HP Security Bulletin HPSBUX03162 SSRT101767 – Potential security vulnerabilities have been identified with HP-UX running OpenSSL. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS), allow unauthorized access, or a man-in-the-middle (MitM) attack. This is the SSLv3 vulnerability known as “Padding Oracle on Downgraded Legacy Encryption” also known as “Poodle”, which could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.
Monthly Archives: October 2014
HP Security Bulletin HPSBPI03147
HP Security Bulletin HPSBPI03147 – A potential security vulnerability has been identified with certain HP Color LaserJet printers. The vulnerability could be exploited remotely to gain unauthorized access to data or to create a Denial of Service (DoS). Revision 1 of this advisory.
HumHub Modules Mail 0.5.8 Cross Site Scripting
HumHub Modules Mail version 0.5.8 suffers from a cross site scripting vulnerability.
Debian Security Advisory 3060-1
Debian Linux Security Advisory 3060-1 – Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service.
Ubuntu Security Notice USN-2396-1
Ubuntu Security Notice 2396-1 – Nadav Amit reported that the KVM (Kernel Virtual Machine) mishandles noncanonical addresses when emulating instructions that change the rip (Instruction Pointer). A guest user with access to I/O or the MMIO can use this flaw to cause a denial of service (system crash) of the guest. A flaw was discovered with the handling of the invept instruction in the KVM (Kernel Virtual Machine) subsystem of the Linux kernel. An unprivileged guest user could exploit this flaw to cause a denial of service (system crash) on the guest. Various other issues were also addressed.
DSA-3062 wget – security update
HD Moore of Rapid7 discovered a symlink attack in Wget, a command-line
utility to retrieve files via HTTP, HTTPS, and FTP. The vulnerability
allows to create arbitrary files on the user’s system when Wget runs in
recursive mode against a malicious FTP server. Arbitrary file creation
may override content of user’s files or permit remote code execution with
the user privilege.
USN-2393-1: Wget vulnerability
Ubuntu Security Notice USN-2393-1
30th October, 2014
wget vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary
Wget could be made to overwrite files.
Software description
- wget
– retrieves files from the web
Details
HD Moore discovered that Wget contained a path traversal vulnerability
when downloading symlinks using FTP. A malicious remote FTP server or a man
in the middle could use this issue to cause Wget to overwrite arbitrary
files, possibly leading to arbitrary code execution.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10:
-
wget
1.15-1ubuntu1.14.10.1
- Ubuntu 14.04 LTS:
-
wget
1.15-1ubuntu1.14.04.1
- Ubuntu 12.04 LTS:
-
wget
1.13.4-2ubuntu1.2
- Ubuntu 10.04 LTS:
-
wget
1.12-1.1ubuntu2.2
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
USN-2394-1: Linux kernel (Trusty HWE) vulnerabilities
Ubuntu Security Notice USN-2394-1
30th October, 2014
linux-lts-trusty vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux-lts-trusty
– Linux hardware enablement kernel from Trusty
Details
Nadav Amit reported that the KVM (Kernel Virtual Machine) mishandles
noncanonical addresses when emulating instructions that change the rip
(Instruction Pointer). A guest user with access to I/O or the MMIO can use
this flaw to cause a denial of service (system crash) of the guest.
(CVE-2014-3647)
A flaw was discovered with the handling of the invept instruction in the
KVM (Kernel Virtual Machine) subsystem of the Linux kernel. An unprivileged
guest user could exploit this flaw to cause a denial of service (system
crash) on the guest. (CVE-2014-3646)
Lars Bull reported a race condition in the PIT (programmable interrupt
timer) emulation in the KVM (Kernel Virtual Machine) subsystem of the Linux
kernel. A local guest user with access to PIT i/o ports could exploit this
flaw to cause a denial of service (crash) on the host. (CVE-2014-3611)
Lars Bull and Nadav Amit reported a flaw in how KVM (the Kernel Virtual
Machine) handles noncanonical writes to certain MSR registers. A privileged
guest user can exploit this flaw to cause a denial of service (kernel
panic) on the host. (CVE-2014-3610)
Raphael Geissert reported a NULL pointer dereference in the Linux kernel’s
CIFS client. A remote CIFS server could cause a denial of service (system
crash) or possibly have other unspecified impact by deleting IPC$ share
during resolution of DFS referrals. (CVE-2014-7145)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 12.04 LTS:
-
linux-image-3.13.0-39-generic-lpae
3.13.0-39.66~precise1
-
linux-image-3.13.0-39-generic
3.13.0-39.66~precise1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References
USN-2395-1: Linux kernel vulnerabilities
Ubuntu Security Notice USN-2395-1
30th October, 2014
linux vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.04 LTS
Summary
Several security issues were fixed in the kernel.
Software description
- linux
– Linux kernel
Details
Nadav Amit reported that the KVM (Kernel Virtual Machine) mishandles
noncanonical addresses when emulating instructions that change the rip
(Instruction Pointer). A guest user with access to I/O or the MMIO can use
this flaw to cause a denial of service (system crash) of the guest.
(CVE-2014-3647)
A flaw was discovered with the handling of the invept instruction in the
KVM (Kernel Virtual Machine) subsystem of the Linux kernel. An unprivileged
guest user could exploit this flaw to cause a denial of service (system
crash) on the guest. (CVE-2014-3646)
Lars Bull reported a race condition in the PIT (programmable interrupt
timer) emulation in the KVM (Kernel Virtual Machine) subsystem of the Linux
kernel. A local guest user with access to PIT i/o ports could exploit this
flaw to cause a denial of service (crash) on the host. (CVE-2014-3611)
Lars Bull and Nadav Amit reported a flaw in how KVM (the Kernel Virtual
Machine) handles noncanonical writes to certain MSR registers. A privileged
guest user can exploit this flaw to cause a denial of service (kernel
panic) on the host. (CVE-2014-3610)
Raphael Geissert reported a NULL pointer dereference in the Linux kernel’s
CIFS client. A remote CIFS server could cause a denial of service (system
crash) or possibly have other unspecified impact by deleting IPC$ share
during resolution of DFS referrals. (CVE-2014-7145)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.04 LTS:
-
linux-image-3.13.0-39-generic-lpae
3.13.0-39.66
-
linux-image-3.13.0-39-powerpc64-emb
3.13.0-39.66
-
linux-image-3.13.0-39-powerpc-smp
3.13.0-39.66
-
linux-image-3.13.0-39-lowlatency
3.13.0-39.66
-
linux-image-3.13.0-39-powerpc-e500
3.13.0-39.66
-
linux-image-3.13.0-39-generic
3.13.0-39.66
-
linux-image-3.13.0-39-powerpc-e500mc
3.13.0-39.66
-
linux-image-3.13.0-39-powerpc64-smp
3.13.0-39.66
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References
CEEA-2014:1760 CentOS 7 lpfc Enhancement Update
CentOS Errata and Enhancement Advisory 2014:1760 Upstream details at : https://rhn.redhat.com/errata/RHEA-2014-1760.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) x86_64: 34076a399db40f55bd0d2b86619e9799eab69d3d9e7662773914af9c2166b518 kmod-lpfc-10.2.8021.0-1.el7_0.x86_64.rpm Source: 100abb05aa8970dc0acbdfa9def77f2cf73dab89e071140b8c7c6fb617a7c84d lpfc-10.2.8021.0-1.el7_0.src.rpm