
Security

Proprietary vulnerabilities

By Jake Edge
August 12, 2015

A recent—and recently deleted—blog post (still available courtesy of the Wayback Machine) demonstrates some rather eye-opening opinions on how some view their customers' efforts to find and report security holes. In the almost comically inept post, Oracle's Chief Security Officer Mary Ann Davidson admonishes customers not to try to "reverse engineer" Oracle's code to find security bugs. It is an attitude that is perhaps common in the proprietary world, but is diametrically opposed to standard practice in free-software communities.

The crux of Davidson's complaint is about customers that disregard Oracle's licensing terms and run various kinds of analysis tools against the sacred binaries. That leads to reports of vulnerabilities, most of which are likely false positives, she said. Oracle evidently tries to make it difficult for customers to report these kinds of bugs by requiring separate service requests for each issue, along with a proof-of-concept attack to document it.

It is unquestionably true that there are lots of false positives from these kinds of tools, so it is not surprising or unreasonable that Oracle might be unwilling to just take a raw report. But the company evidently goes further than that:

If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision such as: "Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs..." which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.

Davidson's tone throughout the post is dismissive and condescending, which doesn't help. She suggests that customers should essentially just trust Oracle to ensure the security of the software it ships. After all, Oracle and other large organizations have assurance programs and certifications that provide "Good Housekeeping seals" to show that they have "good code". Exactly how certifications such as Common Criteria and FIPS-140 ensure good code is left as an exercise for the reader (and the Oracle customer).

Evidently there has been an upswing in the number of these kinds of reports recently, which is why Davidson wanted to address the issue. She noted that third parties cannot actually analyze the source code, so it is largely a waste of time for customers to look for these kinds of problems:

I do not need you to analyze the code since we already do that, it’s our job to do that, we are pretty good at it, we can – unlike a third party or a tool – actually analyze the code to determine what’s happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code.

She continued with something of a non-lawyer FAQ about Oracle's license agreement and the evils of reverse engineering its code. It makes it clear that Oracle is actively hostile to its customers (or anyone else) finding bugs in its code if they have to resort to reverse engineering (which is rather loosely defined). The final question does acknowledge that others with "bad motives" may be ignoring the license agreement and doing pretty much any kind of analysis they want—probably without sharing the results with the company. To Davidson, though, the existence of these "cheaters" does not make it any more reasonable for those with "good motives" to follow suit.

No matter what the reason or the outcome—even if real bugs are found—reverse engineering is bad, mmmkay?

It would seem that Davidson went a bit too far, since the blog post was pulled a day or so after it was posted on August 10. Ars Technica reported that Oracle Executive Vice President and Chief Corporate Architect Edward Screven made an email statement about the removal: "We removed the post as it does not reflect our beliefs or our relationship with our customers." As that article notes, the statement is missing some important information: "Just how Oracle's chief security officer fell out of alignment with Oracle's core beliefs and managed to spread her heretic thoughts on customers was not addressed."

There are other posts by Davidson on her blog that have not been removed and show similar attitudes, so the post in question hardly comes completely out of left field. This particular piece may have just been over the top—or perhaps it simply had a much higher profile than the others. The company may not have liked how it came off looking based on that post, but it can't really complain too much, since much of what she said is certainly true.

In fact, as free-software users know, proprietary licenses restrict a whole raft of activities that are useful for security—or simply to add unanticipated features. Looking inside the code, running static and dynamic analysis, and finding bugs therein is all part of the "value proposition" for free software. Davidson actually makes the case—presumably unintentionally—for using free software rather than some proprietary tool. There is very little that a bad actor can do to a free-software package that those with good intentions can't also do—legally, and without worrying about a visit from Oracle's (or anyone else's) lawyers.

Some free-software projects even proactively invite security researchers to scrutinize their code—or even to reverse engineer it. In addition, while the number of false positives is quite high, plenty of bugs have been found and fixed in open-source projects using tools like Coverity Scan. It would seem that even companies that want to strongly defend their code copyrights might be interested in any bugs that are found, regardless of the methods used to find them. Some companies do seem to have that attitude, which is generally shared by free-software projects, but others, Oracle seemingly among them, are willing to throw the baby out with the bathwater.

Comments (23 posted)

Brief items

Security quotes of the week

Email will probably be the last to go, when the last user of it finally gives up and moves to gmail so they can continue to communicate with their contacts, or maybe they give up entirely. RSS (an open content syndication protocol on top of HTTP, which I think is a nice way to illustrate that it is possible to use HTTP as a layer and play nice at the same time) is already an endangered species, XMPP support is slowly but surely being removed (just imagine a phone system where every number you call may require a different telephone), NNTP has been ‘mostly dead’ for years (though it still has some use, the real replacement of Usenet for discussion purposes appears to be Reddit and mailing lists) and so on. The only protocols that are developed nowadays that are open are typically related to plumbing (moving bits of data around), not application-level protocols which determine how a whole class of applications around a similar theme can talk to each other.
Jacques Mattheij

All manner of videos were (as required by law) blocked by Vimeo on the basis of those takedown orders, including totally and utterly unrelated materials that had committed the "crime" of ever using the word "pixels" in their titles -- and (ironically) even the trailer for Sandler's movie [Pixels] itself.

Thank goodness the producers of the various films named "She" over the years didn't try this stunt. Or how about a [movie] titled "The" for real chuckles?

The impact of such takedown abuse is indeed the Internet equivalent of saturation bombing -- with no consideration given to the innocent parties who will be affected, and in the case of the DMCA, then have to find the time and money to fight back against this abuse -- simply to get their videos back on the Net.

Lauren Weinstein

From the beginning of time until very recently, this was the only situation that could have occurred. Objects in the vicinity of an event were largely mute about the past. Few things, save for eyewitnesses, could ever reach back in time and produce evidence. Even 15 years ago, the victim's cell phone would have had no evidence on it that couldn't have been obtained elsewhere, and that's if the victim had been carrying a cell phone at all.

For most of human history, surveillance has been expensive. Over the last couple of decades, it has become incredibly cheap and almost ubiquitous. That a few bits and pieces are becoming expensive again isn't a cause for alarm.

Bruce Schneier

Comments (1 posted)

Privacy Badger 1.0

The Electronic Frontier Foundation has announced the 1.0 release of the Privacy Badger browser extension. "As you browse the Web, Privacy Badger looks at any third party domains that are loaded on a given site and determines whether or not they appear to be tracking you (e.g. by setting cookies that could be used for tracking, or fingerprinting your browser). If the same third party domain appears to be tracking you on three or more different websites, Privacy Badger will conclude that the third party domain is a tracker and block future connections to it." The extension is distributed under GPLv3; see this page for more information.

Comments (19 posted)

An active Firefox exploit

Mozilla has posted a warning about a Firefox vulnerability that is currently being actively exploited on the net. "The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the 'same origin policy') and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files." There is a security update for the problem.

Comments (73 posted)

New vulnerabilities

activemq: denial of service

Package(s):activemq CVE #(s):CVE-2014-3576 CVE-2014-3612 CVE-2014-3600
Created:August 10, 2015 Updated:August 12, 2015
Description: From the Debian advisory:

It was discovered that the Apache ActiveMQ message broker is susceptible to denial of service through an undocumented, remote shutdown command.

Alerts:
Debian DSA-3330-1 activemq 2015-08-07

Comments (none posted)

community-mysql: unspecified vulnerabilities

Package(s):community-mysql CVE #(s):
Created:August 10, 2015 Updated:August 12, 2015
Description: Latest upstream release, 5.6.25, fixes unspecified vulnerabilities.
Alerts:
Fedora FEDORA-2015-12570 community-mysql 2015-08-10
Fedora FEDORA-2015-12544 community-mysql 2015-08-10

Comments (none posted)

devscripts: two vulnerabilities

Package(s):devscripts CVE #(s):CVE-2015-5705 CVE-2015-5704
Created:August 12, 2015 Updated:August 12, 2015
Description: From the Red Hat bugzilla:

1249635 (CVE-2015-5704): In scripts/licensecheck.pl, there is executed code that is vulnerable to shell command injection via shell metacharacters in the filename.

my $mime = `file --brief --mime --dereference $file`;

1249645 (CVE-2015-5705): In scripts/licensecheck.pl, there is a code segment vulnerable to argument injection.

my $mime = `file --brief --mime --dereference $file`;
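As an added illustration (not code from devscripts or the bug reports), the Python below mirrors the backtick call above: the vulnerable form interpolates the name into one shell string, which is what makes both the metacharacter and the option-injection cases possible, while the hardened form passes an argv list with no shell and a `--` separator. The sample filenames are constructed.

```python
import shlex
import subprocess

# Constructed sample filenames (not from the bug reports); the original
# backtick call would accept both without complaint.
SHELL_META_NAME = "notes; id; .txt"   # shell metacharacters: CVE-2015-5704 class
OPTION_LIKE_NAME = "--version"        # option-looking name: CVE-2015-5705 class

FILE_ARGS = ["file", "--brief", "--mime", "--dereference"]


def vulnerable_command(filename):
    """Equivalent of the licensecheck.pl backtick: the name is pasted into one
    string that /bin/sh parses, so metacharacters in it become shell syntax."""
    return " ".join(FILE_ARGS) + " " + filename


def shell_tokens(command):
    """Split a command the way a POSIX shell would (';' becomes its own
    token), to show what the interpolated string turns into."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def safe_argv(filename):
    """Hardened form: an argv list (no shell involved at all) plus '--', so a
    name beginning with '-' is always an operand and never an option."""
    return FILE_ARGS + ["--", filename]


def mime_type(filename):
    """Run the hardened command. Returns the MIME string, or None when the
    'file' utility is not installed on this machine."""
    try:
        result = subprocess.run(safe_argv(filename), capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    # The vulnerable string yields a second command ('id') after the ';'.
    print(shell_tokens(vulnerable_command(SHELL_META_NAME)))
    # The safe argv keeps '--version' as a filename, not an option.
    print(safe_argv(OPTION_LIKE_NAME))
    print(mime_type(__file__))
```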

Alerts:
Fedora FEDORA-2015-12716 devscripts 2015-08-12
Fedora FEDORA-2015-12699 devscripts 2015-08-12

Comments (none posted)

drupal6-cck: unspecified vulnerability

Package(s):drupal6-cck CVE #(s):
Created:August 7, 2015 Updated:August 12, 2015
Description: Version drupal7-feeds-2.0-alpha9 fixes unspecified vulnerabilities.
Alerts:
Fedora FEDORA-2015-12028 drupal6-cck 2015-08-07
Fedora FEDORA-2015-12037 drupal6-cck 2015-08-07

Comments (none posted)

elasticsearch: two vulnerabilities

Package(s):elasticsearch CVE #(s):CVE-2015-5377 CVE-2015-5531
Created:August 11, 2015 Updated:August 12, 2015
Description: From the Elasticsearch 1.7.0 and 1.6.1 release announcement:

Remote code execution vulnerability

Elasticsearch versions prior to 1.6.1 are vulnerable to an engineered attack on its transport protocol (used for communication between nodes and Java clients) that enables remote code execution. This issue is related to the Groovy announcement in CVE-2015-3253.

Deployments are vulnerable even when Groovy dynamic scripting is disabled. Users that do not want to upgrade can address the vulnerability by securing the transport protocol port (default 9300) to allow access by only trusted agents. We have been assigned CVE-2015-5377 for this issue.

Directory traversal vulnerability

Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack that allows an attacker to retrieve files that are readable by the Elasticsearch JVM process. Users that do not wish to upgrade can use a firewall, reverse proxy, or Shield to prevent Snapshot-Restore API calls from untrusted sources. We have been assigned CVE-2015-5531 for this issue.

Alerts:
Fedora FEDORA-2015-12031 elasticsearch 2015-08-11

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2015-4474 CVE-2015-4477 CVE-2015-4482 CVE-2015-4483 CVE-2015-4490
Created:August 12, 2015 Updated:March 28, 2016
Description: From the Arch Linux advisory:

- CVE-2015-4474 (Memory safety bugs fixed in Firefox 40): Tyson Smith, Bobby Holley, Chris Coulson, Byron Campen, and Eric Rahm reported memory safety problems and crashes that affect Firefox 39.

- CVE-2015-4477 (MediaStream use-after-free): Security researcher SkyLined reported a use-after-free issue in how audio is handled through the Web Audio API during MediaStream playback through interactions with the Web Audio API. This results in a potentially exploitable crash.

- CVE-2015-4482 (Out of bounds write in mar_read.c): Security researcher Holger Fuhrmannek reported that if the Updater opens a MAR format file with a specially crafted name, an out-of-bounds write will occur. This can lead to a potentially exploitable crash but requires that the malicious MAR format file be present on the local system and the Updater to be run to use it.

- CVE-2015-4483 (feed: protocol + POST method => mixed scripting): Security researcher Masato Kinugawa reported that opening a target page using a POST to the url prefixed with the feed: protocol disables the mixed content blocker for that page. This could allow for the risk of a man-in-the-middle (MITM) scripting attack on pages that accidentally include insecure content which would otherwise be blocked.

- CVE-2015-4490 (Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification): Mozilla security engineer Christoph Kerschbaumer reported a discrepancy in Mozilla's implementation of Content Security Policy and the CSP specification. The specification states that blob:, data:, and filesystem: URLs should be excluded in case of a wildcard when matching source expressions but Mozilla's implementation allows these in the case of an asterisk wildcard. This could allow for more permissive CSP usage than expected by a web developer, possibly allowing for cross-site scripting (XSS) attacks.
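To make the CSP discrepancy concrete, here is an added Python model of source-expression matching (not Mozilla's code): per the specification a bare `*` does not admit blob:, data: or filesystem: URLs, while the `per_spec=False` path reproduces the permissive behaviour the advisory describes. Keyword sources such as `'self'` and port matching are left out of the model (an assumption), and the URLs are constructed.

```python
from urllib.parse import urlsplit

# Schemes the CSP specification excludes from a bare '*' source expression:
# they are only allowed when listed explicitly (e.g. "img-src * data:").
LOCAL_SCHEMES = {"blob", "data", "filesystem"}


def _host_matches(pattern, host):
    """Host part of a host-source: '*' (any host), '*.example.com'
    (subdomains only), or an exact host name."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_matches(expr, url, per_spec=True):
    """Decide whether one CSP source expression admits `url`.

    per_spec=True applies the specification's rule for '*'; per_spec=False
    reproduces the permissive behaviour in which '*' also admitted blob:,
    data: and filesystem: URLs. Keyword sources and ports are not modelled
    (assumption of this example).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if expr == "*":
        return (not per_spec) or scheme not in LOCAL_SCHEMES
    if expr.endswith(":"):                      # scheme-source, e.g. "data:"
        return scheme == expr[:-1].lower()
    if "://" in expr:                           # "https://cdn.example.net"
        expr_scheme, _, host_pattern = expr.partition("://")
        if scheme != expr_scheme.lower():
            return False
    else:                                       # "cdn.example.net"
        host_pattern = expr
    return _host_matches(host_pattern.lower(), (parts.hostname or "").lower())


def policy_allows(source_list, url, per_spec=True):
    """Evaluate a directive's source list such as "'self' * data:": the URL
    is allowed if any non-keyword expression matches it."""
    return any(source_matches(e, url, per_spec)
               for e in source_list.split() if not e.startswith("'"))


# Constructed URLs for the demonstration.
SCRIPT_URL = "https://cdn.example.net/app.js"
DATA_URL = "data:text/javascript,console.log(1)"
BLOB_URL = "blob:https://app.example.com/4f2a-constructed"

if __name__ == "__main__":
    for sources in ("*", "* data:"):
        for url in (SCRIPT_URL, DATA_URL, BLOB_URL):
            print("script-src %-8s %-45s spec=%-5s permissive=%s" % (
                sources, url,
                policy_allows(sources, url),
                policy_allows(sources, url, per_spec=False)))
```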

Alerts:
Gentoo 201605-06 nss 2016-05-31
openSUSE openSUSE-SU-2016:0894-1 thunderbird 2016-03-26
openSUSE openSUSE-SU-2016:0876-1 thunderbird 2016-03-24
Mageia MGASA-2016-0105 firefox 2016-03-09
SUSE SUSE-SU-2015:2081-1 firefox 2015-11-23
Mageia MGASA-2015-0414 iceape/sqlite3 2015-10-27
Ubuntu USN-2702-3 firefox 2015-08-20
Ubuntu USN-2702-2 ubufox 2015-08-11
Ubuntu USN-2702-1 firefox 2015-08-11
Arch Linux ASA-201508-4 firefox 2015-08-12
SUSE SUSE-SU-2015:1476-1 firefox, nss 2015-09-02
SUSE SUSE-SU-2015:1449-1 MozillaFirefox, mozilla-nss 2015-08-28

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2015-4473 CVE-2015-4475 CVE-2015-4478 CVE-2015-4479 CVE-2015-4480 CVE-2015-4484 CVE-2015-4485 CVE-2015-4486 CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 CVE-2015-4491 CVE-2015-4492 CVE-2015-4493
Created:August 12, 2015 Updated:February 29, 2016
Description: From the Red Hat advisory:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.

Alerts:
Gentoo 201605-06 nss 2016-05-31
Debian-LTS DLA-434-1 gtk+2.0 2016-02-27
Gentoo 201512-05 gdk-pixbuf 2015-12-21
Debian DSA-3337-2 gdk-pixbuf 2015-12-17
SUSE SUSE-SU-2015:2081-1 firefox 2015-11-23
CentOS CESA-2015:1682 thunderbird 2015-08-25
Ubuntu USN-2712-1 thunderbird 2015-08-25
Scientific Linux SLSA-2015:1682-1 thunderbird 2015-08-25
Red Hat RHSA-2015:1682-01 thunderbird 2015-08-25
Ubuntu USN-2702-3 firefox 2015-08-20
Debian DSA-3337-1 gdk-pixbuf 2015-08-18
Mageia MGASA-2015-0313 gdk-pixbuf2.0 2015-08-13
Ubuntu USN-2702-2 ubufox 2015-08-11
Ubuntu USN-2702-1 firefox 2015-08-11
Scientific Linux SLSA-2015:1586-1 firefox 2015-08-11
Oracle ELSA-2015-1586 firefox 2015-08-11
Mageia MGASA-2015-0312 firefox 2015-08-11
Debian DSA-3333-1 iceweasel 2015-08-12
CentOS CESA-2015:1586 firefox 2015-08-12
CentOS CESA-2015:1586 firefox 2015-08-11
Arch Linux ASA-201508-4 firefox 2015-08-12
Red Hat RHSA-2015:1586-01 firefox 2015-08-11
openSUSE openSUSE-SU-2015:1500-1 gdk-pixbuf 2015-09-07
CentOS CESA-2015:1694 gdk-pixbuf2 2015-09-01
Mageia MGASA-2015-0330 thunderbird 2015-08-27
Oracle ELSA-2015-1694 gdk-pixbuf2 2015-08-31
Slackware SSA:2015-241-01 firefox 2015-08-28
Fedora FEDORA-2015-13926 gdk-pixbuf2 2015-09-06
Slackware SSA:2015-244-01 gdk 2015-09-01
SUSE SUSE-SU-2015:1449-1 MozillaFirefox, mozilla-nss 2015-08-28
Fedora FEDORA-2015-14010 mingw-gdk-pixbuf 2015-09-06
Fedora FEDORA-2015-14011 mingw-gdk-pixbuf 2015-09-06
Fedora FEDORA-2015-13925 gdk-pixbuf2 2015-09-06
SUSE SUSE-SU-2015:1476-1 firefox, nss 2015-09-02
CentOS CESA-2015:1694 gdk-pixbuf2 2015-08-31
Scientific Linux SLSA-2015:1694-1 gdk-pixbuf2 2015-08-31
Red Hat RHSA-2015:1694-01 gdk-pixbuf2 2015-08-31
Ubuntu USN-2722-1 gdk-pixbuf 2015-08-26
Oracle ELSA-2015-1682 thunderbird 2015-08-25

Comments (none posted)

gnutls: denial of service

Package(s):gnutls28 CVE #(s):CVE-2015-6251
Created:August 12, 2015 Updated:September 12, 2016
Description: From the Debian advisory:

Kurt Roeckx discovered that decoding a specific certificate with very long DistinguishedName (DN) entries leads to double free. A remote attacker can take advantage of this flaw by creating a specially crafted certificate that, when processed by an application compiled against GnuTLS, could cause the application to crash resulting in a denial of service.

Alerts:
Slackware SSA:2016-254-01 gnutls 2016-09-10
Arch Linux ASA-201508-8 gnutls 2015-08-25
Slackware SSA:2015-233-01 gnutls 2015-08-21
Fedora FEDORA-2015-13168 gnutls 2015-08-18
Fedora FEDORA-2015-13140 gnutls 2015-08-13
Mageia MGASA-2015-0322 gnutls 2015-08-25
Debian DSA-3334-1 gnutls28 2015-08-12
openSUSE openSUSE-SU-2015:1499-1 gnutls 2015-09-07
Ubuntu USN-2727-1 gnutls28 2015-09-01

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2015-5697 CVE-2015-5706 CVE-2015-5707
Created:August 7, 2015 Updated:September 29, 2015
Description: From the Debian advisory:

CVE-2015-5697: A flaw was discovered in the md driver in the Linux kernel leading to an information leak.

CVE-2015-5706: A user-triggerable use-after-free vulnerability in path lookup in the Linux kernel could potentially lead to privilege escalation.

CVE-2015-5707: An integer overflow in the SCSI generic driver in the Linux kernel was discovered. A local user with write permission on a SCSI generic device could potentially exploit this flaw for privilege escalation.

Alerts:
openSUSE openSUSE-SU-2016:0301-1 kernel 2016-02-01
Mageia MGASA-2016-0015 kernel-tmb 2016-01-14
SUSE SUSE-SU-2016:0785-1 kernel 2016-03-16
SUSE SUSE-SU-2016:0585-1 kernel 2016-02-25
SUSE SUSE-SU-2015:2086-1 linux-3.12.44 2015-11-24
SUSE SUSE-SU-2015:2087-1 linux-3.12.44 2015-11-24
SUSE SUSE-SU-2015:2084-1 linux-3.12.43 2015-11-24
SUSE SUSE-SU-2015:2090-1 linux-3.12.38 2015-11-24
SUSE SUSE-SU-2015:2085-1 linux-3.12.39 2015-11-24
SUSE SUSE-SU-2015:2091-1 linux-3.12.36 2015-11-24
SUSE SUSE-SU-2015:2089-1 linux-3.12.32 2015-11-24
Oracle ELSA-2015-3098 kernel 3.8.13 2015-11-13
openSUSE openSUSE-SU-2015:1842-1 kernel 2015-10-29
Ubuntu USN-2777-1 linux-lts-utopic 2015-10-19
SUSE SUSE-SU-2015:1727-1 kernel-source 2015-10-13
Mageia MGASA-2015-0390 kernel-linus 2015-10-09
Ubuntu USN-2760-1 linux-ti-omap4 2015-10-01
Ubuntu USN-2759-1 kernel 2015-10-01
Mageia MGASA-2015-0386 kernel 2015-09-30
Ubuntu USN-2751-1 linux-lts-vivid 2015-09-29
Ubuntu USN-2750-1 linux-lts-utopic 2015-09-29
Ubuntu USN-2749-1 linux-lts-trusty 2015-09-29
Ubuntu USN-2748-1 kernel 2015-09-28
Ubuntu USN-2752-1 kernel 2015-09-29
SUSE SUSE-SU-2015:1611-1 kernel 2015-09-23
SUSE SUSE-SU-2015:1592-1 kernel 2015-09-22
Debian-LTS DLA-310-1 linux-2.6 2015-09-21
Fedora FEDORA-2015-13396 kernel 2015-08-19
Fedora FEDORA-2015-13391 kernel 2015-08-19
Fedora FEDORA-2015-12917 kernel 2015-08-12
Fedora FEDORA-2015-12908 kernel 2015-08-12
Oracle ELSA-2015-3068 kernel 2.6.32 2015-08-06
Oracle ELSA-2015-3067 kernel 2.6.39 2015-08-06
Oracle ELSA-2015-3066 kernel 3.8.13 2015-08-06
Debian DSA-3329-1 kernel 2015-08-07
Ubuntu USN-2731-1 kernel 2015-09-03
SUSE SUSE-SU-2015:1478-1 kernel 2015-09-02
Ubuntu USN-2737-1 linux-lts-vivid 2015-09-08
Ubuntu USN-2738-1 kernel 2015-09-08
Ubuntu USN-2733-1 linux-lts-trusty 2015-09-03
Ubuntu USN-2734-1 kernel 2015-09-03
Ubuntu USN-2732-1 linux-ti-omap4 2015-09-03

Comments (none posted)

lighttpd: log injection

Package(s):lighttpd CVE #(s):CVE-2015-3200
Created:August 7, 2015 Updated:September 8, 2015
Description: From the Red Hat bugzilla:

A flaw was found in Lighttpd:

When the basic HTTP authentication base64 string does not contain a colon character (or contains it only after a NULL byte, which can be inserted inside the base64 encoding), that situation is logged with the string ": is missing in " and the simply decoded base64 string. This means that newlines, NULL bytes and everything else can be encoded with base64 and are then inserted into the logs as they are after decoding.
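The following Python is an added example (not lighttpd's code) of the two ingredients of this bug: splitting the credential the way C string handling does, so a colon hidden behind a NUL byte does not count, and escaping the decoded bytes before they reach the log so an embedded newline cannot forge a record. The Authorization values are constructed.

```python
import base64
import binascii

# Constructed 'Basic' credential payloads (the base64 part of the header).
GOOD = base64.b64encode(b"alice:s3cret").decode()
# No colon, plus a newline followed by a forged log record.
FORGED = base64.b64encode(b"bob\n127.0.0.1 - admin [login ok]").decode()
# Colon present, but only after a NUL byte; C's strchr() never reaches it.
NUL_COLON = base64.b64encode(b"carol\x00:hidden").decode()


def decode_basic(value):
    """Strictly decode the base64 payload; returns bytes or None."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def split_credentials(raw):
    """Split user:password on the first colon, treating a NUL byte as the end
    of the string as C code would. Returns (user, password) or None."""
    c_view = raw.split(b"\x00", 1)[0]
    if b":" not in c_view:
        return None
    user, _, password = c_view.partition(b":")
    return user, password


def log_safe(raw):
    """Render untrusted bytes for a log line: printable ASCII passes through,
    everything else (newline, NUL, non-ASCII, backslash) becomes \\xNN."""
    out = []
    for b in raw:
        if 0x20 <= b < 0x7F and b != 0x5C:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def auth_log_line(value):
    """The diagnostic a server would write for a malformed credential, with
    the decoded string escaped instead of copied verbatim into the log."""
    raw = decode_basic(value)
    if raw is None:
        return "auth: invalid base64"
    if split_credentials(raw) is None:
        return ": is missing in " + log_safe(raw)
    return "auth: ok"


if __name__ == "__main__":
    for value in (GOOD, FORGED, NUL_COLON):
        print(repr(auth_log_line(value)))
```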

Alerts:
Fedora FEDORA-2015-12250 lighttpd 2015-08-07
Fedora FEDORA-2015-12252 lighttpd 2015-08-07
Mageia MGASA-2015-0338 lighttpd 2015-09-08

Comments (none posted)

mantis: information disclosure

Package(s):mantis CVE #(s):CVE-2015-5059
Created:August 7, 2015 Updated:August 12, 2015
Description: From the Red Hat bugzilla:

In MantisBT, the "Project Documentation" feature can be used to attach files to a project. When this feature is enabled ($g_enable_project_documentation = ON) and the threshold to view these files is left to its default value ($g_view_proj_doc_threshold = ANYBODY), any registered user in the system can download every such attachment, including those which are linked to private projects to which the user does not have access. This can be achieved by calling the download script directly, and specifying the ID of the file to download.

Alerts:
Fedora FEDORA-2015-12010 mantis 2015-08-07
Fedora FEDORA-2015-12011 mantis 2015-08-07

Comments (none posted)

mozilla: information leak

Package(s):firefox thunderbird seamonkey CVE #(s):CVE-2015-4495
Created:August 7, 2015 Updated:September 2, 2015
Description: From the Arch Linux advisory:

Security researcher Cody Crews reported on a way to violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim's computer.

Mozilla has received reports that an exploit based on this vulnerability has been found in the wild.

A remote attacker can craft a malicious web page stealing arbitrary files from the host running firefox. Mozilla reports that this flaw is already exploited in the wild. At least one exploit is targeting Linux and reads /etc/passwd, then in all the user directories it can access looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts.

Alerts:
Gentoo 201512-10 firefox 2015-12-30
SUSE SUSE-SU-2015:1380-1 firefox 2015-08-13
SUSE SUSE-SU-2015:1379-1 firefox 2015-08-13
Slackware SSA:2015-219-02 nss 2015-08-07
Slackware SSA:2015-219-01 firefox 2015-08-07
Scientific Linux SLSA-2015:1581-1 firefox 2015-08-08
Oracle ELSA-2015-1581 firefox 2015-08-08
Oracle ELSA-2015-1581 firefox 2015-08-07
Mageia MGASA-2015-0305 firefox 2015-08-07
Fedora FEDORA-2015-13007 firefox 2015-08-08
Fedora FEDORA-2015-13010 firefox 2015-08-08
CentOS CESA-2015:1581 firefox 2015-08-08
Red Hat RHSA-2015:1581-01 firefox 2015-08-07
Ubuntu USN-2707-1 firefox 2015-08-07
Arch Linux ASA-201508-1 firefox 2015-08-07
SUSE SUSE-SU-2015:1449-1 MozillaFirefox, mozilla-nss 2015-08-28
SUSE SUSE-SU-2015:1476-1 firefox, nss 2015-09-02

Comments (none posted)

opensaml-java: missing host name verification

Package(s):opensaml-java CVE #(s):CVE-2014-3603
Created:August 7, 2015 Updated:August 12, 2015
Description: From the Red Hat bugzilla:

It was discovered that HttpResource and FileBackedHttpResource implementations in OpenSAML Java and Shibboleth IdP did not enable hostname verification when using TLS connections. Additionally, OpenSAML Java makes use of Jakarta Commons HttpClient version 3.x, which does not perform verification of the server hostname against the server's X.508 certificate (CVE-2012-5783). This flaw can be exploited by a Man-in-the-middle (MITM) attack, where the attacker can spoof a valid certificate using a specially crafted subject.

Alerts:
Fedora FEDORA-2015-10175 opensaml-java-openws 2015-08-07
Fedora FEDORA-2015-10235 opensaml-java-openws 2015-08-07
Fedora FEDORA-2015-10175 opensaml-java 2015-08-07
Fedora FEDORA-2015-10235 opensaml-java 2015-08-07

Comments (none posted)

pure-ftpd: denial of service

Package(s):pure-ftpd CVE #(s):
Created:August 12, 2015 Updated:September 9, 2015
Description: From the Red Hat bugzilla:

It was reported that the process handling a user session could be crashed by trying to match a file pattern longer than the maximum length for a path.

Alerts:
Fedora FEDORA-2015-12912 pure-ftpd 2015-08-20
Fedora FEDORA-2015-12961 pure-ftpd 2015-08-12
Mageia MGASA-2015-0355 pure-ftpd 2015-09-08

Comments (none posted)

qemu: denial of service

Package(s):qemu CVE #(s):CVE-2015-5745
Created:August 12, 2015 Updated:September 1, 2015
Description: From the Mageia advisory:

Qemu emulator built with the virtio-serial vmchannel support is vulnerable to a buffer overflow issue. It could occur while exchanging virtio control messages between the guest and the host. A malicious guest could use this flaw to corrupt a few bytes of Qemu memory area, potentially crashing the Qemu process.

Alerts:
SUSE SUSE-SU-2016:1785-1 kvm 2016-07-11
openSUSE openSUSE-SU-2016:1750-1 qemu 2016-07-06
SUSE SUSE-SU-2016:1703-1 qemu 2016-06-29
SUSE SUSE-SU-2016:1698-1 kvm 2016-06-28
SUSE SUSE-SU-2016:1560-1 qemu 2016-06-13
Gentoo 201602-01 qemu 2016-02-04
Fedora FEDORA-2015-015 xen 2015-10-04
Fedora FEDORA-2015-efc1d7ba5e xen 2015-10-04
Ubuntu USN-2724-1 qemu, qemu-kvm 2015-08-27
Fedora FEDORA-2015-13402 qemu 2015-08-18
Mageia MGASA-2015-0310 qemu 2015-08-11
Debian DSA-3349-1 qemu-kvm 2015-09-02
Debian DSA-3348-1 qemu 2015-09-02
Fedora FEDORA-2015-13404 qemu 2015-09-01

Comments (none posted)

rubygems: DNS hijacking

Package(s):rubygems CVE #(s):CVE-2015-3900
Created:August 11, 2015 Updated:September 9, 2015
Description: From the CVE entry:

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

Alerts:
Red Hat RHSA-2015:1657-01 rh-ruby22-ruby 2015-08-24
Fedora FEDORA-2015-13157 rubygems 2015-08-19
Fedora FEDORA-2015-12574 rubygems 2015-08-11
Mageia MGASA-2015-0345 ruby-RubyGems 2015-09-08

Comments (none posted)

subversion: two vulnerabilities

Package(s):subversion CVE #(s):CVE-2015-3184 CVE-2015-3187
Created:August 11, 2015 Updated:August 18, 2015
Description: From the Debian advisory:

CVE-2015-3184: Subversion's mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4. The result is that anonymous access may be possible to files for which only authenticated access should be possible. This issue does not affect the oldstable distribution (wheezy) because it only contains Apache httpd 2.2.

CVE-2015-3187: Subversion servers, both httpd and svnserve, will reveal some paths that should be hidden by path-based authz. When a node is copied from an unreadable location to a readable location the unreadable path may be revealed. This vulnerability only reveals the path, it does not reveal the contents of the path.

Alerts:
Gentoo 201610-05 subversion 2016-10-11
openSUSE openSUSE-SU-2015:2363-1 subversion 2015-12-25
Fedora FEDORA-2015-6efa349a85 subversion 2016-02-29
Mageia MGASA-2015-0326 subversion 2015-08-27
Ubuntu USN-2721-1 subversion 2015-08-20
Scientific Linux SLSA-2015:1633-1 subversion 2015-08-17
Oracle ELSA-2015-1633 subversion 2015-08-17
openSUSE openSUSE-SU-2015:1401-1 subversion 2015-08-18
CentOS CESA-2015:1633 subversion 2015-08-17
Debian-LTS DLA-293-1 subversion 2015-08-16
Red Hat RHSA-2015:1633-01 subversion 2015-08-17
Arch Linux ASA-201508-5 subversion 2015-08-14
Debian DSA-3331-1 subversion 2015-08-10
CentOS CESA-2015:1742 subversion 2015-09-08
Scientific Linux SLSA-2015:1742-1 subversion 2015-09-08
Oracle ELSA-2015-1742 subversion 2015-09-08
Red Hat RHSA-2015:1742-01 subversion 2015-09-08

Comments (none posted)

swift: arbitrary object deletion

Package(s):swift CVE #(s):CVE-2015-1856
Created:August 6, 2015 Updated:August 25, 2015
Description: From the Ubuntu advisory:

Clay Gerrard discovered Swift allowed users to delete the latest version of object regardless of object permissions when allow_version is configured. An attacker could use this issue to delete objects. (CVE-2015-1856)

Alerts:
SUSE SUSE-SU-2015:1846-1 openstack-swift 2015-10-30
Red Hat RHSA-2015:1684-01 openstack-swift 2015-08-25
Red Hat RHSA-2015:1681-01 openstack-swift 2015-08-24
Fedora FEDORA-2015-12245 openstack-swift 2015-08-07
Ubuntu USN-2704-1 swift 2015-08-05

Comments (none posted)

wordpress: multiple vulnerabilities

Package(s):wordpress CVE #(s):CVE-2015-2213 CVE-2015-5730 CVE-2015-5731 CVE-2015-5732 CVE-2015-5733 CVE-2015-5734
Created:August 7, 2015 Updated:August 12, 2015
Description: From the Arch Linux advisory:

- CVE-2015-2213: SQL injection in comments ID.

- CVE-2015-5730: Timing attack in widgets.

- CVE-2015-5731: Denial of service by locking a post from being edited.

- CVE-2015-5732, CVE-2015-5733 CVE-2015-5734: XSS.

A remote attacker could lock a post from being edited, or compromise a site running wordpress.

Alerts:
Debian DSA-3383-1 wordpress 2015-10-29
Debian-LTS DLA-294-1 wordpress 2015-08-19
Fedora FEDORA-2015-12235 wordpress 2015-08-13
Fedora FEDORA-2015-12148 wordpress 2015-08-13
Debian DSA-3332-1 wordpress 2015-08-11
Mageia MGASA-2015-0309 wordpress 2015-08-10
Arch Linux ASA-201508-2 wordpress 2015-08-07

Comments (none posted)

xfsprogs: information disclosure

Package(s):xfsprogs CVE #(s):CVE-2012-2150
Created:August 12, 2015 Updated:January 5, 2016
Description: From the Red Hat bugzilla:

Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of tools for the XFS filesystem, did not properly obfuscate data. xfs_metadump properly obfuscates active metadata, but the rest of the space within that fs block comes through in the clear. This could lead to exposure of stale disk data via the produced metadump image.

Alerts:
openSUSE openSUSE-SU-2016:0018-1 xfsprogs 2016-01-05
Scientific Linux SLSA-2015:2151-1 xfsprogs 2015-12-21
Oracle ELSA-2015-2151 xfsprogs 2015-11-23
Red Hat RHSA-2015:2151-01 xfsprogs 2015-11-19
openSUSE openSUSE-SU-2015:1429-1 xfsprogs 2015-08-24
Fedora FEDORA-2015-12406 xfsprogs 2015-08-19
Fedora FEDORA-2015-12435 xfsprogs 2015-08-12
Mageia MGASA-2015-0361 xfsprogs 2015-09-13

Comments (none posted)

Page editor: Jake Edge


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds