Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.


LinuxSecurity.com Feature Extras:

- Social engineering is the practice of learning and obtaining valuable information by exploiting human vulnerabilities. It is an art of deception that is considered to be vital for a penetration tester when there is a lack of information about the target that can be exploited.

- When you’re dealing with a security incident it’s essential that you – and the rest of your team – not only have the skills you need to comprehensively deal with an issue, but also have a framework to support you as you approach it. This framework means you can focus purely on what you need to do, following a process that removes any vulnerabilities and threats in a proper way – so everyone who depends upon the software you protect can be confident that it’s secure and functioning properly.


  (Mar 15)
 

Security Report Summary

  (Mar 14)
 

Security Report Summary

  (Mar 13)
 

Security Report Summary

  (Mar 12)
 

Security Report Summary

  (Mar 9)
 

Security Report Summary

  (Mar 9)
 

Security Report Summary

 
  (Mar 13)
 

Security fix for CVE-2016-9422, CVE-2016-9423, CVE-2016-9424, CVE-2016-9425, CVE-2016-9428, CVE-2016-9426, CVE-2016-9429, CVE-2016-9430, CVE-2016-9431, CVE-2016-9432, CVE-2016-9433, CVE-2016-9434, CVE-2016-9435, CVE-2016-9436, CVE-2016-9437, CVE-2016-9438, CVE-2016-9439, CVE-2016-9440, CVE-2016-9441, CVE-2016-9442, CVE-2016-9443, CVE-2016-9622, CVE-2016-9623, CVE-2016-9624, CVE-2016-9625, CVE-2016-9626, CVE-2016-9627, CVE-2016-9628, CVE-2016-9629, CVE-2016-9631, CVE-2016-9630, CVE-2016-9632, CVE-2016-9633, and new upstream 20170102 as well

  (Mar 13)
 

Security fix for integer underflow

  (Mar 13)
 

This update fixes a possible heap buffer overflow.

  (Mar 13)
 

For changes see: https://www.thunderbird.net/en-US/thunderbird/45.8.0/releasenotes/

  (Mar 13)
 

Security update for integer underflow

  (Mar 13)
 

* various security relevant flaws

  (Mar 12)
 

This update fixes a possible heap buffer overflow.

  (Mar 12)
 

For changes see: https://www.thunderbird.net/en-US/thunderbird/45.8.0/releasenotes/

  (Mar 12)
 

Security fix for

  (Mar 12)
 

This kdelibs3 (KDE 3 compatibility libraries) update fixes the security issues:
* CVE-2016-6232 (karchive): Extraction of tar files possible to arbitrary system locations
* CVE-2017-6410 (kio): Information Leak when accessing https when using a malicious PAC file
for the KDE 3 compatibility libraries. (Security updates for KDE Frameworks 5 (kf5-karchive resp. kf5-kio) and for the KDE 4 compatibility libraries (kdelibs 4) have already been submitted.) In addition, the KDE 3 compatibility version of KCrash was modified to use the DrKonqi from Plasma 5 rather than from kde-runtime 4. (The original KDE 3 DrKonqi was already dropped years ago.) The kde-runtime 4 DrKonqi is not installed by default and will be removed entirely in future Fedora versions; the Plasma 5 version of DrKonqi can also be used for legacy applications.

  (Mar 12)
 

This kdelibs3 (KDE 3 compatibility libraries) update fixes the security issues:
* CVE-2016-6232 (karchive): Extraction of tar files possible to arbitrary system locations
* CVE-2017-6410 (kio): Information Leak when accessing https when using a malicious PAC file
for the KDE 3 compatibility libraries. (Security updates for KDE Frameworks 5 (kf5-karchive resp. kf5-kio) and for the KDE 4 compatibility libraries (kdelibs 4) have already been submitted.) In addition, the KDE 3 compatibility version of KCrash was modified to use the DrKonqi from Plasma 5 rather than from kde-runtime 4. (The original KDE 3 DrKonqi was already dropped years ago.) The kde-runtime 4 DrKonqi is not installed by default and will be removed entirely in future Fedora versions; the Plasma 5 version of DrKonqi can also be used for legacy applications.

  (Mar 11)
 

This is an update containing several CVE and other bug fixes,

  (Mar 11)
 

Security fix for CVE-2017-6410

  (Mar 11)
 

This is an update containing several CVE and other misc fixes

  (Mar 11)
 

Backport fixes for multiple security vulnerabilities.

  (Mar 10)
 

**Version 2.8.1**
* This release contains a fix for a security advisory related to the improper handling of shell commands
  * Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases
  * A properly crafted filename or configuration option would allow for arbitrary code execution when using some features
  * All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code
    * e.g., you run PHPCS over libraries that you did not write
    * e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories
    * e.g., you allow external tool paths to be set by user-defined values
  * If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features:
    * The diff report
    * The notify-send report
    * The Generic.PHP.Syntax sniff
    * The Generic.Debug.CSSLint sniff
    * The Generic.Debug.ClosureLinter sniff
    * The Generic.Debug.JSHint sniff
    * The Squiz.Debug.JSLint sniff
    * The Squiz.Debug.JavaScriptLint sniff
    * The Zend.Debug.CodeAnalyzer sniff
  * Thanks to Klaus Purer for the report
* The PHP-supplied T_COALESCE_EQUAL token has been replicated for PHP versions before 7.2
* PEAR.Functions.FunctionDeclaration now reports an error for blank lines found inside a function declaration
* PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank lines in a function declaration
* Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for blank lines in a function declaration
  * It would previously report that only one argument is allowed per line
* Squiz.Commenting.FunctionComment now corrects multi-line param comment padding more accurately
* Squiz.Commenting.FunctionComment now properly fixes pipe-separated param types
* Squiz.Commenting.FunctionComment now works correctly when function return types also contain a comment
  * Thanks to Juliette Reinders Folmer for the patch
* Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator
  * As this is not a real PHP operator, it enforces no spaces between ? and : when the THEN statement is empty
* Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing errors it reports
* Fixed bug #1340 : STDIN file contents not being populated in some cases
  * Thanks to David Biňovec for the patch
* Fixed bug #1344 : PEAR.Functions.FunctionCallSignatureSniff throws error for blank comment lines
* Fixed bug #1347 : PSR2.Methods.FunctionCallSignature strips some comments during fixing
  * Thanks to Algirdas Gurevicius for the patch
* Fixed bug #1349 : Squiz.Strings.DoubleQuoteUsage.NotRequired message is badly formatted when string contains a CR newline char
  * Thanks to Algirdas Gurevicius for the patch
* Fixed bug #1350 : Invalid Squiz.Formatting.OperatorBracket error when using namespaces
* Fixed bug #1369 : Empty line in multi-line function declaration causes infinite loop

  (Mar 10)
 

CVE-2017-6188: Upstream PR 797: Fix wrong parameter expansion in CGI

  (Mar 10)
 

- new upstream version (52.0)

  (Mar 10)
 

**Version 2.8.1**
* This release contains a fix for a security advisory related to the improper handling of shell commands
  * Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases
  * A properly crafted filename or configuration option would allow for arbitrary code execution when using some features
  * All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code
    * e.g., you run PHPCS over libraries that you did not write
    * e.g., you provide a web service that runs PHPCS over user-uploaded files or 3rd-party repositories
    * e.g., you allow external tool paths to be set by user-defined values
  * If you are unable to upgrade but you check 3rd-party code, ensure you are not using the following features:
    * The diff report
    * The notify-send report
    * The Generic.PHP.Syntax sniff
    * The Generic.Debug.CSSLint sniff
    * The Generic.Debug.ClosureLinter sniff
    * The Generic.Debug.JSHint sniff
    * The Squiz.Debug.JSLint sniff
    * The Squiz.Debug.JavaScriptLint sniff
    * The Zend.Debug.CodeAnalyzer sniff
  * Thanks to Klaus Purer for the report
* The PHP-supplied T_COALESCE_EQUAL token has been replicated for PHP versions before 7.2
* PEAR.Functions.FunctionDeclaration now reports an error for blank lines found inside a function declaration
* PEAR.Functions.FunctionDeclaration no longer reports indent errors for blank lines in a function declaration
* Squiz.Functions.MultiLineFunctionDeclaration no longer reports errors for blank lines in a function declaration
  * It would previously report that only one argument is allowed per line
* Squiz.Commenting.FunctionComment now corrects multi-line param comment padding more accurately
* Squiz.Commenting.FunctionComment now properly fixes pipe-separated param types
* Squiz.Commenting.FunctionComment now works correctly when function return types also contain a comment
  * Thanks to Juliette Reinders Folmer for the patch
* Squiz.ControlStructures.InlineIfDeclaration now supports the elvis operator
  * As this is not a real PHP operator, it enforces no spaces between ? and : when the THEN statement is empty
* Squiz.ControlStructures.InlineIfDeclaration is now able to fix the spacing errors it reports
* Fixed bug #1340 : STDIN file contents not being populated in some cases
  * Thanks to David Biňovec for the patch
* Fixed bug #1344 : PEAR.Functions.FunctionCallSignatureSniff throws error for blank comment lines
* Fixed bug #1347 : PSR2.Methods.FunctionCallSignature strips some comments during fixing
  * Thanks to Algirdas Gurevicius for the patch
* Fixed bug #1349 : Squiz.Strings.DoubleQuoteUsage.NotRequired message is badly formatted when string contains a CR newline char
  * Thanks to Algirdas Gurevicius for the patch
* Fixed bug #1350 : Invalid Squiz.Formatting.OperatorBracket error when using namespaces
* Fixed bug #1369 : Empty line in multi-line function declaration causes infinite loop

  (Mar 10)
 

CVE-2017-6188: Upstream PR 797: Fix wrong parameter expansion in CGI

  (Mar 9)
 

- new upstream version (52.0)

  (Mar 9)
 

Backport fixes for multiple security vulnerabilities.

  (Mar 9)
 

* [7.x-3.15](https://www.drupal.org/project/views/releases/7.x-3.15)
* [Moderately Critical - Access Bypass - SA-CONTRIB-2017-022](https://www.drupal.org/node/2854980)

  (Mar 9)
 

Knot Resolver 1.2.3 (2017-02-23)
================================
Bugfixes
--------
- Disable storing GLUE records into the cache even in the (non-default) QUERY_PERMISSIVE mode
- iterate: skip answer RRs that don't match the query
- layer/iterate: some additional processing for referrals
- lib/resolve: zonecut fetching error was fixed

Knot Resolver 1.2.2 (2017-02-10)
================================
Bugfixes:
---------
- Fix -k argument processing to avoid out-of-bounds memory accesses
- lib/resolve: fix zonecut fetching for explicit DS queries
- hints: more NULL checks
- Fix TA bootstrapping for multiple TAs in the IANA XML file
Testing:
--------
- Update tests to run tests with and without QNAME minimization

Knot Resolver 1.2.1 (2017-02-01)
================================
Security:
---------
- Under certain conditions, a cached negative answer from a CD query would be reused to construct response for non-CD queries, resulting in Insecure status instead of Bogus. Only 1.2.0 release was affected.
Documentation
-------------
- Update the typo in the documentation: The query trace policy is named policy.QTRACE (and not policy.TRACE)
Bugfixes:
---------
- lua: make the map command check its arguments

Knot DNS 2.4.1 (2017-02-10)
===========================
Bugfixes:
---------
- Transfer of a huge rrset goes into an infinite loop
- Huge response over TCP contains useless TC bit instead of SERVFAIL
- Failed to build utilities with disabled daemon
- Memory leaks during keys removal
- Rough TSIG packet reservation causes early truncation
- Minor out-of-bounds string termination write in rrset dump
- Server crash during stop if failed to open timers DB
- Poor minimum UDP-max-size configuration check
- Failed to receive one-record-per-message IXFR-style AXFR
- Kdig timeouts when receiving RCODE != NOERROR on subsequent transfer message
Improvements:
-------------
- Speed-up of rdata addition into a huge rrset
- Introduce check of minimum timeout for next refresh
- Dnsproxy module can forward all queries without local resolving
----
Latest upstream release. Includes bugfixes for DNSSEC key management.
----
Latest upstream versions with a bunch of important bugfixes.

  (Mar 9)
 

Knot Resolver 1.2.3 (2017-02-23)
================================
Bugfixes
--------
- Disable storing GLUE records into the cache even in the (non-default) QUERY_PERMISSIVE mode
- iterate: skip answer RRs that don't match the query
- layer/iterate: some additional processing for referrals
- lib/resolve: zonecut fetching error was fixed

Knot Resolver 1.2.2 (2017-02-10)
================================
Bugfixes:
---------
- Fix -k argument processing to avoid out-of-bounds memory accesses
- lib/resolve: fix zonecut fetching for explicit DS queries
- hints: more NULL checks
- Fix TA bootstrapping for multiple TAs in the IANA XML file
Testing:
--------
- Update tests to run tests with and without QNAME minimization

Knot Resolver 1.2.1 (2017-02-01)
================================
Security:
---------
- Under certain conditions, a cached negative answer from a CD query would be reused to construct response for non-CD queries, resulting in Insecure status instead of Bogus. Only 1.2.0 release was affected.
Documentation
-------------
- Update the typo in the documentation: The query trace policy is named policy.QTRACE (and not policy.TRACE)
Bugfixes:
---------
- lua: make the map command check its arguments

Knot DNS 2.4.1 (2017-02-10)
===========================
Bugfixes:
---------
- Transfer of a huge rrset goes into an infinite loop
- Huge response over TCP contains useless TC bit instead of SERVFAIL
- Failed to build utilities with disabled daemon
- Memory leaks during keys removal
- Rough TSIG packet reservation causes early truncation
- Minor out-of-bounds string termination write in rrset dump
- Server crash during stop if failed to open timers DB
- Poor minimum UDP-max-size configuration check
- Failed to receive one-record-per-message IXFR-style AXFR
- Kdig timeouts when receiving RCODE != NOERROR on subsequent transfer message
Improvements:
-------------
- Speed-up of rdata addition into a huge rrset
- Introduce check of minimum timeout for next refresh
- Dnsproxy module can forward all queries without local resolving
----
Latest upstream release. Includes bugfixes for DNSSEC key management.
----
Latest upstream versions with a bunch of important bugfixes.

  (Mar 9)
 

* [7.x-3.15](https://www.drupal.org/project/views/releases/7.x-3.15)
* [Moderately Critical - Access Bypass - SA-CONTRIB-2017-022](https://www.drupal.org/node/2854980)

 
  (Mar 15)
 

An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which [More...]

  (Mar 15)
 

An update for rabbitmq-server is now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7. Red Hat Product Security has rated this update as having a security impact [More...]

  (Mar 15)
 

An update for policycoreutils is now available for Red Hat Enterprise Linux 7.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact [More...]

  (Mar 15)
 

An update for policycoreutils is now available for Red Hat Enterprise Linux 7.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact [More...]

  (Mar 15)
 

An update for rabbitmq-server is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6. Red Hat Product Security has rated this update as having a security impact [More...]

  (Mar 15)
 

An update for rabbitmq-server is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7. Red Hat Product Security has rated this update as having a security impact [More...]

  (Mar 15)
 

An update for flash-plugin is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact [More...]

  (Mar 15)
 

An update for rabbitmq-server is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7. Red Hat Product Security has rated this update as having a security impact [More...]

  (Mar 14)
 

An update for kernel is now available for Red Hat Enterprise Linux 7.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact [More...]

  (Mar 14)
 

An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact [More...]

 
  (Mar 16)
 

New pidgin packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue. [More Info...]

 
  Ubuntu: 3224-1: LXC vulnerability (Mar 9)
 

LXC could be made to create arbitrary virtual network interfaces as an administrator.