Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. Updated packages are available from security.ubuntu.com.
Sasha Levin discovered a flaw in the permission checking for device assignments requested via the kvm ioctl. A local user could use this flaw to crash the system, causing a denial of service. Stephan Bärwolf discovered a flaw in the KVM (kernel-based virtual machine) subsystem. A local unprivileged user could use this flaw to crash VMs, causing a denial of service. A flaw was discovered in the CIFS file system. An unprivileged local user could exploit this flaw to crash the system, leading to a denial of service.
H. Peter Anvin reported a flaw that could crash the system. A local user could exploit this flaw to crash the system.
Updated packages are available from security.ubuntu.com.
The SUSE Linux Enterprise 11 SP2 kernel has been updated to 3.0.26, which fixes a lot of bugs and security issues. A locking problem in transparent hugepage support could be used by local attackers to potentially crash the host, or via kvm a privileged guest user could crash the kvm host system. A potential hypervisor escape by issuing SG_IO commands to partition devices was fixed by restricting access to these commands. A local attacker could oops the kernel using memory control groups and eventfds.
The path length users can build using epoll() is now limited, to avoid local attackers consuming lots of kernel CPU time. The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without a .set method, so NULL pointer dereference attacks were possible. Access to the /proc/pid/taskstats file now requires root access, to avoid side channel (timing keypresses etc.) attacks on other users.
Fixed an oops in jbd/jbd2 that could be caused by specific filesystem access patterns. A malicious NFSv4 server could have caused an oops in the NFSv4 ACL handling. Fixed an oops in jbd/jbd2 that could be caused by mounting a maliciously prepared filesystem.
Updated packages are available from download.opensuse.org.
Wireshark is a program for monitoring network traffic. Several flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. Updated packages are available from ftp.redhat.com.
Specially crafted font files could have caused buffer overflows in freetype, which could have been exploited for remote code execution. Updated packages are available from download.opensuse.org.
Specially crafted font files could have caused buffer overflows in freetype, which could be exploited for remote code execution. Updated packages are available from download.opensuse.org.
Helmut Hummel of the typo3 security team discovered that typo3, a web content management system, is not properly sanitizing output of the exception handler. This allows an attacker to conduct cross-site scripting attacks if either third-party extensions are installed that do not sanitize this output on their own or in the presence of extensions using the extbase MVC framework which accept objects to controller actions.
Updated packages are available from security.debian.org.
It was discovered that OpenSSL could be made to dereference a NULL pointer when processing S/MIME messages. A remote attacker could use this to cause a denial of service. Tavis Ormandy discovered that OpenSSL did not properly perform bounds checking when processing DER data via BIO or FILE functions. A remote attacker could trigger this flaw in services that used SSL to cause a denial of service or possibly execute arbitrary code with application privileges.
Updated packages are available from security.ubuntu.com.
Multiple vulnerabilities have been found in OpenSSL. Ivan Nestlerode discovered a weakness in the CMS and PKCS #7 implementations that could allow an attacker to decrypt data via a Million Message Attack (MMA). It was discovered that a NULL pointer could be dereferenced when parsing certain S/MIME messages, leading to denial of service. Tavis Ormandy discovered a vulnerability in the way DER-encoded ASN.1 data is parsed that can result in a heap overflow.
Updated packages are available from security.debian.org.
The kernel packages contain the Linux kernel, the core of any Linux operating system. Numerous reference count leaks were found in the block layer I/O context handling implementation. This could allow a local, unprivileged user to cause a denial of service. A flaw was found in the cifs_lookup() implementation. POSIX open during lookup should only be supported for regular files. When non-regular files (for example, a named (FIFO) pipe or other special files) are opened on lookup, it could cause a denial of service. It was found that the register set (regset) common infrastructure implementation did not check if the required get and set handlers were initialized. A local, unprivileged user could use this flaw to cause a denial of service by performing a register set operation with a ptrace() PTRACE_SETREGSET or PTRACE_GETREGSET request.
Updated packages are available from ftp.redhat.com.
The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw in the xfrm6_tunnel_rcv() function in the IPv6 implementation could lead to a use-after-free or double free flaw in tunnel6_rcv(). A remote attacker could use this flaw to send specially-crafted packets to a target system that is using IPv6 and also has the xfrm6_tunnel kernel module loaded, causing it to crash. Updated packages are available from ftp.redhat.com.
Several vulnerabilities have been discovered in gajim, a feature-rich jabber client. gajim is not properly sanitizing input before passing it to shell commands. An attacker can use this flaw to execute arbitrary code on behalf of the victim if the user e.g. clicks on a specially crafted URL in an instant message. gajim is using predictable temporary files in an insecure manner when converting instant messages containing LaTeX to images. A local attacker can use this flaw to conduct symlink attacks and overwrite files the victim has write access to.
gajim is not properly sanitizing input when logging conversations which results in the possibility to conduct SQL injection attacks.
Updated packages are available from security.debian.org.
A remote code execution flaw in Samba has been fixed. PIDL-based autogenerated code uses client-supplied size values, which allows attackers to write beyond the allocated array size. Updated packages are available from download.opensuse.org.
Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. A flaw in the Samba suite’s Perl-based DCE/RPC IDL (PIDL) compiler, used to generate code to handle RPC calls, resulted in multiple buffer overflows in Samba. A remote, unauthenticated attacker could send a specially-crafted RPC request that would cause the Samba daemon (smbd) to crash or, possibly, execute arbitrary code with the privileges of the root user.
Updated packages are available from ftp.redhat.com.
Several vulnerabilities have been discovered in puppet, a centralized configuration management system. Puppet is using predictable temporary file names when downloading Mac OS X package files. This allows a local attacker to either overwrite arbitrary files on the system or to install an arbitrary package. When handling requests for a file from a remote filebucket, puppet can be tricked into overwriting its defined location for filebucket storage. This allows an authorized attacker with access to the puppet master to read arbitrary files.
Puppet is incorrectly handling filebucket store requests. This allows an attacker to perform denial of service attacks against puppet by resource exhaustion. Puppet is incorrectly handling filebucket requests. This allows an attacker with access to the certificate on the agent and an unprivileged account on puppet master to execute arbitrary code via crafted file path names and making a filebucket request.
Updated packages are available from security.debian.org.
Brian Gorenc discovered that Samba incorrectly calculated array bounds when handling remote procedure calls (RPC) over the network. A remote, unauthenticated attacker could exploit this to execute arbitrary code as the root user. Updated packages are available from security.ubuntu.com.
It was discovered that Samba, the SMB/CIFS file, print, and login server, contained a flaw in the remote procedure call (RPC) code which allowed remote code execution as the super user from an unauthenticated connection. Updated packages are available from security.debian.org.
Sasha Levin discovered a flaw in the permission checking for device assignments requested via the kvm ioctl in the Linux kernel. A local user could use this flaw to crash the system, causing a denial of service. Stephan Bärwolf discovered a flaw in the KVM (kernel-based virtual machine) subsystem of the Linux kernel. A local unprivileged user could use this flaw to crash VMs, causing a denial of service. H. Peter Anvin reported a flaw in the Linux kernel that could crash the system. A local user could exploit this flaw to crash the system.
A flaw was discovered in the Linux kernel’s cgroups subsystem. A local attacker could use this flaw to crash the system.
Updated packages are available from security.ubuntu.com.
It was discovered that sqlalchemy, an SQL toolkit and object relational mapper for Python, is not sanitizing input passed to the limit/offset keywords of select(), nor the value passed to select.limit()/offset(). This allows an attacker to perform SQL injection attacks against applications using sqlalchemy that do not implement their own filtering. Updated packages are available from security.debian.org.
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that the Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause Tomcat to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters processed per request to mitigate this issue. It was found that Tomcat did not handle large numbers of parameters and large parameter values efficiently. A remote attacker could make Tomcat use an excessive amount of CPU time by sending an HTTP request containing a large number of parameters or large parameter values. This update introduces limits on the number of parameters and headers processed per request to address this issue.
Updated packages are available from ftp.redhat.com.
It was discovered that the NVIDIA graphics drivers could be reconfigured to gain access to arbitrary system memory. A local attacker could use this issue to possibly gain root privileges. Updated packages are available from security.ubuntu.com.
It was discovered that Puppet used a predictable filename when downloading Mac OS X package files. A local attacker could exploit this to overwrite arbitrary files. It was discovered that Puppet incorrectly handled filebucket retrieval requests. A local attacker could exploit this to read arbitrary files. It was discovered that Puppet incorrectly handled filebucket store requests. A local attacker could exploit this to perform a denial of service via resource exhaustion.
It was discovered that Puppet incorrectly handled filebucket requests. A local attacker could exploit this to execute arbitrary code via a crafted file path. It was discovered that Puppet used a predictable filename for the Telnet connection log file. A local attacker could exploit this to overwrite arbitrary files.
Updated packages are available from security.ubuntu.com.
The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Two integer overflow flaws, leading to heap-based buffer overflows, were found in the way libtiff attempted to allocate space for a tile in a TIFF image file. An attacker could use these flaws to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.
Updated packages are available from ftp.redhat.com.
FreeType is a free, high-quality, portable font engine that can open and manage font files. Multiple flaws were found in the way FreeType handled TrueType Font (TTF), Glyph Bitmap Distribution Format (BDF), Windows .fnt and .fon, and PostScript Type 1 fonts. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash.
Updated packages are available from ftp.redhat.com.
Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes multiple security flaws in Adobe Reader. These flaws are detailed on the Adobe security page APSB12-08, listed in the References section. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. Updated packages are available from ftp.redhat.com.