VARIoT IoT vulnerabilities database
| VAR-201606-0481 | CVE-2016-4143 | Microsoft Internet Explorer and Microsoft Edge of Adobe Flash Used in library Adobe Flash Player Vulnerability in |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083. This case MS16-083 This is a different vulnerability than the other vulnerabilities listed on the list.It may be affected unspecified.
An attacker can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The former is the default browser included with operating systems prior to Windows 10; the latter is the default browser included with Windows 10, the latest operating system. in the United States. The former is a multimedia player product library; the latter is a cross-platform, browser-based multimedia player product. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:1238-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1238
Issue date: 2016-06-17
CVE Names: CVE-2016-4122 CVE-2016-4123 CVE-2016-4124
CVE-2016-4125 CVE-2016-4127 CVE-2016-4128
CVE-2016-4129 CVE-2016-4130 CVE-2016-4131
CVE-2016-4132 CVE-2016-4133 CVE-2016-4134
CVE-2016-4135 CVE-2016-4136 CVE-2016-4137
CVE-2016-4138 CVE-2016-4139 CVE-2016-4140
CVE-2016-4141 CVE-2016-4142 CVE-2016-4143
CVE-2016-4144 CVE-2016-4145 CVE-2016-4146
CVE-2016-4147 CVE-2016-4148 CVE-2016-4149
CVE-2016-4150 CVE-2016-4151 CVE-2016-4152
CVE-2016-4153 CVE-2016-4154 CVE-2016-4155
CVE-2016-4156 CVE-2016-4166 CVE-2016-4171
=====================================================================
1. Summary:
An update for flash-plugin is now available for Red Hat Enterprise Linux 5
Supplementary and Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3.
This update upgrades Flash Player to version 11.2.202.626. These
vulnerabilities, detailed in the Adobe Security Bulletin listed in the
References section, could allow an attacker to create a specially crafted
SWF file that would cause flash-plugin to crash, execute arbitrary code, or
disclose sensitive information when the victim loaded a page containing the
malicious SWF content. (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124,
CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130,
CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135,
CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140,
CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145,
CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150,
CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155,
CVE-2016-4156, CVE-2016-4166, CVE-2016-4171)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1346665 - flash-plugin: multiple code execution issues fixed in APSB16-18
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
x86_64:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
x86_64:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-4122
https://access.redhat.com/security/cve/CVE-2016-4123
https://access.redhat.com/security/cve/CVE-2016-4124
https://access.redhat.com/security/cve/CVE-2016-4125
https://access.redhat.com/security/cve/CVE-2016-4127
https://access.redhat.com/security/cve/CVE-2016-4128
https://access.redhat.com/security/cve/CVE-2016-4129
https://access.redhat.com/security/cve/CVE-2016-4130
https://access.redhat.com/security/cve/CVE-2016-4131
https://access.redhat.com/security/cve/CVE-2016-4132
https://access.redhat.com/security/cve/CVE-2016-4133
https://access.redhat.com/security/cve/CVE-2016-4134
https://access.redhat.com/security/cve/CVE-2016-4135
https://access.redhat.com/security/cve/CVE-2016-4136
https://access.redhat.com/security/cve/CVE-2016-4137
https://access.redhat.com/security/cve/CVE-2016-4138
https://access.redhat.com/security/cve/CVE-2016-4139
https://access.redhat.com/security/cve/CVE-2016-4140
https://access.redhat.com/security/cve/CVE-2016-4141
https://access.redhat.com/security/cve/CVE-2016-4142
https://access.redhat.com/security/cve/CVE-2016-4143
https://access.redhat.com/security/cve/CVE-2016-4144
https://access.redhat.com/security/cve/CVE-2016-4145
https://access.redhat.com/security/cve/CVE-2016-4146
https://access.redhat.com/security/cve/CVE-2016-4147
https://access.redhat.com/security/cve/CVE-2016-4148
https://access.redhat.com/security/cve/CVE-2016-4149
https://access.redhat.com/security/cve/CVE-2016-4150
https://access.redhat.com/security/cve/CVE-2016-4151
https://access.redhat.com/security/cve/CVE-2016-4152
https://access.redhat.com/security/cve/CVE-2016-4153
https://access.redhat.com/security/cve/CVE-2016-4154
https://access.redhat.com/security/cve/CVE-2016-4155
https://access.redhat.com/security/cve/CVE-2016-4156
https://access.redhat.com/security/cve/CVE-2016-4166
https://access.redhat.com/security/cve/CVE-2016-4171
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-18.html
https://helpx.adobe.com/security/products/flash-player/apsa16-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXY7HIXlSAg2UNWIIRAmytAJ9KBVDAyt7RbmNznJhC6uA9WwA6tACfSNyo
/QNQeCm3xe5AByAOnb1Veh0=
=5kdV
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201606-0480 | CVE-2016-4144 | Microsoft Internet Explorer and Microsoft Edge of Adobe Flash Used in library Adobe Flash Player Vulnerability in |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083. This case MS16-083 This is a different vulnerability than the other vulnerabilities listed on the list.It may be affected unspecified.
Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected applications. Failed exploit attempts will likely cause a denial-of-service condition. The former is the default browser included with operating systems prior to Windows 10; the latter is the default browser included with Windows 10, the latest operating system. in the United States. The former is a multimedia player product library; the latter is a cross-platform, browser-based multimedia player product. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:1238-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1238
Issue date: 2016-06-17
CVE Names: CVE-2016-4122 CVE-2016-4123 CVE-2016-4124
CVE-2016-4125 CVE-2016-4127 CVE-2016-4128
CVE-2016-4129 CVE-2016-4130 CVE-2016-4131
CVE-2016-4132 CVE-2016-4133 CVE-2016-4134
CVE-2016-4135 CVE-2016-4136 CVE-2016-4137
CVE-2016-4138 CVE-2016-4139 CVE-2016-4140
CVE-2016-4141 CVE-2016-4142 CVE-2016-4143
CVE-2016-4144 CVE-2016-4145 CVE-2016-4146
CVE-2016-4147 CVE-2016-4148 CVE-2016-4149
CVE-2016-4150 CVE-2016-4151 CVE-2016-4152
CVE-2016-4153 CVE-2016-4154 CVE-2016-4155
CVE-2016-4156 CVE-2016-4166 CVE-2016-4171
=====================================================================
1. Summary:
An update for flash-plugin is now available for Red Hat Enterprise Linux 5
Supplementary and Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3.
This update upgrades Flash Player to version 11.2.202.626. These
vulnerabilities, detailed in the Adobe Security Bulletin listed in the
References section, could allow an attacker to create a specially crafted
SWF file that would cause flash-plugin to crash, execute arbitrary code, or
disclose sensitive information when the victim loaded a page containing the
malicious SWF content. (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124,
CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130,
CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135,
CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140,
CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145,
CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150,
CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155,
CVE-2016-4156, CVE-2016-4166, CVE-2016-4171)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1346665 - flash-plugin: multiple code execution issues fixed in APSB16-18
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
x86_64:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
x86_64:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-4122
https://access.redhat.com/security/cve/CVE-2016-4123
https://access.redhat.com/security/cve/CVE-2016-4124
https://access.redhat.com/security/cve/CVE-2016-4125
https://access.redhat.com/security/cve/CVE-2016-4127
https://access.redhat.com/security/cve/CVE-2016-4128
https://access.redhat.com/security/cve/CVE-2016-4129
https://access.redhat.com/security/cve/CVE-2016-4130
https://access.redhat.com/security/cve/CVE-2016-4131
https://access.redhat.com/security/cve/CVE-2016-4132
https://access.redhat.com/security/cve/CVE-2016-4133
https://access.redhat.com/security/cve/CVE-2016-4134
https://access.redhat.com/security/cve/CVE-2016-4135
https://access.redhat.com/security/cve/CVE-2016-4136
https://access.redhat.com/security/cve/CVE-2016-4137
https://access.redhat.com/security/cve/CVE-2016-4138
https://access.redhat.com/security/cve/CVE-2016-4139
https://access.redhat.com/security/cve/CVE-2016-4140
https://access.redhat.com/security/cve/CVE-2016-4141
https://access.redhat.com/security/cve/CVE-2016-4142
https://access.redhat.com/security/cve/CVE-2016-4143
https://access.redhat.com/security/cve/CVE-2016-4144
https://access.redhat.com/security/cve/CVE-2016-4145
https://access.redhat.com/security/cve/CVE-2016-4146
https://access.redhat.com/security/cve/CVE-2016-4147
https://access.redhat.com/security/cve/CVE-2016-4148
https://access.redhat.com/security/cve/CVE-2016-4149
https://access.redhat.com/security/cve/CVE-2016-4150
https://access.redhat.com/security/cve/CVE-2016-4151
https://access.redhat.com/security/cve/CVE-2016-4152
https://access.redhat.com/security/cve/CVE-2016-4153
https://access.redhat.com/security/cve/CVE-2016-4154
https://access.redhat.com/security/cve/CVE-2016-4155
https://access.redhat.com/security/cve/CVE-2016-4156
https://access.redhat.com/security/cve/CVE-2016-4166
https://access.redhat.com/security/cve/CVE-2016-4171
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-18.html
https://helpx.adobe.com/security/products/flash-player/apsa16-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXY7HIXlSAg2UNWIIRAmytAJ9KBVDAyt7RbmNznJhC6uA9WwA6tACfSNyo
/QNQeCm3xe5AByAOnb1Veh0=
=5kdV
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201606-0053 | CVE-2016-4122 | Microsoft Internet Explorer and Microsoft Edge of Adobe Flash Used in library Adobe Flash Player Vulnerability in |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083. This case MS16-083 This is a different vulnerability than the other vulnerabilities listed on the list.It may be affected unspecified.
An attacker can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The former is the default browser included with operating systems prior to Windows 10; the latter is the default browser included with Windows 10, the latest operating system. in the United States. The former is a multimedia player product library; the latter is a cross-platform, browser-based multimedia player product. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:1238-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1238
Issue date: 2016-06-17
CVE Names: CVE-2016-4122 CVE-2016-4123 CVE-2016-4124
CVE-2016-4125 CVE-2016-4127 CVE-2016-4128
CVE-2016-4129 CVE-2016-4130 CVE-2016-4131
CVE-2016-4132 CVE-2016-4133 CVE-2016-4134
CVE-2016-4135 CVE-2016-4136 CVE-2016-4137
CVE-2016-4138 CVE-2016-4139 CVE-2016-4140
CVE-2016-4141 CVE-2016-4142 CVE-2016-4143
CVE-2016-4144 CVE-2016-4145 CVE-2016-4146
CVE-2016-4147 CVE-2016-4148 CVE-2016-4149
CVE-2016-4150 CVE-2016-4151 CVE-2016-4152
CVE-2016-4153 CVE-2016-4154 CVE-2016-4155
CVE-2016-4156 CVE-2016-4166 CVE-2016-4171
=====================================================================
1. Summary:
An update for flash-plugin is now available for Red Hat Enterprise Linux 5
Supplementary and Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3.
This update upgrades Flash Player to version 11.2.202.626. These
vulnerabilities, detailed in the Adobe Security Bulletin listed in the
References section, could allow an attacker to create a specially crafted
SWF file that would cause flash-plugin to crash, execute arbitrary code, or
disclose sensitive information when the victim loaded a page containing the
malicious SWF content. (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124,
CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130,
CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135,
CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140,
CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145,
CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150,
CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155,
CVE-2016-4156, CVE-2016-4166, CVE-2016-4171)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1346665 - flash-plugin: multiple code execution issues fixed in APSB16-18
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
x86_64:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
x86_64:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-4122
https://access.redhat.com/security/cve/CVE-2016-4123
https://access.redhat.com/security/cve/CVE-2016-4124
https://access.redhat.com/security/cve/CVE-2016-4125
https://access.redhat.com/security/cve/CVE-2016-4127
https://access.redhat.com/security/cve/CVE-2016-4128
https://access.redhat.com/security/cve/CVE-2016-4129
https://access.redhat.com/security/cve/CVE-2016-4130
https://access.redhat.com/security/cve/CVE-2016-4131
https://access.redhat.com/security/cve/CVE-2016-4132
https://access.redhat.com/security/cve/CVE-2016-4133
https://access.redhat.com/security/cve/CVE-2016-4134
https://access.redhat.com/security/cve/CVE-2016-4135
https://access.redhat.com/security/cve/CVE-2016-4136
https://access.redhat.com/security/cve/CVE-2016-4137
https://access.redhat.com/security/cve/CVE-2016-4138
https://access.redhat.com/security/cve/CVE-2016-4139
https://access.redhat.com/security/cve/CVE-2016-4140
https://access.redhat.com/security/cve/CVE-2016-4141
https://access.redhat.com/security/cve/CVE-2016-4142
https://access.redhat.com/security/cve/CVE-2016-4143
https://access.redhat.com/security/cve/CVE-2016-4144
https://access.redhat.com/security/cve/CVE-2016-4145
https://access.redhat.com/security/cve/CVE-2016-4146
https://access.redhat.com/security/cve/CVE-2016-4147
https://access.redhat.com/security/cve/CVE-2016-4148
https://access.redhat.com/security/cve/CVE-2016-4149
https://access.redhat.com/security/cve/CVE-2016-4150
https://access.redhat.com/security/cve/CVE-2016-4151
https://access.redhat.com/security/cve/CVE-2016-4152
https://access.redhat.com/security/cve/CVE-2016-4153
https://access.redhat.com/security/cve/CVE-2016-4154
https://access.redhat.com/security/cve/CVE-2016-4155
https://access.redhat.com/security/cve/CVE-2016-4156
https://access.redhat.com/security/cve/CVE-2016-4166
https://access.redhat.com/security/cve/CVE-2016-4171
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-18.html
https://helpx.adobe.com/security/products/flash-player/apsa16-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXY7HIXlSAg2UNWIIRAmytAJ9KBVDAyt7RbmNznJhC6uA9WwA6tACfSNyo
/QNQeCm3xe5AByAOnb1Veh0=
=5kdV
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201606-0048 | CVE-2016-4166 | Microsoft Internet Explorer and Microsoft Edge of Adobe Flash Used in library Adobe Flash Player Vulnerability in |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083. This case MS16-083 This is a different vulnerability than the other vulnerabilities listed on the list.It may be affected unspecified.
An attacker can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The former is the default browser included with operating systems prior to Windows 10; the latter is the default browser included with Windows 10, the latest operating system. in the United States. The former is a multimedia player product library; the latter is a cross-platform, browser-based multimedia player product. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:1238-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1238
Issue date: 2016-06-17
CVE Names: CVE-2016-4122 CVE-2016-4123 CVE-2016-4124
CVE-2016-4125 CVE-2016-4127 CVE-2016-4128
CVE-2016-4129 CVE-2016-4130 CVE-2016-4131
CVE-2016-4132 CVE-2016-4133 CVE-2016-4134
CVE-2016-4135 CVE-2016-4136 CVE-2016-4137
CVE-2016-4138 CVE-2016-4139 CVE-2016-4140
CVE-2016-4141 CVE-2016-4142 CVE-2016-4143
CVE-2016-4144 CVE-2016-4145 CVE-2016-4146
CVE-2016-4147 CVE-2016-4148 CVE-2016-4149
CVE-2016-4150 CVE-2016-4151 CVE-2016-4152
CVE-2016-4153 CVE-2016-4154 CVE-2016-4155
CVE-2016-4156 CVE-2016-4166 CVE-2016-4171
=====================================================================
1. Summary:
An update for flash-plugin is now available for Red Hat Enterprise Linux 5
Supplementary and Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3.
This update upgrades Flash Player to version 11.2.202.626. These
vulnerabilities, detailed in the Adobe Security Bulletin listed in the
References section, could allow an attacker to create a specially crafted
SWF file that would cause flash-plugin to crash, execute arbitrary code, or
disclose sensitive information when the victim loaded a page containing the
malicious SWF content. (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124,
CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130,
CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135,
CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140,
CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145,
CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150,
CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155,
CVE-2016-4156, CVE-2016-4166, CVE-2016-4171)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1346665 - flash-plugin: multiple code execution issues fixed in APSB16-18
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
x86_64:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
x86_64:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-4122
https://access.redhat.com/security/cve/CVE-2016-4123
https://access.redhat.com/security/cve/CVE-2016-4124
https://access.redhat.com/security/cve/CVE-2016-4125
https://access.redhat.com/security/cve/CVE-2016-4127
https://access.redhat.com/security/cve/CVE-2016-4128
https://access.redhat.com/security/cve/CVE-2016-4129
https://access.redhat.com/security/cve/CVE-2016-4130
https://access.redhat.com/security/cve/CVE-2016-4131
https://access.redhat.com/security/cve/CVE-2016-4132
https://access.redhat.com/security/cve/CVE-2016-4133
https://access.redhat.com/security/cve/CVE-2016-4134
https://access.redhat.com/security/cve/CVE-2016-4135
https://access.redhat.com/security/cve/CVE-2016-4136
https://access.redhat.com/security/cve/CVE-2016-4137
https://access.redhat.com/security/cve/CVE-2016-4138
https://access.redhat.com/security/cve/CVE-2016-4139
https://access.redhat.com/security/cve/CVE-2016-4140
https://access.redhat.com/security/cve/CVE-2016-4141
https://access.redhat.com/security/cve/CVE-2016-4142
https://access.redhat.com/security/cve/CVE-2016-4143
https://access.redhat.com/security/cve/CVE-2016-4144
https://access.redhat.com/security/cve/CVE-2016-4145
https://access.redhat.com/security/cve/CVE-2016-4146
https://access.redhat.com/security/cve/CVE-2016-4147
https://access.redhat.com/security/cve/CVE-2016-4148
https://access.redhat.com/security/cve/CVE-2016-4149
https://access.redhat.com/security/cve/CVE-2016-4150
https://access.redhat.com/security/cve/CVE-2016-4151
https://access.redhat.com/security/cve/CVE-2016-4152
https://access.redhat.com/security/cve/CVE-2016-4153
https://access.redhat.com/security/cve/CVE-2016-4154
https://access.redhat.com/security/cve/CVE-2016-4155
https://access.redhat.com/security/cve/CVE-2016-4156
https://access.redhat.com/security/cve/CVE-2016-4166
https://access.redhat.com/security/cve/CVE-2016-4171
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-18.html
https://helpx.adobe.com/security/products/flash-player/apsa16-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXY7HIXlSAg2UNWIIRAmytAJ9KBVDAyt7RbmNznJhC6uA9WwA6tACfSNyo
/QNQeCm3xe5AByAOnb1Veh0=
=5kdV
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201606-0486 | CVE-2016-4138 | Microsoft Internet Explorer and Microsoft Edge of Adobe Flash Used in library Adobe Flash Player Vulnerability in |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier, as used in the Adobe Flash libraries in Microsoft Internet Explorer 10 and 11 and Microsoft Edge, has unknown impact and attack vectors, a different vulnerability than other CVEs listed in MS16-083. This case MS16-083 This is a different vulnerability than the other vulnerabilities listed on the list.It may be affected unspecified.
Attackers can exploit these issues to execute arbitrary code within the context of the user running the affected application. Failed attempts will likely cause a denial-of-service condition. The former is the default browser included with operating systems prior to Windows 10; the latter is the default browser included with Windows 10, the latest operating system. in the United States. The former is a multimedia player product library; the latter is a cross-platform, browser-based multimedia player product. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:1238-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1238
Issue date: 2016-06-17
CVE Names: CVE-2016-4122 CVE-2016-4123 CVE-2016-4124
CVE-2016-4125 CVE-2016-4127 CVE-2016-4128
CVE-2016-4129 CVE-2016-4130 CVE-2016-4131
CVE-2016-4132 CVE-2016-4133 CVE-2016-4134
CVE-2016-4135 CVE-2016-4136 CVE-2016-4137
CVE-2016-4138 CVE-2016-4139 CVE-2016-4140
CVE-2016-4141 CVE-2016-4142 CVE-2016-4143
CVE-2016-4144 CVE-2016-4145 CVE-2016-4146
CVE-2016-4147 CVE-2016-4148 CVE-2016-4149
CVE-2016-4150 CVE-2016-4151 CVE-2016-4152
CVE-2016-4153 CVE-2016-4154 CVE-2016-4155
CVE-2016-4156 CVE-2016-4166 CVE-2016-4171
=====================================================================
1. Summary:
An update for flash-plugin is now available for Red Hat Enterprise Linux 5
Supplementary and Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3.
This update upgrades Flash Player to version 11.2.202.626. These
vulnerabilities, detailed in the Adobe Security Bulletin listed in the
References section, could allow an attacker to create a specially crafted
SWF file that would cause flash-plugin to crash, execute arbitrary code, or
disclose sensitive information when the victim loaded a page containing the
malicious SWF content. (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124,
CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130,
CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135,
CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140,
CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145,
CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150,
CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155,
CVE-2016-4156, CVE-2016-4166, CVE-2016-4171)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1346665 - flash-plugin: multiple code execution issues fixed in APSB16-18
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
x86_64:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
x86_64:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-4122
https://access.redhat.com/security/cve/CVE-2016-4123
https://access.redhat.com/security/cve/CVE-2016-4124
https://access.redhat.com/security/cve/CVE-2016-4125
https://access.redhat.com/security/cve/CVE-2016-4127
https://access.redhat.com/security/cve/CVE-2016-4128
https://access.redhat.com/security/cve/CVE-2016-4129
https://access.redhat.com/security/cve/CVE-2016-4130
https://access.redhat.com/security/cve/CVE-2016-4131
https://access.redhat.com/security/cve/CVE-2016-4132
https://access.redhat.com/security/cve/CVE-2016-4133
https://access.redhat.com/security/cve/CVE-2016-4134
https://access.redhat.com/security/cve/CVE-2016-4135
https://access.redhat.com/security/cve/CVE-2016-4136
https://access.redhat.com/security/cve/CVE-2016-4137
https://access.redhat.com/security/cve/CVE-2016-4138
https://access.redhat.com/security/cve/CVE-2016-4139
https://access.redhat.com/security/cve/CVE-2016-4140
https://access.redhat.com/security/cve/CVE-2016-4141
https://access.redhat.com/security/cve/CVE-2016-4142
https://access.redhat.com/security/cve/CVE-2016-4143
https://access.redhat.com/security/cve/CVE-2016-4144
https://access.redhat.com/security/cve/CVE-2016-4145
https://access.redhat.com/security/cve/CVE-2016-4146
https://access.redhat.com/security/cve/CVE-2016-4147
https://access.redhat.com/security/cve/CVE-2016-4148
https://access.redhat.com/security/cve/CVE-2016-4149
https://access.redhat.com/security/cve/CVE-2016-4150
https://access.redhat.com/security/cve/CVE-2016-4151
https://access.redhat.com/security/cve/CVE-2016-4152
https://access.redhat.com/security/cve/CVE-2016-4153
https://access.redhat.com/security/cve/CVE-2016-4154
https://access.redhat.com/security/cve/CVE-2016-4155
https://access.redhat.com/security/cve/CVE-2016-4156
https://access.redhat.com/security/cve/CVE-2016-4166
https://access.redhat.com/security/cve/CVE-2016-4171
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-18.html
https://helpx.adobe.com/security/products/flash-player/apsa16-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXY7HIXlSAg2UNWIIRAmytAJ9KBVDAyt7RbmNznJhC6uA9WwA6tACfSNyo
/QNQeCm3xe5AByAOnb1Veh0=
=5kdV
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201606-0451 | CVE-2016-5435 | plural Huawei Service disruption in products (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: 5.9 Severity: MEDIUM |
Memory leak in Huawei IPS Module, NGFW Module, NIP6300, NIP6600, and Secospace USG6300, USG6500, USG6600, USG9500, and AntiDDoS8000 V500R001C00 before V500R001C20SPC100, when in hot standby networking where two devices are not directly connected, allows remote attackers to cause a denial of service (memory consumption and reboot) via a crafted packet. HuaweiIPSModule and other products are China's Huawei's intrusion prevention and intrusion detection products. A memory leak vulnerability exists in several Huawei products.
An attacker can exploit this issue to exhaust memory resources and cause the device to reboot.
Huawei USG series, NGFW module, IPS module, NIP series and AntiDDoS8000 are vulnerable
| VAR-201607-0543 | CVE-2016-1398 | plural Cisco Wireless-N VPN Device firmware buffer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: 6.5 Severity: MEDIUM |
Buffer overflow in the web-based management interface on Cisco RV110W devices with firmware through 1.2.1.4, RV130W devices with firmware through 1.0.2.7, and RV215W devices with firmware through 1.3.0.7 allows remote authenticated users to cause a denial of service (device reload) via a crafted HTTP request, aka Bug ID CSCux86669. Cisco RV110W , RV130W and RV215W Wireless-N VPN The device firmware contains a buffer overflow vulnerability. The Cisco RV130WWireless-N is a versatile VPN router; the Cisco RV110W/RV215W is a router that combines wired/wireless network connectivity, VPN, and firewall. Multiple Cisco Products are prone to a denial-of-service vulnerability.
Attackers can exploit this issue to reload the affected device, denying service to legitimate users.
This issue is being tracked by Cisco bug IDs CSCux86664, CSCux86669 and CSCux86675
| VAR-201606-0431 | CVE-2016-1395 | plural Cisco Device product firmware Web In the base management interface root Vulnerability to execute arbitrary code with privileges |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The web-based management interface on Cisco RV110W devices with firmware before 1.2.1.7, RV130W devices with firmware before 1.0.3.16, and RV215W devices with firmware before 1.3.0.8 allows remote attackers to execute arbitrary code as root via a crafted HTTP request, aka Bug ID CSCux82428. The Cisco RV130WWireless-N is a versatile VPN router; the Cisco RV110W/RV215W is a router that combines wired/wireless network connectivity, VPN, and firewall. Multiple Cisco Products are prone to a remote code-execution vulnerability. This may aid in further attacks.
This issue being tracked by Cisco Bug ID's CSCux82416, CSCux82422 and CSCux82428
| VAR-201606-0432 | CVE-2016-1396 | plural Cisco Device product firmware Web -Based scripting interface cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web-based management interface on Cisco RV110W devices with firmware before 1.2.1.7, RV130W devices with firmware before 1.0.3.16, and RV215W devices with firmware before 1.3.0.8 allows remote attackers to inject arbitrary web script or HTML via a crafted parameter, aka Bug ID CSCux82583. The Cisco RV130WWireless-N is a versatile VPN router; the Cisco RV110W/RV215W is a router that combines wired/wireless network connectivity, VPN, and firewall.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks
| VAR-201606-0433 | CVE-2016-1397 | plural Cisco Device product firmware Web -Based management interface buffer overflow vulnerability |
CVSS V2: 6.8 CVSS V3: 6.5 Severity: MEDIUM |
Buffer overflow in the web-based management interface on Cisco RV110W devices with firmware before 1.2.1.7, RV130W devices with firmware before 1.0.3.16, and RV215W devices with firmware before 1.3.0.8 allows remote authenticated users to cause a denial of service (device reload) via crafted configuration commands in an HTTP request, aka Bug ID CSCux82523. The Cisco RV130WWireless-N is a versatile VPN router; the Cisco RV110W/RV215W is a router that combines wired/wireless network connectivity, VPN, and firewall. Multiple Cisco Products are prone to a denial-of-service vulnerability.
Attackers can exploit this issue to reload the affected device, denying service to legitimate users.
This issue is being tracked by Cisco bug IDs CSCux82523, CSCux82531 and CSCux82536
| VAR-201703-0104 | CVE-2016-10309 | Ceragon FibeAir IP-10 Authentication Bypass Vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
In the GUI of Ceragon FibeAir IP-10 (before 7.2.0) devices, a remote attacker can bypass authentication by adding an ALBATROSS cookie with the value 0-4-11 to their browser. Ceragon FibeAir IP-10 of GUI Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. Ceragon FibeAir IP-10 is a wireless microwave transmission device from Israel's Ceragon.
An authentication bypass vulnerability exists in Ceragon FibeAir IP-10 versions prior to 7.2.0. An attacker could use this vulnerability to bypass the authentication mechanism and perform unauthorized operations. Ceragon FibeAir IP-10 is prone to an authentication-bypass vulnerability. This may lead to further attacks
| VAR-201803-0061 | CVE-2016-5320 | Silicon Graphics LibTiff Security hole |
CVSS V2: - CVSS V3: - Severity: - |
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-5314. Reason: This candidate is a reservation duplicate of CVE-2016-5314. Notes: All CVE users should reference CVE-2016-5314 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. libTIFF is prone to a remote code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary code within the context of an application using the affected library. Failed exploit attempts will result in a denial-of-service condition.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: libtiff security update
Advisory ID: RHSA-2016:1546-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1546.html
Issue date: 2016-08-02
CVE Names: CVE-2014-8127 CVE-2014-8129 CVE-2014-8130
CVE-2014-9330 CVE-2014-9655 CVE-2015-1547
CVE-2015-7554 CVE-2015-8665 CVE-2015-8668
CVE-2015-8683 CVE-2015-8781 CVE-2015-8782
CVE-2015-8783 CVE-2015-8784 CVE-2016-3632
CVE-2016-3945 CVE-2016-3990 CVE-2016-3991
CVE-2016-5320
=====================================================================
1. Summary:
An update for libtiff is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
The libtiff packages contain a library of functions for manipulating Tagged
Image File Format (TIFF) files.
Security Fix(es):
* Multiple flaws have been discovered in libtiff. (CVE-2014-9655, CVE-2015-1547,
CVE-2015-8784, CVE-2015-8683, CVE-2015-8665, CVE-2015-8781, CVE-2015-8782,
CVE-2015-8783, CVE-2016-3990, CVE-2016-5320)
* Multiple flaws have been discovered in various libtiff tools (bmp2tiff,
pal2rgb, thumbnail, tiff2bw, tiff2pdf, tiffcrop, tiffdither, tiffsplit,
tiff2rgba). By tricking a user into processing a specially crafted file, a
remote attacker could exploit these flaws to cause a crash or memory
corruption and, possibly, execute arbitrary code with the privileges of the
user running the libtiff tool. (CVE-2014-8127, CVE-2014-8129,
CVE-2014-8130, CVE-2014-9330, CVE-2015-7554, CVE-2015-8668, CVE-2016-3632,
CVE-2016-3945, CVE-2016-3991)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running applications linked against libtiff must be restarted for this
update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1177893 - CVE-2014-9330 libtiff: Out-of-bounds reads followed by a crash in bmp2tiff
1185805 - CVE-2014-8127 libtiff: out-of-bounds read with malformed TIFF image in multiple tools
1185815 - CVE-2014-8129 libtiff: out-of-bounds read/write with malformed TIFF image in tiff2pdf
1185817 - CVE-2014-8130 libtiff: divide by zero in the tiffdither tool
1190703 - CVE-2014-9655 libtiff: use of uninitialized memory in putcontig8bitYCbCr21tile and NeXTDecode
1190709 - CVE-2015-1547 libtiff: use of uninitialized memory in NeXTDecode
1294417 - CVE-2015-7554 libtiff: Invalid-write in _TIFFVGetField() when parsing some extension tags
1294425 - CVE-2015-8668 libtiff: OOB read in bmp2tiff
1294427 - CVE-2015-8683 libtiff: Out-of-bounds when reading CIE Lab image format files
1294444 - CVE-2015-8665 libtiff: Out-of-bounds read in tif_getimage.c
1301649 - CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion
1301652 - CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode()
1325093 - CVE-2016-3945 libtiff: out-of-bounds write in the tiff2rgba tool
1325095 - CVE-2016-3632 libtiff: out-of-bounds write in _TIFFVGetField function
1326246 - CVE-2016-3990 libtiff: out-of-bounds write in horizontalDifference8()
1326249 - CVE-2016-3991 libtiff: out-of-bounds write in loadImage() function
1346687 - CVE-2016-5320 libtiff: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
libtiff-4.0.3-25.el7_2.src.rpm
x86_64:
libtiff-4.0.3-25.el7_2.i686.rpm
libtiff-4.0.3-25.el7_2.x86_64.rpm
libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm
libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm
libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm
libtiff-devel-4.0.3-25.el7_2.i686.rpm
libtiff-devel-4.0.3-25.el7_2.x86_64.rpm
libtiff-static-4.0.3-25.el7_2.i686.rpm
libtiff-static-4.0.3-25.el7_2.x86_64.rpm
libtiff-tools-4.0.3-25.el7_2.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
libtiff-4.0.3-25.el7_2.src.rpm
x86_64:
libtiff-4.0.3-25.el7_2.i686.rpm
libtiff-4.0.3-25.el7_2.x86_64.rpm
libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm
libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm
libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm
libtiff-devel-4.0.3-25.el7_2.i686.rpm
libtiff-devel-4.0.3-25.el7_2.x86_64.rpm
libtiff-static-4.0.3-25.el7_2.i686.rpm
libtiff-static-4.0.3-25.el7_2.x86_64.rpm
libtiff-tools-4.0.3-25.el7_2.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
libtiff-4.0.3-25.el7_2.src.rpm
ppc64:
libtiff-4.0.3-25.el7_2.ppc.rpm
libtiff-4.0.3-25.el7_2.ppc64.rpm
libtiff-debuginfo-4.0.3-25.el7_2.ppc.rpm
libtiff-debuginfo-4.0.3-25.el7_2.ppc64.rpm
libtiff-devel-4.0.3-25.el7_2.ppc.rpm
libtiff-devel-4.0.3-25.el7_2.ppc64.rpm
ppc64le:
libtiff-4.0.3-25.el7_2.ppc64le.rpm
libtiff-debuginfo-4.0.3-25.el7_2.ppc64le.rpm
libtiff-devel-4.0.3-25.el7_2.ppc64le.rpm
s390x:
libtiff-4.0.3-25.el7_2.s390.rpm
libtiff-4.0.3-25.el7_2.s390x.rpm
libtiff-debuginfo-4.0.3-25.el7_2.s390.rpm
libtiff-debuginfo-4.0.3-25.el7_2.s390x.rpm
libtiff-devel-4.0.3-25.el7_2.s390.rpm
libtiff-devel-4.0.3-25.el7_2.s390x.rpm
x86_64:
libtiff-4.0.3-25.el7_2.i686.rpm
libtiff-4.0.3-25.el7_2.x86_64.rpm
libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm
libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm
libtiff-devel-4.0.3-25.el7_2.i686.rpm
libtiff-devel-4.0.3-25.el7_2.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
libtiff-debuginfo-4.0.3-25.el7_2.ppc.rpm
libtiff-debuginfo-4.0.3-25.el7_2.ppc64.rpm
libtiff-static-4.0.3-25.el7_2.ppc.rpm
libtiff-static-4.0.3-25.el7_2.ppc64.rpm
libtiff-tools-4.0.3-25.el7_2.ppc64.rpm
ppc64le:
libtiff-debuginfo-4.0.3-25.el7_2.ppc64le.rpm
libtiff-static-4.0.3-25.el7_2.ppc64le.rpm
libtiff-tools-4.0.3-25.el7_2.ppc64le.rpm
s390x:
libtiff-debuginfo-4.0.3-25.el7_2.s390.rpm
libtiff-debuginfo-4.0.3-25.el7_2.s390x.rpm
libtiff-static-4.0.3-25.el7_2.s390.rpm
libtiff-static-4.0.3-25.el7_2.s390x.rpm
libtiff-tools-4.0.3-25.el7_2.s390x.rpm
x86_64:
libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm
libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm
libtiff-static-4.0.3-25.el7_2.i686.rpm
libtiff-static-4.0.3-25.el7_2.x86_64.rpm
libtiff-tools-4.0.3-25.el7_2.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
libtiff-4.0.3-25.el7_2.src.rpm
x86_64:
libtiff-4.0.3-25.el7_2.i686.rpm
libtiff-4.0.3-25.el7_2.x86_64.rpm
libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm
libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm
libtiff-devel-4.0.3-25.el7_2.i686.rpm
libtiff-devel-4.0.3-25.el7_2.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
libtiff-debuginfo-4.0.3-25.el7_2.i686.rpm
libtiff-debuginfo-4.0.3-25.el7_2.x86_64.rpm
libtiff-static-4.0.3-25.el7_2.i686.rpm
libtiff-static-4.0.3-25.el7_2.x86_64.rpm
libtiff-tools-4.0.3-25.el7_2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-8127
https://access.redhat.com/security/cve/CVE-2014-8129
https://access.redhat.com/security/cve/CVE-2014-8130
https://access.redhat.com/security/cve/CVE-2014-9330
https://access.redhat.com/security/cve/CVE-2014-9655
https://access.redhat.com/security/cve/CVE-2015-1547
https://access.redhat.com/security/cve/CVE-2015-7554
https://access.redhat.com/security/cve/CVE-2015-8665
https://access.redhat.com/security/cve/CVE-2015-8668
https://access.redhat.com/security/cve/CVE-2015-8683
https://access.redhat.com/security/cve/CVE-2015-8781
https://access.redhat.com/security/cve/CVE-2015-8782
https://access.redhat.com/security/cve/CVE-2015-8783
https://access.redhat.com/security/cve/CVE-2015-8784
https://access.redhat.com/security/cve/CVE-2016-3632
https://access.redhat.com/security/cve/CVE-2016-3945
https://access.redhat.com/security/cve/CVE-2016-3990
https://access.redhat.com/security/cve/CVE-2016-3991
https://access.redhat.com/security/cve/CVE-2016-5320
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXoNKIXlSAg2UNWIIRAn0mAJ49V9uRtJCn4vAWPIfVZ3ptCa4NDQCbBuTb
H5YX3gD3gJu8C4EadiP+wtg=
=Z4gh
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ==========================================================================
Ubuntu Security Notice USN-3212-1
February 27, 2017
tiff vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
libtiff-tools 4.0.6-2ubuntu0.1
libtiff5 4.0.6-2ubuntu0.1
Ubuntu 16.04 LTS:
libtiff-tools 4.0.6-1ubuntu0.1
libtiff5 4.0.6-1ubuntu0.1
Ubuntu 14.04 LTS:
libtiff-tools 4.0.3-7ubuntu0.6
libtiff5 4.0.3-7ubuntu0.6
In general, a standard system update will make all the necessary changes.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201701-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: libTIFF: Multiple vulnerabilities
Date: January 09, 2017
Bugs: #484542, #534108, #538318, #561880, #572876, #585274,
#585508, #599746
ID: 201701-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in libTIFF, the worst of which
may allow execution of arbitrary code. It is called by numerous programs, including GNOME
and KDE applications, to interpret TIFF images. Please review
the CVE identifier and bug reports referenced for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libTIFF users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/tiff-4.0.7"
References
==========
[ 1 ] CVE-2013-4243
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4243
[ 2 ] CVE-2014-8127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8127
[ 3 ] CVE-2014-8128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8128
[ 4 ] CVE-2014-8129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8129
[ 5 ] CVE-2014-8130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8130
[ 6 ] CVE-2014-9330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9330
[ 7 ] CVE-2014-9655
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9655
[ 8 ] CVE-2015-1547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1547
[ 9 ] CVE-2015-7313
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7313
[ 10 ] CVE-2015-7554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7554
[ 11 ] CVE-2015-8665
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8665
[ 12 ] CVE-2015-8668
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8668
[ 13 ] CVE-2015-8683
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8683
[ 14 ] CVE-2015-8781
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8781
[ 15 ] CVE-2015-8782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8782
[ 16 ] CVE-2015-8783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8783
[ 17 ] CVE-2015-8784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8784
[ 18 ] CVE-2016-3186
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3186
[ 19 ] CVE-2016-3619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3619
[ 20 ] CVE-2016-3620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3620
[ 21 ] CVE-2016-3621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3621
[ 22 ] CVE-2016-3622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3622
[ 23 ] CVE-2016-3623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3623
[ 24 ] CVE-2016-3624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3624
[ 25 ] CVE-2016-3625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3625
[ 26 ] CVE-2016-3631
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3631
[ 27 ] CVE-2016-3632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3632
[ 28 ] CVE-2016-3633
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3633
[ 29 ] CVE-2016-3634
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3634
[ 30 ] CVE-2016-3658
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3658
[ 31 ] CVE-2016-3945
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3945
[ 32 ] CVE-2016-3990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3990
[ 33 ] CVE-2016-3991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3991
[ 34 ] CVE-2016-5102
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5102
[ 35 ] CVE-2016-5314
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5314
[ 36 ] CVE-2016-5315
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5315
[ 37 ] CVE-2016-5316
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5316
[ 38 ] CVE-2016-5317
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5317
[ 39 ] CVE-2016-5318
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5318
[ 40 ] CVE-2016-5319
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5319
[ 41 ] CVE-2016-5320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5320
[ 42 ] CVE-2016-5321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5321
[ 43 ] CVE-2016-5322
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5322
[ 44 ] CVE-2016-5323
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5323
[ 45 ] CVE-2016-5652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5652
[ 46 ] CVE-2016-5875
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5875
[ 47 ] CVE-2016-6223
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6223
[ 48 ] CVE-2016-8331
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8331
[ 49 ] CVE-2016-9273
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9273
[ 50 ] CVE-2016-9297
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9297
[ 51 ] CVE-2016-9318
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9318
[ 52 ] CVE-2016-9448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9448
[ 53 ] CVE-2016-9453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9453
[ 54 ] CVE-2016-9532
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9532
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201701-16
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--WUa5dgL7FmU1aSF31hCrUKc2JiSevbqka--
. 6) - i386, x86_64
3
| VAR-201606-0578 | No CVE | SAP BI Reporting and Planning Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP BI Reporting and Planning is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
| VAR-201606-0178 | CVE-2016-4820 | I-O DATA DEVICE ETX-R Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Cross-site request forgery (CSRF) vulnerability on I-O DATA DEVICE ETX-R devices allows remote attackers to hijack the authentication of arbitrary users. ETX-R provided by I-O DATA DEVICE, INC. is a wired LAN router. ETX-R contains a cross-site request forgery vulnerability (CWE-352). Junichi MURAKAMI of FFRI, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.If a user views a malicious page while logged in, unintended operations may be performed. I-ODATADEVICEETX-R is a router product of I-ODATADEVICE, Japan.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. This may lead to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities
| VAR-201606-0179 | CVE-2016-4821 | I-O DATA DEVICE ETX-R Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
I-O DATA DEVICE ETX-R devices allow remote attackers to cause a denial of service (web-server crash) via unspecified vectors. ETX-R provided by I-O DATA DEVICE, INC. is a wired LAN router. ETX-R contains a denial-of-service (DoS) vulnerability. Junichi MURAKAMI of FFRI, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.A remote unauthenticated attacker may cause the web server on the product to be terminated abnormally. I-ODATADEVICEETX-R is a router product of I-ODATADEVICE, Japan.
An attacker can exploit this issue to crash the affected application, resulting in denial-of-service conditions
| VAR-201606-0457 | CVE-2016-5366 | Huawei Honor WS851 Vulnerability to change configuration data in router software |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Huawei Honor WS851 routers with software 1.1.21.1 and earlier allow remote attackers to modify configuration data via vectors related to a "file injection vulnerability," aka HWPSIRT-2016-05052. Vendors have confirmed this vulnerability HWPSIRT-2016-05052 It is released as. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlBy a third party " File injection vulnerability " The setting data may be changed through the process. HuaweiWS851 is a wireless router product from China's Huawei company. A security vulnerability exists in versions prior to HuaweiWS8511.1.21.1 that originated from a program that does not restrict ports. An attacker could exploit this vulnerability to inject arbitrary files. Huawei Honor is prone to an arbitrary file include vulnerability because it fails to adequately validate user-supplied input.
Huawei Honor WS851 firmware version 1.1.21.1 and prior are affected
| VAR-201606-0508 | CVE-2016-4171 | Adobe Flash memory corruption vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in June 2016. Attack activity using this vulnerability has been confirmed. For more information, APSA16-03 and APSB16-18 Please confirm. APSA16-03 https://helpx.adobe.com/jp/security/products/flash-player/apsa16-03.html APSB16-18 https://helpx.adobe.com/jp/security/products/flash-player/apsb16-18.htmlCrafted SWF Web pages with content, HTML document, PDF File, Microsoft Office An arbitrary code may be executed by opening a document. Failed exploit attempts will likely cause a denial-of-service condition.
Adobe Flash Player 21.0.0.242 and prior versions are vulnerable. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2016:1238-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1238
Issue date: 2016-06-17
CVE Names: CVE-2016-4122 CVE-2016-4123 CVE-2016-4124
CVE-2016-4125 CVE-2016-4127 CVE-2016-4128
CVE-2016-4129 CVE-2016-4130 CVE-2016-4131
CVE-2016-4132 CVE-2016-4133 CVE-2016-4134
CVE-2016-4135 CVE-2016-4136 CVE-2016-4137
CVE-2016-4138 CVE-2016-4139 CVE-2016-4140
CVE-2016-4141 CVE-2016-4142 CVE-2016-4143
CVE-2016-4144 CVE-2016-4145 CVE-2016-4146
CVE-2016-4147 CVE-2016-4148 CVE-2016-4149
CVE-2016-4150 CVE-2016-4151 CVE-2016-4152
CVE-2016-4153 CVE-2016-4154 CVE-2016-4155
CVE-2016-4156 CVE-2016-4166 CVE-2016-4171
=====================================================================
1. Summary:
An update for flash-plugin is now available for Red Hat Enterprise Linux 5
Supplementary and Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. These
vulnerabilities, detailed in the Adobe Security Bulletin listed in the
References section, could allow an attacker to create a specially crafted
SWF file that would cause flash-plugin to crash, execute arbitrary code, or
disclose sensitive information when the victim loaded a page containing the
malicious SWF content. (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124,
CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130,
CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135,
CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140,
CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145,
CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150,
CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155,
CVE-2016-4156, CVE-2016-4166, CVE-2016-4171)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1346665 - flash-plugin: multiple code execution issues fixed in APSB16-18
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
x86_64:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
x86_64:
flash-plugin-11.2.202.626-1.el5_11.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
x86_64:
flash-plugin-11.2.202.626-1.el6_8.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-4122
https://access.redhat.com/security/cve/CVE-2016-4123
https://access.redhat.com/security/cve/CVE-2016-4124
https://access.redhat.com/security/cve/CVE-2016-4125
https://access.redhat.com/security/cve/CVE-2016-4127
https://access.redhat.com/security/cve/CVE-2016-4128
https://access.redhat.com/security/cve/CVE-2016-4129
https://access.redhat.com/security/cve/CVE-2016-4130
https://access.redhat.com/security/cve/CVE-2016-4131
https://access.redhat.com/security/cve/CVE-2016-4132
https://access.redhat.com/security/cve/CVE-2016-4133
https://access.redhat.com/security/cve/CVE-2016-4134
https://access.redhat.com/security/cve/CVE-2016-4135
https://access.redhat.com/security/cve/CVE-2016-4136
https://access.redhat.com/security/cve/CVE-2016-4137
https://access.redhat.com/security/cve/CVE-2016-4138
https://access.redhat.com/security/cve/CVE-2016-4139
https://access.redhat.com/security/cve/CVE-2016-4140
https://access.redhat.com/security/cve/CVE-2016-4141
https://access.redhat.com/security/cve/CVE-2016-4142
https://access.redhat.com/security/cve/CVE-2016-4143
https://access.redhat.com/security/cve/CVE-2016-4144
https://access.redhat.com/security/cve/CVE-2016-4145
https://access.redhat.com/security/cve/CVE-2016-4146
https://access.redhat.com/security/cve/CVE-2016-4147
https://access.redhat.com/security/cve/CVE-2016-4148
https://access.redhat.com/security/cve/CVE-2016-4149
https://access.redhat.com/security/cve/CVE-2016-4150
https://access.redhat.com/security/cve/CVE-2016-4151
https://access.redhat.com/security/cve/CVE-2016-4152
https://access.redhat.com/security/cve/CVE-2016-4153
https://access.redhat.com/security/cve/CVE-2016-4154
https://access.redhat.com/security/cve/CVE-2016-4155
https://access.redhat.com/security/cve/CVE-2016-4156
https://access.redhat.com/security/cve/CVE-2016-4166
https://access.redhat.com/security/cve/CVE-2016-4171
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb16-18.html
https://helpx.adobe.com/security/products/flash-player/apsa16-03.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXY7HIXlSAg2UNWIIRAmytAJ9KBVDAyt7RbmNznJhC6uA9WwA6tACfSNyo
/QNQeCm3xe5AByAOnb1Veh0=
=5kdV
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"www-plugins/adobe-flash-11.2.202.626"
References
==========
[ 1 ] CVE-2016-1019
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1019
[ 2 ] CVE-2016-1019
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1019
[ 3 ] CVE-2016-1019
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1019
[ 4 ] CVE-2016-4117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4117
[ 5 ] CVE-2016-4117
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4117
[ 6 ] CVE-2016-4120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4120
[ 7 ] CVE-2016-4120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4120
[ 8 ] CVE-2016-4120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4120
[ 9 ] CVE-2016-4121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4121
[ 10 ] CVE-2016-4160
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4160
[ 11 ] CVE-2016-4161
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4161
[ 12 ] CVE-2016-4162
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4162
[ 13 ] CVE-2016-4163
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4163
[ 14 ] CVE-2016-4171
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4171
[ 15 ] CVE-2016-4171
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4171
[ 16 ] CVE-2016-4171
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4171
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201606-08
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201606-0514 | No CVE | Mitsubishi FX3G PLC Denial of service vulnerability |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
FX3G series PLC is to provide customers with more personalized system solutions, which can fully meet the system requirements of customers in different industries.
Mitsubishi FX3G PLC has a denial of service vulnerability, allowing an attacker to use this vulnerability to restart the PLC by sending a special packet
| VAR-201608-0418 | No CVE | Siemens 300/400 series PLC Remote control vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The programmable controller (PLC) is developed on the basis of relay control and computer control, and gradually developed into a new microprocessor-based, integrated computer technology, automatic control technology and communication technology. Industrial automatic control device. Medium-sized PLC S7-300 and large-scale PLC The S7-400 is a Siemens product that can be used to form MPI, PROFIBUS and Industrial Ethernet. There is a remote control vulnerability in the Siemens 300/400 series PLC. The attacker can use the Siemens PLC to perform TCP communication through port 102. This script can remotely control the start and stop of the PLC by sending a specific message to port 102 of the PLC. The SiemensS7300/400PLC is a modular universal controller for the manufacturing industry from Siemens. The SiemensS7300/400PLC has permission to bypass the shutdown vulnerability. If the recovery requires manual restart of the PLC, no permission problems are encountered during the process
| VAR-201606-0100 | CVE-2016-3687 | F5 BIG-IP APM and Edge Gateway Open redirect vulnerability |
CVSS V2: 4.0 CVSS V3: 5.3 Severity: MEDIUM |
Open redirect vulnerability in F5 BIG-IP APM 11.2.1, 11.4.x, 11.5.x, and 11.6.x before 11.6.0 HF6 and Edge Gateway 11.2.1, when using multi-domain single sign-on (SSO), allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a base64-encoded URL in the SSO_ORIG_URI parameter. Supplementary information : CWE Vulnerability type by CWE-601: URL Redirection to Untrusted Site ( Open redirect ) Has been identified. http://cwe.mitre.org/data/definitions/601.htmlBy a third party SSO_ORIG_URI Parameter base64 Encoded with URL Any user through Web You may be redirected to a site and run a phishing attack.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible. BIG-IP APM is a solution that provides secure and unified access to business-critical applications and networks; BIG-IP Edge Gateway is a remote access solution