Security

It was discovered that the Mechanism plugin of Blueman, a graphical Bluetooth manager, allows local privilege escalation.

Several SQL injection vulnerabilities have been discovered in Cacti, an RRDTool frontend written in PHP. Specially crafted input can be used by an attacker in the rra_id value of the graph.php script to execute arbitrary SQL commands on the database.

Two flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. (CVE-2015-6792)

A remotely triggerable buffer overflow has been found in the code of claws-mail handling character conversion, in functions conv_jistoeuc(), conv_euctojis() and conv_sjistoeuc(), in codeconv.c. There was no bounds checking on buffers passed to these functions, some stack-based but other potentially heap-based. This issue has been located in the wild and might currently be exploited.

A remote attacker might be able to execute arbitrary code on the affected host by sending a crafted e-mail to a claws-mail user.

It was discovered that the director's NeutronMetadataProxySharedSecret parameter remained specified at the default value of 'unset'. This value is used by OpenStack Networking to sign instance headers; if unchanged, an attacker knowing the shared secret could use this flaw to spoof OpenStack Networking metadata requests. (CVE-2015-5303)

A flaw was found in the director (openstack-tripleo-heat-templates) where the RabbitMQ credentials defaulted to guest/guest and supplied values in the configuration were not used. As a result, all deployed overclouds used the same credentials (guest/guest). A remote, non-authenticated attacker could use this flaw to access RabbitMQ services in the deployed cloud. (CVE-2015-5329)

A remote attacker could entice a user to open a specially crafted text file using IPython, possibly resulting in execution of arbitrary JavaScript with the privileges of the process.

It was discovered that the driver for Digi Neo and ClassicBoard devices did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel. (CVE-2015-7885)

It was discovered that the virtual video osd test driver in the Linux kernel did not properly initialize data structures. A local attacker could use this to obtain sensitive information from the kernel. (CVE-2015-7884)

CVE-2015-8543: It was discovered that a local user permitted to create raw sockets could cause a denial-of-service by specifying an invalid protocol number for the socket. The attacker must have the CAP_NET_RAW capability in their user namespace. This has been fixed for the stable distribution (jessie) only.

CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel did not validate attempted changes to the MTU value, which allowed context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272. (bsc#955354)

Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host. (CVE-2015-8550)

Konrad Rzeszutek Wilk discovered the Xen PCI backend driver does not perform sanity checks on the device's state. An attacker could exploit this flaw to cause a denial of service (NULL dereference) on the host. (CVE-2015-8551)

Konrad Rzeszutek Wilk discovered the Xen PCI backend driver does not perform sanity checks on the device's state. An attacker could exploit this flaw to cause a denial of service by flooding the logging system with WARN() messages causing the initial domain to exhaust disk space. (CVE-2015-8552)

Jann Horn discovered a ptrace issue with user namespaces in the Linux kernel. The namespace owner could potentially exploit this flaw by ptracing a root owned process entering the user namespace to elevate its privileges and potentially gain access outside of the namespace. (http://bugs.launchpad.net/bugs/1527374)

A race between revoking a user-type key and reading from it was found, causing the kernel to crash. This race can be triggered by unprivileged user.

Mounting ext4 filesystems in no-journal mode could have lead to a system crash.

It was reported that when adding an LDB DN to the database, that if a \00 (null byte) is used, remote memory can be read due to a combination of talloc_strdup() and a length assignment.

there is a underflow read in png_check_keyword in pngwutil.c in libpng-1.2.54. if the data of "key" is only ' ' (0x20), it will read a byte before the buffer in line 1288,

A vulnerability was discovered in the way OpenStack Compute (nova) networking handled security group updates; changes were not applied to already running VM instances. A remote attacker could use this flaw to access running VM instances.

PyAMF suffers from insufficient AMF input payload sanitization which results in the XML parser not preventing the processing of XML external entities (XXE). A specially crafted AMF payload, containing malicious references to XML external entities, can be used to trigger denial of service (DoS) conditions or arbitrarily return the contents of files that are accessible with the running application privileges.

A remote attacker is able to craft special XML files that, when processed, are injecting external entities resulting in denial of service of disclosure of arbitrary file contents.

The Quassel core could be crashed by a client using the op command, causing a denial of service (CVE-2015-8547).

A remote attacker is able to open a library via Fiddle with tainted library name if passed from an untrusted input.

rubygem-passenger was not filtering the environment like apache is doing, allowing injection of environment variables.

CVE-2015-5299: Samba: Missing access control check in shadow copy code

CVE-2015-7540: samba: DoS to AD-DC due to insufficient checking of asn1 memory allocation

CVE-2015-3223: samba: Remote DoS in Samba (AD) LDAP server

CVE-2015-5252: samba: Insufficient symlink verification in smbd

CVE-2015-5296: samba: Samba client requesting encryption vulnerable to downgrade attack.

Dolev Farhi discovered an information disclosure issue in SoS. If the /etc/fstab file contained passwords, the passwords were included in the SoS report. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-3925)

Mateusz Guzik discovered that SoS incorrectly handled temporary files. A local attacker could possibly use this issue to overwrite arbitrary files or gain access to temporary file contents containing sensitive system information. (CVE-2015-7529)

Ivan Zhakov discovered an integer overflow in mod_dav_svn, which allows an attacker with write access to the server to execute arbitrary code or cause a denial of service.

Subversion servers and clients are vulnerable to a remotely triggerable heap-based buffer overflow and out-of-bounds read caused by an integer overflow in the svn:// protocol parser.

This allows remote attackers to cause a denial of service or possibly execute arbitrary code under the context of the targeted process.

Cédric Krier discovered a vulnerability in the server-side of Tryton, an application framework written in Python. An aunthenticated malicious user can write arbitrary values in record fields due missed checks of access permissions when multiple records are written.

Bug #1285350 - xen: Virtual Performance Measurement Unit feature is unsupported https://bugzilla.redhat.com/show_bug.cgi?id=1285350

Bug #1284933 - CVE-2015-8341 xen: libxl leak of PV kernel can cause OOM condition https://bugzilla.redhat.com/show_bug.cgi?id=1284933

Bug #1284919 - CVE-2015-8339 CVE-2015-8340 xen: XENMEM_exchange error handling may cause DoS to host https://bugzilla.redhat.com/show_bug.cgi?id=1284919

Bug #1284911 - CVE-2015-8338 xen: Long running memory operations on ARM cause DoS https://bugzilla.redhat.com/show_bug.cgi?id=1284911

1289129: "qemu-xen-traditional" (aka qemu-dm) tracks state for each MSI-X table entry of a passed through device. This is used/updated on (intercepted) accesses to the page(s) containing the MSI-X table.

There may be space on the final page not covered by any MSI-X table entry, but memory for state tracking is allocated only for existing table entries. Therefore bounds checks are required to avoid accessing/corrupting unrelated heap memory. Such a check is present for the read path, but was missing for the write path.

A malicious administrator of a guest which has access to a passed through PCI device which is MSI-X capable can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process.

In a system not using a device model stub domain (or other techniques for deprivileging qemu), the malicious guest administrator can thus elevate their privilege to that of the host. (CVE-2015-8554)

1289130: When XSAVE/XRSTOR are not in use by Xen to manage guest extended register state, the initial values in the FPU stack and XMM registers seen by the guest upon first use are those left there by the previous user of those registers.

A malicious domain may be able to leverage this to obtain sensitive information such as cryptographic keys from another domain. (CVE-2015-8555)

It was found that xsupplicant uses hardcoded fixed temporary file for sockets, storing into /tmp/xsupplicant.sock.$INTERFACE.