Monthly Archives: December 2015

Ubuntu

USN-2840-2: Linux kernel (OMAP4) vulnerability

Ubuntu Security Notice USN-2840-2

17th December, 2015

linux-ti-omap4 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux-ti-omap4
    – Linux kernel for OMAP4

Details

Dmitry Vyukov discovered that the Linux kernel’s keyring handler attempted
to garbage collect incompletely instantiated keys. A local unprivileged
attacker could use this to cause a denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1475-omap4

3.2.0-1475.97

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-7872

US-CERT

IRS Releases Fourth Tax Security Tip

Original release date: December 17, 2015

The Internal Revenue Service (IRS) has released the fourth in a series of tips intended to help the public protect personal and financial data online and at home. This tip focuses on protecting your passwords. Recommendations include creating longer and more complex passwords, not using the same passwords for multiple accounts, and changing your passwords on a regular basis.

US-CERT encourages users and administrators to review the IRS Security Awareness Tax Tip Number 4 and the US-CERT Tip Choosing and Protecting Passwords for additional information.

This product is provided subject to this Notification and this Privacy & Use policy.

NVD

CVE-2015-4027

The AcuWVSSchedulerv10 service in Acunetix Web Vulnerability Scanner (WVS) before 10 build 20151125 allows local users to gain privileges via a command parameter in the reporttemplate property in a params JSON object to api/addScan.

NVD

CVE-2015-5204

CRLF injection vulnerability in the Apache Cordova File Transfer Plugin (cordova-plugin-file-transfer) for Android before 1.3.0 allows remote attackers to inject arbitrary headers via CRLF sequences in the filename of an uploaded file.

NVD

CVE-2015-5277

The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database.

NVD

CVE-2015-7518

Multiple cross-site scripting (XSS) vulnerabilities in information popups in Foreman before 1.10.0 allow remote attackers to inject arbitrary web script or HTML via (1) global parameters, (2) smart class parameters, or (3) smart variables in the (a) host or (b) hostgroup edit forms.