Red Hat Enterprise Linux: Updated systemd packages that fix one bug are now available for Red Hat
Enterprise Linux 7.
Monthly Archives: October 2014
RHBA-2014:1700-1: rsh bug fix update
Red Hat Enterprise Linux: Updated rsh packages that fix two bugs are now available for Red Hat Enterprise
Linux 7.
RHBA-2014:1699-1: devtoolset-2-eclipse bug fix update
Red Hat Enterprise Linux: Updated devtoolset-2-eclipse packages that fix one bug are now available for Red
Hat Developer Toolset 2.1.
RHBA-2014:1698-1: kexec-tools bug fix update
Red Hat Enterprise Linux: Updated kexec-tools packages that fix one bug are now available for Red Hat
Enterprise Linux 7.
Free WMA MP3 Converter 1.8 Buffer Overflow
Free WMA MP3 Converter version 1.8 buffer overflow exploit.
USN-2387-1: pollinate update
Ubuntu Security Notice USN-2387-1
22nd October, 2014
pollinate update
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.04 LTS
Summary
The certificate bundled with pollinate has been refreshed.
Software description
- pollinate – seed the pseudo random number generator in virtual machines
Details
The pollinate package bundles the certificate for entropy.ubuntu.com. This
update refreshes the certificate to match the one currently used on the
server.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.04 LTS:
  - pollinate 4.7-0ubuntu1.2
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
USN-2388-1: OpenJDK 7 vulnerabilities
Ubuntu Security Notice USN-2388-1
22nd October, 2014
openjdk-7 vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.04 LTS
Summary
Several security issues were fixed in OpenJDK 7.
Software description
- openjdk-7 – Open Source Java implementation
Details
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to expose
sensitive data over the network. (CVE-2014-6457)
Several vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-6502, CVE-2014-6512, CVE-2014-6519, CVE-2014-6527,
CVE-2014-6558)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2014-6504, CVE-2014-6511, CVE-2014-6517,
CVE-2014-6531)
Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-6506, CVE-2014-6513)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.04 LTS:
  - openjdk-7-jre-lib 7u71-2.5.3-0ubuntu0.14.04.1
  - openjdk-7-jre-zero 7u71-2.5.3-0ubuntu0.14.04.1
  - icedtea-7-jre-jamvm 7u71-2.5.3-0ubuntu0.14.04.1
  - openjdk-7-jre-headless 7u71-2.5.3-0ubuntu0.14.04.1
  - openjdk-7-jre 7u71-2.5.3-0ubuntu0.14.04.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.
This update contains known regressions in the JamVM alternative Java
Virtual Machine and a future update will correct these issues. See
https://launchpad.net/bugs/1382205 for details. We apologize for the
inconvenience.
ElectricCommander 4.2.4.71224 Privilege Escalation
ElectricCommander version 4.2.4.71224 suffers from a local privilege escalation vulnerability.
[ MDVSA-2014:204 ] libxml2
Mandriva Linux Security Advisory MDVSA-2014:204
http://www.mandriva.com/en/support/security/
Package : libxml2
Date : October 23, 2014
Affected: Business Server 1.0
Problem Description:
A vulnerability has been found and corrected in libxml2: A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior (CVE-2014-3660). The updated packages have been
[ MDVSA-2014:203 ] openssl
Mandriva Linux Security Advisory MDVSA-2014:203
http://www.mandriva.com/en/support/security/
Package : openssl
Date : October 23, 2014
Affected: Business Server 1.0
Problem Description:
Multiple vulnerabilities have been discovered and corrected in openssl: OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade. Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contain