Stay Secure with the Latest Linux Advisories

Explore Latest Linux Security advisories

SciLinux: SLSA-2013:0753-1 Moderate: icedtea-web Security Update

Moderate: icedtea-web security update.

Date: Wed, 17 Apr 2013 20:52:09 +0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
From: Pat Riehecky
Subject: Security ERRATA Moderate: icedtea-web on SL6.x i386/x86_64
MIME-Version: 1.0

Synopsis: Moderate: icedtea-web security update
Advisory ID: SLSA-2013:0753-1
Issue Date: 2013-04-17
CVE Numbers: CVE-2013-1927 CVE-2013-1926
--

It was discovered that the IcedTea-Web plug-in incorrectly used the same class loader instance for applets with the same value of the codebase attribute, even when they originated from different domains. A malicious applet could use this flaw to gain information about and possibly manipulate applets from different domains currently running in the browser. (CVE-2013-1926)

The IcedTea-Web plug-in did not properly check the format of the downloaded Java Archive (JAR) files. This could cause the plug-in to execute code hidden in a file in a different format, possibly allowing attackers to execute code in the context of web sites that allow uploads of specific file types, known as a GIFAR attack. (CVE-2013-1927)

This erratum also upgrades IcedTea-Web to version 1.2.3.

Web browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect.
--

SL6
  x86_64
    icedtea-web-1.2.3-2.el6_4.x86_64.rpm
    icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm
    icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm
  i386
    icedtea-web-1.2.3-2.el6_4.i686.rpm
    icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm
    icedtea-web-javadoc-1.2.3-2.el6_4.i686.rpm

- Scientific Linux Development Team

LinuxSecurity.com Team

Apr 17, 2013 | Scientific Linux

Ubuntu 11.04 & 11.10 USN-1505-2 Critical: IcedTea-Web Regression Fix

USN 1505-1 introduced a regression in the IcedTea-Web Java web browser plugin that prevented it from working with the Chromium web browser.

=========================================================================
Ubuntu Security Notice USN-1505-2
August 30, 2012

icedtea-web regression
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04

Summary:

USN 1505-1 introduced a regression in the IcedTea-Web Java web browser plugin that prevented it from working with the Chromium web browser.

Software Description:

- icedtea-web: A web browser plugin to execute Java applets

Details:

USN-1505-1 fixed vulnerabilities in OpenJDK 6. As part of the update, IcedTea-Web packages were upgraded to a new version. That upgrade introduced a regression which prevented the IcedTea-Web plugin from working with the Chromium web browser in Ubuntu 11.04 and Ubuntu 11.10. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that multiple flaws existed in the CORBA (Common Object Request Broker Architecture) implementation in OpenJDK. An attacker could create a Java application or applet that used these flaws to bypass Java sandbox restrictions or modify immutable object data. (CVE-2012-1711, CVE-2012-1719)

It was discovered that multiple flaws existed in the OpenJDK font manager's layout lookup implementation. An attacker could specially craft a font file that could cause a denial of service through crashing the JVM (Java Virtual Machine) or possibly execute arbitrary code. (CVE-2012-1713)

It was discovered that the SynthLookAndFeel class from Swing in OpenJDK did not properly prevent access to certain UI elements from outside the current application context. An attacker could create a Java application or applet that used this flaw to cause a denial of service through crashing the JVM or bypass Java sandbox restrictions. (CVE-2012-1716)

It was discovered that OpenJDK runtime library classes could create temporary files with insecure permissions. A local attacker could use this to gain access to sensitive information. (CVE-2012-1717)

It was discovered that OpenJDK did not handle CRLs (Certificate Revocation Lists) properly. A remote attacker could use this to gain access to sensitive information. (CVE-2012-1718)

It was discovered that the OpenJDK HotSpot Virtual Machine did not properly verify the bytecode of the class to be executed. A remote attacker could create a Java application or applet that used this to cause a denial of service through crashing the JVM or bypass Java sandbox restrictions. (CVE-2012-1723, CVE-2012-1725)

It was discovered that the OpenJDK XML (Extensible Markup Language) parser did not properly handle some XML documents. An attacker could create an XML document that caused a denial of service in a Java application or applet parsing the document. (CVE-2012-1724)

As part of this update, the IcedTea web browser applet plugin was updated for Ubuntu 10.04 LTS, Ubuntu 11.04, and Ubuntu 11.10.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 11.10:
  icedtea-6-plugin 1.2-2ubuntu0.11.10.3

Ubuntu 11.04:
  icedtea-6-plugin 1.2-2ubuntu0.11.04.3

After a standard system update you need to restart your web browser to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-1505-2
  https://ubuntu.com/security/notices/USN-1505-1
  https://bugs.launchpad.net/ubuntu/+source/icedtea-web/+bug/1025553

Package Information:
  https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.10.3
  https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.04.3

Severity: Critical.

LinuxSecurity.com Team

Aug 30, 2012 | Critical | Ubuntu

Red Hat 6: RHSA-2011:0426-01 Moderate: spice-xpi Remote Code Execution

An updated spice-xpi package that fixes two security issues is now available for Red Hat Enterprise Linux 6.

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: spice-xpi security update
Advisory ID: RHSA-2011:0426-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2011:0426.html
Issue date: 2011-04-07
CVE Names: CVE-2011-0012 CVE-2011-1179
====================================================================

1. Summary:

An updated spice-xpi package that fixes two security issues is now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor, or on Red Hat Enterprise Virtualization Hypervisor.

The spice-xpi package provides a plug-in that allows the SPICE client to run from within Mozilla Firefox.

An uninitialized pointer use flaw was found in the SPICE Firefox plug-in. If a user were tricked into visiting a malicious web page with Firefox while the SPICE plug-in was enabled, it could cause Firefox to crash or, possibly, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-1179)

It was found that the SPICE Firefox plug-in used a predictable name for one of its log files. A local attacker could use this flaw to conduct a symbolic link attack, allowing them to overwrite arbitrary files accessible to the user running Firefox. (CVE-2011-0012)

Users of spice-xpi should upgrade to this updated package, which contains backported patches to correct these issues. After installing the update, Firefox must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

639869 - CVE-2011-0012 spice-xpi: symlink attack on usbrdrctl log file
689931 - CVE-2011-1179 spice-xpi: unitialized pointer writes possible when getting plugin properties

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:

i386:
  spice-xpi-2.4-1.el6_0.2.i686.rpm
  spice-xpi-debuginfo-2.4-1.el6_0.2.i686.rpm

x86_64:
  spice-xpi-2.4-1.el6_0.2.x86_64.rpm
  spice-xpi-debuginfo-2.4-1.el6_0.2.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:

x86_64:
  spice-xpi-2.4-1.el6_0.2.x86_64.rpm
  spice-xpi-debuginfo-2.4-1.el6_0.2.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:

i386:
  spice-xpi-2.4-1.el6_0.2.i686.rpm
  spice-xpi-debuginfo-2.4-1.el6_0.2.i686.rpm

x86_64:
  spice-xpi-2.4-1.el6_0.2.x86_64.rpm
  spice-xpi-debuginfo-2.4-1.el6_0.2.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:

i386:
  spice-xpi-2.4-1.el6_0.2.i686.rpm
  spice-xpi-debuginfo-2.4-1.el6_0.2.i686.rpm

x86_64:
  spice-xpi-2.4-1.el6_0.2.x86_64.rpm
  spice-xpi-debuginfo-2.4-1.el6_0.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package

7. References:

https://access.redhat.com/security/cve/CVE-2011-0012
https://access.redhat.com/security/cve/CVE-2011-1179
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2011 Red Hat, Inc.

LinuxSecurity.com Team

Apr 07, 2011 | Red Hat

Red Hat: RHSA-2006:0674-01 Critical: Flash Player Malicious Code Threat

An updated Adobe Flash Player package that fixes security issues is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2006:0674-01
Advisory URL: https://access.redhat.com/errata/RHSA-2006:0674.html
Issue date: 2006-09-12
Updated on: 2006-09-12
Product: Red Hat Enterprise Linux Extras
CVE Names: CVE-2006-3311 CVE-2006-3587 CVE-2006-3588
- ---------------------------------------------------------------------

1. Summary:

An updated Adobe Flash Player package that fixes security issues is now available.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 Extras - i386
Red Hat Desktop version 3 Extras - i386
Red Hat Enterprise Linux ES version 3 Extras - i386
Red Hat Enterprise Linux WS version 3 Extras - i386
Red Hat Enterprise Linux AS version 4 Extras - i386
Red Hat Desktop version 4 Extras - i386
Red Hat Enterprise Linux ES version 4 Extras - i386
Red Hat Enterprise Linux WS version 4 Extras - i386

3. Problem description:

The flash-plugin package contains a Firefox-compatible Adobe Flash Player browser plug-in.

Security issues were discovered in the Adobe Flash Player. It may be possible to execute arbitrary code on a victim's machine if the victim opens a malicious Adobe Flash file. (CVE-2006-3311, CVE-2006-3587, CVE-2006-3588)

Users of Adobe Flash Player should upgrade to this updated package, which contains version 7.0.68 and is not vulnerable to this issue.

Red Hat would like to thank Adobe for notifying us of these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

205983 - CVE-2006-3311 Multiple flash-plug flaws (CVE-2006-3587 CVE-2006-3588)

6. RPMs required:

Red Hat Enterprise Linux AS version 3 Extras:
i386:
  e499c9e86a4f9bb37aaba7354984118a flash-plugin-7.0.68-1.el3.i386.rpm

Red Hat Desktop version 3 Extras:
i386:
  e499c9e86a4f9bb37aaba7354984118a flash-plugin-7.0.68-1.el3.i386.rpm

Red Hat Enterprise Linux ES version 3 Extras:
i386:
  e499c9e86a4f9bb37aaba7354984118a flash-plugin-7.0.68-1.el3.i386.rpm

Red Hat Enterprise Linux WS version 3 Extras:
i386:
  e499c9e86a4f9bb37aaba7354984118a flash-plugin-7.0.68-1.el3.i386.rpm

Red Hat Enterprise Linux AS version 4 Extras:
i386:
  f6e5fb516fc4edc28ca5c79fa2581f8f flash-plugin-7.0.68-1.el4.i386.rpm

Red Hat Desktop version 4 Extras:
i386:
  f6e5fb516fc4edc28ca5c79fa2581f8f flash-plugin-7.0.68-1.el4.i386.rpm

Red Hat Enterprise Linux ES version 4 Extras:
i386:
  f6e5fb516fc4edc28ca5c79fa2581f8f flash-plugin-7.0.68-1.el4.i386.rpm

Red Hat Enterprise Linux WS version 4 Extras:
i386:
  f6e5fb516fc4edc28ca5c79fa2581f8f flash-plugin-7.0.68-1.el4.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package

7. References:

https://www.cve.org/CVERecord?id=CVE-2006-3311
https://www.cve.org/CVERecord?id=CVE-2006-3587
https://www.cve.org/CVERecord?id=CVE-2006-3588
https://access.redhat.com/security/updates/classification#critical

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.

Severity: Critical.

LinuxSecurity.com Team

Sep 12, 2006 | Critical | Red Hat