Security

From the CVE entry:

When auditing the filesystem the names of files are logged. These filenames can contain escape sequences, when viewed using the ausearch programs "-i" option for example this can result in the escape sequences being processed unsafely by the terminal program being used to view the data.

It was discovered that in certain configurations, if the relevant conntrack kernel module is not loaded, conntrackd will crash when handling DCCP, SCTP or ICMPv6 packets.

Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

     * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous memory safety
       hazards
     * MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with
       malformed MP3 file
     * MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free in MediaStream
       playback
     * MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of
       non-configurable JavaScript object properties
     * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 Overflow issues
       in libstagefright
     * MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file overwriting
       through Mozilla Maintenance Service with hard links (only affected
       Windows)
     * MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds write with
       Updater and malicious MAR file (does not affect openSUSE RPM packages
       which do not ship the updater)
     * MFSA 2015-86/CVE-2015-4483 (bmo#1148732) Feed protocol with POST
       bypasses mixed content protections
     * MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when using shared
       memory in JavaScript
     * MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow in gdk-pixbuf
       when scaling bitmap images
     * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
       Buffer overflows on Libvpx when decoding WebM video
     * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities
       found through code inspection
     * MFSA 2015-91/CVE-2015-4490 (bmo#1086999) Mozilla Content Security
       Policy allows for asterisk wildcards in violation of CSP specification
     * MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free in
       XMLHttpRequest with shared workers

There have been found potentially exploitable flaws in Golang net/http library affecting versions 1.4.2 and 1.5.

Problems:
* Double Content-length headers in a request does not generate a 400 error, the second Content-length is ignored.
* Invalid headers are parsed as valid headers (like "Content Length:" with a space in the middle)
Exploitations:
In a situation where the net/http agent HTTP communication with the final http clients is using some reverse proxy (reverse proxy cache, SSL terminators, etc), some requests can be made exploiting the net/http HTTP protocol violations.

A double free issue has been discovered in the function jasper_image_stop_load. This vulnerability can be triggered by loading a specially crafted image through jasper.

A remote attacker is able to send a specially crafted image that triggers a double free leading to denial of service.

This update fixes a security vulnerability in kdepim : kmail doesn't encrypt attachments when "automatic encryption" is selected

The Validator in Apache Struts 1.1 and later contains a function to efficiently define rules for input validation across multiple pages during screen transitions. This function contains a vulnerability where input validation may be bypassed. When the Apache Struts 1 Validator is used, the web application may be vulnerable even when this function is not used explicitly.

I would like to announce the release of MediaWiki 1.25.2, 1.24.3, and 1.23.10.

* Internal review discovered that Special:DeletedContributions did not properly protect the IP of autoblocked users. This fix makes the functionality of Special:DeletedContributions consistent with Special:Contributions and Special:BlockList.

* Internal review discovered that watchlist anti-csrf tokens were not being compared in constant time, which could allow various timing attacks. This could allow an attacker to modify a user's watchlist via csrf.

* John Menerick reported that MediaWiki's thumb.php failed to sanitize various error messages, resulting in xss.

Additionally, several extensions have been updated to fix security issues.

CVE-2015-4756 mysql: unspecified vulnerability related to Server:InnoDB

CVE-2014-4702: Similar to the CVE-2014-4701 issue in the check_dhcp plug-in, the same flaw was found to affect check_icmp. A local attacker could obtain sensitive information by using this flaw to read parts of INI configuration files that belong to the root user.

From another Red Hat bugzilla entry:

CVE-2014-4701, CVE-2014-4703: It was reported that check_dhcp plugin allow local unprivileged user to read parts of INI config files belonging to root on a local system. It could allow an attacker to obtain sensitive information like passwords that should only be accessible by root user. The vulnerability is due to check_dhcp plugin having Root SUID permissions and inappropriate access control when reading user provided config file (through --extra-opts= option).

It was discovered that the snmp_pdu_parse() function could leave incompletely parsed varBind variables in the list of variables. A remote, unauthenticated attacker could use this flaw to crash snmpd or, potentially, execute arbitrary code on the system with the privileges of the user running snmpd. (CVE-2015-5621)

An improper permission check issue was discovered in the server admission control component in OpenShift. A user with build permissions could use this flaw to execute arbitrary shell commands on a build pod with the privileges of the root user.

From the OpenSSH release notes:

sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world- writable. Local attackers may be able to write arbitrary messages to logged-in users, including terminal escape sequences. Reported by Nikolay Edigaryev. (CVE-2015-6565)

sshd(8): Portable OpenSSH only: Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users. Reported by Moritz Jodeit. (CVE-2015-6563)

sshd(8): Portable OpenSSH only: Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution. Also reported by Moritz Jodeit. (CVE-2015-6564)

A Denial of Service flaw was found in the L2 agent when using the IPTables firewall driver. By submitting an address pair that will be rejected as invalid by the ipset tool, an attacker may cause the agent to crash.

In ownCloud before 6.0.8 and 8.0.4, a bug in the SDK used to connect ownCloud against the Dropbox server might allow the owner of "Dropbox.com" to gain access to any files on the ownCloud server if an external Dropbox storage was mounted (CVE-2015-4715).

In ownCloud before 6.0.8 and 8.0.4, the sanitization component for filenames was vulnerable to DoS when parsing specially crafted file names passed via specific endpoints. Effectively this lead to a endless loop filling the log file until the system is not anymore responsive (CVE-2015-4717).

In ownCloud before 6.0.8 and 8.0.4, the external SMB storage of ownCloud was not properly neutralizing all special elements which allows an adversary to execute arbitrary SMB commands. This was caused by improperly sanitizing the ";" character which is interpreted as command separator by smbclient (the used software to connect to SMB shared by ownCloud). Effectively this allows an attacker to gain access to any file on the system or overwrite it, finally leading to a PHP code execution in the case of ownCloud’s config file (CVE-2015-4718).

Latest version of PCRE is prone to a Heap Overflow vulnerability which could caused by the following regular expression.

    /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/

Also 5.5.28 has been released: upstream changelog.

From the Debian advisory:

Lin Hua Cheng discovered that a session could be created when anonymously accessing the django.contrib.auth.views.logout view. This could allow remote attackers to saturate the session store or cause other users' session records to be evicted.

Additionally the contrib.sessions.backends.base.SessionBase.flush() and cache_db.SessionStore.flush() methods have been modified to avoid creating a new empty session as well.

Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class. (CVE-2015-3219)

Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavor or (3) Host Aggregate. (CVE-2015-3988)

CVE-2015-5165: Qemu emulator built with the RTL8139 emulation support is vulnerable to an information leakage flaw. It could occur while processing network packets under RTL8139 controller's C+ mode of operation.

A guest user could use this flaw to read uninitialised Qemu heap memory upto 65K bytes.

From another Red Hat bugzilla entry:

CVE-2015-5166: Qemu emulator built with the IDE Emulation PCI PIIX3/4 support is vulnerable to a use-after-free flaw. It could occur when trying to write data to an I/O port inside guest. This issue is specific to the Xen platform.

A privileged(CAP_SYS_RAWIO) guest user on the Xen platform could use this flaw to crash the Qemu instance or probably attempt to make a guest escape.

It was discovered that Request Tracker, an extensible trouble-ticket tracking system is susceptible to a cross-site scripting attack via the user [and] group rights management pages (CVE-2015-5475) and via the cryptography interface, allowing an attacker with a carefully-crafted key to inject JavaScript into RT's user interface. Installations which use neither GnuPG nor S/MIME are unaffected by the second cross-site scripting vulnerability.

Cross-site scripting (XSS) vulnerability in the history display in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via a username, related to generating a link. (CVE-2012-6130)

Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1. (CVE-2012-6131)

Cross-site scripting (XSS) vulnerability in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the otk parameter. (CVE-2012-6132)

From the Debian LTS advisory:

XSS flaws in ok and error messages
We solve this differently from the proposals in the bug-report by not allowing *any* html-tags in ok/error messages anymore. (CVE-2012-6133)

"sheepman" fixed a vulnerability in Ruby 1.8: DL::dlopen could open a library with tainted name even if $SAFE > 0.

From the Fedora advisory:

Incorrect payload processing for different IKE versions.

James Kettle, Alain Tiemblo, Christophe Coevoet and Fabien Potencier discovered that twig, a templating engine for PHP, did not correctly process its input. End users allowed to submit twig templates could use specially crafted code to trigger remote code execution, even in sandboxed templates.

Hi, an emergency release fixing an HTTPS resource leak (spotted by André Cruz) is available

http://uwsgi-docs.readthedocs.org/en/latest/Changelog-2.0.11.1.html

If you use the uWSGI https router you should upgrade to avoid excessive file descriptors and memory allocation.

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 4.0.32, 4.1.40, 4.2.32, and 4.3.30 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core.

Loren Maggiore of Trail of Bits discovered that the 3GP parser of VLC, a multimedia player and streamer, could dereference an arbitrary pointer due to insufficient restrictions on a writable buffer. This could allow remote attackers to execute arbitrary code via crafted 3GP files.

WebKitGTK+ 2.8.5 includes fixes for 3 security issues.

Wireshark was updated to fix several security vulnerabilities and bugs.

- Wireshark 1.12.7 [boo#941500] The following vulnerabilities have been fixed:

* Wireshark could crash when adding an item to the protocol tree. wnpa-sec-2015-21

* Wireshark could attempt to free invalid memory. wnpa-sec-2015-22

* Wireshark could crash when searching for a protocol dissector. wnpa-sec-2015-23

* The ZigBee dissector could crash. wnpa-sec-2015-24

* The GSM RLC/MAC dissector could go into an infinite loop. wnpa-sec-2015-25

* The WaveAgent dissector could crash. wnpa-sec-2015-26

* The OpenFlow dissector could go into an infinite loop. wnpa-sec-2015-27

* Wireshark could crash due to invalid ptvcursor length checking. wnpa-sec-2015-28

* The WCCP dissector could crash. wnpa-sec-2015-29

* Further bug fixes and updated protocol support as listed in: https://www.wireshark.org/docs/relnotes/wireshark-1.12.7....

Dawid Golunski discovered that when running under PHP-FPM in a threaded environment, Zend Framework, a PHP framework, did not properly handle XML data in multibyte encoding. This could be used by remote attackers to perform an XML External Entity attack via crafted XML data.