USN-3122-1: NVIDIA graphics drivers vulnerabilities

Ubuntu Security Notice USN-3122-1

3rd November, 2016

nvidia-graphics-drivers-304, nvidia-graphics-drivers-340, nvidia-graphics-drivers-367 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

NVIDIA graphics drivers could be made to run programs as an administrator.

Software description

  • nvidia-graphics-drivers-304
    – NVIDIA binary X.Org driver

  • nvidia-graphics-drivers-340
    – NVIDIA binary X.Org driver

  • nvidia-graphics-drivers-367
    – NVIDIA binary X.Org driver

Details

It was discovered that the NVIDIA graphics drivers incorrectly sanitized
user mode inputs. A local attacker could use this issue to possibly gain
root privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
  • nvidia-331: 340.98-0ubuntu0.16.04.1
  • nvidia-current: 304.132-0ubuntu0.16.04.2
  • nvidia-340-updates: 340.98-0ubuntu0.16.04.1
  • nvidia-340: 340.98-0ubuntu0.16.04.1
  • nvidia-331-updates: 340.98-0ubuntu0.16.04.1
  • nvidia-361: 367.57-0ubuntu0.16.04.1
  • nvidia-367: 367.57-0ubuntu0.16.04.1
  • nvidia-304-updates: 304.132-0ubuntu0.16.04.2
  • nvidia-304: 304.132-0ubuntu0.16.04.2

Ubuntu 14.04 LTS:
  • nvidia-331: 340.98-0ubuntu0.14.04.1
  • nvidia-current: 304.132-0ubuntu0.14.04.2
  • nvidia-352: 367.57-0ubuntu0.14.04.1
  • nvidia-340-updates: 340.98-0ubuntu0.14.04.1
  • nvidia-340: 340.98-0ubuntu0.14.04.1
  • nvidia-331-updates: 340.98-0ubuntu0.14.04.1
  • nvidia-304: 304.132-0ubuntu0.14.04.2
  • nvidia-367: 367.57-0ubuntu0.14.04.1
  • nvidia-304-updates: 304.132-0ubuntu0.14.04.2
  • nvidia-352-updates: 367.57-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  • nvidia-331: 340.98-0ubuntu0.12.04.1
  • nvidia-current: 304.132-0ubuntu0.12.04.1
  • nvidia-340-updates: 340.98-0ubuntu0.12.04.1
  • nvidia-340: 340.98-0ubuntu0.12.04.1
  • nvidia-331-updates: 340.98-0ubuntu0.12.04.1
  • nvidia-304-updates: 304.132-0ubuntu0.12.04.1
  • nvidia-304: 304.132-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-7382, CVE-2016-7389

USN-3123-1: curl vulnerabilities

Ubuntu Security Notice USN-3123-1

3rd November, 2016

curl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in curl.

Software description

  • curl
    – HTTP, HTTPS, and FTP client and client libraries

Details

It was discovered that curl incorrectly reused client certificates when
built with NSS. A remote attacker could possibly use this issue to hijack
the authentication of a TLS connection. (CVE-2016-7141)

Nguyen Vu Hoang discovered that curl incorrectly handled escaping certain
strings. A remote attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-7167)

It was discovered that curl incorrectly handled storing cookies. A remote
attacker could possibly use this issue to inject cookies for arbitrary
domains in the cookie jar. (CVE-2016-8615)

It was discovered that curl incorrectly handled case when comparing user
names and passwords. A remote attacker with knowledge of a case-insensitive
version of the correct password could possibly use this issue to cause
a connection to be reused. (CVE-2016-8616)

It was discovered that curl incorrectly handled memory when encoding to
base64. A remote attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-8617)

It was discovered that curl incorrectly handled memory when preparing
formatted output. A remote attacker could possibly use this issue to cause
curl to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-8618)

It was discovered that curl incorrectly handled memory when performing
Kerberos authentication. A remote attacker could possibly use this issue to
cause curl to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-8619)

Luật Nguyễn discovered that curl incorrectly handled parsing globs. A
remote attacker could possibly use this issue to cause curl to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-8620)

Luật Nguyễn discovered that curl incorrectly handled converting dates. A
remote attacker could possibly use this issue to cause curl to crash,
resulting in a denial of service. (CVE-2016-8621)

It was discovered that curl incorrectly handled URL percent-encoding
decoding. A remote attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-8622)

It was discovered that curl incorrectly handled shared cookies. A remote
server could possibly obtain incorrect cookies or other sensitive
information. (CVE-2016-8623)

Fernando Muñoz discovered that curl incorrectly parsed certain URLs. A remote
attacker could possibly use this issue to trick curl into connecting to a
different host. (CVE-2016-8624)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • libcurl3-nss: 7.50.1-1ubuntu1.1
  • libcurl3-gnutls: 7.50.1-1ubuntu1.1
  • libcurl3: 7.50.1-1ubuntu1.1

Ubuntu 16.04 LTS:
  • libcurl3-nss: 7.47.0-1ubuntu2.2
  • libcurl3-gnutls: 7.47.0-1ubuntu2.2
  • libcurl3: 7.47.0-1ubuntu2.2

Ubuntu 14.04 LTS:
  • libcurl3-nss: 7.35.0-1ubuntu2.10
  • libcurl3-gnutls: 7.35.0-1ubuntu2.10
  • libcurl3: 7.35.0-1ubuntu2.10

Ubuntu 12.04 LTS:
  • libcurl3-nss: 7.22.0-3ubuntu4.17
  • libcurl3-gnutls: 7.22.0-3ubuntu4.17
  • libcurl3: 7.22.0-3ubuntu4.17

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-7141, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624

New Panda Security Loyalty Program

We’ve a plan for you: Discover the New Panda Security Loyalty Program

We have good news for you. Here at Panda Security we have launched a new Customer Loyalty Program to reward our customers with more favorable renewal conditions.

The Plan includes special renewal discounts that will increase year after year to reach 50% from your third renewal onward. That is, the longer you stay with us, the more you’ll save.

How do you join the program?

It’s as easy as selecting the auto-renewal option when you first purchase your product. That way, you’ll ensure you are always protected with the latest advances in computer security and the best services to ease and protect your digital life at the best price.

Also, do not forget to get the most out of your protection: it is much more than a simple antivirus.

Panda’s protection offers you features like:

1. Wifi monitor that helps you to control the devices that use your network, being able to block those that could be using it without permission. Goodbye neighbors!

2. Parental Control to keep your children safe from content that is not appropriate for their age.

3. Data protection so you can browse and shop online without fear of having your personal information stolen.

4. Devices optimization so that they always perform as if they were new.

5. Password Management to manage from a single tool the different passwords of services like email, online bank or your Netflix account.

6. Protection for mobile devices:

7. We also offer Support service to our Premium Gold Protection customers. It will be like having a computer technician at home.

Stop worrying and join our plan.

The post New Panda Security Loyalty Program appeared first on Panda Security Mediacenter.

CVE-2016-9189

Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the “crafted image file” approach, related to an “Integer Overflow” issue affecting the Image.core.map_buffer in map.c component. (CVSS:4.3) (Last Update:2016-11-04)

CVE-2016-9190

Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the “crafted image file” approach, related to an “Insecure Sign Extension” issue affecting the ImagingNew in Storage.c component. (CVSS:6.8) (Last Update:2016-11-04)

CVE-2016-9176 (rumba)

Stack buffer overflow in the send.exe and receive.exe components of Micro Focus Rumba 9.4 and earlier could be used by local attackers or attackers able to inject arguments to these binaries to execute code.

CVE-2016-8869

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site. (CVSS:7.5) (Last Update:2016-11-07)