linux: An update for rh-mysql56-mysql is now available for Red Hat Software
Collections.
Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2015-4792, CVE-2015-4800, CVE-2015-4802, CVE-2015-4815, CVE-2015-4826, CVE-2015-4830, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4862, CVE-2015-4870, CVE-2015-4890, CVE-2015-4910, CVE-2015-4913, CVE-2016-0503, CVE-2016-0504, CVE-2016-0505, CVE-2016-0546, CVE-2016-0595, CVE-2016-0596, CVE-2016-0597, CVE-2016-0598, CVE-2016-0600, CVE-2016-0605, CVE-2016-0606, CVE-2016-0607, CVE-2016-0608, CVE-2016-0609, CVE-2016-0610, CVE-2016-0611, CVE-2016-0639, CVE-2016-0640, CVE-2016-0641, CVE-2016-0642, CVE-2016-0643, CVE-2016-0644, CVE-2016-0646, CVE-2016-0647, CVE-2016-0648, CVE-2016-0649, CVE-2016-0650, CVE-2016-0655, CVE-2016-0661, CVE-2016-0665, CVE-2016-0666, CVE-2016-0668, CVE-2016-2047
USN-2957-1: Libtasn1 vulnerability
Ubuntu Security Notice USN-2957-1
2nd May, 2016
libtasn1-3, libtasn1-6 vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Libtasn1 could be made to hang if it processed specially crafted data.
Software description
- libtasn1-3
– Library to manage ASN.1 structures - libtasn1-6
– Library to manage ASN.1 structures
Details
Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled
certain malformed DER certificates. A remote attacker could possibly use
this issue to cause applications using Libtasn1 to hang, resulting in a
denial of service.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.10:
-
libtasn1-6
4.5-2ubuntu0.1
- Ubuntu 14.04 LTS:
-
libtasn1-6
3.4-3ubuntu0.4
- Ubuntu 12.04 LTS:
-
libtasn1-3
2.10-1ubuntu1.5
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
USN-2958-1: poppler vulnerabilities
Ubuntu Security Notice USN-2958-1
2nd May, 2016
poppler vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
poppler could be made to crash or run programs if it opened a specially
crafted file.
Software description
- poppler
– PDF rendering library
Details
It was discovered that the poppler pdfseparate tool incorrectly handled
certain filenames. A local attacker could use this issue to cause the tool
to crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only applied to Ubuntu 12.04 LTS. (CVE-2013-4473,
CVE-2013-4474)
It was discovered that poppler incorrectly parsed certain malformed PDF
documents. If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause a denial of service or possibly
execute arbitrary code with privileges of the user invoking the program.
(CVE-2015-8868)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.10:
-
poppler-utils
0.33.0-0ubuntu3.1
-
libpoppler-cpp0
0.33.0-0ubuntu3.1
-
libpoppler-glib8
0.33.0-0ubuntu3.1
-
libpoppler-qt5-1
0.33.0-0ubuntu3.1
-
libpoppler-qt4-4
0.33.0-0ubuntu3.1
-
libpoppler52
0.33.0-0ubuntu3.1
- Ubuntu 14.04 LTS:
-
poppler-utils
0.24.5-2ubuntu4.4
-
libpoppler-qt4-4
0.24.5-2ubuntu4.4
-
libpoppler44
0.24.5-2ubuntu4.4
-
libpoppler-glib8
0.24.5-2ubuntu4.4
-
libpoppler-cpp0
0.24.5-2ubuntu4.4
-
libpoppler-qt5-1
0.24.5-2ubuntu4.4
- Ubuntu 12.04 LTS:
-
libpoppler-glib8
0.18.4-1ubuntu3.2
-
libpoppler-cpp0
0.18.4-1ubuntu3.2
-
libpoppler-qt4-3
0.18.4-1ubuntu3.2
-
libpoppler19
0.18.4-1ubuntu3.2
-
poppler-utils
0.18.4-1ubuntu3.2
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
USN-2957-2: Libtasn1 vulnerability
Ubuntu Security Notice USN-2957-2
2nd May, 2016
libtasn1-6 vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 16.04 LTS
Summary
Libtasn1 could be made to hang if it processed specially crafted data.
Software description
- libtasn1-6
– Library to manage ASN.1 structures
Details
USN-2957-1 fixed a vulnerability in Libtasn1. This update provides the
corresponding update for Ubuntu 16.04 LTS.
Original advisory details:
Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled
certain malformed DER certificates. A remote attacker could possibly use
this issue to cause applications using Libtasn1 to hang, resulting in a
denial of service.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 16.04 LTS:
-
libtasn1-6
4.7-3ubuntu0.16.04.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
USN-2936-2: Oxygen-GTK3 update
Ubuntu Security Notice USN-2936-2
2nd May, 2016
oxygen-gtk3 update
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 12.04 LTS
Summary
USN-2936-1 caused Firefox to crash on startup with the Oxygen GTK theme
Software description
- oxygen-gtk3
– Oxygen widget theme for GTK3-based applications
Details
USN-2936-1 fixed vulnerabilities in Firefox. The update caused Firefox to
crash on startup with the Oxygen GTK theme due to a pre-existing bug in
the Oxygen-GTK3 theme engine. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Christian Holler, Tyson Smith, Phil Ringalda, Gary Kwong, Jesse Ruderman,
Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter, Randell Jesup,
Andrew McCreight, and Steve Fink discovered multiple memory safety issues
in Firefox. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit these to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-2804, CVE-2016-2806,
CVE-2016-2807)
An invalid write was discovered when using the JavaScript .watch() method in
some circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-2808)
Looben Yang discovered a use-after-free and buffer overflow in service
workers. If a user were tricked in to opening a specially crafted website,
an attacker could potentially exploit these to cause a denial of service
via application crash, or execute arbitrary code with the privileges of
the user invoking Firefox. (CVE-2016-2811, CVE-2016-2812)
Sascha Just discovered a buffer overflow in libstagefright in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-2814)
Muneaki Nishimura discovered that CSP is not applied correctly to web
content sent with the multipart/x-mixed-replace MIME type. An attacker
could potentially exploit this to conduct cross-site scripting (XSS)
attacks when they would otherwise be prevented. (CVE-2016-2816)
Muneaki Nishimura discovered that the chrome.tabs.update API for web
extensions allows for navigation to javascript: URLs. A malicious
extension could potentially exploit this to conduct cross-site scripting
(XSS) attacks. (CVE-2016-2817)
Mark Goodwin discovered that about:healthreport accepts certain events
from any content present in the remote-report iframe. If another
vulnerability allowed the injection of web content in the remote-report
iframe, an attacker could potentially exploit this to change the user’s
sharing preferences. (CVE-2016-2820)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 12.04 LTS:
-
gtk3-engines-oxygen
1.0.2-0ubuntu3
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
Ansvif 1.4.2
Ansvif is “A Not So Very Intelligent Fuzzer”. It feeds garbage arguments and data into programs trying to induce a fault.