Monthly Archives: March 2017

Ubuntu

USN-3231-1: Pidgin vulnerability

Leave a comment

Ubuntu Security Notice USN-3231-1

14th March, 2017

pidgin vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Pidgin could be made to crash or run programs if it received specially
crafted network traffic.

Software description

  • pidgin
    – graphical multi-protocol instant messaging client for X

Details

Joseph Bisch discovered that Pidgin incorrectly handled certain xml
messages. A remote attacker could use this issue to cause Pidgin to crash,
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
libpurple0

1:2.10.9-0ubuntu3.4
Ubuntu 12.04 LTS:
libpurple0

1:2.10.3-0ubuntu1.8

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Pidgin to make all the
necessary changes.

References

CVE-2017-2640

Ubuntu

USN-3232-1: ImageMagick vulnerabilities

Leave a comment

Ubuntu Security Notice USN-3232-1

14th March, 2017

imagemagick vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in ImageMagick.

Software description

  • imagemagick
    – Image manipulation programs and library

Details

It was discovered that ImageMagick incorrectly handled certain malformed
image files. If a user or automated system using ImageMagick were tricked
into opening a specially crafted image, an attacker could exploit this to
cause a denial of service or possibly execute code with the privileges of
the user invoking the program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
libmagick++-6.q16-5v5

8:6.8.9.9-7ubuntu8.5
imagemagick

8:6.8.9.9-7ubuntu8.5
libmagickcore-6.q16-2-extra

8:6.8.9.9-7ubuntu8.5
imagemagick-6.q16

8:6.8.9.9-7ubuntu8.5
libmagickcore-6.q16-2

8:6.8.9.9-7ubuntu8.5
Ubuntu 16.04 LTS:
libmagick++-6.q16-5v5

8:6.8.9.9-7ubuntu5.6
imagemagick

8:6.8.9.9-7ubuntu5.6
libmagickcore-6.q16-2-extra

8:6.8.9.9-7ubuntu5.6
imagemagick-6.q16

8:6.8.9.9-7ubuntu5.6
libmagickcore-6.q16-2

8:6.8.9.9-7ubuntu5.6
Ubuntu 14.04 LTS:
libmagick++5

8:6.7.7.10-6ubuntu3.6
libmagickcore5-extra

8:6.7.7.10-6ubuntu3.6
libmagickcore5

8:6.7.7.10-6ubuntu3.6
imagemagick

8:6.7.7.10-6ubuntu3.6
Ubuntu 12.04 LTS:
libmagick++4

8:6.6.9.7-5ubuntu3.9
libmagickcore4

8:6.6.9.7-5ubuntu3.9
imagemagick

8:6.6.9.7-5ubuntu3.9
libmagickcore4-extra

8:6.6.9.7-5ubuntu3.9

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-6498,

CVE-2017-6499,

CVE-2017-6500

NVD

CVE-2017-6907

Leave a comment

An issue was discovered in Open.GL before 2017-03-13. The vulnerability exists due to insufficient filtration of user-supplied data (content) passed to the “Open.GL-master/index.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

NVD

CVE-2017-6905

Leave a comment

An issue was discovered in concrete5 <= 5.6.3.4. The vulnerability exists due to insufficient filtration of user-supplied data (disable_choose) passed to the “concrete5-legacy-master/web/concrete/tools/files/search_dialog.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

NVD

CVE-2017-6908

Leave a comment

An issue was discovered in concrete5 <= 5.6.3.4. The vulnerability exists due to insufficient filtration of user-supplied data (fID) passed to the “concrete5-legacy-master/web/concrete/tools/files/selector_data.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

NVD

CVE-2017-6909

Leave a comment

An issue was discovered in Shimmie <= 2.5.1. The vulnerability exists due to insufficient filtration of user-supplied data (log) passed to the “shimmie2-master/ext/chatbox/history/index.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

NVD

CVE-2017-6906

Leave a comment

An issue was discovered in SiberianCMS before 4.10.0. The vulnerability exists due to insufficient filtration of user-supplied data (log) passed to the the “SiberianCMS-master/errors/500.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.