[월:] 2016년 04월

USN-2936-1: Firefox vulnerabilities Ubuntu Security Notice USN-2936-1 27th April, 2016 firefox vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Ubuntu 15.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary Firefox could be made to crash or run programs as your login if it opened a malicious website. Software description firefox – Mozilla Open Source web browser Details Christian Holler, Tyson Smith, Phil Ringalda, Gary Kwong, Jesse Ruderman,Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter, Randell Jesup,Andrew McCreight, and Steve Fink discovered multiple memory safety issuesin Firefox. If a user were tricked in to opening a specially craftedwebsite, an attacker could potentially exploit these to cause a denial ofservice via application crash, or execute arbitrary code with theprivileges of the user invoking Firefox. (CVE-2016-2804, CVE-2016-2806,CVE-2016-2807) An invalid write was discovered when using the JavaScript .watch() [ more… ]

USN-2952-2: PHP regression Ubuntu Security Notice USN-2952-2 27th April, 2016 php5 regression A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Summary USN-2952-1 caused a regression in PHP. Software description php5 – HTML-embedded scripting language interpreter Details USN-2952-1 fixed vulnerabilities in PHP. One of the backported patchescaused a regression in the PHP Soap client. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the PHP Zip extension incorrectly handled directories when processing certain zip files. A remote attacker could possibly use this issue to create arbitrary directories. (CVE-2014-9767) It was discovered that the PHP Soap client incorrectly validated data types. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-8835, CVE-2016-3185) It was discovered [ more… ]

USN-2950-2: libsoup update Ubuntu Security Notice USN-2950-2 27th April, 2016 libsoup2.4 update A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Ubuntu 15.10 Ubuntu 14.04 LTS Summary This update fixes libsoup NTLM authentication. Software description libsoup2.4 – HTTP client/server library for GNOME Details USN-2950-1 fixed vulnerabilities in Samba. The updated Samba packagesintroduced a compatibility issue with NTLM authentication in libsoup. Thisupdate fixes the problem. We apologize for the inconvenience. Original advisory details: Jouni Knuutinen discovered that Samba contained multiple flaws in the DCE/RPC implementation. A remote attacker could use this issue to perform a denial of service, downgrade secure connections by performing a man in the middle attack, or possibly execute arbitrary code. (CVE-2015-5370) Stefan Metzmacher discovered that Samba contained multiple flaws in the NTLMSSP authentication implementation. A remote attacker could use this issue to [ more… ]

USN-2955-1: Oxide vulnerabilities Ubuntu Security Notice USN-2955-1 27th April, 2016 oxide-qt vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Ubuntu 15.10 Ubuntu 14.04 LTS Summary Several security issues were fixed in Oxide. Software description oxide-qt – Web browser engine for Qt (QML plugin) Details A use-after-free was discovered when responding synchronously topermission requests. An attacker could potentially exploit this to causea denial of service via application crash, or execute arbitrary code withthe privileges of the user invoking the program. (CVE-2016-1578) An out-of-bounds read was discovered in V8. If a user were tricked in toopening a specially crafted website, an attacker could potentially exploitthis to cause a denial of service via renderer crash. (CVE-2016-1646) A use-after-free was discovered in the navigation implementation inChromium in some circumstances. If a user were tricked in to opening [ more… ]

USN-2934-1: Thunderbird vulnerabilities Ubuntu Security Notice USN-2934-1 27th April, 2016 thunderbird vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Ubuntu 15.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary Several security issues were fixed in Thunderbird. Software description thunderbird – Mozilla Open Source mail and newsgroup client Details Bob Clary, Christoph Diehl, Christian Holler, Andrew McCreight, DanielHolbert, Jesse Ruderman, and Randell Jesup discovered multiple memorysafety issues in Thunderbird. If a user were tricked in to opening aspecially crafted message, an attacker could potentially exploit these tocause a denial of service via application crash, or execute arbitrary codewith the privileges of the user invoking Thunderbird. (CVE-2016-1952) Nicolas Golubovic discovered that CSP violation reports can be used tooverwrite local files. If a user were tricked in to opening a speciallycrafted website in a browsing context with [ more… ]