Security

ceph-deploy versions before 1.5.23 had an issue where keyring permissions were world readable.

Multiple unspecified vulnerabilities in Google V8 before 4.2.77.14, as used in Google Chrome before 42.0.2311.90, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2015-3333)

browser/ui/website_settings/website_settings.cc in Google Chrome before 42.0.2311.90 does not always display "Media: Allowed by you" in a Permissions table after the user has granted camera permission to a web site, which might make it easier for user-assisted remote attackers to obtain sensitive video data from a device's physical environment via a crafted web site that turns on the camera at a time when the user believes that camera access is prohibited. (CVE-2015-3334)

The NaClSandbox::InitializeLayerTwoSandbox function in components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc in Google Chrome before 42.0.2311.90 does not have RLIMIT_AS and RLIMIT_DATA limits for Native Client (aka NaCl) processes, which might make it easier for remote attackers to conduct row-hammer attacks or have unspecified other impact by leveraging the ability to run a crafted program in the NaCl sandbox. (CVE-2015-3335)

Google Chrome before 42.0.2311.90 does not always ask the user before proceeding with CONTENT_SETTINGS_TYPE_FULLSCREEN and CONTENT_SETTINGS_TYPE_MOUSELOCK changes, which allows user-assisted remote attackers to cause a denial of service (UI disruption) by constructing a crafted HTML document containing JavaScript code with requestFullScreen and requestPointerLock calls, and arranging for the user to access this document with a file: URL. (CVE-2015-3336)

Bugs fixed (https://bugzilla.redhat.com/):
1211919 - CVE-2015-1235 chromium-browser: Cross-origin-bypass in HTML parser
1211920 - CVE-2015-1236 chromium-browser: Cross-origin-bypass in Blink
1211921 - CVE-2015-1237 chromium-browser: Use-after-free in IPC
1211922 - CVE-2015-1238 chromium-browser: Out-of-bounds write in Skia
1211923 - CVE-2015-1240 chromium-browser: Out-of-bounds read in WebGL
1211924 - CVE-2015-1241 chromium-browser: tap-jacking vulnerability
1211925 - CVE-2015-1242 chromium-browser: Type confusion in V8
1211926 - CVE-2015-1244 chromium-browser: HSTS bypass in WebSockets
1211927 - CVE-2015-1245 chromium-browser: Use-after-free in PDFium
1211928 - CVE-2015-1246 chromium-browser: Out-of-bounds read in Blink
1211929 - CVE-2015-1247 chromium-browser: Scheme issues in OpenSearch
1211930 - CVE-2015-1248 chromium-browser: SafeBrowsing bypass
1211932 - CVE-2015-1249 chromium-browser: Various fixes from internal audits, fuzzing and other initiatives

CVE-2015-3143: NTLM-authenticated connections could be wrongly reused for requests without any credentials set, leading to HTTP requests being sent over the connection authenticated as a different user. This is similar to the issue fixed in DSA-2849-1.

CVE-2015-3144: When parsing URLs with a zero-length hostname (such as "http://:80"), libcurl would try to read from an invalid memory address. This could allow remote attackers to cause a denial of service (crash). This issue only affects the upcoming stable (jessie) and unstable (sid) distributions.

CVE-2015-3145: When parsing HTTP cookies, if the parsed cookie's "path" element consists of a single double-quote, libcurl would try to write to an invalid heap memory address. This could allow remote attackers to cause a denial of service (crash). This issue only affects the upcoming stable (jessie) and unstable (sid) distributions.

CVE-2015-3148: When doing HTTP requests using the Negotiate authentication method along with NTLM, the connection used would not be marked as authenticated, making it possible to reuse it and send requests for one user over the connection authenticated as a different user.

James P. Turk discovered that the ReST renderer in django-markupfield, a custom Django field for easy use of markup in text fields, didn't disable the ..raw directive, allowing remote attackers to include arbitrary files.

Mozilla developer Robert Kaiser reported that a specially crafted HTML, when loaded by the target user, will trigger a use-after-free race condition when a plugin fails to initialize, which may lead to a memory corruption error in AsyncPaintWaitEvent::AsyncPaintWaitEvent() and arbitrary code execution on the target system.

A remote attacker is able to use a specially crafted HTML that, when loaded by the target user, will trigger a race condition leading to memory corruption and arbitrary code execution.

A buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application.

Double-free issue was reported in gnupg2:

in scd/command.c 'cert' is freed twice on ksba_cert_new() failure:

...
 778   rc = ksba_cert_new (&kc);
 779   if (rc)
 780     {
 781       xfree (cert);
 782       goto leave;
 783     }
...
 803  leave:
 804   ksba_cert_release (kc);
 805   xfree (cert);

This vulnerability allows users with the job configuration privilege to escalate his privileges, resulting in arbitrary code execution to the master.

Aki Helin discovered a buffer overflow in the GStreamer plugin for MP4 playback, which could lead in the execution of arbitrary code.

It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker able to continuously spawn new processes within a single memory-constrained cgroup during an OOM event could use this flaw to lock up the system.

- new upstream release:

• fix: performance drop for NSEC-signed zones
• fix: proper handling of TCP short-writes
• fix: possible out-of-bound reads in zone parser and packet parser
• feature: CDS and CDNSKEY support in zone parser
• improvement: add defaults for TCP config options into documentation
• improvement: detailed error message if zone reload fails

Multiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-0477, CVE-2015-0470)

From the CVE entries:

CVE-2015-0458 - Unspecified vulnerability in in Oracle Java SE 6u91, 7u76, and 8u40 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVE-2015-0459 - Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and JavaFX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2015-0491.

CVE-2015-0484 - Unspecified vulnerability in Oracle Java SE 7u76 and 8u40, and Java FX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2015-0492.

CVE-2015-0486 - Unspecified vulnerability in Oracle Java SE 8u40 allows remote attackers to affect confidentiality via unknown vectors related to Deployment.

CVE-2015-0491 - Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and Java FX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2015-0459.

CVE-2015-0492 - Unspecified vulnerability in Oracle Java SE 7u76 and 8u40, and JavaFX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2015-0484.

CVE-2015-1812, CVE-2015-1813: An attacker without any access to Jenkins can navigate the user to a carefully crafted URL and have the user execute unintended actions. This vulnerability can be used to attack Jenkins inside firewalls from outside so long as the location of Jenkins is known to the attacker.

CVE-2015-1814: The part of Jenkins that issues a new API token was not adequately protected against anonymous attackers. This allows an attacker to escalate privileges on Jenkins.

CVE-2015-1807: This vulnerability allows users with the job configuration privilege or users with commit access to the build script to access arbitrary files/directories on the master, resulting in the exposure of sensitive information, such as encryption keys.

CVE-2015-1808: This vulnerability allows authenticated users to disrupt the operation of Jenkins by feeding malicious update center data into Jenkins, affecting plugin installation and tool installation.

CVE-2015-1809: This vulnerability allows users with the read access to Jenkins to retrieve arbitrary XML document on the server, resulting in the exposure of sensitive information inside/outside Jenkins.

CVE-2015-1810: For users using "'Jenkins' own user database" setting, Jenkins doesn't refuse reserved names, thus allowing privilege escalation.

CVE-2015-1811: This vulnerability allows attackers to create malicious XML documents and feed that into Jenkins, which causes Jenkins to retrieve arbitrary XML document on the server, resulting in the exposure of sensitive information inside/outside Jenkins.

Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:MEMCACHED. (CVE-2014-6474)

Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect integrity and availability via vectors related to SERVER:SP. (CVE-2014-6489)

Cross-site scripting (XSS) vulnerability in the WddxPacket::recursiveAddVar function in HHVM (aka the HipHop Virtual Machine) before 3.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted string to the wddx_serialize_value function. (CVE-2014-9714)

John Lightsey discovered a format string injection vulnerability in the localisation of templates in Movable Type, a blogging system. An unauthenticated remote attacker could take advantage of this flaw to execute arbitrary code as the web server user.

Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote authenticated users to affect availability via vectors related to InnoDB : DML. (CVE-2015-0433)

Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Encryption. (CVE-2015-0441)

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Federated. (CVE-2015-0499)

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling. (CVE-2015-0501)

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. (CVE-2015-0505)

Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote attackers to affect availability via unknown vectors related to Server : Security : Privileges. (CVE-2015-2568)

Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer. (CVE-2015-2571)

Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. (CVE-2015-2573)

From the openSUSE advisory:

Lack of filtering in the title parameter of links to rrdPlugin allowed cross-site-scripting (XSS) attacks against users of the web interface.

From the Red Hat advisory:

A denial of service flaw was found in the way OpenStack Compute (nova) looked up VM instances based on an IP address filter. An attacker with sufficient privileges on an OpenStack installation with a large amount of VMs could use this flaw to cause the main nova process to block for an extended amount of time. (CVE-2014-3708)

A flaw was found in the OpenStack Compute (nova) VMWare driver, which could allow an authenticated user to delete an instance while it was in the resize state, causing the instance to remain on the back end. A malicious user could use this flaw to cause a denial of service by exhausting all available resources on the system. (CVE-2014-8333)

From the Red Hat advisory:

A flaw was found in the metadata constraints in OpenStack Object Storage (swift). By adding metadata in several separate calls, a malicious user could bypass the max_meta_count constraint, and store more metadata than allowed by the configuration. (CVE-2014-7960)

* Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries.

* When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute automatically during "make test".

* Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process.

* Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious module so that they would load from the '.' path in @INC.

From the Arch Linux advisory:

The vulnerability can be triggered when parsing a PHAR file at phar.c:623. The "buf_len" is obtained from the phar file and passed into php_var_unserialize() as the max argument. Under normal php_var_unserialize() circumstances, YYCURSOR will always be <= max. This however can be bypassed when processing a malform phar with a buf_len that is shorter then the string to be unserialized resulting in a memory info leak.

It was discovered that PHP incorrectly handled cleanup when used with Apache 2.4. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-3330)

It was discovered that PHP incorrectly handled opening tar, zip or phar archives through the PHAR extension. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-3329)

- Update to 2.5.11

- security fix for CVE-2015-2308 and CVE-2015-2309

Bug Fixes

• #2941, allow geography columns with SRID other than 4326
• #3069, small objects getting inappropriately fluffed up w/ boxes
• #3068, Have postgis_typmod_dims return NULL for unconstrained dims
• #3061, Allow duplicate points in JSON, GML, GML ST_GeomFrom* functions
• #3058, Fix ND-GiST picksplit method to split on the best plane
• #3052, Make operators <-> and <#> available for PostgreSQL < 9.1
• #3045, Fix dimensionality confusion in &&& operator
• #3016, Allow unregistering layers of corrupted topologies
• #3015, Avoid exceptions from TopologySummary
• #3020, ST_AddBand out-db bug where height using width value
• #3031, Allow restore of Geometry(Point) tables dumped with empties in them

Emanuele Rocca discovered that ppp, a daemon implementing the Point-to-Point Protocol, was subject to a buffer overflow when communicating with a RADIUS server. This would allow unauthenticated users to cause a denial-of-service by crashing the daemon.

Patched an issue where mod_copy allowed unauthenticated copying of files via SITE CPFR/CPTO.

The mirroring support (-M, --use-mirrors) was implemented without any sort of authenticity checks and is downloaded over plaintext HTTP. Further more by default it will dynamically discover the list of available mirrors by querying a DNS entry and extrapolating from that data. It does not attempt to use any sort of method of securing this querying of the DNS like DNSSEC. Software packages are downloaded over these insecure links, unpacked, and then typically the setup.py python file inside of them is executed.

Fixed issues with BMP, ICO, and GIF handling that could lead to a denial of service or the execution of arbitrary code when processing malformed images.

It was reported that the OAuth implementation in librest, a helper library for RESTful services part of the GNOME project, incorrectly truncates the pointer returned by the rest_proxy_call_get_url function call, leading to an application crash, or worse.

REST Client for Ruby contains a flaw that is due to the application logging password information in plaintext. This may allow a local attacker to gain access to password information.

A vulnerability was discovered in print-wb.c that is leading to a segmentation fault triggered through feeding into tcpdump a crafted packet, either from a live network interface or from a .pcap file.

A remote attacker is able to send specially crafted packets to cause a segmentation fault leading to denial of service.