Security

SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id.

From the cinder bug report:

Bastian Blank reported a vulnerability in Cinder and Nova. By creating a qcow2 image with an arbitrary backing file, an authenticated user may mislead Cinder upload-to-image action, resulting in disclosure of any file from the Cinder server. A similar vulnerability in Nova can also be used by an authenticated user to trick Nova during a snapshot upload, resulting in disclosure of any file for which the Nova process user has access to. All Cinder setups and all Nova setups with force_raw_image (which is set by default) are affected.

- CVE-2015-3236 (lingering HTTP credentials in connection re-use):

libcurl can wrongly send HTTP credentials when re-using connections.

libcurl allows applications to set credentials for the upcoming transfer with HTTP Basic authentication, like with CURLOPT_USERPWD for example. Name and password. Just like all other libcurl options the credentials are sticky and are kept associated with the "handle" until something is made to change the situation.

Further, libcurl offers a curl_easy_reset() function that resets a handle back to its pristine state in terms of all settable options. A reset is of course also supposed to clear the credentials. A reset is typically used to clear up the handle and prepare it for a new, possibly unrelated, transfer.

Within such a handle, libcurl can also store a set of previous connections in case a second transfer is requested to a host name for which an existing connection is already kept alive.

With this flaw present, using the handle even after a reset would make libcurl accidentally use those credentials in a subsequent request if done to the same host name and connection as was previously accessed.

An example case would be first requesting a password protected resource from one section of a web site, and then do a second request of a public resource from a completely different part of the site without authentication. This flaw would then inadvertently leak the credentials in the second request.

- CVE-2015-3237 (SMB send off unrelated memory contents):

libcurl can get tricked by a malicious SMB server to send off data it did not intend to.

In libcurl's state machine function handling the SMB protocol (smb_request_state()), two length and offset values are extracted from data that has arrived over the network, and those values are subsequently used to figure out what data range to send back.

The values are used and trusted without boundary checks and are just assumed to be valid. This allows carefully handcrafted packages to trick libcurl into responding and sending off data that was not intended. Or just crash if the values cause libcurl to access invalid memory.

From the Debian advisory:

CVE-2015-3231 - Incorrect cache handling made private content viewed by "user 1" exposed to other, non-privileged users.

CVE-2015-3232 - A flaw in the Field UI module made it possible for attackers to redirect users to malicious sites.

CVE-2015-3233 - Due to insufficient URL validation, the Overlay module could be used to redirect users to malicious sites.

CVE-2015-3234 - The OpenID module allowed an attacker to log in as other users, including administrators.

Due to an issue in the caching mechanism of Views it's possible that configured filters lose their effect. This can lead to exposure of content that otherwise would be hidden from visitors. This vulnerability is mitigated by the fact that it can't be exploited directly but occurs when certain prerequisites meet. Systems that use in-memory cache backends like redis / memcache are more likely to be affected by this issue. This is due the common strategy used to free cache space if the configured memory limit of the cache is reached.

From the Mageia advisory:

The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.0.7 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via a crafted .cine file that triggers the avpicture_get_size function to return a negative frame size.

A context-dependent attacker can cause a denial of service condition.

The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.

A flaw was found in the way the nft_flush_table() function of the Linux kernel's netfilter tables implementation flushed rules that were referencing deleted chains. A local user who has the CAP_NET_ADMIN capability could use this flaw to crash the system.

This update corrects a double-free error that existed within the "unrar_extract_next_prepare()" function (libclamunrar_iface/unrar_iface.c) when parsing a RAR file. While no CVE was assigned, this issue does have potential security implications.

A heap buffer overflow flaw was found in the way the libwmf library processed WMF files containing BMP images. A specially crafted WMF file could cause an application using libwmf to crash or, possibly, execute arbitrary code.

Jakub Wilk discovered the fix for CVE-2015-1196 was incomplete for GNU patch. An attacker could specially craft a patch file that could overwrite arbitrary files with the privileges of the user invoking the program. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.

The phar_parse_metadata function in ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (heap metadata corruption) or possibly have unspecified other impact via a crafted tar archive. (CVE-2015-3307)

The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array, which allows remote attackers to execute arbitrary code by providing crafted serialized data with an unexpected data type, related to a "type confusion" issue. (CVE-2015-4147)

From the Red Hat advisory:

It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2015-2348, CVE-2015-4025, CVE-2015-4026, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598)

Multiple flaws were discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2014-8142, CVE-2015-0231, CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603)

Multiple flaws were found in PHP's File Information (fileinfo) extension. A remote attacker could cause a PHP application to crash if it used fileinfo to identify type of attacker supplied files. (CVE-2014-9652, CVE-2015-4604, CVE-2015-4605)

• Fix possible failure to recover from an inconsistent database state (Robert Haas)
• Fix rare failure to invalidate relation cache init file (Tom Lane)
• Avoid deadlock between incoming sessions and CREATE/DROP DATABASE (Tom Lane)
• Improve planner's cost estimates for semi-joins and anti-joins with inner indexscans (Tom Lane, Tomas Vondra)

Tim McLean discovered that pyjwt, a Python implementation of JSON Web Token, would try to verify an HMAC signature using an RSA or ECDSA public key as secret. This could allow remote attackers to trick applications expecting tokens signed with asymmetric keys, into accepting arbitrary tokens. For more information see: https://auth0.com/blog/2015/03/31/critical-vulnerabilitie...

Multiple vulnerabilities were discovered in the dissectors for WCCP and GSM DTAP, which could result in denial of service.

Ray Strode, a developer at Red Hat, discovered an authentication setup issue inside the XWayland compatibility server, used to host X11 clients inside a Wayland compositor's session. XWayland is used by Weston and Mutter / GNOME Shell's Wayland mode.

Due to an omission in authentication setup, the XWayland server would start up in non-authenticating mode, meaning that any client with access to the server's UNIX socket was able to connect to the server and use it as a regular client. No Wayland compositor was known to start XWayland with TCP access open, so remote exploitation is not considered possible.

On many systems, all local users would have full access to the XWayland server, allowing untrusted users to capture contents of, and input destined for, other X11 clients.

This permission bypass does not extend to native Wayland clients: XWayland is not given access to the buffers of any Wayland clients in the host session, nor is any input sent to XWayland unless an X11 client was active at that time.

The resolution was to restrict XWayland connections to the same UID as the server itself, matching Wayland's default permissions.

(1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack, a different vulnerability than CVE-2012-3363. (CVE-2012-6531)

(1) Zend_Dom, (2) Zend_Feed, (3) Zend_Soap, and (4) Zend_XmlRpc in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 allow remote attackers to cause a denial of service (CPU consumption) via recursive or circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. (CVE-2012-6532)