Resolved Bugs
1196750 – drupal7-entity-1.6 is available
## 7.x-1.6
See [SA-CONTRIB-2015-053 – Entity API – Cross Site Scripting (XSS)](https://www.drupal.org/node/2437905)
Changes since 7.x-1.5:
– by klausi: Sanitize field labels before passing them to the Token API.
– Issue #2264079 by Amitaibu, fago: Fixed $wrapper->access() might be wrong for single entity reference field.
– Issue #2039601 by DuaelFr, fago: Added Ease EntityMetadataWrapper usage with a getter.
– Issue #2160355 by wodenx, gmercer, fgm, jgullstr: Fixed Trying to get property of non-object in entity_metadata_user_access().
– Issue #1651824 by meatsack | joachim: Fixed ‘entity_test’ table has incorrect declaration of foreign keys.
– Issue #2309697 by kristiaanvandeneynde; joachim: Fixed variable mistake in entity_views_handler_relationship_by_bundle.
– Issue #2003826 by greenmother, stella, jazzdrive3, fago: Fixed template_preprocess_entity does not check for existing ‘path’ index.
– Issue #1104286: Support generating database schema for date properties.
– Issue #2013473 by fietserwin: Title attribute of image field not listed as possible token.
Fedora EPEL 6 Security Update: drupal7-entity-1.6-1.el6
Resolved Bugs
1196750 – drupal7-entity-1.6 is available
## 7.x-1.6
See [SA-CONTRIB-2015-053 – Entity API – Cross Site Scripting (XSS)](https://www.drupal.org/node/2437905)
Changes since 7.x-1.5:
– by klausi: Sanitize field labels before passing them to the Token API.
– Issue #2264079 by Amitaibu, fago: Fixed $wrapper->access() might be wrong for single entity reference field.
– Issue #2039601 by DuaelFr, fago: Added Ease EntityMetadataWrapper usage with a getter.
– Issue #2160355 by wodenx, gmercer, fgm, jgullstr: Fixed Trying to get property of non-object in entity_metadata_user_access().
– Issue #1651824 by meatsack | joachim: Fixed ‘entity_test’ table has incorrect declaration of foreign keys.
– Issue #2309697 by kristiaanvandeneynde; joachim: Fixed variable mistake in entity_views_handler_relationship_by_bundle.
– Issue #2003826 by greenmother, stella, jazzdrive3, fago: Fixed template_preprocess_entity does not check for existing ‘path’ index.
– Issue #1104286: Support generating database schema for date properties.
– Issue #2013473 by fietserwin: Title attribute of image field not listed as possible token.
Fedora EPEL 6 Security Update: libpng10-1.0.63-1.el6
Resolved Bugs
1196912 – libpng10-1.0.63 is available
1179186 – CVE-2014-9495 libpng: buffer overflow in png_combine_row
1177327 – CVE-2015-0973 libpng: Heap-buffer overflow png_combine_row() with very wide interlaced images
This update addresses a couple of buffer overflows that might allow context-dependent attackers to execute arbitrary code via very wide PNG images.
Apache Standard Taglibs 1.2.1 XXE / Remote Command Execution
Apache Standard Taglibs version 1.2.1 suffers from XXE and remote command execution vulnerabilities via the XSL extension in JSTL XML tags.
Tcl 1.16 Cross Site Scripting
Tcl versions 1.0.0 through 1.16 suffer from a cross site scripting vulnerability.
Fedora 22 Security Update: drupal7-entity-1.6-1.fc22
Resolved Bugs
1196750 – drupal7-entity-1.6 is available
## 7.x-1.6
See [SA-CONTRIB-2015-053 – Entity API – Cross Site Scripting (XSS)](https://www.drupal.org/node/2437905)
Changes since 7.x-1.5:
– by klausi: Sanitize field labels before passing them to the Token API.
– Issue #2264079 by Amitaibu, fago: Fixed $wrapper->access() might be wrong for single entity reference field.
– Issue #2039601 by DuaelFr, fago: Added Ease EntityMetadataWrapper usage with a getter.
– Issue #2160355 by wodenx, gmercer, fgm, jgullstr: Fixed Trying to get property of non-object in entity_metadata_user_access().
– Issue #1651824 by meatsack | joachim: Fixed ‘entity_test’ table has incorrect declaration of foreign keys.
– Issue #2309697 by kristiaanvandeneynde; joachim: Fixed variable mistake in entity_views_handler_relationship_by_bundle.
– Issue #2003826 by greenmother, stella, jazzdrive3, fago: Fixed template_preprocess_entity does not check for existing ‘path’ index.
– Issue #1104286: Support generating database schema for date properties.
– Issue #2013473 by fietserwin: Title attribute of image field not listed as possible token.
Fedora 22 Security Update: suricata-2.0.7-1.fc22
This release fixes a parsing issue in the DCERPC parser that can happen when Suricata runs out of memory. The exact scope of the problem isn’t clear, but it could certainly lead to crashes. CVE-2015-0928 is assigned for this. The second issue is that certain characters in the URI could confuse the parsing of the HTTP request line, leading to possible detection bypass for ‘http_uri’ and to incomplete logging of the URI. Upgrading is recommended.
Fedora 22 Security Update: libpng10-1.0.63-1.fc22
Resolved Bugs
1196912 – libpng10-1.0.63 is available
1179186 – CVE-2014-9495 libpng: buffer overflow in png_combine_row
1177327 – CVE-2015-0973 libpng: Heap-buffer overflow png_combine_row() with very wide interlaced images
This update addresses a couple of buffer overflows that might allow context-dependent attackers to execute arbitrary code via very wide PNG images.
Pharming Attack Targets Home Router DNS Settings
A pharming attack has been detected targeting home routers distributed from Brazil’s largest telco, a rare instance of a web-based attack changing DNS settings in order to redirect traffic.