VARIoT IoT vulnerabilities database
| VAR-201502-0356 | CVE-2015-0315 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0313, CVE-2015-0320, and CVE-2015-0322. This vulnerability CVE-2015-0313 , CVE-2015-0320 ,and CVE-2015-0322 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlAn attacker could execute arbitrary code. Failed attacks may cause denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.442"
References
==========
[ 1 ] CVE-2015-0301
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0301
[ 2 ] CVE-2015-0302
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0302
[ 3 ] CVE-2015-0303
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0303
[ 4 ] CVE-2015-0304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0304
[ 5 ] CVE-2015-0305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0305
[ 6 ] CVE-2015-0306
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0306
[ 7 ] CVE-2015-0307
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0307
[ 8 ] CVE-2015-0308
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0308
[ 9 ] CVE-2015-0309
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0309
[ 10 ] CVE-2015-0310
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0310
[ 11 ] CVE-2015-0311
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0311
[ 12 ] CVE-2015-0314
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0314
[ 13 ] CVE-2015-0315
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0315
[ 14 ] CVE-2015-0316
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0316
[ 15 ] CVE-2015-0317
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0317
[ 16 ] CVE-2015-0318
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0318
[ 17 ] CVE-2015-0319
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0319
[ 18 ] CVE-2015-0320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0320
[ 19 ] CVE-2015-0321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0321
[ 20 ] CVE-2015-0322
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0322
[ 21 ] CVE-2015-0323
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0323
[ 22 ] CVE-2015-0324
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0324
[ 23 ] CVE-2015-0325
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0325
[ 24 ] CVE-2015-0326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0326
[ 25 ] CVE-2015-0327
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0327
[ 26 ] CVE-2015-0328
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0328
[ 27 ] CVE-2015-0329
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0329
[ 28 ] CVE-2015-0330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0330
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0140-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0140.html
Issue date: 2015-02-06
CVE Names: CVE-2015-0314 CVE-2015-0315 CVE-2015-0316
CVE-2015-0317 CVE-2015-0318 CVE-2015-0319
CVE-2015-0320 CVE-2015-0321 CVE-2015-0322
CVE-2015-0323 CVE-2015-0324 CVE-2015-0325
CVE-2015-0326 CVE-2015-0327 CVE-2015-0328
CVE-2015-0329 CVE-2015-0330
=====================================================================
1.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1190068 - flash-plugin: multiple code execution flaws (APSB15-04)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0314
https://access.redhat.com/security/cve/CVE-2015-0315
https://access.redhat.com/security/cve/CVE-2015-0316
https://access.redhat.com/security/cve/CVE-2015-0317
https://access.redhat.com/security/cve/CVE-2015-0318
https://access.redhat.com/security/cve/CVE-2015-0319
https://access.redhat.com/security/cve/CVE-2015-0320
https://access.redhat.com/security/cve/CVE-2015-0321
https://access.redhat.com/security/cve/CVE-2015-0322
https://access.redhat.com/security/cve/CVE-2015-0323
https://access.redhat.com/security/cve/CVE-2015-0324
https://access.redhat.com/security/cve/CVE-2015-0325
https://access.redhat.com/security/cve/CVE-2015-0326
https://access.redhat.com/security/cve/CVE-2015-0327
https://access.redhat.com/security/cve/CVE-2015-0328
https://access.redhat.com/security/cve/CVE-2015-0329
https://access.redhat.com/security/cve/CVE-2015-0330
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU1NKPXlSAg2UNWIIRAuaMAKCrTaZA9Qbqdqmms8W0dscYkNvkiQCeIiHs
Rb1nXRLO0fFKuancn8e1EKw=
=IZLG
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201502-0354 | CVE-2015-0330 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0314, CVE-2015-0316, CVE-2015-0318, CVE-2015-0321, and CVE-2015-0329.
Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed attacks may cause denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.442"
References
==========
[ 1 ] CVE-2015-0301
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0301
[ 2 ] CVE-2015-0302
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0302
[ 3 ] CVE-2015-0303
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0303
[ 4 ] CVE-2015-0304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0304
[ 5 ] CVE-2015-0305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0305
[ 6 ] CVE-2015-0306
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0306
[ 7 ] CVE-2015-0307
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0307
[ 8 ] CVE-2015-0308
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0308
[ 9 ] CVE-2015-0309
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0309
[ 10 ] CVE-2015-0310
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0310
[ 11 ] CVE-2015-0311
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0311
[ 12 ] CVE-2015-0314
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0314
[ 13 ] CVE-2015-0315
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0315
[ 14 ] CVE-2015-0316
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0316
[ 15 ] CVE-2015-0317
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0317
[ 16 ] CVE-2015-0318
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0318
[ 17 ] CVE-2015-0319
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0319
[ 18 ] CVE-2015-0320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0320
[ 19 ] CVE-2015-0321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0321
[ 20 ] CVE-2015-0322
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0322
[ 21 ] CVE-2015-0323
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0323
[ 22 ] CVE-2015-0324
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0324
[ 23 ] CVE-2015-0325
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0325
[ 24 ] CVE-2015-0326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0326
[ 25 ] CVE-2015-0327
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0327
[ 26 ] CVE-2015-0328
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0328
[ 27 ] CVE-2015-0329
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0329
[ 28 ] CVE-2015-0330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0330
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0140-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0140.html
Issue date: 2015-02-06
CVE Names: CVE-2015-0314 CVE-2015-0315 CVE-2015-0316
CVE-2015-0317 CVE-2015-0318 CVE-2015-0319
CVE-2015-0320 CVE-2015-0321 CVE-2015-0322
CVE-2015-0323 CVE-2015-0324 CVE-2015-0325
CVE-2015-0326 CVE-2015-0327 CVE-2015-0328
CVE-2015-0329 CVE-2015-0330
=====================================================================
1.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1190068 - flash-plugin: multiple code execution flaws (APSB15-04)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0314
https://access.redhat.com/security/cve/CVE-2015-0315
https://access.redhat.com/security/cve/CVE-2015-0316
https://access.redhat.com/security/cve/CVE-2015-0317
https://access.redhat.com/security/cve/CVE-2015-0318
https://access.redhat.com/security/cve/CVE-2015-0319
https://access.redhat.com/security/cve/CVE-2015-0320
https://access.redhat.com/security/cve/CVE-2015-0321
https://access.redhat.com/security/cve/CVE-2015-0322
https://access.redhat.com/security/cve/CVE-2015-0323
https://access.redhat.com/security/cve/CVE-2015-0324
https://access.redhat.com/security/cve/CVE-2015-0325
https://access.redhat.com/security/cve/CVE-2015-0326
https://access.redhat.com/security/cve/CVE-2015-0327
https://access.redhat.com/security/cve/CVE-2015-0328
https://access.redhat.com/security/cve/CVE-2015-0329
https://access.redhat.com/security/cve/CVE-2015-0330
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU1NKPXlSAg2UNWIIRAuaMAKCrTaZA9Qbqdqmms8W0dscYkNvkiQCeIiHs
Rb1nXRLO0fFKuancn8e1EKw=
=IZLG
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201502-0353 | CVE-2015-0329 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0314, CVE-2015-0316, CVE-2015-0318, CVE-2015-0321, and CVE-2015-0330.
Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed attacks may cause denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.442"
References
==========
[ 1 ] CVE-2015-0301
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0301
[ 2 ] CVE-2015-0302
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0302
[ 3 ] CVE-2015-0303
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0303
[ 4 ] CVE-2015-0304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0304
[ 5 ] CVE-2015-0305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0305
[ 6 ] CVE-2015-0306
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0306
[ 7 ] CVE-2015-0307
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0307
[ 8 ] CVE-2015-0308
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0308
[ 9 ] CVE-2015-0309
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0309
[ 10 ] CVE-2015-0310
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0310
[ 11 ] CVE-2015-0311
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0311
[ 12 ] CVE-2015-0314
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0314
[ 13 ] CVE-2015-0315
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0315
[ 14 ] CVE-2015-0316
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0316
[ 15 ] CVE-2015-0317
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0317
[ 16 ] CVE-2015-0318
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0318
[ 17 ] CVE-2015-0319
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0319
[ 18 ] CVE-2015-0320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0320
[ 19 ] CVE-2015-0321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0321
[ 20 ] CVE-2015-0322
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0322
[ 21 ] CVE-2015-0323
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0323
[ 22 ] CVE-2015-0324
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0324
[ 23 ] CVE-2015-0325
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0325
[ 24 ] CVE-2015-0326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0326
[ 25 ] CVE-2015-0327
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0327
[ 26 ] CVE-2015-0328
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0328
[ 27 ] CVE-2015-0329
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0329
[ 28 ] CVE-2015-0330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0330
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0140-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0140.html
Issue date: 2015-02-06
CVE Names: CVE-2015-0314 CVE-2015-0315 CVE-2015-0316
CVE-2015-0317 CVE-2015-0318 CVE-2015-0319
CVE-2015-0320 CVE-2015-0321 CVE-2015-0322
CVE-2015-0323 CVE-2015-0324 CVE-2015-0325
CVE-2015-0326 CVE-2015-0327 CVE-2015-0328
CVE-2015-0329 CVE-2015-0330
=====================================================================
1.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1190068 - flash-plugin: multiple code execution flaws (APSB15-04)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0314
https://access.redhat.com/security/cve/CVE-2015-0315
https://access.redhat.com/security/cve/CVE-2015-0316
https://access.redhat.com/security/cve/CVE-2015-0317
https://access.redhat.com/security/cve/CVE-2015-0318
https://access.redhat.com/security/cve/CVE-2015-0319
https://access.redhat.com/security/cve/CVE-2015-0320
https://access.redhat.com/security/cve/CVE-2015-0321
https://access.redhat.com/security/cve/CVE-2015-0322
https://access.redhat.com/security/cve/CVE-2015-0323
https://access.redhat.com/security/cve/CVE-2015-0324
https://access.redhat.com/security/cve/CVE-2015-0325
https://access.redhat.com/security/cve/CVE-2015-0326
https://access.redhat.com/security/cve/CVE-2015-0327
https://access.redhat.com/security/cve/CVE-2015-0328
https://access.redhat.com/security/cve/CVE-2015-0329
https://access.redhat.com/security/cve/CVE-2015-0330
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU1NKPXlSAg2UNWIIRAuaMAKCrTaZA9Qbqdqmms8W0dscYkNvkiQCeIiHs
Rb1nXRLO0fFKuancn8e1EKw=
=IZLG
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201502-0351 | CVE-2015-0327 | Adobe Flash Player Heap-based buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0323. This vulnerability CVE-2015-0323 Is a different vulnerability.An attacker could execute arbitrary code. Failed attacks may cause denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.442"
References
==========
[ 1 ] CVE-2015-0301
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0301
[ 2 ] CVE-2015-0302
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0302
[ 3 ] CVE-2015-0303
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0303
[ 4 ] CVE-2015-0304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0304
[ 5 ] CVE-2015-0305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0305
[ 6 ] CVE-2015-0306
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0306
[ 7 ] CVE-2015-0307
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0307
[ 8 ] CVE-2015-0308
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0308
[ 9 ] CVE-2015-0309
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0309
[ 10 ] CVE-2015-0310
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0310
[ 11 ] CVE-2015-0311
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0311
[ 12 ] CVE-2015-0314
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0314
[ 13 ] CVE-2015-0315
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0315
[ 14 ] CVE-2015-0316
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0316
[ 15 ] CVE-2015-0317
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0317
[ 16 ] CVE-2015-0318
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0318
[ 17 ] CVE-2015-0319
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0319
[ 18 ] CVE-2015-0320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0320
[ 19 ] CVE-2015-0321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0321
[ 20 ] CVE-2015-0322
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0322
[ 21 ] CVE-2015-0323
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0323
[ 22 ] CVE-2015-0324
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0324
[ 23 ] CVE-2015-0325
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0325
[ 24 ] CVE-2015-0326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0326
[ 25 ] CVE-2015-0327
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0327
[ 26 ] CVE-2015-0328
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0328
[ 27 ] CVE-2015-0329
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0329
[ 28 ] CVE-2015-0330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0330
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0140-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0140.html
Issue date: 2015-02-06
CVE Names: CVE-2015-0314 CVE-2015-0315 CVE-2015-0316
CVE-2015-0317 CVE-2015-0318 CVE-2015-0319
CVE-2015-0320 CVE-2015-0321 CVE-2015-0322
CVE-2015-0323 CVE-2015-0324 CVE-2015-0325
CVE-2015-0326 CVE-2015-0327 CVE-2015-0328
CVE-2015-0329 CVE-2015-0330
=====================================================================
1.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1190068 - flash-plugin: multiple code execution flaws (APSB15-04)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0314
https://access.redhat.com/security/cve/CVE-2015-0315
https://access.redhat.com/security/cve/CVE-2015-0316
https://access.redhat.com/security/cve/CVE-2015-0317
https://access.redhat.com/security/cve/CVE-2015-0318
https://access.redhat.com/security/cve/CVE-2015-0319
https://access.redhat.com/security/cve/CVE-2015-0320
https://access.redhat.com/security/cve/CVE-2015-0321
https://access.redhat.com/security/cve/CVE-2015-0322
https://access.redhat.com/security/cve/CVE-2015-0323
https://access.redhat.com/security/cve/CVE-2015-0324
https://access.redhat.com/security/cve/CVE-2015-0325
https://access.redhat.com/security/cve/CVE-2015-0326
https://access.redhat.com/security/cve/CVE-2015-0327
https://access.redhat.com/security/cve/CVE-2015-0328
https://access.redhat.com/security/cve/CVE-2015-0329
https://access.redhat.com/security/cve/CVE-2015-0330
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU1NKPXlSAg2UNWIIRAuaMAKCrTaZA9Qbqdqmms8W0dscYkNvkiQCeIiHs
Rb1nXRLO0fFKuancn8e1EKw=
=IZLG
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201502-0352 | CVE-2015-0328 | Adobe Flash Player Service disruption in (DoS) Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2015-0325 and CVE-2015-0326. This vulnerability CVE-2015-0325 and CVE-2015-0326 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. http://cwe.mitre.org/data/definitions/476.htmlDenial of service by attacker (NULL Pointer dereference ) There is a possibility of being affected unspecified, such as being in a state.
Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed attacks may cause denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.442"
References
==========
[ 1 ] CVE-2015-0301
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0301
[ 2 ] CVE-2015-0302
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0302
[ 3 ] CVE-2015-0303
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0303
[ 4 ] CVE-2015-0304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0304
[ 5 ] CVE-2015-0305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0305
[ 6 ] CVE-2015-0306
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0306
[ 7 ] CVE-2015-0307
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0307
[ 8 ] CVE-2015-0308
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0308
[ 9 ] CVE-2015-0309
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0309
[ 10 ] CVE-2015-0310
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0310
[ 11 ] CVE-2015-0311
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0311
[ 12 ] CVE-2015-0314
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0314
[ 13 ] CVE-2015-0315
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0315
[ 14 ] CVE-2015-0316
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0316
[ 15 ] CVE-2015-0317
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0317
[ 16 ] CVE-2015-0318
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0318
[ 17 ] CVE-2015-0319
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0319
[ 18 ] CVE-2015-0320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0320
[ 19 ] CVE-2015-0321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0321
[ 20 ] CVE-2015-0322
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0322
[ 21 ] CVE-2015-0323
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0323
[ 22 ] CVE-2015-0324
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0324
[ 23 ] CVE-2015-0325
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0325
[ 24 ] CVE-2015-0326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0326
[ 25 ] CVE-2015-0327
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0327
[ 26 ] CVE-2015-0328
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0328
[ 27 ] CVE-2015-0329
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0329
[ 28 ] CVE-2015-0330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0330
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0140-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0140.html
Issue date: 2015-02-06
CVE Names: CVE-2015-0314 CVE-2015-0315 CVE-2015-0316
CVE-2015-0317 CVE-2015-0318 CVE-2015-0319
CVE-2015-0320 CVE-2015-0321 CVE-2015-0322
CVE-2015-0323 CVE-2015-0324 CVE-2015-0325
CVE-2015-0326 CVE-2015-0327 CVE-2015-0328
CVE-2015-0329 CVE-2015-0330
=====================================================================
1.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1190068 - flash-plugin: multiple code execution flaws (APSB15-04)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0314
https://access.redhat.com/security/cve/CVE-2015-0315
https://access.redhat.com/security/cve/CVE-2015-0316
https://access.redhat.com/security/cve/CVE-2015-0317
https://access.redhat.com/security/cve/CVE-2015-0318
https://access.redhat.com/security/cve/CVE-2015-0319
https://access.redhat.com/security/cve/CVE-2015-0320
https://access.redhat.com/security/cve/CVE-2015-0321
https://access.redhat.com/security/cve/CVE-2015-0322
https://access.redhat.com/security/cve/CVE-2015-0323
https://access.redhat.com/security/cve/CVE-2015-0324
https://access.redhat.com/security/cve/CVE-2015-0325
https://access.redhat.com/security/cve/CVE-2015-0326
https://access.redhat.com/security/cve/CVE-2015-0327
https://access.redhat.com/security/cve/CVE-2015-0328
https://access.redhat.com/security/cve/CVE-2015-0329
https://access.redhat.com/security/cve/CVE-2015-0330
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU1NKPXlSAg2UNWIIRAuaMAKCrTaZA9Qbqdqmms8W0dscYkNvkiQCeIiHs
Rb1nXRLO0fFKuancn8e1EKw=
=IZLG
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201502-0350 | CVE-2015-0326 | Adobe Flash Player Service disruption in (DoS) Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2015-0325 and CVE-2015-0328. This vulnerability CVE-2015-0325 and CVE-2015-0328 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. http://cwe.mitre.org/data/definitions/476.htmlDenial of service by attacker (NULL Pointer dereference ) There is a possibility of being affected unspecified, such as being in a state.
Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed attacks may cause denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.442"
References
==========
[ 1 ] CVE-2015-0301
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0301
[ 2 ] CVE-2015-0302
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0302
[ 3 ] CVE-2015-0303
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0303
[ 4 ] CVE-2015-0304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0304
[ 5 ] CVE-2015-0305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0305
[ 6 ] CVE-2015-0306
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0306
[ 7 ] CVE-2015-0307
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0307
[ 8 ] CVE-2015-0308
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0308
[ 9 ] CVE-2015-0309
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0309
[ 10 ] CVE-2015-0310
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0310
[ 11 ] CVE-2015-0311
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0311
[ 12 ] CVE-2015-0314
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0314
[ 13 ] CVE-2015-0315
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0315
[ 14 ] CVE-2015-0316
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0316
[ 15 ] CVE-2015-0317
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0317
[ 16 ] CVE-2015-0318
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0318
[ 17 ] CVE-2015-0319
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0319
[ 18 ] CVE-2015-0320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0320
[ 19 ] CVE-2015-0321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0321
[ 20 ] CVE-2015-0322
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0322
[ 21 ] CVE-2015-0323
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0323
[ 22 ] CVE-2015-0324
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0324
[ 23 ] CVE-2015-0325
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0325
[ 24 ] CVE-2015-0326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0326
[ 25 ] CVE-2015-0327
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0327
[ 26 ] CVE-2015-0328
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0328
[ 27 ] CVE-2015-0329
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0329
[ 28 ] CVE-2015-0330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0330
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0140-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0140.html
Issue date: 2015-02-06
CVE Names: CVE-2015-0314 CVE-2015-0315 CVE-2015-0316
CVE-2015-0317 CVE-2015-0318 CVE-2015-0319
CVE-2015-0320 CVE-2015-0321 CVE-2015-0322
CVE-2015-0323 CVE-2015-0324 CVE-2015-0325
CVE-2015-0326 CVE-2015-0327 CVE-2015-0328
CVE-2015-0329 CVE-2015-0330
=====================================================================
1.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1190068 - flash-plugin: multiple code execution flaws (APSB15-04)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0314
https://access.redhat.com/security/cve/CVE-2015-0315
https://access.redhat.com/security/cve/CVE-2015-0316
https://access.redhat.com/security/cve/CVE-2015-0317
https://access.redhat.com/security/cve/CVE-2015-0318
https://access.redhat.com/security/cve/CVE-2015-0319
https://access.redhat.com/security/cve/CVE-2015-0320
https://access.redhat.com/security/cve/CVE-2015-0321
https://access.redhat.com/security/cve/CVE-2015-0322
https://access.redhat.com/security/cve/CVE-2015-0323
https://access.redhat.com/security/cve/CVE-2015-0324
https://access.redhat.com/security/cve/CVE-2015-0325
https://access.redhat.com/security/cve/CVE-2015-0326
https://access.redhat.com/security/cve/CVE-2015-0327
https://access.redhat.com/security/cve/CVE-2015-0328
https://access.redhat.com/security/cve/CVE-2015-0329
https://access.redhat.com/security/cve/CVE-2015-0330
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU1NKPXlSAg2UNWIIRAuaMAKCrTaZA9Qbqdqmms8W0dscYkNvkiQCeIiHs
Rb1nXRLO0fFKuancn8e1EKw=
=IZLG
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201502-0349 | CVE-2015-0325 | Adobe Flash Player Service disruption in (DoS) Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2015-0326 and CVE-2015-0328. This vulnerability CVE-2015-0326 and CVE-2015-0328 Is a different vulnerability. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. http://cwe.mitre.org/data/definitions/476.htmlDenial of service by attacker (NULL Pointer dereference ) There is a possibility of being affected unspecified, such as being in a state.
Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed attacks may cause denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information or bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.442"
References
==========
[ 1 ] CVE-2015-0301
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0301
[ 2 ] CVE-2015-0302
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0302
[ 3 ] CVE-2015-0303
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0303
[ 4 ] CVE-2015-0304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0304
[ 5 ] CVE-2015-0305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0305
[ 6 ] CVE-2015-0306
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0306
[ 7 ] CVE-2015-0307
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0307
[ 8 ] CVE-2015-0308
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0308
[ 9 ] CVE-2015-0309
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0309
[ 10 ] CVE-2015-0310
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0310
[ 11 ] CVE-2015-0311
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0311
[ 12 ] CVE-2015-0314
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0314
[ 13 ] CVE-2015-0315
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0315
[ 14 ] CVE-2015-0316
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0316
[ 15 ] CVE-2015-0317
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0317
[ 16 ] CVE-2015-0318
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0318
[ 17 ] CVE-2015-0319
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0319
[ 18 ] CVE-2015-0320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0320
[ 19 ] CVE-2015-0321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0321
[ 20 ] CVE-2015-0322
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0322
[ 21 ] CVE-2015-0323
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0323
[ 22 ] CVE-2015-0324
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0324
[ 23 ] CVE-2015-0325
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0325
[ 24 ] CVE-2015-0326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0326
[ 25 ] CVE-2015-0327
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0327
[ 26 ] CVE-2015-0328
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0328
[ 27 ] CVE-2015-0329
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0329
[ 28 ] CVE-2015-0330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0330
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0140-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0140.html
Issue date: 2015-02-06
CVE Names: CVE-2015-0314 CVE-2015-0315 CVE-2015-0316
CVE-2015-0317 CVE-2015-0318 CVE-2015-0319
CVE-2015-0320 CVE-2015-0321 CVE-2015-0322
CVE-2015-0323 CVE-2015-0324 CVE-2015-0325
CVE-2015-0326 CVE-2015-0327 CVE-2015-0328
CVE-2015-0329 CVE-2015-0330
=====================================================================
1.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1190068 - flash-plugin: multiple code execution flaws (APSB15-04)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0314
https://access.redhat.com/security/cve/CVE-2015-0315
https://access.redhat.com/security/cve/CVE-2015-0316
https://access.redhat.com/security/cve/CVE-2015-0317
https://access.redhat.com/security/cve/CVE-2015-0318
https://access.redhat.com/security/cve/CVE-2015-0319
https://access.redhat.com/security/cve/CVE-2015-0320
https://access.redhat.com/security/cve/CVE-2015-0321
https://access.redhat.com/security/cve/CVE-2015-0322
https://access.redhat.com/security/cve/CVE-2015-0323
https://access.redhat.com/security/cve/CVE-2015-0324
https://access.redhat.com/security/cve/CVE-2015-0325
https://access.redhat.com/security/cve/CVE-2015-0326
https://access.redhat.com/security/cve/CVE-2015-0327
https://access.redhat.com/security/cve/CVE-2015-0328
https://access.redhat.com/security/cve/CVE-2015-0329
https://access.redhat.com/security/cve/CVE-2015-0330
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU1NKPXlSAg2UNWIIRAuaMAKCrTaZA9Qbqdqmms8W0dscYkNvkiQCeIiHs
Rb1nXRLO0fFKuancn8e1EKw=
=IZLG
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201502-0067 | CVE-2015-1546 | OpenLDAP of servers/slapd/filter.c Inside get_vrFilter Function double memory vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Double free vulnerability in the get_vrFilter function in servers/slapd/filter.c in OpenLDAP 2.4.40 allows remote attackers to cause a denial of service (crash) via a crafted search query with a matched values control. OpenLDAP of servers/slapd/filter.c Inside get_vrFilter The function has a deficiency in freeing up memory twice, resulting in service disruption ( crash ) There are vulnerabilities that are put into a state. Supplementary information : CWE Vulnerability type by CWE-415: Double Free ( Double release ) Has been identified. OpenLDAP slapd is prone to multiple denial-of-service vulnerabilities.
Successful exploits may allow an attacker to cause an affected application to crash, resulting in a denial-of-service condition. OpenLDAP is a free and open source implementation of the Lightweight Directory Access Protocol (LDAP) from the OpenLDAP Foundation in the United States, which is included in Linux distributions.
The updated packages provides a solution for these security issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
8cf3267fdb2dd7fe3e3d45560bdb21d0 mbs2/x86_64/lib64ldap2.4_2-2.4.40-1.mbs2.x86_64.rpm
865d9a982ce84212ac326c3c1e765bd7 mbs2/x86_64/lib64ldap2.4_2-devel-2.4.40-1.mbs2.x86_64.rpm
5257553f4101f109f611fb4a1169e032 mbs2/x86_64/lib64ldap2.4_2-static-devel-2.4.40-1.mbs2.x86_64.rpm
559e20b8fb73db0a2596ae53debb1171 mbs2/x86_64/openldap-2.4.40-1.mbs2.x86_64.rpm
d768c2cfd50d48df2c6d50cba2804f22 mbs2/x86_64/openldap-back_bdb-2.4.40-1.mbs2.x86_64.rpm
ca1be9bfd5f8494412dacd1704446a3d mbs2/x86_64/openldap-back_mdb-2.4.40-1.mbs2.x86_64.rpm
10616f8ee850c96f6f31a56c04b2f5c8 mbs2/x86_64/openldap-back_sql-2.4.40-1.mbs2.x86_64.rpm
abe8987076d7c071cf0556717824f968 mbs2/x86_64/openldap-clients-2.4.40-1.mbs2.x86_64.rpm
167cde52384ff479dbf66c9c3b9c1875 mbs2/x86_64/openldap-doc-2.4.40-1.mbs2.x86_64.rpm
7bb0cde0c37e82616d7e1c2f51339ea9 mbs2/x86_64/openldap-servers-2.4.40-1.mbs2.x86_64.rpm
fa9deaf6135eb3443dfa4ea2d5906d03 mbs2/x86_64/openldap-servers-devel-2.4.40-1.mbs2.x86_64.rpm
712530d38d7091f1feab1b0f214d8440 mbs2/x86_64/openldap-testprogs-2.4.40-1.mbs2.x86_64.rpm
e2a1576a5731e854ac0395c65014b8ea mbs2/x86_64/openldap-tests-2.4.40-1.mbs2.x86_64.rpm
38e739f91027490ef87474d6053b663f mbs2/SRPMS/openldap-2.4.40-1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVFYFxmqjQ0CJFipgRApm0AJ4xcpT1u7CPnC7I7aiJTISBkiS08ACghGEn
vp6R7J2vex/HG9fkmQLo5EI=
=FTac
-----END PGP SIGNATURE-----
| VAR-201502-0106 | CVE-2015-0314 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0316, CVE-2015-0318, CVE-2015-0321, CVE-2015-0329, and CVE-2015-0330. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the BitmapFilter class. The class is not marked as final, so it can be extended. When extending the class and adding it to a filters array, Adobe Flash tries to execute a non-existent method at a specific offset. Failed attacks may cause denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.442"
References
==========
[ 1 ] CVE-2015-0301
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0301
[ 2 ] CVE-2015-0302
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0302
[ 3 ] CVE-2015-0303
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0303
[ 4 ] CVE-2015-0304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0304
[ 5 ] CVE-2015-0305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0305
[ 6 ] CVE-2015-0306
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0306
[ 7 ] CVE-2015-0307
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0307
[ 8 ] CVE-2015-0308
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0308
[ 9 ] CVE-2015-0309
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0309
[ 10 ] CVE-2015-0310
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0310
[ 11 ] CVE-2015-0311
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0311
[ 12 ] CVE-2015-0314
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0314
[ 13 ] CVE-2015-0315
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0315
[ 14 ] CVE-2015-0316
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0316
[ 15 ] CVE-2015-0317
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0317
[ 16 ] CVE-2015-0318
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0318
[ 17 ] CVE-2015-0319
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0319
[ 18 ] CVE-2015-0320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0320
[ 19 ] CVE-2015-0321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0321
[ 20 ] CVE-2015-0322
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0322
[ 21 ] CVE-2015-0323
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0323
[ 22 ] CVE-2015-0324
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0324
[ 23 ] CVE-2015-0325
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0325
[ 24 ] CVE-2015-0326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0326
[ 25 ] CVE-2015-0327
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0327
[ 26 ] CVE-2015-0328
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0328
[ 27 ] CVE-2015-0329
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0329
[ 28 ] CVE-2015-0330
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0330
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2015:0140-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0140.html
Issue date: 2015-02-06
CVE Names: CVE-2015-0314 CVE-2015-0315 CVE-2015-0316
CVE-2015-0317 CVE-2015-0318 CVE-2015-0319
CVE-2015-0320 CVE-2015-0321 CVE-2015-0322
CVE-2015-0323 CVE-2015-0324 CVE-2015-0325
CVE-2015-0326 CVE-2015-0327 CVE-2015-0328
CVE-2015-0329 CVE-2015-0330
=====================================================================
1.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
Multiple flaws were found in the way flash-plugin displayed certain SWF
content. An attacker could use these flaws to create a specially crafted
SWF file that would cause flash-plugin to crash or, potentially, execute
arbitrary code when the victim loaded a page containing the malicious SWF
content.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1190068 - flash-plugin: multiple code execution flaws (APSB15-04)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.442-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.442-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.442-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.442-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-0314
https://access.redhat.com/security/cve/CVE-2015-0315
https://access.redhat.com/security/cve/CVE-2015-0316
https://access.redhat.com/security/cve/CVE-2015-0317
https://access.redhat.com/security/cve/CVE-2015-0318
https://access.redhat.com/security/cve/CVE-2015-0319
https://access.redhat.com/security/cve/CVE-2015-0320
https://access.redhat.com/security/cve/CVE-2015-0321
https://access.redhat.com/security/cve/CVE-2015-0322
https://access.redhat.com/security/cve/CVE-2015-0323
https://access.redhat.com/security/cve/CVE-2015-0324
https://access.redhat.com/security/cve/CVE-2015-0325
https://access.redhat.com/security/cve/CVE-2015-0326
https://access.redhat.com/security/cve/CVE-2015-0327
https://access.redhat.com/security/cve/CVE-2015-0328
https://access.redhat.com/security/cve/CVE-2015-0329
https://access.redhat.com/security/cve/CVE-2015-0330
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU1NKPXlSAg2UNWIIRAuaMAKCrTaZA9Qbqdqmms8W0dscYkNvkiQCeIiHs
Rb1nXRLO0fFKuancn8e1EKw=
=IZLG
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201502-0121 | CVE-2015-0589 | Cisco WebEx Meetings Server Management Web Any with root privileges in the interface OS Command execution vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
The administrative web interface in Cisco WebEx Meetings Server 1.0 through 1.5 allows remote authenticated users to execute arbitrary OS commands with root privileges via unspecified fields, aka Bug ID CSCuj40460. Vendors have confirmed this vulnerability Bug ID CSCuj40460 It is released as.Remotely authenticated users can specify any OS The command may be executed. Cisco WebEx Meetings Server is prone to a remote command-injection vulnerability because it fails to properly sanitize user-supplied input.
Successfully exploiting this issue may allow an attacker to execute arbitrary commands in context of the affected application.
This issue is being tracked by Cisco bug ID CSCuj40460. Cisco WebEx Meetings Server (CWMS) is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution. There are security vulnerabilities in the web management interface of CWMS versions 1.0 to 1.5
| VAR-201502-0135 | CVE-2015-0601 | Cisco Unified IP 9900 phones Service disruption in other firmware (DoS) Vulnerabilities |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier allow local users to cause a denial of service (device reload) via crafted commands, aka Bug ID CSCup92790. The device provides voice, video and other functions.
This issue is tracked by Cisco Bug ID CSCup92790
| VAR-201502-0138 | CVE-2015-0604 | Cisco Unified IP 9900 phones Of firmware Web Framework uploading file vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web framework on Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier allows remote attackers to upload files to arbitrary locations on a phone's filesystem via crafted HTTP requests, aka Bug ID CSCup90424. Vendors have confirmed this vulnerability Bug ID CSCup90424 It is released as.Skillfully crafted by a third party HTTP Via a request, a file may be uploaded to any location in the phone's file system. The Cisco Unified IP Phone 9900 is a 9900 series IP telephony terminal device from Cisco. The device provides voice, video and other functions. This may aid in further attacks.
This issue is tracked by Cisco Bug ID CSCup90424
| VAR-201502-0411 | CVE-2015-1212 | Google Chrome Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android allow attackers to cause a denial of service or possibly have other impact via unknown vectors. Google Chrome is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, bypass the same-origin policy and gain elevated privileges; other attacks are also possible. Google Chrome is a web browser developed by Google (Google). ============================================================================
Ubuntu Security Notice USN-2495-1
February 10, 2015
oxide-qt vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Oxide. (CVE-2015-1209)
It was discovered that V8 did not properly consider frame access
restrictions when throwing exceptions in some circumstances. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit this to bypass same origin restrictions.
(CVE-2015-1210)
It was discovered that Chromium did not properly restrict the URI scheme
during ServiceWorker registration. If a user were tricked in to
downloading and opening a specially crafted HTML file, an attacker could
potentially exploit this to bypass security restrictions. (CVE-2015-1212)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
liboxideqtcore0 1.4.3-0ubuntu0.14.10.1
oxideqt-codecs 1.4.3-0ubuntu0.14.10.1
oxideqt-codecs-extra 1.4.3-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:
liboxideqtcore0 1.4.3-0ubuntu0.14.04.1
oxideqt-codecs 1.4.3-0ubuntu0.14.04.1
oxideqt-codecs-extra 1.4.3-0ubuntu0.14.04.1
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: chromium-browser security update
Advisory ID: RHSA-2015:0163-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0163.html
Issue date: 2015-02-10
CVE Names: CVE-2015-1209 CVE-2015-1210 CVE-2015-1211
CVE-2015-1212
=====================================================================
1. Summary:
Updated chromium-browser packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Chromium is an open-source web browser, powered by WebKit (Blink).
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Chromium to crash or,
potentially, execute arbitrary code with the privileges of the user running
Chromium. (CVE-2015-1209, CVE-2015-1210, CVE-2015-1211, CVE-2015-1212)
All Chromium users should upgrade to these updated packages, which contain
Chromium version 40.0.2214.111, which corrects these issues. After
installing the update, Chromium must be restarted for the changes to take
effect.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1190123 - CVE-2015-1209 chromium-browser: use-after-free in DOM
1190124 - CVE-2015-1210 chromium-browser: cross-origin-bypass in V8 bindings
1190125 - CVE-2015-1211 chromium-browser: privilege escalation in service workers
1190158 - CVE-2015-1212 chromium-browser: various security fixes in Chrome 40.0.2214.111
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
Source:
chromium-browser-40.0.2214.111-1.el6_6.src.rpm
i386:
chromium-browser-40.0.2214.111-1.el6_6.i686.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.i686.rpm
x86_64:
chromium-browser-40.0.2214.111-1.el6_6.x86_64.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
Source:
chromium-browser-40.0.2214.111-1.el6_6.src.rpm
i386:
chromium-browser-40.0.2214.111-1.el6_6.i686.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.i686.rpm
x86_64:
chromium-browser-40.0.2214.111-1.el6_6.x86_64.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
Source:
chromium-browser-40.0.2214.111-1.el6_6.src.rpm
i386:
chromium-browser-40.0.2214.111-1.el6_6.i686.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.i686.rpm
x86_64:
chromium-browser-40.0.2214.111-1.el6_6.x86_64.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-1209
https://access.redhat.com/security/cve/CVE-2015-1210
https://access.redhat.com/security/cve/CVE-2015-1211
https://access.redhat.com/security/cve/CVE-2015-1212
https://access.redhat.com/security/updates/classification/#important
http://googlechromereleases.blogspot.com/2015/02/stable-channel-update.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU2oc6XlSAg2UNWIIRArgRAJ0UDk0z8qCzqVFIRSEuiIgr3tP9swCfdFO2
59ank3BbCLmfdBRtQ9lpFz4=
=mT/S
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 40.0.2214.111 >= 40.0.2214.111
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker may be able to cause a Denial of Service condition,
gain privileges via a filesystem: URI, or have other unspecified
impact.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-40.0.2214.111"
References
==========
[ 1 ] CVE-2014-7923
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7923
[ 2 ] CVE-2014-7924
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7924
[ 3 ] CVE-2014-7925
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7925
[ 4 ] CVE-2014-7926
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7926
[ 5 ] CVE-2014-7927
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7927
[ 6 ] CVE-2014-7928
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7928
[ 7 ] CVE-2014-7929
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7929
[ 8 ] CVE-2014-7930
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7930
[ 9 ] CVE-2014-7931
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7931
[ 10 ] CVE-2014-7932
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7932
[ 11 ] CVE-2014-7933
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7933
[ 12 ] CVE-2014-7934
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7934
[ 13 ] CVE-2014-7935
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7935
[ 14 ] CVE-2014-7936
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7936
[ 15 ] CVE-2014-7937
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7937
[ 16 ] CVE-2014-7938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7938
[ 17 ] CVE-2014-7939
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7939
[ 18 ] CVE-2014-7940
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7940
[ 19 ] CVE-2014-7941
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7941
[ 20 ] CVE-2014-7942
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7942
[ 21 ] CVE-2014-7943
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7943
[ 22 ] CVE-2014-7944
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7944
[ 23 ] CVE-2014-7945
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7945
[ 24 ] CVE-2014-7946
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7946
[ 25 ] CVE-2014-7947
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7947
[ 26 ] CVE-2014-7948
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7948
[ 27 ] CVE-2014-9646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9646
[ 28 ] CVE-2014-9647
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9647
[ 29 ] CVE-2014-9648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9648
[ 30 ] CVE-2015-1205
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1205
[ 31 ] CVE-2015-1209
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1209
[ 32 ] CVE-2015-1210
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1210
[ 33 ] CVE-2015-1211
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1211
[ 34 ] CVE-2015-1212
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1212
[ 35 ] CVE-2015-1346
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1346
[ 36 ] CVE-2015-1359
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1359
[ 37 ] CVE-2015-1360
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1360
[ 38 ] CVE-2015-1361
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1361
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-13.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201502-0410 | CVE-2015-1211 | Google Chrome of content/browser/service_worker/service_worker_dispatcher_host.cc Vulnerability gained in |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The OriginCanAccessServiceWorkers function in content/browser/service_worker/service_worker_dispatcher_host.cc in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android does not properly restrict the URI scheme during a ServiceWorker registration, which allows remote attackers to gain privileges via a filesystem: URI. Google Chrome is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, bypass the same-origin policy and gain elevated privileges; other attacks are also possible. Google Chrome is a web browser developed by Google (Google). ============================================================================
Ubuntu Security Notice USN-2495-1
February 10, 2015
oxide-qt vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Oxide. (CVE-2015-1209)
It was discovered that V8 did not properly consider frame access
restrictions when throwing exceptions in some circumstances. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit this to bypass same origin restrictions. If a user were tricked in to
downloading and opening a specially crafted HTML file, an attacker could
potentially exploit this to bypass security restrictions. (CVE-2015-1212)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
liboxideqtcore0 1.4.3-0ubuntu0.14.10.1
oxideqt-codecs 1.4.3-0ubuntu0.14.10.1
oxideqt-codecs-extra 1.4.3-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:
liboxideqtcore0 1.4.3-0ubuntu0.14.04.1
oxideqt-codecs 1.4.3-0ubuntu0.14.04.1
oxideqt-codecs-extra 1.4.3-0ubuntu0.14.04.1
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: chromium-browser security update
Advisory ID: RHSA-2015:0163-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0163.html
Issue date: 2015-02-10
CVE Names: CVE-2015-1209 CVE-2015-1210 CVE-2015-1211
CVE-2015-1212
=====================================================================
1. Summary:
Updated chromium-browser packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Chromium is an open-source web browser, powered by WebKit (Blink).
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Chromium to crash or,
potentially, execute arbitrary code with the privileges of the user running
Chromium. (CVE-2015-1209, CVE-2015-1210, CVE-2015-1211, CVE-2015-1212)
All Chromium users should upgrade to these updated packages, which contain
Chromium version 40.0.2214.111, which corrects these issues. After
installing the update, Chromium must be restarted for the changes to take
effect.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1190123 - CVE-2015-1209 chromium-browser: use-after-free in DOM
1190124 - CVE-2015-1210 chromium-browser: cross-origin-bypass in V8 bindings
1190125 - CVE-2015-1211 chromium-browser: privilege escalation in service workers
1190158 - CVE-2015-1212 chromium-browser: various security fixes in Chrome 40.0.2214.111
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
Source:
chromium-browser-40.0.2214.111-1.el6_6.src.rpm
i386:
chromium-browser-40.0.2214.111-1.el6_6.i686.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.i686.rpm
x86_64:
chromium-browser-40.0.2214.111-1.el6_6.x86_64.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
Source:
chromium-browser-40.0.2214.111-1.el6_6.src.rpm
i386:
chromium-browser-40.0.2214.111-1.el6_6.i686.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.i686.rpm
x86_64:
chromium-browser-40.0.2214.111-1.el6_6.x86_64.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
Source:
chromium-browser-40.0.2214.111-1.el6_6.src.rpm
i386:
chromium-browser-40.0.2214.111-1.el6_6.i686.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.i686.rpm
x86_64:
chromium-browser-40.0.2214.111-1.el6_6.x86_64.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-1209
https://access.redhat.com/security/cve/CVE-2015-1210
https://access.redhat.com/security/cve/CVE-2015-1211
https://access.redhat.com/security/cve/CVE-2015-1212
https://access.redhat.com/security/updates/classification/#important
http://googlechromereleases.blogspot.com/2015/02/stable-channel-update.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU2oc6XlSAg2UNWIIRArgRAJ0UDk0z8qCzqVFIRSEuiIgr3tP9swCfdFO2
59ank3BbCLmfdBRtQ9lpFz4=
=mT/S
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201502-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: February 17, 2015
Bugs: #537366, #539094
ID: 201502-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Chromium, the worst of
which can allow remote attackers to cause Denial of Service or gain
escalated privileges.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 40.0.2214.111 >= 40.0.2214.111
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker may be able to cause a Denial of Service condition,
gain privileges via a filesystem: URI, or have other unspecified
impact.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-40.0.2214.111"
References
==========
[ 1 ] CVE-2014-7923
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7923
[ 2 ] CVE-2014-7924
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7924
[ 3 ] CVE-2014-7925
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7925
[ 4 ] CVE-2014-7926
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7926
[ 5 ] CVE-2014-7927
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7927
[ 6 ] CVE-2014-7928
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7928
[ 7 ] CVE-2014-7929
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7929
[ 8 ] CVE-2014-7930
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7930
[ 9 ] CVE-2014-7931
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7931
[ 10 ] CVE-2014-7932
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7932
[ 11 ] CVE-2014-7933
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7933
[ 12 ] CVE-2014-7934
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7934
[ 13 ] CVE-2014-7935
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7935
[ 14 ] CVE-2014-7936
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7936
[ 15 ] CVE-2014-7937
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7937
[ 16 ] CVE-2014-7938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7938
[ 17 ] CVE-2014-7939
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7939
[ 18 ] CVE-2014-7940
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7940
[ 19 ] CVE-2014-7941
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7941
[ 20 ] CVE-2014-7942
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7942
[ 21 ] CVE-2014-7943
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7943
[ 22 ] CVE-2014-7944
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7944
[ 23 ] CVE-2014-7945
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7945
[ 24 ] CVE-2014-7946
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7946
[ 25 ] CVE-2014-7947
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7947
[ 26 ] CVE-2014-7948
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7948
[ 27 ] CVE-2014-9646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9646
[ 28 ] CVE-2014-9647
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9647
[ 29 ] CVE-2014-9648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9648
[ 30 ] CVE-2015-1205
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1205
[ 31 ] CVE-2015-1209
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1209
[ 32 ] CVE-2015-1210
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1210
[ 33 ] CVE-2015-1211
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1211
[ 34 ] CVE-2015-1212
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1212
[ 35 ] CVE-2015-1346
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1346
[ 36 ] CVE-2015-1359
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1359
[ 37 ] CVE-2015-1360
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1360
[ 38 ] CVE-2015-1361
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1361
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-13.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201502-0409 | CVE-2015-1210 | Google Chrome Used in Blink of V8 Vulnerability to bypass same origin policy in binding |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The V8ThrowException::createDOMException function in bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, does not properly consider frame access restrictions during the throwing of an exception, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. Google Chrome is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, bypass the same-origin policy and gain elevated privileges; other attacks are also possible. Google Chrome is a web browser developed by Google (Google). Blink is a browser typesetting engine (rendering engine) jointly developed by Google and Opera Software. There is a security vulnerability in the 'V8ThrowException::createDOMException' function in the bindings/core/v8/V8ThrowException.cpp file in the bindings/core/v8/V8ThrowException.cpp file of Blink used in Google Chrome. Framework access restrictions. The following versions are affected: Google Chrome 40.0.2214.93 and earlier for Windows, OS X, and Linux, and Google Chrome 40.0.2214.89 and earlier for Android. ============================================================================
Ubuntu Security Notice USN-2495-1
February 10, 2015
oxide-qt vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Oxide. (CVE-2015-1209)
It was discovered that V8 did not properly consider frame access
restrictions when throwing exceptions in some circumstances. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit this to bypass same origin restrictions.
(CVE-2015-1210)
It was discovered that Chromium did not properly restrict the URI scheme
during ServiceWorker registration. If a user were tricked in to
downloading and opening a specially crafted HTML file, an attacker could
potentially exploit this to bypass security restrictions. (CVE-2015-1212)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
liboxideqtcore0 1.4.3-0ubuntu0.14.10.1
oxideqt-codecs 1.4.3-0ubuntu0.14.10.1
oxideqt-codecs-extra 1.4.3-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:
liboxideqtcore0 1.4.3-0ubuntu0.14.04.1
oxideqt-codecs 1.4.3-0ubuntu0.14.04.1
oxideqt-codecs-extra 1.4.3-0ubuntu0.14.04.1
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: chromium-browser security update
Advisory ID: RHSA-2015:0163-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0163.html
Issue date: 2015-02-10
CVE Names: CVE-2015-1209 CVE-2015-1210 CVE-2015-1211
CVE-2015-1212
=====================================================================
1. Summary:
Updated chromium-browser packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Chromium is an open-source web browser, powered by WebKit (Blink).
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Chromium to crash or,
potentially, execute arbitrary code with the privileges of the user running
Chromium. (CVE-2015-1209, CVE-2015-1210, CVE-2015-1211, CVE-2015-1212)
All Chromium users should upgrade to these updated packages, which contain
Chromium version 40.0.2214.111, which corrects these issues. After
installing the update, Chromium must be restarted for the changes to take
effect.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1190123 - CVE-2015-1209 chromium-browser: use-after-free in DOM
1190124 - CVE-2015-1210 chromium-browser: cross-origin-bypass in V8 bindings
1190125 - CVE-2015-1211 chromium-browser: privilege escalation in service workers
1190158 - CVE-2015-1212 chromium-browser: various security fixes in Chrome 40.0.2214.111
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
Source:
chromium-browser-40.0.2214.111-1.el6_6.src.rpm
i386:
chromium-browser-40.0.2214.111-1.el6_6.i686.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.i686.rpm
x86_64:
chromium-browser-40.0.2214.111-1.el6_6.x86_64.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
Source:
chromium-browser-40.0.2214.111-1.el6_6.src.rpm
i386:
chromium-browser-40.0.2214.111-1.el6_6.i686.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.i686.rpm
x86_64:
chromium-browser-40.0.2214.111-1.el6_6.x86_64.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
Source:
chromium-browser-40.0.2214.111-1.el6_6.src.rpm
i386:
chromium-browser-40.0.2214.111-1.el6_6.i686.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.i686.rpm
x86_64:
chromium-browser-40.0.2214.111-1.el6_6.x86_64.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-1209
https://access.redhat.com/security/cve/CVE-2015-1210
https://access.redhat.com/security/cve/CVE-2015-1211
https://access.redhat.com/security/cve/CVE-2015-1212
https://access.redhat.com/security/updates/classification/#important
http://googlechromereleases.blogspot.com/2015/02/stable-channel-update.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU2oc6XlSAg2UNWIIRArgRAJ0UDk0z8qCzqVFIRSEuiIgr3tP9swCfdFO2
59ank3BbCLmfdBRtQ9lpFz4=
=mT/S
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201502-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: February 17, 2015
Bugs: #537366, #539094
ID: 201502-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Chromium, the worst of
which can allow remote attackers to cause Denial of Service or gain
escalated privileges.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 40.0.2214.111 >= 40.0.2214.111
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker may be able to cause a Denial of Service condition,
gain privileges via a filesystem: URI, or have other unspecified
impact.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-40.0.2214.111"
References
==========
[ 1 ] CVE-2014-7923
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7923
[ 2 ] CVE-2014-7924
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7924
[ 3 ] CVE-2014-7925
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7925
[ 4 ] CVE-2014-7926
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7926
[ 5 ] CVE-2014-7927
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7927
[ 6 ] CVE-2014-7928
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7928
[ 7 ] CVE-2014-7929
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7929
[ 8 ] CVE-2014-7930
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7930
[ 9 ] CVE-2014-7931
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7931
[ 10 ] CVE-2014-7932
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7932
[ 11 ] CVE-2014-7933
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7933
[ 12 ] CVE-2014-7934
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7934
[ 13 ] CVE-2014-7935
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7935
[ 14 ] CVE-2014-7936
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7936
[ 15 ] CVE-2014-7937
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7937
[ 16 ] CVE-2014-7938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7938
[ 17 ] CVE-2014-7939
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7939
[ 18 ] CVE-2014-7940
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7940
[ 19 ] CVE-2014-7941
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7941
[ 20 ] CVE-2014-7942
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7942
[ 21 ] CVE-2014-7943
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7943
[ 22 ] CVE-2014-7944
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7944
[ 23 ] CVE-2014-7945
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7945
[ 24 ] CVE-2014-7946
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7946
[ 25 ] CVE-2014-7947
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7947
[ 26 ] CVE-2014-7948
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7948
[ 27 ] CVE-2014-9646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9646
[ 28 ] CVE-2014-9647
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9647
[ 29 ] CVE-2014-9648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9648
[ 30 ] CVE-2015-1205
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1205
[ 31 ] CVE-2015-1209
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1209
[ 32 ] CVE-2015-1210
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1210
[ 33 ] CVE-2015-1211
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1211
[ 34 ] CVE-2015-1212
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1212
[ 35 ] CVE-2015-1346
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1346
[ 36 ] CVE-2015-1359
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1359
[ 37 ] CVE-2015-1360
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1360
[ 38 ] CVE-2015-1361
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1361
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-13.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201502-0408 | CVE-2015-1209 | Google Chrome Used in Blink of DOM Service disruption in implementations (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in the VisibleSelection::nonBoundaryShadowTreeRootNode function in core/editing/VisibleSelection.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper handling of a shadow-root anchor. Supplementary information : CWE Vulnerability type by CWE-416: Use-after-free ( Use of freed memory ) Has been identified. http://cwe.mitre.org/data/definitions/416.htmlBy a third party shadow-root Crafted to induce improper handling of anchors JavaScript Service disruption through code (DoS) There is a possibility of being affected unspecified, such as being in a state. Google Chrome is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, bypass the same-origin policy and gain elevated privileges; other attacks are also possible. Google Chrome is a web browser developed by Google (Google). Blink is a browser typesetting engine (rendering engine) jointly developed by Google and Opera Software. The following versions are affected: Google Chrome 40.0.2214.93 and earlier for Windows, OS X, and Linux, and Google Chrome 40.0.2214.89 and earlier for Android. ============================================================================
Ubuntu Security Notice USN-2495-1
February 10, 2015
oxide-qt vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Oxide. (CVE-2015-1209)
It was discovered that V8 did not properly consider frame access
restrictions when throwing exceptions in some circumstances. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit this to bypass same origin restrictions.
(CVE-2015-1210)
It was discovered that Chromium did not properly restrict the URI scheme
during ServiceWorker registration. If a user were tricked in to
downloading and opening a specially crafted HTML file, an attacker could
potentially exploit this to bypass security restrictions. (CVE-2015-1212)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
liboxideqtcore0 1.4.3-0ubuntu0.14.10.1
oxideqt-codecs 1.4.3-0ubuntu0.14.10.1
oxideqt-codecs-extra 1.4.3-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:
liboxideqtcore0 1.4.3-0ubuntu0.14.04.1
oxideqt-codecs 1.4.3-0ubuntu0.14.04.1
oxideqt-codecs-extra 1.4.3-0ubuntu0.14.04.1
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: chromium-browser security update
Advisory ID: RHSA-2015:0163-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0163.html
Issue date: 2015-02-10
CVE Names: CVE-2015-1209 CVE-2015-1210 CVE-2015-1211
CVE-2015-1212
=====================================================================
1. Summary:
Updated chromium-browser packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Chromium is an open-source web browser, powered by WebKit (Blink).
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Chromium to crash or,
potentially, execute arbitrary code with the privileges of the user running
Chromium. (CVE-2015-1209, CVE-2015-1210, CVE-2015-1211, CVE-2015-1212)
All Chromium users should upgrade to these updated packages, which contain
Chromium version 40.0.2214.111, which corrects these issues. After
installing the update, Chromium must be restarted for the changes to take
effect.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1190123 - CVE-2015-1209 chromium-browser: use-after-free in DOM
1190124 - CVE-2015-1210 chromium-browser: cross-origin-bypass in V8 bindings
1190125 - CVE-2015-1211 chromium-browser: privilege escalation in service workers
1190158 - CVE-2015-1212 chromium-browser: various security fixes in Chrome 40.0.2214.111
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
Source:
chromium-browser-40.0.2214.111-1.el6_6.src.rpm
i386:
chromium-browser-40.0.2214.111-1.el6_6.i686.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.i686.rpm
x86_64:
chromium-browser-40.0.2214.111-1.el6_6.x86_64.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
Source:
chromium-browser-40.0.2214.111-1.el6_6.src.rpm
i386:
chromium-browser-40.0.2214.111-1.el6_6.i686.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.i686.rpm
x86_64:
chromium-browser-40.0.2214.111-1.el6_6.x86_64.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
Source:
chromium-browser-40.0.2214.111-1.el6_6.src.rpm
i386:
chromium-browser-40.0.2214.111-1.el6_6.i686.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.i686.rpm
x86_64:
chromium-browser-40.0.2214.111-1.el6_6.x86_64.rpm
chromium-browser-debuginfo-40.0.2214.111-1.el6_6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-1209
https://access.redhat.com/security/cve/CVE-2015-1210
https://access.redhat.com/security/cve/CVE-2015-1211
https://access.redhat.com/security/cve/CVE-2015-1212
https://access.redhat.com/security/updates/classification/#important
http://googlechromereleases.blogspot.com/2015/02/stable-channel-update.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU2oc6XlSAg2UNWIIRArgRAJ0UDk0z8qCzqVFIRSEuiIgr3tP9swCfdFO2
59ank3BbCLmfdBRtQ9lpFz4=
=mT/S
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201502-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: February 17, 2015
Bugs: #537366, #539094
ID: 201502-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Chromium, the worst of
which can allow remote attackers to cause Denial of Service or gain
escalated privileges.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 40.0.2214.111 >= 40.0.2214.111
Description
===========
Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker may be able to cause a Denial of Service condition,
gain privileges via a filesystem: URI, or have other unspecified
impact.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-40.0.2214.111"
References
==========
[ 1 ] CVE-2014-7923
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7923
[ 2 ] CVE-2014-7924
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7924
[ 3 ] CVE-2014-7925
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7925
[ 4 ] CVE-2014-7926
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7926
[ 5 ] CVE-2014-7927
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7927
[ 6 ] CVE-2014-7928
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7928
[ 7 ] CVE-2014-7929
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7929
[ 8 ] CVE-2014-7930
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7930
[ 9 ] CVE-2014-7931
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7931
[ 10 ] CVE-2014-7932
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7932
[ 11 ] CVE-2014-7933
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7933
[ 12 ] CVE-2014-7934
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7934
[ 13 ] CVE-2014-7935
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7935
[ 14 ] CVE-2014-7936
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7936
[ 15 ] CVE-2014-7937
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7937
[ 16 ] CVE-2014-7938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7938
[ 17 ] CVE-2014-7939
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7939
[ 18 ] CVE-2014-7940
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7940
[ 19 ] CVE-2014-7941
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7941
[ 20 ] CVE-2014-7942
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7942
[ 21 ] CVE-2014-7943
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7943
[ 22 ] CVE-2014-7944
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7944
[ 23 ] CVE-2014-7945
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7945
[ 24 ] CVE-2014-7946
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7946
[ 25 ] CVE-2014-7947
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7947
[ 26 ] CVE-2014-7948
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7948
[ 27 ] CVE-2014-9646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9646
[ 28 ] CVE-2014-9647
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9647
[ 29 ] CVE-2014-9648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9648
[ 30 ] CVE-2015-1205
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1205
[ 31 ] CVE-2015-1209
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1209
[ 32 ] CVE-2015-1210
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1210
[ 33 ] CVE-2015-1211
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1211
[ 34 ] CVE-2015-1212
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1212
[ 35 ] CVE-2015-1346
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1346
[ 36 ] CVE-2015-1359
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1359
[ 37 ] CVE-2015-1360
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1360
[ 38 ] CVE-2015-1361
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1361
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201502-13.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201502-0134 | CVE-2015-0600 | Cisco Unified IP Phone 9900 Service disruption in the firmware expansion of the series firmware (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The mobility extension on Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier allows remote attackers to cause a denial of service (logoff) via crafted packets, aka Bug ID CSCuq12139. Vendors have confirmed this vulnerability Bug ID CSCuq12139 It is released as.Denial of service operation via a packet crafted by a third party ( log off ) There is a possibility of being put into a state. The device provides voice, video and other functions. This vulnerability could be exploited by a remote attacker to cause a denial of service by sending a specially crafted packet.
This issue is tracked by Cisco Bug ID CSCuq12139
| VAR-201502-0136 | CVE-2015-0602 | Cisco Unified IP Phones 9900 Series Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The mobility extension on Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier allows remote attackers to obtain sensitive information by sniffing the network, aka Bug ID CSCuq12117. Vendors have confirmed this vulnerability Bug ID CSCuq12117 It is released as.If a third party intercepts the network, important information may be obtained. The device provides voice, video and other functions. A remote attacker exploited the vulnerability to gain sensitive information by sniffing the network. This may aid in further attacks.
This issue is tracked by Cisco Bug ID CSCuq12117
| VAR-201502-0137 | CVE-2015-0603 | Cisco Unified IP 9900 phones Service disruption in other firmware (DoS) Vulnerabilities |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier use weak permissions for unspecified files, which allows local users to cause a denial of service (persistent hang or reboot) by writing to a phone's filesystem, aka Bug ID CSCup90474. The Cisco Unified IP Phone 9900 is a 9900 series IP telephony terminal device from Cisco. The device provides voice, video and other functions. A security vulnerability exists in the Cisco Unified IP Phone 9900 Series. A local attacker could exploit the vulnerability to cause a denial of service (suspend, restart, or block startup).
This issue is tracked by Cisco Bug ID CSCup90474
| VAR-201502-0133 | CVE-2015-0599 | C-Series Rack Servers Run on Cisco Unified Computing System Vulnerable to a clickjacking attack |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The web interface in Cisco Integrated Management Controller in Cisco Unified Computing System (UCS) on C-Series Rack Servers does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame scripting (XFS)" issue, aka Bug ID CSCuf50138. Vendors have confirmed this vulnerability Bug ID CSCuf50138 It is released as. Supplementary information : CWE Vulnerability type by CWE-254: Security Features ( Security function ) Has been identified. http://cwe.mitre.org/data/definitions/254.htmlSkillfully crafted by a third party Web Through the site, clickjacking attacks can be performed and other unspecified effects can be received. Cisco Unified Computing System C-Series Rack Servers is prone to a cross-frame scripting vulnerability.
Successful exploits will allow attackers to bypass the same-origin policy and perform unauthorized actions; other attacks are possible. Cisco Integrated Management Controller (IMC) is a set of management tools used for it, which supports HTTP, SSH access, etc., and can perform operations such as starting, shutting down and restarting the server. The vulnerability is caused by the program not properly restricting the use of IFRAME elements