Security

A flaw was found in the way Red Hat Directory Server performed authorization of modrdn operations. An unauthenticated attacker able to issue an ldapmodrdn call to the directory server could use this flaw to perform unauthorized modifications of entries in the directory server. (CVE-2015-1854)

The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password.

- CVE-2015-1243 (use-after-free): Use-after-free in DOM. Credit to Saif El-Sherei.

- CVE-2015-1250: Various fixes from internal audits, fuzzing and other initiatives.

Dovecot <= 2.2.14 does not correctly handle SSL/TLS handshake failure in the login process, asking OpenSSL to flush a connection that has already been aborted. This results in a crash with some versions of OpenSSL (most likely >= 1.0.2).

Linux kernel built with the IPv6 networking support(CONFIG_IPV6) is vulnerable to setting its 'hop_limit' too low, via the neighbour discovery protocol. It could result in thwarting the IPv6 functionality. An unprivileged user on a local network could use this flaw to cause DoS to a remote system.

CVE-2014-9715: It was found that the netfilter connection tracking subsystem used too small a type as an offset within each connection's data structure, following a bug fix in Linux 3.2.33 and 3.6. In some configurations, this would lead to memory corruption and crashes (even without malicious traffic). This could potentially also result in violation of the netfilter policy or remote code execution.

This can be mitigated by disabling connection tracking accounting: sysctl net.netfilter.nf_conntrack_acct=0

CVE-2015-2830: Andrew Lutomirski discovered that when a 64-bit task on an amd64 kernel makes a fork(2) or clone(2) system call using int $0x80, the 32-bit compatibility flag is set (correctly) but is not cleared on return. As a result, both seccomp and audit will misinterpret the following system call by the task(s), possibly leading to a violation of security policy.

CVE-2015-3331: Stephan Mueller discovered that the optimised implementation of RFC4106 GCM for x86 processors that support AESNI miscalculated buffer addresses in some cases. If an IPsec tunnel is configured to use this mode (also known as AES-GCM-ESP) this can lead to memory corruption and crashes (even without malicious traffic). This could potentially also result in remote code execution.

CVE-2015-3332: Ben Hutchings discovered that the TCP Fast Open feature regressed in Linux 3.16.7-ckt9, resulting in a kernel BUG when it is used. This can be used as a local denial of service.

CVE-2015-3339: It was found that the execve(2) system call can race with inode attribute changes made by chown(2). Although chown(2) clears the setuid/setgid bits of a file if it changes the respective owner ID, this race condition could result in execve(2) setting effective uid/gid to the new owner ID, a privilege escalation.

From the Mageia bug report:

Now returns an error instead of terminating the process for certain bad BER encodings.

It was discovered that missing input sanitising in Libreoffice's filter for HWP documents may result in the execution of arbitrary code if a malformed document is opened.

Tavis Ormandy discovered that NetworkManager incorrectly filtered paths when requested to read modem device contexts. A local attacker could possibly use this issue to bypass privileges and manipulate modem device configuration or read arbitrary files.

A flaw was found in the way the ntp-keygen utility generated MD5 symmetric keys on big-endian systems. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server.

If the lowest byte of the temp variable is outside of the printable characters range (between 0x20 and 0x7f), the ntp-keygen utility enters an infinite loop. However, if the temp variable is within the aforementioned range, the generated MD5 key will consist of 20 identical characters, meaning only 93 possible keys can be generated.

A use-after-free was discovered in the file picker implementation. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program.

From the Arch Linux advisory:

A bug was discovered in our label decompression code, making it possible for names to refer to themselves, thus causing a loop during decompression. This loop is capped at a 1000 iterations by a failsafe, making the issue harmless on most platforms. However, on specific platforms, the recursion involved in these 1000 steps causes memory corruption leading to a quick crash, presumably because the default stack is too small.

Remote attackers could cause a denial of service using specially crafted image files via IcnsImagePlugin

[ 1 ] Bug #1212353 - sqlite: use of uninitialized memory when parsing collation sequences in src/where.c https://bugzilla.redhat.com/show_bug.cgi?id=1212353
[ 2 ] Bug #1212356 - sqlite: invalid free() in src/vdbe.c https://bugzilla.redhat.com/show_bug.cgi?id=1212356
[ 3 ] Bug #1212357 - sqlite: stack buffer overflow in src/printf.c https://bugzilla.redhat.com/show_bug.cgi?id=1212357

According to the Mageia bug report, t1utils prior to version 1.39 was subject to three separate bugs that could result in a denial of service: a buffer overrun, an infinite loop, and a stack overflow in t1disasm.

From the Ubuntu advisory:

Tavis Ormandy discovered that usb-creator was missing an authentication check. A local attacker could use this issue to gain elevated privileges.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.

We also fixed three other security issues:

• In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
• In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
• Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

From the Ubuntu advisory:

It was discovered that wpa_supplicant incorrectly handled SSID information when creating or updating P2P peer entries. A remote attacker could use this issue to cause wpa_supplicant to crash, resulting in a denial of service, expose memory contents, or possibly execute arbitrary code.

Cross-site scripting (XSS) vulnerability in the administrator panel in Yourls 1.7 allows remote attackers to inject arbitrary web script or HTML via a URL that is processed by the Shorten functionality.