
Security

Lenovo and Superfish

By Jake Edge
February 25, 2015

While it doesn't directly affect Linux users, Lenovo's bundling of the Superfish adware—malware is probably more accurate—is serious enough to warrant a look. It is a blunder that has been compared with the Sony rootkit scandal of the mid-2000s and, in truth, is probably worse. Due to the bundling, users of Windows on certain Lenovo laptop models have had both their privacy and their security imperiled—sacrificed on the altar of ad delivery. It's not terribly surprising that Lenovo and Superfish have tried to downplay the severity of the incident, but that narrative seems unlikely to prevail.

Web browsers use a collection of root certificates (called the root store) to identify certificate authorities (CAs) and their keys. The public keys in those certificates are trusted to verify the TLS/SSL certificates for other web sites. Attackers who have access to the private key associated with a certificate in the root store can sign a certificate that purports to be from any domain on the internet. That certificate will be accepted by browsers without any questions or warnings. So a user visiting their bank might get an attacker-controlled certificate from a "man in the middle", who could proxy the traffic to the actual bank site while capturing passwords and other sensitive information.

Lenovo pre-installed Superfish to serve ads in the web browser on some of its laptop models; a list can be found at the end of Lenovo's first response to the incident. The company said that it stopped bundling Superfish in January after customer complaints. For those concerned that they might be affected, there is a site that they can visit to determine if Superfish (or some other forms of ad-malware) are running on their systems.

When it was installed by Lenovo, Superfish placed a root certificate into the Windows system root store; it also added the certificate to Firefox's (and Thunderbird's) separate root store. The intention is to be able to intercept the user's encrypted traffic so that ads can be shown; these will even show up on TLS-protected sites (i.e. HTTPS).

As it turns out, the Superfish ad serving proxy uses an "SSL hijacker" from Komodia [Wayback Machine link due to a denial of service attack against Komodia] to actually perform the man-in-the-middle attack. The Komodia hijacker intercepts the server certificate presented by the remote site, builds a copy of it with the server's public key replaced by its own, and signs that copy with the private key that corresponds to the root certificate it placed into the root store. The browser then sees a chain that ends at a trusted root and shows no warning at all.

The Komodia private key is protected by a password, but the password (which is the super-secure string "komodia") is the same on all of the installations. In fact, all of the Superfish-infected Lenovo laptops share the same key, but other Komodia-using applications get their own key. All appear to use the same password, however. Anyone with access to the keys can use them to sign any certificate they want, which will be accepted without complaint by the Komodia/Superfish-infected systems.

Unfortunately for Komodia, Superfish, Lenovo, and others, it gets worse than that. A man-in-the-middle attacker doesn't even need to use the easily available keys because the Komodia proxy will re-sign any bad certificate that it receives with its own key. It effectively launders bad certificates, turning them into valid certificates. It does actually change the domain name on the bad certificate, which will lead to a warning from the browser—except when it doesn't.

While it is likely that many users will just click past the warning, changing a self-signed certificate for example.com to verify_fail.example.com (as the Komodia hijacker does) at least gives the user some warning. But the Komodia code only rewrites the common name; it copies the certificate's Subject Alternative Name (SAN) entries through unchanged, and browsers match the host against the SAN list in preference to the common name. So an attacker can just put the real domain name they want to spoof in the alternate name field; Komodia will re-sign the certificate with that name intact, and the browser will accept it without any questions. That makes exploiting the Komodia hijacker all that much easier.
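The three cases described above, written out as an added example in Go (this is not Komodia's, Superfish's or Lenovo's code, and nothing here is taken from their software). The program generates a public CA, a Komodia-style proxy root and a single reused leaf key in-process, re-signs certificates the way the article describes, and then checks them the way a 2015 browser would: the chain must end at a root in the victim's store, and the host is matched against the SAN list if there is one, otherwise against the common name. "bank.example", "Public CA" and "Adware Root (constructed)" are made-up names, and the expiry times and serial numbers are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not Komodia's or Superfish's code: every key, name and
// certificate below is generated in-process; "bank.example" is a made-up host.
var serial int64

func must(err error) { if err != nil { panic(err) } }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// issue signs a CA or TLS-server certificate for cn/sans and pub using key;
// parent == nil self-signs.
func issue(cn string, ca bool, sans []string, pub *ecdsa.PublicKey, parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, key)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// Proxy models the Komodia hijacker: the root it drops into the victim's store,
// one leaf key reused for every re-signed certificate, and its own trust set.
type Proxy struct {
	root             *x509.Certificate
	rootKey, leafKey *ecdsa.PrivateKey
	trusted          *x509.CertPool
}

// Resign copies the server's names, swaps in the proxy's key and signs with the
// proxy root. A certificate the proxy cannot validate only gets "verify_fail."
// prepended to its CN; the SAN list is copied through untouched.
func (p *Proxy) Resign(orig *x509.Certificate) *x509.Certificate {
	cn := orig.Subject.CommonName
	if _, err := orig.Verify(x509.VerifyOptions{Roots: p.trusted}); err != nil {
		cn = "verify_fail." + cn
	}
	return issue(cn, false, orig.DNSNames, &p.leafKey.PublicKey, p.root, p.rootKey)
}

// BrowserAccepts approximates a 2015 browser: the chain must end at a root in
// the store, and host is matched against the SANs if present, otherwise the CN.
func BrowserAccepts(leaf *x509.Certificate, store *x509.CertPool, host string) bool {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: store}); err != nil {
		return false
	}
	if len(leaf.DNSNames) == 0 {
		return leaf.Subject.CommonName == host
	}
	for _, n := range leaf.DNSNames {
		if n == host {
			return true
		}
	}
	return false
}

// Scenarios returns whether the victim's browser accepts the certificate it
// ends up seeing for bank.example in each case.
func Scenarios() map[string]bool {
	caKey, proxyKey, bankKey, evilKey := newKey(), newKey(), newKey(), newKey()
	publicCA := issue("Public CA", true, nil, &caKey.PublicKey, nil, caKey)
	publicRoots, victim := x509.NewCertPool(), x509.NewCertPool()
	publicRoots.AddCert(publicCA)
	proxy := &Proxy{rootKey: proxyKey, leafKey: newKey(), trusted: publicRoots}
	proxy.root = issue("Adware Root (constructed)", true, nil, &proxyKey.PublicKey, nil, proxyKey)
	victim.AddCert(publicCA) // the victim's store after the adware installer ran
	victim.AddCert(proxy.root)
	host := "bank.example"
	bank := issue(host, false, []string{host}, &bankKey.PublicKey, publicCA, caKey)
	cnOnly := issue(host, false, nil, &evilKey.PublicKey, nil, evilKey)
	withSAN := issue("anything", false, []string{host}, &evilKey.PublicKey, nil, evilKey)
	return map[string]bool{
		"genuine, proxied":          BrowserAccepts(proxy.Resign(bank), victim, host),
		"self-signed CN, proxied":   BrowserAccepts(proxy.Resign(cnOnly), victim, host),
		"self-signed SAN, proxied":  BrowserAccepts(proxy.Resign(withSAN), victim, host),
		"self-signed SAN, no proxy": BrowserAccepts(withSAN, victim, host),
	}
}

func main() { fmt.Println(Scenarios()) }
```

The genuine certificate is accepted after proxying (the interception is invisible), the self-signed certificate with only a CN is rejected because the browser now sees verify_fail.bank.example, and the self-signed certificate that names bank.example in its SAN is rejected when presented directly but accepted once the proxy has laundered it. Note that the leaf signing key is one per proxy, not one per site, which mirrors the single key shared by every affected laptop.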

The reaction from the players has ranged from the nearly comical (Superfish: "Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk"; Lenovo's since-removed original response: "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns") to a slowly evolving recognition that there is a real problem at hand (Lenovo's second and third statements on the uproar). So far, Komodia has not put out a statement at all.

While this "attack" targeted Windows, there is nothing that makes it an inherent problem for that operating system. A rogue application could certainly interfere with the root store(s) on a Linux system. It might be aimed at delivering ads, as this was, or perhaps as some kind of anti-cheating mechanism for a game or a DRM measure for some kind of media. In any of those cases, or other, similar scenarios, it would be hard to see that action as anything other than a man-in-the-middle attack.

But, in essence, the mechanism used is no different from what some network administrators do to the machines on their network: add a root certificate that provides a local trust anchor so that they can decrypt TLS traffic. That is why the certificate pinning feature that originated in Chrome/Chromium, and has since been added to Firefox, deliberately exempts chains that end in a locally installed root certificate. The current implementations of certificate pinning are therefore no defense against the Superfish/Komodia software. If pinning were to ignore local trust anchors, it would take away local administrators' ability to install their own certificates, either for snooping on traffic or simply to run a separate company-controlled signing authority and avoid the expense of commercial CAs. On the other hand, recent Android systems do warn users about certificates that have been added to the root store.

The real lesson from this horrendous security botch by Lenovo—beyond the idea of simply listening to security researchers rather than trying to bluster your way around them—is yet another reminder that the certificates stored on your systems need to be jealously guarded. Whether a rogue root certificate comes from a CA with inadequate safeguards or from a company that thinks it is a good idea to inject ads into your supposedly secure browsing hardly matters. The end result is the same: degradation or elimination of your privacy and security.

Comments (16 posted)

Brief items

Security quotes of the week

We can laugh at proprietary vendors engaging in dreadful security practices. We can feel smug about giving users the tools to choose their own level of security. But until we're actually making it straightforward for users to choose freedom without giving up security, we're not providing something meaningfully better - we're just providing the same shit sandwich on different bread.
Matthew Garrett

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.
Jeremy Scahill and Josh Begley on SIM card encryption key theft, as revealed by Edward Snowden, in The Intercept

It would be nice to see that the revelation of the NSA undermining one use of encryption led people to realize the stupidity of undermining other forms of encryption, but somehow, it seems likely that our law enforcement community won't quite comprehend that message.
Mike Masnick

We always knew that they would occasionally steal SIM keys. But all of them? The odds that they just attacked this one firm are extraordinarily low and we know the NSA does like to steal keys where it can.
Bruce Schneier in The Register

Comments (6 posted)

EFF: Lenovo is breaking HTTPS security on its recent laptops

Here is a statement from the Electronic Frontier Foundation on the revelation that Lenovo has been shipping insecure man-in-the-middle malware on its laptops. "Lenovo has not just injected ads in a wildly inappropriate manner, but engineered a massive security catastrophe for its users. The use of a single certificate for all of the MITM attacks means that all HTTPS security for at least Internet Explorer, Chrome, and Safari for Windows, on all of these Lenovo laptops, is now broken." For additional amusement, see Lenovo's statement on the issue.

There are a lot of Lenovo users in LWN's audience. Presumably most of them have long since done away with the original software, but those who might have kept it around would be well advised to look into the issue; this site can evidently indicate whether a machine is vulnerable or not.

Comments (144 posted)

Green: Another update on the Truecrypt audit

On his blog, Matthew Green gives an update on the plans to audit the TrueCrypt disk encryption tool. Green led an effort in 2013 to raise money for an audit of the TrueCrypt source code, which sort of ran aground when TrueCrypt abruptly shut down in May 2014. "It took us a while to recover from this and come up with a plan B that works within our budget and makes sense. We're now implementing this. A few weeks ago we signed a contract with the newly formed NCC Group's Cryptography Services practice (which grew out of iSEC, Matasano and Intrepidus Group). The project will evaluate the original Truecrypt 7.1a which serves as a baseline for the newer forks, and it will begin shortly. However to minimize price -- and make your donations stretch farther -- we allowed the start date to be a bit flexible, which is why we don't have results yet."

Comments (5 posted)

Remote code execution vulnerability in Samba

The Samba 4.1.17, 4.0.25 and 3.6.25 releases are available; they fix an unpleasant code-execution vulnerability. See this Red Hat security blog entry for more information. "CVE-2015-0240 is a security flaw in the smbd file server daemon. It can be exploited by a malicious Samba client, by sending specially-crafted packets to the Samba server. No [authentication] is required to exploit this flaw. It can result in remotely controlled execution of arbitrary code as root."

Comments (68 posted)

New vulnerabilities

apache-poi: denial of service

Package(s): apache-poi    CVE #(s): CVE-2014-9527
Created: February 23, 2015    Updated: February 26, 2015
Description: From the Red Hat bugzilla:

A denial of service flaw was found in the way the HSLFSlideShow class implementation in Apache POI handled certain PPT files. A remote attacker could submit a specially crafted PPT file that would cause Apache POI to hang indefinitely.

Alerts:
Mageia MGASA-2015-0087 apache-poi 2015-02-26
Fedora FEDORA-2015-2090 apache-poi 2015-02-23

Comments (none posted)

bind9: denial of service

Package(s): bind9    CVE #(s): CVE-2015-1349
Created: February 19, 2015    Updated: April 1, 2015
Description: From the Debian advisory:

Jan-Piet Mens discovered that the BIND DNS server would crash when processing an invalid DNSSEC key rollover, either due to an error on the zone operator's part, or due to interference with network traffic by an attacker. This issue affects configurations with the directives "dnssec-validation auto;" (as enabled in the Debian default configuration) or "dnssec-lookaside auto;".

Alerts:
Gentoo 201510-01 bind 2015-10-18
openSUSE openSUSE-SU-2015:1326-1 bind 2015-07-31
openSUSE openSUSE-SU-2015:1250-2 bind 2015-07-16
openSUSE openSUSE-SU-2015:1250-1 bind 2015-07-16
SUSE SUSE-SU-2015:1205-1 bind 2015-07-08
Slackware SSA:2015-111-01 bind 2015-04-21
CentOS CESA-2015:0672 bind 2015-04-01
Mandriva MDVSA-2015:165 bind 2015-03-29
Scientific Linux SLSA-2015:0672-1 bind 2015-03-11
Mageia MGASA-2015-0082 bind 2015-02-21
Oracle ELSA-2015-0672 bind 2015-03-10
CentOS CESA-2015:0672 bind 2015-03-11
Ubuntu USN-2503-1 bind9 2015-02-18
Debian DSA-3162-1 bind9 2015-02-18
Red Hat RHSA-2015:0672-01 bind 2015-03-11
Fedora FEDORA-2015-2548 bind 2015-03-05
Fedora FEDORA-2015-2543 bind 2015-03-05
Mandriva MDVSA-2015:054 bind 2015-03-04
Debian-LTS DLA-163-1 bind9 2015-03-01

Comments (none posted)

drupal6-views: multiple vulnerabilities

Package(s): drupal6-views    CVE #(s):
Created: February 23, 2015    Updated: February 25, 2015
Description: From the Drupal advisory:

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

Open redirect vulnerability: The module does not sanitize user provided URLs when processing the page to break the lock on Views being edited, thereby exposing an open redirect attack vector.

This vulnerability is mitigated by the fact that the Views UI submodule must be enabled.

Access bypass vulnerability: The module does not protect the default Views configurations that ship with the module sufficiently, thereby exposing possibly protected information to unprivileged users.

This vulnerability is mitigated by the fact that it only affects sites that have not granted the common "access content" or "access comments" permission to untrusted users. Furthermore, these default views configurations are disabled by default and must be enabled by an administrator.

Alerts:
Fedora FEDORA-2015-1936 drupal6-views 2015-02-23
Fedora FEDORA-2015-1953 drupal6-views 2015-02-23

Comments (none posted)

drupal7-path_breadcrumbs: access restriction bypass

Package(s): drupal7-path_breadcrumbs    CVE #(s):
Created: February 19, 2015    Updated: February 25, 2015
Description: From the Drupal advisory:

The module doesn't check node access on 403 Not Found pages. As a result, unpublished content data can be shown to an unprivileged user. This vulnerability is mitigated by the fact that it is possible to configure proper access control in Path Breadcrumbs items with "Selection Rules" from the UI.

Alerts:
Fedora FEDORA-2015-1881 drupal7-path_breadcrumbs 2015-02-19
Fedora FEDORA-2015-1882 drupal7-path_breadcrumbs 2015-02-19

Comments (none posted)

e2fsprogs: code execution

Package(s): e2fsprogs    CVE #(s): CVE-2015-1572
Created: February 23, 2015    Updated: June 5, 2015
Description: From the Debian advisory:

CVE-2015-0247 fixed a buffer overflow in e2fsprogs, a set of utilities for the ext2, ext3, and ext4 file systems. This issue can possibly lead to arbitrary code execution if a malicious device is plugged in, the system is configured to automatically mount it, and the mounting process chooses to run fsck on the device's malicious filesystem. That fix was incomplete.

Alerts:
Gentoo 201507-22 e2fsprogs 2015-07-23
SUSE SUSE-SU-2015:1103-1 e2fsprogs 2015-06-23
openSUSE openSUSE-SU-2015:1002-1 e2fsprogs 2015-06-05
Arch Linux ASA-201503-8 e2fsprogs 2015-03-12
openSUSE openSUSE-SU-2015:1006-1 e2fsprogs 2015-06-05
Mandriva MDVSA-2015:068 e2fsprogs 2015-03-27
Mandriva MDVSA-2015:067 e2fsprogs 2015-03-27
Mageia MGASA-2015-0088 e2fsprogs 2015-02-26
Ubuntu USN-2507-1 e2fsprogs 2015-02-23
Debian DSA-3166-1 e2fsprogs 2015-02-22
Fedora FEDORA-2015-2516 e2fsprogs 2015-03-04
Fedora FEDORA-2015-2511 e2fsprogs 2015-03-04
Debian-LTS DLA-162-1 e2fsprogs 2015-02-28

Comments (none posted)

freetype: many vulnerabilities

Package(s): freetype    CVE #(s): CVE-2014-9656 CVE-2014-9657 CVE-2014-9658 CVE-2014-9675 CVE-2014-9660 CVE-2014-9661 CVE-2014-9662 CVE-2014-9663 CVE-2014-9664 CVE-2014-9665 CVE-2014-9666 CVE-2014-9667 CVE-2014-9668 CVE-2014-9669 CVE-2014-9670 CVE-2014-9671 CVE-2014-9672 CVE-2014-9673 CVE-2014-9674
Created: February 20, 2015    Updated: February 1, 2016
Description: From the Fedora advisory:
- Fixes CVE-2014-9656
   - Check `p' before `num_glyphs'.
- Fixes CVE-2014-9657
   - Check minimum size of `record_size'.
- Fixes CVE-2014-9658
   - Use correct value for minimum table length test.
- Fixes CVE-2014-9675
   - New macro that checks one character more than `strncmp'.
- Fixes CVE-2014-9660
   - Check `_BDF_GLYPH_BITS'.
- Fixes CVE-2014-9661
   - Initialize `face->ttf_size'.
   - Always set `face->ttf_size' directly.
   - Exclusively use the `truetype' font driver for loading
     the font contained in the `sfnts' array.
- Fixes CVE-2014-9662
   - Handle return values of point allocation routines.
- Fixes CVE-2014-9663
   - Fix order of validity tests.
- Fixes CVE-2014-9664
   - Add another boundary testing.
   - Fix boundary testing.
- Fixes CVE-2014-9665
   - Protect against too large bitmaps.
- Fixes CVE-2014-9666
   - Protect against addition and multiplication overflow.
- Fixes CVE-2014-9667
   - Protect against addition overflow.
- Fixes CVE-2014-9668
   - Protect against addition overflow.
- Fixes CVE-2014-9669
   - Protect against overflow in additions and multiplications.
- Fixes CVE-2014-9670
   - Add sanity checks for row and column values.
- Fixes CVE-2014-9671
   - Check `size' and `offset' values.
- Fixes CVE-2014-9672
   - Prevent a buffer overrun caused by a font including too many (> 63)
     strings to store names[] table.
- Fixes CVE-2014-9673
   - Fix integer overflow by a broken POST table in resource-fork.
- Fixes CVE-2014-9674
   - Fix integer overflow by a broken POST table in resource-fork.
   - Additional overflow check in the summation of POST fragment lengths.
Alerts:
Debian DSA-3461-1 freetype 2016-01-31
Ubuntu USN-2739-1 freetype 2015-09-10
Debian-LTS DLA-185-1 freetype 2015-04-01
CentOS CESA-2015:0696 freetype 2015-04-01
openSUSE openSUSE-SU-2015:0627-1 freetype2 2015-03-30
Mandriva MDVSA-2015:089 freetype2 2015-03-28
Scientific Linux SLSA-2015:0696-1 freetype 2015-03-25
CentOS CESA-2015:0696 freetype 2015-03-18
Oracle ELSA-2015-0696 freetype 2015-03-17
Red Hat RHSA-2015:0696-01 freetype 2015-03-18
Gentoo 201503-05 freetype 2015-03-08
Ubuntu USN-2510-1 freetype 2015-02-24
Mageia MGASA-2015-0083 freetype2 2015-02-24
Debian DSA-3188-1 freetype 2015-03-15
Fedora FEDORA-2015-2216 freetype 2015-02-20
Fedora FEDORA-2015-2237 freetype 2015-02-19
Mandriva MDVSA-2015:055 freetype2 2015-03-04

Comments (none posted)

glibc: sends DNS queries to random file descriptors

Package(s): glibc    CVE #(s): CVE-2013-7423
Created: February 23, 2015    Updated: June 7, 2016
Description: From the SUSE bug report:

Under high load, getaddrinfo() starts sending DNS queries to random file descriptors, e.g. some unrelated socket connected to a remote service.

Alerts:
Red Hat RHSA-2016:1207-01 glibc 2016-06-07
Gentoo 201602-02 glibc 2016-02-17
Scientific Linux SLSA-2015:2199-7 glibc 2015-12-21
Red Hat RHSA-2015:2589-01 glibc 2015-12-09
Oracle ELSA-2015-2199 glibc 2015-11-25
Red Hat RHSA-2015:2199-07 glibc 2015-11-19
Mageia MGASA-2015-0195 glibc 2015-05-06
Mandriva MDVSA-2015:218 glibc 2015-04-30
Oracle ELSA-2015-0863 glibc 2015-04-21
Scientific Linux SLSA-2015:0863-1 glibc 2015-04-21
CentOS CESA-2015:0863 glibc 2015-04-21
Red Hat RHSA-2015:0863-01 glibc 2015-04-21
openSUSE openSUSE-SU-2015:0351-1 glibc 2015-02-23
Debian-LTS DLA-165-1 eglibc 2015-03-06
Ubuntu USN-2519-1 eglibc, glibc 2015-02-26

Comments (none posted)

glibc: code execution

Package(s): eglibc glibc    CVE #(s): CVE-2013-7424
Created: February 23, 2015    Updated: August 18, 2015
Description: From the Debian advisory:

An invalid free flaw was found in glibc's getaddrinfo() function when used with the AI_IDN flag. A remote attacker able to make an application call this function could use this flaw to execute arbitrary code with the permissions of the user running the application. Note that this flaw only affected applications using glibc compiled with libidn support.

Alerts:
Scientific Linux SLSA-2015:1627-1 glibc 2015-08-17
Oracle ELSA-2015-1627 glibc 2015-08-17
CentOS CESA-2015:1627 glibc 2015-08-17
Red Hat RHSA-2015:1627-01 glibc 2015-08-17
Debian DSA-3169-1 eglibc 2015-02-23
Debian-LTS DLA-165-1 eglibc 2015-03-06

Comments (none posted)

java: unspecified vulnerability

Package(s): java-1_7_0-openjdk    CVE #(s): CVE-2015-0421
Created: February 20, 2015    Updated: February 25, 2015
Description: From the CVE entry:

Unspecified vulnerability in Oracle Java SE 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the installation process.

Alerts:
Gentoo 201507-14 oracle-jre-bin 2015-07-10
SUSE SUSE-SU-2015:0336-1 java-1_7_0-openjdk 2015-02-20

Comments (none posted)

kernel: two vulnerabilities

Package(s): linux-2.6    CVE #(s): CVE-2014-8160 CVE-2015-1593
Created: February 19, 2015    Updated: March 20, 2015
Description: From the Debian LTS advisory:

CVE-2014-8160: It was found that a netfilter (iptables or ip6tables) rule accepting packets to a specific SCTP, DCCP, GRE or UDPlite port/endpoint could result in incorrect connection tracking state. If only the generic connection tracking module (nf_conntrack) was loaded, and not the protocol-specific connection tracking module, this would allow access to any port/endpoint of the specified protocol.

CVE-2015-1593: It was found that address randomisation for the initial stack in 64-bit processes was limited to 20 rather than 22 bits of entropy. A local unprivileged user could potentially use this flaw to bypass the ASLR protection mechanism.

Alerts:
Oracle ELSA-2015-2152 kernel 2015-11-25
Oracle ELSA-2015-3064 kernel 3.8.13 2015-07-31
Scientific Linux SLSA-2015:1221-1 kernel 2015-07-15
CentOS CESA-2015:1221 kernel 2015-07-15
Oracle ELSA-2015-1221 kernel 2015-07-14
Red Hat RHSA-2015:1221-01 kernel 2015-07-14
Scientific Linux SLSA-2015:1137-1 kernel 2015-06-25
Oracle ELSA-2015-3047 kernel 2015-06-25
Oracle ELSA-2015-3045 kernel 2015-06-24
Oracle ELSA-2015-3046 kernel 2015-06-24
Oracle ELSA-2015-1137 kernel 2015-06-23
CentOS CESA-2015:1137 kernel 2015-06-24
Red Hat RHSA-2015:1138-01 kernel-rt 2015-06-23
Red Hat RHSA-2015:1139-01 kernel-rt 2015-06-23
Red Hat RHSA-2015:1137-01 kernel 2015-06-23
Mageia MGASA-2015-0219 kernel-tmb 2015-05-13
Mageia MGASA-2015-0221 kernel-linus 2015-05-13
Mageia MGASA-2015-0210 kernel 2015-05-11
Mageia MGASA-2015-0172 kernel-linus 2015-04-30
Mageia MGASA-2015-0171 kernel 2015-04-30
SUSE SUSE-SU-2015:0736-1 Real Time Linux Kernel 2015-04-20
openSUSE openSUSE-SU-2015:0714-1 kernel 2015-04-13
openSUSE openSUSE-SU-2015:0713-1 kernel 2015-04-13
Ubuntu USN-2561-1 linux-ti-omap4 2015-04-08
Ubuntu USN-2564-1 linux-lts-utopic 2015-04-09
Ubuntu USN-2562-1 linux-lts-trusty 2015-04-08
Ubuntu USN-2565-1 kernel 2015-04-09
Ubuntu USN-2563-1 kernel 2015-04-08
Ubuntu USN-2560-1 kernel 2015-04-08
SUSE SUSE-SU-2015:0652-1 Linux kernel 2015-04-02
Scientific Linux SLSA-2015:0290-1 kernel 2015-03-25
SUSE SUSE-SU-2015:0581-1 kernel 2015-03-24
Oracle ELSA-2015-3012 kernel 2015-03-19
SUSE SUSE-SU-2015:0529-1 the Linux Kernel 2015-03-18
Mandriva MDVSA-2015:058 kernel 2015-03-13
Red Hat RHSA-2015:0674-01 kernel 2015-03-11
Ubuntu USN-2514-1 linux-ti-omap4 2015-02-26
Ubuntu USN-2517-1 linux-lts-utopic 2015-02-26
Ubuntu USN-2515-1 linux-lts-trusty 2015-02-26
Ubuntu USN-2513-1 kernel 2015-02-26
Ubuntu USN-2516-1 kernel 2015-02-26
Ubuntu USN-2518-1 kernel 2015-02-26
Debian DSA-3160-1 kernel 2015-02-23
Oracle ELSA-2015-0674 kernel 2015-03-11
Red Hat RHSA-2015:0290-01 kernel 2015-03-05
Ubuntu USN-2516-2 kernel 2015-02-28
Debian-LTS DLA-155-1 linux-2.6 2015-02-18
Mandriva MDVSA-2015:057 kernel 2015-03-10
Ubuntu USN-2515-2 linux-lts-trusty 2015-03-04
Red Hat RHSA-2015:0284-01 kernel 2015-03-03
Fedora FEDORA-2015-3594 kernel 2015-03-14
CentOS CESA-2015:0674 kernel 2015-03-12
Scientific Linux SLSA-2015:0674-1 kernel 2015-03-12
Fedora FEDORA-2015-3011 kernel 2015-03-09
Ubuntu USN-2516-3 kernel 2015-03-04

Comments (none posted)

kernel: two vulnerabilities

Package(s): kernel    CVE #(s): CVE-2014-9683 CVE-2015-1420
Created: February 24, 2015    Updated: July 30, 2015
Description: From the Debian advisory:

CVE-2014-9683: Dmitry Chernenkov discovered that eCryptfs writes past the end of the allocated buffer during encrypted filename decoding, resulting in local denial of service.

CVE-2015-1420: It was discovered that the open_by_handle_at() system call reads the handle size from user memory a second time after validating it. A local user with the CAP_DAC_READ_SEARCH capability could use this flaw for privilege escalation.

Alerts:
Oracle ELSA-2017-3516 kernel 2.6.39 2017-02-10
openSUSE openSUSE-SU-2016:0301-1 kernel 2016-02-01
SUSE SUSE-SU-2015:1611-1 kernel 2015-09-23
SUSE SUSE-SU-2015:1592-1 kernel 2015-09-22
openSUSE openSUSE-SU-2015:1382-1 kernel 2015-08-14
SUSE SUSE-SU-2015:1376-1 kernel-rt 2015-08-12
Scientific Linux SLSA-2015:1272-1 kernel 2015-08-03
Oracle ELSA-2015-3055 kernel 2.6.32 2015-08-01
Oracle ELSA-2015-3054 kernel 2.6.39 2015-08-01
SUSE SUSE-SU-2015:1478-1 kernel 2015-09-02
Oracle ELSA-2015-3053 kernel 3.8.13 2015-07-29
Oracle ELSA-2015-1272 kernel 2015-07-29
Red Hat RHSA-2015:1272-01 kernel 2015-07-22
SUSE SUSE-SU-2015:1224-1 kernel 2015-07-10
Ubuntu USN-2661-1 linux-ti-omap4 2015-07-07
Ubuntu USN-2665-1 linux-lts-vivid 2015-07-07
Ubuntu USN-2664-1 linux-lts-utopic 2015-07-07
Ubuntu USN-2662-1 linux-lts-trusty 2015-07-07
Ubuntu USN-2660-1 kernel 2015-07-07
Ubuntu USN-2663-1 kernel 2015-07-07
Ubuntu USN-2666-1 kernel 2015-07-07
Ubuntu USN-2667-1 kernel 2015-07-07
Fedora FEDORA-2015-9704 kernel 2015-06-20
Fedora FEDORA-2015-9712 kernel 2015-06-21
Debian-LTS DLA-246-1 linux-2.6 2015-06-17
Debian-LTS DLA-246-2 linux-2.6 2015-06-17
Ubuntu USN-2542-1 linux-ti-omap4 2015-03-24
Ubuntu USN-2541-1 kernel 2015-03-24
Mandriva MDVSA-2015:058 kernel 2015-03-13
Ubuntu USN-2517-1 linux-lts-utopic 2015-02-26
Ubuntu USN-2515-1 linux-lts-trusty 2015-02-26
Ubuntu USN-2516-1 kernel 2015-02-26
Ubuntu USN-2518-1 kernel 2015-02-26
Debian DSA-3160-1 kernel 2015-02-23
Ubuntu USN-2516-2 kernel 2015-02-28
Ubuntu USN-2515-2 linux-lts-trusty 2015-03-04
Ubuntu USN-2516-3 kernel 2015-03-04

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s): firefox thunderbird seamonkey    CVE #(s): CVE-2015-0822 CVE-2015-0827 CVE-2015-0831 CVE-2015-0836
Created: February 25, 2015    Updated: September 4, 2015
Description: From the Red Hat advisory:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-0836, CVE-2015-0831, CVE-2015-0827)

An information leak flaw was found in the way Firefox implemented autocomplete forms. An attacker able to trick a user into specifying a local file in the form could use this flaw to access the contents of that file. (CVE-2015-0822)

Alerts:
Gentoo 201701-15 firefox 2017-01-03
Slackware SSA:2015-246-01 seamonkey 2015-09-03
openSUSE openSUSE-SU-2015:1266-1 firefox, thunderbird 2015-07-18
Gentoo 201504-01 firefox 2015-04-07
Mageia MGASA-2015-0126 iceape 2015-04-03
CentOS CESA-2015:0642 thunderbird 2015-04-01
openSUSE openSUSE-SU-2015:0567-1 firefox 2015-03-22
openSUSE openSUSE-SU-2015:0570-1 seamonkey 2015-03-23
Fedora FEDORA-2015-4148 seamonkey 2015-03-21
openSUSE openSUSE-SU-2015:0448-1 thunderbird 2015-03-07
Red Hat RHSA-2015:0629-01 firefox 2015-03-05
Ubuntu USN-2505-1 firefox 2015-02-25
Slackware SSA:2015-056-01 firefox 2015-02-25
Slackware SSA:2015-056-02 thunderbird 2015-02-25
Scientific Linux SLSA-2015:0266-1 thunderbird 2015-02-25
Scientific Linux SLSA-2015:0265-1 firefox 2015-02-25
Oracle ELSA-2015-0266 thunderbird 2015-02-25
Oracle ELSA-2015-0265 firefox 2015-02-25
Mageia MGASA-2015-0089 firefox, thunderbird 2015-02-26
Debian DSA-3174-1 iceweasel 2015-02-25
CentOS CESA-2015:0266 thunderbird 2015-02-25
CentOS CESA-2015:0265 firefox 2015-02-25
Red Hat RHSA-2015:0266-01 thunderbird 2015-02-25
Red Hat RHSA-2015:0265-01 firefox 2015-02-24
Oracle ELSA-2015-0642 thunderbird 2015-03-12
Debian DSA-3179-1 icedove 2015-03-03
Red Hat RHSA-2015:0642-01 thunderbird 2015-03-05
SUSE SUSE-SU-2015:0412-1 firefox 2015-03-03
Ubuntu USN-2505-2 firefox 2015-03-09
SUSE SUSE-SU-2015:0447-1 firefox 2015-03-07
SUSE SUSE-SU-2015:0446-1 firefox 2015-03-07
Ubuntu USN-2506-1 thunderbird 2015-03-03
openSUSE openSUSE-SU-2015:0404-1 firefox, nss 2015-03-01

Comments (none posted)

openstack-glance: access restriction bypass

Package(s): openstack-glance    CVE #(s): CVE-2014-9493
Created: February 20, 2015    Updated: May 26, 2015
Description: From the Red Hat advisory:

It was discovered that an authenticated user could use a path traversal flaw in glance to download or delete any file on the glance server that is accessible to the glance process user. Note that only setups using the OpenStack Image V2 API were affected by this flaw. (CVE-2014-9493)

Alerts:
Fedora FEDORA-2015-6169 openstack-glance 2015-05-26
Red Hat RHSA-2015:0246-01 openstack-glance 2015-02-19

Comments (none posted)

php5: code execution

Package(s): php5    CVE #(s): CVE-2014-9426
Created: February 19, 2015    Updated: February 25, 2015
Description: From the openSUSE advisory:

CVE-2014-9426: The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempted to perform a free operation on a stack-based character array, which allowed remote attackers to cause a denial of service (memory corruption or application crash) or possibly have unspecified other impact via unknown vectors.

Alerts:
openSUSE openSUSE-SU-2015:0325-1 php5 2015-02-19

Comments (none posted)

php: use after free

Package(s): php    CVE #(s): CVE-2015-0273
Created: February 24, 2015    Updated: March 4, 2015
Description: From the PHP bug report:

Use after free vulnerability in unserialize() with DateTimeZone.

Alerts:
SUSE SUSE-SU-2016:1638-1 php53 2016-06-21
Gentoo 201606-10 php 2016-06-19
Scientific Linux SLSA-2015:1218-1 php 2015-07-09
Oracle ELSA-2015-1218 php 2015-07-09
CentOS CESA-2015:1218 php 2015-07-09
Red Hat RHSA-2015:1218-01 php 2015-07-09
Scientific Linux SLSA-2015:1135-1 php 2015-06-24
Oracle ELSA-2015-1135 php 2015-06-23
CentOS CESA-2015:1135 php 2015-06-24
Red Hat RHSA-2015:1135-01 php 2015-06-23
Red Hat RHSA-2015:1053-01 php55 2015-06-04
Red Hat RHSA-2015:1066-01 php54 2015-06-04
Mandriva MDVSA-2015:080 php 2015-03-28
Mandriva MDVSA-2015:079 php 2015-03-28
Ubuntu USN-2535-1 php5 2015-03-18
Debian DSA-3195-1 php5 2015-03-18
Fedora FEDORA-2015-2315 php 2015-02-23
openSUSE openSUSE-SU-2015:0440-1 php5 2015-03-06
SUSE SUSE-SU-2015:0436-1 PHP 5.3 2015-03-05
Fedora FEDORA-2015-2328 php 2015-03-04
SUSE SUSE-SU-2015:0424-1 php5 2015-03-04
Mageia MGASA-2015-0090 php 2015-03-03

Comments (none posted)

ruby-redcloth: cross-site scripting

Package(s): ruby-redcloth    CVE #(s): CVE-2012-6684
Created: February 23, 2015    Updated: March 9, 2015
Description: From the Debian advisory:

Kousuke Ebihara discovered that redcloth, a Ruby module used to convert Textile markup to HTML, did not properly sanitize its input. This allowed a remote attacker to perform a cross-site scripting attack by injecting arbitrary JavaScript code into the generated HTML.

Alerts:
Debian DSA-3168-1 ruby-redcloth 2015-02-22
Debian-LTS DLA-167-1 redcloth 2015-03-07

Comments (none posted)

samba: root code execution

Package(s): samba    CVE #(s): CVE-2015-0240
Created: February 23, 2015    Updated: March 29, 2015
Description: From the Red Hat errata:

An uninitialized pointer use flaw was found in the Samba daemon (smbd). A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd (by default, the root user).

Alerts:
openSUSE openSUSE-SU-2016:1107-1 samba 2016-04-20
openSUSE openSUSE-SU-2016:1106-1 samba 2016-04-20
openSUSE openSUSE-SU-2016:1064-1 samba 2016-04-17
Mandriva MDVSA-2015:083 samba4 2015-03-28
Mandriva MDVSA-2015:082 samba 2015-03-28
Mandriva MDVSA-2015:081 samba 2015-03-28
SUSE SUSE-SU-2015:0386-1 Samba 2015-02-27
Gentoo 201502-15 samba 2015-02-25
SUSE SUSE-SU-2015:0371-1 Samba 2015-02-25
openSUSE openSUSE-SU-2015:0375-1 samba 2015-02-25
Mageia MGASA-2015-0084 samba 2015-02-24
Fedora FEDORA-2015-2519 samba 2015-02-25
Fedora FEDORA-2015-2538 samba 2015-02-25
Ubuntu USN-2508-1 samba 2015-02-23
Scientific Linux SLSA-2015:0250-1 samba4 2015-02-23
Scientific Linux SLSA-2015:0249-1 samba 2015-02-23
Scientific Linux SLSA-2015:0251-1 samba 2015-02-23
Scientific Linux SLSA-2015:0252-1 samba 2015-02-23
Oracle ELSA-2015-0250 samba4 2015-02-23
Oracle ELSA-2015-0249 samba3x 2015-02-23
Oracle ELSA-2015-0251 samba 2015-02-23
Oracle ELSA-2015-0252 samba 2015-02-23
Debian-LTS DLA-156-1 samba 2015-02-23
Red Hat RHSA-2015:0255-01 samba4 2015-02-23
Red Hat RHSA-2015:0250-01 samba4 2015-02-23
Red Hat RHSA-2015:0253-01 samba3x 2015-02-23
Red Hat RHSA-2015:0249-01 samba3x 2015-02-23
Red Hat RHSA-2015:0251-01 samba 2015-02-23
Red Hat RHSA-2015:0254-01 samba 2015-02-23
Red Hat RHSA-2015:0252-01 samba 2015-02-23
SUSE SUSE-SU-2015:0353-1 samba 2015-02-23
Debian DSA-3171-1 samba 2015-02-23
CentOS CESA-2015:0250 samba4 2015-02-23
CentOS CESA-2015:0249 samba3x 2015-02-23
CentOS CESA-2015:0251 samba 2015-02-23
CentOS CESA-2015:0252 samba 2015-02-23
Slackware SSA:2015-064-01 samba 2015-03-05

tomcat: HTTP request smuggling

Package(s): tomcat    CVE #(s): CVE-2014-0227
Created: February 20, 2015    Updated: May 14, 2015
Description: From the Mageia advisory:

In Apache Tomcat 7.x before 7.0.55, it was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request (CVE-2014-0227).

Alerts:
Debian DSA-3530-1 tomcat6 2016-03-25
Ubuntu USN-2654-1 tomcat7 2015-06-25
Ubuntu USN-2655-1 tomcat6 2015-06-25
Scientific Linux SLSA-2015:0991-1 tomcat6 2015-05-13
Scientific Linux SLSA-2015:0983-1 tomcat 2015-05-13
Oracle ELSA-2015-0991 tomcat6 2015-05-12
Oracle ELSA-2015-0983 tomcat 2015-05-12
CentOS CESA-2015:0991 tomcat6 2015-05-12
CentOS CESA-2015:0983 tomcat 2015-05-13
Red Hat RHSA-2015:0991-01 tomcat6 2015-05-12
Red Hat RHSA-2015:0983-01 tomcat 2015-05-12
Debian-LTS DLA-232-1 tomcat6 2015-05-28
Mandriva MDVSA-2015:084 tomcat 2015-03-28
Mandriva MDVSA-2015:052 tomcat 2015-03-03
Fedora FEDORA-2015-2109 tomcat 2015-02-23
Mageia MGASA-2015-0081 tomcat 2015-02-19
Mandriva MDVSA-2015:053 tomcat6 2015-03-03

typo3-src: authentication bypass

Package(s): typo3-src    CVE #(s):
Created: February 23, 2015    Updated: February 25, 2015
Description: From the TYPO3 advisory:

It has been discovered that TYPO3 CMS is vulnerable to Authentication Bypass. Frontend users can be authenticated by only knowing their username.

Alerts:
Debian DSA-3164-1 typo3-src 2015-02-21

xdg-utils: command execution

Package(s): xdg-utils    CVE #(s): CVE-2015-1877
Created: February 23, 2015    Updated: February 25, 2015
Description: From the Debian advisory:

Jiri Horner discovered a way to cause xdg-open, a tool that automatically opens URLs in a user's preferred application, to execute arbitrary commands remotely.

Alerts:
Debian-LTS DLA-217-1 xdg-utils 2015-05-01
Debian DSA-3165-1 xdg-utils 2015-02-22

Page editor: Jake Edge
Copyright © 2015, Eklektix, Inc.