Red Hat Enterprise Linux: An updated Windows Azure Linux Agent package is now available in the Extras
channel of Red Hat Enterprise Linux 7.
Monthly Archives: March 2017
RHBA-2017:0474-1: CFME 5.6.4 bug fixes and enhancement update
Red Hat Enterprise Linux: Updated cfme packages that fix bugs and add various enhancements
are now available for Red Hat CloudForms 4.1.
USN-3223-1: KDE-Libs vulnerability
Ubuntu Security Notice USN-3223-1
9th March, 2017
kde4libs vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
KDE-Libs could be made to expose sensitive information over the network.
Software description
- kde4libs
– KDE 4 core applications and libraries
Details
Itzik Kotler, Yonatan Fridburg, and Amit Klein discovered that KDE-Libs
incorrectly handled certain PAC files. A remote attacker could possibly use
this issue to obtain sensitive information.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.04 LTS:
-
kdelibs5-plugins
4:4.13.3-0ubuntu0.4
- Ubuntu 12.04 LTS:
-
kdelibs5-plugins
4:4.8.5-0ubuntu0.6
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
References
USN-3224-1: LXC vulnerability
Ubuntu Security Notice USN-3224-1
9th March, 2017
lxc vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary
LXC could be made to create arbitrary virtual network interfaces as an
administrator.
Software description
- lxc
– Linux Containers userspace tools
Details
Jann Horn discovered that LXC incorrectly verified permissions when creating
virtual network interfaces. A local attacker could possibly use this issue to
create virtual network interfaces in network namespaces that they do not own.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 16.10:
-
lxc-common
2.0.7-0ubuntu1~16.10.2
- Ubuntu 16.04 LTS:
-
lxc-common
2.0.7-0ubuntu1~16.04.2
- Ubuntu 14.04 LTS:
-
lxc
1.0.9-0ubuntu3
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
USN-3225-1: libarchive vulnerabilities
Ubuntu Security Notice USN-3225-1
9th March, 2017
libarchive vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
libarchive could be made to crash, overwrite files, or run programs as your
login if it opened a specially crafted file.
Software description
- libarchive
– Library to read/write archive files
Details
It was discovered that libarchive incorrectly handled hardlink entries when
extracting archives. A remote attacker could possibly use this issue to
overwrite arbitrary files. (CVE-2016-5418)
Christian Wressnegger, Alwin Maier, and Fabian Yamaguchi discovered that
libarchive incorrectly handled filename lengths when writing ISO9660
archives. A remote attacker could use this issue to cause libarchive to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and
Ubuntu 16.04 LTS. (CVE-2016-6250)
Alexander Cherepanov discovered that libarchive incorrectly handled
recursive decompressions. A remote attacker could possibly use this issue
to cause libarchive to hang, resulting in a denial of service. This issue
only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-7166)
It was discovered that libarchive incorrectly handled non-printable
multibyte characters in filenames. A remote attacker could possibly use
this issue to cause libarchive to crash, resulting in a denial of service.
(CVE-2016-8687)
It was discovered that libarchive incorrectly handled line sizes when
extracting certain archives. A remote attacker could possibly use this
issue to cause libarchive to crash, resulting in a denial of service.
(CVE-2016-8688)
It was discovered that libarchive incorrectly handled multiple EmptyStream
attributes when extracting certain 7zip archives. A remote attacker could
possibly use this issue to cause libarchive to crash, resulting in a denial
of service. (CVE-2016-8689)
Jakub Jirasek discovered that libarchive incorrectly handled memory when
extracting certain archives. A remote attacker could possibly use this
issue to cause libarchive to crash, resulting in a denial of service.
(CVE-2017-5601)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 16.10:
-
libarchive13
3.2.1-2ubuntu0.1
- Ubuntu 16.04 LTS:
-
libarchive13
3.1.2-11ubuntu0.16.04.3
- Ubuntu 14.04 LTS:
-
libarchive13
3.1.2-7ubuntu2.4
- Ubuntu 12.04 LTS:
-
libarchive12
3.0.3-6ubuntu1.4
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
CVE-2015-2330
Late TLS certificate verification in WebKitGTK+ prior to 2.6.6 allows remote attackers to view a secure HTTP request, including, for example, secure cookies.
CVE-2017-5872
The TCP/IP networking module in Unisys ClearPath MCP systems with TCP-IP-SW 57.1 before 57.152, 58.1 before 58.142, or 59.1 before 59.172, when running a TLS 1.2 service, allows remote attackers to cause a denial of service (network connectivity disruption) via a client hello with a signature_algorithms extension above those defined in RFC 5246, which triggers a full memory dump.
CVE-2017-6311
gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to printing an error message.
CVE-2017-6312
Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file, which triggers an out-of-bounds read, related to compiler optimizations.
CVE-2017-6355
Integer overflow in the vrend_create_shader function in vrend_renderer.c in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (process crash) via crafted pkt_length and offlen values, which trigger an out-of-bounds access.