Red Hat Enterprise Linux: Updated dovecot packages that fix one bug are now available for Red Hat
Enterprise Linux 6.
Monthly Archives: December 2014
RHBA-2014:1969-1: qemu-kvm bug fix update
Red Hat Enterprise Linux: Updated qemu-kvm packages that fix one bug are now available for Red Hat
Enterprise Linux 7.
USN-2435-1: Graphviz vulnerability
Ubuntu Security Notice USN-2435-1
8th December, 2014
graphviz vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary
graphviz could be made to crash or run programs if it opened a specially
crafted file.
Software description
- graphviz – rich set of graph drawing tools
Details
It was discovered that graphviz incorrectly handled parsing errors. An
attacker could use this issue to cause graphviz to crash or possibly
execute arbitrary code.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10: graphviz 2.38.0-5ubuntu0.1
- Ubuntu 14.04 LTS: graphviz 2.36.0-0ubuntu3.1
- Ubuntu 12.04 LTS: graphviz 2.26.3-10ubuntu1.2
- Ubuntu 10.04 LTS: graphviz 2.20.2-8ubuntu3.2
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
USN-2436-1: X.Org X server vulnerabilities
Ubuntu Security Notice USN-2436-1
9th December, 2014
xorg-server, xorg-server-lts-trusty vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in the X.Org X server.
Software description
- xorg-server – X.Org X11 server
- xorg-server-lts-trusty – X.Org X11 server
Details
Ilja van Sprundel discovered a multitude of security issues in the X.Org X
server. An attacker able to connect to an X server, either locally or
remotely, could use these issues to cause the X server to crash or execute
arbitrary code resulting in possible privilege escalation.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10: xserver-xorg-core 2:1.16.0-1ubuntu1.1
- Ubuntu 14.04 LTS: xserver-xorg-core 2:1.15.1-0ubuntu2.4
- Ubuntu 12.04 LTS: xserver-xorg-core 2:1.11.4-0ubuntu10.15, xserver-xorg-core-lts-trusty 2:1.15.1-0ubuntu2~precise3
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
USN-2437-1: Bind vulnerability
Ubuntu Security Notice USN-2437-1
9th December, 2014
bind9 vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary
Bind could be made to crash if it received specially crafted network
traffic.
Software description
- bind9 – Internet Domain Name Server
Details
Florian Maury discovered that Bind incorrectly handled delegation. A remote
attacker could possibly use this issue to cause Bind to consume resources
and crash, resulting in a denial of service.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10: bind9 1:9.9.5.dfsg-4.3ubuntu0.1
- Ubuntu 14.04 LTS: bind9 1:9.9.5.dfsg-3ubuntu0.1
- Ubuntu 12.04 LTS: bind9 1:9.8.1.dfsg.P1-4ubuntu0.9
- Ubuntu 10.04 LTS: bind9 1:9.7.0.dfsg.P1-1ubuntu0.12
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
Mobilis 3G mobiconnect Privilege Escalation
Mobilis 3G mobiconnect 3G++ ZD Server version 1.0.1.2 suffers from a trusted path privilege escalation vulnerability.
CVE-2014-8488
Cross-site scripting (XSS) vulnerability in the administrator panel in Yourls 1.7 allows remote attackers to inject arbitrary web script or HTML via a URL that is processed by the Shorten functionality.
CVE-2014-8496
Digicom DG-5514T ADSL router with firmware 3.2 generates predictable session IDs, which allows remote attackers to gain administrator privileges via a brute force session hijacking attack.
CVE-2014-8730
The SSL profiles component in F5 BIG-IP LTM, APM, and ASM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, AAM 11.4.0 through 11.5.1, AFM 11.3.0 through 11.5.1, Analytics 11.0.0 through 11.5.1, Edge Gateway, WebAccelerator, and WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, PEM 11.3.0 through 11.6.0, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.4.1 and BIG-IQ Cloud and Security 4.0.0 through 4.4.0 and Device 4.2.0 through 4.4.0, when using TLS 1.x before TLS 1.2, does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE). NOTE: the scope of this identifier is limited to the F5 implementation only. Other vulnerable implementations should receive their own CVE ID, since this is not a vulnerability within the design of TLS 1.x itself.
VMware Releases Updates for vCAC
Original release date: December 09, 2014
VMware has released security updates to address a critical vulnerability in vCloud Automation Center (vCAC), which could allow a remote attacker to take control of a vulnerable system.
US-CERT encourages users and administrators to review VMware Security Advisory VMSA-2014-0013 and apply the necessary updates.