Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Essential tools for hardening and securing Unix based Environments - System administrators are aware of how important their systems' security is, not just the uptime of their servers. Intruders, spammers, DDoS attacks and crackers are all out there trying to get into people's computers, servers and anything else they can lay hands on, and to interrupt the normal runtime of services.

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly by environment or use, there are various general steps that can be taken to ensure basic security considerations are in place.


  (Sep 10)

Security Report Summary

  (Sep 8)

Security Report Summary

  (Sep 5)

Security Report Summary

  (Sep 4)

Security Report Summary

  (Sep 3)

Security Report Summary


  (Sep 10)

Upstream release v0.7.1-1

  (Sep 9)

Fixed https://bugzilla.redhat.com/show_bug.cgi?id=1259690

  (Sep 7)

ruby-ncurses-1.3.1-16.fc23
- Fix Ruby 2.2 compatibility.

rubygem-sup-0.21.0-3.fc23
- Relax rubygem-chronic dependency.
- Temporarily use ncurses until rubygem-ncursesw is in Fedora.
- Small cleanup.

  (Sep 6)

Fixed https://bugzilla.redhat.com/show_bug.cgi?id=1259563 and https://bugzilla.redhat.com/show_bug.cgi?id=1259691

  (Sep 6)

**See [Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141.](https://www.drupal.org/node/2554145)** **This is an incremental security and bugfix release for ctools.**

Looking to fix future D6 CTools issues? Find japerry or merlinofchaos in #drupal-scotch, #drupal-contribute, or #drupal-panels -- and become a maintainer for D6 CTools.

Changes since 6.x-1.13:

* Harden AJAX link handling
* Content type plugins do not properly inherit "edit" permission
* Various lint fixes
* Fix typo
* Issue #2512850 by DamienMcKenna, mw4ll4c3: PHP 5.4+ compatibility
* Issue #2010124 by davidwhthomas: ctools_access_get_loggedin_context doesn't fully load current user in context

  (Sep 6)

Maintenance and security release of the Drupal 6 series. This release fixes **security vulnerabilities**. Sites are [urged to upgrade immediately](https://www.drupal.org/node/1494290) after reading the notes below and the security announcement: [Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003). No other fixes are included.

No changes have been made to the .htaccess, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

#### Known issues:

None.

#### Major changes since 6.36:

* For security reasons, the autocomplete system now makes Ajax requests to non-clean URLs only, although protection is also in place for custom code that does so using clean URLs. There is a new form API #process function on autocomplete-enabled text fields that is required for the autocomplete functionality to work; custom and contributed modules should ensure that they are not overriding this #process function accidentally when altering text fields on forms. Part of the security fix also includes changes to theme_textfield(); it is recommended that sites which override this theme function make those changes as well (see the theme_textfield section of this diff for details).
* When form API token validation fails (for example, when a cross-site request forgery attempt is detected, or a user tries to submit a form after having logged out and back in again in the meantime), the form API now skips calling form element value callbacks, except for a select list of callbacks provided by Drupal core that are known to be safe. In rare cases, this could lead to data loss when a user submits a form and receives a token validation error, but the overall effect is expected to be minor.

  (Sep 6)

rebase to 9.10.3rc1 due to https://bugzilla.redhat.com/show_bug.cgi?id=1259690

  (Sep 6)

## 6.x-1.17

Fixes #2516976: Fix security issue and make release to bring back D6 releases.

  (Sep 6)

## 1.20.0 (2015-08-12)

* forbid access to the Twig environment from templates and internal parts of Twig_Template
* fixed limited RCEs when in sandbox mode
* deprecated Twig_Template::getEnvironment()
* deprecated the _self variable for usage outside of the from and import tags
* added Twig_BaseNodeVisitor to ease the compatibility of node visitors between 1.x and 2.x

## 1.19.0 (2015-07-31)

* fixed wrong error message when including an undefined template in a child template
* added support for variadic filters, functions, and tests
* added support for extra positional arguments in macros
* added ignore_missing flag to the source function
* fixed batch filter with zero items
* deprecated Twig_Environment::clearTemplateCache()
* fixed sandbox disabling when using the include function

  (Sep 6)

Security fix for CVE-2015-4491

  (Sep 6)

Updated to 7.39

* [Release notes](https://www.drupal.org/drupal-7.39-release-notes)
* [Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003)

  (Sep 4)

This is an update to the set of CA certificates version 2.5 as released with NSS version 3.19.3. However, as in previous versions of the ca-certificates package, the CA list has been modified to keep several legacy CAs still trusted for compatibility reasons. Please refer to the project URL for details. If you prefer to use the unchanged list provided by Mozilla, and if you accept any compatibility issues it may cause, an administrator may configure the system by executing the "ca-legacy disable" command.

  (Sep 4)

- oggenc: fix large alloca on bad AIFF input (CVE-2015-6749)

  (Sep 4)

rolekit-0.4.0-3.rc1.fc23
- Added support for installing roles through kickstart
- Added support for providing setting values through stdin
- Enabled deploying Domain Controller and Database Server with no mandatory options
- New API feature: sanitize() which will remove sensitive information from the settings output (such as autogenerated passwords once they have been recorded)

rolekit-0.4.0-4.rc1.fc23
- Fix permissions on role JSON settings files to avoid leaking sensitive info

  (Sep 4)

Update to 1.1.1. Security fix for CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

  (Sep 4)

libwmf-0.2.8.4-46.fc23
- Related: rhbz#1227244 CVE-2015-4696 fix patch context

  (Sep 4)

fix CVE-2015-0899

  (Sep 3)

- Enable libnl3 (see rhbz#1207386, rhbz#1247566)
- Remove airpcap switch (doesn't have any effect on Linux)
- Backport patch no. 11
- Fixed building with F24+
* Ver. 1.12.7

  (Sep 3)

* CVE-2015-5225: heap memory corruption in vnc_refresh_server_surface (bz#1255899)

  (Sep 3)

* (T94116) SECURITY: Compare API watchlist token in constant time
* (T97391) SECURITY: Escape error message strings in thumb.php
* (T106893) SECURITY: Don't leak autoblocked IP addresses on Special:DeletedContributions
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons.
* (T100767) Setting a configuration setting for skin or extension to false in LocalSettings.php was not working.
* (T100635) API action=opensearch json output no longer breaks when $wgDebugToolbar is enabled.
* (T102522) Using an extension.json or skin.json file which has a "manifest_version" property for 1.26 compatibility will no longer trigger warnings.
* (T86156) Running updateSearchIndex.php will not throw an error as page_restrictions has been added to the locked table list.
* Special:Version would throw notices if using SVN due to an incorrectly named variable. Add an additional check that an index is defined.

  (Sep 3)

* (T94116) SECURITY: Compare API watchlist token in constant time
* (T97391) SECURITY: Escape error message strings in thumb.php
* (T106893) SECURITY: Don't leak autoblocked IP addresses on Special:DeletedContributions
* Update jQuery from v1.11.2 to v1.11.3.
* (T102562) Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons.


  Red Hat: 2015:1766-01: python-django: Moderate Advisory (Sep 10)

Updated python-django packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

  Red Hat: 2015:1767-01: python-django: Moderate Advisory (Sep 10)

Updated python-django packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

  Red Hat: 2015:1769-01: libunwind: Low Advisory (Sep 10)

Updated libunwind packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

  Red Hat: 2015:1768-01: libunwind: Low Advisory (Sep 10)

Updated libunwind packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

  Red Hat: 2015:1741-01: haproxy: Important Advisory (Sep 8)

An updated haproxy package that fixes one security issue is now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1742-01: subversion: Moderate Advisory (Sep 8)

Updated subversion packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1736-01: openshift: Moderate Advisory (Sep 3)

Updated openshift packages that fix one security issue are now available for Red Hat OpenShift Enterprise 3.0. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1723-01: openstack-nova: Moderate Advisory (Sep 3)

Updated openstack-nova packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 7.0. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1718-01: qemu-kvm-rhev: Moderate Advisory (Sep 3)

Updated qemu-kvm-rhev packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 7. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1714-01: spice: Important Advisory (Sep 3)

An updated spice package that fixes one security issue is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1715-01: spice-server: Important Advisory (Sep 3)

An updated spice-server package that fixes one security issue is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1712-01: chromium-browser: Important Advisory (Sep 3)

Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1708-01: libXfont: Important Advisory (Sep 3)

An updated libXfont package that fixes three security issues is now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security [More...]


  (Sep 3)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]


  Ubuntu: 2739-1: FreeType vulnerabilities (Sep 10)

Several security issues were fixed in FreeType.

  Ubuntu: 2735-1: Oxide vulnerabilities (Sep 8)

Several security issues were fixed in Oxide.

  Ubuntu: 2736-1: Spice vulnerability (Sep 8)

Spice could be made to crash or run programs.

  Ubuntu: 2731-1: Linux kernel vulnerability (Sep 3)

The system could be made to expose sensitive information.

  Ubuntu: 2734-1: Linux kernel vulnerability (Sep 3)

The system could be made to crash or run programs as an administrator.

  Ubuntu: 2733-1: Linux kernel (Trusty HWE) vulnerability (Sep 3)

The system could be made to crash or run programs as an administrator.

  Ubuntu: 2729-1: libvdpau vulnerabilities (Sep 3)

libvdpau could be made to run programs as an administrator.

  Ubuntu: 2730-1: OpenSLP vulnerabilities (Sep 3)

OpenSLP could be made to crash if it received specially crafted network traffic.