- Arch-security - lists.archlinux.org

[arch-security] [Arch Linux Security Advisory ASA-201410-2] jenkins: multiple issues
by Remi Gacogne 02 Oct '14

02 Oct '14

Arch Linux Security Advisory ASA-201410-2 ========================================= Severity: Critical Date : 2014-10-02 CVE-ID : CVE-2013-2186 CVE-2014-1869 CVE-2014-3661 CVE-2014-3662 CVE-2014-3663 CVE-2014-3664 CVE-2014-3666 CVE-2014-3667 CVE-2014-3678 CVE-2014-3679 CVE-2014-3680 CVE-2014-3681 Package : jenkins Type : Multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package jenkins before version 1.583-1 is vulnerable to multiple vulnerabilities, including but not limited to: - denial of service ; - information leakage ; - privilege escalation ; - XSS ; - arbitrary file system write ; - remote code execution. Resolution ========== Upgrade to 1.583-1. # pacman -Syu "jenkins>=1.583-1" The problem has been fixed upstream in version 1.583. Workaround ========== None. Description =========== - SECURITY-87/CVE-2014-3661 (anonymous DoS attack through CLI handshake) This vulnerability allows unauthenticated users with access to Jenkins' HTTP/HTTPS port to mount a DoS attack on Jenkins through thread exhaustion. - SECURITY-110/CVE-2014-3662 (User name discovery) Anonymous users can test if the user of a specific name exists or not through login attempts. - SECURITY-127&128/CVE-2014-3663 (privilege escalation in job configuration permission) An user with a permission limited to Job/CONFIGURE can exploit this vulnerability to effectively create a new job, which should have been only possible for users with Job/CREATE permission, or to destroy jobs that he/she does not have access otherwise. - SECURITY-131/CVE-2014-3664 (directory traversal attack) Users with Overall/READ permission can access arbitrary files in the file system readable by the Jenkins process, resulting in the exposure of sensitive information, such as encryption keys. - SECURITY-138/CVE-2014-3680 (Password exposure in DOM) If a parameterized job has a default value in a password field, that default value gets exposed to users with Job/READ permission. - SECURITY-143/CVE-2014-3681 (XSS vulnerability in Jenkins core) Reflected cross-site scripting vulnerability in Jenkins core. An attacker can navigate the user to a carefully crafted URL and have the user execute unintended actions. - SECURITY-150/CVE-2014-3666 (remote code execution from CLI) Unauthenticated user can execute arbitrary code on Jenkins master by sending carefully crafted packets over the CLI channel. - SECURITY-155/CVE-2014-3667 (exposure of plugin code) Programs that constitute plugins can be downloaded by anyone with the Overall/READ permission, resulting in the exposure of otherwise sensitive information, such as hard-coded keys in plugins, if any. - SECURITY-159/CVE-2013-2186 (arbitrary file system write) Security vulnerability in commons fileupload allows unauthenticated attacker to upload arbitrary files to Jenkins master. - SECURITY-149/CVE-2014-1869 (XSS vulnerabilities in ZeroClipboard) reflective XSS vulnerability in one of the library dependencies of Jenkins. - SECURITY-113/CVE-2014-3678 (XSS vulnerabilities in monitoring plugin) Monitoring plugin allows an attacker to cause a victim into executing unwanted actions on Jenkins instance. - SECURITY-113/CVE-2014-3679 (hole in access control) Certain pages in monitoring plugin are visible to anonymous users, allowing them to gain information that they are not supposed to. Impact ====== A remote, non-privileged attacker can execute arbitrary code, read and write arbitrary files and trick valid users into doing unwanted actions. References ========== https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014… https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2186 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1869 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3661 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3662 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3663 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3664 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3666 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3667 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3678 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3679 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3680 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3681

1 0

[arch-security] [Arch Linux Security Advisory ASA-201410-1] rsyslog: remote denial of service
by Remi Gacogne 01 Oct '14

01 Oct '14

Arch Linux Security Advisory ASA-201410-1 ========================================= Severity: Medium Date : 2014-10-01 CVE-ID : CVE-2014-3634 Package : rsyslog Type : Denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package rsyslog before version 8.4.1-1 is vulnerable to a remote denial of service. Resolution ========== Upgrade to 8.4.1-1. # pacman -Syu "rsyslog>=8.4.1-1" The problem has been fixed upstream in version 8.4.1. Workaround ========== It is possible to prevent unauthorized remote hosts from sending syslog messages to vulnerable hosts, for example by using a firewall. Description =========== Sending a syslog message containing an invalid PRI value to a vulnerable rsyslog server accepting remote message will trigger a denial of service by crashing the rsyslog process. Impact ====== A remote attacker authorized to send syslog messages can cause the syslog server to segfault, causing a denial of service. According to the rsyslog project leader, under certain preconditions it may possibly lead to remote code execution [1]. The default configuration is safe from these preconditions. References ========== [1] http://www.rsyslog.com/remote-syslog-pri-vulnerability/ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3634 https://bugs.archlinux.org/task/42200

1 0

[arch-security] [Arch Linux Security Advisory ASA-201409-5] libvirt: out-of-bounds read access
by Levente Polyak 29 Sep '14

29 Sep '14

Arch Linux Security Advisory ASA-201409-5 ========================================= Severity: Medium Date : 2014-09-29 CVE-ID : CVE-3633 Package : libvirt Type : out-of-bounds read access Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package libvirt before version 1.2.8-2 is vulnerable to an out-of-bounds read access in qemuDomainGetBlockIoTune().. Resolution ========== Upgrade to 1.2.8-2. # pacman -Syu "libvirt>=1.2.8-2" The problem has been fixed upstream [0] but no release is available yet. Workaround ========== The out-of-bounds access is only possible on domains that have had disks hot-plugged or removed from the live image without also updating the persistent definition to match; keeping the two definitions matched or using only transient domains will avoid the problem. Denying access to the readonly libvirt socket will avoid the potential for a denial of service attack, but will not prevent the out-of-bounds access from causing a crash for a privileged client, although such a crash is no longer a security problem. Description =========== Luyao Huang of Red Hat found that the qemu implementation of virDomainGetBlockIoTune computed an index into the array of disks for the live definition, then used it as the index into the array of disks for the persistent definition, which could result into an out-of-bounds read access in qemuDomainGetBlockIoTune(). Impact ====== A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process. References ========== [0] http://libvirt.org/git/?p=libvirt.git;a=commit;h=3e745e8f775dfe6f64f18b5c2f… https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3633 http://security.libvirt.org/2014/0004.html https://bugs.archlinux.org/task/42159

1 1

[arch-security] [Arch Linux Security Advisory ASA-201409-4] mediawiki: Cross-site Scripting (XSS)
by Levente Polyak 29 Sep '14

29 Sep '14

Arch Linux Security Advisory ASA-201409-4 ========================================= Severity: High Date : 2014-09-29 CVE-ID : CVE-7199 Package : mediawiki Type : Cross-site Scripting (XSS) Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package mediawiki before version 1.23.4-1 is vulnerable to Cross-site Scripting (XSS). Resolution ========== Upgrade to 1.23.4-1. # pacman -Syu "mediawiki>=1.23.4-1" The problem has been fixed upstream in version 1.23.4. Workaround ========== None. Description =========== It was discovered that MediaWiki, a wiki engine, did not sufficiently filter CSS in uploaded SVG files, allowing for cross site scripting. Impact ====== A remote attacker is able to upload a crafted SVG file to perform a cross site scripting attack. References ========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199 https://bugzilla.wikimedia.org/show_bug.cgi?id=69008 https://bugs.archlinux.org/task/42161 https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-September/000…

1 0

[arch-security] Arch Linux Security Advisories
by Remi Gacogne 27 Sep '14

27 Sep '14

Hi all, A recent discussion on the #archlinux-security IRC channel led to the proposal of posting security announcements to the arch-security mailing-list every time a vulnerability concerning an Arch Linux package is disclosed, as other distributions are already doing [1][2]. The final goal is to be able to notify Arch users that they may need to quickly upgrade a specific package due to a vulnerability. In order to do so efficiently, I believe we need to think of a way for package maintainers to notify the Arch Linux CVE Monitoring Team (or whoever handling advisories) when they upgrade a package due to a specific security issue (if they are aware of it, of course). This would be complementary to the role of the CVE Monitoring Team, which is to monitor CVE and let package maintainers know when a package need to be upgraded / patched to fix a vulnerability. Based on an idea by Bluewind, I made the following template for advisories, and will be sending an advisory for the recent NSS vulnerability as an example in the next few minutes. Any comment to the idea of security advisories and/or this template are welcome. Best regards, Remi [1] https://lists.debian.org/debian-security-announce/ [2] http://www.gentoo.org/security/en/glsa/index.xml Template: Subject: [Arch Linux Security Advisory <YYYYMM-N>] <Package>: <Vulnerability Type> Body: Arch Linux Security Advisory YYYYMM-N ===================================== Severity: Low, Medium, High, Critical Date : YYYY-MM-DD CVE-ID : <CVE-ID> Package : <package> Type : <Vulnerability Type> Remote : <Yes/No> Link : https://wiki.archlinux.org/index.php/CVE-YYYY Summary ======= The package <package> before version <Arch Linux fixed version> is vulnerable to <Vulnerability type>. Resolution ========== Upgrade to <Arch Linux fixed version>. The problem has been fixed upstream in version <upstream fixed version>. Workaround ========== <Is there a way to mitigate this vulnerability without upgrading?> Description =========== <Long description, for example from original advisory>. Impact ====== < What is it that an attacker can do? Does this need existing pre-conditions to be exploited (valid credentials, physical access)? Is this remotely exploitable? >. References ========== <CVE-Link> <Upstream report> <Arch Linux Bug-Tracker>

5 7

[arch-security] [Arch Linux Security Advisory ASA-201409-3] python2: Information leakage through integer overflow
by Remi Gacogne 26 Sep '14

26 Sep '14

Arch Linux Security Advisory ASA-201409-3 ========================================= Severity: Low Date : 2014-09-26 CVE-ID : CVE-2014-7185 Package : python2 Type : Integer overflow Remote : No Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package python2 before version 2.7.8-1 is vulnerable to an integer overflow vulnerability. Resolution ========== Upgrade to 2.7.8-1. $ pacman -Syu "python2>=2.7.8-1" The problem has been fixed upstream in version 2.7.8 [1]. Workaround ========== None. Description =========== It was reported that Python 2.7.8 fixes a potential wraparound in buffer() with possible CWE-200 implications. This could allow an attacker to access private information through information leakage. PoC: --- overflow.py --- import sys a = bytearray('here be dragons') b = buffer(a, sys.maxsize, sys.maxsize) print b[:8192] ------------------- References ========== [1] https://www.python.org/downloads/release/python-278/ http://bugs.python.org/issue21831 https://bugzilla.redhat.com/show_bug.cgi?id=1146026

1 0

[arch-security] [Arch Linux Security Advisory 201409-2] bash: Remote code execution
by Remi Gacogne 26 Sep '14

26 Sep '14

Arch Linux Security Advisory 201409-2 ===================================== Severity: Critical Date : 2014-09-26 CVE-ID : CVE-2014-6271, CVE-2014-7169 Package : bash Type : Remote code execution Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package bash before version 4.3.026-1 is vulnerable to remote code execution. Resolution ========== Upgrade to 4.3.026-1. $ pacman -Syu "bash>=4.3.026-1" The problem has not been fixed upstream yet, though some patches were released [1]. Workaround ========== It is possible to work around this issue by replacing bash with a non-affected shell, for example dash, when specifics bash features are not needed. Description =========== GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. References ========== [1] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 https://bugs.archlinux.org/task/42109 http://lcamtuf.blogspot.fr/2014/09/quick-notes-about-bash-bug-its-impact.ht…

1 0

[arch-security] [Arch Linux Security Advisory 201409-1] NSS: Signature forgery attack
by Remi Gacogne 25 Sep '14

25 Sep '14

Arch Linux Security Advisory 201409-1 ===================================== Severity: High Date : 2014-09-24 CVE-ID : CVE-2014-1568 Package : nss Type : Signature forgery attack Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package nss before version 3.17.1-1 is vulnerable to a signature forgery attack. Resolution ========== Upgrade to 3.17.1-1. The problem has been fixed upstream in version 3.17.1. Description =========== Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates. The Advanced Threat Research team at Intel Security also independently discovered and reported this issue. Impact ====== This vulnerability may allow an attacker to forge false RSA certificates, considered valid by applications, like Firefox or Thunderbird, that rely on NSS to valid certificates. This could for example be used to conduct Man-In-The-Middle attack. References ========== http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1568 https://www.mozilla.org/security/announce/2014/mfsa2014-73.html

1 0

[arch-security] CVE-2014-507
by Mark Lee 26 Jul '14

26 Jul '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 To All, It has been mentioned on OSS-security that there's a null pointer dereference flaw in the Stream Control Transmission Protocol in the Linux kernel. Currently Arch Linux builds this option as a module. I've already filed a bug report at : <https://bugs.archlinux.org/task/41346> Regards, Mark -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlPTG7MACgkQZ/Z80n6+J/Y0kgEAgNUyMioU8wmch3jTdiDegjVU G2+1JljcQ/TnvnOZFCABAIUehzWBDhpJ2vsX3VSjGQgwRQEpXsJHgfulKNYrjhqT =ziEQ -----END PGP SIGNATURE-----

1 0

[arch-security] net: SCTP: NULL pointer dereference
by Mark Lee 24 Jul '14

24 Jul '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 To all, A net SCTP null pointer dereference has been discovered in linux kernel; it can result in a DoS. See bug report :https://bugs.archlinux.org/task/41329 Regards, Mark -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREIAAYFAlPROToACgkQZ/Z80n6+J/ZxlQEAjzCaj3I3xDLVLVk1SVdqxfNt taoD1v0i4k0qjv/pLmgA/As2PL2xn5wRlIC0KsD5VTHhNF6NN19WZR4DqRWdxa81 =Pigy -----END PGP SIGNATURE-----

1 0