security | 27 Apr 19:03 2015

[ MDVSA-2015:212 ] java-1.7.0-openjdk


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:212
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : java-1.7.0-openjdk
 Date    : April 27, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated java-1.7.0 packages fix security vulnerabilities:

 An off-by-one flaw, leading to a buffer overflow, was found in the
 font parsing code in the 2D component in OpenJDK. A specially crafted
 font file could possibly cause the Java Virtual Machine to execute
 arbitrary code, allowing an untrusted Java application or applet to
 bypass Java sandbox restrictions (CVE-2015-0469).

 A flaw was found in the way the Hotspot component in OpenJDK
 handled phantom references. An untrusted Java application or applet
 could use this flaw to corrupt the Java Virtual Machine memory and,
 possibly, execute arbitrary code, bypassing Java sandbox restrictions
 (CVE-2015-0460).

 A flaw was found in the way the JSSE component in OpenJDK parsed X.509
 certificate options. A specially crafted certificate could cause JSSE
(Continue reading)

Martin Heiland | 27 Apr 17:08 2015

Open-Xchange Security Advisory 2015-04-27

Product: Open-Xchange Server 6 / OX AppSuite
Vendor: Open-Xchange GmbH

Internal reference: 35982 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.6.1
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.1-rev21
Vendor notification: 2015-01-07
Solution date: 2015-03-02
CVE reference: CVE-2015-1588
CVSSv2: 5.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Vulnerability Details:
The sanitation and cleaner engine of OX AppSuite can be exploited to return valid script code that gets
executed by certain browsers. Such filter evasion requires rather good knowledge of the filtering
algorithm and carefully crafted script code.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or
triggering unwanted actions via the web interface (sending mail, deleting data etc.). Potential attack
vectors are E-Mail (via attachments) or Drive.

Solution:
Users should update to the latest patch releases 7.6.1-rev21 (or later).

Internal reference: 36024 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
(Continue reading)

security | 27 Apr 12:14 2015

[ MDVSA-2015:209 ] php


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:209
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : php
 Date    : April 27, 2015
 Affected: Business Server 1.0, Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated php packages fix security vulnerabilities:

 Buffer Over-read in unserialize when parsing Phar (CVE-2015-2783).

 Buffer Overflow when parsing tar/zip/phar in phar_set_inode
 (CVE-2015-3329).

 Potential remote code execution with apache 2.4 apache2handler
 (CVE-2015-3330).

 PHP has been updated to version 5.5.24, which fixes these issues and
 other bugs.

 Additionally the timezonedb packages have been upgraded to the latest
 version and the PECL packages which require so have been rebuilt
 for php-5.5.24.
(Continue reading)

security | 27 Apr 17:03 2015

[ MDVSA-2015:211 ] glusterfs


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:211
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : glusterfs
 Date    : April 27, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated glusterfs packages fix security vulnerability:

 glusterfs was vulnerable to a fragment header infinite loop denial
 of service attack (CVE-2014-3619).

 Also, the glusterfsd SysV init script was failing to properly start
 the service.  This was fixed by replacing it with systemd unit files
 for the service that work properly (mga#14049).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3619
 http://advisories.mageia.org/MGASA-2015-0145.html
 _______________________________________________________________________

(Continue reading)

Kevin Kluge | 27 Apr 15:47 2015

Elasticsearch vulnerability CVE-2015-3337

Summary:
All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that
allows an attacker to retrieve files from the server running Elasticsearch.  This vulnerability is not
present in the initial installation of Elasticsearch.  The vulnerability is exposed when a “site
plugin” is installed.  Elastic’s Marvel plugin and many community-sponsored plugins (e.g. Kopf,
BigDesk, Head) are site plugins.  Elastic Shield, Licensing, Cloud-AWS, Cloud-GCE, Cloud-Azure, the
analysis plugins, and the river plugins are not site plugins.

We have been assigned CVE-2015-3337 for this issue.

Fixed versions:
Versions 1.5.2 and 1.4.5 have addressed the vulnerability.

Remediation:
Users should upgrade to 1.5.2 or 1.4.5.  This will address the vulnerability and preserve site plugin functionality.

Users that do not want to upgrade can address the vulnerability in several ways, but these options will
break any site plugin:
- Set “http.disable_sites” to true and restart the Elasticsearch node.
- Use a firewall or proxy to block HTTP requests to /_plugin.
- Uninstall all site plugins from all Elasticsearch nodes.

Credit:
John Heasman of DocuSign reported this issue.

CVSS
Overall CVSS score: 4.3

security | 27 Apr 12:20 2015

[ MDVSA-2015:210 ] qemu


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:210
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : qemu
 Date    : April 27, 2015
 Affected: Business Server 1.0, Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated qemu packages fix security vulnerabilities:

 A denial of service flaw was found in the way QEMU handled malformed
 Physical Region Descriptor Table (PRDT) data sent to the host's IDE
 and/or AHCI controller emulation. A privileged guest user could use
 this flaw to crash the system (rhbz#1204919).

 It was found that the QEMU's websocket frame decoder processed incoming
 frames without limiting resources used to process the header and the
 payload. An attacker able to access a guest's VNC console could use
 this flaw to trigger a denial of service on the host by exhausting
 all available memory and CPU (CVE-2015-1779).
 _______________________________________________________________________

 References:

(Continue reading)

security | 27 Apr 10:11 2015

[ MDVSA-2015:208 ] setup


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:208
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : setup
 Date    : April 27, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated setup package fixes security vulnerability:

 An issue has been identified in Mandriva Business Server 2's setup
 package where the /etc/shadow and /etc/gshadow files containing
 password hashes were created with incorrect permissions, making them
 world-readable (mga#14516).

 This update fixes this issue by enforcing that those files are owned
 by the root user and shadow group, and are only readable by those
 two entities.

 Note that this issue only affected new Mandriva Business Server
 2 installations.  Systems that were updated from previous Mandriva
 versions were not affected.

 This update was already issued as MDVSA-2015:184, but the latter was
(Continue reading)

security | 27 Apr 09:55 2015

[ MDVSA-2015:207 ] perl-Module-Signature


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:207
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : perl-Module-Signature
 Date    : April 27, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated perl-Module-Signature package fixes the following security
 vulnerabilities reported by John Lightsey:

 Module::Signature could be tricked into interpreting the unsigned
 portion of a SIGNATURE file as the signed portion due to faulty
 parsing of the PGP signature boundaries.

 When verifying the contents of a CPAN module, Module::Signature
 ignored some files in the extracted tarball that were not listed in
 the signature file. This included some files in the t/ directory that
 would execute automatically during make test.

 When generating checksums from the signed manifest, Module::Signature
 used two argument open() calls to read the files. This allowed
 embedding arbitrary shell commands into the SIGNATURE file that would
 execute during the signature verification process.
(Continue reading)

security | 27 Apr 09:38 2015

[ MDVSA-2015:206 ] asterisk


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:206
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : asterisk
 Date    : April 27, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated asterisk packages fix security vulnerability:

 When Asterisk registers to a SIP TLS device and verifies the
 server, Asterisk will accept signed certificates that match a common
 name other than the one Asterisk is expecting if the signed certificate
 has a common name containing a null byte after the portion of the
 common name that Asterisk expected (CVE-2015-3008).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3008
 http://advisories.mageia.org/MGASA-2015-0153.html
 _______________________________________________________________________

 Updated Packages:
(Continue reading)

security | 27 Apr 09:21 2015

[ MDVSA-2015:205 ] tor


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:205
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : tor
 Date    : April 27, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated tor packages fix security vulnerabilities:

 disgleirio discovered that a malicious client could trigger an
 assertion failure in a Tor instance providing a hidden service,
 thus rendering the service inaccessible (CVE-2015-2928).

 DonnchaC discovered that Tor clients would crash with an assertion
 failure upon parsing specially crafted hidden service descriptors
 (CVE-2015-2929).

 Introduction points would accept multiple INTRODUCE1 cells on one
 circuit, making it inexpensive for an attacker to overload a hidden
 service with introductions. Introduction points now no longer allow
 multiple cells of that type on the same circuit.

 The tor package has been updated to version 0.2.4.27, fixing these
(Continue reading)

security | 27 Apr 09:11 2015

[ MDVSA-2015:204 ] librsync


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:204
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : librsync
 Date    : April 27, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated librsync packages fix security vulnerability:

 librsync before 1.0.0 used a truncated MD4 strong check sum to match
 blocks. However, MD4 is not cryptographically strong. It's possible
 that an attacker who can control the contents of one part of a file
 could use it to control other regions of the file, if it's transferred
 using librsync/rdiff (CVE-2014-8242).

 The change to fix this is not backward compatible with older versions
 of librsync. Backward compatibility can be obtained using the new
 rdiff sig --hash=md4 option or through specifying the signature magic
 in the API, but this should not be used when either the old or new
 file contain untrusted data.

 Also, any applications that use the librsync library will need to
 be recompiled against the updated library. The rdiff-backup packages
(Continue reading)

