An updated Red Hat Enterprise Linux Atomic Kubernetes apiserver container image
is now available for Red Hat Enterprise Linux Atomic Host.
Monthly Archives: March 2016
RHBA-2016:0334-1: Red Hat Enterprise Linux Atomic Kubernetes scheduler Container Image Update
An updated Red Hat Enterprise Linux Atomic Kubernetes scheduler container image
is now available for Red Hat Enterprise Linux Atomic Host.
RHBA-2016:0333-1: Red Hat Enterprise Linux Atomic cockpit-ws Container Image Update
An updated Red Hat Enterprise Linux Atomic cockpit-ws container image is now
available for Red Hat Enterprise Linux Atomic Host.
IRS issues warning to HR professionals over phishing scam
Less than a month after it “renewed a consumer alert” for phishing scams, the Internal Revenue Service (IRS) in the US has delivered another warning aimed this time at payroll and human resources professionals.
The post IRS issues warning to HR professionals over phishing scam appeared first on We Live Security.
USN-2914-1: OpenSSL vulnerabilities
Ubuntu Security Notice USN-2914-1
1st March, 2016
openssl vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in OpenSSL.
Software description
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details
Yuval Yarom, Daniel Genkin, and Nadia Heninger discovered that OpenSSL was
vulnerable to a side-channel attack on modular exponentiation. On certain
CPUs, a local attacker could possibly use this issue to recover RSA keys.
This flaw is known as CacheBleed. (CVE-2016-0702)
Adam Langley discovered that OpenSSL incorrectly handled memory when
parsing DSA private keys. A remote attacker could use this issue to cause
OpenSSL to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-0705)
Guido Vranken discovered that OpenSSL incorrectly handled hex digit
calculation in the BN_hex2bn function. A remote attacker could use this
issue to cause OpenSSL to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2016-0797)
Emilia Käsper discovered that OpenSSL incorrectly handled memory when
performing SRP user database lookups. A remote attacker could possibly use
this issue to cause OpenSSL to consume memory, resulting in a denial of
service. (CVE-2016-0798)
Guido Vranken discovered that OpenSSL incorrectly handled memory when
printing very long strings. A remote attacker could use this issue to cause
OpenSSL to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-0799)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.10: libssl1.0.0 1.0.2d-0ubuntu1.4
- Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.18
- Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.35
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
USN-2915-1: Django vulnerabilities
Ubuntu Security Notice USN-2915-1
1st March, 2016
python-django vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in Django.
Software description
- python-django: High-level Python web development framework
Details
Mark Striemer discovered that Django incorrectly handled user-supplied
redirect URLs containing basic authentication credentials. A remote
attacker could possibly use this issue to perform a cross-site scripting
attack or a malicious redirect. (CVE-2016-2512)
Sjoerd Job Postmus discovered that Django incorrectly handled timing when
doing password hashing operations. A remote attacker could possibly use
this issue to perform user enumeration. (CVE-2016-2513)
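The user-enumeration issue described for CVE-2016-2513 arises when the login path does measurably less work for a username that does not exist than for one that does. The following Python example is added here and is not Django's code: it places a leaky checker, which returns early for unknown users, beside a hardened one that hashes the submitted password against a dummy record so both paths cost the same, and includes a helper that measures the timing ratio between the two cases. The user database, password and PBKDF2 iteration count are constructed for the demonstration.

```python
"""Constant-work password check against timing-based user enumeration.

Added example, not Django's implementation. Shows the pattern behind fixes
for the class of issue described in CVE-2016-2513: always perform a hash of
comparable cost, whether or not the username exists.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # PBKDF2 work factor (constructed value for the demo)


def make_record(password: str) -> dict:
    """Create a salted PBKDF2-HMAC-SHA256 record for a password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


# Constructed user database with a single account.
USERS = {"alice": make_record("correct horse battery staple")}

# Throwaway record used only to burn comparable CPU for unknown usernames.
_DUMMY = make_record(os.urandom(16).hex())


def check_password_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: unknown users skip the expensive hash entirely."""
    rec = USERS.get(username)
    if rec is None:
        return False  # fast path -> response time reveals non-existence
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(digest, rec["digest"])


def check_password_hardened(username: str, password: str) -> bool:
    """Hardened pattern: hash against a dummy record when the user is unknown."""
    rec = USERS.get(username)
    known = rec is not None
    if not known:
        rec = _DUMMY
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    # Constant-time comparison; the result is forced to False for unknown users.
    return hmac.compare_digest(digest, rec["digest"]) and known


def timing_ratio(check, rounds: int = 5) -> float:
    """Return (time for unknown user) / (time for known user) for a checker.

    Close to 1.0 means the two paths are indistinguishable by timing;
    close to 0.0 means the unknown-user path is much faster.
    """
    def elapsed(username: str) -> float:
        start = time.perf_counter()
        for _ in range(rounds):
            check(username, "not the right password")
        return time.perf_counter() - start

    return elapsed("nobody") / elapsed("alice")


if __name__ == "__main__":
    print("leaky    ratio: %.4f" % timing_ratio(check_password_leaky))
    print("hardened ratio: %.4f" % timing_ratio(check_password_hardened))
```

The dummy record must use the same algorithm and work factor as real records; a mitigation that hashes with a cheaper or different hasher for unknown users still leaks through timing.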
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.10: python3-django 1.7.9-1ubuntu5.2, python-django 1.7.9-1ubuntu5.2
- Ubuntu 14.04 LTS: python-django 1.6.1-2ubuntu0.12
- Ubuntu 12.04 LTS: python-django 1.3.1-4ubuntu1.20
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
CVE-2016-0703
The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
CVE-2016-0704
An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
CVE-2016-2278
Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism.
CVE-2016-2279
Cross-site scripting (XSS) vulnerability in the web server in Rockwell Automation Allen-Bradley CompactLogix 1769-L* before 28.011+ allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.