Security

Bertrand Jacquin and Fiedler Roman discovered date and touch incorrectly handled user-supplied input. An attacker could possibly use this to cause a denial of service or potentially execute code. (CVE-2014-9471)

Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program.

Alexander Cherepanov reported that using the file command on a specially-crafted ELF binary could lead to a denial of service due to uncontrolled resource consumption while processing ELF section headers (CVE-2014-9620, CVE-2014-9621).

Christian Holler, Patrick McManus, Christoph Diehl, Gary Kwong, Jesse Ruderman, Byron Campen, Terrence Cole, and Nils Ohlmeier discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-8634, CVE-2014-8635)

Bobby Holley discovered that some DOM objects with certain properties can bypass XrayWrappers in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass security restrictions. (CVE-2014-8636)

Michal Zalewski discovered a use of uninitialized memory when rendering malformed bitmap images on a canvas element. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to steal confidential information. (CVE-2014-8637)

Holger Fuhrmannek discovered a crash in Web Audio while manipulating timelines. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service. (CVE-2014-8640)

Brian Smith discovered that OCSP responses would fail to verify if signed by a delegated OCSP responder certificate with the id-pkix-ocsp-nocheck extension, potentially allowing a user to connect to a site with a revoked certificate. (CVE-2014-8642)

Wolfgang Ettlinger discovered that GParted incorrectly filtered shell metacharacters when running external commands. A local attacker could use this issue with a crafted filesystem label to run arbitrary commands as the administrator.

The ia32-libs and ia32-libs-gtk packages contain 32 bit versions of various libraries for use on 64 bit systems. This update rolls in all security fixes made to these libraries since the previous update of ia32-libs and ia32-libs-gtk in Squeeze LTS.

Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-6549)

Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2015-0437)

A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601)

Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408)

A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395)

A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410)

A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the- middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566)

It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593)

An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407)

A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587)

Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)

Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383)

Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.

CVE-2014-9584: It was found that the Linux kernel does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image.

Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 allows L2 guest OS users to cause a denial of service (L1 guest OS crash) via a crafted instruction that triggers an L2 emulation failure report, a similar issue to CVE-2014-7842. (CVE-2010-5313)

The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD. (CVE-2014-9585)

It was found that kwallet, a tool for managing the passwords on a KDE system, uses Blowfish to encrypt its password store, and despite an attempt at implementing CBC mode (in a file called cbc.cc no less), it's actually ECB mode. UTF-16 encoding combined with Blowfish's 64 bit block size means there are just four password characters per block. Encryption is convergent as well.

The risk is that this may enable recovery of passwords through codebook attacks.

It was reported that libhtp handling of streams in error state could lead to NULL pointer dereference, leading to caller crash. Suricata (Intrusion Detection System) embeds libhtp, and is one of the affected components.

A heap-based overflow was found in the png_combine_row() function of the libpng library, when very large interlaced images were used.

In Moodle before 2.6.7, absence of a capability check in AJAX backend script in the LTI module could allow any enrolled user to search the list of registered tools (CVE-2015-0211).

In Moodle before 2.6.7, the course summary on course request pending approval page was displayed to the manager unescaped and could be used for XSS attack (CVE-2015-0212).

In Moodle before 2.6.7, two files in the Glossary module lacked a session key check potentially allowing cross-site request forgery (CVE-2015-0213).

In Moodle before 2.6.7, through web-services it was possible to access messaging-related functions such as people search even if messaging is disabled on the site (CVE-2015-0214).

In Moodle before 2.6.7, through web-services it was possible to get information about calendar events which user did not have enough permissions to see (CVE-2015-0215).

In Moodle before 2.6.7, non-optimal regular expression in the multimedia filter could be exploited to create extra server load or make particular page unavailable, resulting in a denial of service (CVE-2015-0217).

In Moodle before 2.6.7, it was possible to forge a request to logout users even when not authenticated through Shibboleth (CVE-2015-0218).

Owasp-Esapi-Java, a free, open source, web application security control library, was found to have a vulnerability, where it was possible to bypass the authenticity check by setting the MAC length to 0 and the MAC to null, when ESAPI symmetric crypto with CBC mode is used with PKCS#7 padding (called PKCS5Padding in Java), and an HMAC for authenticity.

The configuration could result in an exploitable vulnerability depending on the context for encryption and what degree an attacker can tamper with the serialized ciphertext, though only some ESAPI were found to be exploitable when using the default configuration. To be exploitable, an attacker would require the ability to modify ciphertext either at rest or in transit.

Because a MAC bypass is possible, authenticity of the ciphertext cannot be guaranteed with the default ESAPI configuration. Consequently, this exposure may allow a successful padding oracle attack against the default ESAPI cryptosystem configuration and hence result in an exploitable vulnerability that could result in a loss of confidentiality or a bypass of the authentication or authorization system.

Multiple use-after-frees were discovered in Privoxy, a privacy-enhancing HTTP proxy.

Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allows remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation.

A vulnerability has been discovered in the web interface of sympa, a mailing list manager. An attacker could take advantage of this flaw in the newsletter posting area, which allows sending to a list, or to oneself, any file located on the server filesystem and readable by the sympa user.

This update fixes a "NoSuchElementException" when an XML attribute has an empty string as value.

The vsftp daemon was not handling the "deny_file" option properly, allowing unauthorized access in some specific scenarios.

John Houwer discovered a way to cause xdg-open, a tool that automatically opens URLs in a user's preferred application, to execute arbitrary commands remotely.

Use-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows remote domains to cause a denial of service (system crash) via a crafted hypercall during HVM guest teardown.