Ubuntu Security Notice 3119-1 – Tony Finch and Marco Davids discovered that Bind incorrectly handled certain responses containing a DNAME answer. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
Monthly Archives: November 2016
Ubuntu Security Notice USN-3117-1
Ubuntu Security Notice 3117-1 – Ibrahim El-Sayed discovered that the GD library incorrectly handled certain malformed Tiff images. If a user or automated system were tricked into processing a specially crafted Tiff image, an attacker could cause a denial of service. Ke Liu discovered that the GD library incorrectly handled certain integers when processing WebP images. If a user or automated system were tricked into processing a specially crafted WebP image, an attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. Various other issues were also addressed.
Ubuntu Security Notice USN-3115-1
Ubuntu Security Notice 3115-1 – Marti Raudsepp discovered that Django incorrectly used a hardcoded password when running tests on an Oracle database. A remote attacker could possibly connect to the database while the tests are running and prevent the test user with the hardcoded password from being removed. Aymeric Augustin discovered that Django incorrectly validated hosts when being run with the debug setting enabled. A remote attacker could possibly use this issue to perform DNS rebinding attacks. Various other issues were also addressed.
Ubuntu Security Notice USN-3116-1
Ubuntu Security Notice 3116-1 – It was discovered that DBus incorrectly validated the source of ActivationFailure signals. A local attacker could use this issue to cause a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. It was discovered that DBus incorrectly handled certain format strings. A local attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue is only exposed to unprivileged users when the fix for CVE-2015-0245 is not applied, hence this issue is only likely to affect Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 16.04 LTS and Ubuntu 16.10 have been updated as a preventative measure in the event that a new attack vector for this issue is discovered. Various other issues were also addressed.
Ubuntu Security Notice USN-3118-1
Ubuntu Security Notice 3118-1 – It was discovered that the Mailman administrative web interface did not protect against cross-site request forgery attacks. If an authenticated user were tricked into visiting a malicious website while logged into Mailman, a remote attacker could perform administrative actions. This issue only affected Ubuntu 12.04 LTS. Nishant Agarwala discovered that the Mailman user options page did not protect against cross-site request forgery attacks. If an authenticated user were tricked into visiting a malicious website while logged into Mailman, a remote attacker could modify user options. Various other issues were also addressed.
Researchers Claim Wickr Patched Flaws But Didn't Pay Rewards
CVE-2016-7855 (flash_player)
Use-after-free vulnerability in Adobe Flash Player before 23.0.0.205 on Windows and OS X and before 11.2.202.643 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in October 2016.
Microsoft Says Russian APT Group Behind Zero-Day Attacks
Microsoft said Russian APT group Sofacy, which has ties to the country’s military intelligence operations, has been using Windows kernel and Adobe Flash zero-day vulnerabilities in targeted attacks.
Freefloat FTP Server 1.0 ABOR Buffer Overflow
Freefloat FTP server version 1.0 ABOR command buffer overflow exploit.
ISC Releases Security Updates for BIND
Original release date: November 01, 2016
The Internet Systems Consortium (ISC) has released updates that address a vulnerability in BIND. Exploitation of this vulnerability may allow a remote attacker to cause a denial-of-service condition.
Available updates include:
- BIND 9 version 9.9.9-P4
- BIND 9 version 9.10.4-P4
- BIND 9 version 9.11.0-P1
- BIND 9 version 9.9.9-S6
Users and administrators are encouraged to review ISC Knowledge Base Article AA-01434 and apply the necessary updates.