Linux Advisory Watch: April 24th, 2015

Security Report Summary

Security Report Summary

Security Report Summary

Security Report Summary

16 Apr 2015, **PHP 5.6.8**Core:* Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence)* Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk)* Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai)* Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski)* Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas)* Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso)* Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita)* Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita)* Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas)* Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas)Apache2handler:* Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema)cURL:* Implemented FR#69278 (HTTP2 support). (Masaki Kagaya)* Fixed bug #68739 (Missing break / control flow). (Laruence)* Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence)Date:* Fixed bug #69336 (Issues with "last day of "). (Derick Rethans)Enchant:* Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol)Ereg:* Fixed bug #68740 (NULL Pointer Dereference). (Laruence)Fileinfo:* Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski)Filter:* Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used). (Jeff Welch)* Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff Welch)OPCache:* Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function). (Laruence)* Fixed bug #69281 (opcache_is_script_cached no longer works). (danack)* Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence)OpenSSL* Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts) (Chris Wright)* Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) (Daniel Lowrey)* Fixed bug #69215 (Crypto servers should send client CA list) (Daniel Lowrey)* Add a check for RAND_egd to allow compiling against LibreSSL (Leigh)Phar:* Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar). (Mike)* Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike)* Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike)* Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar"). (Mike)* Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas)* Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (Stas)Postgres:* Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence)SPL:* Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com)SOAP:* Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)). (Laruence)Sqlite3:* Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception). (Dan Ackroyd)* Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol)* Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan)

Fixes CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125

Security fix for CVE-2015-1859, CVE-2015-1858, CVE-2015-1860

Update of sqlite to latest upstream version, with spatialite-tools rebuild.

Update of sqlite to latest upstream version, with spatialite-tools rebuild.

* apply patch for CVE-2013-4276 * apply patch for "Use of uninitialized values on 64 bit machines."

Update to latest upstream release, Linux v4.0

Security fix for CVE-2015-1799, CVE-2015-1798, #1210324

Updated to upstream 0.16.0Fix issue introduced by a samba subpackage split resulting in realmd failing to join Active Directory domains.

Security fix for CVE-2015-1799, CVE-2015-1798, #1210324

The 3.19.4 stable release contains a number of important fixes across the tree.

Updated package from upstream fixing minor security issues.

Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822

16 Apr 2015, **PHP 5.6.8**Core:* Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence)* Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk)* Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai)* Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski)* Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas)* Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso)* Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita)* Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita)* Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas)* Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas)Apache2handler:* Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema)cURL:* Implemented FR#69278 (HTTP2 support). (Masaki Kagaya)* Fixed bug #68739 (Missing break / control flow). (Laruence)* Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence)Date:* Fixed bug #69336 (Issues with "last day of "). (Derick Rethans)Enchant:* Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol)Ereg:* Fixed bug #68740 (NULL Pointer Dereference). (Laruence)Fileinfo:* Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski)Filter:* Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used). (Jeff Welch)* Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff Welch)OPCache:* Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function). (Laruence)* Fixed bug #69281 (opcache_is_script_cached no longer works). (danack)* Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence)OpenSSL* Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts) (Chris Wright)* Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) (Daniel Lowrey)* Fixed bug #69215 (Crypto servers should send client CA list) (Daniel Lowrey)* Add a check for RAND_egd to allow compiling against LibreSSL (Leigh)Phar:* Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar). (Mike)* Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike)* Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike)* Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar"). (Mike)* Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas)* Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (Stas)Postgres:* Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence)SPL:* Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com)SOAP:* Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)). (Laruence)Sqlite3:* Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception). (Dan Ackroyd)* Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol)* Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan)

Updated to security update u45

Updated to security update u45

Security fix for CVE-2014-5353(this was fixed in an older build but the announcement was lost)

Updated to security icedtea-forest7 2.5.5

The 3.19.4 stable release contains a number of important fixes across the tree.

Update of sqlite to latest upstream version, with spatialite-tools rebuild.

Update of sqlite to latest upstream version, with spatialite-tools rebuild.

Security fix for CVE-2013-1752 multiple unbound readline() DoS flaws in python stdlib following fixes (which all relates to this CVE) are in this patch: * ftplib: Limit amount of data read by limiting the call to readline(). #16038 * imaplib: limit line length in imaplib readline calls. #16039 * nntplib: Limit maximum line lengths to 2048 to prevent readline() calls from consuming too much memory. #16040 * poplib: limit maximum line length that we read from the network #16041 * smtplib: limit amount read from the network #16042

Resolves bz 1114461 - CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds

Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822

Updated package from upstream fixing minor security issues.

* Fixing arbitrary code execution

Changes since 1.24.1* (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.* (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.* (bug T88310) SECURITY: Always expand xml entities when checking SVG's.* (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.* (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.* (bug T64685) SECURITY: Allow setting maximal password length to prevent DoS when using PBKDF2.* (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.* Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.* (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.* (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.

Update to ceph-deploy 1.5.23. This fixes CVE-2015-3010 (keyring permissions are world readable in ~ceph). See [upstream changelog]( ) for detailed changes.

CVE-2015-2331: integer overflow when processing ZIP archives (#1204676,#1204677)

Update to latest release, which includes security fixes.Update to 2.1.6, per changes described at: enable json-c for postigs, but disable it for upgrade partRebuild for Proj 4.9.1

Security fix for CVE-2013-1752 and update to latest upstream release of jython.

Security fix for CVE-2013-1752 and update to latest upstream release of jython.

Security fix for CVE-2013-1752 and update to latest upstream release of jython.

Fix CVE-2015-1806 (SECURITY-125)

Fix CVE-2015-1806 (SECURITY-125)

Fix CVE-2015-1806 (SECURITY-125)

Update to ceph-deploy 1.5.23. This fixes CVE-2015-3010 (keyring permissions are world readable in ~ceph). See [upstream changelog]( ) for detailed changes.

Update to upstream 1.7 release for security fixes

Small specfile improvements to confirm to updated packaging guidelines. Thx to mschwendt.Updated to latest SVN, fixing various bugs.

libtasn1 4.4 release, fixing CVE-2015-2806.GnuTLS 3.3.14 release

libtasn1 4.4 release, fixing CVE-2015-2806.GnuTLS 3.3.14 release

QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode.

QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode.

Security fix for CVE-2015-2806.

update to 1.8 finalmodernize spec for python3

Multiple vulnerabilities were found in Qt image format handling of BMP, ICO and GIF files. The issues exposed included denial of service and buffer overflows leading to heap corruption. It is possible the latter could be used to perform remote code execution.See also https://lists.qt-project.org/pipermail/announce/2015-April/000067.html Drop backported Qt 5.5 XCB patches, the rebase is incomplete and does not work properly with Qt 5.4

new upstream release

Security fix for CVE-2015-1806, CVE-2015-1807, CVE-2015-1813, CVE-2015-1812, CVE-2015-1810, CVE-2015-1808, CVE-2015-1809, CVE-2015-1814, CVE-2015-1811

Security fix for CVE-2015-1806, CVE-2015-1807, CVE-2015-1813, CVE-2015-1812, CVE-2015-1810, CVE-2015-1808, CVE-2015-1809, CVE-2015-1814, CVE-2015-1811

Security fix for CVE-2015-1806, CVE-2015-1807, CVE-2015-1813, CVE-2015-1812, CVE-2015-1810, CVE-2015-1808, CVE-2015-1809, CVE-2015-1814, CVE-2015-1811

This update provides the new release 7.0.5, which resolves currently undisclosed security vulnerabilities in ownCloud.It is a minor version update and should apply without any issues or special handling, but as usual, we recommend backing up your data, configuration, and database before updating.We have also backported a post-7.0.5 fix for a 'critical' issue: https://github.com/owncloud/core/issues/14843 .

DBD::Firebird 1.19 [2015-03-22]=============================== * Fix $VERSION in Firebird.pm * Fix typo in ISC_PASSWORD spelling * Positive logic and early return * Allow re-executing/fetch on prepared sth [RT#92810, Tux] * Add rests for $dbh->{Name} and others * Implement $dbh->{Name} * Fix attributions to Mike Pomraning * use strict and warnings in all modules * add a test for inserting/fetching float and double numbers as an attempt to reproduce RT#101650 * fix File::Which configure prerequisite declaration [RT#101672, dmn] * 03-dbh-attr.t: plan tests after creating the TestFirebird object * Buffer Overflow in dbdimp.c * use snprintf instead of sprintf everywhere

Changes since 1.24.1* (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.* (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.* (bug T88310) SECURITY: Always expand xml entities when checking SVG's.* (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.* (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.* (bug T64685) SECURITY: Allow setting maximal password length to prevent DoS when using PBKDF2.* (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.* Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.* (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.* (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.

CVE-2015-2675 rest: memory corruption when using oauth because of implicit declaration of rest_proxy_call_get_url

This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behavior is included in this update.Security issues: * Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries. * When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would executeautomatically during "make test". * Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. * Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a maliciousmodule so that they would load from the '.' path in @INC.

This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behavior is included in this update.Security issues: * Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries. * When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would executeautomatically during "make test". * Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. * Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a maliciousmodule so that they would load from the '.' path in @INC.

Update to upstream release 0.2.5.12.

new upstream release (#1206968)

Contains security fix for CVE-2015-0261, CVE-2015-2154, CVE-2015-2153, CVE-2015-2155.

Fix CVE-2015-1806 (SECURITY-125)

Fix CVE-2015-1806 (SECURITY-125)

Fix CVE-2015-1806 (SECURITY-125)

CVE-2015-2675 rest: memory corruption when using oauth because of implicit declaration of rest_proxy_call_get_url

Security fix for CVE-2015-1806, CVE-2015-1807, CVE-2015-1813, CVE-2015-1812, CVE-2015-1810, CVE-2015-1808, CVE-2015-1809, CVE-2015-1814, CVE-2015-1811

Security fix for CVE-2013-1752multiple unbound readline() DoS flaws in python stdlibfollowing fixes (which all relates to this CVE) are in this patch:* poplib: limit maximum line length that we read from the network #16041* smtplib: limit amount read from the network #16042

Updated package from upstream fixing minor security issues.

Update to upstream release 0.2.5.12.

This update provides the new release 7.0.5, which resolves currently undisclosed security vulnerabilities in ownCloud.It is a minor version update and should apply without any issues or special handling, but as usual, we recommend backing up your data, configuration, and database before updating.We have also backported a post-7.0.5 fix for a 'critical' issue: https://github.com/owncloud/core/issues/14843 .

new upstream release

backported fix for stack overflow in DER decoder

new upstream release

Changes since 1.23.8* (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.* (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.* (bug T88310) SECURITY: Always expand xml entities when checking SVG's.* (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.* (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.* (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.* (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.

This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behavior is included in this update.Security issues: * Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries. * When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would executeautomatically during "make test". * Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. * Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a maliciousmodule so that they would load from the '.' path in @INC.

**2.5.11** (2015-04-01)* security #14167 CVE-2015-2308 (nicolas-grekas)* security #14166 CVE-2015-2309 (neclimdul)

This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behavior is included in this update.Security issues: * Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries. * When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would executeautomatically during "make test". * Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. * Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a maliciousmodule so that they would load from the '.' path in @INC.

Update to latest release, which includes security fixes.Update to 2.1.6, per changes described at: enable json-c for postigs, but disable it for upgrade partRebuild for Proj 4.9.1

DBD::Firebird 1.19 [2015-03-22]=============================== * Fix $VERSION in Firebird.pm * Fix typo in ISC_PASSWORD spelling * Positive logic and early return * Allow re-executing/fetch on prepared sth [RT#92810, Tux] * Add rests for $dbh->{Name} and others * Implement $dbh->{Name} * Fix attributions to Mike Pomraning * use strict and warnings in all modules * add a test for inserting/fetching float and double numbers as an attempt to reproduce RT#101650 * fix File::Which configure prerequisite declaration [RT#101672, dmn] * 03-dbh-attr.t: plan tests after creating the TestFirebird object * Buffer Overflow in dbdimp.c * use snprintf instead of sprintf everywhere

**2.5.11** (2015-04-01)* security #14167 CVE-2015-2308 (nicolas-grekas)* security #14166 CVE-2015-2309 (neclimdul)

QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode.

CVE-2015-2331: integer overflow when processing ZIP archives (#1204676,#1204677)

New upstream version - 37.0.1

Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code.

Multiple vulnerabilities have been found in X.Org X Server, allowing attackers to execute arbitrary code or cause a Denial of Service condition.

An updated novnc package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 4.0. Red Hat Product Security has rated this update as having Moderate security [More...]

Updated kvm packages that fix two security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]

Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5.9 Long Life. Red Hat Product Security has rated this update as having Important security [More...]

Updated glibc packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security [More...]

Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security [More...]

Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]

Updated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security [More...]

Updated OpenStack Compute (nova) packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

Updated openstack-swift packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

Updated OpenStack Compute (nova) packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

An updated novnc package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

Updated openstack-glance packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

An updated novnc package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

An updated redhat-access-plugin-openstack package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

Updated openstack-swift packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

Updated openstack-glance packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

An updated redhat-access-plugin-openstack package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

Updated Red Hat Enterprise Linux OpenStack Platform Installer packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]

New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues. [More Info...]

New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

New gnupg packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

New proftpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]

New ppp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]

New libssh packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]

New mutt packages are available for Slackware 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]

New qt packages are available for Slackware 14.1, and -current to fix security issues. [More Info...]

New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues. [More Info...]

Firefox could be made to crash or run programs as your login if itopened a malicious website.

wpa_supplicant could be made to crash, expose memory, or run programs if itreceived specially crafted network traffic.

usb-creator could be tricked into running programs as an administrator.

usb-creator could be tricked into running programs as an administrator.

Several security issues were fixed in PHP.

Apport could be tricked into running programs as an administrator.