RHSA-2014:2025-1: Important: ntp security update

Red Hat Enterprise Linux: Updated ntp packages that fix several security issues are now available for
Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2014-9293, CVE-2014-9294, CVE-2014-9295

RHSA-2014:2024-1: Important: ntp security update

Red Hat Enterprise Linux: Updated ntp packages that fix several security issues are now available
for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296

Fedora 20 Security Update: thermostat-1.0.6-1.fc20

Resolved Bugs
1168977 – CVE-2014-8120 thermostat: local JMX URL disclosure
Update to latest maintenance release. It was discovered that, in certain configurations, the Thermostat agent disclosed JMX management URLs of all local Java virtual machines to any local user. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2014-8120)

Fedora 21 Security Update: thermostat-1.0.6-1.fc21

Resolved Bugs
1168977 – CVE-2014-8120 thermostat: local JMX URL disclosure
Update to latest maintenance release. It was discovered that, in certain configurations, the Thermostat agent disclosed JMX management URLs of all local Java virtual machines to any local user. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2014-8120)

Fedora 19 Security Update: ntp-4.2.6p5-13.fc19

Resolved Bugs
1176191 – CVE-2014-9296 CVE-2014-9294 CVE-2014-9295 CVE-2014-9293 ntp: various flaws [fedora-all]
1176032 – CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
1176035 – CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
1176037 – CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
1176040 – CVE-2014-9296 ntp: receive() missing return on error
Security fix for CVE-2014-9294, CVE-2014-9295, CVE-2014-9293, CVE-2014-9296

"Misfortune Cookie" Broadband Router Vulnerability

Original release date: December 20, 2014

Broadband routers employing the Allegro RomPager firmware prior to version 4.34 contain a vulnerability in HTTP cookie processing code. Exploitation of this vulnerability could allow a remote attacker to take control of an affected device.

Users and administrators are encouraged to review Vulnerability Note VU#561444, the Allegro Press Release, and Check Point’s Security Advisory for additional information and apply the necessary updates.

