Security

The DISH Anywhere (aka com.sm.SlingGuide.Dish) application 3.5.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Stéphane Graber and Tavis Ormandy independently discovered that Apport incorrectly handled the crash reporting feature. A local attacker could use this issue to gain elevated privileges.

Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when registering a SIP TLS device, does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

CVE-2015-1821: Using particular address/subnet pairs when configuring access control would cause an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code.

CVE-2015-1822: When allocating memory to save unacknowledged replies to authenticated command requests, a pointer would be left uninitialized, which could trigger an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code.

CVE-2015-1853: When peering with other NTP hosts using authenticated symmetric association, the internal state variables would be updated before the MAC of the NTP messages was validated. This could allow a remote attacker to cause a denial of service by impeding synchronization between NTP peers.

Adam Sampson discovered a buffer overflow in the handling of the XAUTHORITY environment variable in das-watchdog, a watchdog daemon to ensure a realtime process won't hang the machine. A local user can exploit this flaw to escalate his privileges and execute arbitrary code as root.

From the Debian advisory:

Jann Horn discovered that the source package integrity verification in dpkg-source can be bypassed via a specially crafted Debian source control file (.dsc). Note that this flaw only affects extraction of local Debian source packages via dpkg-source but not the installation of packages from the Debian archive.

Update to drupal7-webform 4.7 (notes) that may or may not include a security fix. The Fedora advisory includes a bug report reference from the 4.4 series. Whether the update fixes this older bug or another from the 4.7 release cycle is not specified.

From the Red Hat bug report:

echoping segfaults all the time.

[ Which is evidently due to a bad build back in 2013. ]

From the CVE entries:

CVE-2015-0798: The Reader mode feature in Mozilla Firefox before 37.0.1 on Android, and Desktop Firefox pre-release, does not properly handle privileged URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy.

CVE-2015-0799: The HTTP Alternative Services feature in Mozilla Firefox before 37.0.1 allows man-in-the-middle attackers to bypass an intended X.509 certificate-verification step for an SSL server by specifying that server in the uri-host field of an Alt-Svc HTTP/2 response header.

The bug can only be triggered if "stream_auth" is being used. This means, that all installations that use a default configuration are NOT affected.The default configuration only uses <source-password>. Neither are simple mountpoints affected that use <password>. A workaround, if installing an updated package is not possible, is to disable "stream_auth"and use <password> instead. As far as we understand the bug only leads to a simple remote denial of service. The underlying issue is a null pointer dereference. For clarity: No remote code execution should be possible, server just segfaults.

An attacker could kill, with triggering the server with a special URL, the icecast-server due to a null pointer dereference.

The problem has been fixed upstream in version 2.4.2.

CVE-2005-1080: A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.

CVE-2015-0460: A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.

CVE-2015-0469: An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions.

CVE-2015-0477: A flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-0478: It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures.

CVE-2015-0480: A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.

CVE-2015-0488: A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly.

From the Ubuntu advisory:

An information leak was discovered in the Linux kernel's handling of userspace configuration of the link layer control (LLC). A local user could exploit this flaw to read data from other sysctl settings.

Stefan Roas discovered a way to cause a buffer overflow in DBD-FireBird, a Perl DBI driver for the Firebird RDBMS, in certain error conditions, due to the use of the sprintf() function to write to a fixed-size memory buffer.

Abhishek Arya discovered a buffer overflow in the MakeBigReq macro provided by libx11, which could result in denial of service or the execution of arbitrary code.

From the Arch Linux advisory:

CVE-2015-2931 (cross-side scripting) It was discovered that MIME types were not properly restricted, allowing a way to circumvent the SVG MIME blacklist for embedded resources. This allowed an attacker to embed JavaScript in a SVG file.

CVE-2015-2932 (cross-side scripting) The SVG filter to prevent injecting JavaScript using animate elements was incorrect. The list of dangerous parts of HTML5 is supposed to include all uses of 'animate attributename="xlink:href"' in SVG documents.

CVE-2015-2933 (cross-side scripting) A persistent XSS vulnerability was discovered due to the way attributes were expanded in MediaWiki's HTML class, in combination with LanguageConverter substitutions.

CVE-2015-2934 (cross-side scripting) It was discovered that MediaWiki's SVG filtering could be bypassed with entity encoding under the Zend interpreter. This could be used to inject JavaScript.

CVE-2015-2935 (external resource loading) A way was discovered to bypass the style filtering for SVG files to load external resource. This could violate the anonymity of users viewing the SVG. This issue exists because of an incomplete fix for CVE-2014-7199.

CVE-2015-2936 (denial of service) It was discovered that MediaWiki versions using PBKDF2 for password hashing (the default since 1.24) are vulnerable to DoS attacks using extremely long passwords.

CVE-2015-2937 (denial of service) It was discovered that MediaWiki is vulnerable to "Quadratic Blowup" denial of service attacks.

CVE-2015-2938 (cross-side scripting) It was discovered that the MediaWiki feature allowing a user to preview another user's custom JavaScript could be abused for privilege escalation. This feature has been removed.

CVE-2015-2939 (cross-side scripting) It was discovered that function names were not sanitized in Lua error backtraces, which could lead to XSS.

CVE-2015-2940 (cross-side request forgery) It was discovered that the CheckUser extension did not prevent CSRF attacks on the form allowing checkusers to look up sensitive information about other users. Since the use of CheckUser is logged, the CSRF could be abused to defame a trusted user or flood the logs with noise.

CVE-2015-2941 (cross-side scripting) It was discovered that XSS is possible in the way api errors were reflected under HHVM versions before 3.6.1. MediaWiki now detects and mitigates this issue on older versions of HHVM.

CVE-2015-2942 (denial of service) It was discovered that MediaWiki's SVG and XMP parsing running under HHVM was susceptible to "Billion Laughs" DoS attacks.

Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Pluggable Auth. (CVE-2015-0385)

Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2015-0409)

From the CVE entry:

scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.

It was found that the QEMU's websocket frame decoder processed incoming frames without limiting resources used to process the header and payload. An attacker able to access a guest's VNC console could use this flaw to trigger a denial of service on the host by exhausting all available memory and CPU.

After reviewing RFC 6125 and RFC 5280, multiple violations were found of matching hostnames and particularly wildcard certificates.

Ruby’s OpenSSL extension will now provide a string-based matching algorithm which follows more strict behavior, as recommended by these RFCs. In particular, matching of more than one wildcard per subject/SAN is no-longer allowed. As well, comparison of these values are now case-insensitive.

This change will take affect Ruby’s OpenSSL::SSL#verify_certificate_identity behavior.

Specifically:

• Only one wildcard character in the left-most part of the hostname is allowed.
• IDNA names can now only be matched by a simple wildcard (e.g. ‘*.domain’).
• Subject/SAN should be limited to ASCII characters only.

A remote attacker can make use of the overly permissive hostname matching during certificate verifications to perform a man-in-the-middle attack by spoofing SSL servers via a crafted certificate.

In socat before 2.0.0-b8, signal handler implementations are not async-signal-safe and can cause crash or freeze of socat processes. Mostly this issue occurs when socat is in listening mode with fork option and a couple of child processes terminate at the same time

A heap-based buffer overflow flaw was reported (including a reproducer) in varnish, a high-performance HTTP accelerator:

http://seclists.org/oss-sec/2015/q1/776

Ignacio R. Morelle discovered that missing path restrictions in the "Battle of Wesnoth" game could result in the disclosure of arbitrary files in the user's home directory if malicious campaigns/maps are loaded.

The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a PCI passthrough device, is not preemptable, which allows local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm). (CVE-2015-2752)

QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response. (CVE-2015-2756)

Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allows remote domains with partial management control to cause a denial of service (host lock) via unspecified domctl operations. (CVE-2015-2751)

From the Red Hat bug report:

Buffer overflow leading to application crash.