Red Hat Enterprise Linux: Updated rsync packages that fix one bug are now available for Red Hat Enterprise
Linux 5 Extended Update Support.
Monthly Archives: October 2014
USN-2373-1: Thunderbird vulnerabilities
Ubuntu Security Notice USN-2373-1
15th October, 2014
thunderbird vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in Thunderbird.
Software description
- thunderbird – Mozilla Open Source mail and newsgroup client
Details
Bobby Holley, Christian Holler, David Bolter, Byron Campen and Jon
Coppeard discovered multiple memory safety issues in Thunderbird. If a
user were tricked into opening a specially crafted message with scripting
enabled, an attacker could potentially exploit these to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Thunderbird. (CVE-2014-1574)
Atte Kettunen discovered a buffer overflow during CSS manipulation. If a
user were tricked into opening a specially crafted message, an attacker
could potentially exploit this to cause a denial of service via
application crash or execute arbitrary code with the privileges of the
user invoking Thunderbird. (CVE-2014-1576)
Holger Fuhrmannek discovered an out-of-bounds read with Web Audio. If a
user were tricked into opening a specially crafted message with scripting
enabled, an attacker could potentially exploit this to steal sensitive
information. (CVE-2014-1577)
Abhishek Arya discovered an out-of-bounds write when buffering WebM video
in some circumstances. If a user were tricked into opening a specially
crafted message with scripting enabled, an attacker could potentially
exploit this to cause a denial of service via application crash or execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2014-1578)
A use-after-free was discovered during text layout in some circumstances.
If a user were tricked into opening a specially crafted message with
scripting enabled, an attacker could potentially exploit this to cause a
denial of service via application crash or execute arbitrary code with
the privileges of the user invoking Thunderbird. (CVE-2014-1581)
Eric Shepherd and Jan-Ivar Bruaroey discovered issues with video sharing
via WebRTC in iframes, where video continues to be shared after being
stopped and navigating to a new site doesn’t turn off the camera. An
attacker could potentially exploit this to access the camera without the
user being aware. (CVE-2014-1585, CVE-2014-1586)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.04 LTS:
  - thunderbird 1:31.2.0+build2-0ubuntu0.14.04.1
- Ubuntu 12.04 LTS:
  - thunderbird 1:31.2.0+build2-0ubuntu0.12.04.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
USN-2384-1: MySQL vulnerabilities
Ubuntu Security Notice USN-2384-1
15th October, 2014
mysql-5.5 vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in MySQL.
Software description
- mysql-5.5 – MySQL database
Details
Multiple security issues were discovered in MySQL and this update includes
a new upstream MySQL version to fix these issues. MySQL has been updated to
5.5.40.
In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.
Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.04 LTS:
  - mysql-server-5.5 5.5.40-0ubuntu0.14.04.1
- Ubuntu 12.04 LTS:
  - mysql-server-5.5 5.5.40-0ubuntu0.12.04.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
Mobile Device Encryption Could Lead to a ‘Very, Very Dark Place’, FBI Director Says
FBI Director James Comey said Thursday that the recent movement toward default encryption of smartphones and other devices could “lead us to a very, very dark place.” Echoing comments made by law enforcement officials for the last several decades, Comey said that the advanced cryptosystems available today threaten to cripple the ability of intelligence and law […]
[CORE-2014-0007] - SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
Posted by CORE Advisories Team on Oct 16
Core Security – Corelabs Advisory
http://corelabs.coresecurity.com/
SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
1. **Advisory Information**
Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service
Vulnerability
Advisory ID: CORE-2014-0007
Advisory URL:
http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
Date published: 2014-10-15
Date of last…
Fedora 21 Security Update: rubygem-httpclient-2.4.0-2.fc21
Updated to 2.4.0, which stops hard-coding SSLv3 and allows SSL negotiation.
Fedora 21 Security Update: php-5.6.2-1.fc21
16 Oct 2014, PHP 5.6.2
Core:
* Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669) (Stas)
cURL:
* Fixed bug #68089 (NULL byte injection – cURL lib). (Stas)
EXIF:
* Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670) (Stas)
XMLRPC:
* Fixed bug #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668) (Stas)
Fedora 21 Security Update: deluge-1.3.10-1.fc21
Resolved Bugs
1153456 – deluge-web is vulnerable to POODLE
update to 1.3.10
Fedora 21 Security Update: devscripts-2.14.10-1.fc21
Resolved Bugs
1059947 – CVE-2014-1833 devscripts: directory traversal flaw in uupdate
1059948 – devscripts: directory traversal flaw in uupdate [fedora-20]
Update to version 2.14.10, see http://metadata.ftp-master.debian.org/changelogs//main/d/devscripts/devscripts_2.14.10_changelog for details.
Update to version 2.14.9, see http://metadata.ftp-master.debian.org/changelogs//main/d/devscripts/devscripts_2.14.9_changelog for details.
Update to version 2.14.8, see http://metadata.ftp-master.debian.org/changelogs//main/d/devscripts/devscripts_2.14.8_changelog for details. Fixes CVE-2014-1833.
Fedora 21 Security Update: openssl-1.0.1j-1.fc21
Resolved Bugs
1152850 – CVE-2014-3566 openssl: Padding Oracle On Downgraded Legacy Encryption attack [fedora-all]
Update fixing three moderate security issues.