RHSA-2015:1920-1: Critical: java-1.7.0-openjdk security update

Red Hat Enterprise Linux: Updated java-1.7.0-openjdk packages that fix multiple security issues are
now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4903, CVE-2015-4911

RHSA-2015:1919-1: Important: java-1.8.0-openjdk security update

Red Hat Enterprise Linux: Updated java-1.8.0-openjdk packages that fix multiple security issues are
now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4903, CVE-2015-4911

Vulnerabilities Identified in Network Time Protocol Daemon (ntpd)

Original release date: October 21, 2015 | Last revised: October 22, 2015

The Network Time Foundation’s NTP Project has released an update addressing multiple vulnerabilities in ntpd. Exploitation of some of these vulnerabilities may allow an attacker to cause a denial of service (DoS) condition.

Users and administrators are encouraged to review the NTP Security Notice Page for more details and US-CERT Security Tip ST04-015 for information on DoS attacks.



Protecting your wallet in the digital age

In days gone by, keeping your wallet safe while out and about just meant making sure it was still in your pocket. But with a variety of new payment technologies such as contactless payment or Chip and PIN being developed and rolled out, and hackers becoming increasingly creative about how they access and use your information, times are changing fast.

While we all want speedier, more convenient payment options, have you stopped to consider the level of personal information you now carry around about yourself, and whether you are still doing such a good job of keeping your wallet safe in today’s digital age?

As National Cyber Security Awareness month continues, I’ve jotted down a few of my top tips:

When is a wallet not a wallet?

There has been much talk of the ‘digital wallet’ in recent years, but with NFC payments now enabled through schemes such as Apple Pay and Android Pay, your smartphone could now be considered a wallet on its own. As such, you’ll need to consider both its physical and cyber security. This means taking steps such as considering where you’re carrying and using your phone, making sure you have software to protect it from malware, and ensuring you only use it at trusted locations for sensitive transactions such as money transfers.

Does your wallet speak for itself?

With contactless payment systems becoming more popular, especially in Europe, even cards in your wallet could speak without you knowing. If your card has the ‘contactless’ Wi-Fi type symbol on it then it most likely has RFID technology that allows details to be read from the card without the need to swipe or insert into a chip and pin reader. This also means that if a cybercriminal can get close enough to your card then they might be able to read some of the data from it. Wallet manufacturers are now producing wallets that add pockets of protection for you to store cards of this type. I recently purchased one and now it stores both my driver’s licence and contactless cards in the protected zone.

Putting a PIN in your security

With the increase in payment technologies such as Chip and PIN and contactless, the contents of your traditional wallets are also more vulnerable than ever before. So what steps should you take here?

Just as you wouldn’t leave your house keys in your front door, your card or phone’s PIN number should never be written down and certainly not left with the card or phone itself. If you have trouble remembering the PIN provided by your bank, you should change it to a number that’s easier for you to remember – but not so easy that others could guess it. When entering your PIN, you should also hide it from anyone who might be looking!

While not yet mainstream in the U.S., ‘touch and go’ NFC payment from a phone or ‘contactless’ RFID from a credit card is already common in Europe. Making a payment in seconds is appealing to many of us, but this convenience comes with a number of other security considerations. In the UK, there is currently a cap of $45 (£30) on such purchases – minimising the risk of significant purchases being made on a stolen card or phone. For anyone still feeling nervous, it is possible to ‘opt out’ and request a simple Chip and PIN card.

Beyond these more ‘high-tech’ tips, there are other points of best practice that should always be observed in protecting your financial security.

Check what you’re paying for

As cashless payment becomes the norm, it’s easy to lose track of what you’re spending, and even if you’re the one spending it! Always make sure to check your bank statement, even if online, for any ‘rogue’ payments. Many of us have the attitude that ‘it won’t happen to me’, but fraudsters will often start with small amounts that may go unnoticed to those who aren’t vigilant.

Bin those receipts

Is your wallet bulging with six months’ worth of receipts? If so, de-clutter! Receipts can carry a whole host of valuable information including your credit card details or signature. Keep any important receipts for returns, warranties or business expenses at home and make sure to shred the rest. Expired cards should also be cleared out of your wallet. While you can’t use them anymore, your information could still be of use to a potential fraudster.

Having taken my wallet with me on various travels abroad recently, I know I’ve kept these tips in mind, and fingers crossed, remained fraud free! Hopefully they will help you do the same!

CESA-2015:1919 Important CentOS 7 java-1.8.0-openjdk Security Update

CentOS Errata and Security Advisory 2015:1919 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1919.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
fc1d78f8fbdd55837a77e54915ceed26b916b85834ebfb9457ec153b1a40309a  java-1.8.0-openjdk-1.8.0.65-2.b17.el7_1.x86_64.rpm
88300297b48c26c73023f0e9592202bae019244f9386e62b1fce66a8265fbba4  java-1.8.0-openjdk-accessibility-1.8.0.65-2.b17.el7_1.x86_64.rpm
b4ee076fe89b4c03f9a27adc2ab09d242924ddbc52028cb473aed21b80af346d  java-1.8.0-openjdk-demo-1.8.0.65-2.b17.el7_1.x86_64.rpm
0ca829e2fa8e41cc21b986052018237a264536c61e246f78f585539dc43bc465  java-1.8.0-openjdk-devel-1.8.0.65-2.b17.el7_1.x86_64.rpm
adcf8842049a55bdf370857e875b42bc803f170ee594660f97581004ea143fb0  java-1.8.0-openjdk-headless-1.8.0.65-2.b17.el7_1.x86_64.rpm
3fc3d79d30601dab4335761b29a97157f9238636ecbbc77c3d8598a92b5a9bea  java-1.8.0-openjdk-javadoc-1.8.0.65-2.b17.el7_1.noarch.rpm
b533526fd6d3a382cd62fb5f1c983b1e7cb4c1794cece5cf10968c7aef61d1f8  java-1.8.0-openjdk-src-1.8.0.65-2.b17.el7_1.x86_64.rpm

Source:
78aa5064e82314dc93f46cad65f69a89d82e70881811c19fe34bc68079056108  java-1.8.0-openjdk-1.8.0.65-2.b17.el7_1.src.rpm



CESA-2015:1920 Critical CentOS 7 java-1.7.0-openjdk Security Update

CentOS Errata and Security Advisory 2015:1920 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1920.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
826d53b513a6bb5b067028561c663245b39634e764ac64008a09ffdfb26711b6  java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
43556ec3d4af6b5efae46bed907e81e3b5f69b33cd25b2e1992504685f69dda5  java-1.7.0-openjdk-accessibility-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
a9813ff0692254f9d70a49ec9cef8514706b533836619591967a03f306d146f3  java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
138f0282b13a511bbe2cc21a1e2a61543255bc767b654f13e7c27cacdd5fdd83  java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
a34323f74e4423d38d298a06cdd26788851b6ac5d9c5787b6f6a2c4144f816bd  java-1.7.0-openjdk-headless-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm
f8a71a52a20f34d1d0db714c399308561280441a5dfa886fb96de692b41c2bf8  java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.1.el7_1.noarch.rpm
0cd7e499729498b74f1898eef23578299a97ab004992d0f6dea78b12e4d86302  java-1.7.0-openjdk-src-1.7.0.91-2.6.2.1.el7_1.x86_64.rpm

Source:
494032ee883593af2f18afc2992d5afd2da7bfd02f3aa9b015b441496ad8546a  java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1.src.rpm



CVE-2015-4901

Unspecified vulnerability in Oracle Java SE 8u60 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX.

CVE-2015-4903

Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to RMI.

CVE-2015-4904

Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to libmysqld.