OpenSSL still vulnerable: fix for CVE-2012-2110 not sufficient!

Posted on 24th April 2012 in Library Vulnerabilities, Security Advisories

It was discovered that the fix for CVE-2012-2110, released on 19 Apr
2012 and referenced in this post on unhackable, was not sufficient to correct the issue for OpenSSL 0.9.8.

Please see http://www.openssl.org/news/secadv_20120419.txt for details of that vulnerability.

This issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i already contain a patch sufficient to correct CVE-2012-2110.

Thanks to Red Hat for discovering and fixing this issue.

Affected users should upgrade to 0.9.8w.
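Because the first 0.9.8 fix release was itself vulnerable, a version check has to know the branch-specific fixed release rather than just "newer than the advisory date". The script below is an added example, not part of this post or of the OpenSSL project; it encodes only the fixed releases the two advisories on this page name (0.9.8w, 1.0.0i, 1.0.1a) and reports any other branch as unverified instead of guessing. It assumes the 2012-era single-letter suffix scheme ("0.9.8v"); the later two-letter suffixes such as "za" are not handled.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an OpenSSL version
# string already carries the CVE-2012-2110 fix. Fixed releases named in the
# advisories: 0.9.8w (0.9.8v turned out to be insufficient), 1.0.0i, 1.0.1a.
# Assumption: single-letter version suffixes only, as used in 2012.

# Numeric part and letter suffix of a version such as "0.9.8v".
openssl_base()   { printf '%s\n' "$1" | sed 's/[a-z]*$//'; }
openssl_letter() { printf '%s\n' "$1" | sed 's/^[0-9.]*//'; }

# ASCII code of a single letter (POSIX printf %d with a leading quote),
# so suffix letters can be compared numerically: letter_ord w -> 119.
letter_ord() { printf '%d' "'$1"; }

# Exit status 0: version $1 contains the fix; 1: older than the fixed
# release on its branch; 2: branch not covered by these advisories.
openssl_has_cve_2012_2110_fix() {
    base=$(openssl_base "$1")
    letter=$(openssl_letter "$1")
    case "$base" in
        0.9.8) fixed=w ;;
        1.0.0) fixed=i ;;
        1.0.1) fixed=a ;;
        *)     return 2 ;;
    esac
    # A bare "0.9.8" or "1.0.0" predates every lettered release of its branch.
    [ -z "$letter" ] && return 1
    [ "$(letter_ord "$letter")" -ge "$(letter_ord "$fixed")" ]
}

# Report on the locally installed OpenSSL, if there is one.
# "openssl version" prints e.g. "OpenSSL 0.9.8v 19 Apr 2012"; field 2 is the version.
if command -v openssl >/dev/null 2>&1; then
    installed=$(openssl version | awk '{print $2}')
    rc=0
    openssl_has_cve_2012_2110_fix "$installed" || rc=$?
    case "$rc" in
        0) echo "OpenSSL $installed: contains the CVE-2012-2110 fix" ;;
        1) echo "OpenSSL $installed: VULNERABLE, upgrade to the fixed release" ;;
        *) echo "OpenSSL $installed: branch not covered by these advisories" ;;
    esac
fi
```

Run it on a host to classify the installed library; the version check itself only looks at the `openssl version` token, so a distribution that backports the fix without bumping the upstream letter (as Red Hat and Ubuntu do) will be reported as vulnerable and must be checked through its package changelog instead.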


OpenSSL Vulnerabilities – CVE-2012-2110, CVE-2006-7250, CVE-2012-1165

Posted on 19th April 2012 in Library Vulnerabilities, Security Advisories

Summary:

An application using OpenSSL could be made to crash or run programs if it
opened a specially crafted file.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

It was discovered that OpenSSL could be made to dereference a NULL pointer
when processing S/MIME messages. A remote attacker could use this to cause
a denial of service. These issues did not affect Ubuntu 8.04 LTS.
(CVE-2006-7250, CVE-2012-1165)

Tavis Ormandy discovered that OpenSSL did not properly perform bounds
checking when processing DER data via BIO or FILE functions. A remote
attacker could trigger this flaw in services that used SSL to cause a
denial of service or possibly execute arbitrary code with application
privileges. (CVE-2012-2110)


[Security Update] Important Vulnerability found in rpm

Posted on 4th April 2012 in General Hackery

Updated rpm packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6; Red Hat Enterprise Linux 3 and 4 Extended Life Cycle Support; Red Hat Enterprise Linux 5.3 Long Life; and Red Hat Enterprise Linux 5.6, 6.0 and 6.1 Extended Update Support.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The RPM Package Manager (RPM) is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages.

Multiple flaws were found in the way RPM parsed package file headers. An attacker could create a specially-crafted RPM package that, when its package header was accessed, or during package signature verification, could cause an application using the RPM library (such as the rpm command line tool, or the yum and up2date package managers) to crash or, potentially, execute arbitrary code. (CVE-2012-0060, CVE-2012-0061, CVE-2012-0815)

Note: Although an RPM package can, by design, execute arbitrary code when installed, this issue would allow a specially-crafted RPM package to execute arbitrary code before its digital signature has been verified. Package downloads from the Red Hat Network are protected by the use of a secure HTTPS connection in addition to the RPM package signature checks.

All RPM users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running applications linked against the RPM library must be restarted for this update to take effect.


Vulnerabilities discovered in OpenSSL <0.9.8u and 1.x before 1.0.0h

Posted on 28th March 2012 in Library Vulnerabilities

Multiple vulnerabilities have been found and corrected in openssl:

The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
certain oracle behavior, which makes it easier for context-dependent
attackers to decrypt data via a Million Message Attack (MMA) adaptive
chosen ciphertext attack (CVE-2012-0884).

The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before
0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial
of service (NULL pointer dereference and application crash) via a
crafted S/MIME message, a different vulnerability than CVE-2006-7250
(CVE-2012-1165).

The updated packages have been patched to correct these issues.

Please update your systems accordingly.


Vulnerability discovered in GnuTLS < 2.12.17

Posted on 28th March 2012 in Library Vulnerabilities

A vulnerability has been found and corrected in GnuTLS:

gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before
3.0.15 does not properly handle data encrypted with a block cipher,
which allows remote attackers to cause a denial of service (heap
memory corruption and application crash) via a crafted record, as
demonstrated by a crafted GenericBlockCipher structure (CVE-2012-1573).

The updated packages have been patched to correct this issue.

Please update your systems accordingly.


libpng security vulnerability allows execution of arbitrary code

Posted on 18th February 2012 in Library Vulnerabilities

The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A flaw was discovered in libpng that could result in libpng trying to free() random memory if certain, unlikely error conditions occurred. If a carefully-crafted PNG file was loaded by an application linked against libpng, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. A flaw was discovered in the way libpng handled PNG images containing “unknown” chunks. If an application linked against libpng attempted to process a malformed, unknown chunk in a malicious PNG image, it could cause the application to crash.

Jueri Aedla discovered this integer overflow in the popular libpng PNG library. This affects all software and applications that depend on libpng. This includes several web browsers and several server side applications. All running applications using libpng or libpng10 must be restarted for the update to take effect.

Debian Advisory

Package : libpng
Vulnerability : integer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-3026
Description : Heap-buffer-overflow in png_decompress_chunk (MFSA 2012-11)

Red Hat Advisory

Package: libpng*
Advisory: RHSA-2012:0317-1
Type: Security Advisory
Severity: Important
Issued on: 2012-02-20
Last updated on: 2012-02-20


Ubuntu Security Advisory USN-1361-1: Linux kernel vulnerabilities

Posted on 13th February 2012 in Kernel Vulnerabilities, Security Advisories

Ubuntu Security Notice USN-1361-1

13th February, 2012

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 10.10

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user
who can mount a FUSE file system could cause a denial of service.
(CVE-2011-3353)

A flaw was found in KVM's Programmable Interval Timer (PIT). When a virtual
interrupt control is not available a local user could use this to cause a
denial of service by starting a timer. (CVE-2011-4622)

A flaw was discovered in the XFS filesystem. If a local user mounts a
specially crafted XFS image it could potentially execute arbitrary code on
the system. (CVE-2012-0038)

Chen Haogang discovered an integer overflow that could result in memory
corruption. A local unprivileged user could use this to crash the system.
(CVE-2012-0044)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.10:
linux-image-2.6.35-32-powerpc64-smp 2.6.35-32.65
linux-image-2.6.35-32-generic-pae 2.6.35-32.65
linux-image-2.6.35-32-versatile 2.6.35-32.65
linux-image-2.6.35-32-generic 2.6.35-32.65
linux-image-2.6.35-32-virtual 2.6.35-32.65
linux-image-2.6.35-32-powerpc-smp 2.6.35-32.65
linux-image-2.6.35-32-powerpc 2.6.35-32.65
linux-image-2.6.35-32-server 2.6.35-32.65
linux-image-2.6.35-32-omap 2.6.35-32.65

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2011-3353, CVE-2011-4622, CVE-2012-0038, CVE-2012-0044


Security News From Twitter this week

Posted on 13th February 2012 in Uncategorized

RT @valdesjo77: OpenSSH from Linux to Windows 7 via tunneled RDP http://t.co/yhAA6FuU via @lethalduck #security #tips #sysadmin

Apache – Multiple Vulnerabilities – affects 2.0.x-2.0.64 and 2.2.x-2.2.21. #unhackable #security http://t.co/d9G2TfWW


Ubuntu Security Advisory: PHP / Upgrades available

Posted on 13th February 2012 in Security Advisories, Software Vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

USN 1358-1 introduced a regression in PHP.

Software Description:
- php5: HTML-embedded scripting language interpreter

Details:

USN 1358-1 fixed multiple vulnerabilities in PHP. The fix for
CVE-2012-0831 introduced a regression where the state of the
magic_quotes_gpc setting was not correctly reflected when calling
the ini_get() function.

Original advisory details:

It was discovered that PHP computed hash values for form parameters
without restricting the ability to trigger hash collisions predictably.
This could allow a remote attacker to cause a denial of service by
sending many crafted parameters. (CVE-2011-4885)

ATTENTION: this update changes previous PHP behavior by
limiting the number of external input variables to 1000.
This may be increased by adding a “max_input_vars”
directive to the php.ini configuration file. See

http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars

for more information.

Stefan Esser discovered that the fix to address the predictable hash
collision issue, CVE-2011-4885, did not properly handle the situation
where the limit was reached. This could allow a remote attacker to
cause a denial of service or execute arbitrary code via a request
containing a large number of variables. (CVE-2012-0830)

It was discovered that PHP did not always check the return value of
the zend_strndup function. This could allow a remote attacker to
cause a denial of service. (CVE-2011-4153)

It was discovered that PHP did not properly enforce libxslt security
settings. This could allow a remote attacker to create arbitrary
files via a crafted XSLT stylesheet that uses the libxslt output
extension. (CVE-2012-0057)

It was discovered that PHP did not properly enforce that PDORow
objects could not be serialized and not be saved in a session. A
remote attacker could use this to cause a denial of service via an
application crash. (CVE-2012-0788)

It was discovered that PHP allowed the magic_quotes_gpc setting to
be disabled remotely. This could allow a remote attacker to bypass
restrictions that could prevent an SQL injection. (CVE-2012-0831)

USN 1126-1 addressed an issue where the /etc/cron.d/php5 cron job
for PHP allowed local users to delete arbitrary files via a symlink
attack on a directory under /var/lib/php5/. Emese Revfy discovered
that the fix had not been applied to PHP for Ubuntu 10.04 LTS. This
update corrects the issue. We apologize for the error. (CVE-2011-0441)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
libapache2-mod-php5 5.3.6-13ubuntu3.6
php5 5.3.6-13ubuntu3.6
php5-cgi 5.3.6-13ubuntu3.6
php5-cli 5.3.6-13ubuntu3.6

Ubuntu 11.04:
libapache2-mod-php5 5.3.5-1ubuntu7.7
php5 5.3.5-1ubuntu7.7
php5-cgi 5.3.5-1ubuntu7.7
php5-cli 5.3.5-1ubuntu7.7

Ubuntu 10.10:
libapache2-mod-php5 5.3.3-1ubuntu9.10
php5 5.3.3-1ubuntu9.10
php5-cgi 5.3.3-1ubuntu9.10
php5-cli 5.3.3-1ubuntu9.10

Ubuntu 10.04 LTS:
libapache2-mod-php5 5.3.2-1ubuntu4.14
php5 5.3.2-1ubuntu4.14
php5-cgi 5.3.2-1ubuntu4.14
php5-cli 5.3.2-1ubuntu4.14

Ubuntu 8.04 LTS:
libapache2-mod-php5 5.2.4-2ubuntu5.23
php5 5.2.4-2ubuntu5.23
php5-cgi 5.2.4-2ubuntu5.23
php5-cli 5.2.4-2ubuntu5.23

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1358-2
http://www.ubuntu.com/usn/usn-1358-1
https://launchpad.net/bugs/930115


RedHat Security Advisory: RHSA-2012:0107-1 Important: kernel security and bug fix update

Posted on 9th February 2012 in Kernel Vulnerabilities, Security Advisories

Advisory: RHSA-2012:0107-1
Type: Security Advisory
Severity: Important
Issued on: 2012-02-09
Last updated on: 2012-02-09
Affected Products: Red Hat Enterprise Linux (v. 5 server), Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2011-3638, CVE-2011-4086, CVE-2011-4127, CVE-2012-0028, CVE-2012-0207

Details

Updated kernel packages that fix multiple security issues and two bugs are
now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

This update fixes the following security issues:

* Using the SG_IO ioctl to issue SCSI requests to partitions or LVM volumes
resulted in the requests being passed to the underlying block device. If a
privileged user only had access to a single partition or LVM volume, they
could use this flaw to bypass those restrictions and gain read and write
access (and be able to issue other SCSI commands) to the entire block
device. Refer to Red Hat Knowledgebase article DOC-67874, linked to in the
References, for further details about this issue. (CVE-2011-4127,
Important)

* A flaw was found in the way the Linux kernel handled robust list pointers
of user-space held futexes across exec() calls. A local, unprivileged user
could use this flaw to cause a denial of service or, eventually, escalate
their privileges. (CVE-2012-0028, Important)

* A flaw was found in the Linux kernel in the way splitting two extents in
ext4_ext_convert_to_initialized() worked. A local, unprivileged user with
the ability to mount and unmount ext4 file systems could use this flaw to
cause a denial of service. (CVE-2011-3638, Moderate)

* A flaw was found in the way the Linux kernel's journal_unmap_buffer()
function handled buffer head states. On systems that have an ext4 file
system with a journal mounted, a local, unprivileged user could use this
flaw to cause a denial of service. (CVE-2011-4086, Moderate)

* A divide-by-zero flaw was found in the Linux kernel's igmp_heard_query()
function. An attacker able to send certain IGMP (Internet Group Management
Protocol) packets to a target system could use this flaw to cause a denial
of service. (CVE-2012-0207, Moderate)

Red Hat would like to thank Zheng Liu for reporting CVE-2011-3638, and
Simon McVittie for reporting CVE-2012-0207.

This update also fixes the following bugs:

* When a host was in recovery mode and a SCSI scan operation was initiated,
the scan operation failed and provided no error output. This bug has been
fixed and the SCSI layer now waits for recovery of the host to complete
scan operations for devices. (BZ#772162)

* SG_IO ioctls were not implemented correctly in the Red Hat Enterprise
Linux 5 virtio-blk driver. Sending an SG_IO ioctl request to a virtio-blk
disk caused the sending thread to enter an uninterruptible sleep state ("D"
state). With this update, SG_IO ioctls are rejected by the virtio-blk
driver: the ioctl system call will simply return an ENOTTY ("Inappropriate
ioctl for device") error and the thread will continue normally. (BZ#773322)

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The system must be rebooted for this
update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.
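The manual procedure above has one easy mistake built in: `rpm -e` on the wrong package removes the kernel you are booted into. The wrappers below are an added example, not part of the Red Hat erratum; they wrap the exact commands the advisory gives (`rpm -ivh` to install, `rpm -e` to remove) and add the check a practitioner wants before removal, comparing the package's version-release against `uname -r`. The package names and versions in the comments and test are constructed placeholders, not the erratum's own packages, and the name parsing assumes Red Hat's `kernel[-variant]-<version>-<release>` naming.

```shell
#!/bin/sh
# Added example (not part of the Red Hat erratum): guarded versions of the
# manual kernel install/removal steps. Package names such as
# "kernel-2.6.18-123.el5" used in the comments are constructed placeholders.

# Version-release of a kernel package name as printed by "rpm -q kernel":
#   kernel-2.6.18-123.el5     -> 2.6.18-123.el5
#   kernel-PAE-2.6.18-123.el5 -> 2.6.18-123.el5
# Assumes the Red Hat naming scheme kernel[-variant]-<version>-<release>.
kernel_pkg_version() {
    printf '%s\n' "$1" | sed 's/^kernel-\([A-Za-z]*-\)\{0,1\}//'
}

# True when package $1 is (a variant of) the running kernel. The running
# version is taken from "uname -r" unless $2 is given, so the check can be
# exercised on a constructed value. "uname -r" appends the variant tag for
# PAE/xen kernels (2.6.18-123.el5PAE), so the trailing letters are dropped
# before comparing; any variant of the running version is kept, which is
# the conservative choice.
is_running_kernel() {
    running="${2:-$(uname -r)}"
    ver=$(kernel_pkg_version "$1")
    base=$(printf '%s\n' "$running" | sed 's/[A-Za-z]*$//')
    [ "$ver" = "$base" ]
}

# Install a new kernel alongside the running one: -i, never -U, exactly as
# the advisory says, so the running kernel's files stay in place.
install_kernel() {
    rpm -ivh "$1"
}

# Remove an old kernel package only after confirming it is not the one
# currently running. Returns 1 without touching anything otherwise.
remove_old_kernel() {
    if is_running_kernel "$1"; then
        echo "refusing to remove running kernel package $1" >&2
        return 1
    fi
    rpm -e "$1"
}
```

Typical use after the new kernel has been booted and verified: `rpm -q kernel` to list installed kernel packages, then `remove_old_kernel kernel-<old-version>` for each one you no longer need; the guard makes the call a no-op if you pick the running one by mistake.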

References
