Unix Server



DSA-4117 gcc-4.9 - security update

Unix Server, 17.02.2018 at 01:00 | Source: debian.org

This update doesn't fix a vulnerability in GCC itself, but instead provides support for building retpoline-enabled Linux kernel updates.



DSA-4118 tomcat-native - security update

Unix Server, 17.02.2018 at 01:00 | Source: debian.org

Jonas Klempel reported that tomcat-native, a library giving Tomcat access to the Apache Portable Runtime (APR) library's network connection (socket) implementation and random-number generator, does not properly handle fields longer than 127 bytes when parsing the AIA extension field of a client certificate. If OCSP checks are used, this could result in client certificates that should have been rejected being accepted.



USN-3573-1: Quagga vulnerabilities

Unix Server, 16.02.2018 at 01:49 | Source: ubuntu.com

Ubuntu Security Notice USN-3573-1

15th February, 2018

quagga vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Quagga.

Software description

  • quagga - BGP/OSPF/RIP routing daemon

Details

It was discovered that a double-free vulnerability existed in the
Quagga BGP daemon when processing certain forms of UPDATE message.
A remote attacker could use this to cause a denial of service or
possibly execute arbitrary code. (CVE-2018-5379)

It was discovered that the Quagga BGP daemon did not properly bounds
check the data sent with a NOTIFY to a peer. An attacker could use this
to expose sensitive information or possibly cause a denial of service.
This issue only affected Ubuntu 17.10. (CVE-2018-5378)

It was discovered that a table overrun vulnerability existed in the
Quagga BGP daemon. An attacker in control of a configured peer could
use this to possibly expose sensitive information or cause
a denial of service. (CVE-2018-5380)

It was discovered that the Quagga BGP daemon in some configurations
did not properly handle invalid OPEN messages. An attacker in control
of a configured peer could use this to cause a denial of service
(infinite loop). (CVE-2018-5381)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
quagga 1.1.1-3ubuntu0.2
quagga-bgpd 1.1.1-3ubuntu0.2
Ubuntu 16.04 LTS:
quagga 0.99.24.1-2ubuntu1.4
Ubuntu 14.04 LTS:
quagga 0.99.22.4-3ubuntu1.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Quagga to make
all the necessary changes.

References

CVE-2018-5378, CVE-2018-5379, CVE-2018-5380, CVE-2018-5381



DSA-4116 plasma-workspace - security update

Unix Server, 16.02.2018 at 01:00 | Source: debian.org

Krzysztof Sieluzycki discovered that the notifier for removable devices in the KDE Plasma workspace performed insufficient sanitisation of FAT/VFAT volume labels, which could result in the execution of arbitrary shell commands if a removable device with a malformed disk label is mounted.



DSA-4115 quagga - security update

Unix Server, 15.02.2018 at 01:00 | Source: debian.org

Several vulnerabilities have been discovered in Quagga, a routing daemon. The Common Vulnerabilities and Exposures project identifies the following issues:



DSA-4114 jackson-databind - security update

Unix Server, 15.02.2018 at 01:00 | Source: debian.org

It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker to perform code execution by providing maliciously crafted input.



CentOS Seven blog: CentOS Dojo @ FOSDEM: Videos

Unix Server, 14.02.2018 at 22:12 | Source: seven.centos.org

For those of you who were unable to attend the CentOS Dojo in Brussels, here are all of the videos from the event.

Subscribe to our YouTube at youtube.com/TheCentOSProject 

KB's "State of CentOS"

Bert Van Vreckem - Basic troubleshooting of network services

Tomas Oulevey - Anaconda addon development

Matthias Runge - Opstools SIG

Haikel Guemar - Metrics with Gnocchi

Colin Charles - Understanding the MySQL database ecosystem

Fabian Arrotin - Content caching

Sean O'Keeffe - Foreman and Katello

Tom Callaway - Building modern code with devtoolset

Spyros Trigazis - Practical system containers with Atomic

Kris Buytaert - Deploying your SaaS stack OnPrem



USN-3572-1: FreeType vulnerability

Unix Server, 14.02.2018 at 20:52 | Source: ubuntu.com

Ubuntu Security Notice USN-3572-1

14th February, 2018

freetype vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10

Summary

FreeType could be made to crash if it opened a specially crafted file.

Software description

  • freetype - FreeType 2 is a font engine library

Details

It was discovered that FreeType incorrectly handled certain files.
An attacker could possibly use this to cause a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libfreetype6 2.8-0.2ubuntu2.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make
all the necessary changes.

References

CVE-2018-6942



USN-3570-1: AdvanceCOMP vulnerability

Unix Server, 14.02.2018 at 17:23 | Source: ubuntu.com

Ubuntu Security Notice USN-3570-1

14th February, 2018

advancecomp vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

AdvanceCOMP could be made to crash or run programs if it opened a specially crafted file.

Software description

  • advancecomp - collection of recompression utilities

Details

Joonun Jang discovered that AdvanceCOMP incorrectly handled certain
malformed zip files. If a user or automated system were tricked into
processing a specially crafted zip file, a remote attacker could cause
AdvanceCOMP to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
advancecomp 2.0-1ubuntu0.1
Ubuntu 16.04 LTS:
advancecomp 1.20-1ubuntu0.1
Ubuntu 14.04 LTS:
advancecomp 1.18-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2018-1056



USN-3571-1: Erlang vulnerabilities

Unix Server, 14.02.2018 at 17:22 | Source: ubuntu.com

Ubuntu Security Notice USN-3571-1

14th February, 2018

erlang vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Erlang.

Software description

  • erlang - Concurrent, real-time, distributed functional language

Details

It was discovered that the Erlang FTP module incorrectly handled certain
CRLF sequences. A remote attacker could possibly use this issue to inject
arbitrary FTP commands. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-1693)

It was discovered that Erlang incorrectly checked CBC padding bytes. A
remote attacker could possibly use this issue to perform a padding oracle
attack and decrypt traffic. This issue only affected Ubuntu 14.04 LTS.
(CVE-2015-2774)

It was discovered that Erlang incorrectly handled certain regular
expressions. A remote attacker could possibly use this issue to cause
Erlang to crash, resulting in a denial of service, or execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-10253)

Hanno Böck, Juraj Somorovsky and Craig Young discovered that the Erlang
otp TLS server incorrectly handled error reporting. A remote attacker could
possibly use this issue to perform a variation of the Bleichenbacher attack
and decrypt traffic or sign messages. (CVE-2017-1000385)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
erlang 1:20.0.4+dfsg-1ubuntu1.1
Ubuntu 16.04 LTS:
erlang 1:18.3-dfsg-1ubuntu3.1
Ubuntu 14.04 LTS:
erlang 1:16.b.3-dfsg-1ubuntu2.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2014-1693, CVE-2015-2774, CVE-2016-10253, CVE-2017-1000385



Devuan 2.0 »ASCII« available as a beta version

Unix Server, 14.02.2018 at 11:23 | Source: google.com

Founded by the »Veteran Unix Admins«, the project set out to build an operating system based on Debian that follows the UNIX principles and uses SysVinit instead of systemd. After more than two ... is called beta. The beta version can be downloaded from the project's server.

DSA-4112 xen - security update

Unix Server, 14.02.2018 at 01:00 | Source: debian.org

Multiple vulnerabilities have been discovered in the Xen hypervisor:



DSA-4113 libvorbis - security update

Unix Server, 14.02.2018 at 01:00 | Source: debian.org

Two vulnerabilities were discovered in the libraries of the Vorbis audio compression codec, which could result in denial of service or the execution of arbitrary code if a malformed media file is processed.



USN-3569-1: libvorbis vulnerabilities

Unix Server, 13.02.2018 at 22:26 | Source: ubuntu.com

Ubuntu Security Notice USN-3569-1

13th February, 2018

libvorbis vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in libvorbis.

Software description

  • libvorbis - The Vorbis General Audio Compression Codec

Details

It was discovered that libvorbis incorrectly handled certain sound files.
An attacker could possibly use this to execute arbitrary code.
(CVE-2017-14632)

It was discovered that libvorbis incorrectly handled certain sound files.
An attacker could use this to cause a denial of service.
(CVE-2017-14633)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libvorbis0a 1.3.5-4ubuntu0.1
Ubuntu 16.04 LTS:
libvorbis0a 1.3.5-3ubuntu0.1
Ubuntu 14.04 LTS:
libvorbis0a 1.3.2-1.3ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to restart any applications that
use libvorbis, such as Totem and gtkpod, to effect the necessary changes.

References

CVE-2017-14632, CVE-2017-14633



USN-3544-2: Firefox regressions

Unix Server, 13.02.2018 at 01:01 | Source: ubuntu.com

Ubuntu Security Notice USN-3544-2

12th February, 2018

firefox regressions

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

USN-3544-1 caused some regressions in Firefox.

Software description

  • firefox - Mozilla Open Source web browser

Details

USN-3544-1 fixed vulnerabilities in Firefox. The update caused a web
compatibility regression and a tab crash during printing in some
circumstances. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, spoof the origin in audio capture prompts, trick the user into
providing HTTP credentials for another origin, spoof the address bar
contents, or execute arbitrary code. (CVE-2018-5089, CVE-2018-5090,
CVE-2018-5091, CVE-2018-5092, CVE-2018-5093, CVE-2018-5094, CVE-2018-5095,
CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5100, CVE-2018-5101,
CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5109, CVE-2018-5114,
CVE-2018-5115, CVE-2018-5117, CVE-2018-5122)

Multiple security issues were discovered in WebExtensions. If a user were
tricked into installing a specially crafted extension, an attacker could
potentially exploit these to gain additional privileges, bypass
same-origin restrictions, or execute arbitrary code. (CVE-2018-5105,
CVE-2018-5113, CVE-2018-5116)

A security issue was discovered with the developer tools. If a user were
tricked into opening a specially crafted website with the developer tools
open, an attacker could potentially exploit this to obtain sensitive
information from other origins. (CVE-2018-5106)

A security issue was discovered with printing. An attacker could
potentially exploit this to obtain sensitive information from local files.
(CVE-2018-5107)

It was discovered that manually entered blob URLs could be accessed by
subsequent private browsing tabs. If a user were tricked into entering
a blob URL, an attacker could potentially exploit this to obtain sensitive
information from a private browsing context. (CVE-2018-5108)

It was discovered that dragging certain specially formatted URLs to the
address bar could cause the wrong URL to be displayed. If a user were
tricked into opening a specially crafted website and dragging a URL to
the address bar, an attacker could potentially exploit this to spoof the
address bar contents. (CVE-2018-5111)

It was discovered that WebExtension developer tools panels could open
non-relative URLs. If a user were tricked into installing a specially
crafted extension and running the developer tools, an attacker could
potentially exploit this to gain additional privileges. (CVE-2018-5112)

It was discovered that ActivityStream images can attempt to load local
content through file: URLs. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this in
combination with another vulnerability that allowed sandbox protections to
be bypassed, in order to obtain sensitive information from local files.
(CVE-2018-5118)

It was discovered that the reader view will load cross-origin content in
violation of CORS headers. An attacker could exploit this to bypass CORS
restrictions. (CVE-2018-5119)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
firefox 58.0.2+build1-0ubuntu0.17.10.1
Ubuntu 16.04 LTS:
firefox 58.0.2+build1-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
firefox 58.0.2+build1-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

LP: 1749025



USN-3568-1: WavPack vulnerabilities

Unix Server, 12.02.2018 at 22:30 | Source: ubuntu.com

Ubuntu Security Notice USN-3568-1

12th February, 2018

wavpack vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

WavPack could be made to crash if it opened a specially crafted file.

Software description

  • wavpack - audio codec (lossy and lossless) - encoder and decoder

Details

Hanno Böck discovered that WavPack incorrectly handled certain
WV files. An attacker could possibly use this to cause a denial
of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu
16.04 LTS. (CVE-2016-10169)

Joonun Jang discovered that WavPack incorrectly handled certain
RF64 files. An attacker could possibly use this to cause a denial
of service. This issue only affected Ubuntu 17.10. (CVE-2018-6767)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libwavpack1 5.1.0-2ubuntu0.1
wavpack 5.1.0-2ubuntu0.1
Ubuntu 16.04 LTS:
libwavpack1 4.75.2-2ubuntu0.1
wavpack 4.75.2-2ubuntu0.1
Ubuntu 14.04 LTS:
libwavpack1 4.70.0-1ubuntu0.1
wavpack 4.70.0-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-10169, CVE-2018-6767



USN-3565-1: Exim vulnerability

Unix Server, 12.02.2018 at 18:25 | Source: ubuntu.com

Ubuntu Security Notice USN-3565-1

12th February, 2018

exim4 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Exim could be made to crash or run programs if it received specially crafted network traffic.

Software description

  • exim4 - Exim is a mail transport agent

Details

Meh Chang discovered that Exim incorrectly handled memory in certain
decoding operations. A remote attacker could use this issue to cause Exim
to crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
exim4-daemon-heavy 4.89-5ubuntu1.3
exim4-daemon-light 4.89-5ubuntu1.3
Ubuntu 16.04 LTS:
exim4-daemon-heavy 4.86.2-2ubuntu2.3
exim4-daemon-light 4.86.2-2ubuntu2.3
Ubuntu 14.04 LTS:
exim4-daemon-heavy 4.82-3ubuntu2.4
exim4-daemon-light 4.82-3ubuntu2.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2018-6789



USN-3566-1: PHP vulnerabilities

Unix Server, 12.02.2018 at 18:25 | Source: ubuntu.com

Ubuntu Security Notice USN-3566-1

12th February, 2018

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in PHP.

Software description

  • php5 - HTML-embedded scripting language interpreter

Details

It was discovered that PHP incorrectly handled the PHAR 404 error page. A
remote attacker could possibly use this issue to conduct cross-site
scripting (XSS) attacks. (CVE-2018-5712)

It was discovered that PHP incorrectly handled memory when unserializing
certain data. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2017-12933)

It was discovered that PHP incorrectly handled 'front of' and 'back of'
date directives. A remote attacker could possibly use this issue to obtain
sensitive information. (CVE-2017-16642)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
php5-cli 5.5.9+dfsg-1ubuntu4.23
php5-cgi 5.5.9+dfsg-1ubuntu4.23
libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.23
php5-fpm 5.5.9+dfsg-1ubuntu4.23

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-12933, CVE-2017-16642, CVE-2018-5712



USN-3567-1: Puppet vulnerability

Unix Server, 12.02.2018 at 18:25 | Source: ubuntu.com

Ubuntu Security Notice USN-3567-1

12th February, 2018

puppet vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Puppet could be made to crash or run programs.

Software description

  • puppet - Centralized configuration management

Details

It was discovered that Puppet incorrectly handled permissions when
unpacking certain tarballs. A local user could possibly use this issue to
execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
puppet-common 3.4.3-1ubuntu1.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-10689



DSA-4111 libreoffice - security update

Unix Server, 11.02.2018 at 01:00 | Source: debian.org

Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that missing restrictions in the implementation of the WEBSERVICE function in LibreOffice could result in the disclosure of arbitrary files readable by the user who opens a malformed document.



DSA-4110 exim4 - security update

Unix Server, 10.02.2018 at 01:00 | Source: debian.org

Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message.



USN-3564-1: PostgreSQL vulnerability

Unix Server, 09.02.2018 at 17:36 | Source: ubuntu.com

Ubuntu Security Notice USN-3564-1

9th February, 2018

postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

PostgreSQL could be made to expose sensitive information.

Software description

  • postgresql-9.3 - Object-relational SQL database
  • postgresql-9.5 - Object-relational SQL database
  • postgresql-9.6 - Object-relational SQL database

Details

It was discovered that PostgreSQL incorrectly handled certain temp files.
An attacker could possibly use this to access sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
postgresql-9.6 9.6.7-0ubuntu0.17.10
Ubuntu 16.04 LTS:
postgresql-9.5 9.5.11-0ubuntu0.16.04
Ubuntu 14.04 LTS:
postgresql-9.3 9.3.21-0ubuntu0.14.04

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References

CVE-2018-1053



DSA-4109 ruby-omniauth - security update

Unix Server, 09.02.2018 at 01:00 | Source: debian.org

Lalith Rallabhandi discovered that OmniAuth, a Ruby library for implementing multi-provider authentication in web applications, mishandled and leaked sensitive information. An attacker with access to the callback environment, such as in the case of a crafted web application, can request authentication services from this module and gain access to the CSRF token.



DSA-4108 mailman - security update

Unix Server, 09.02.2018 at 01:00 | Source: debian.org

Calum Hutton and the Mailman team discovered a cross-site scripting and information leak vulnerability in the user options page. A remote attacker could use a crafted URL to steal cookie information or to probe whether a user is subscribed to a list with a private roster.



USN-3563-1: Mailman vulnerability

Unix Server, 08.02.2018 at 18:52 | Source: ubuntu.com

Ubuntu Security Notice USN-3563-1

8th February, 2018

mailman vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Mailman could be made to run arbitrary code.

Software description

  • mailman - Powerful, web-based mailing list manager

Details

It was discovered that Mailman incorrectly handled certain web scripts.
An attacker could possibly use this to inject arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
mailman 1:2.1.23-1ubuntu0.2
Ubuntu 16.04 LTS:
mailman 1:2.1.20-1ubuntu0.3
Ubuntu 14.04 LTS:
mailman 1:2.1.16-2ubuntu0.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2018-5950



USN-3562-1: MiniUPnP vulnerabilities

Unix Server, 07.02.2018 at 21:52 | Source: ubuntu.com

Ubuntu Security Notice USN-3562-1

7th February, 2018

miniupnpc vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

MiniUPnP could be made to crash or run programs if it received specially crafted network traffic.

Software description

  • miniupnpc - UPnP IGD client lightweight library

Details

It was discovered that MiniUPnP incorrectly handled memory. A remote
attacker could use this issue to cause a denial of service or possibly
execute arbitrary code with privileges of the user running an application
that uses the MiniUPnP library.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libminiupnpc10 1.9.20140610-4ubuntu1.1
Ubuntu 16.04 LTS:
libminiupnpc10 1.9.20140610-2ubuntu2.16.04.2
Ubuntu 14.04 LTS:
libminiupnpc8 1.6-3ubuntu2.14.04.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000494



USN-3560-1: QEMU update

Unix Server, 07.02.2018 at 20:22 | Source: ubuntu.com

Ubuntu Security Notice USN-3560-1

7th February, 2018

qemu update

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Spectre mitigations were added to QEMU.

Software description

  • qemu - Machine emulator and virtualizer

Details

It was discovered that microprocessors utilizing speculative execution
and branch prediction may allow unauthorized memory reads via side-channel
attacks. This flaw is known as Spectre. An attacker in the guest could use
this to expose sensitive guest information, including kernel memory.

This update allows QEMU to expose new CPU features added by microcode
updates to guests on amd64, i386, and s390x. On amd64 and i386, new CPU
models that match the updated microcode features were added with an -IBRS
suffix. Certain environments will require guests to be switched manually to
the new CPU models after microcode updates have been applied to the host.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
qemu-system-x86 1:2.10+dfsg-0ubuntu3.4
qemu-system 1:2.10+dfsg-0ubuntu3.4
qemu-system-s390x 1:2.10+dfsg-0ubuntu3.4
Ubuntu 16.04 LTS:
qemu-system-x86 1:2.5+dfsg-5ubuntu10.20
qemu-system 1:2.5+dfsg-5ubuntu10.20
qemu-system-s390x 1:2.5+dfsg-5ubuntu10.20
Ubuntu 14.04 LTS:
qemu-system-x86 2.0.0+dfsg-2ubuntu1.38
qemu-system 2.0.0+dfsg-2ubuntu1.38

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

CVE-2017-5715



USN-3561-1: libvirt update

Unix Server, 07.02.2018 at 20:22 | Source: ubuntu.com

Ubuntu Security Notice USN-3561-1

7th February, 2018

libvirt update

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Spectre mitigations were added to libvirt.

Software description

  • libvirt - Libvirt virtualization toolkit

Details

It was discovered that microprocessors utilizing speculative execution
and branch prediction may allow unauthorized memory reads via side-channel
attacks. This flaw is known as Spectre. An attacker in the guest could use
this to expose sensitive guest information, including kernel memory.

This update allows libvirt to expose new CPU features added by microcode
updates to guests. On amd64 and i386, new CPU models that match the updated
microcode features were added with an -IBRS suffix. Certain environments
will require guests to be switched manually to the new CPU models after
microcode updates have been applied to the host.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libvirt0 3.6.0-1ubuntu6.2
libvirt-bin 3.6.0-1ubuntu6.2
Ubuntu 16.04 LTS:
libvirt0 1.3.1-1ubuntu10.17
libvirt-bin 1.3.1-1ubuntu10.17
Ubuntu 14.04 LTS:
libvirt0 1.2.2-0ubuntu13.1.25
libvirt-bin 1.2.2-0ubuntu13.1.25

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-5715



USN-3559-1: Django vulnerabilities

Unix Server, 07.02.2018 at 16:36 | Source: ubuntu.com

Ubuntu Security Notice USN-3559-1

7th February, 2018

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10

Summary

Several security issues were fixed in Django.

Software description

  • python-django - High-level Python web development framework

Details

It was discovered that Django incorrectly handled certain requests.
An attacker could possibly use this to access sensitive information.
(CVE-2017-12794, CVE-2018-6188)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
python3-django 1:1.11.4-1ubuntu1.1
python-django 1:1.11.4-1ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-12794, CVE-2018-6188



DSA-4107 django-anymail - security update

Unix Server, 07.02.2018 at 01:00 | Source: debian.org

It was discovered that the webhook validation of Anymail, a Django email backend for multiple ESPs, is prone to a timing attack. A remote attacker can take advantage of this flaw to obtain a WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.



DSA-4106 libtasn1-6 - security update

Unix Server, 07.02.2018, 01:00 | Source: debian.org

Two vulnerabilities were discovered in Libtasn1, a library to manage ASN.1 structures, allowing a remote attacker to cause a denial of service against an application using the Libtasn1 library.



CentOS Seven blog: FOSDEM 2018

Unix Server, 06.02.2018, 21:25 | Source: seven.centos.org

Another FOSDEM is history. I wanted to take a moment to thank all of the people that helped out at the CentOS table at FOSDEM, as well as at the Dojo before FOSDEM.


We had about 75 people in attendance at the Dojo on Friday, with 12 presentations from various speakers. Some of these presentations are already available on YouTube, with the rest coming over the next few days.


Traffic was steady at the CentOS table, from people new to Linux all the way to 15-year CentOS sysadmin veterans. A huge thank you to everyone who dropped by and chatted with us.


If you missed FOSDEM and the Brussels Dojo, there are always other opportunities to meet CentOS people. This year we expect to have another 4 or 5 Dojos around the world, starting in Singapore next month, and moving on to Meyrin (Switzerland), Oak Ridge (USA), and Delhi (India). If you'd like to host a Dojo anywhere in the world, please get in touch with the Centos-Promo mailing list to see how we can help you achieve your goal. We can usually help find speakers, venues, and funding for your event.



DSA-4105 mpv - security update

Unix Server, 06.02.2018, 01:00 | Source: debian.org

It was discovered that mpv, a media player, was vulnerable to remote code execution. An attacker could craft a malicious web page that, when passed to mpv as an argument, could execute arbitrary code on the host with the privileges of the mpv user.



USN-3557-1: Squid vulnerabilities

Unix Server, 05.02.2018, 20:54 | Source: ubuntu.com

Ubuntu Security Notice USN-3557-1

5th February, 2018

squid3 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Squid.

Software description

  • squid3 - Web proxy cache server

Details

Mathias Fischer discovered that Squid incorrectly handled certain long
strings in headers. A malicious remote server could possibly cause Squid to
crash, resulting in a denial of service. This issue was only addressed in
Ubuntu 16.04 LTS. (CVE-2016-2569)

William Lima discovered that Squid incorrectly handled XML parsing when
processing Edge Side Includes (ESI). A malicious remote server could
possibly cause Squid to crash, resulting in a denial of service. This issue
was only addressed in Ubuntu 16.04 LTS. (CVE-2016-2570)

Alex Rousskov discovered that Squid incorrectly handled response-parsing
failures. A malicious remote server could possibly cause Squid to crash,
resulting in a denial of service. This issue only applied to Ubuntu 16.04
LTS. (CVE-2016-2571)

Santiago Ruano Rincón discovered that Squid incorrectly handled certain
Vary headers. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. This issue was only
addressed in Ubuntu 16.04 LTS. (CVE-2016-3948)

Louis Dion-Marcil discovered that Squid incorrectly handled certain Edge
Side Includes (ESI) responses. A malicious remote server could possibly
cause Squid to crash, resulting in a denial of service. (CVE-2018-1000024)

Louis Dion-Marcil discovered that Squid incorrectly handled certain Edge
Side Includes (ESI) responses. A malicious remote server could possibly
cause Squid to crash, resulting in a denial of service. (CVE-2018-1000027)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 17.10:
squid3 3.5.23-5ubuntu1.1
Ubuntu 16.04 LTS:
squid3 3.5.12-1ubuntu7.5
Ubuntu 14.04 LTS:
squid3 3.3.8-1ubuntu6.11

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-2569, CVE-2016-2570, CVE-2016-2571, CVE-2016-3948, CVE-2018-1000024, CVE-2018-1000027



USN-3558-1: systemd vulnerabilities

Unix Server, 05.02.2018, 20:54 | Source: ubuntu.com

Ubuntu Security Notice USN-3558-1

5th February, 2018

systemd vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in systemd.

Software description

  • systemd - system and service manager

Details

Karim Hossen & Thomas Imbert and Nelson William Gamazo Sanchez
independently discovered that systemd-resolved incorrectly handled certain
DNS responses. A remote attacker could possibly use this issue to cause
systemd to temporarily stop responding, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS. (CVE-2017-15908)

It was discovered that systemd incorrectly handled automounted volumes. A
local attacker could possibly use this issue to cause applications to hang,
resulting in a denial of service. (CVE-2018-1049)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS:
systemd 229-4ubuntu21.1
Ubuntu 14.04 LTS:
systemd 204-5ubuntu20.26

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-15908, CVE-2018-1049


