- Arch-security - lists.archlinux.org

[arch-security] [Arch Linux Security Advisory ASA-201410-9] libpurple: remote dos and information leakage
by Remi Gacogne 22 Oct '14

22 Oct '14

Arch Linux Security Advisory ASA-201410-9 ========================================= Severity: High Date : 2014-10-22 CVE-ID : CVE-2014-3695, CVE-2014-3696, CVE-2014-3698 Package : libpurple Type : Remote denial of service, Information leakage Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package libpurple before version 2.10.10-1 is vulnerable to a remote denial of service and remote information leakage. Resolution ========== Upgrade to 2.10.10-1. # pacman -Syu "libpurple>=2.10.10-1" The problem has been fixed upstream in version 2.10.10. Workaround ========== None. Description =========== A malicious server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory. A malicious server or man-in-the-middle could trigger a crash in libpurple by sending an emoticon via MXit with an overly large length value. A malicious server or man-in-the-middle could trigger a crash in libpurple by specifying that a large amount of memory should be allocated in a Novell Groupwise message. Impact ====== A remote attacker could access arbitrary memory from any application using libpurple via a specially crafted XMPP message. A remote attacker in position of man-in-the-middle, or a malicious server, could remotely crash any application using libpurple via a MXit or Novell Groupwise message. References ========== http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3695 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3696 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3698 https://pidgin.im/news/security/?id=87 https://pidgin.im/news/security/?id=88 https://pidgin.im/news/security/?id=90

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-8] wpa_supplicant, hostapd: Arbitrary command execution
by Levente Polyak 20 Oct '14

20 Oct '14

Arch Linux Security Advisory ASA-201410-8 ========================================= Severity: Critical Date : 2014-10-20 CVE-ID : CVE-2014-3686 Package : wpa_supplicant, hostapd Type : Arbitrary command execution Remote : yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package wpa_supplicant and hostapd before version 2.3-1 are vulnerable to arbitrary command execution. Resolution ========== Upgrade to 2.3-1. # pacman -Syu "wpa_supplicant>=2.3-1" "hostapd>=2.3-1" The problem has been fixed upstream in version 2.3. Workaround ========== Disable use of wpa_cli/hostapd_cli command to run action scripts (this may break functionality). Description =========== Jouni Malinen discovered an input sanitization issue in the wpa_cli and hostapd_cli tools included in the wpa_supplicant and hostapd packages. A remote wifi system within range could provide a crafted frame triggering arbitrary command execution under the privileges of the wpa_cli/hostapd_cli process. Impact ====== A remote attacker is able to perform arbitrary command execution with the with privileges of the affected process. References ========== http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3686 https://bugs.archlinux.org/task/42401 http://www.openwall.com/lists/oss-security/2014/10/09/28 http://w1.fi/security/2014-1/

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-7] drupal: pre-auth sql injection
by Remi Gacogne 16 Oct '14

16 Oct '14

Arch Linux Security Advisory ASA-201410-7 ========================================= Severity: Critical Date : 2014-10-16 CVE-ID : CVE-2014-3704 Package : drupal Type : SQL injection Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package drupal before version 7.32-1 is vulnerable to a remote, non-authenticated, SQL injection. Resolution ========== Upgrade to 7.32-1. # pacman -Syu "drupal>=7.32-1" The problem has been fixed upstream in version 7.32. Workaround ========== None. Description =========== Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users. This vulnerability has been marketed as drupageddon by the discoverer, Sektion Eins. Impact ====== A remote, non-authenticated, attacker can alter or drop the drupal database with a single HTTP request. This can be escalated to code execution. References ========== https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3704 https://www.drupal.org/SA-CORE-2014-005 https://bugs.archlinux.org/task/42388 https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerabil…

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-6] openssl: denial of service / man-in-the-middle / poodle mitigation
by Remi Gacogne 16 Oct '14

16 Oct '14

Arch Linux Security Advisory ASA-201410-6 ========================================= Severity: High Date : 2014-10-16 CVE-ID : CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568 Package : openssl Type : Denial of service, Man-in-the-middle Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package openssl before version 1.0.1.j-1 is vulnerable to a remote denial of service via two different memory leaks. In addition to that, it fails to properly disable the SSLv3 protocol when building with the no-ssl3 option, thus leaving openssl vulnerable to the POODLE attack on SSLv3. This new version adds support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade, as exploited on the POODLE attack. Resolution ========== Upgrade to 1.0.1.j-1. # pacman -Syu "openssl>=1.0.1.j-1" The problem has been fixed upstream in version 1.0.1j. Workaround ========== The SRTP memory leak described in CVE-2014-3513 can be mitigated by building openssl with the OPENSSL_NO_SRTP option enabled. The POODLE attack can be avoided by disabling the use of SSLv3, or at least the downgrade of failed TLS connections to SSLv3. There is no workaround for the other leak or the no-ssl3 compile-time option. Description =========== SRTP Memory Leak (CVE-2014-3513) -------------------------------- A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected. Session Ticket Memory Leak (CVE-2014-3567) ------------------------------------------ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack. Build option no-ssl3 is incomplete (CVE-2014-3568) -------------------------------------------------- When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them. SSL 3.0 Fallback protection --------------------------- OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade. Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE (CVE-2014-3566). Impact ====== The two memory leaks allow a remote, non-authenticated attacker to cause a denial of service. The no-ssl3 option error may prevent administrator from effectively disable SSLv3. The POODLE attack may allow an active attacker to decipher the content of an SSL connection, such as the content of a session cookie. References ========== http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3513 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3567 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3568 https://www.openssl.org/news/secadv_20141015.txt https://www.openssl.org/~bodo/ssl-poodle.pdf https://www.imperialviolet.org/2014/10/14/poodle.html

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-4] zeromq: Man-in-the-middle downgrade and replay attack
by Levente Polyak 15 Oct '14

15 Oct '14

Arch Linux Security Advisory ASA-201410-4 ========================================= Severity: Medium Date : 2014-10-15 CVE-ID : CVE-2014-7202 CVE-2014-7203 Package : zeromq Type : Man-in-the-middle downgrade and replay attack Remote : yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package zeromq before version 4.0.5-1 is vulnerable to man-in-the-middle downgrade and replay attacks. Resolution ========== Upgrade to 4.0.5-1. # pacman -Syu "zeromq>=4.0.5-1" The problem has been fixed upstream in version 4.0.5. Workaround ========== None. Description =========== - CVE-2014-7202 (downgrade attack) A bug in stream_engine.cpp allows man-in-the-middle attackers to conduct downgrade attacks via a crafted connection request. - CVE-2014-7203 (replay attack) libzmq did not ensure that nonces are unique, which allows man-in-the-middle attackers to conduct replay attacks via unspecified vectors. Impact ====== A remote attacker is able to perform unauthorized modifications by using a downgrade attack to target vulnerable protocol versions or by performing a replay attack of a recorded communication. References ========== http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7202 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7203 https://github.com/zeromq/libzmq/issues/1190 https://github.com/zeromq/libzmq/issues/1191 https://bugs.archlinux.org/task/42381 http://seclists.org/oss-sec/2014/q3/776

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-5] rsyslog: remote denial of service
by Remi Gacogne 08 Oct '14

08 Oct '14

Arch Linux Security Advisory ASA-201410-5 ========================================= Severity: Medium Date : 2014-10-08 CVE-ID : CVE-2014-3683 Package : rsyslog Type : Denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package rsyslog before version 8.4.2-1 is vulnerable to a remote denial of service. Resolution ========== Upgrade to 8.4.2-1. # pacman -Syu "rsyslog>=8.4.2-1" The problem has been fixed upstream in version 8.4.2. Workaround ========== It is possible to prevent unauthorized remote hosts from sending syslog messages to vulnerable hosts, for example by using a firewall. Description =========== The rsyslog fix shipped in 8.4.1 for an invalid PRI value (see ASA-201410-1) was incomplete, as it did not cover cases where PRI values > MAX_INT. These values caused an integer overflow, resulting in negative values. Sending a syslog message containing an invalid PRI value to a vulnerable rsyslog server accepting remote message will trigger a denial of service by crashing the rsyslog process. Impact ====== A remote attacker authorized to send syslog messages can cause the syslog server to segfault, causing a denial of service. According to the rsyslog project leader, under certain preconditions it may possibly lead to remote code execution [1]. The default configuration is safe from these preconditions. References ========== [1] http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3683

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-3] mediawiki: Cross-site Scripting (XSS) and UI redressing
by Levente Polyak 04 Oct '14

04 Oct '14

Arch Linux Security Advisory ASA-201410-3 ========================================= Severity: Medium Date : 2014-10-04 CVE-ID : CVE-2014-7295 Package : mediawiki Type : Cross-site Scripting (XSS) and UI redressing Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package mediawiki before version 1.23.5-1 is vulnerable to Cross-site Scripting (XSS) and UI redressing. Resolution ========== Upgrade to 1.23.5-1. # pacman -Syu "mediawiki>=1.23.5-1" The problem has been fixed upstream in version 1.23.5. Workaround ========== None. Description =========== It was discovered that MediaWiki, a wiki engine, was separating the allowance of css and js modules resulting in Cross-site Scripting (XSS) and UI redressing issues. Impact ====== A remote attacker is able to perform Cross-site Scripting (XSS) and/or UI redressing attacks on affected MediaWiki pages. References ========== https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7295 https://bugzilla.wikimedia.org/show_bug.cgi?id=70672 https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-October/00016… http://www.openwall.com/lists/oss-security/2014/10/02/36

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-2] jenkins: multiple issues
by Remi Gacogne 02 Oct '14

02 Oct '14

Arch Linux Security Advisory ASA-201410-2 ========================================= Severity: Critical Date : 2014-10-02 CVE-ID : CVE-2013-2186 CVE-2014-1869 CVE-2014-3661 CVE-2014-3662 CVE-2014-3663 CVE-2014-3664 CVE-2014-3666 CVE-2014-3667 CVE-2014-3678 CVE-2014-3679 CVE-2014-3680 CVE-2014-3681 Package : jenkins Type : Multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package jenkins before version 1.583-1 is vulnerable to multiple vulnerabilities, including but not limited to: - denial of service ; - information leakage ; - privilege escalation ; - XSS ; - arbitrary file system write ; - remote code execution. Resolution ========== Upgrade to 1.583-1. # pacman -Syu "jenkins>=1.583-1" The problem has been fixed upstream in version 1.583. Workaround ========== None. Description =========== - SECURITY-87/CVE-2014-3661 (anonymous DoS attack through CLI handshake) This vulnerability allows unauthenticated users with access to Jenkins' HTTP/HTTPS port to mount a DoS attack on Jenkins through thread exhaustion. - SECURITY-110/CVE-2014-3662 (User name discovery) Anonymous users can test if the user of a specific name exists or not through login attempts. - SECURITY-127&128/CVE-2014-3663 (privilege escalation in job configuration permission) An user with a permission limited to Job/CONFIGURE can exploit this vulnerability to effectively create a new job, which should have been only possible for users with Job/CREATE permission, or to destroy jobs that he/she does not have access otherwise. - SECURITY-131/CVE-2014-3664 (directory traversal attack) Users with Overall/READ permission can access arbitrary files in the file system readable by the Jenkins process, resulting in the exposure of sensitive information, such as encryption keys. - SECURITY-138/CVE-2014-3680 (Password exposure in DOM) If a parameterized job has a default value in a password field, that default value gets exposed to users with Job/READ permission. - SECURITY-143/CVE-2014-3681 (XSS vulnerability in Jenkins core) Reflected cross-site scripting vulnerability in Jenkins core. An attacker can navigate the user to a carefully crafted URL and have the user execute unintended actions. - SECURITY-150/CVE-2014-3666 (remote code execution from CLI) Unauthenticated user can execute arbitrary code on Jenkins master by sending carefully crafted packets over the CLI channel. - SECURITY-155/CVE-2014-3667 (exposure of plugin code) Programs that constitute plugins can be downloaded by anyone with the Overall/READ permission, resulting in the exposure of otherwise sensitive information, such as hard-coded keys in plugins, if any. - SECURITY-159/CVE-2013-2186 (arbitrary file system write) Security vulnerability in commons fileupload allows unauthenticated attacker to upload arbitrary files to Jenkins master. - SECURITY-149/CVE-2014-1869 (XSS vulnerabilities in ZeroClipboard) reflective XSS vulnerability in one of the library dependencies of Jenkins. - SECURITY-113/CVE-2014-3678 (XSS vulnerabilities in monitoring plugin) Monitoring plugin allows an attacker to cause a victim into executing unwanted actions on Jenkins instance. - SECURITY-113/CVE-2014-3679 (hole in access control) Certain pages in monitoring plugin are visible to anonymous users, allowing them to gain information that they are not supposed to. Impact ====== A remote, non-privileged attacker can execute arbitrary code, read and write arbitrary files and trick valid users into doing unwanted actions. References ========== https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014… https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2186 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1869 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3661 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3662 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3663 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3664 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3666 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3667 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3678 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3679 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3680 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3681

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-1] rsyslog: remote denial of service
by Remi Gacogne 01 Oct '14

01 Oct '14

Arch Linux Security Advisory ASA-201410-1 ========================================= Severity: Medium Date : 2014-10-01 CVE-ID : CVE-2014-3634 Package : rsyslog Type : Denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package rsyslog before version 8.4.1-1 is vulnerable to a remote denial of service. Resolution ========== Upgrade to 8.4.1-1. # pacman -Syu "rsyslog>=8.4.1-1" The problem has been fixed upstream in version 8.4.1. Workaround ========== It is possible to prevent unauthorized remote hosts from sending syslog messages to vulnerable hosts, for example by using a firewall. Description =========== Sending a syslog message containing an invalid PRI value to a vulnerable rsyslog server accepting remote message will trigger a denial of service by crashing the rsyslog process. Impact ====== A remote attacker authorized to send syslog messages can cause the syslog server to segfault, causing a denial of service. According to the rsyslog project leader, under certain preconditions it may possibly lead to remote code execution [1]. The default configuration is safe from these preconditions. References ========== [1] http://www.rsyslog.com/remote-syslog-pri-vulnerability/ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3634 https://bugs.archlinux.org/task/42200

1 0

[arch-security] [Arch Linux Security Advisory ASA-201409-5] libvirt: out-of-bounds read access
by Levente Polyak 29 Sep '14

29 Sep '14

Arch Linux Security Advisory ASA-201409-5 ========================================= Severity: Medium Date : 2014-09-29 CVE-ID : CVE-3633 Package : libvirt Type : out-of-bounds read access Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package libvirt before version 1.2.8-2 is vulnerable to an out-of-bounds read access in qemuDomainGetBlockIoTune().. Resolution ========== Upgrade to 1.2.8-2. # pacman -Syu "libvirt>=1.2.8-2" The problem has been fixed upstream [0] but no release is available yet. Workaround ========== The out-of-bounds access is only possible on domains that have had disks hot-plugged or removed from the live image without also updating the persistent definition to match; keeping the two definitions matched or using only transient domains will avoid the problem. Denying access to the readonly libvirt socket will avoid the potential for a denial of service attack, but will not prevent the out-of-bounds access from causing a crash for a privileged client, although such a crash is no longer a security problem. Description =========== Luyao Huang of Red Hat found that the qemu implementation of virDomainGetBlockIoTune computed an index into the array of disks for the live definition, then used it as the index into the array of disks for the persistent definition, which could result into an out-of-bounds read access in qemuDomainGetBlockIoTune(). Impact ====== A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process. References ========== [0] http://libvirt.org/git/?p=libvirt.git;a=commit;h=3e745e8f775dfe6f64f18b5c2f… https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3633 http://security.libvirt.org/2014/0004.html https://bugs.archlinux.org/task/42159

1 1