Security
Original release date: October 08, 2014
Cisco has released an advisory to address multiple vulnerabilities in the Cisco Adaptive Security Appliance (ASA) Software that could result in a denial of service condition. Cisco has released free software updates that address these vulnerabilities.
Users and administrators are encouraged to review the Cisco Advisory and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using “public-restricted” under a “public” directory.
Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a “buffer” function.
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors.
Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL commands via the (1) name parameter in a Search action to lib/project/projectView.php or (2) id parameter to lib/events/eventinfo.php.
Resolved Bugs
1150283 – KDE logout never completes
1114192 – SELinux is preventing /usr/bin/sddm from ‘write’ accesses on the file .
1119777 – PrivateTmp makes files invisible for the same user
1123506 – sddm startup is slow
1125129 – SELinux is preventing sddm from ‘write’ accesses on the file /etc/sddm.conf.
1140386 – SDDM login screen is not reached.
1112841 – Cannot log into account with NFS home directory
1128463 – sddm does not open kde wallet with pam_wallet.so
1128465 – sddm does not run /etc/X11/xinit/Xsession
1149608 – CVE-2014-7271 sddm: user “sddm” can login without authentication.
1149628 – CVE-2014-7271 sddm: user “sddm” can login without authentication. [fedora-all]
1148659 – sddm: multiple flaws in SDDM display manager leading to privilege escalation to root
1148660 – sddm: multiple flaws in SDDM display manager leading to privilege escalation to root [fedora-all]
1149610 – CVE-2014-7272 sddm: several local privileges escalation issues
1149629 – CVE-2014-7272 sddm: several local privileges escalation issues [fedora-all]<br
Bump to latest upstream git (and a new release), fixes CVE-2014-7271 and CVE-2014-7272
Resolved Bugs
1151278 – php-ZendFramework2: various flaws [fedora-all]
1151276 – CVE-2014-8088 php-ZendFramework: null byte issue, connect to LDAP without knowing the password (ZF2014-05)
1151277 – CVE-2014-8089 php-ZendFramework: SQL injection issue when using the sqlsrv PHP extension (ZF2014-06)<br
Contains fixes for two security relevant bugs:
* “ZF2014-05: Anonymous authentication in ldap_bind() function of PHP, using null byte” (http://framework.zend.com/security/advisory/ZF2014-05)
* “ZF2014-06: SQL injection vector when manually quoting values for sqlsrv extension, using null byte” (http://framework.zend.com/security/advisory/ZF2014-06)
Resolved Bugs
1114192 – SELinux is preventing /usr/bin/sddm from ‘write’ accesses on the file .
1119777 – PrivateTmp makes files invisible for the same user
1123506 – sddm startup is slow
1125129 – SELinux is preventing sddm from ‘write’ accesses on the file /etc/sddm.conf.
1140386 – SDDM login screen is not reached.
1112841 – Cannot log into account with NFS home directory
1128463 – sddm does not open kde wallet with pam_wallet.so
1128465 – sddm does not run /etc/X11/xinit/Xsession
1149608 – CVE-2014-7271 sddm: user “sddm” can login without authentication.
1149628 – CVE-2014-7271 sddm: user “sddm” can login without authentication. [fedora-all]
1148659 – sddm: multiple flaws in SDDM display manager leading to privilege escalation to root
1148660 – sddm: multiple flaws in SDDM display manager leading to privilege escalation to root [fedora-all]
1149610 – CVE-2014-7272 sddm: several local privileges escalation issues
1149629 – CVE-2014-7272 sddm: several local privileges escalation issues [fedora-all]
1034414 – KDE live images with sddm > 0.2.0-0.14.20130914git50ca5b20 often boot to a blank screen (SDDM fails to start)
1035939 – sddm fails at login
1035950 – SDDM hangs with auto login enabled
1036308 – sddm use 100% of CPU and do not continue after login/pass and ‘enter’
1038548 – sddm-greeter after login not closing
1045722 – [abrt] sddm: SDDM::DisplayManager::RemoveSession(): sddm killed by SIGSEGV
1045937 – sddm causes plasma-nm to not attempt to connect to any listed networks on Fedora KDE
1065715 – [abrt] sddm: _pam_free_data(): sddm killed by SIGABRT
1082229 – Cannot log in to KDE after yum update
1007067 – Empty userlist with ldap/sssd
1027711 – failed to login when try to start a new sessoin
1031745 – SDDM turns on NUM LOCK
1008951 – New KDE session starts just after Logout
1016902 – session does not grant privileges for /dev/dri/card0
1031415 – [abrt] sddm-0.2.0-0.16.20130914git50ca5b20.fc20: __memcpy_sse2_unaligned: Process /usr/bin/sddm was killed by signal 11 (SIGSEGV)
1020921 – sddm does not use full screen on two monitor system<br
Bump to latest upstream git (and a new release), fixes CVE-2014-7271 and CVE-2014-7272
Sync to the newest upstream development, fixes authentication
Resolved Bugs
1151278 – php-ZendFramework2: various flaws [fedora-all]
1151276 – CVE-2014-8088 php-ZendFramework: null byte issue, connect to LDAP without knowing the password (ZF2014-05)
1151277 – CVE-2014-8089 php-ZendFramework: SQL injection issue when using the sqlsrv PHP extension (ZF2014-06)<br
Contains fixes for two security relevant bugs:
* “ZF2014-05: Anonymous authentication in ldap_bind() function of PHP, using null byte” (http://framework.zend.com/security/advisory/ZF2014-05)
* “ZF2014-06: SQL injection vector when manually quoting values for sqlsrv extension, using null byte” (http://framework.zend.com/security/advisory/ZF2014-06)