Red Hat Security Advisory 2016-1223-01 – Red Hat OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service cloud based on Red Hat OpenStack Platform. Security Fix: An issue was discovered in the image build process for the overcloud images, as used by director, resulting in all previous images to have a default root password of “rootpw”. Remote root access via SSH is disabled by default.
Monthly Archives: June 2016
Red Hat Security Advisory 2016-1224-01
Red Hat Security Advisory 2016-1224-01 – KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager. Security Fix: An out-of-bounds read/write access flaw was found in the way QEMU’s VGA emulation with VESA BIOS Extensions support performed read/write operations using I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host’s QEMU process.
Red Hat Security Advisory 2016-1222-01
Red Hat Security Advisory 2016-1222-01 – Red Hat OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service cloud based on Red Hat OpenStack Platform. Security Fix: An issue was discovered in the image build process for the overcloud images, as used by director, resulting in all previous images to have a default root password of “rootpw”. Remote root access via SSH is disabled by default.
Let’s Encrypt Accidentally Spills 7,600 User Emails
Certificate authority Let’s Encrypt blamed a bug for accidentally disclosing the email addresses of a couple thousand of its users this weekend.
Samsung SW Update 2.2.7.22 Insecure ACLs
Samsung’s SW Update versions 2.2.7.22 and below suffer from having insecure ACLs on its directory allowing any authenticated user to escalate their privileges.
CVE-2014-9773
modules/chanserv/flags.c in Atheme before 7.2.7 allows remote attackers to modify the Anope FLAGS behavior by registering and dropping the (1) LIST, (2) CLEAR, or (3) MODIFY keyword nicks.
CVE-2015-8869
OCamel before 4.03.0 does not properly handle sign extensions, which allows remote attackers to conduct buffer overflow attacks or obtain sensitive information as demonstrated by a long string to the String.copy function.
CVE-2016-3698
libndp before 1.6, as used in NetworkManager, does not properly validate the origin of Neighbor Discovery Protocol (NDP) messages, which allows remote attackers to conduct man-in-the-middle attacks or cause a denial of service (network connectivity disruption) by advertising a node as a router from a non-local network.
CVE-2016-4353
ber-decoder.c in Libksba before 1.3.3 does not properly handle decoder stack overflows, which allows remote attackers to cause a denial of service (abort) via crafted BER data.
CVE-2016-4354
ber-decoder.c in Libksba before 1.3.3 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (crash) via crafted BER data, which leads to a buffer overflow.