VARIoT IoT vulnerabilities database
| VAR-201607-0436 | CVE-2016-1460 | Cisco Wireless LAN Controller denial of service (DoS) vulnerability |
CVSS V2: 6.1 CVSS V3: 6.5 Severity: MEDIUM |
Cisco Wireless LAN Controller (WLC) devices 7.4(121.0) and 8.0(0.30220.385) allow remote attackers to cause a denial of service via crafted wireless management frames, aka Bug ID CSCun92979. The product provides security policy enforcement, intrusion detection and other functions for the wireless LAN. The vulnerability affects the Cisco WLC appliance releases 7.4(121.0) and 8.0(0.30220.385).
Attackers can exploit this issue to crash and reload the affected device, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCun92979.
| VAR-201607-0437 | CVE-2016-1462 | Cisco Prime Service Catalog web-based management interface cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web-based management interface in Cisco Prime Service Catalog (PSC) 11.0 allows remote attackers to inject arbitrary web script or HTML via a crafted value, aka Bug ID CSCuz63795.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCuz63795. Cisco Prime Service Catalog supports automated ordering from a unified service catalog of computing, networking, storage, and other data center resources.
| VAR-201607-0438 | CVE-2016-1463 | Cisco FireSIGHT System Software Snort rule bypass vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Cisco FireSIGHT System Software 5.3.0, 5.3.1, 5.4.0, 6.0, and 6.0.1 allows remote attackers to bypass Snort rules via crafted parameters in the header of an HTTP packet, aka Bug ID CSCuz20737. The Snort engine included in Cisco FireSIGHT System Software contains a vulnerability that allows its rules to be bypassed.
An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks.
Cisco FireSIGHT System Software versions 5.3.0, 5.3.1, 5.4.0, 6.0, and 6.0.1 are vulnerable.
This issue is being tracked by Cisco Bug ID CSCuz20737. Cisco FireSIGHT System Software is Cisco's management center software; it provides centralized management of the network security and operational functions of Cisco ASA with FirePOWER Services and Cisco FirePOWER network security appliances.
| VAR-201607-0439 | CVE-2016-1465 | Cisco Nexus 1000v Application Virtual Switch denial of service (DoS) vulnerability |
CVSS V2: 6.1 CVSS V3: 6.5 Severity: MEDIUM |
Cisco Nexus 1000v Application Virtual Switch (AVS) devices before 5.2(1)SV3(1.5i) allow remote attackers to cause a denial of service (ESXi hypervisor crash and purple screen) via a crafted Cisco Discovery Protocol packet that triggers an out-of-bounds memory access, aka Bug ID CSCuw57985. The software replaces VMware's built-in distributed virtual switch and consists of two components: a Virtual Ethernet Module (VEM) running inside the hypervisor and an external Virtual Supervisor Module (VSM) that manages the VEMs. The vulnerability exists in Cisco Nexus 1000v AVS versions prior to 5.2(1)SV3(1.5i).
An attacker can leverage this issue to cause a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCuw57985.
| VAR-201607-0440 | CVE-2016-1467 | Cisco Videoscape Session Resource Manager denial of service (DoS) vulnerability |
CVSS V2: 6.1 CVSS V3: 6.5 Severity: MEDIUM |
Cisco Videoscape Session Resource Manager (VSRM) allows remote attackers to cause a denial of service (device restart) by sending a traffic flood to upstream devices, aka Bug ID CSCva01813.
An attacker can exploit this issue to cause a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCva01813. The vulnerability exists in Cisco VSRM.
| VAR-201607-0387 | CVE-2016-4531 | Rockwell Automation FactoryTalk EnergyMetrix unauthorized access vulnerability (credentials not invalidated on logout) |
CVSS V2: 7.5 CVSS V3: 7.3 Severity: HIGH |
Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 does not invalidate credentials upon a logout action, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. The weakness is classified as CWE-285: Improper Authorization (http://cwe.mitre.org/data/definitions/285.html). A third party may gain access by using an unattended workstation on which a user has logged out, because the logged-out session remains usable. Rockwell Automation FactoryTalk EnergyMetrix is a Web-based software package from Rockwell Automation for capturing, analyzing, storing, and sharing energy data. It is prone to multiple security vulnerabilities.
An attacker may exploit these issues to perform unauthorized actions or to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database
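The class of flaw behind CVE-2016-4531, a logout that tells the browser to drop its cookie but leaves the server-side session valid, modeled as an added Python example written for this page. It is not FactoryTalk EnergyMetrix code; the session store, the token format and the cookie header are assumptions made for the illustration.

```python
import secrets
import time

# Added illustration of "logout does not invalidate the session" (the CWE-613
# pattern): the client is told to discard its cookie, but the server keeps
# honouring the token. Generic model, not the product's code.


class SessionStore:
    def __init__(self, ttl_seconds: int = 3600):
        self._sessions = {}          # token -> {"user": ..., "expires": ...}
        self._ttl = ttl_seconds

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)      # 256-bit random, unguessable
        self._sessions[token] = {"user": username,
                                 "expires": time.time() + self._ttl}
        return token

    def user_for(self, token: str):
        """Who the server believes is behind this token, or None."""
        entry = self._sessions.get(token)
        if entry is None or entry["expires"] < time.time():
            self._sessions.pop(token, None)
            return None
        return entry["user"]

    def logout_client_only(self, token: str) -> str:
        """Vulnerable pattern: only instructs the browser to clear its cookie.
        The server-side record survives, so anyone who still holds the token
        (browser history, a proxy log, the next person at an unattended
        workstation) is still logged in as the original user."""
        return "Set-Cookie: sid=; Max-Age=0; Path=/"

    def logout(self, token: str) -> str:
        """Fixed pattern: revoke the token server-side, then clear the cookie."""
        self._sessions.pop(token, None)
        return "Set-Cookie: sid=; Max-Age=0; Path=/"


def replay_after_logout(fixed: bool):
    """Log in, log out, then replay the old token as a bystander would.
    Returns the user the server still associates with the token, or None."""
    store = SessionStore()
    token = store.login("operator")
    (store.logout if fixed else store.logout_client_only)(token)
    return store.user_for(token)


if __name__ == "__main__":
    print("client-only logout, replayed token maps to:", replay_after_logout(False))
    print("server-side logout, replayed token maps to:", replay_after_logout(True))
```

The check a tester applies to a product like this is the same as the last function: capture the session identifier, log out through the UI, then re-send a request with the old identifier; any authenticated response means logout did not invalidate the credential.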
| VAR-201607-0385 | CVE-2016-4522 | Rockwell Automation FactoryTalk EnergyMetrix SQL Injection Vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
SQL injection vulnerability in Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Rockwell Automation FactoryTalk EnergyMetrix is a Web-based software package from Rockwell Automation for capturing, analyzing, storing, and sharing energy data. It is prone to multiple security vulnerabilities.
An attacker may exploit these issues to perform unauthorized actions or to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database
| VAR-201609-0496 | CVE-2016-7125 | PHP ext/session/session.c arbitrary-type session data injection vulnerability (related entry in the VARIoT exploits database: VAR-E-201607-0668) |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection. The weakness is classified as CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) (http://cwe.mitre.org/data/definitions/74.html). A third party who controls a session name can insert session data of any type. PHP is prone to a vulnerability that lets attackers inject and execute arbitrary code.
Successful exploits may allow an attacker to inject and run arbitrary code or obtain sensitive information that may aid in further attacks. Failed exploit attempts may result in a denial-of-service condition.
==========================================================================
Ubuntu Security Notice USN-3095-1
October 04, 2016
php5, php7.0 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in PHP. It was discovered that PHP incorrectly handled certain invalid session names. A remote attacker could use this issue to inject arbitrary session data. (CVE-2016-7125)
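To make the parsing flaw behind CVE-2016-7125 concrete, here is an added model, written for this page and not taken from PHP's ext/session/session.c, of the "php" serialize handler's `name|value` record format and of a decoder that, on meeting a session name it refuses to store, either leaves the value unconsumed (the vulnerable behaviour) or unserializes and discards it (the fix). Which names count as "invalid" is an assumption of the model (it uses `_SESSION` and `GLOBALS`); the stored record and the payload are constructed for the demonstration, and the miniature serializer covers only the value types the demonstration needs.

```python
"""Model of PHP's "php" session serialize handler (records of the form
name|<serialized value>) showing how a decoder that skips a session name
WITHOUT consuming its value re-parses that value as further name|value pairs.
Added illustration for this page; it is not PHP's ext/session/session.c, and
the set of names treated as invalid below is an assumption."""

DELIM = "|"
# Assumption: names the decoder refuses to store (the advisory only says "invalid").
SKIPPED_NAMES = {"_SESSION", "GLOBALS"}


def php_serialize(value) -> str:
    """Serialize None/bool/int/str and ("object", class, {props}) tuples."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value)}:"{value}";'          # ASCII only: len == byte length
    if isinstance(value, tuple) and value[0] == "object":
        _, cname, props = value
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
        return f'O:{len(cname)}:"{cname}":{len(props)}:{{{body}}}'
    raise TypeError(f"unsupported value {value!r}")


def php_unserialize(buf: str, pos: int):
    """Parse one value starting at buf[pos]; return (value, position after it)."""
    t = buf[pos]
    if t == "N" and buf[pos:pos + 2] == "N;":
        return None, pos + 2
    if t in "ib":
        end = buf.index(";", pos)
        n = int(buf[pos + 2:end])
        return (bool(n) if t == "b" else n), end + 1
    if t == "s":
        colon = buf.index(":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                       # skip ':"'
        s = buf[start:start + length]           # length-prefixed: a '|' inside is data
        if buf[start + length:start + length + 2] != '";':
            raise ValueError(f"bad string terminator at {start + length}")
        return s, start + length + 2
    if t == "O":
        colon = buf.index(":", pos + 2)
        clen = int(buf[pos + 2:colon])
        cname = buf[colon + 2:colon + 2 + clen]
        p = colon + 2 + clen + 2                # skip '":'
        colon2 = buf.index(":", p)
        nprops = int(buf[p:colon2])
        p = colon2 + 2                          # skip ':{'
        props = {}
        for _ in range(nprops):
            k, p = php_unserialize(buf, p)
            v, p = php_unserialize(buf, p)
            props[k] = v
        if buf[p] != "}":
            raise ValueError(f"bad object terminator at {p}")
        return ("object", cname, props), p + 1
    raise ValueError(f"unsupported type {t!r} at {pos}")


def encode_session(session: dict) -> str:
    """Write name|value records. Names containing the delimiter are rejected,
    but VALUES may contain it freely: they are length-prefixed strings."""
    out = []
    for name, value in session.items():
        if DELIM in name:
            raise ValueError("delimiter in session name")
        out.append(name + DELIM + php_serialize(value))
    return "".join(out)


def decode_session(data: str, consume_skipped: bool) -> dict:
    """Read records back. consume_skipped=False models the vulnerable decoder:
    a skipped name leaves its value in the buffer, where the next iteration
    scans it for '|' and treats what follows as a fresh name|value pair.
    consume_skipped=True models the fix: unserialize the value, then discard it."""
    session, p, end = {}, 0, len(data)
    while p < end:
        q = data.find(DELIM, p)
        if q == -1:
            break                               # no further record
        name, q = data[p:q], q + 1
        if name in SKIPPED_NAMES:
            if consume_skipped:
                _, q = php_unserialize(data, q)
            p = q
            continue
        session[name], p = php_unserialize(data, q)
    return session


def demo():
    """Constructed scenario: the application lets the user choose a session
    key, the user picks a skipped name and stores a string whose tail is a
    serialized object. Returns (stored record, vulnerable decode, fixed decode)."""
    payload = 'x|O:8:"stdClass":0:{}'
    stored = encode_session({"user": "alice", "_SESSION": payload})
    return stored, decode_session(stored, False), decode_session(stored, True)


if __name__ == "__main__":
    stored, vulnerable, fixed = demo()
    print(stored)
    print("vulnerable:", vulnerable)   # a stdClass object the application never stored
    print("fixed:     ", fixed)
```

The point the model makes is that the string value is length-prefixed, so it is perfectly legal for it to contain `|`; only a decoder that resumes scanning from the start of an unconsumed value turns that inner `|` into a record boundary, and from there the attacker chooses what gets unserialized, which is the object-injection primitive the description refers to.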
It was discovered that PHP incorrectly handled certain gamma values in the
imagegammacorrect function. (CVE-2016-7127)
It was discovered that PHP incorrectly handled certain crafted TIFF image
thumbnails. (CVE-2016-7128)
It was discovered that PHP incorrectly handled unserializing certain
wddxPacket XML documents. (CVE-2016-7129, CVE-2016-7130, CVE-2016-7131,
CVE-2016-7132, CVE-2016-7413)
It was discovered that PHP incorrectly handled certain memory operations.
This issue only affected Ubuntu 16.04 LTS. (CVE-2016-7133)
It was discovered that PHP incorrectly handled long strings in curl_escape
calls. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-7134)
Taoguang Chen discovered that PHP incorrectly handled certain failures when
unserializing data. This issue only affected Ubuntu 12.04 LTS and Ubuntu
14.04 LTS. (CVE-2016-7411)
It was discovered that PHP incorrectly handled certain flags in the MySQL
driver. (CVE-2016-7412)
It was discovered that PHP incorrectly handled ZIP file signature
verification when processing a PHAR archive. (CVE-2016-7414)
It was discovered that PHP incorrectly handled certain locale operations. (CVE-2016-7416)
It was discovered that PHP incorrectly handled SplArray unserializing. (CVE-2016-7417)
Ke Liu discovered that PHP incorrectly handled unserializing wddxPacket XML
documents with incorrect boolean elements. (CVE-2016-7418)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
libapache2-mod-php7.0 7.0.8-0ubuntu0.16.04.3
php7.0-cgi 7.0.8-0ubuntu0.16.04.3
php7.0-cli 7.0.8-0ubuntu0.16.04.3
php7.0-curl 7.0.8-0ubuntu0.16.04.3
php7.0-fpm 7.0.8-0ubuntu0.16.04.3
php7.0-gd 7.0.8-0ubuntu0.16.04.3
php7.0-mysql 7.0.8-0ubuntu0.16.04.3
Ubuntu 14.04 LTS:
libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.20
php5-cgi 5.5.9+dfsg-1ubuntu4.20
php5-cli 5.5.9+dfsg-1ubuntu4.20
php5-curl 5.5.9+dfsg-1ubuntu4.20
php5-fpm 5.5.9+dfsg-1ubuntu4.20
php5-gd 5.5.9+dfsg-1ubuntu4.20
php5-mysqlnd 5.5.9+dfsg-1ubuntu4.20
Ubuntu 12.04 LTS:
libapache2-mod-php5 5.3.10-1ubuntu3.25
php5-cgi 5.3.10-1ubuntu3.25
php5-cli 5.3.10-1ubuntu3.25
php5-curl 5.3.10-1ubuntu3.25
php5-fpm 5.3.10-1ubuntu3.25
php5-gd 5.3.10-1ubuntu3.25
php5-mysqlnd 5.3.10-1ubuntu3.25
In general, a standard system update will make all the necessary changes.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/php-5.6.25-i586-1_slack14.2.txz: Upgraded.
For more information, see:
http://php.net/ChangeLog-5.php#5.6.25
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7133
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7134
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/php-5.6.25-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/php-5.6.25-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/php-5.6.25-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/php-5.6.25-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/php-5.6.25-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/php-5.6.25-x86_64-1_slack14.2.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-5.6.25-i586-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/php-5.6.25-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 14.0 package:
142ce77a026d2a2a4a7b4d4e56a7fac1 php-5.6.25-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
b551196f6d0324ec2372d9ed314b19c8 php-5.6.25-x86_64-1_slack14.0.txz
Slackware 14.1 package:
516e77d0b67e3ed3c9b3b81d7ef282b9 php-5.6.25-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
e83b3b602bf36a7a15b6e5e0cd6da8f3 php-5.6.25-x86_64-1_slack14.1.txz
Slackware 14.2 package:
9b137ae0ae651fe0a15dc4007bc9047e php-5.6.25-i586-1_slack14.2.txz
Slackware x86_64 14.2 package:
5c5fd6030ff16093fb5fadd691a7a07f php-5.6.25-x86_64-1_slack14.2.txz
Slackware -current package:
c530cbb5f23c4bda6fbadc826e57d6f4 n/php-5.6.25-i586-1.txz
Slackware x86_64 -current package:
07e604c9f080061a7f6716295032c3bb n/php-5.6.25-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg php-5.6.25-i586-1_slack14.2.txz
Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: rh-php56 security, bug fix, and enhancement update
Advisory ID: RHSA-2016:2750-01
Product: Red Hat Software Collections
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2750.html
Issue date: 2016-11-15
CVE Names: CVE-2013-7456 CVE-2014-9767 CVE-2015-2325
CVE-2015-2326 CVE-2015-2327 CVE-2015-2328
CVE-2015-3210 CVE-2015-3217 CVE-2015-5073
CVE-2015-8381 CVE-2015-8383 CVE-2015-8384
CVE-2015-8385 CVE-2015-8386 CVE-2015-8388
CVE-2015-8391 CVE-2015-8392 CVE-2015-8395
CVE-2015-8835 CVE-2015-8865 CVE-2015-8866
CVE-2015-8867 CVE-2015-8873 CVE-2015-8874
CVE-2015-8876 CVE-2015-8877 CVE-2015-8879
CVE-2016-1903 CVE-2016-2554 CVE-2016-3074
CVE-2016-3141 CVE-2016-3142 CVE-2016-4070
CVE-2016-4071 CVE-2016-4072 CVE-2016-4073
CVE-2016-4342 CVE-2016-4343 CVE-2016-4473
CVE-2016-4537 CVE-2016-4538 CVE-2016-4539
CVE-2016-4540 CVE-2016-4541 CVE-2016-4542
CVE-2016-4543 CVE-2016-4544 CVE-2016-5093
CVE-2016-5094 CVE-2016-5096 CVE-2016-5114
CVE-2016-5399 CVE-2016-5766 CVE-2016-5767
CVE-2016-5768 CVE-2016-5770 CVE-2016-5771
CVE-2016-5772 CVE-2016-5773 CVE-2016-6128
CVE-2016-6207 CVE-2016-6288 CVE-2016-6289
CVE-2016-6290 CVE-2016-6291 CVE-2016-6292
CVE-2016-6294 CVE-2016-6295 CVE-2016-6296
CVE-2016-6297 CVE-2016-7124 CVE-2016-7125
CVE-2016-7126 CVE-2016-7127 CVE-2016-7128
CVE-2016-7129 CVE-2016-7130 CVE-2016-7131
CVE-2016-7132
=====================================================================
1. Summary:
An update for rh-php56, rh-php56-php, and rh-php56-php-pear is now
available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
3. Description:
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server. The rh-php56 packages provide a recent stable release of PHP
with PEAR 1.9.5 and enhanced language features including constant
expressions, variadic functions, argument unpacking, and the interactive
debugger. The memcache, mongo, and XDebug extensions are also included.
The rh-php56 Software Collection has been upgraded to version 5.6.25, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1356157, BZ#1365401)
Security Fixes in the rh-php56-php component:
* Several Moderate and Low impact security issues were found in PHP. Under
certain circumstances, these issues could cause PHP to crash, disclose
portions of its memory, execute arbitrary code, or impact PHP application
integrity. Space precludes documenting each of these issues in this
advisory. Refer to the CVE links in the References section for a
description of each of these vulnerabilities. (CVE-2013-7456,
CVE-2014-9767, CVE-2015-8835, CVE-2015-8865, CVE-2015-8866, CVE-2015-8867,
CVE-2015-8873, CVE-2015-8874, CVE-2015-8876, CVE-2015-8877, CVE-2015-8879,
CVE-2016-1903, CVE-2016-2554, CVE-2016-3074, CVE-2016-3141, CVE-2016-3142,
CVE-2016-4070, CVE-2016-4071, CVE-2016-4072, CVE-2016-4073, CVE-2016-4342,
CVE-2016-4343, CVE-2016-4473, CVE-2016-4537, CVE-2016-4538, CVE-2016-4539,
CVE-2016-4540, CVE-2016-4541, CVE-2016-4542, CVE-2016-4543, CVE-2016-4544,
CVE-2016-5093, CVE-2016-5094, CVE-2016-5096, CVE-2016-5114, CVE-2016-5399,
CVE-2016-5766, CVE-2016-5767, CVE-2016-5768, CVE-2016-5770, CVE-2016-5771,
CVE-2016-5772, CVE-2016-5773, CVE-2016-6128, CVE-2016-6207, CVE-2016-6288,
CVE-2016-6289, CVE-2016-6290, CVE-2016-6291, CVE-2016-6292, CVE-2016-6294,
CVE-2016-6295, CVE-2016-6296, CVE-2016-6297, CVE-2016-7124, CVE-2016-7125,
CVE-2016-7126, CVE-2016-7127, CVE-2016-7128, CVE-2016-7129, CVE-2016-7130,
CVE-2016-7131, CVE-2016-7132)
* Multiple flaws were found in the PCRE library included with the
rh-php56-php packages for Red Hat Enterprise Linux 6. (CVE-2015-2325, CVE-2015-2326, CVE-2015-2327, CVE-2015-2328,
CVE-2015-3210, CVE-2015-3217, CVE-2015-5073, CVE-2015-8381, CVE-2015-8383,
CVE-2015-8384, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2015-8391,
CVE-2015-8392, CVE-2015-8395)
Red Hat would like to thank Hans Jerry Illikainen for reporting
CVE-2016-3074, CVE-2016-4473, and CVE-2016-5399.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon must be restarted
for the update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1207198 - CVE-2015-2325 pcre: heap buffer overflow in compile_branch()
1207202 - CVE-2015-2326 pcre: heap buffer over-read in pcre_compile2() (8.37/23)
1228283 - CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match (8.38/11)
1237223 - CVE-2015-5073 CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18)
1260716 - CVE-2014-9767 php: ZipArchive::extractTo allows for directory traversal when creating directories
1285399 - CVE-2015-2328 pcre: infinite recursion compiling pattern with recursive reference in a group with indefinite repeat (8.36/20)
1285408 - CVE-2015-2327 pcre: infinite recursion compiling pattern with zero-repeated groups that include recursive back reference (8.36/19)
1287614 - CVE-2015-8383 pcre: Buffer overflow caused by repeated conditional group (8.38/3)
1287623 - CVE-2015-3210 CVE-2015-8384 pcre: buffer overflow caused by recursive back reference by name within certain group (8.38/4)
1287629 - CVE-2015-8385 pcre: buffer overflow caused by named forward reference to duplicate group number (8.38/30)
1287636 - CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion (8.38/6)
1287671 - CVE-2015-8391 pcre: inefficient posix character class syntax check (8.38/16)
1287690 - CVE-2015-8392 pcre: buffer overflow caused by patterns with duplicated named groups with (?| (8.38/27)
1287711 - CVE-2015-8381 CVE-2015-8395 pcre: Buffer overflow caused by duplicate named references (8.38/36)
1297710 - CVE-2016-5114 php: out-of-bounds write in fpm_log.c
1297717 - CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated
1305536 - CVE-2016-4342 php: use of uninitialized pointer in PharFileInfo::getContent
1305543 - CVE-2016-2554 php: buffer overflow in handling of long link names in tar phar archives
1315312 - CVE-2016-3142 php: Out-of-bounds read in phar_parse_zipfile()
1315328 - CVE-2016-3141 php: Use after free in WDDX Deserialize when processing XML data
1321893 - CVE-2016-3074 php: Signedness vulnerability causing heap overflow in libgd
1323074 - CVE-2015-8835 php: type confusion issue in Soap Client call() method
1323103 - CVE-2016-4073 php: Negative size parameter in memcpy
1323106 - CVE-2016-4072 php: Invalid memory write in phar on filename containing \0 inside name
1323108 - CVE-2016-4071 php: Format string vulnerability in php_snmp_error()
1323114 - CVE-2016-4070 php: Integer overflow in php_raw_url_encode
1323118 - CVE-2015-8865 file: Buffer over-write in finfo_open with malformed magic file
1330418 - CVE-2015-8866 php: libxml_disable_entity_loader setting is shared between threads
1330420 - CVE-2015-8867 php: openssl_random_pseudo_bytes() is not cryptographically secure
1332454 - CVE-2016-4343 php: Uninitialized pointer in phar_make_dirstream()
1332860 - CVE-2016-4537 CVE-2016-4538 php: bcpowmod accepts negative scale causing heap buffer overflow corrupting _one_ definition
1332865 - CVE-2016-4542 CVE-2016-4543 CVE-2016-4544 php: Out-of-bounds heap memory read in exif_read_data() caused by malformed input
1332872 - CVE-2016-4540 CVE-2016-4541 php: OOB read in grapheme_stripos and grapheme_strpos when negative offset is used
1332877 - CVE-2016-4539 php: xml_parse_into_struct() can crash when XML parser is re-used
1336772 - CVE-2015-8874 gd: gdImageFillToBorder deep recursion leading to stack overflow
1336775 - CVE-2015-8873 php: Stack consumption vulnerability in Zend/zend_exceptions.c
1338896 - CVE-2015-8876 php: Zend/zend_exceptions.c does not validate certain Exception objects
1338907 - CVE-2015-8877 gd: gdImageScaleTwoPass function in gd_interpolation.c uses inconsistent allocate and free approaches
1338912 - CVE-2015-8879 php: odbc_bindcols function mishandles driver behavior for SQL_WVARCHAR columns
1339590 - CVE-2016-5093 php: improper nul termination leading to out-of-bounds read in get_icu_value_internal
1339949 - CVE-2016-5096 php: Integer underflow causing arbitrary null write in fread/gzread
1340433 - CVE-2013-7456 gd: incorrect boundary adjustment in _gdContributionsCalc
1340738 - CVE-2016-5094 php: Integer overflow in php_html_entities()
1347772 - CVE-2016-4473 php: Invalid free() instead of efree() in phar_extract_file()
1351068 - CVE-2016-5766 gd: Integer Overflow in _gd2GetHeader() resulting in heap overflow
1351069 - CVE-2016-5767 gd: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
1351168 - CVE-2016-5768 php: Double free in _php_mb_regex_ereg_replace_exec
1351171 - CVE-2016-5770 php: Int/size_t confusion in SplFileObject::fread
1351173 - CVE-2016-5771 php: Use After Free Vulnerability in PHP's GC algorithm and unserialize
1351175 - CVE-2016-5772 php: Double Free Corruption in wddx_deserialize
1351179 - CVE-2016-5773 php: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
1351603 - CVE-2016-6128 gd: Invalid color index not properly handled
1358395 - CVE-2016-5399 php: Improper error handling in bzread()
1359698 - CVE-2016-6289 php: Integer overflow leads to buffer overflow in virtual_file_ex
1359710 - CVE-2016-6290 php: Use after free in unserialize() with Unexpected Session Deserialization
1359718 - CVE-2016-6291 php: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE
1359756 - CVE-2016-6292 php: Null pointer dereference in exif_process_user_comment
1359800 - CVE-2016-6207 php,gd: Integer overflow error within _gdContributionsAlloc()
1359811 - CVE-2016-6294 php: Out-of-bounds access in locale_accept_from_http
1359815 - CVE-2016-6295 php: Use after free in SNMP with GC and unserialize()
1359822 - CVE-2016-6296 php: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c
1359828 - CVE-2016-6297 php: Stack-based buffer overflow vulnerability in php_stream_zip_opener
1360322 - CVE-2016-6288 php: Buffer over-read in php_url_parse_ex
1374697 - CVE-2016-7124 php: bypass __wakeup() in deserialization of an unexpected object
1374698 - CVE-2016-7125 php: Session Data Injection Vulnerability
1374699 - CVE-2016-7126 php: select_colors write out-of-bounds
1374701 - CVE-2016-7127 php: imagegammacorrect allows arbitrary write access
1374704 - CVE-2016-7128 php: Memory Leakage In exif_process_IFD_in_TIFF
1374705 - CVE-2016-7129 php: wddx_deserialize allows illegal memory access
1374707 - CVE-2016-7130 php: wddx_deserialize null dereference
1374708 - CVE-2016-7131 php: wddx_deserialize null dereference with invalid xml
1374711 - CVE-2016-7132 php: wddx_deserialize null dereference in php_wddx_pop_element
6. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source:
rh-php56-2.3-1.el6.src.rpm
rh-php56-php-5.6.25-1.el6.src.rpm
rh-php56-php-pear-1.9.5-4.el6.src.rpm
noarch:
rh-php56-php-pear-1.9.5-4.el6.noarch.rpm
x86_64:
rh-php56-2.3-1.el6.x86_64.rpm
rh-php56-php-5.6.25-1.el6.x86_64.rpm
rh-php56-php-bcmath-5.6.25-1.el6.x86_64.rpm
rh-php56-php-cli-5.6.25-1.el6.x86_64.rpm
rh-php56-php-common-5.6.25-1.el6.x86_64.rpm
rh-php56-php-dba-5.6.25-1.el6.x86_64.rpm
rh-php56-php-dbg-5.6.25-1.el6.x86_64.rpm
rh-php56-php-debuginfo-5.6.25-1.el6.x86_64.rpm
rh-php56-php-devel-5.6.25-1.el6.x86_64.rpm
rh-php56-php-embedded-5.6.25-1.el6.x86_64.rpm
rh-php56-php-enchant-5.6.25-1.el6.x86_64.rpm
rh-php56-php-fpm-5.6.25-1.el6.x86_64.rpm
rh-php56-php-gd-5.6.25-1.el6.x86_64.rpm
rh-php56-php-gmp-5.6.25-1.el6.x86_64.rpm
rh-php56-php-imap-5.6.25-1.el6.x86_64.rpm
rh-php56-php-intl-5.6.25-1.el6.x86_64.rpm
rh-php56-php-ldap-5.6.25-1.el6.x86_64.rpm
rh-php56-php-mbstring-5.6.25-1.el6.x86_64.rpm
rh-php56-php-mysqlnd-5.6.25-1.el6.x86_64.rpm
rh-php56-php-odbc-5.6.25-1.el6.x86_64.rpm
rh-php56-php-opcache-5.6.25-1.el6.x86_64.rpm
rh-php56-php-pdo-5.6.25-1.el6.x86_64.rpm
rh-php56-php-pgsql-5.6.25-1.el6.x86_64.rpm
rh-php56-php-process-5.6.25-1.el6.x86_64.rpm
rh-php56-php-pspell-5.6.25-1.el6.x86_64.rpm
rh-php56-php-recode-5.6.25-1.el6.x86_64.rpm
rh-php56-php-snmp-5.6.25-1.el6.x86_64.rpm
rh-php56-php-soap-5.6.25-1.el6.x86_64.rpm
rh-php56-php-tidy-5.6.25-1.el6.x86_64.rpm
rh-php56-php-xml-5.6.25-1.el6.x86_64.rpm
rh-php56-php-xmlrpc-5.6.25-1.el6.x86_64.rpm
rh-php56-runtime-2.3-1.el6.x86_64.rpm
rh-php56-scldevel-2.3-1.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):
Source:
rh-php56-2.3-1.el6.src.rpm
rh-php56-php-5.6.25-1.el6.src.rpm
rh-php56-php-pear-1.9.5-4.el6.src.rpm
noarch:
rh-php56-php-pear-1.9.5-4.el6.noarch.rpm
x86_64:
rh-php56-2.3-1.el6.x86_64.rpm
rh-php56-php-5.6.25-1.el6.x86_64.rpm
rh-php56-php-bcmath-5.6.25-1.el6.x86_64.rpm
rh-php56-php-cli-5.6.25-1.el6.x86_64.rpm
rh-php56-php-common-5.6.25-1.el6.x86_64.rpm
rh-php56-php-dba-5.6.25-1.el6.x86_64.rpm
rh-php56-php-dbg-5.6.25-1.el6.x86_64.rpm
rh-php56-php-debuginfo-5.6.25-1.el6.x86_64.rpm
rh-php56-php-devel-5.6.25-1.el6.x86_64.rpm
rh-php56-php-embedded-5.6.25-1.el6.x86_64.rpm
rh-php56-php-enchant-5.6.25-1.el6.x86_64.rpm
rh-php56-php-fpm-5.6.25-1.el6.x86_64.rpm
rh-php56-php-gd-5.6.25-1.el6.x86_64.rpm
rh-php56-php-gmp-5.6.25-1.el6.x86_64.rpm
rh-php56-php-imap-5.6.25-1.el6.x86_64.rpm
rh-php56-php-intl-5.6.25-1.el6.x86_64.rpm
rh-php56-php-ldap-5.6.25-1.el6.x86_64.rpm
rh-php56-php-mbstring-5.6.25-1.el6.x86_64.rpm
rh-php56-php-mysqlnd-5.6.25-1.el6.x86_64.rpm
rh-php56-php-odbc-5.6.25-1.el6.x86_64.rpm
rh-php56-php-opcache-5.6.25-1.el6.x86_64.rpm
rh-php56-php-pdo-5.6.25-1.el6.x86_64.rpm
rh-php56-php-pgsql-5.6.25-1.el6.x86_64.rpm
rh-php56-php-process-5.6.25-1.el6.x86_64.rpm
rh-php56-php-pspell-5.6.25-1.el6.x86_64.rpm
rh-php56-php-recode-5.6.25-1.el6.x86_64.rpm
rh-php56-php-snmp-5.6.25-1.el6.x86_64.rpm
rh-php56-php-soap-5.6.25-1.el6.x86_64.rpm
rh-php56-php-tidy-5.6.25-1.el6.x86_64.rpm
rh-php56-php-xml-5.6.25-1.el6.x86_64.rpm
rh-php56-php-xmlrpc-5.6.25-1.el6.x86_64.rpm
rh-php56-runtime-2.3-1.el6.x86_64.rpm
rh-php56-scldevel-2.3-1.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source:
rh-php56-2.3-1.el6.src.rpm
rh-php56-php-5.6.25-1.el6.src.rpm
rh-php56-php-pear-1.9.5-4.el6.src.rpm
noarch:
rh-php56-php-pear-1.9.5-4.el6.noarch.rpm
x86_64:
rh-php56-2.3-1.el6.x86_64.rpm
rh-php56-php-5.6.25-1.el6.x86_64.rpm
rh-php56-php-bcmath-5.6.25-1.el6.x86_64.rpm
rh-php56-php-cli-5.6.25-1.el6.x86_64.rpm
rh-php56-php-common-5.6.25-1.el6.x86_64.rpm
rh-php56-php-dba-5.6.25-1.el6.x86_64.rpm
rh-php56-php-dbg-5.6.25-1.el6.x86_64.rpm
rh-php56-php-debuginfo-5.6.25-1.el6.x86_64.rpm
rh-php56-php-devel-5.6.25-1.el6.x86_64.rpm
rh-php56-php-embedded-5.6.25-1.el6.x86_64.rpm
rh-php56-php-enchant-5.6.25-1.el6.x86_64.rpm
rh-php56-php-fpm-5.6.25-1.el6.x86_64.rpm
rh-php56-php-gd-5.6.25-1.el6.x86_64.rpm
rh-php56-php-gmp-5.6.25-1.el6.x86_64.rpm
rh-php56-php-imap-5.6.25-1.el6.x86_64.rpm
rh-php56-php-intl-5.6.25-1.el6.x86_64.rpm
rh-php56-php-ldap-5.6.25-1.el6.x86_64.rpm
rh-php56-php-mbstring-5.6.25-1.el6.x86_64.rpm
rh-php56-php-mysqlnd-5.6.25-1.el6.x86_64.rpm
rh-php56-php-odbc-5.6.25-1.el6.x86_64.rpm
rh-php56-php-opcache-5.6.25-1.el6.x86_64.rpm
rh-php56-php-pdo-5.6.25-1.el6.x86_64.rpm
rh-php56-php-pgsql-5.6.25-1.el6.x86_64.rpm
rh-php56-php-process-5.6.25-1.el6.x86_64.rpm
rh-php56-php-pspell-5.6.25-1.el6.x86_64.rpm
rh-php56-php-recode-5.6.25-1.el6.x86_64.rpm
rh-php56-php-snmp-5.6.25-1.el6.x86_64.rpm
rh-php56-php-soap-5.6.25-1.el6.x86_64.rpm
rh-php56-php-tidy-5.6.25-1.el6.x86_64.rpm
rh-php56-php-xml-5.6.25-1.el6.x86_64.rpm
rh-php56-php-xmlrpc-5.6.25-1.el6.x86_64.rpm
rh-php56-runtime-2.3-1.el6.x86_64.rpm
rh-php56-scldevel-2.3-1.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
rh-php56-2.3-1.el7.src.rpm
rh-php56-php-5.6.25-1.el7.src.rpm
rh-php56-php-pear-1.9.5-4.el7.src.rpm
noarch:
rh-php56-php-pear-1.9.5-4.el7.noarch.rpm
x86_64:
rh-php56-2.3-1.el7.x86_64.rpm
rh-php56-php-5.6.25-1.el7.x86_64.rpm
rh-php56-php-bcmath-5.6.25-1.el7.x86_64.rpm
rh-php56-php-cli-5.6.25-1.el7.x86_64.rpm
rh-php56-php-common-5.6.25-1.el7.x86_64.rpm
rh-php56-php-dba-5.6.25-1.el7.x86_64.rpm
rh-php56-php-dbg-5.6.25-1.el7.x86_64.rpm
rh-php56-php-debuginfo-5.6.25-1.el7.x86_64.rpm
rh-php56-php-devel-5.6.25-1.el7.x86_64.rpm
rh-php56-php-embedded-5.6.25-1.el7.x86_64.rpm
rh-php56-php-enchant-5.6.25-1.el7.x86_64.rpm
rh-php56-php-fpm-5.6.25-1.el7.x86_64.rpm
rh-php56-php-gd-5.6.25-1.el7.x86_64.rpm
rh-php56-php-gmp-5.6.25-1.el7.x86_64.rpm
rh-php56-php-intl-5.6.25-1.el7.x86_64.rpm
rh-php56-php-ldap-5.6.25-1.el7.x86_64.rpm
rh-php56-php-mbstring-5.6.25-1.el7.x86_64.rpm
rh-php56-php-mysqlnd-5.6.25-1.el7.x86_64.rpm
rh-php56-php-odbc-5.6.25-1.el7.x86_64.rpm
rh-php56-php-opcache-5.6.25-1.el7.x86_64.rpm
rh-php56-php-pdo-5.6.25-1.el7.x86_64.rpm
rh-php56-php-pgsql-5.6.25-1.el7.x86_64.rpm
rh-php56-php-process-5.6.25-1.el7.x86_64.rpm
rh-php56-php-pspell-5.6.25-1.el7.x86_64.rpm
rh-php56-php-recode-5.6.25-1.el7.x86_64.rpm
rh-php56-php-snmp-5.6.25-1.el7.x86_64.rpm
rh-php56-php-soap-5.6.25-1.el7.x86_64.rpm
rh-php56-php-xml-5.6.25-1.el7.x86_64.rpm
rh-php56-php-xmlrpc-5.6.25-1.el7.x86_64.rpm
rh-php56-runtime-2.3-1.el7.x86_64.rpm
rh-php56-scldevel-2.3-1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2):
Source:
rh-php56-2.3-1.el7.src.rpm
rh-php56-php-5.6.25-1.el7.src.rpm
rh-php56-php-pear-1.9.5-4.el7.src.rpm
noarch:
rh-php56-php-pear-1.9.5-4.el7.noarch.rpm
x86_64:
rh-php56-2.3-1.el7.x86_64.rpm
rh-php56-php-5.6.25-1.el7.x86_64.rpm
rh-php56-php-bcmath-5.6.25-1.el7.x86_64.rpm
rh-php56-php-cli-5.6.25-1.el7.x86_64.rpm
rh-php56-php-common-5.6.25-1.el7.x86_64.rpm
rh-php56-php-dba-5.6.25-1.el7.x86_64.rpm
rh-php56-php-dbg-5.6.25-1.el7.x86_64.rpm
rh-php56-php-debuginfo-5.6.25-1.el7.x86_64.rpm
rh-php56-php-devel-5.6.25-1.el7.x86_64.rpm
rh-php56-php-embedded-5.6.25-1.el7.x86_64.rpm
rh-php56-php-enchant-5.6.25-1.el7.x86_64.rpm
rh-php56-php-fpm-5.6.25-1.el7.x86_64.rpm
rh-php56-php-gd-5.6.25-1.el7.x86_64.rpm
rh-php56-php-gmp-5.6.25-1.el7.x86_64.rpm
rh-php56-php-intl-5.6.25-1.el7.x86_64.rpm
rh-php56-php-ldap-5.6.25-1.el7.x86_64.rpm
rh-php56-php-mbstring-5.6.25-1.el7.x86_64.rpm
rh-php56-php-mysqlnd-5.6.25-1.el7.x86_64.rpm
rh-php56-php-odbc-5.6.25-1.el7.x86_64.rpm
rh-php56-php-opcache-5.6.25-1.el7.x86_64.rpm
rh-php56-php-pdo-5.6.25-1.el7.x86_64.rpm
rh-php56-php-pgsql-5.6.25-1.el7.x86_64.rpm
rh-php56-php-process-5.6.25-1.el7.x86_64.rpm
rh-php56-php-pspell-5.6.25-1.el7.x86_64.rpm
rh-php56-php-recode-5.6.25-1.el7.x86_64.rpm
rh-php56-php-snmp-5.6.25-1.el7.x86_64.rpm
rh-php56-php-soap-5.6.25-1.el7.x86_64.rpm
rh-php56-php-xml-5.6.25-1.el7.x86_64.rpm
rh-php56-php-xmlrpc-5.6.25-1.el7.x86_64.rpm
rh-php56-runtime-2.3-1.el7.x86_64.rpm
rh-php56-scldevel-2.3-1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3):
Source:
rh-php56-2.3-1.el7.src.rpm
rh-php56-php-5.6.25-1.el7.src.rpm
rh-php56-php-pear-1.9.5-4.el7.src.rpm
noarch:
rh-php56-php-pear-1.9.5-4.el7.noarch.rpm
x86_64:
rh-php56-2.3-1.el7.x86_64.rpm
rh-php56-php-5.6.25-1.el7.x86_64.rpm
rh-php56-php-bcmath-5.6.25-1.el7.x86_64.rpm
rh-php56-php-cli-5.6.25-1.el7.x86_64.rpm
rh-php56-php-common-5.6.25-1.el7.x86_64.rpm
rh-php56-php-dba-5.6.25-1.el7.x86_64.rpm
rh-php56-php-dbg-5.6.25-1.el7.x86_64.rpm
rh-php56-php-debuginfo-5.6.25-1.el7.x86_64.rpm
rh-php56-php-devel-5.6.25-1.el7.x86_64.rpm
rh-php56-php-embedded-5.6.25-1.el7.x86_64.rpm
rh-php56-php-enchant-5.6.25-1.el7.x86_64.rpm
rh-php56-php-fpm-5.6.25-1.el7.x86_64.rpm
rh-php56-php-gd-5.6.25-1.el7.x86_64.rpm
rh-php56-php-gmp-5.6.25-1.el7.x86_64.rpm
rh-php56-php-intl-5.6.25-1.el7.x86_64.rpm
rh-php56-php-ldap-5.6.25-1.el7.x86_64.rpm
rh-php56-php-mbstring-5.6.25-1.el7.x86_64.rpm
rh-php56-php-mysqlnd-5.6.25-1.el7.x86_64.rpm
rh-php56-php-odbc-5.6.25-1.el7.x86_64.rpm
rh-php56-php-opcache-5.6.25-1.el7.x86_64.rpm
rh-php56-php-pdo-5.6.25-1.el7.x86_64.rpm
rh-php56-php-pgsql-5.6.25-1.el7.x86_64.rpm
rh-php56-php-process-5.6.25-1.el7.x86_64.rpm
rh-php56-php-pspell-5.6.25-1.el7.x86_64.rpm
rh-php56-php-recode-5.6.25-1.el7.x86_64.rpm
rh-php56-php-snmp-5.6.25-1.el7.x86_64.rpm
rh-php56-php-soap-5.6.25-1.el7.x86_64.rpm
rh-php56-php-xml-5.6.25-1.el7.x86_64.rpm
rh-php56-php-xmlrpc-5.6.25-1.el7.x86_64.rpm
rh-php56-runtime-2.3-1.el7.x86_64.rpm
rh-php56-scldevel-2.3-1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
rh-php56-2.3-1.el7.src.rpm
rh-php56-php-5.6.25-1.el7.src.rpm
rh-php56-php-pear-1.9.5-4.el7.src.rpm
noarch:
rh-php56-php-pear-1.9.5-4.el7.noarch.rpm
x86_64:
rh-php56-2.3-1.el7.x86_64.rpm
rh-php56-php-5.6.25-1.el7.x86_64.rpm
rh-php56-php-bcmath-5.6.25-1.el7.x86_64.rpm
rh-php56-php-cli-5.6.25-1.el7.x86_64.rpm
rh-php56-php-common-5.6.25-1.el7.x86_64.rpm
rh-php56-php-dba-5.6.25-1.el7.x86_64.rpm
rh-php56-php-dbg-5.6.25-1.el7.x86_64.rpm
rh-php56-php-debuginfo-5.6.25-1.el7.x86_64.rpm
rh-php56-php-devel-5.6.25-1.el7.x86_64.rpm
rh-php56-php-embedded-5.6.25-1.el7.x86_64.rpm
rh-php56-php-enchant-5.6.25-1.el7.x86_64.rpm
rh-php56-php-fpm-5.6.25-1.el7.x86_64.rpm
rh-php56-php-gd-5.6.25-1.el7.x86_64.rpm
rh-php56-php-gmp-5.6.25-1.el7.x86_64.rpm
rh-php56-php-intl-5.6.25-1.el7.x86_64.rpm
rh-php56-php-ldap-5.6.25-1.el7.x86_64.rpm
rh-php56-php-mbstring-5.6.25-1.el7.x86_64.rpm
rh-php56-php-mysqlnd-5.6.25-1.el7.x86_64.rpm
rh-php56-php-odbc-5.6.25-1.el7.x86_64.rpm
rh-php56-php-opcache-5.6.25-1.el7.x86_64.rpm
rh-php56-php-pdo-5.6.25-1.el7.x86_64.rpm
rh-php56-php-pgsql-5.6.25-1.el7.x86_64.rpm
rh-php56-php-process-5.6.25-1.el7.x86_64.rpm
rh-php56-php-pspell-5.6.25-1.el7.x86_64.rpm
rh-php56-php-recode-5.6.25-1.el7.x86_64.rpm
rh-php56-php-snmp-5.6.25-1.el7.x86_64.rpm
rh-php56-php-soap-5.6.25-1.el7.x86_64.rpm
rh-php56-php-xml-5.6.25-1.el7.x86_64.rpm
rh-php56-php-xmlrpc-5.6.25-1.el7.x86_64.rpm
rh-php56-runtime-2.3-1.el7.x86_64.rpm
rh-php56-scldevel-2.3-1.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2013-7456
https://access.redhat.com/security/cve/CVE-2014-9767
https://access.redhat.com/security/cve/CVE-2015-2325
https://access.redhat.com/security/cve/CVE-2015-2326
https://access.redhat.com/security/cve/CVE-2015-2327
https://access.redhat.com/security/cve/CVE-2015-2328
https://access.redhat.com/security/cve/CVE-2015-3210
https://access.redhat.com/security/cve/CVE-2015-3217
https://access.redhat.com/security/cve/CVE-2015-5073
https://access.redhat.com/security/cve/CVE-2015-8381
https://access.redhat.com/security/cve/CVE-2015-8383
https://access.redhat.com/security/cve/CVE-2015-8384
https://access.redhat.com/security/cve/CVE-2015-8385
https://access.redhat.com/security/cve/CVE-2015-8386
https://access.redhat.com/security/cve/CVE-2015-8388
https://access.redhat.com/security/cve/CVE-2015-8391
https://access.redhat.com/security/cve/CVE-2015-8392
https://access.redhat.com/security/cve/CVE-2015-8395
https://access.redhat.com/security/cve/CVE-2015-8835
https://access.redhat.com/security/cve/CVE-2015-8865
https://access.redhat.com/security/cve/CVE-2015-8866
https://access.redhat.com/security/cve/CVE-2015-8867
https://access.redhat.com/security/cve/CVE-2015-8873
https://access.redhat.com/security/cve/CVE-2015-8874
https://access.redhat.com/security/cve/CVE-2015-8876
https://access.redhat.com/security/cve/CVE-2015-8877
https://access.redhat.com/security/cve/CVE-2015-8879
https://access.redhat.com/security/cve/CVE-2016-1903
https://access.redhat.com/security/cve/CVE-2016-2554
https://access.redhat.com/security/cve/CVE-2016-3074
https://access.redhat.com/security/cve/CVE-2016-3141
https://access.redhat.com/security/cve/CVE-2016-3142
https://access.redhat.com/security/cve/CVE-2016-4070
https://access.redhat.com/security/cve/CVE-2016-4071
https://access.redhat.com/security/cve/CVE-2016-4072
https://access.redhat.com/security/cve/CVE-2016-4073
https://access.redhat.com/security/cve/CVE-2016-4342
https://access.redhat.com/security/cve/CVE-2016-4343
https://access.redhat.com/security/cve/CVE-2016-4473
https://access.redhat.com/security/cve/CVE-2016-4537
https://access.redhat.com/security/cve/CVE-2016-4538
https://access.redhat.com/security/cve/CVE-2016-4539
https://access.redhat.com/security/cve/CVE-2016-4540
https://access.redhat.com/security/cve/CVE-2016-4541
https://access.redhat.com/security/cve/CVE-2016-4542
https://access.redhat.com/security/cve/CVE-2016-4543
https://access.redhat.com/security/cve/CVE-2016-4544
https://access.redhat.com/security/cve/CVE-2016-5093
https://access.redhat.com/security/cve/CVE-2016-5094
https://access.redhat.com/security/cve/CVE-2016-5096
https://access.redhat.com/security/cve/CVE-2016-5114
https://access.redhat.com/security/cve/CVE-2016-5399
https://access.redhat.com/security/cve/CVE-2016-5766
https://access.redhat.com/security/cve/CVE-2016-5767
https://access.redhat.com/security/cve/CVE-2016-5768
https://access.redhat.com/security/cve/CVE-2016-5770
https://access.redhat.com/security/cve/CVE-2016-5771
https://access.redhat.com/security/cve/CVE-2016-5772
https://access.redhat.com/security/cve/CVE-2016-5773
https://access.redhat.com/security/cve/CVE-2016-6128
https://access.redhat.com/security/cve/CVE-2016-6207
https://access.redhat.com/security/cve/CVE-2016-6288
https://access.redhat.com/security/cve/CVE-2016-6289
https://access.redhat.com/security/cve/CVE-2016-6290
https://access.redhat.com/security/cve/CVE-2016-6291
https://access.redhat.com/security/cve/CVE-2016-6292
https://access.redhat.com/security/cve/CVE-2016-6294
https://access.redhat.com/security/cve/CVE-2016-6295
https://access.redhat.com/security/cve/CVE-2016-6296
https://access.redhat.com/security/cve/CVE-2016-6297
https://access.redhat.com/security/cve/CVE-2016-7124
https://access.redhat.com/security/cve/CVE-2016-7125
https://access.redhat.com/security/cve/CVE-2016-7126
https://access.redhat.com/security/cve/CVE-2016-7127
https://access.redhat.com/security/cve/CVE-2016-7128
https://access.redhat.com/security/cve/CVE-2016-7129
https://access.redhat.com/security/cve/CVE-2016-7130
https://access.redhat.com/security/cve/CVE-2016-7131
https://access.redhat.com/security/cve/CVE-2016-7132
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFYKvj4XlSAg2UNWIIRAqg2AKCB6Jcysv4gkiktKAJA3gy+RKlAqwCeJpjs
UCuj+0gWfBsWXOgFhgH0uL8=
=FcPG
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201611-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: PHP: Multiple vulnerabilities
Date: November 30, 2016
Bugs: #578734, #581834, #584204, #587246, #591710, #594498,
#597586, #599326
ID: 201611-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in PHP, the worst of which
could lead to arbitrary code execution or cause a Denial of Service
condition.
Background
==========
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/php < 5.6.28 >= 5.6.28
Description
===========
Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All PHP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.6.28"
References
==========
[ 1 ] CVE-2015-8865
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8865
[ 2 ] CVE-2016-3074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3074
[ 3 ] CVE-2016-4071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4071
[ 4 ] CVE-2016-4072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4072
[ 5 ] CVE-2016-4073
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4073
[ 6 ] CVE-2016-4537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4537
[ 7 ] CVE-2016-4538
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4538
[ 8 ] CVE-2016-4539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4539
[ 9 ] CVE-2016-4540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4540
[ 10 ] CVE-2016-4541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4541
[ 11 ] CVE-2016-4542
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4542
[ 12 ] CVE-2016-4543
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4543
[ 13 ] CVE-2016-4544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4544
[ 14 ] CVE-2016-5385
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5385
[ 15 ] CVE-2016-6289
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6289
[ 16 ] CVE-2016-6290
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6290
[ 17 ] CVE-2016-6291
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6291
[ 18 ] CVE-2016-6292
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6292
[ 19 ] CVE-2016-6294
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6294
[ 20 ] CVE-2016-6295
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6295
[ 21 ] CVE-2016-6296
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6296
[ 22 ] CVE-2016-6297
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6297
[ 23 ] CVE-2016-7124
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7124
[ 24 ] CVE-2016-7125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7125
[ 25 ] CVE-2016-7126
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7126
[ 26 ] CVE-2016-7127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7127
[ 27 ] CVE-2016-7128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7128
[ 28 ] CVE-2016-7129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7129
[ 29 ] CVE-2016-7130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7130
[ 30 ] CVE-2016-7131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7131
[ 31 ] CVE-2016-7132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7132
[ 32 ] CVE-2016-7133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7133
[ 33 ] CVE-2016-7134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7134
[ 34 ] CVE-2016-7411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7411
[ 35 ] CVE-2016-7412
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7412
[ 36 ] CVE-2016-7413
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7413
[ 37 ] CVE-2016-7414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7414
[ 38 ] CVE-2016-7416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7416
[ 39 ] CVE-2016-7417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7417
[ 40 ] CVE-2016-7418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7418
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201611-22
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201607-0763 | No CVE | Multiple vulnerabilities in Cube Digital Media Neoscreen |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cube Digital Media Neoscreen is a smart display from Cube Digital Media of France.
Cube Digital Media Neoscreen 4.5 has a security vulnerability. An attacker could use this vulnerability to execute arbitrary script code in the context of an affected site, steal cookie-based authentication, control applications, access or modify data, and bypass authentication mechanisms.
Neoscreen 4.5 is vulnerable; other versions may also be affected.
| VAR-201607-0037 | CVE-2016-6204 | Siemens SINEMA Remote Connect Server Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the integrated web server in Siemens SINEMA Remote Connect Server before 1.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. SINEMA Remote Connect helps users access remote equipment or machines, making maintenance easy and secure. An attacker could exploit the vulnerability to launch a cross-site attack.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
| VAR-201607-0463 | CVE-2016-5874 | Siemens SIMATIC NET PC-Software denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Siemens SIMATIC NET PC-Software before 13 SP2 allows remote attackers to cause a denial of service (OPC UA service outage) via crafted TCP packets. SIMATIC NET is an open and diverse communication system from Siemens at the industrial control level. A denial of service vulnerability exists in Siemens SIMATIC NET PC-Software; the affected system must be restarted manually to recover.
An attacker can exploit this issue to cause the affected application to restart, denying service to legitimate users. Siemens SIMATIC NET PC-Software is a set of software from Siemens, Germany, which supports PLC (programmable logic controller) and personal computer network communication.
| VAR-201607-0465 | CVE-2016-5743 | Multiple Siemens SIMATIC products: arbitrary code execution vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Siemens SIMATIC WinCC before 7.3 Update 10 and 7.4 before Update 1, SIMATIC BATCH before 8.1 SP1 Update 9 as distributed in SIMATIC PCS 7 through 8.1 SP1, SIMATIC OpenPCS 7 before 8.1 Update 3 as distributed in SIMATIC PCS 7 through 8.1 SP1, SIMATIC OpenPCS 7 before 8.2 Update 1 as distributed in SIMATIC PCS 7 8.2, and SIMATIC WinCC Runtime Professional before 13 SP1 Update 9 allow remote attackers to execute arbitrary code via crafted packets. SIMATIC WinCC (Windows Control Center) is Siemens' process monitoring system, providing complete monitoring and data acquisition (SCADA) functions for the industrial sector; the PCS 7 system is a seamlessly integrated automation solution for all industrial application fields. A remote code execution vulnerability exists in SIMATIC WinCC/PCS 7/WinCC Runtime Professional. Multiple Siemens Products are prone to a remote code-execution vulnerability.
An attacker can exploit this issue to inject and execute arbitrary code in the context of the affected application. Siemens SIMATIC WinCC and the other products listed are industrial automation products of Siemens, Germany.
| VAR-201607-0466 | CVE-2016-5744 | Siemens SIMATIC WinCC arbitrary WinCC station file read vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Siemens SIMATIC WinCC 7.0 through SP3 and 7.2 allows remote attackers to read arbitrary WinCC station files via crafted packets. SIMATIC WinCC (Windows Control Center) is Siemens' process monitoring system, providing complete monitoring and data acquisition (SCADA) functions for the industrial sector. SIMATIC WinCC contains a file read vulnerability.
Successful exploits may allow an attacker to read arbitrary files in the context of the user running the affected application. This may aid in further attacks. Siemens SIMATIC WinCC is a set of automatic data acquisition and monitoring (SCADA) system of German Siemens (Siemens). A security vulnerability exists in Siemens SIMATIC WinCC versions 7.0 to SP3 and 7.2.
| VAR-201608-0006 | CVE-2016-2180 | OpenSSL X.509 Public Key Infrastructure Time-Stamp Protocol implementation crypto/ts/ts_lib.c denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command. Supplementary information: the vulnerability type has been identified as CWE-125: Out-of-bounds Read. OpenSSL is prone to a local denial-of-service vulnerability.
An attacker may exploit this issue to crash the application, resulting in denial-of-service conditions.
OpenSSL Security Advisory [22 Sep 2016]
========================================
OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
=====================================================================
Severity: High
A malicious client can send an excessively large OCSP Status Request extension.
If that client continually requests renegotiation, sending a large OCSP Status
Request extension each time, then there will be unbounded memory growth on the
server. This will eventually lead to a Denial Of Service attack through memory
exhaustion. Servers with a default configuration are vulnerable even if they do
not support OCSP. Builds using the "no-ocsp" build time option are not affected.
Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default
configuration, instead only if an application explicitly enables OCSP stapling
support.
OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 29th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
development team.
SSL_peek() hang on empty record (CVE-2016-6305)
===============================================
Severity: Moderate
OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an
empty record. This could be exploited by a malicious peer in a Denial Of Service
attack.
OpenSSL 1.1.0 users should upgrade to 1.1.0a
This issue was reported to OpenSSL on 10th September 2016 by Alex Gaynor. The
fix was developed by Matt Caswell of the OpenSSL development team.
SWEET32 Mitigation (CVE-2016-2183)
==================================
Severity: Low
SWEET32 (https://sweet32.info) is an attack on older block cipher algorithms
that use a block size of 64 bits. In mitigation for the SWEET32 attack DES based
ciphersuites have been moved from the HIGH cipherstring group to MEDIUM in
OpenSSL 1.0.1 and OpenSSL 1.0.2. OpenSSL 1.1.0 since release has had these
ciphersuites disabled by default.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 16th August 2016 by Karthikeyan
Bhargavan and Gaetan Leurent (INRIA). The fix was developed by Rich Salz of the
OpenSSL development team.
OOB write in MDC2_Update() (CVE-2016-6303)
==========================================
Severity: Low
An overflow can occur in MDC2_Update() either if called directly or
through the EVP_DigestUpdate() function using MDC2. If an attacker
is able to supply very large amounts of input data after a previous
call to EVP_EncryptUpdate() with a partial block then a length check
can overflow resulting in a heap corruption.
The amount of data needed is comparable to SIZE_MAX which is impractical
on most platforms.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 11th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
Malformed SHA512 ticket DoS (CVE-2016-6302)
===========================================
Severity: Low
If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
DoS attack where a malformed ticket will result in an OOB read which will
ultimately crash.
The use of SHA512 in TLS session tickets is comparatively rare as it requires
a custom server callback and ticket lookup mechanism.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 19th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
OOB write in BN_bn2dec() (CVE-2016-2182)
========================================
Severity: Low
The function BN_bn2dec() does not check the return value of BN_div_word().
This can cause an OOB write if an application uses this function with an
overly large BIGNUM. This could be a problem if an overly large certificate
or CRL is printed out from an untrusted source. TLS is not affected because
record limits will reject an oversized certificate before it is parsed.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 2nd August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
==============================================
Severity: Low
The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
the total length the OID text representation would use and not the amount
of data written. This will result in OOB reads when large OIDs are presented.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 21st July 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
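The contract TS_OBJ_print_bio() got wrong is the snprintf-style one: the return value is the length the full text would need, not the number of bytes stored. The C example below is added here and is not OpenSSL code. oid_to_text() is a constructed stand-in with the same return-value contract the advisory describes for OBJ_obj2txt(), and the OID arcs used in main() are constructed sample data. It shows the misuse beside the corrected caller, which clamps to what the buffer actually holds and can detect truncation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for OBJ_obj2txt(): formats dotted-decimal OID arcs
 * into buf, writing at most bufsize-1 characters plus a NUL, but returns the
 * length the complete text would need (snprintf semantics). */
int oid_to_text(const unsigned int *arcs, size_t n, char *buf, size_t bufsize)
{
    size_t total = 0, i;
    for (i = 0; i < n; i++) {
        char piece[16];
        int len = snprintf(piece, sizeof piece, "%s%u", i ? "." : "", arcs[i]);
        if (total < bufsize)              /* still room: copy what fits */
            snprintf(buf + total, bufsize - total, "%s", piece);
        total += (size_t)len;
    }
    if (bufsize && total >= bufsize)      /* guarantee termination on truncation */
        buf[bufsize - 1] = '\0';
    return (int)total;
}

/* The bug pattern: treating the return value as "bytes written" and handing
 * that many bytes of buf to the next consumer. Returns the count such a
 * caller would pass on; whenever the text was truncated it exceeds bufsize,
 * which is exactly the out-of-bounds read the advisory describes. */
size_t bytes_read_flawed(const unsigned int *arcs, size_t n, char *buf, size_t bufsize)
{
    int ret = oid_to_text(arcs, n, buf, bufsize);
    return ret < 0 ? 0 : (size_t)ret;     /* caller would do write(fd, buf, ret) */
}

/* Fixed pattern: clamp to what was actually stored. Truncation is also
 * visible (ret >= bufsize), so a caller can grow the buffer and retry. */
size_t bytes_read_fixed(const unsigned int *arcs, size_t n, char *buf, size_t bufsize)
{
    int ret = oid_to_text(arcs, n, buf, bufsize);
    if (ret < 0 || bufsize == 0)
        return 0;
    return (size_t)ret < bufsize ? (size_t)ret : bufsize - 1;
}

int main(void)
{
    /* Constructed OID arcs (sha256WithRSAEncryption): 21 characters as text. */
    static const unsigned int arcs[] = { 1, 2, 840, 113549, 1, 1, 11 };
    char small[8];
    size_t flawed = bytes_read_flawed(arcs, 7, small, sizeof small);
    size_t fixed = bytes_read_fixed(arcs, 7, small, sizeof small);
    printf("text in buffer: \"%s\"\n", small);
    printf("flawed caller would read %zu bytes from an %zu-byte buffer\n", flawed, sizeof small);
    printf("fixed caller reads %zu bytes\n", fixed);
    return flawed > sizeof small && fixed < sizeof small ? 0 : 1;
}
```

The clamp is the whole fix; the same mistake recurs with snprintf(), strlcpy() and any other API that reports the length it would have needed.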
Pointer arithmetic undefined behaviour (CVE-2016-2177)
======================================================
Severity: Low
Avoid some undefined pointer arithmetic
A common idiom in the codebase is to check limits in the following manner:
"p + len > limit"
Where "p" points to some malloc'd data of SIZE bytes and
limit == p + SIZE
"len" here could be from some externally supplied data (e.g. from a TLS
message).
The rules of C pointer arithmetic are such that "p + len" is only well
defined where len <= SIZE. Therefore the above idiom is actually
undefined behaviour.
For example this could cause problems if some malloc implementation
provides an address for "p" such that "p + len" actually overflows for
values of len that are too big and therefore p + len < limit.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 4th May 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.
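The safe form of the check above compares lengths rather than pointers: testing len against limit - p never forms an out-of-range pointer, so there is no undefined behaviour for a compiler to exploit and no wrap-around on a narrow address space. The C example below is added here and is not OpenSSL code; fits_unsafe(), fits_safe() and parse_opaque16() are constructed names, and the two input buffers are constructed samples. It walks a 16-bit length-prefixed field the way a handshake parser would and rejects an advertised length larger than the bytes remaining.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* p points into a buffer that ends at limit (limit == start + size);
 * len is an untrusted length taken from the wire. */

/* The idiom the advisory describes. Forming p + len is undefined behaviour
 * whenever len exceeds the bytes left in the object, so a compiler may assume
 * the comparison never fires, and on a 32-bit target a large len can wrap the
 * address so that p + len < limit holds for an oversized len. */
int fits_unsafe(const unsigned char *p, size_t len, const unsigned char *limit)
{
    return !(p + len > limit);          /* only well defined when len <= limit - p */
}

/* Corrected idiom: compare lengths and never form a pointer past limit.
 * limit - p is well defined because both point into the same object. */
int fits_safe(const unsigned char *p, size_t len, const unsigned char *limit)
{
    if (p > limit)                      /* cursor already past the end */
        return 0;
    return len <= (size_t)(limit - p);
}

/* Minimal consumer: a 16-bit big-endian length prefix followed by that many
 * bytes, as in TLS "opaque x<0..2^16-1>" fields. Returns 1 and sets
 * *body/*body_len on success, 0 on a truncated or oversized input. */
int parse_opaque16(const unsigned char *buf, size_t buflen,
                   const unsigned char **body, size_t *body_len)
{
    const unsigned char *p = buf;
    const unsigned char *limit = buf + buflen;
    size_t len;

    if (!fits_safe(p, 2, limit))        /* need the two length bytes */
        return 0;
    len = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (!fits_safe(p, len, limit))      /* need len bytes of payload */
        return 0;
    *body = p;
    *body_len = len;
    return 1;
}

int main(void)
{
    /* Constructed sample: length 3 followed by "abc". */
    static const unsigned char ok[] = { 0x00, 0x03, 'a', 'b', 'c' };
    /* Constructed sample: claims 65535 bytes but carries one. */
    static const unsigned char bad[] = { 0xff, 0xff, 'a' };
    const unsigned char *body;
    size_t body_len;
    int r1 = parse_opaque16(ok, sizeof ok, &body, &body_len);
    int r2 = parse_opaque16(bad, sizeof bad, &body, &body_len);

    printf("well-formed input accepted: %d, oversized length rejected: %d\n", r1, !r2);
    return (r1 == 1 && r2 == 0) ? 0 : 1;
}
```

fits_unsafe() is kept only to show the shape of the original check; the parser never calls it, because the whole point is that its result is unreliable for exactly the inputs a bounds check exists to catch.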
Constant time flag not preserved in DSA signing (CVE-2016-2178)
===============================================================
Severity: Low
Operations in the DSA signing algorithm should run in constant time in order to
avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that
a non-constant time codepath is followed for certain operations. This has been
demonstrated through a cache-timing attack to be sufficient for an attacker to
recover the private DSA key.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 23rd May 2016 by César Pereida (Aalto
University), Billy Brumley (Tampere University of Technology), and Yuval Yarom
(The University of Adelaide and NICTA). The fix was developed by César Pereida.
DTLS buffered message DoS (CVE-2016-2179)
=========================================
Severity: Low
In a DTLS connection where handshake messages are delivered out-of-order those
messages that OpenSSL is not yet ready to process will be buffered for later
use. Under certain circumstances, a flaw in the logic means that those messages
do not get removed from the buffer even though the handshake has been completed.
An attacker could force up to approx. 15 messages to remain in the buffer when
they are no longer required. These messages will be cleared when the DTLS
connection is closed. The default maximum size for a message is 100k. Therefore
the attacker could force an additional 1500k to be consumed per connection. By
opening many simultaneous connections an attacker could cause a DoS attack
through memory exhaustion.
OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 22nd June 2016 by Quan Luo. The fix was
developed by Matt Caswell of the OpenSSL development team.
DTLS replay protection DoS (CVE-2016-2181)
==========================================
Severity: Low
A flaw in the DTLS replay attack protection mechanism means that records that
arrive for future epochs update the replay protection "window" before the MAC
for the record has been validated. This could be exploited by an attacker by
sending a record for the next epoch (which does not have to decrypt or have a
valid MAC), with a very large sequence number. This means that all subsequent
legitimate packets are dropped causing a denial of service for a specific
DTLS connection.
OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 21st November 2015 by the OCAP audit team.
The fix was developed by Matt Caswell of the OpenSSL development team.
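The ordering bug here is that the replay window is advanced before the record has been authenticated. The C example below is added here and is not OpenSSL code: it implements a 64-record sliding anti-replay window of the kind DTLS uses, with the pure check and the state update split into separate functions, and drives constructed traffic through both orderings so the effect of an unauthenticated record carrying a huge sequence number can be measured. The names replay_window, receive_flawed, receive_fixed and count_accepted are constructed, and the mac_ok flag on each record stands in for real MAC verification.

```c
#include <stdint.h>
#include <stdio.h>

#define WINDOW_BITS 64

/* 'right' is the highest sequence number accepted so far; bit i of 'bitmap'
 * is set when sequence number right - i has been accepted. */
typedef struct {
    uint64_t right;
    uint64_t bitmap;
    int      empty;     /* no record accepted yet */
} replay_window;

void replay_init(replay_window *w)
{
    w->right = 0;
    w->bitmap = 0;
    w->empty = 1;
}

/* Pure check: 1 if seq would be accepted, 0 if it is a replay or has fallen
 * off the left edge of the window. Never modifies the window. */
int replay_check(const replay_window *w, uint64_t seq)
{
    uint64_t diff;
    if (w->empty)
        return 1;
    if (seq > w->right)
        return 1;                                  /* newer than anything seen */
    diff = w->right - seq;
    if (diff >= WINDOW_BITS)
        return 0;                                  /* too old to track */
    return !(w->bitmap & ((uint64_t)1 << diff));   /* 0 if already seen */
}

/* Advance the window. Must only be called for a record whose MAC verified. */
void replay_update(replay_window *w, uint64_t seq)
{
    if (w->empty) {
        w->right = seq;
        w->bitmap = 1;
        w->empty = 0;
    } else if (seq > w->right) {
        uint64_t shift = seq - w->right;
        w->bitmap = (shift >= WINDOW_BITS) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1;
        w->right = seq;
    } else {
        w->bitmap |= (uint64_t)1 << (w->right - seq);
    }
}

/* Toy record: sequence number plus a constructed flag standing in for the
 * outcome of MAC verification over the record. */
typedef struct { uint64_t seq; int mac_ok; } record;

/* Flawed order (the CVE-2016-2181 pattern): the window is updated before the
 * MAC is checked, so an unauthenticated record with a huge sequence number
 * slides the window past every legitimate record still in flight. */
int receive_flawed(replay_window *w, const record *r)
{
    if (!replay_check(w, r->seq))
        return 0;
    replay_update(w, r->seq);            /* too early: record not yet authenticated */
    return r->mac_ok;
}

/* Correct order: verify first, update only on success. */
int receive_fixed(replay_window *w, const record *r)
{
    if (!replay_check(w, r->seq))
        return 0;
    if (!r->mac_ok)
        return 0;
    replay_update(w, r->seq);
    return 1;
}

/* Run a record sequence through a receiver and count accepted records. */
int count_accepted(int (*recv)(replay_window *, const record *),
                   const record *recs, int n)
{
    replay_window w;
    int accepted = 0, i;
    replay_init(&w);
    for (i = 0; i < n; i++)
        accepted += recv(&w, &recs[i]);
    return accepted;
}

int main(void)
{
    /* Constructed traffic: two good records, one forged record with a huge
     * sequence number and a bad MAC, then two more good records. */
    static const record traffic[] = { {1, 1}, {2, 1}, {1ULL << 40, 0}, {3, 1}, {4, 1} };
    int flawed = count_accepted(receive_flawed, traffic, 5);
    int fixed = count_accepted(receive_fixed, traffic, 5);
    printf("flawed ordering accepted %d of 4 legitimate records, fixed ordering %d\n",
           flawed, fixed);
    return (flawed == 2 && fixed == 4) ? 0 : 1;
}
```

The split into replay_check() and replay_update() is the design point: a receiver that has only a combined check-and-update function cannot put MAC verification between the two steps.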
Certificate message OOB reads (CVE-2016-6306)
=============================================
Severity: Low
In OpenSSL 1.0.2 and earlier some missing message length checks can result in
OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical
DoS risk but this has not been observed in practice on common platforms.
The messages affected are client certificate, client certificate request and
server certificate. As a result the attack can only be performed against
a client or a server which enables client authentication.
OpenSSL 1.1.0 is not affected.
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u
This issue was reported to OpenSSL on 22nd August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)
==========================================================================
Severity: Low
A TLS message includes 3 bytes for its length in the header for the message.
This would allow for messages up to 16Mb in length. Messages of this length are
excessive and OpenSSL includes a check to ensure that a peer is sending
reasonably sized messages in order to avoid too much memory being consumed to
service a connection. A flaw in the logic of version 1.1.0 means that memory for
the message is allocated too early, prior to the excessive message length
check. Due to the way memory is allocated in OpenSSL this could mean an attacker
could force up to 21Mb to be allocated to service a connection. This could lead
to a Denial of Service through memory exhaustion. However, the excessive message
length check still takes place, and this would cause the connection to
immediately fail. Assuming that the application calls SSL_free() on the failed
connection in a timely manner then the 21Mb of allocated memory will then be
immediately freed again. Therefore the excessive memory allocation will be
transitory in nature. This then means that there is only a security impact if:
1) The application does not call SSL_free() in a timely manner in the
event that the connection fails
or
2) The application is working in a constrained environment where there
is very little free memory
or
3) The attacker initiates multiple connection attempts such that there
are multiple connections in a state where memory has been allocated for
the connection; SSL_free() has not yet been called; and there is
insufficient memory to service the multiple requests.
Except in the instance of (1) above any Denial Of Service is likely to
be transitory because as soon as the connection fails the memory is
subsequently freed again in the SSL_free() call. However there is an
increased risk during this period of application crashes due to the lack
of memory - which would then mean a more serious Denial of Service.
This issue does not affect DTLS users.
OpenSSL 1.1.0 TLS users should upgrade to 1.1.0a
This issue was reported to OpenSSL on 18th September 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
development team.
Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)
=============================================================================
Severity: Low
This issue is very similar to CVE-2016-6307. The underlying defect is different
but the security analysis and impacts are the same except that it impacts DTLS.
A DTLS message includes 3 bytes for its length in the header for the message.
This would allow for messages up to 16Mb in length. Messages of this length are
excessive and OpenSSL includes a check to ensure that a peer is sending
reasonably sized messages in order to avoid too much memory being consumed to
service a connection. A flaw in the logic of version 1.1.0 means that memory for
the message is allocated too early, prior to the excessive message length
check. Due to the way memory is allocated in OpenSSL this could mean an attacker
could force up to 21Mb to be allocated to service a connection. This could lead
to a Denial of Service through memory exhaustion. However, the excessive message
length check still takes place, and this would cause the connection to
immediately fail. Assuming that the application calls SSL_free() on the failed
connection in a timely manner then the 21Mb of allocated memory will then be
immediately freed again. Therefore the excessive memory allocation will be
transitory in nature. This then means that there is only a security impact if:
1) The application does not call SSL_free() in a timely manner in the
event that the connection fails
or
2) The application is working in a constrained environment where there
is very little free memory
or
3) The attacker initiates multiple connection attempts such that there
are multiple connections in a state where memory has been allocated for
the connection; SSL_free() has not yet been called; and there is
insufficient memory to service the multiple requests.
Except in the instance of (1) above any Denial Of Service is likely to
be transitory because as soon as the connection fails the memory is
subsequently freed again in the SSL_free() call. However there is an
increased risk during this period of application crashes due to the lack
of memory - which would then mean a more serious Denial of Service.
This issue does not affect TLS users.
OpenSSL 1.1.0 DTLS users should upgrade to 1.1.0a
This issue was reported to OpenSSL on 18th September 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL
development team.
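The ordering defect that the CVE-2016-6307 and CVE-2016-6308 entries above describe (the receiver sizes a buffer from the peer-supplied 3-byte length field and only afterwards applies the excessive-length check) is easiest to see next to the corrected ordering. The C program below is an added example and is not OpenSSL's code; the header layout, the 16 KiB cap, the hs_* function names and the two sample headers are constructed for illustration. Both orderings reject an oversized message, but only the corrected one does so without having asked the allocator for the declared size first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed cap for this example; OpenSSL's own limit is different. */
#define MAX_HANDSHAKE_LEN ((size_t)16 * 1024)

/* Handshake header as the advisory describes it: 1 byte of message type
 * followed by a 3-byte big-endian body length, so a peer may declare a
 * body of up to 16 MiB. */
#define HANDSHAKE_HDR_LEN 4

enum hs_result { HS_OK = 0, HS_SHORT_HDR, HS_TOO_LARGE, HS_NOMEM };

struct hs_msg {
    uint8_t type;
    size_t len;          /* body length the peer declared */
    unsigned char *body; /* buffer for the body, or NULL */
    size_t requested;    /* bytes asked of malloc() while processing */
};

static size_t read_uint24(const unsigned char *p) {
    return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | (size_t)p[2];
}

void hs_free(struct hs_msg *m) {
    free(m->body);
    m->body = NULL;
}

/* Flawed ordering, the shape of the 1.1.0 defect: the buffer is sized from
 * the declared length before that length is checked. The oversized message
 * is still rejected, but the allocation has already happened and is only
 * returned when the failed connection is cleaned up. */
enum hs_result hs_alloc_then_check(const unsigned char *hdr, size_t hdr_len,
                                   struct hs_msg *m) {
    *m = (struct hs_msg){0};
    if (hdr_len < HANDSHAKE_HDR_LEN)
        return HS_SHORT_HDR;
    m->type = hdr[0];
    m->len = read_uint24(hdr + 1);
    m->body = malloc(m->len ? m->len : 1);  /* allocated too early */
    if (m->body == NULL)
        return HS_NOMEM;
    m->requested = m->len;
    if (m->len > MAX_HANDSHAKE_LEN) {
        hs_free(m);                          /* the transitory allocation */
        return HS_TOO_LARGE;
    }
    return HS_OK;
}

/* Corrected ordering: the declared length is validated before anything is
 * allocated, so a peer cannot make the receiver reserve more than the cap. */
enum hs_result hs_check_then_alloc(const unsigned char *hdr, size_t hdr_len,
                                   struct hs_msg *m) {
    *m = (struct hs_msg){0};
    if (hdr_len < HANDSHAKE_HDR_LEN)
        return HS_SHORT_HDR;
    m->type = hdr[0];
    m->len = read_uint24(hdr + 1);
    if (m->len > MAX_HANDSHAKE_LEN)
        return HS_TOO_LARGE;                 /* nothing allocated yet */
    m->body = malloc(m->len ? m->len : 1);
    if (m->body == NULL)
        return HS_NOMEM;
    m->requested = m->len;
    return HS_OK;
}

/* Run one header through either ordering (check_first selects the corrected
 * one), release the buffer, and report the outcome and the bytes requested. */
enum hs_result hs_run(int check_first, const unsigned char *hdr,
                      size_t hdr_len, size_t *requested) {
    struct hs_msg m;
    enum hs_result r = check_first ? hs_check_then_alloc(hdr, hdr_len, &m)
                                   : hs_alloc_then_check(hdr, hdr_len, &m);
    hs_free(&m);
    if (requested)
        *requested = m.requested;
    return r;
}

size_t hs_bytes_requested(int check_first, const unsigned char *hdr,
                          size_t hdr_len) {
    size_t n = 0;
    hs_run(check_first, hdr, hdr_len, &n);
    return n;
}

/* Constructed sample headers: type 1 declaring a 64 KiB body (over the cap)
 * and type 1 declaring a 32-byte body (within the cap). */
const unsigned char SAMPLE_OVERSIZED_HDR[HANDSHAKE_HDR_LEN] = {1, 0x01, 0x00, 0x00};
const unsigned char SAMPLE_SMALL_HDR[HANDSHAKE_HDR_LEN] = {1, 0x00, 0x00, 0x20};
```

Calling hs_bytes_requested(0, SAMPLE_OVERSIZED_HDR, HANDSHAKE_HDR_LEN) reports the 65536 bytes the flawed ordering requested before rejecting the message, while hs_bytes_requested(1, ...) on the same header reports 0. The point the advisory makes follows directly: with the flawed ordering the cost of a rejected message is bounded only by what the length field can express and by how promptly the caller cleans up the failed connection, whereas with the check first the cap is enforced before any memory is committed.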
Note
====
As per our previous announcements and our Release Strategy
(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL
version 1.0.1 will cease on 31st December 2016. No security updates for that
version will be provided after that date. Users of 1.0.1 are advised to
upgrade.
Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those
versions are no longer receiving security updates.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20160922.txt
Note: the online version of the advisory may be updated with additional details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: openssl security update
Advisory ID: RHSA-2016:1940-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1940.html
Issue date: 2016-09-27
CVE Names: CVE-2016-2177 CVE-2016-2178 CVE-2016-2179
CVE-2016-2180 CVE-2016-2181 CVE-2016-2182
CVE-2016-6302 CVE-2016-6304 CVE-2016-6306
=====================================================================
1. Summary:
An update for openssl is now available for Red Hat Enterprise Linux 6 and
Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols, as well as a full-strength
general-purpose cryptography library. A remote attacker
could cause a TLS server using OpenSSL to consume an excessive amount of
memory and, possibly, exit unexpectedly after exhausting all available
memory, if it enabled OCSP stapling support.
(CVE-2016-2178)
* It was discovered that the Datagram TLS (DTLS) implementation could fail
to release memory in certain cases. A malicious DTLS client could cause a
DTLS server using OpenSSL to consume an excessive amount of memory and,
possibly, exit unexpectedly after exhausting all available memory. A remote attacker could possibly use this flaw
to make a DTLS server using OpenSSL reject further packets sent from a
DTLS client over an established DTLS connection. (CVE-2016-2181)
* An out of bounds write flaw was discovered in the OpenSSL BN_bn2dec()
function. (CVE-2016-2182)
* A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL
protocol. A man-in-the-middle attacker could use this flaw to recover some
plaintext data by capturing large amounts of encrypted traffic between
TLS/SSL server and client if the communication used a DES/3DES based
ciphersuite. (CVE-2016-2183)
This update mitigates the CVE-2016-2183 issue by lowering priority of DES
cipher suites so they are not preferred over cipher suites using AES. For
compatibility reasons, DES cipher suites remain enabled by default and
included in the set of cipher suites identified by the HIGH cipher string.
Future updates may move them to MEDIUM or not enable them by default.
* An integer underflow flaw leading to a buffer over-read was found in the
way OpenSSL parsed TLS session tickets. (CVE-2016-6302)
* Multiple integer overflow flaws were found in the way OpenSSL performed
pointer arithmetic. A remote attacker could possibly use these flaws to
cause a TLS/SSL server or client using OpenSSL to crash. A remote attacker could
possibly use these flaws to crash a TLS/SSL server or client using OpenSSL.
(CVE-2016-6306)
Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304
and CVE-2016-6306 and OpenVPN for reporting CVE-2016-2183.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted.
5. Bugs fixed (https://bugzilla.redhat.com/):
1341705 - CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase
1343400 - CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation
1359615 - CVE-2016-2180 OpenSSL: OOB read in TS_OBJ_print_bio()
1367340 - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()
1369113 - CVE-2016-2181 openssl: DTLS replay protection bypass allows DoS against DTLS connection
1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
1369504 - CVE-2016-2179 openssl: DTLS memory exhaustion DoS when messages are not removed from fragment buffer
1369855 - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks
1377594 - CVE-2016-6306 openssl: certificate message OOB reads
1377600 - CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
openssl-1.0.1e-48.el6_8.3.src.rpm
i386:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
x86_64:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-perl-1.0.1e-48.el6_8.3.i686.rpm
openssl-static-1.0.1e-48.el6_8.3.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
openssl-1.0.1e-48.el6_8.3.src.rpm
x86_64:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
openssl-1.0.1e-48.el6_8.3.src.rpm
i386:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
ppc64:
openssl-1.0.1e-48.el6_8.3.ppc.rpm
openssl-1.0.1e-48.el6_8.3.ppc64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.ppc.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.ppc64.rpm
openssl-devel-1.0.1e-48.el6_8.3.ppc.rpm
openssl-devel-1.0.1e-48.el6_8.3.ppc64.rpm
s390x:
openssl-1.0.1e-48.el6_8.3.s390.rpm
openssl-1.0.1e-48.el6_8.3.s390x.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.s390.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.s390x.rpm
openssl-devel-1.0.1e-48.el6_8.3.s390.rpm
openssl-devel-1.0.1e-48.el6_8.3.s390x.rpm
x86_64:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-perl-1.0.1e-48.el6_8.3.i686.rpm
openssl-static-1.0.1e-48.el6_8.3.i686.rpm
ppc64:
openssl-debuginfo-1.0.1e-48.el6_8.3.ppc64.rpm
openssl-perl-1.0.1e-48.el6_8.3.ppc64.rpm
openssl-static-1.0.1e-48.el6_8.3.ppc64.rpm
s390x:
openssl-debuginfo-1.0.1e-48.el6_8.3.s390x.rpm
openssl-perl-1.0.1e-48.el6_8.3.s390x.rpm
openssl-static-1.0.1e-48.el6_8.3.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
openssl-1.0.1e-48.el6_8.3.src.rpm
i386:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
x86_64:
openssl-1.0.1e-48.el6_8.3.i686.rpm
openssl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-devel-1.0.1e-48.el6_8.3.i686.rpm
openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm
openssl-perl-1.0.1e-48.el6_8.3.i686.rpm
openssl-static-1.0.1e-48.el6_8.3.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm
openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source:
openssl-1.0.1e-51.el7_2.7.src.rpm
x86_64:
openssl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-libs-1.0.1e-51.el7_2.7.i686.rpm
openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-devel-1.0.1e-51.el7_2.7.i686.rpm
openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-static-1.0.1e-51.el7_2.7.i686.rpm
openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
openssl-1.0.1e-51.el7_2.7.src.rpm
x86_64:
openssl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-libs-1.0.1e-51.el7_2.7.i686.rpm
openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-devel-1.0.1e-51.el7_2.7.i686.rpm
openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-static-1.0.1e-51.el7_2.7.i686.rpm
openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
openssl-1.0.1e-51.el7_2.7.src.rpm
ppc64:
openssl-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-devel-1.0.1e-51.el7_2.7.ppc.rpm
openssl-devel-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-libs-1.0.1e-51.el7_2.7.ppc.rpm
openssl-libs-1.0.1e-51.el7_2.7.ppc64.rpm
ppc64le:
openssl-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-devel-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-libs-1.0.1e-51.el7_2.7.ppc64le.rpm
s390x:
openssl-1.0.1e-51.el7_2.7.s390x.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.s390.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.s390x.rpm
openssl-devel-1.0.1e-51.el7_2.7.s390.rpm
openssl-devel-1.0.1e-51.el7_2.7.s390x.rpm
openssl-libs-1.0.1e-51.el7_2.7.s390.rpm
openssl-libs-1.0.1e-51.el7_2.7.s390x.rpm
x86_64:
openssl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-devel-1.0.1e-51.el7_2.7.i686.rpm
openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-libs-1.0.1e-51.el7_2.7.i686.rpm
openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-perl-1.0.1e-51.el7_2.7.ppc64.rpm
openssl-static-1.0.1e-51.el7_2.7.ppc.rpm
openssl-static-1.0.1e-51.el7_2.7.ppc64.rpm
ppc64le:
openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-perl-1.0.1e-51.el7_2.7.ppc64le.rpm
openssl-static-1.0.1e-51.el7_2.7.ppc64le.rpm
s390x:
openssl-debuginfo-1.0.1e-51.el7_2.7.s390.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.s390x.rpm
openssl-perl-1.0.1e-51.el7_2.7.s390x.rpm
openssl-static-1.0.1e-51.el7_2.7.s390.rpm
openssl-static-1.0.1e-51.el7_2.7.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-static-1.0.1e-51.el7_2.7.i686.rpm
openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
openssl-1.0.1e-51.el7_2.7.src.rpm
x86_64:
openssl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-devel-1.0.1e-51.el7_2.7.i686.rpm
openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-libs-1.0.1e-51.el7_2.7.i686.rpm
openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm
openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm
openssl-static-1.0.1e-51.el7_2.7.i686.rpm
openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-2177
https://access.redhat.com/security/cve/CVE-2016-2178
https://access.redhat.com/security/cve/CVE-2016-2179
https://access.redhat.com/security/cve/CVE-2016-2180
https://access.redhat.com/security/cve/CVE-2016-2181
https://access.redhat.com/security/cve/CVE-2016-2182
https://access.redhat.com/security/cve/CVE-2016-6302
https://access.redhat.com/security/cve/CVE-2016-6304
https://access.redhat.com/security/cve/CVE-2016-6306
https://access.redhat.com/security/updates/classification/#important
https://www.openssl.org/news/secadv/20160922.txt
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFX6nnFXlSAg2UNWIIRAqklAJ9uGMit/wxZ0CfuGjR7Vi2+AjmGMwCfTpEI
xpTW7ApBLmKhVjs49DGYouI=
=4VgY
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Additional information can be found at
https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/
CVE-2016-2178
Cesar Pereida, Billy Brumley and Yuval Yarom discovered a timing
leak in the DSA code.
CVE-2016-2179 / CVE-2016-2181
Quan Luo and the OCAP audit team discovered denial of service
vulnerabilities in DTLS.
For the stable distribution (jessie), these problems have been fixed in
version 1.0.1t-1+deb8u4.
For the unstable distribution (sid), these problems will be fixed soon.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201612-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: OpenSSL: Multiple vulnerabilities
Date: December 07, 2016
Bugs: #581234, #585142, #585276, #591454, #592068, #592074,
#592082, #594500, #595186
ID: 201612-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in OpenSSL, the worst of which
allows attackers to conduct a time based side-channel attack.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/openssl < 1.0.2j >= 1.0.2j
Description
===========
Multiple vulnerabilities have been discovered in OpenSSL. Please review
the CVE identifiers and the International Association for Cryptologic
Research's (IACR) paper, "Make Sure DSA Signing Exponentiations Really
are Constant-Time" for further details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All OpenSSL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2j"
References
==========
[ 1 ] CVE-2016-2105
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2105
[ 2 ] CVE-2016-2106
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2106
[ 3 ] CVE-2016-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2107
[ 4 ] CVE-2016-2108
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2108
[ 5 ] CVE-2016-2109
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2109
[ 6 ] CVE-2016-2176
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2176
[ 7 ] CVE-2016-2177
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2177
[ 8 ] CVE-2016-2178
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2178
[ 9 ] CVE-2016-2180
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2180
[ 10 ] CVE-2016-2183
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2183
[ 11 ] CVE-2016-6304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6304
[ 12 ] CVE-2016-6305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6305
[ 13 ] CVE-2016-6306
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6306
[ 14 ] CVE-2016-7052
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7052
[ 15 ] Make Sure DSA Signing Exponentiations Really are Constant-Time
http://eprint.iacr.org/2016/594.pdf
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201612-16
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
==========================================================================
Ubuntu Security Notice USN-3087-2
September 23, 2016
openssl regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
USN-3087-1 introduced a regression in OpenSSL. The fix for CVE-2016-2182 was
incomplete and caused a regression when parsing certificates. This update
fixes the problem.
We apologize for the inconvenience. This
issue has only been addressed in Ubuntu 16.04 LTS in this update. (CVE-2016-2178)
Quan Luo discovered that OpenSSL did not properly restrict the lifetime
of queue entries in the DTLS implementation. (CVE-2016-2181)
Shi Lei discovered that OpenSSL incorrectly validated division results.
(CVE-2016-2182)
Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES
ciphers were vulnerable to birthday attacks.
(CVE-2016-2183)
Shi Lei discovered that OpenSSL incorrectly handled certain ticket lengths. (CVE-2016-6303)
Shi Lei discovered that OpenSSL incorrectly performed certain message
length checks. (CVE-2016-6306)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
libssl1.0.0 1.0.2g-1ubuntu4.5
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.21
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.38
After a standard system update you need to reboot your computer to make
all the necessary changes.
| VAR-201607-0724 | No CVE | Hitron CGNV4 Router Multiple Security Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Hitron CGNV4 is a router product of Hitron.
Hitron CGNV4 Router version 4.3.9.9-SIP-UPC has the following vulnerabilities: 1. a security bypass vulnerability; 2. a cross-site request forgery vulnerability; 3. a command injection vulnerability. Attackers can use these vulnerabilities to execute arbitrary commands, steal cookie-based authentication credentials, obtain sensitive information, and perform unauthorized operations. Hitron CGNV4 Router is prone to multiple security vulnerabilities, including:
1. This may aid in further attacks.
Hitron CGNV4, 4.3.9.9-SIP-UPC is vulnerable; other versions may also be affected
| VAR-201608-0497 | No CVE | Cisco EPC3925 UPC Unsecure Default Password Vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The Cisco EPC3925 is a home router device. The Cisco EPC3925 UPC has an insecure default password vulnerability. Remote attackers with knowledge of the default credentials may exploit this vulnerability to gain unauthorized access and perform unauthorized actions. This may aid in further attacks
| VAR-201608-0190 | CVE-2016-4834 | Vtiger CRM does not properly restrict access to application data |
CVSS V2: 5.5 CVSS V3: 8.1 Severity: HIGH |
modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors. Vtiger CRM is a customer relationship management (CRM) software. Vtiger CRM contains a vulnerability where it does not properly restrict access to user information data. Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. A user with user privileges may create new users or alter existing user information.
Successfully exploiting this issue may allow attackers to perform unauthorized actions. This may lead to other attacks.
Vtiger CRM 6.4.0 and prior versions are vulnerable. The management system provides functions such as management, collection, and analysis of customer information. The vulnerability is caused by the program not properly restricting the user-save operation
| VAR-201607-0544 | CVE-2016-1374 | Cisco Unified Computing System Performance Manager of Web Framework arbitrary command execution vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
The web framework in Cisco Unified Computing System (UCS) Performance Manager 2.0.0 and earlier allows remote authenticated users to execute arbitrary commands via crafted parameters in a GET request, aka Bug ID CSCuy07827.
An attacker can exploit this issue to execute arbitrary code on the affected system with the privileges of a root user.
This issue is being tracked by Cisco Bug ID CSCuy07827.
Cisco UCS Performance Manager versions 2.0.0 and prior are vulnerable
| VAR-201607-0235 | CVE-2016-5131 | Proxy auto-config (PAC) files have access to full HTTPS URLs |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. Web proxy auto-config (PAC) files are passed the full HTTPS URL in GET requests which may expose sensitive data. Supplementary information: the CWE vulnerability type has been identified as CWE-416: Use After Free (use of freed memory). Google Chrome is prone to multiple security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, bypass security restriction and perform unauthorized actions, cause denial-of-service conditions, retrieve sensitive information; other attacks may also be possible.
Versions prior to Chrome 52.0.2743.82 are vulnerable.
Note: The issue described by CVE-2016-1706 has been moved to BID 92263 (Google Chrome CVE-2016-1706 Sandbox Security Bypass Vulnerability) for better documentation. Google Chrome is a web browser developed by Google.
CVE-2016-1704
The chrome development team found and fixed various issues during
internal auditing.
CVE-2016-1705
The chrome development team found and fixed various issues during
internal auditing.
CVE-2016-1706
Pinkie Pie discovered a way to escape the Pepper Plugin API sandbox.
CVE-2016-1709
ChenQin discovered a buffer overflow issue in the sfntly library.
CVE-2016-5128
A same-origin bypass issue was discovered in the v8 javascript library.
CVE-2016-5132
Ben Kelly discovered a same-origin bypass.
CVE-2016-5137
Xiaoyin Liu discovered a way to discover whether an HSTS web site had been
visited.
For the stable distribution (jessie), these problems have been fixed in
version 52.0.2743.82-1~deb8u1.
For the testing (stretch) and unstable (sid) distributions, these problems
have been fixed in version 52.0.2743.82-1.
We recommend that you upgrade your chromium-browser packages.
=========================================================================
Ubuntu Security Notice USN-3041-1
August 05, 2016
oxide-qt vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Oxide.
Software Description:
- oxide-qt: Web browser engine for Qt (QML plugin)
Details:
Multiple security issues were discovered in Chromium. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service (application crash) or execute arbitrary code. (CVE-2016-1705)
It was discovered that the PPAPI implementation does not validate the
origin of IPC messages to the plugin broker process. A remote attacker
could potentially exploit this to bypass sandbox protection mechanisms.
(CVE-2016-1706)
It was discovered that Blink does not prevent window creation by a
deferred frame. A remote attacker could potentially exploit this to bypass
same origin restrictions. (CVE-2016-1710)
It was discovered that Blink does not disable frame navigation during a
detach operation on a DocumentLoader object. A remote attacker could
potentially exploit this to bypass same origin restrictions.
(CVE-2016-1711)
A use-after-free was discovered in Blink. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via renderer process crash, or execute
arbitrary code. (CVE-2016-5127)
It was discovered that objects.cc in V8 does not prevent API interceptors
from modifying a store target without setting a property. A remote
attacker could potentially exploit this to bypass same origin
restrictions. (CVE-2016-5128)
A memory corruption was discovered in V8. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via renderer process crash, or execute
arbitrary code. (CVE-2016-5129)
A security issue was discovered in Chromium. A remote attacker could
potentially exploit this to spoof the currently displayed URL.
(CVE-2016-5130)
A use-after-free was discovered in libxml. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via renderer process crash, or execute
arbitrary code. (CVE-2016-5131)
The Service Workers implementation in Chromium does not properly implement
the Secure Contexts specification during decisions about whether to
control a subframe. A remote attacker could potentially exploit this to
bypass same origin restrictions. (CVE-2016-5132)
It was discovered that Chromium mishandles origin information during proxy
authentication. A man-in-the-middle attacker could potentially exploit this
to spoof a proxy authentication login prompt. (CVE-2016-5133)
It was discovered that the Proxy Auto-Config (PAC) feature in Chromium
does not ensure that URL information is restricted to a scheme, host and
port. A remote attacker could potentially exploit this to obtain sensitive
information. (CVE-2016-5134)
It was discovered that Blink does not consider referrer-policy information
inside an HTML document during a preload request. A remote attacker could
potentially exploit this to bypass Content Security Policy (CSP)
protections. (CVE-2016-5135)
It was discovered that the Content Security Policy (CSP) implementation in
Blink does not apply http :80 policies to https :443 URLs. A remote
attacker could potentially exploit this to determine whether a specific
HSTS web site has been visited by reading a CSP report. (CVE-2016-5137)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
liboxideqtcore0 1.16.5-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
liboxideqtcore0 1.16.5-0ubuntu0.14.04.1
In general, a standard system update will make all the necessary changes.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: libxml2 security update
Advisory ID: RHSA-2020:1190-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1190
Issue date: 2020-03-31
CVE Names: CVE-2015-8035 CVE-2016-5131 CVE-2017-15412
CVE-2017-18258 CVE-2018-14404 CVE-2018-14567
====================================================================
1. Summary:
An update for libxml2 is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
The libxml2 library is a development toolbox providing the implementation
of various XML standards.
Security Fix(es):
* libxml2: Use after free triggered by XPointer paths beginning with
range-to (CVE-2016-5131)
* libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate()
function in xpath.c (CVE-2017-15412)
* libxml2: DoS caused by incorrect error detection during XZ decompression
(CVE-2015-8035)
* libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in
xpath.c (CVE-2018-14404)
* libxml2: Unrestricted memory usage in xz_head() function in xzlib.c
(CVE-2017-18258)
* libxml2: Infinite loop caused by incorrect error detection during LZMA
decompression (CVE-2018-14567)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.8 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
The desktop must be restarted (log out, then log back in) for this update
to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1277146 - CVE-2015-8035 libxml2: DoS caused by incorrect error detection during XZ decompression
1358641 - CVE-2016-5131 libxml2: Use after free triggered by XPointer paths beginning with range-to
1523128 - CVE-2017-15412 libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c
1566749 - CVE-2017-18258 libxml2: Unrestricted memory usage in xz_head() function in xzlib.c
1595985 - CVE-2018-14404 libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c
1619875 - CVE-2018-14567 libxml2: Infinite loop caused by incorrect error detection during LZMA decompression
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
libxml2-2.9.1-6.el7.4.src.rpm
x86_64:
libxml2-2.9.1-6.el7.4.i686.rpm
libxml2-2.9.1-6.el7.4.x86_64.rpm
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-python-2.9.1-6.el7.4.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-devel-2.9.1-6.el7.4.i686.rpm
libxml2-devel-2.9.1-6.el7.4.x86_64.rpm
libxml2-static-2.9.1-6.el7.4.i686.rpm
libxml2-static-2.9.1-6.el7.4.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
libxml2-2.9.1-6.el7.4.src.rpm
x86_64:
libxml2-2.9.1-6.el7.4.i686.rpm
libxml2-2.9.1-6.el7.4.x86_64.rpm
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-python-2.9.1-6.el7.4.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-devel-2.9.1-6.el7.4.i686.rpm
libxml2-devel-2.9.1-6.el7.4.x86_64.rpm
libxml2-static-2.9.1-6.el7.4.i686.rpm
libxml2-static-2.9.1-6.el7.4.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
libxml2-2.9.1-6.el7.4.src.rpm
ppc64:
libxml2-2.9.1-6.el7.4.ppc.rpm
libxml2-2.9.1-6.el7.4.ppc64.rpm
libxml2-debuginfo-2.9.1-6.el7.4.ppc.rpm
libxml2-debuginfo-2.9.1-6.el7.4.ppc64.rpm
libxml2-devel-2.9.1-6.el7.4.ppc.rpm
libxml2-devel-2.9.1-6.el7.4.ppc64.rpm
libxml2-python-2.9.1-6.el7.4.ppc64.rpm
ppc64le:
libxml2-2.9.1-6.el7.4.ppc64le.rpm
libxml2-debuginfo-2.9.1-6.el7.4.ppc64le.rpm
libxml2-devel-2.9.1-6.el7.4.ppc64le.rpm
libxml2-python-2.9.1-6.el7.4.ppc64le.rpm
s390x:
libxml2-2.9.1-6.el7.4.s390.rpm
libxml2-2.9.1-6.el7.4.s390x.rpm
libxml2-debuginfo-2.9.1-6.el7.4.s390.rpm
libxml2-debuginfo-2.9.1-6.el7.4.s390x.rpm
libxml2-devel-2.9.1-6.el7.4.s390.rpm
libxml2-devel-2.9.1-6.el7.4.s390x.rpm
libxml2-python-2.9.1-6.el7.4.s390x.rpm
x86_64:
libxml2-2.9.1-6.el7.4.i686.rpm
libxml2-2.9.1-6.el7.4.x86_64.rpm
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-devel-2.9.1-6.el7.4.i686.rpm
libxml2-devel-2.9.1-6.el7.4.x86_64.rpm
libxml2-python-2.9.1-6.el7.4.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
libxml2-debuginfo-2.9.1-6.el7.4.ppc.rpm
libxml2-debuginfo-2.9.1-6.el7.4.ppc64.rpm
libxml2-static-2.9.1-6.el7.4.ppc.rpm
libxml2-static-2.9.1-6.el7.4.ppc64.rpm
ppc64le:
libxml2-debuginfo-2.9.1-6.el7.4.ppc64le.rpm
libxml2-static-2.9.1-6.el7.4.ppc64le.rpm
s390x:
libxml2-debuginfo-2.9.1-6.el7.4.s390.rpm
libxml2-debuginfo-2.9.1-6.el7.4.s390x.rpm
libxml2-static-2.9.1-6.el7.4.s390.rpm
libxml2-static-2.9.1-6.el7.4.s390x.rpm
x86_64:
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-static-2.9.1-6.el7.4.i686.rpm
libxml2-static-2.9.1-6.el7.4.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
libxml2-2.9.1-6.el7.4.src.rpm
x86_64:
libxml2-2.9.1-6.el7.4.i686.rpm
libxml2-2.9.1-6.el7.4.x86_64.rpm
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-devel-2.9.1-6.el7.4.i686.rpm
libxml2-devel-2.9.1-6.el7.4.x86_64.rpm
libxml2-python-2.9.1-6.el7.4.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
libxml2-debuginfo-2.9.1-6.el7.4.i686.rpm
libxml2-debuginfo-2.9.1-6.el7.4.x86_64.rpm
libxml2-static-2.9.1-6.el7.4.i686.rpm
libxml2-static-2.9.1-6.el7.4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-8035
https://access.redhat.com/security/cve/CVE-2016-5131
https://access.redhat.com/security/cve/CVE-2017-15412
https://access.redhat.com/security/cve/CVE-2017-18258
https://access.redhat.com/security/cve/CVE-2018-14404
https://access.redhat.com/security/cve/CVE-2018-14567
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.8_release_notes/index
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. (CVE-2016-4448)
It was discovered that libxml2 incorrectly handled certain malformed
documents.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201610-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: October 29, 2016
Bugs: #589278, #590420, #592630, #593708, #595614, #597016
ID: 201610-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in the Chromium web browser,
the worst of which allows remote attackers to execute arbitrary code.
Background
==========
Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web. Please review the CVE identifiers referenced below for
details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-54.0.2840.59"
References
==========
[ 1 ] CVE-2016-5127
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5127
[ 2 ] CVE-2016-5128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5128
[ 3 ] CVE-2016-5129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5129
[ 4 ] CVE-2016-5130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5130
[ 5 ] CVE-2016-5131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5131
[ 6 ] CVE-2016-5132
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5132
[ 7 ] CVE-2016-5133
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5133
[ 8 ] CVE-2016-5134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5134
[ 9 ] CVE-2016-5135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5135
[ 10 ] CVE-2016-5136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5136
[ 11 ] CVE-2016-5137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5137
[ 12 ] CVE-2016-5138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5138
[ 13 ] CVE-2016-5139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5139
[ 14 ] CVE-2016-5140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5140
[ 15 ] CVE-2016-5141
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5141
[ 16 ] CVE-2016-5142
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5142
[ 17 ] CVE-2016-5143
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5143
[ 18 ] CVE-2016-5144
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5144
[ 19 ] CVE-2016-5145
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5145
[ 20 ] CVE-2016-5146
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5146
[ 21 ] CVE-2016-5147
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5147
[ 22 ] CVE-2016-5148
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5148
[ 23 ] CVE-2016-5149
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5149
[ 24 ] CVE-2016-5150
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5150
[ 25 ] CVE-2016-5151
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5151
[ 26 ] CVE-2016-5152
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5152
[ 27 ] CVE-2016-5153
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5153
[ 28 ] CVE-2016-5154
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5154
[ 29 ] CVE-2016-5155
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5155
[ 30 ] CVE-2016-5156
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5156
[ 31 ] CVE-2016-5157
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5157
[ 32 ] CVE-2016-5158
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5158
[ 33 ] CVE-2016-5159
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5159
[ 34 ] CVE-2016-5160
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5160
[ 35 ] CVE-2016-5161
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5161
[ 36 ] CVE-2016-5162
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5162
[ 37 ] CVE-2016-5163
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5163
[ 38 ] CVE-2016-5164
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5164
[ 39 ] CVE-2016-5165
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5165
[ 40 ] CVE-2016-5166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5166
[ 41 ] CVE-2016-5167
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5167
[ 42 ] CVE-2016-5170
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5170
[ 43 ] CVE-2016-5171
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5171
[ 44 ] CVE-2016-5172
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5172
[ 45 ] CVE-2016-5173
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5173
[ 46 ] CVE-2016-5174
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5174
[ 47 ] CVE-2016-5175
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5175
[ 48 ] CVE-2016-5177
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5177
[ 49 ] CVE-2016-5178
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5178
[ 50 ] CVE-2016-5181
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5181
[ 51 ] CVE-2016-5182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5182
[ 52 ] CVE-2016-5183
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5183
[ 53 ] CVE-2016-5184
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5184
[ 54 ] CVE-2016-5185
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5185
[ 55 ] CVE-2016-5186
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5186
[ 56 ] CVE-2016-5187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5187
[ 57 ] CVE-2016-5188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5188
[ 58 ] CVE-2016-5189
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5189
[ 59 ] CVE-2016-5190
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5190
[ 60 ] CVE-2016-5191
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5191
[ 61 ] CVE-2016-5192
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5192
[ 62 ] CVE-2016-5193
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5193
[ 63 ] CVE-2016-5194
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5194
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201610-09
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
This update upgrades Chromium to version 52.0.2743.82. (CVE-2016-1706, CVE-2016-1708, CVE-2016-1709, CVE-2016-1710,
CVE-2016-1711, CVE-2016-5127, CVE-2016-5128, CVE-2016-5129, CVE-2016-5130,
CVE-2016-5131, CVE-2016-5132, CVE-2016-5133, CVE-2016-5134, CVE-2016-5135,
CVE-2016-5136, CVE-2016-5137, CVE-2016-1705)
4. Bugs fixed (https://bugzilla.redhat.com/):
1358630 - CVE-2016-1706 chromium-browser: sandbox escape in ppapi
1358632 - CVE-2016-1708 chromium-browser: use-after-free in extensions
1358633 - CVE-2016-1709 chromium-browser: heap-buffer-overflow in sfntly
1358634 - CVE-2016-1710 chromium-browser: same-origin bypass in blink
1358636 - CVE-2016-1711 chromium-browser: same-origin bypass in blink
1358637 - CVE-2016-5127 chromium-browser: use-after-free in blink
1358638 - CVE-2016-5128 chromium-browser: same-origin bypass in v8
1358639 - CVE-2016-5129 chromium-browser: memory corruption in v8
1358640 - CVE-2016-5130 chromium-browser: url spoofing
1358641 - CVE-2016-5131 chromium-browser: use-after-free in libxml
1358642 - CVE-2016-5132 chromium-browser: limited same-origin bypass in service workers
1358643 - CVE-2016-5133 chromium-browser: origin confusion in proxy authentication
1358645 - CVE-2016-5134 chromium-browser: url leakage via pac script
1358646 - CVE-2016-5135 chromium-browser: content-security-policy bypass
1358647 - CVE-2016-5136 chromium-browser: use after free in extensions
1358648 - CVE-2016-5137 chromium-browser: history sniffing with hsts and csp
1358649 - CVE-2016-1705 chromium-browser: various fixes from internal audits
| VAR-201607-0243 | CVE-2016-5080 | Objective Systems ASN1C generates code that contains a heap overflow vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Integer overflow in the rtxMemHeapAlloc function in asn1rt_a.lib in Objective Systems ASN1C for C/C++ before 7.0.2 allows context-dependent attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow), on a system running an application compiled by ASN1C, via crafted ASN.1 data. ASN.1 is a standard notation for describing data structures in network and communication applications. Heap-based buffer overflow (CWE-122) - CVE-2016-5080. ASN1C is used to generate high-level language source code from ASN.1 syntax. According to the reporter, a heap-based buffer overflow vulnerability exists in the rtxMemHeapAlloc function of the heap manager in the C or C++ source code generated by ASN1C. As of July 20, 2016, it is unknown whether a similar vulnerability exists in the Java and C# source code output by ASN1C. Whether an application is affected depends on whether it uses the rtxMemHeapAlloc function; specifically, processing ASN.1 data received from an untrusted communication peer may be affected by this vulnerability. Developers who use ASN1C to develop in-house products need to verify their source code to determine whether their products contain this vulnerability. The reporter has published further information as a security advisory. In the most serious case, a remote third party may execute arbitrary code with the privileges of the application (such as root or SYSTEM) by having it process ASN.1 data received from an untrusted peer. Failed exploit attempts will likely result in denial-of-service conditions.
Fundación Dr. Manuel Sadosky
1. ASN1C compiler for C/C++
Advisory ID: STIC-2016-0603
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2016-07-18
Date of last update: 2016-07-19
Vendors contacted: Objective Systems Inc.
Release mode: Coordinated release
2. *Vulnerability Description*
Abstract Syntax Notation One (ASN.1) is a technical standard and formal
notation that describes rules and structures for representing, encoding,
transmitting, and decoding data in telecommunications and computer
networking[1]. It is a joint standard of the International Organization
for Standardization (ISO), International Electrotechnical Commission
(IEC), and International Telecommunication Union Telecommunication
Standardization Sector ITU-T[2] used in technical standards for wireless
communications such as GSM, UMTS and LTE, Lawful Interception,
Intelligent Transportation Systems, signalling in fixed and mobile
telecommunications networks (SS7), wireless broadband access (WiMAX),
data security (X.509), network management (SNMP), voice over IP and
IP-based videoconferencing (H.323), manufacturing, aviation, aerospace
and several other areas[3].
Software components that generate, transmit and parse ASN.1 encoded data
constitute a critical building block of software that runs on billions
of mobile devices, telecommunication switching equipment and systems for
operation and management of critical infrastructures. The ASN.1
specification is sufficiently complicated to make writing programs that
parse ASN.1 encoded data a perilous and error-prone activity. Many
technology vendors have adopted the practice of using computer-generated
programs to parse ASN.1 encoded data. This is accomplished by using an
ASN.1 compiler, a software tool that given as input a data specification
written in ASN.1 generates as output the source code of a program that
can be used to encode and decode in compliance with the specification.
The output of an ASN.1 compiler is generally incorporated as a building
block in a software system that transmits or processes ASN.1 encoded data. Objective Systems Inc. is a US-based private company[5] that develops
and commercializes ASN1C, an ASN.1 compiler for various programming
languages, to vendors in the telecommunications, data networking,
aviation, aerospace, defense and law enforcement sectors[6].
The vulnerability could be triggered remotely without any authentication
in scenarios where the vulnerable code receives and processes ASN.1
encoded data from untrusted sources, these may include communications
between mobile devices and telecommunication network infrastructure
nodes, communications between nodes in a carrier's network or across
carrier boundaries, or communication between mutually untrusted
endpoints in a data network. Objective Systems Inc. has addressed the issue and built a fixed interim
version of the ASN1C for C/C++ compiler that is available to customers
upon request. The fixes will be incorporated in the next (v7.0.2)
release of ASN1C for C/C++.
For further information about vulnerable vendors and available fixes
refer to the CERT/CC vulnerability note [4].
4. ASN1C compiler for C/C++ version 7.0 or below. Refer to the
CERT/CC vulnerability note[4] for a list of potentially affected vendors.
5. *Vendor Information, Solutions and Workarounds*
Vendor fixed the issue in an interim release of the ASN1C v7.0.1
compiler available to customers upon request[5]. The upcoming ASN1C
v7.0.2 release will incorporate the fixes.
6. *Credits*
This vulnerability was discovered and researched by Lucas Molas. The
publication of this advisory was coordinated by Programa Seguridad en TIC.
7. *Technical Description*
This document details a bug found in the latest release of Objective
Systems Inc.'s ASN1C compiler for C/C++ (v7.0.0), particularly in the
'rtxMemHeapAlloc' function contained in the pre-compiled 'asn1rt_a.lib'
library, where two integer overflows have been detected, which could
lead to corruption of heap memory in an attacker-controlled scenario.
The component analyzed was the "evaluation package of ASN1C" (v7.0.0)
for Windows (x86) MSVC 32-bit, but the analysis also applies to other
platforms. The analysis was performed with the IDA (v6.9) disassembler,
from which the assembly blocks shown below have been extracted (the
assembly syntax and location addresses may vary).
The pre-compiled library analyzed, 'asn1rt_a.lib', was extracted from
'<installdir>\c\lib\' (which corresponds to the Visual C++ 2013 version).
In 'rtxMemHeapAlloc', after initial checks to the context's internal
memory heap ('pMemHeap') which may entail calls to 'rtxMemHeapCreate'
and 'rtxMemHeapCheck', the 'nbytes' argument ('arg_4' in the
disassembly) is manipulated. Its value is rounded to the next multiple
of 8 bytes using 'ecx' and storing the result in 'var_9C'. To accomplish
this, a value of '7' is added to 'ecx' before making the shift without
checking the resulting value, which could lead to an integer overflow of
the 32-bit register if the value of 'nbytes' is '0xFFFFFFF9' or higher.
The following assembly blocks illustrate this.
/-----
loc_A6:
mov ecx, [ebp+arg_4]       ; ecx = nbytes
add ecx, 7                 ; nbytes + 7, unchecked: wraps when nbytes >= 0xFFFFFFF9
shr ecx, 3                 ; round up to a multiple of 8 (result in 8-byte units)
mov [ebp+var_9C], ecx      ; var_9C = rounded size
mov edx, [ebp+var_18]
mov eax, [edx+18h]
and eax, 20000000h
jnz short loc_D2           ; flag set: take the 'malloc' path at loc_D2
-----/
The 'rtxMemHeapAlloc' function does not perform any validation of the
'nbytes' argument and therefore it is up to the caller to make sure its
value does not overflow when the allocator rounds it up to a multiple of
8 bytes and adds 20 bytes to the memory to be allocated to accommodate a
heap control structure. However, the caller of 'rtxMemHeapAlloc' will be
a function automatically generated by the ASN1C compiler and typically
will not have any size constraints on the arguments passed to
'rtxMemHeapAlloc', and indirectly to 'malloc', unless added manually.
The resulting value of 'var_9C' is checked against the constant '0FFFCh'
to decide whether to allocate the memory requested using the internal
heap implementation or the system's memory allocator, which is usually
available through the 'malloc' function.
A similar pattern is found later when 'malloc' is called.
If 'malloc' is used, the value in 'var_9C' is discarded in favor of the
original value of the 'nbytes' argument. This value is added to '14h' in
'ecx' before saving it to 'var_E8' without any validation which could
lead to an integer overflow if the value of argument 'nbytes' is
'0xFFFFFFEC' or greater. The resulting value in 'var_E8' is then used as
the argument for the call to 'malloc'. As a consequence, large values
passed in the 'nbytes' argument to 'rtxMemHeapAlloc' will result in a
size calculation that wraps around and ends up calling 'malloc' with a
size argument that is less than what is needed to store the data that
will be copied to it later on. The following assembly block illustrates
this.
/-----
loc_D2:
mov ecx, [ebp+arg_4]       ; ecx = original nbytes (the rounded var_9C is discarded)
add ecx, 14h               ; nbytes + 20 for the control structure, unchecked: wraps when nbytes >= 0xFFFFFFEC
mov [ebp+var_E8], ecx      ; var_E8 = size handed to the allocator
mov edx, [ebp+var_E8]
push edx                   ; size argument
mov eax, [ebp+var_18]
mov ecx, [eax+1Ch]         ; allocator function pointer (normally 'malloc')
call ecx
add esp, 4
mov [ebp+var_24], eax      ; returned pointer
cmp [ebp+var_24], 0
jnz short loc_120          ; continue if the allocation succeeded
-----/
Due to the fact that the bugs are located in the core runtime support
library, it is hard to assess its exploitability in all scenarios but it
is safe to assume that it would lead to attacker-controlled memory
corruption of either the system's heap (if 'malloc' is called) or of the
internal memory allocator (if the number of bytes requested is below the
aforementioned threshold). Since heap control structures can be
overwritten with attacker controlled data, it is safe to assume that
remote code execution can be achieved in many scenarios in which ASN.1
parsing code generated by the ASN1C compiler for C/C++ is used without
manual modification. Manual modification of automatically generated code
is generally not recommended so mechanisms that would prevent triggering
of these bugs are not likely to be found in deployed systems.
As an illustrative example, the 3GPP APIs can be mentioned, particularly
the '[NAS/RRC add-on for ASN1C SDK]'[7]. The C code generated by
ASN1C for the RRC decoder ('EUTRA-RRC-DefinitionsDec.c') uses
'rtxMemHeapAlloc' for the allocation of the extension optional bits of
the extension elements, where the length, not known in advance, is
obtained from the encoded element received from an untrusted source by
calling 'pd_SmallLength', which allows unconstrained whole numbers,
resulting in a call to 'rtxMemHeapAlloc' with an externally controlled
'nbytes' argument.
/-----
/* decode extension elements */
if (extbit) {
   OSOCTET* poptbits;
   /* decode extension optional bits length */
   stat = pd_SmallLength (pctxt, &bitcnt);   /* bitcnt is taken from the untrusted input, unconstrained */
   if (stat != 0) return stat;
   poptbits = (OSOCTET*) rtxMemAlloc (pctxt, bitcnt);   /* size reaches rtxMemHeapAlloc unchecked */
   if (0 == poptbits) return RTERR_NOMEM;
   for (i_ = 0; i_ < bitcnt; i_++) {   /* writes bitcnt bytes into a buffer that may have been undersized */
      stat = DEC_BIT (pctxt, &poptbits[i_]);
      if (stat != 0) {
         rtxMemFreePtr (pctxt, poptbits);
         return stat;
      }
   }
-----/
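As an added illustration (not code from this advisory, from Objective Systems or from the ASN1C runtime), the following C program models the two size computations described above for a 32-bit build and the caller-side bound that the generated decoder shown above lacks. The 20-byte control structure and the 0xFFFC threshold are taken from the advisory; the direction of the threshold comparison (requests above it go to 'malloc'), the internal heap allocating in 8-byte units, and the 'length_fits_input' helper are assumptions made for the example. It reproduces the wrap for the two boundary values named in the text and places a hardened size check beside the vulnerable arithmetic.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the size arithmetic in rtxMemHeapAlloc as described in the
 * advisory (32-bit build).  Constants come from the advisory; the direction
 * of the 0xFFFC comparison and the 8-byte unit size of the internal heap are
 * assumptions for this example.
 */
#define HEAP_HDR_BYTES   0x14u   /* control structure added before malloc() */
#define UNITS_THRESHOLD  0xFFFCu /* rounded size (in 8-byte units) compared here */

typedef struct {
    bool     uses_malloc; /* true: system malloc(); false: internal heap */
    uint32_t alloc_size;  /* bytes actually requested from that allocator */
} alloc_decision_t;

/* Vulnerable arithmetic: both additions are unchecked and wrap in 32 bits. */
alloc_decision_t vulnerable_decision(uint32_t nbytes)
{
    alloc_decision_t d;
    uint32_t units = (nbytes + 7u) >> 3;          /* loc_A6: wraps for nbytes >= 0xFFFFFFF9 */

    if (units > UNITS_THRESHOLD) {
        d.uses_malloc = true;
        d.alloc_size  = nbytes + HEAP_HDR_BYTES;  /* loc_D2: wraps for nbytes >= 0xFFFFFFEC */
    } else {
        d.uses_malloc = false;
        d.alloc_size  = units * 8u;               /* internal heap works in 8-byte units (assumed) */
    }
    return d;
}

/* How many bytes the decoder loop would write beyond what was allocated. */
uint32_t overflow_bytes(uint32_t nbytes)
{
    alloc_decision_t d = vulnerable_decision(nbytes);
    return nbytes > d.alloc_size ? nbytes - d.alloc_size : 0u;
}

/*
 * Hardened arithmetic: reject any request whose padded size would not fit in
 * 32 bits.  Because the header (0x14) exceeds the rounding slack (7), one
 * bound covers both additions.  Returns 0 on rejection, which can never be a
 * valid result because the header alone is 20 bytes.
 */
uint32_t hardened_malloc_size(uint32_t nbytes)
{
    if (nbytes > UINT32_MAX - HEAP_HDR_BYTES)
        return 0u;
    return nbytes + HEAP_HDR_BYTES;
}

/*
 * Caller-side bound for a generated decoder (hypothetical helper): a length
 * decoded from the wire must not exceed the bits still available in the
 * input buffer, otherwise the allocation is sized by attacker data alone.
 */
bool length_fits_input(uint32_t bitcnt, uint32_t remaining_bits)
{
    return bitcnt <= remaining_bits;
}

int main(void)
{
    const uint32_t samples[] = { 100u, 0xFFFFFFECu, 0xFFFFFFF0u, 0xFFFFFFF9u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        alloc_decision_t d = vulnerable_decision(samples[i]);
        printf("nbytes=0x%08" PRIX32 " -> %s, allocates %" PRIu32
               " bytes, decoder overruns by %" PRIu32 " bytes, hardened size=%" PRIu32 "\n",
               samples[i], d.uses_malloc ? "malloc" : "internal heap",
               d.alloc_size, overflow_bytes(samples[i]), hardened_malloc_size(samples[i]));
    }
    return 0;
}
```

Running the program shows the two failure modes the advisory describes: 0xFFFFFFF0 and 0xFFFFFFEC take the 'malloc' path with a 4-byte and a 0-byte request respectively, while 0xFFFFFFF9 rounds to zero units and is served by the internal heap with no space at all; the hardened check rejects all three and only passes sizes that still fit after padding.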
8. *Report Timeline*
2016-06-03:
Sent email to Objective Systems Inc.
2016-06-06:
Vendor responded with contact information to send the bug report
in plaintext.
2016-06-06:
Bug report sent in plaintext to the email address provided by
the vendor. The report included technical details to identify and
reproduce the bug. Publication date set to July 6, 2016.
2016-06-08:
CERT/CC contacted, bug report filed in a web form, encrypted
using the CERT/CC PGP public key.
2016-06-08:
CERT/CC replied by email acknowledging the report, assigned VR-198
as internal tracking number.
2016-06-08:
Email sent to CERT/CC saying that the bug is present in code
generated by the ASN1C compiler for C; it is also likely that C++ code
is buggy and not likely that Java code is, but neither C++ nor Java code
were tested.
2016-06-10:
Email sent to the vendor requesting acknowledgement of the
report sent on June 6 and noting that CERT/CC was contacted.
2016-06-10:
Vendor acknowledged reception of the bug report and stated that
it will look into the issue as time permits.
Vendor indicated that the issues were fixed in an interim v7.0.1.x
version of ASN1C that will be available to customers upon request and
that the next v7.0.2 release will incorporate the fixes. Offered a
version of ASN1C updated with the fixes for testing.
2016-06-14:
Programa STIC replied to the vendor accepting the offer for the
pre-release version of ASN1C with the fixes and stated it is on track
for publication on July 6.
2016-06-15:
Programa STIC notified CERT/CC that the vendor has fixed the
issues and will make available an updated version of ASN1C to customers
upon request. Asked CERT/CC about plans for dissemination of the report
and whether it had contact information for ITU IMPACT. Publication is
still planned for July 6.
2016-06-16:
CERT/CC replied saying they have no contact information for ITU
IMPACT but will try to reach as many potentially affected vendors as
possible. The vulnerabilities were assigned the CVE-2016-5080
identifier. CERT/CC will likely publish a Vulnerability Note on its
website once the report becomes public.
2016-06-16:
Programa STIC said that vendors will need to assess whether
they're vulnerable and determine if they want to ask Objective Systems
for the fixed interim v7.0.1.x version or wait for the v7.0.2 release.
Programa STIC recommends the former since the v7.0.2 release may include
non-security fixes and features and does not have an estimated release
date at the moment.
2016-06-27:
Programa STIC sent mail to CERT/CC requesting a status update
and saying it is on track to publish on July 6.
2016-07-01:
CERT/CC replied saying one of the contacted vendors requested to
delay the publication for 2 months while they investigate their
products. Asked if Programa STIC would accept the request or proceed
with the current publication date.
2016-07-01:
Programa STIC replied that a two month delay seemed excessive
and that at least 2 additional factors should be weighed: 1. memory
corruption bugs in ASN.1 related components of an LTE stack have been
announced or hinted at in several infosec conference presentations over
the past few weeks and it is likely the same or similar bugs will become
public soon. 2. Objective Systems has already produced a fix that is
available upon request to all its customers. It does not seem reasonable
to impose a 2 month publication delay on every other vendor. Asked
CERT/CC: 1. Did other vendors request to postpone publication or
indicate they were or were not vulnerable? 2. Did CERT/CC disseminate
the information to any other parties?
2016-07-01:
CERT/CC indicated they've contacted as many vendors as possible,
US-CERT and international CERT partners, and that only one vendor has
requested to delay publication so far. Agreed that proceeding with the
original publication schedule is reasonable given the partial disclosure
due to dissemination that already occurred plus the fact that a fix is
available.
2016-07-01:
Programa STIC sent mail to CERT/CC saying that for the moment it
will proceed with the original deadline but make a final decision on
July 5.
2016-07-06:
Programa STIC sent email to CERT/CC indicating it decided to
postpone publication for a week to give vendors some additional time to
assess whether they are vulnerable and plan for issuing fixes. The new
publication date was set to July 13.
2016-07-06:
CERT/CC replied that it will notify vendors of the new
publication date.
2016-07-14:
Programa STIC told CERT/CC that publication was postponed to
Monday, July 18.
2016-07-13:
Programa STIC sent mail to Objective Systems Inc. Asked if a CVE ID
has been assigned to the issue.
2016-07-13:
Programa STIC sent mail to Objective Systems Inc. saying
CVE-2016-5080 was assigned by CERT and promising to send a draft of the
security advisory when ready for publication.
2016-07-14:
Programa STIC sent email to Objective Systems informing them that
the security advisory will be published on July 18 with guidance for
potentially affected vendors to contact them to request a fixed version
of the ASN1C compiler for C/C++.
9. *References*
[1] Abstract Syntax Notation One (ASN.1)
http://www.itu.int/en/ITU-T/asn1/Pages/introduction.aspx
[2] ASN.1 Project (ITU)
http://www.itu.int/en/ITU-T/asn1/Pages/asn1_project.aspx
[3] ASN.1 Applications and Standards
http://www.oss.com/asn1/resources/standards-use-asn1.html
[4] CERT/CC Vulnerability Notes
http://www.kb.cert.org/vuls
[5] Objective Systems Inc.
https://www.obj-sys.com
[6] Vendors possibly using ASN.1 compiler for C/C++.
https://www.obj-sys.com/customers/
[7] Non-Access Stratum (NAS) LTE, GERAN-RRC, and other non-ASN.1 APIs
3GPP TS 24.007 24.008 24.011 24.301 44.018.
https://www.obj-sys.com/products/asn1apis/lte_3gpp_apis.php
10. *About Fundación Dr. Manuel Sadosky*
The Dr. Manuel Sadosky Foundation is a mixed (public / private)
institution whose goal is to promote stronger and closer interaction
between industry and the scientific-technological system in all aspects
related to Information and Communications Technology (ICT). The
Foundation was formally created by a Presidential Decree in 2009. Its
Chairman is the Minister of Science, Technology, and Productive
Innovation of Argentina; and the Vice-chairmen are the chairmen of the
country's most important ICT chambers: The Software and Computer
Services Chamber (CESSI) and the Argentine Computing and
Telecommunications Chamber (CICOMRA). For more information visit:
http://www.fundacionsadosky.org.ar
11. *Copyright Notice*
The contents of this advisory are copyright (c) 2014-2016 Fundación
Sadosky and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 4.0 License:
http://creativecommons.org/licenses/by-nc-sa/4.0/
--
Programa de Seguridad en TIC
Fundación Dr. Manuel Sadosky
Av. Córdoba 744 Piso 5 Oficina I
TE/FAX: 4328-5164