Security

Halfdog discovered that Apport incorrectly handled kernel crash dump files. A local attacker could use this issue to cause a denial of service, or possibly elevate privileges. The default symlink protections for affected releases should reduce the vulnerability to a denial of service.

From the CVE entry:

Cross-site scripting (XSS) vulnerability in settings.php in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

- CVE-2015-1303:

Cross-origin bypass in DOM. Credit to Mariusz Mlynski.

- CVE-2015-1304:

Cross-origin bypass in V8. Credit to Mariusz Mlynski.

A remote attacker can bypass the cross-origin resource sharing policy, thus getting access to sensitive data.

Security fix: handle urlfetch range starting outside message range

See the Cyrus IMAP 2.4.18 Release Notes for additional information.

Pali Rohár discovered a possible DoS attack in any software which uses the Email::Address Perl module for parsing string input to a list of email addresses.

By default Email::Address module, version v1.907 (and all before) tries to understand nestable comments in an input string with depth level 2.

With specially crafted inputs, parsing nestable comments can become too slow and can cause high CPU load, freeze the application and end in Denial of Service.

Because input strings for Email::Address module come from external sources (e.g. from email sent by an attacker) it is a security problem impacting on all software applications which parse email messages using the Email::Address Perl module.

With this upload of libemail-address-perl, the default value of nestable comments has been set to depth level 1 (as proposed by upstream). Please note that this is not proper a fix, just a workaround for pathological inputs with nestable comments.

When a container starts up, lxc sets up the container's initial fstree by doing a bunch of mounting, guided by the container configuration file. The container config is owned by the admin or user on the host, so we do not try to guard against bad entries. However, since the mount target is in the container, it's possible that the container admin could divert the mount with symbolic links. This could bypass proper container startup (i.e. confinement of a root-owned container by the restrictive apparmor policy, by diverting the required write to /proc/self/attr/current), or bypass the (path-based) apparmor policy by diverting, say, /proc to /mnt in the container.

In Moodle before 2.8.8, completed and graded lesson activity was not protected against making new attempts to answer some questions, so students could re-attempt answering questions in the lesson (CVE-2015-5264).

In Moodle before 2.8.8, users could delete files uploaded by other users in wiki (CVE-2015-5265).

In Moodle before 2.8.8, meta course synchronisation enrols suspended students as managers for a short period of time and causes large database growth. On large installations, when the sync script takes a long time, suspended students may get assigned a manager role in meta course for several minutes (CVE-2015-5266)

In Moodle before 2.8.8, password recovery tokens can be guessed because of php randomisation limitations (CVE-2015-5267).

In Moodle before 2.8.8, when viewing ratings, the group access was not properly checked, allowing users from other groups to view ratings (CVE-2015-5268).

In Moodle before 2.8.8, capability to manage groups does not have XSS risk, however it was possible to add XSS to the grouping description (CVE-2015-5269).

Dario Weisser discovered that the NVIDIA graphics drivers incorrectly handled certain IOCTL writes. A local attacker could use this issue to possibly gain root privileges.

From the SUSE advisory:

CVE-2015-6831 - A use after free vulnerability in unserialize() has been fixed which could be used to crash php or potentially execute code.

CVE-2015-6832 - A dangling pointer in the unserialization of ArrayObject items could be used to crash php or potentially execute code.

CVE-2015-6833 - A directory traversal when extracting ZIP files could be used to overwrite files outside of intended area.

From the Fedora advisory:

ZF2015-07: The filesystem storage adapter of Zend\Cache was creating directories with a liberal umask that could lead to local arbitrary code execution and/or local privilege escalation.

A new pixman release 0.32.8 is now available. This is a stable release that contains an important bug fix (buffer overflow), which can affect 32-bit systems.

rolekit-0.3.2-2.fc22 - Fix permissions on role JSON settings files to avoid leaking sensitive info

In the "Shutter" screenshot application, it was discovered that using the "Show in folder" menu option while viewing a file with a specially-crafted path allows for arbitrary code execution with the permissions of the user running Shutter (CVE-2015-0854).

From the Ubuntu advisory:

It was discovered that Simple Streams did not properly perform gpg verification in some situations. A remote attacker could use this to perform a man-in-the-middle attack and inject malicious content into the stream.

From the Ubuntu advisory:

Future Firefox updates will require all addons be signed and unity-firefox-extension, webapps-greasemonkey and webaccounts-browser-extension will not go through the signing process. Because these addons currently break search engine installations, this update permanently disables the addons by removing them from the system.

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availability via unknown vectors related to Core. (CVE-2014-2486)

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality via unknown vectors related to Core. (CVE-2014-2488)

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core. (CVE-2014-2489)

From the CVE entries:

CVE-2015-6241 - The proto_tree_add_bytes_item function in epan/proto.c in the protocol-tree implementation in Wireshark 1.12.x before 1.12.7 does not properly terminate a data structure after a failure to locate a number within a string, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

CVE-2015-6242 - The wmem_block_split_free_chunk function in epan/wmem/wmem_allocator_block.c in the wmem block allocator in the memory manager in Wireshark 1.12.x before 1.12.7 does not properly consider a certain case of multiple realloc operations that restore a memory chunk to its original size, which allows remote attackers to cause a denial of service (incorrect free operation and application crash) via a crafted packet.

CVE-2015-6243 - The dissector-table implementation in epan/packet.c in Wireshark 1.12.x before 1.12.7 mishandles table searches for empty strings, which allows remote attackers to cause a denial of service (application crash) via a crafted packet, related to the (1) dissector_get_string_handle and (2) dissector_get_default_string_handle functions.

CVE-2015-6244 - The dissect_zbee_secure function in epan/dissectors/packet-zbee-security.c in the ZigBee dissector in Wireshark 1.12.x before 1.12.7 improperly relies on length fields contained in packet data, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

CVE-2015-6245 - epan/dissectors/packet-gsm_rlcmac.c in the GSM RLC/MAC dissector in Wireshark 1.12.x before 1.12.7 uses incorrect integer data types, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.

CVE-2015-6246 - The dissect_wa_payload function in epan/dissectors/packet-waveagent.c in the WaveAgent dissector in Wireshark 1.12.x before 1.12.7 mishandles large tag values, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

CVE-2015-6247 - The dissect_openflow_tablemod_v5 function in epan/dissectors/packet-openflow_v5.c in the OpenFlow dissector in Wireshark 1.12.x before 1.12.7 does not validate a certain offset value, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.

CVE-2015-6248 - The ptvcursor_add function in the ptvcursor implementation in epan/proto.c in Wireshark 1.12.x before 1.12.7 does not check whether the expected amount of data is available, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

CVE-2015-6249 - The dissect_wccp2r1_address_table_info function in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.12.x before 1.12.7 does not prevent the conflicting use of a table for both IPv4 and IPv6 addresses, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

This update fixes a critical bug with the Xdummy setup which allows local users to access the virtual display used for the xpra sessions. xpra-0.15.6-1.fc21 - Update to 0.15.6 xpra-0.15.6-1.fc22 - Update to 0.15.6 xpra-0.15.6-1.fc23 - Update to 0.15.6