Linux Advisory Watch: April 24th, 2015

Advisories

Linux Advisory Watch: April 24th, 2015

Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor have made available.

LinuxSecurity.com Feature Extras:

Peter Smith Releases Linux Network Security Online - Thanks so much to Peter Smith for announcing on linuxsecurity.com the release of his Linux Network Security book available free online. "In 2005 I wrote a book on Linux security. 8 years later and the publisher has gone out of business. Now that I'm free from restrictions on reproducing material from the book, I have decided to make the entire book available online."

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to insure basic security considerations are in place.


Debian: 3232-1: curl: Summary (Apr 22)

Security Report Summary

Debian: 3230-1: django-markupfield: Summary (Apr 20)

Security Report Summary

Debian: 3229-1: mysql-5.5: Summary (Apr 19)

Security Report Summary

Debian: 3228-1: ppp: Summary (Apr 16)

Security Report Summary


Fedora 21 php-5.6.8-1.fc21 (Apr 23)

16 Apr 2015, **PHP 5.6.8**Core:* Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence)* Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk)* Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai)* Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski)* Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas)* Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso)* Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita)* Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita)* Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas)* Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas)Apache2handler:* Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema)cURL:* Implemented FR#69278 (HTTP2 support). (Masaki Kagaya)* Fixed bug #68739 (Missing break / control flow). (Laruence)* Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence)Date:* Fixed bug #69336 (Issues with "last day of "). (Derick Rethans)Enchant:* Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol)Ereg:* Fixed bug #68740 (NULL Pointer Dereference). (Laruence)Fileinfo:* Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski)Filter:* Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used). (Jeff Welch)* Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff Welch)OPCache:* Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function). (Laruence)* Fixed bug #69281 (opcache_is_script_cached no longer works). (danack)* Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence)OpenSSL* Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts) (Chris Wright)* Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) (Daniel Lowrey)* Fixed bug #69215 (Crypto servers should send client CA list) (Daniel Lowrey)* Add a check for RAND_egd to allow compiling against LibreSSL (Leigh)Phar:* Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar). (Mike)* Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike)* Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike)* Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar"). (Mike)* Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas)* Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (Stas)Postgres:* Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence)SPL:* Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com)SOAP:* Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)). (Laruence)Sqlite3:* Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception). (Dan Ackroyd)* Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol)* Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan)

Fedora 22 ruby-2.2.2-11.fc22 (Apr 23)

Fixes CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125

Fedora 22 qt-4.8.6-28.fc22 (Apr 23)

Security fix for CVE-2015-1859, CVE-2015-1858, CVE-2015-1860

Fedora 22 spatialite-tools-4.2.0-10.fc22 (Apr 23)

Update of sqlite to latest upstream version, with spatialite-tools rebuild.

Fedora 22 sqlite-3.8.9-1.fc22 (Apr 23)

Update of sqlite to latest upstream version, with spatialite-tools rebuild.

Fedora 20 lcms-1.19-13.fc20 (Apr 23)

* apply patch for CVE-2013-4276 * apply patch for "Use of uninitialized values on 64 bit machines."

Fedora 22 kernel-4.0.0-1.fc22 (Apr 23)

Update to latest upstream release, Linux v4.0

Fedora 22 ntp-4.2.6p5-30.fc22 (Apr 22)

Security fix for CVE-2015-1799, CVE-2015-1798, #1210324

Fedora 22 realmd-0.16.0-1.fc22 (Apr 22)

Updated to upstream 0.16.0Fix issue introduced by a samba subpackage split resulting in realmd failing to join Active Directory domains.

Fedora 20 ntp-4.2.6p5-22.fc20 (Apr 22)

Security fix for CVE-2015-1799, CVE-2015-1798, #1210324

Fedora 21 kernel-3.19.4-200.fc21 (Apr 22)

The 3.19.4 stable release contains a number of important fixes across the tree.

Fedora 22 gnupg2-2.1.2-2.fc22 (Apr 22)

Updated package from upstream fixing minor security issues.

Fedora 21 chrony-1.31.1-1.fc21 (Apr 22)

Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822

Fedora 22 php-5.6.8-1.fc22 (Apr 22)

16 Apr 2015, **PHP 5.6.8**Core:* Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence)* Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 characters). (Tjerk)* Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai)* Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski)* Additional fix for bug #69152 (Type confusion vulnerability in exception::getTraceAsString). (Stas)* Fixed bug #69210 (serialize function return corrupted data when sleep has non-string values). (Juan Basso)* Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita)* Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita)* Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability). (Stas)* Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions). (Stas)Apache2handler:* Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Gerrit Venema)cURL:* Implemented FR#69278 (HTTP2 support). (Masaki Kagaya)* Fixed bug #68739 (Missing break / control flow). (Laruence)* Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence)Date:* Fixed bug #69336 (Issues with "last day of "). (Derick Rethans)Enchant:* Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol)Ereg:* Fixed bug #68740 (NULL Pointer Dereference). (Laruence)Fileinfo:* Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski)Filter:* Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used). (Jeff Welch)* Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff Welch)OPCache:* Fixed bug #69297 (function_exists strange behavior with OPCache on disabled function). (Laruence)* Fixed bug #69281 (opcache_is_script_cached no longer works). (danack)* Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence)OpenSSL* Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling in stream_select() contexts) (Chris Wright)* Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) (Daniel Lowrey)* Fixed bug #69215 (Crypto servers should send client CA list) (Daniel Lowrey)* Add a check for RAND_egd to allow compiling against LibreSSL (Leigh)Phar:* Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar). (Mike)* Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike)* Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike)* Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar"). (Mike)* Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas)* Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode). (Stas)Postgres:* Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence)SPL:* Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com)SOAP:* Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader (bisected, regression)). (Laruence)Sqlite3:* Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception). (Dan Ackroyd)* Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol)* Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan)

Fedora 21 java-1.8.0-openjdk-1.8.0.45-31.b13.fc21 (Apr 22)

Updated to security update u45

Fedora 22 java-1.8.0-openjdk-1.8.0.45-31.b13.fc22 (Apr 22)

Updated to security update u45

Fedora 22 krb5-1.13.1-2.fc22 (Apr 22)

Security fix for CVE-2014-5353(this was fixed in an older build but the announcement was lost)

Fedora 20 java-1.7.0-openjdk-1.7.0.79-2.5.5.0.fc20 (Apr 22)

Updated to security icedtea-forest7 2.5.5

Fedora 20 kernel-3.19.4-100.fc20 (Apr 22)

The 3.19.4 stable release contains a number of important fixes across the tree.

Fedora 21 spatialite-tools-4.2.0-10.fc21 (Apr 22)

Update of sqlite to latest upstream version, with spatialite-tools rebuild.

Fedora 21 sqlite-3.8.9-1.fc21 (Apr 22)

Update of sqlite to latest upstream version, with spatialite-tools rebuild.

Fedora 20 python-2.7.5-16.fc20 (Apr 22)

Security fix for CVE-2013-1752 multiple unbound readline() DoS flaws in python stdlib following fixes (which all relates to this CVE) are in this patch: * ftplib: Limit amount of data read by limiting the call to readline(). #16038 * imaplib: limit line length in imaplib readline calls. #16039 * nntplib: Limit maximum line lengths to 2048 to prevent readline() calls from consuming too much memory. #16040 * poplib: limit maximum line length that we read from the network #16041 * smtplib: limit amount read from the network #16042

Fedora 22 cherokee-1.2.103-6.fc22 (Apr 22)

Resolves bz 1114461 - CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds

Fedora 22 chrony-2.0-0.3.pre2.fc22 (Apr 22)

Security fix for CVE-2015-1853, CVE-2015-1821, CVE-2015-1822

Fedora 20 gnupg2-2.0.27-1.fc20 (Apr 22)

Updated package from upstream fixing minor security issues.

Fedora 22 powerpc-utils-python-1.2.1-7.fc22 (Apr 21)

* Fixing arbitrary code execution

Fedora 22 mediawiki-1.24.2-1.fc22 (Apr 21)

Changes since 1.24.1* (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.* (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.* (bug T88310) SECURITY: Always expand xml entities when checking SVG's.* (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.* (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.* (bug T64685) SECURITY: Allow setting maximal password length to prevent DoS when using PBKDF2.* (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.* Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.* (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.* (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.

Fedora 21 ceph-deploy-1.5.23-1.fc21 (Apr 21)

Update to ceph-deploy 1.5.23. This fixes CVE-2015-3010 (keyring permissions are world readable in ~ceph). See [upstream changelog](https://ceph.com/ceph-deploy/docs/changelog.html) for detailed changes.

Fedora 21 libzip-0.11.2-5.fc21 (Apr 21)

CVE-2015-2331: integer overflow when processing ZIP archives (#1204676,#1204677)

Fedora 22 postgis-2.1.7-1.fc22 (Apr 21)

Update to latest release, which includes security fixes.Update to 2.1.6, per changes described at:https://postgis.net/2015/03/20/postgis-2.1.6enable json-c for postigs, but disable it for upgrade partRebuild for Proj 4.9.1

Fedora 22 jython-2.7-0.7.rc2.fc22 (Apr 21)

Security fix for CVE-2013-1752 and update to latest upstream release of jython.

Fedora 22 jline-2.12.1-1.fc22 (Apr 21)

Security fix for CVE-2013-1752 and update to latest upstream release of jython.

Fedora 22 jnr-posix-3.0.9-3.fc22 (Apr 21)

Security fix for CVE-2013-1752 and update to latest upstream release of jython.

Fedora 22 groovy-sandbox-1.8-1.fc22 (Apr 21)

Fix CVE-2015-1806 (SECURITY-125)

Fedora 22 Update: jenkins-matrix-project-plugin-1.4.1-1.fc22 (Apr 21)

Fix CVE-2015-1806 (SECURITY-125)

Fedora 22 Update: jenkins-script-security-plugin-1.13-2.fc22 (Apr 21)

Fix CVE-2015-1806 (SECURITY-125)

Fedora 22 ceph-deploy-1.5.23-1.fc22 (Apr 21)

Update to ceph-deploy 1.5.23. This fixes CVE-2015-3010 (keyring permissions are world readable in ~ceph). See [upstream changelog](https://ceph.com/ceph-deploy/docs/changelog.html) for detailed changes.

Fedora 22 drupal7-ctools-1.7-1.fc22 (Apr 21)

Update to upstream 1.7 release for security fixes

Fedora 22 echoping-6.1-0.1.beta.r434svn.fc22 (Apr 21)

Small specfile improvements to confirm to updated packaging guidelines. Thx to mschwendt.Updated to latest SVN, fixing various bugs.

Fedora 21 mingw-gnutls-3.3.14-1.fc21 (Apr 21)

libtasn1 4.4 release, fixing CVE-2015-2806.GnuTLS 3.3.14 releasehttps://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/8077

Fedora 21 mingw-libtasn1-4.4-1.fc21 (Apr 21)

libtasn1 4.4 release, fixing CVE-2015-2806.GnuTLS 3.3.14 releasehttps://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/8077

Fedora 20 qt5-qtwebkit-5.4.1-4.fc20 (Apr 21)

QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode.

Fedora 20 qtwebkit-2.3.4-6.fc20 (Apr 21)

QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode.

Fedora 20 mingw-libtasn1-3.8-2.fc20 (Apr 21)

Security fix for CVE-2015-2806.

Fedora 22 python-django-1.8-1.fc22 (Apr 21)

update to 1.8 finalmodernize spec for python3

Fedora 22 qt5-qtbase-5.4.1-9.fc22 (Apr 21)

Multiple vulnerabilities were found in Qt image format handling of BMP, ICO and GIF files. The issues exposed included denial of service and buffer overflows leading to heap corruption. It is possible the latter could be used to perform remote code execution.See also https://lists.qt-project.org/pipermail/announce/2015-April/000067.htmlDrop backported Qt 5.5 XCB patches, the rebase is incomplete and does not work properly with Qt 5.4

Fedora 22 knot-1.6.3-1.fc22 (Apr 21)

new upstream release

Fedora 22 jffi-1.2.7-5.fc22 (Apr 21)

Security fix for CVE-2015-1806, CVE-2015-1807, CVE-2015-1813, CVE-2015-1812, CVE-2015-1810, CVE-2015-1808, CVE-2015-1809, CVE-2015-1814, CVE-2015-1811

Fedora 22 jenkins-1.606-1.fc22 (Apr 21)

Security fix for CVE-2015-1806, CVE-2015-1807, CVE-2015-1813, CVE-2015-1812, CVE-2015-1810, CVE-2015-1808, CVE-2015-1809, CVE-2015-1814, CVE-2015-1811

Fedora 22 jenkins-executable-war-1.29-4.fc22 (Apr 21)

Security fix for CVE-2015-1806, CVE-2015-1807, CVE-2015-1813, CVE-2015-1812, CVE-2015-1810, CVE-2015-1808, CVE-2015-1809, CVE-2015-1814, CVE-2015-1811

Fedora 21 owncloud-7.0.5-2.fc21 (Apr 18)

This update provides the new release 7.0.5, which resolves currently undisclosed security vulnerabilities in ownCloud.It is a minor version update and should apply without any issues or special handling, but as usual, we recommend backing up your data, configuration, and database before updating.We have also backported a post-7.0.5 fix for a 'critical' issue: https://github.com/owncloud/core/issues/14843 .

Fedora 21 perl-DBD-Firebird-1.19-1.fc21 (Apr 18)

DBD::Firebird 1.19 [2015-03-22]=============================== * Fix $VERSION in Firebird.pm * Fix typo in ISC_PASSWORD spelling * Positive logic and early return * Allow re-executing/fetch on prepared sth [RT#92810, Tux] * Add rests for $dbh->{Name} and others * Implement $dbh->{Name} * Fix attributions to Mike Pomraning * use strict and warnings in all modules * add a test for inserting/fetching float and double numbers as an attempt to reproduce RT#101650 * fix File::Which configure prerequisite declaration [RT#101672, dmn] * 03-dbh-attr.t: plan tests after creating the TestFirebird object * Buffer Overflow in dbdimp.c * use snprintf instead of sprintf everywhere

Fedora 21 mediawiki-1.24.2-1.fc21 (Apr 18)

Changes since 1.24.1* (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.* (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.* (bug T88310) SECURITY: Always expand xml entities when checking SVG's.* (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.* (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.* (bug T64685) SECURITY: Allow setting maximal password length to prevent DoS when using PBKDF2.* (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.* Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.* (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.* (bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.

Fedora 21 rest-0.7.93-1.fc21 (Apr 18)

CVE-2015-2675 rest: memory corruption when using oauth because of implicit declaration of rest_proxy_call_get_url

Fedora 20 perl-Test-Signature-1.11-1.fc20 (Apr 18)

This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behavior is included in this update.Security issues: * Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries. * When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would executeautomatically during "make test". * Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. * Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a maliciousmodule so that they would load from the '.' path in @INC.

Fedora 20 perl-Module-Signature-0.78-1.fc20 (Apr 18)

This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behavior is included in this update.Security issues: * Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries. * When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would executeautomatically during "make test". * Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. * Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a maliciousmodule so that they would load from the '.' path in @INC.

Fedora 20 tor-0.2.5.12-1.fc20 (Apr 18)

Update to upstream release 0.2.5.12.

Fedora 21 libtasn1-4.4-1.fc21 (Apr 18)

new upstream release (#1206968)

Fedora 20 tcpdump-4.5.1-4.fc20 (Apr 18)

Contains security fix for CVE-2015-0261, CVE-2015-2154, CVE-2015-2153, CVE-2015-2155.

Fedora 21 jenkins-matrix-project-plugin-1.4-3.fc21 (Apr 18)

Fix CVE-2015-1806 (SECURITY-125)

Fedora 21 Update: jenkins-script-security-plugin-1.13-2.fc21 (Apr 18)

Fix CVE-2015-1806 (SECURITY-125)

Fedora 21 groovy-sandbox-1.8-1.fc21 (Apr 18)

Fix CVE-2015-1806 (SECURITY-125)

Fedora 20 rest-0.7.93-1.fc20 (Apr 18)

CVE-2015-2675 rest: memory corruption when using oauth because of implicit declaration of rest_proxy_call_get_url

Fedora 21 jenkins-1.590-3.fc21 (Apr 18)

Security fix for CVE-2015-1806, CVE-2015-1807, CVE-2015-1813, CVE-2015-1812, CVE-2015-1810, CVE-2015-1808, CVE-2015-1809, CVE-2015-1814, CVE-2015-1811

Fedora 21 python-2.7.8-8.fc21 (Apr 18)

Security fix for CVE-2013-1752multiple unbound readline() DoS flaws in python stdlibfollowing fixes (which all relates to this CVE) are in this patch:* poplib: limit maximum line length that we read from the network #16041* smtplib: limit amount read from the network #16042

Fedora 21 gnupg2-2.0.27-1.fc21 (Apr 18)

Updated package from upstream fixing minor security issues.

Fedora 21 tor-0.2.5.12-1.fc21 (Apr 18)

Update to upstream release 0.2.5.12.

Fedora 20 owncloud-7.0.5-2.fc20 (Apr 18)

This update provides the new release 7.0.5, which resolves currently undisclosed security vulnerabilities in ownCloud.It is a minor version update and should apply without any issues or special handling, but as usual, we recommend backing up your data, configuration, and database before updating.We have also backported a post-7.0.5 fix for a 'critical' issue: https://github.com/owncloud/core/issues/14843 .

Fedora 21 knot-1.6.3-1.fc21 (Apr 18)

new upstream release

Fedora 20 libtasn1-3.8-3.fc20 (Apr 18)

backported fix for stack overflow in DER decoder

Fedora 20 knot-1.6.3-1.fc20 (Apr 18)

new upstream release

Fedora 20 mediawiki-1.23.9-1.fc20 (Apr 18)

Changes since 1.23.8* (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.* (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.* (bug T88310) SECURITY: Always expand xml entities when checking SVG's.* (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.* (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.* (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.* (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.

Fedora 21 perl-Module-Signature-0.78-1.fc21 (Apr 18)

This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behavior is included in this update.Security issues: * Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries. * When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would executeautomatically during "make test". * Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. * Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a maliciousmodule so that they would load from the '.' path in @INC.

Fedora 21 php-symfony-2.5.11-1.fc21 (Apr 18)

**2.5.11** (2015-04-01)* security #14167 CVE-2015-2308 (nicolas-grekas)* security #14166 CVE-2015-2309 (neclimdul)

Fedora 21 perl-Test-Signature-1.11-1.fc21 (Apr 18)

This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behavior is included in this update.Security issues: * Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries. * When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would executeautomatically during "make test". * Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. * Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a maliciousmodule so that they would load from the '.' path in @INC.

Fedora 21 postgis-2.1.7-1.fc21 (Apr 18)

Update to latest release, which includes security fixes.Update to 2.1.6, per changes described at:https://postgis.net/2015/03/20/postgis-2.1.6enable json-c for postigs, but disable it for upgrade partRebuild for Proj 4.9.1

Fedora 20 perl-DBD-Firebird-1.19-1.fc20 (Apr 18)

DBD::Firebird 1.19 [2015-03-22]=============================== * Fix $VERSION in Firebird.pm * Fix typo in ISC_PASSWORD spelling * Positive logic and early return * Allow re-executing/fetch on prepared sth [RT#92810, Tux] * Add rests for $dbh->{Name} and others * Implement $dbh->{Name} * Fix attributions to Mike Pomraning * use strict and warnings in all modules * add a test for inserting/fetching float and double numbers as an attempt to reproduce RT#101650 * fix File::Which configure prerequisite declaration [RT#101672, dmn] * 03-dbh-attr.t: plan tests after creating the TestFirebird object * Buffer Overflow in dbdimp.c * use snprintf instead of sprintf everywhere

Fedora 20 php-symfony-2.5.11-1.fc20 (Apr 18)

**2.5.11** (2015-04-01)* security #14167 CVE-2015-2308 (nicolas-grekas)* security #14166 CVE-2015-2309 (neclimdul)

Fedora 22 qt5-qtwebkit-5.4.1-4.fc22 (Apr 16)

QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode.

Fedora 22 libzip-0.11.2-5.fc22 (Apr 16)

CVE-2015-2331: integer overflow when processing ZIP archives (#1204676,#1204677)

Fedora 22 firefox-37.0.1-1.fc22 (Apr 16)

New upstream version - 37.0.1


Gentoo: 201504-07 Adobe Flash Player: Multiple vulnerabilities (Apr 17)

Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code.

Gentoo: 201504-06 X.Org X Server: Multiple vulnerabilities (Apr 17)

Multiple vulnerabilities have been found in X.Org X Server, allowing attackers to execute arbitrary code or cause a Denial of Service condition.


Red Hat: 2015:0884-01: novnc: Moderate Advisory (Apr 23)

An updated novnc package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 4.0. Red Hat Product Security has rated this update as having Moderate security [More...]

Red Hat: 2015:0869-01: kvm: Important Advisory (Apr 22)

Updated kvm packages that fix two security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]

Red Hat: 2015:0870-01: kernel: Important Advisory (Apr 22)

Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 5.9 Long Life. Red Hat Product Security has rated this update as having Important security [More...]

Red Hat: 2015:0863-01: glibc: Moderate Advisory (Apr 21)

Updated glibc packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security [More...]

Red Hat: 2015:0857-01: java-1.7.0-oracle: Critical Advisory (Apr 20)

Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security [More...]

Red Hat: 2015:0858-01: java-1.6.0-sun: Important Advisory (Apr 20)

Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]

Red Hat: 2015:0854-01: java-1.8.0-oracle: Critical Advisory (Apr 17)

Updated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security [More...]

Red Hat: 2015:0844-01: openstack-nova: Important Advisory (Apr 16)

Updated OpenStack Compute (nova) packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

Red Hat: 2015:0835-01: openstack-swift: Moderate Advisory (Apr 16)

Updated openstack-swift packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

Red Hat: 2015:0843-01: openstack-nova: Important Advisory (Apr 16)

Updated OpenStack Compute (nova) packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

Red Hat: 2015:0834-01: novnc: Moderate Advisory (Apr 16)

An updated novnc package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

Red Hat: 2015:0838-01: openstack-glance: Low Advisory (Apr 16)

Updated openstack-glance packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

Red Hat: 2015:0833-01: novnc: Moderate Advisory (Apr 16)

An updated novnc package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

Red Hat: 2015:0841-01: redhat-access-plugin: Important Advisory (Apr 16)

An updated redhat-access-plugin-openstack package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

Red Hat: 2015:0836-01: openstack-swift: Moderate Advisory (Apr 16)

Updated openstack-swift packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

Red Hat: 2015:0837-01: openstack-glance: Low Advisory (Apr 16)

Updated openstack-glance packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

Red Hat: 2015:0840-01: redhat-access-plugin: Important Advisory (Apr 16)

An updated redhat-access-plugin-openstack package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

Red Hat: 2015:0830-01: openstack-foreman-installer: Important Advisory (Apr 16)

Updated Red Hat Enterprise Linux OpenStack Platform Installer packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

Red Hat: 2015:0816-01: chromium-browser: Important Advisory (Apr 16)

Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]


Slackware: 2015-111-05: mozilla-firefox: Security Update (Apr 24)

New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues. [More Info...]

Slackware: 2015-111-09: openssl: Security Update (Apr 22)

New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

Slackware: 2015-111-03: httpd: Security Update (Apr 22)

New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

Slackware: 2015-111-01: bind: Security Update (Apr 22)

New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

Slackware: 2015-111-02: gnupg: Security Update (Apr 22)

New gnupg packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

Slackware: 2015-111-08: ntp: Security Update (Apr 22)

New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

Slackware: 2015-111-12: proftpd: Security Update (Apr 22)

New proftpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]

Slackware: 2015-111-11: ppp: Security Update (Apr 22)

New ppp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

Slackware: 2015-111-10: php: Security Update (Apr 22)

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]

Slackware: 2015-111-14: seamonkey: Security Update (Apr 22)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]

Slackware: 2015-111-04: libssh: Security Update (Apr 22)

New libssh packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]

Slackware: 2015-111-07: mutt: Security Update (Apr 22)

New mutt packages are available for Slackware 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]

Slackware: 2015-111-13: qt: Security Update (Apr 22)

New qt packages are available for Slackware 14.1, and -current to fix security issues. [More Info...]

Slackware: 2015-111-06: mozilla-thunderbird: Security Update (Apr 22)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues. [More Info...]


Ubuntu: 2571-1: Firefox vulnerability (Apr 24)

Firefox could be made to crash or run programs as your login if itopened a malicious website.

Ubuntu: 2577-1: wpa_supplicant vulnerability (Apr 23)

wpa_supplicant could be made to crash, expose memory, or run programs if itreceived specially crafted network traffic.

Ubuntu: 2576-2: usb-creator vulnerability (Apr 23)

usb-creator could be tricked into running programs as an administrator.

Ubuntu: 2576-1: usb-creator vulnerability (Apr 23)

usb-creator could be tricked into running programs as an administrator.

Ubuntu: 2572-1: PHP vulnerabilities (Apr 20)

Several security issues were fixed in PHP.

Ubuntu: 2569-2: Apport vulnerability (Apr 16)

Apport could be tricked into running programs as an administrator.

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.