Thank you for reading the Linux Advisory Watch Security Newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's vendor security bulletins and pointers on
methods to improve the security posture of your open source system.
Vulnerabilities affect nearly every vendor virtually every week, so
be sure to read through to find the updates your distributor have
made available.
|
(Jan 15) |
|
Security Report Summary
|
|
(Jan 15) |
|
Security Report Summary
|
|
(Jan 14) |
|
Security Report Summary
|
|
(Jan 13) |
|
Security Report Summary
|
|
(Jan 12) |
|
Security Report Summary
|
|
(Jan 11) |
|
Security Report Summary
|
|
(Jan 10) |
|
Security Report Summary
|
|
(Jan 9) |
|
Security Report Summary
|
|
(Jan 8) |
|
Security Report Summary
|
|
(Jan 8) |
|
Security Report Summary
|
|
|
|
Mandriva: 2015:026: untrf (Jan 15) |
|
[More...] _______________________________________________________________________
|
|
Mandriva: 2015:025: mpfr (Jan 15) |
|
Updated mpfr packages fix security vulnerability: A buffer overflow was reported in mpfr. This is due to incorrect GMP documentation for mpn_set_str about the size of a buffer (CVE-2014-9474). [More...]
|
|
Mandriva: 2015:024: libsndfile (Jan 15) |
|
Updated libsndfile packages fix security vulnerabilities: libsndfile contains multiple buffer-overflow vulnerabilities in src/sd2.c because it fails to properly bounds-check user supplied input, which may allow an attacker to execute arbitrary code or cause [More...]
|
|
Mandriva: 2015:023: libvirt (Jan 15) |
|
Updated libvirt packages fix security vulnerability: The qemuDomainMigratePerform and qemuDomainMigrateFinish2 functions in qemu/qemu_driver.c in libvirt do not unlock the domain when an ACL check fails, which allow local users to cause a denial of service [More...]
|
|
Mandriva: 2015:022: wireshark (Jan 12) |
|
Updated wireshark packages fix security vulnerabilities: The DEC DNA Routing Protocol dissector could crash (CVE-2015-0562). The SMTP dissector could crash (CVE-2015-0563). [More...]
|
|
Mandriva: 2015:021: curl (Jan 12) |
|
Updated curl packages fix security vulnerability: When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the request and sends if off. If the given URL contains line feeds and carriage returns those will be sent along to [More...]
|
|
Mandriva: 2015:020: libssh (Jan 12) |
|
Updated libssh packages fix security vulnerability: Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet (CVE-2014-8132). [More...]
|
|
Mandriva: 2015:019: openssl (Jan 9) |
|
Multiple vulnerabilities has been discovered and corrected in openssl: A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack (CVE-2014-3571). [More...]
|
|
Mandriva: 2015:018: asterisk (Jan 8) |
|
Updated asterisk packages fix security vulnerability: Double free vulnerability in the WebSocket Server (res_http_websocket module) in Asterisk Open Source 11.x before 11.14.2 allows remote attackers to cause a denial of service (crash) by sending a zero [More...]
|
|
Mandriva: 2015:017: libevent (Jan 8) |
|
Updated libevent packages fix security vulnerability: Andrew Bartlett of Catalyst reported a defect affecting certain applications using the Libevent evbuffer API. This defect leaves applications which pass insanely large inputs to evbuffers open [More...]
|
|
Mandriva: 2015:016: unzip (Jan 8) |
|
Updated unzip package fix security vulnerabilities: The unzip command line tool is affected by heap-based buffer overflows within the CRC32 verification (CVE-2014-8139), the test_compr_eb() (CVE-2014-8140) and the getZip64Data() (CVE-2014-8141) functions. The [More...]
|
|
Mandriva: 2015:015: sox (Jan 8) |
|
Updated sox packages fix security vulnerability: The sox command line tool is affected by two heap-based buffer overflows, respectively located in functions start_read() and AdpcmReadBlock(). A specially crafted wav file can be used to trigger [More...]
|
|
Mandriva: 2015:014: libjpeg (Jan 8) |
|
Updated libjpeg packages fix security vulnerability: Passing a specially crafted jpeg file to libjpeg-turbo could lead to stack smashing (CVE-2014-9092). [More...] _______________________________________________________________________
|
|
Mandriva: 2015:013: znc (Jan 8) |
|
Updated znc packages fix security vulnerabilities: Multiple vulnerabilities were reported in ZNC version 1.0 which can be exploited by malicious authenticated users to cause a denial of service. These flaws are due to errors when handling the editnetwork, [More...]
|
|
Mandriva: 2015:012: jasper (Jan 8) |
|
Updated jasper packages fix security vulnerabilities: A double free flaw was found in the way JasPer parsed ICC color profiles in JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute [More...]
|
|
Mandriva: 2015:011: nail (Jan 8) |
|
Updated nail package fixes security vulnerabilities: A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through [More...]
|
|
Mandriva: 2015:010: file (Jan 8) |
|
Updated file packages fix security vulnerabilities: Thomas Jarosch of Intra2net AG reported that using the file command on a specially-crafted ELF binary could lead to a denial of service due to uncontrolled resource consumption (CVE-2014-8116). [More...]
|
|
Mandriva: 2015:009: krb5 (Jan 8) |
|
Updated krb5 packages fix security vulnerability: In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an authenticated remote attacker can cause a NULL dereference by attempting to use a named ticket policy object as a password policy [More...]
|
|
Mandriva: 2015:008: pwgen (Jan 8) |
|
Updated pwgen package fixes security vulnerabilities: Pwgen was found to generate weak non-tty passwords by default, which could be brute-forced with a commendable success rate, which could raise security concerns (CVE-2013-4440). [More...]
|
|
Mandriva: 2015:007: unrtf (Jan 8) |
|
Updated unrtf package fixes security vulnerabilities: Michal Zalewski reported an out-of-bounds memory access vulnerability in unrtf. Processing a malformed RTF file could lead to a segfault while accessing a pointer that may be under the attacker's control. [More...]
|
|
Mandriva: 2015:006: mediawiki (Jan 8) |
|
Updated mediawiki packages fix security vulnerabilities: In MediaWiki before 1.23.8, thumb.php outputs wikitext message as raw HTML, which could lead to cross-site scripting. Permission to edit MediaWiki namespace is required to exploit this. [More...]
|
|
|
|
Red Hat: 2015:0052-01: flash-plugin: Critical Advisory (Jan 14) |
|
An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security [More...]
|
|
Red Hat: 2015:0047-01: thunderbird: Important Advisory (Jan 13) |
|
An updated thunderbird package that fixes three security issues is now available for Red Hat Enterprise Linux 5 and 6. Red Hat Product Security has rated this update as having Important security [More...]
|
|
Red Hat: 2015:0046-01: firefox: Critical Advisory (Jan 13) |
|
Updated firefox packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security [More...]
|
|
Red Hat: 2015:0043-01: kernel: Important Advisory (Jan 13) |
|
Updated kernel packages that fix three security issues and several bugs are now available for Red Hat Enterprise Linux 6.4 Extended Update Support. Red Hat Product Security has rated this update as having Important security [More...]
|
|
Red Hat: 2015:0044-01: openstack-neutron: Moderate Advisory (Jan 13) |
|
Updated openstack-neutron packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 4.0 Red Hat Product Security has rated this update as having Moderate security [More...]
|
|
Red Hat: 2015:0042-01: cloud-init: Low Advisory (Jan 13) |
|
Updated cloud-init packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Common for Red Hat Enterprise Linux 6. [More...]
|
|
Red Hat: 2015:0035-01: condor: Important Advisory (Jan 12) |
|
Updated condor packages that fix one security issue are now available for Red Hat Enterprise MRG 2.5 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]
|
|
Red Hat: 2015:0036-01: condor: Important Advisory (Jan 12) |
|
Updated condor packages that fix one security issue are now available for Red Hat Enterprise MRG 2.5 for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]
|
|
Red Hat: 2015:0020-01: python-keystoneclient: Moderate Advisory (Jan 8) |
|
Updated python-keystoneclient packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. Red Hat Product Security has rated this update as having Moderate security [More...]
|
|
Red Hat: 2015:0021-01: php: Important Advisory (Jan 8) |
|
Updated php packages that fix two security issues are now available for Red Hat Enterprise Linux 6.5 Extended Update Support. Red Hat Product Security has rated this update as having Important security [More...]
|
|
|
|
(Jan 9) |
|
New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]
|
|
|
|
Ubuntu: 2475-1: GTK+ update (Jan 15) |
|
GTK+ improperly handled the menu key, possibly allowing lock screen bypass.
|
|
Ubuntu: 2474-1: curl vulnerability (Jan 15) |
|
curl could be tricked into adding arbitrary requests when following certainURLs.
|
|
Ubuntu: 2473-1: coreutils vulnerabilities (Jan 14) |
|
date and touch could be made to crash or run programs if theyhandled specially crafted input.
|
|
Ubuntu: 2458-2: Ubufox update (Jan 14) |
|
This update provides compatible packages for Firefox 35.
|
|
Ubuntu: 2458-1: Firefox vulnerabilities (Jan 14) |
|
Firefox could be made to crash or run programs as your login if itopened a malicious website.
|
|
Ubuntu: 2471-1: GParted vulnerability (Jan 14) |
|
GParted could be made to run programs as an administrator.
|
|
Ubuntu: 2472-1: unzip vulnerabilities (Jan 14) |
|
unzip could be made to crash or run programs if it opened a speciallycrafted file.
|
|
Ubuntu: 2470-1: Git vulnerability (Jan 13) |
|
Git could be made to run programs as your login if it received speciallycrafted changes from a remote repository.
|
|
Ubuntu: 2469-1: Django vulnerabilities (Jan 13) |
|
Several security issues were fixed in Django.
|
|
Ubuntu: 2466-1: Linux kernel vulnerabilities (Jan 13) |
|
Several security issues were fixed in the kernel.
|
|
Ubuntu: 2467-1: Linux kernel (Utopic HWE) vulnerabilities (Jan 13) |
|
Several security issues were fixed in the kernel.
|
|
Ubuntu: 2468-1: Linux kernel vulnerabilities (Jan 13) |
|
Several security issues were fixed in the kernel.
|
|
Ubuntu: 2465-1: Linux kernel (Trusty HWE) vulnerabilities (Jan 13) |
|
Several security issues were fixed in the kernel.
|
|
Ubuntu: 2464-1: Linux kernel (OMAP4) vulnerabilities (Jan 13) |
|
Several security issues were fixed in the kernel.
|
|
Ubuntu: 2462-1: Linux kernel vulnerabilities (Jan 13) |
|
Several security issues were fixed in the kernel.
|
|
Ubuntu: 2463-1: Linux kernel vulnerabilities (Jan 13) |
|
Several security issues were fixed in the kernel.
|
|
Ubuntu: 2461-3: PyYAML vulnerability (Jan 12) |
|
Applications using PyYAML could be made to crash if they receivedspecially crafted input.
|
|
Ubuntu: 2461-1: LibYAML vulnerability (Jan 12) |
|
Applications using LibYAML could be made to crash if they receivedspecially crafted input.
|
|
Ubuntu: 2461-2: libyaml-libyaml-perl vulnerability (Jan 12) |
|
Applications using libyaml-libyaml-perl could be made to crash ifthey received specially crafted input.
|
|
Ubuntu: 2459-1: OpenSSL vulnerabilities (Jan 12) |
|
Several security issues were fixed in OpenSSL.
|
|
Ubuntu: 2456-1: GNU cpio vulnerabilities (Jan 8) |
|
The GNU cpio program could be made to crash or run programs if itopened a specially crafted file or received specially crafted input.
|
