RHSA-2016:0708-1: Critical: java-1.6.0-ibm security update

Red Hat Enterprise Linux: An update for java-1.6.0-ibm is now available for Red Hat Enterprise Linux 5
Supplementary and Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2016-0264, CVE-2016-0363, CVE-2016-0376, CVE-2016-0686, CVE-2016-0687, CVE-2016-3422, CVE-2016-3426, CVE-2016-3427, CVE-2016-3443, CVE-2016-3449

RHSA-2016:0707-1: Important: chromium-browser security update

Red Hat Enterprise Linux: An update for chromium-browser is now available for Red Hat Enterprise Linux 6
Supplementary.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2016-1660, CVE-2016-1661, CVE-2016-1662, CVE-2016-1663, CVE-2016-1664, CVE-2016-1665, CVE-2016-1666

RHSA-2016:0706-1: Important: mercurial security update

Red Hat Enterprise Linux: An update for mercurial is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2016-3068, CVE-2016-3069

RHSA-2016:0705-1: Critical: rh-mysql56-mysql security update

Red Hat Enterprise Linux: An update for rh-mysql56-mysql is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2015-4792, CVE-2015-4800, CVE-2015-4802, CVE-2015-4815, CVE-2015-4826, CVE-2015-4830, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4862, CVE-2015-4870, CVE-2015-4890, CVE-2015-4910, CVE-2015-4913, CVE-2016-0503, CVE-2016-0504, CVE-2016-0505, CVE-2016-0546, CVE-2016-0595, CVE-2016-0596, CVE-2016-0597, CVE-2016-0598, CVE-2016-0600, CVE-2016-0605, CVE-2016-0606, CVE-2016-0607, CVE-2016-0608, CVE-2016-0609, CVE-2016-0610, CVE-2016-0611, CVE-2016-0639, CVE-2016-0640, CVE-2016-0641, CVE-2016-0642, CVE-2016-0643, CVE-2016-0644, CVE-2016-0646, CVE-2016-0647, CVE-2016-0648, CVE-2016-0649, CVE-2016-0650, CVE-2016-0655, CVE-2016-0661, CVE-2016-0665, CVE-2016-0666, CVE-2016-0668, CVE-2016-2047

USN-2957-1: Libtasn1 vulnerability

Ubuntu Security Notice USN-2957-1

2nd May, 2016

libtasn1-3, libtasn1-6 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Libtasn1 could be made to hang if it processed specially crafted data.

Software description

  • libtasn1-3
    – Library to manage ASN.1 structures

  • libtasn1-6
    – Library to manage ASN.1 structures

Details

Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled
certain malformed DER certificates. A remote attacker could possibly use
this issue to cause applications using Libtasn1 to hang, resulting in a
denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:
libtasn1-6

4.5-2ubuntu0.1
Ubuntu 14.04 LTS:
libtasn1-6

3.4-3ubuntu0.4
Ubuntu 12.04 LTS:
libtasn1-3

2.10-1ubuntu1.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-4008

USN-2958-1: poppler vulnerabilities

Ubuntu Security Notice USN-2958-1

2nd May, 2016

poppler vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

poppler could be made to crash or run programs if it opened a specially
crafted file.

Software description

  • poppler
    – PDF rendering library

Details

It was discovered that the poppler pdfseparate tool incorrectly handled
certain filenames. A local attacker could use this issue to cause the tool
to crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only applied to Ubuntu 12.04 LTS. (CVE-2013-4473,
CVE-2013-4474)

It was discovered that poppler incorrectly parsed certain malformed PDF
documents. If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause a denial of service or possibly
execute arbitrary code with privileges of the user invoking the program.
(CVE-2015-8868)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:
poppler-utils

0.33.0-0ubuntu3.1
libpoppler-cpp0

0.33.0-0ubuntu3.1
libpoppler-glib8

0.33.0-0ubuntu3.1
libpoppler-qt5-1

0.33.0-0ubuntu3.1
libpoppler-qt4-4

0.33.0-0ubuntu3.1
libpoppler52

0.33.0-0ubuntu3.1
Ubuntu 14.04 LTS:
poppler-utils

0.24.5-2ubuntu4.4
libpoppler-qt4-4

0.24.5-2ubuntu4.4
libpoppler44

0.24.5-2ubuntu4.4
libpoppler-glib8

0.24.5-2ubuntu4.4
libpoppler-cpp0

0.24.5-2ubuntu4.4
libpoppler-qt5-1

0.24.5-2ubuntu4.4
Ubuntu 12.04 LTS:
libpoppler-glib8

0.18.4-1ubuntu3.2
libpoppler-cpp0

0.18.4-1ubuntu3.2
libpoppler-qt4-3

0.18.4-1ubuntu3.2
libpoppler19

0.18.4-1ubuntu3.2
poppler-utils

0.18.4-1ubuntu3.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-4473,

CVE-2013-4474,

CVE-2015-8868

USN-2957-2: Libtasn1 vulnerability

Ubuntu Security Notice USN-2957-2

2nd May, 2016

libtasn1-6 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS

Summary

Libtasn1 could be made to hang if it processed specially crafted data.

Software description

  • libtasn1-6
    – Library to manage ASN.1 structures

Details

USN-2957-1 fixed a vulnerability in Libtasn1. This update provides the
corresponding update for Ubuntu 16.04 LTS.

Original advisory details:

Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled
certain malformed DER certificates. A remote attacker could possibly use
this issue to cause applications using Libtasn1 to hang, resulting in a
denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
libtasn1-6

4.7-3ubuntu0.16.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-4008

USN-2936-2: Oxygen-GTK3 update

Ubuntu Security Notice USN-2936-2

2nd May, 2016

oxygen-gtk3 update

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

USN-2936-1 caused Firefox to crash on startup with the Oxygen GTK theme

Software description

  • oxygen-gtk3
    – Oxygen widget theme for GTK3-based applications

Details

USN-2936-1 fixed vulnerabilities in Firefox. The update caused Firefox to
crash on startup with the Oxygen GTK theme due to a pre-existing bug in
the Oxygen-GTK3 theme engine. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Christian Holler, Tyson Smith, Phil Ringalda, Gary Kwong, Jesse Ruderman,
Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter, Randell Jesup,
Andrew McCreight, and Steve Fink discovered multiple memory safety issues
in Firefox. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit these to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-2804, CVE-2016-2806,
CVE-2016-2807)

An invalid write was discovered when using the JavaScript .watch() method in
some circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-2808)

Looben Yang discovered a use-after-free and buffer overflow in service
workers. If a user were tricked in to opening a specially crafted website,
an attacker could potentially exploit these to cause a denial of service
via application crash, or execute arbitrary code with the privileges of
the user invoking Firefox. (CVE-2016-2811, CVE-2016-2812)

Sascha Just discovered a buffer overflow in libstagefright in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-2814)

Muneaki Nishimura discovered that CSP is not applied correctly to web
content sent with the multipart/x-mixed-replace MIME type. An attacker
could potentially exploit this to conduct cross-site scripting (XSS)
attacks when they would otherwise be prevented. (CVE-2016-2816)

Muneaki Nishimura discovered that the chrome.tabs.update API for web
extensions allows for navigation to javascript: URLs. A malicious
extension could potentially exploit this to conduct cross-site scripting
(XSS) attacks. (CVE-2016-2817)

Mark Goodwin discovered that about:healthreport accepts certain events
from any content present in the remote-report iframe. If another
vulnerability allowed the injection of web content in the remote-report
iframe, an attacker could potentially exploit this to change the user’s
sharing preferences. (CVE-2016-2820)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
gtk3-engines-oxygen

1.0.2-0ubuntu3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1575781