Red Hat Security Advisory 2014-1339-01 - OpenStack Networking is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines. As of Red Hat Enterprise Linux OpenStack Platform 4.0, 'neutron' replaces 'quantum' as the core component of OpenStack Networking. It was discovered that the openstack-neutron package in Red Hat Enterprise Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6 was released with a sudoers file containing a configuration error. This error caused OpenStack Networking to be vulnerable to the CVE-2013-6433 issue.
bff2f168207f16748a9471e409d1309c41d63ced215838936fe0a973dc0a5b32Red Hat Security Advisory 2014-1338-01 - OpenStack Image service provides discovery, registration, and delivery services for disk and server images. It provides the ability to copy or snapshot a server image, and immediately store it away. Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services. It was discovered that the image_size_cap configuration option in glance was not honored. An authenticated user could use this flaw to upload an image to glance and consume all available storage space, resulting in a denial of service.
f177fb1c8e6430ce1a57ea004a7e4940022f0075aa05c108ce92e8f63be8418aRed Hat Security Advisory 2014-1337-01 - OpenStack Image service provides discovery, registration, and delivery services for disk and server images. It provides the ability to copy or snapshot a server image, and immediately store it away. Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services. It was discovered that the image_size_cap configuration option in glance was not honored. An authenticated user could use this flaw to upload an image to glance and consume all available storage space, resulting in a denial of service.
d0852ef434c7e2862d722a5b793ea19f253b9c1b248cfef89282acc344965e2eRed Hat Security Advisory 2014-1340-01 - In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Update Support for Red Hat Enterprise Linux 5.9 will be retired as of March 31, 2015, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including Critical impact security patches or urgent priority bug fixes, for Red Hat Enterprise Linux 5.9 EUS after March 31, 2015. In addition, technical support through Red Hat's Global Support Services will no longer be provided after this date. We encourage customers to plan their migration from Red Hat Enterprise Linux 5.9 to a more recent version of Red Hat Enterprise Linux. As a benefit of the Red Hat subscription model, customers can use their active subscriptions to entitle any system on any currently supported Red Hat Enterprise Linux release.
5b12f7a290ae0e7660690f81388f22031352628e1ef9d543f14d44d9b7ccba9fRed Hat Security Advisory 2014-1335-01 - OpenStack Dashboard provides administrators and users a graphical interface to access, provision and automate cloud-based resources. The dashboard allows cloud administrators to get an overall view of the size and state of the cloud and it provides end-users a self-service portal to provision their own resources within the limits set by administrators. A persistent cross-site scripting flaw was found in the horizon host aggregate interface. A user with sufficient privileges to add a host aggregate could potentially use this flaw to capture the credentials of another user.
a575bb471a1906d5d85b6e187c16d39615daade3d959d131ea5d7f03ef1d6817Red Hat Security Advisory 2014-1336-01 - OpenStack Dashboard provides administrators and users a graphical interface to access, provision and automate cloud-based resources. The dashboard allows cloud administrators to get an overall view of the size and state of the cloud and it provides end-users a self-service portal to provision their own resources within the limits set by administrators. A persistent cross-site scripting flaw was found in the horizon host aggregate interface. A user with sufficient privileges to add a host aggregate could potentially use this flaw to capture the credentials of another user.
1271e2967ba63c6cc6c8f8bd1e589f316acff78246e6cbd79b866aad9c595c1dUbuntu Security Notice 2366-1 - Daniel P. Berrange and Richard Jones discovered that libvirt incorrectly handled XML documents containing XML external entity declarations. An attacker could use this issue to cause libvirtd to crash, resulting in a denial of service on all affected releases, or possibly read arbitrary files if fine grained access control was enabled on Ubuntu 14.04 LTS. Luyao Huang discovered that libvirt incorrectly handled certain blkiotune queries. An attacker could use this issue to cause libvirtd to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Various other issues were also addressed.
02dbf1264d90f9aa14f459ed2d1774ac83a6b77b75e361cb24f526417195c704Slackware Security Advisory - New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
be6f6a9e5104d41f7402944c82e83177992bfeb1f8b70d5018ff4ca22b9460e4Slackware Security Advisory - New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
cf51b50e9624204660d6c978242197701c4ef1a44063f4b6d5d6347fe405215eSlackware Security Advisory - New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.
d4caf9f0e8a25e45e20d1cec68f49e8eebddab6521b4c5d08d00b90998dda089Red Hat Security Advisory 2014-1327-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. PHP's fileinfo module provides functions used to identify a particular file according to the type of data contained by the file. A buffer overflow flaw was found in the way the File Information extension processed certain Pascal strings. A remote attacker able to make a PHP application using fileinfo convert a specially crafted Pascal string provided by an image file could cause that application to crash. Multiple flaws were found in the File Information extension regular expression rules for detecting various files. A remote attacker could use either of these flaws to cause a PHP application using fileinfo to consume an excessive amount of CPU.
6a71101f9027da35ad2d54fca7f225499970b35424f7287f9634bd7f550538a2Mandriva Linux Security Advisory 2014-191 - The mkxmltype and mkdtskel scripts provided in perl-XML-DT allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_xml_##### temporary file.
1cf9c6f1fe3daede8b43bab97142f9d19a3b4444639c60766d3b82d501a4862dRed Hat Security Advisory 2014-1326-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. PHP's fileinfo module provides functions used to identify a particular file according to the type of data contained by the file. It was found that the fix for CVE-2012-1571 was incomplete; the File Information extension did not correctly parse certain Composite Document Format files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file. A NULL pointer dereference flaw was found in the gdImageCreateFromXpm() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application using gd via a specially crafted X PixMap file.
5c6f1e4eaec50602108e7360a8250b3b39234096dade279768f0a35c5149024dDebian Linux Security Advisory 3038-1 - Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library.
1a4a88bcc37a4dfcaefe8151a6a76a58d64abfb087ff4bbc6d0d4dbe95432653Debian Linux Security Advisory 3037-1 - Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Service library, embedded in Wheezy's Icedove), was parsing ASN.1 data used in signatures, making it vulnerable to a signature forgery attack.
4acb09686b97b7299d7b15ee86526511323b29697f34fc6d95d0c6d451ac0093Red Hat Security Advisory 2014-1323-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
92df1e73009a4ef231fc9d81ad37190a44c9a141705134e0c72db689b03d346fRed Hat Security Advisory 2014-1321-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
0c20556b21ba57e1ddda02e0d395e7b90f5dbc9f1b48ce29319a38ae23838089Red Hat Security Advisory 2014-1322-01 - Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
2666c14c949bd578b89f6c32a38338e01e6137e4e5ed3e34fb2373fed0fcc34dRed Hat Security Advisory 2014-1319-01 - Apache Xerces for Java is a high performance, standards compliant, validating XML parser written in Java. The xerces-j2 packages provide Xerces-J version 2. A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU. All xerces-j2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the Xerces-J must be restarted for this update to take effect.
4058cb095c8209c2ee11a1b06772f806178d0cf764c81c11e855712fe7628d58Red Hat Security Advisory 2014-1320-01 - Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
d70d4f10e9a0cc9227e3a369e6438680f3daad0e07480ac9d4c01d03d0f2cdb1Red Hat Security Advisory 2014-1318-01 - Red Hat Enterprise MRG is a next-generation IT infrastructure for enterprise computing. MRG offers increased performance, reliability, interoperability, and faster computing for enterprise customers. MRG Realtime provides the highest levels of predictability for consistent low-latency response times to meet the needs of time-sensitive workloads. MRG Realtime also provides new levels of determinism by optimizing lengthy kernel code paths to ensure that they do not become bottlenecks. This allows for better prioritization of applications, resulting in consistent, predictable response times for high-priority applications.
0a77ae165e92c2af80d046f9c03d5956b16c1925f2c276662095049b6e85164dUbuntu Security Notice 2365-1 - Nicolas Ruff discovered that LibVNCServer incorrectly handled memory when being advertised large screen sizes by the server. If a user were tricked into connecting to a malicious server, an attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. Nicolas Ruff discovered that LibVNCServer incorrectly handled large ClientCutText messages. A remote attacker could use this issue to cause a server to crash, resulting in a denial of service. Various other issues were also addressed.
1012981752e63e94c1b4254f2082d30c69adc29f080cd07e6da7f2ca9de5b136Slackware Security Advisory - New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.
0917f66c6c86aacb81e1186d5ecefe5c23031aa1b7b13f74aa857355b9b7d6b2Debian Linux Security Advisory 3039-1 - Several vulnerabilities were discovered in the chromium web browser.
9d7dce82ec560fe8e43f44a49daa9e855df5ce9cc144ec3e17f25f65486f5adcUbuntu Security Notice 2364-1 - Florian Weimer and Todd Sabin discovered that the Bash parser incorrectly handled memory. An attacker could possibly use this issue to bypass certain environment restrictions and execute arbitrary code. In addition, this update introduces a hardening measure which adds prefixes and suffixes around environment variable names which contain shell functions. Various other issues were also addressed.
ae34017a4da371e3957cf29ab3e4223ae8d46bc125d31af4b5a3d909728c3d3f
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed