Monthly Archives: May 2016
Google Defeats Oracle In Java Code Copyright Case
DDoS-As-A-Service Offered For Just Five Dollars
RHSA-2016:1132-1: Important: rh-mariadb100-mariadb security update
Red Hat Enterprise Linux: An update for rh-mariadb100-mariadb is now available for Red Hat Software
Collections.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2015-3210, CVE-2015-3217, CVE-2015-4792, CVE-2015-4802, CVE-2015-4815, CVE-2015-4816, CVE-2015-4819, CVE-2015-4826, CVE-2015-4830, CVE-2015-4836, CVE-2015-4858, CVE-2015-4861, CVE-2015-4870, CVE-2015-4879, CVE-2015-4895, CVE-2015-4913, CVE-2015-5073, CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2015-8391, CVE-2015-8392, CVE-2015-8395, CVE-2016-0505, CVE-2016-0546, CVE-2016-0596, CVE-2016-0597, CVE-2016-0598, CVE-2016-0600, CVE-2016-0606, CVE-2016-0608, CVE-2016-0609, CVE-2016-0610, CVE-2016-0616, CVE-2016-0640, CVE-2016-0641, CVE-2016-0642, CVE-2016-0643, CVE-2016-0644, CVE-2016-0646, CVE-2016-0647, CVE-2016-0648, CVE-2016-0649, CVE-2016-0650, CVE-2016-0651, CVE-2016-0655, CVE-2016-0666, CVE-2016-0668, CVE-2016-1283, CVE-2016-2047, CVE-2016-3191
USN-2985-2: GNU C Library regression
Ubuntu Security Notice USN-2985-2
26th May, 2016
eglibc, glibc regression
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
USN-2985-1 introduced a regression in the GNU C Library.
Software description
- eglibc
– GNU C Library - glibc
– GNU C Library
Details
USN-2985-1 fixed vulnerabilities in the GNU C Library. The fix for
CVE-2014-9761 introduced a regression which affected applications that
use the libm library but were not fully restarted after the upgrade.
This update removes the fix for CVE-2014-9761 and a future update
will be provided to address this issue.
We apologize for the inconvenience.
Original advisory details:
Martin Carpenter discovered that pt_chown in the GNU C Library did not
properly check permissions for tty files. A local attacker could use this
to gain administrative privileges or expose sensitive information.
(CVE-2013-2207, CVE-2016-2856)
Robin Hack discovered that the Name Service Switch (NSS) implementation in
the GNU C Library did not properly manage its file descriptors. An attacker
could use this to cause a denial of service (infinite loop).
(CVE-2014-8121)
Joseph Myers discovered that the GNU C Library did not properly handle long
arguments to functions returning a representation of Not a Number (NaN). An
attacker could use this to cause a denial of service (stack exhaustion
leading to an application crash) or possibly execute arbitrary code.
(CVE-2014-9761)
Arjun Shankar discovered that in certain situations the nss_dns code in the
GNU C Library did not properly account buffer sizes when passed an
unaligned buffer. An attacker could use this to cause a denial of service
or possibly execute arbitrary code. (CVE-2015-1781)
Sumit Bose and Lukas Slebodnik discovered that the Name Service
Switch (NSS) implementation in the GNU C Library did not handle long
lines in the files databases correctly. A local attacker could use
this to cause a denial of service (application crash) or possibly
execute arbitrary code. (CVE-2015-5277)
Adam Nielsen discovered that the strftime function in the GNU C Library did
not properly handle out-of-range argument data. An attacker could use this
to cause a denial of service (application crash) or possibly expose
sensitive information. (CVE-2015-8776)
Hector Marco and Ismael Ripoll discovered that the GNU C Library allowed
the pointer-guarding protection mechanism to be disabled by honoring the
LD_POINTER_GUARD environment variable across privilege boundaries. A local
attacker could use this to exploit an existing vulnerability more easily.
(CVE-2015-8777)
Szabolcs Nagy discovered that the hcreate functions in the GNU C Library
did not properly check its size argument, leading to an integer overflow.
An attacker could use to cause a denial of service (application crash) or
possibly execute arbitrary code. (CVE-2015-8778)
Maksymilian Arciemowicz discovered a stack-based buffer overflow in the
catopen function in the GNU C Library when handling long catalog names. An
attacker could use this to cause a denial of service (application crash) or
possibly execute arbitrary code. (CVE-2015-8779)
Florian Weimer discovered that the getnetbyname implementation in the GNU C
Library did not properly handle long names passed as arguments. An attacker
could use to cause a denial of service (stack exhaustion leading to an
application crash). (CVE-2016-3075)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.10:
-
libc-bin
2.21-0ubuntu4.3
-
libc6-dev
2.21-0ubuntu4.3
-
libc6
2.21-0ubuntu4.3
- Ubuntu 14.04 LTS:
-
libc-bin
2.19-0ubuntu6.9
-
libc6-dev
2.19-0ubuntu6.9
-
libc6
2.19-0ubuntu6.9
- Ubuntu 12.04 LTS:
-
libc-bin
2.15-0ubuntu10.15
-
libc6-dev
2.15-0ubuntu10.15
-
libc6
2.15-0ubuntu10.15
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to
make all the necessary changes.
References
DSA-3587 libgd2 – security update
Several vulnerabilities were discovered in libgd2, a library for
programmatic graphics creation and manipulation. A remote attacker can
take advantage of these flaws to cause a denial-of-service against an
application using the libgd2 library.
Microsoft Moves Against Bad Passwords
Microsoft says enterprises need to ban common passwords and rethink outdated ideas about what makes a strong password.
Raspberry Pi 3 to get official Android OS support
It’s fair to say the success of the ARM-powered Raspberry Pi computers have surpassed expectations and have been a godsend to hobbyists, hackers, and students.
If you’re one of those people looking for unofficial hacks to install Android OS on a Raspberry Pi device, then stop and wait for the official release.
Raspberry Pi computers have largely been Linux affairs, as several Linux
Google Releases Security Update for Chrome
Original release date: May 26, 2016
Google has released Chrome version 51.0.2704.63 to address multiple vulnerabilities for Windows, Mac, and Linux. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.
US-CERT encourages users and administrators to review the Chrome Releases page and apply the necessary update.
This product is provided subject to this Notification and this Privacy & Use policy.
CVE-2016-0718 (debian_linux, expat, ubuntu_linux)
Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.