This update prevents `python-cjson` from crashing when attempting to parse heavily nested JSON structures (which could be exploited for denial of service purposes, against any application that uses `python-cjson` to parse arbitrary input).
Monthly Archives: February 2017
USN-3195-1: Nova-LXD vulnerability
Ubuntu Security Notice USN-3195-1
9th February, 2017
nova-lxd vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 16.04 LTS
Summary
Nova-LXD could allow unintended access to LXD instances over the network.
Software description
- nova-lxd
– Openstack Compute – LXD container hypervisor support
Details
James Page discovered that Nova-LXD incorrectly set up virtual network devices
when creating LXD instances. This could result in an unintended firewall
configuration.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 16.04 LTS:
-
python-nova-lxd
13.2.0-0ubuntu1.16.04.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes for
new instances. However, existing instances will still be affected and must be
manually updated.
References
Gentoo Linux Security Advisory 201702-06
Gentoo Linux Security Advisory 201702-6 – Multiple vulnerabilities have been found in Graphviz and the extent of these vulnerabilities are unspecified. Versions less than 2.36.0 are affected.
Gentoo Linux Security Advisory 201702-05
Gentoo Linux Security Advisory 201702-5 – A vulnerability in Lsyncd allows execution of arbitrary code. Versions less than 2.1.6 are affected.
Gentoo Linux Security Advisory 201702-04
Gentoo Linux Security Advisory 201702-4 – Multiple vulnerabilities have been found in GnuTLS, the worst of which may allow execution of arbitrary code. Versions less than 3.3.26 are affected.
nagios-4.2.4-4.el6
We find out that RHEL-6 does not like non-UTF so removed German translation
—-
Major update to Nagios to address outstanding Security needs.
—-
nagios-4.0.8-1.fc21
nagios-4.0.8-1.fc22
nagios-4.0.8-1.el6
nagios-4.0.8-1.el7
nagios-4.0.8-1.fc23
– update to 4.0.8
Ticketbleed F5 TLS Information Disclosure
Ticketbleed is a software vulnerability in the TLS stack of certain F5 products that allows a remote attacker the ability to extract up to 31 bytes of uninitialized memory at a time, which can contain any kind of random sensitive information, like in Heartbleed.
HP Smart Storage Administrator 2.30.6.0 Remote Command Injection
This Metasploit module exploits a vulnerability found in HP Smart Storage Administrator. By supplying a specially crafted HTTP request, it is possible to control the ‘command’ variable in function isDirectFileAccess (found in ipcelmclient.php), which will be used in a proc_open() function. Versions prior to HP SSA 2.60.18.0 are vulnerable.
CVE-2016-8713
A remote out of bound write / memory corruption vulnerability exists in the PDF parsing functionality of Nitro Pro 10.5.9.9. A specially crafted PDF file can cause a vulnerability resulting in potential memory corruption. An attacker can send the victim a specific PDF file to trigger this vulnerability.
CVE-2016-8709
A remote out of bound write / memory corruption vulnerability exists in the PDF parsing functionality of Nitro Pro 10. A specially crafted PDF file can cause a vulnerability resulting in potential memory corruption. An attacker can send the victim a specific PDF file to trigger this vulnerability.