
Security advisories for Wednesday

Arch Linux has updated chromium (multiple vulnerabilities) and flashplugin (multiple vulnerabilities).

Fedora has updated icu (F22: multiple vulnerabilities), php (F22: multiple vulnerabilities), and xen (F22; F21: denial of service).

Mageia has updated flash-player-plugin (multiple vulnerabilities), git (multiple vulnerabilities), openjpeg2 (code execution), and qemu (multiple vulnerabilities).

openSUSE has updated polkit (13.2, 13.1: multiple vulnerabilities).

SUSE has updated flash-player (SLE12; SLE11-SP3,4: multiple vulnerabilities).

Ubuntu has updated gdk-pixbuf (15.04, 14.04, 12.04: two vulnerabilities).



Security advisories for Wednesday

Posted Oct 14, 2015 21:38 UTC (Wed) by nix (subscriber, #2304) (2 responses)

Oh how surprising, polkit's JavaScript interpreter turns out to be a source of security holes. This was, of course, *entirely* unpredictable at the time when polkit switched from an INI-file format to JavaScript for its configuration (without providing any backward-compatibility path for existing configuration). Obviously using an interpreter for a Turing-complete language meant to be invoked by web browsers running as unprivileged users in a *privileged authentication system* was not in any way fraught with problems or a disaster waiting to happen.

Security advisories for Wednesday

Posted Oct 15, 2015 8:45 UTC (Thu) by torquay (guest, #92428)

No, no, no. We can't have forethought in open source development. It ruins all the fun in fixing everything afterwards (because there's nothing better to do with our time), new CVE numbers (somebody needs to feed the insecurity industry!), and then rewriting everything from scratch because all the fixes result in a spaghetti codebase. Rinse and repeat.

Security advisories for Wednesday

Posted Oct 16, 2015 18:06 UTC (Fri) by mathstuf (subscriber, #69389)

To be fair, this seems to be a problem with their *use* of the interpreter, not the interpreter itself.


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds