Red Hat Enterprise Linux: New kmod-sfc packages are now available for Red Hat Enterprise Linux 7.
Monthly Archives: September 2016
RHEA-2016:1976-1: new packages: kmod-bnxt_en
Red Hat Enterprise Linux: New kmod-bnxt_en packages are now available for Red Hat Enterprise Linux 7.
RHEA-2016:1975-1: new packages: kmod-lpfc
Red Hat Enterprise Linux: New kmod-lpfc packages are now available for Red Hat Enterprise Linux 7.
RHBA-2016:1971-1: cockpit-ovirt for RHV 4.0.4
Red Hat Enterprise Linux: Bugfixes for cockpit-ovirt 4.0.4
USN-3094-1: Systemd vulnerability
Ubuntu Security Notice USN-3094-1
29th September, 2016
systemd vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary
The system could be made unavailable under certain conditions.
Software description
- systemd – system and service manager
Details
Andrew Ayer discovered that Systemd improperly handled zero-length notification messages. A local unprivileged attacker could use this to cause a denial of service (init crash leading to system unavailability).
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 16.04 LTS: systemd 229-4ubuntu10
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
CVE-2016-6636
The OAuth authorization implementation in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.1; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 mishandles redirect_uri subdomains, which allows remote attackers to obtain implicit access tokens via a modified subdomain.
CVE-2016-6637
Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allow remote attackers to hijack the authentication of unspecified victims for requests that approve or deny a scope via a profile or authorize approval page.
CVE-2016-6647
Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 4.0.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-6651
The UAA /oauth/token endpoint in Pivotal Cloud Foundry (PCF) before 243; UAA 2.x before 2.7.4.8, 3.x before 3.3.0.6, and 3.4.x before 3.4.5; UAA BOSH before 11.7 and 12.x before 12.6; Elastic Runtime before 1.6.40, 1.7.x before 1.7.21, and 1.8.x before 1.8.2; and Ops Manager 1.7.x before 1.7.13 and 1.8.x before 1.8.1 allows remote authenticated users to gain privileges by leveraging possession of a token.
DSA-3682 c-ares – security update
Gzob Qq discovered that the query-building functions in c-ares, an asynchronous DNS request library, would not correctly process crafted query names, resulting in a heap buffer overflow and potentially leading to arbitrary code execution.