Security

- CVE-2015-0253 (denial of service): Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531.

- CVE-2015-3183 (denial of service): core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters.

- CVE-2015-3185 (authentication bypass): Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook.

CVE-2015-4634: SQL injection vulnerability in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands in graphs.php

Currently unknown or unassigned CVE's
SQL injection vulnerability in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands in cdef.php, color.php, data_input.php, data_queries.php, data_sources.php, data_templates.php, gprint_presets.php, graph_templates.php, graph_templates_items.php, graphs_items.php, host.php, host_templates.php, lib/functions.php, rra.php, tree.php and user_admin.php

This is a security release. People running 7.x-2.0-alpha8 or below should update. This release only contains security fixes, no additional bug fixes or features.

Changes since 7.x-2.0-alpha8:

• #2495145 by twistor, cashwilliams, greggles, klausi: Possible XSS in PuSHSubscriber.inc
• #2502419 by klausi: Log messages XSS attack vector
• #1848498 by twistor: Respect allowed file extensions in file mapper

The module doesn't sufficiently sanitize destination field labels thereby exposing a Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit fields (such as "administer taxonomy"), or be able to modify source data being imported by an administrator. Furthermore, the migrate_ui submodule must be enabled.

The module doesn't sufficiently guard user entities against unauthorized modification. If a user has access to a user account listing view with VBO enabled (such as admin/people when the administration_views module is used), they will be able to edit their own account and give themselves a higher role (such as "administrator") even if they don't have the "'administer users'" permission.

This vulnerability is mitigated by the fact that an attacker must have access to such a user listing page and that the bulk operation for changing Roles is enabled.

It was discovered that an integer overflow in freexl, a library to parse Microsoft Excel spreadsheets may result in denial of service if a malformed Excel file is opened.

cpnrodzc7, working with HP's Zero Day Initiative, discovered that Java applications using standard Java serialization mechanisms to decode untrusted data, and that have Groovy on their classpath, can be passed a serialized object that will cause the application to execute arbitrary code.

Adam <adam AT anope.org>, upstream author of inspircd found the Debian patch that fixed CVE-2012-1836 was incomplete. Furthermore, it introduced an issue, since invalid dns packets caused an infinite loop.

From the CVE entries:

CVE-2015-2627: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality via unknown vectors related to installation.

CVE-2015-2637: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JavaFX 2.2.80; and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via unknown vectors related to 2D.

CVE-2015-2638: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JavaFX 2.2.80; and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVE-2015-2664: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

From the CVE entries:

CVE-2015-2596: Unspecified vulnerability in Oracle Java SE 7u80 allows remote attackers to affect integrity via unknown vectors related to Hotspot.

CVE-2015-2613: Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JCE.

CVE-2015-2619: Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, JavaFX 2.2.80, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via unknown vectors related to 2D.

CVE-2015-4729: Unspecified vulnerability in Oracle Java SE 7u80 and 8u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment.

CVE-2015-4736: Unspecified vulnerability in Oracle Java SE 7u80 and 8u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

Thijs Alkemade discovered that the Jabber server may pass an invalid UTF-8 string to libidn, the GNU library for Internationalized Domain Names (IDNs). In the case of the Jabber server, this results in information disclosure, and it is likely that some other applications using libidn have similar vulnerabilities. This update changes libidn to check for invalid strings rather than assuming that the application has done so.

Roman Fiedler discovered that LXC had a directory traversal flaw when creating lock files. A local attacker could exploit this flaw to create an arbitrary file as the root user. (CVE-2015-1331)

Roman Fiedler discovered that LXC incorrectly trusted the container's proc filesystem to set up AppArmor profile changes and SELinux domain transitions. A local attacker could exploit this flaw to run programs inside the container that are not confined by AppArmor or SELinux. (CVE-2015-1334)

Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to GIS. (CVE-2015-2582)

Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.23 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Security : Privileges. (CVE-2015-2620)

Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer. (CVE-2015-2643)

Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to DML. (CVE-2015-2648)

Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Pluggable Auth. (CVE-2015-4737)

Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to Server : I_S. (CVE-2015-4752)

A flaw was found in the way pacemaker, a cluster resource manager, evaluated added nodes in certain situations. A user with read-only access could potentially assign any other existing roles to themselves and then add privileges to other users as well.

A bug was discovered in our label decompression code, making it possible for names to refer to themselves, thus causing a loop during decompression. On some platforms, this bug can be abused to cause crashes. On all platforms, this bug can be abused to cause service-affecting CPU spikes.

Update 7th of July 2015: Toshifumi Sakaguchi discovered that the original fix was insufficient in some cases. Updated versions of the Authoritative Server and Recursor were released on the 9th of June. Minimal patches are available. The insufficient fix was assigned CVE-2015-5470.

**Horde_Form 2.0.10**
* [jan] SECURITY: Fixed XSS in form renderer.

**Horde_Icalendar 2.1.1**
* [jan] Fix generated VALARM TRIGGER attributes with empty duration (Ralf Becker).

**Horde_Auth 2.1.10**
* [jan] SECURITY: Don't allow to login to LDAP with an empty password.

**Horde_Core 2.20.6**
* [jan] SECURITY: Don't allow to login with an empty password.
* [jan] Give administrators access to all groups, even with $conf['share']['any_group'] disabled.

Multiple cross-site scripting flaws were discovered in the Red Hat Certificate System Agent and End Entity pages. An attacker could use these flaws to perform a cross-site scripting (XSS) attack against victims using the Certificate System's web interface.

The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.

The following was reported:

The function "rs_filter_graph" located in file ./librawstudio/rs-filter.c contains the following code:

g_string_append_printf(str, "}\n");
g_file_set_contents("/tmp/rs-filter-graph", str->str, str->len, NULL);

ignore = system("dot -Tpng >/tmp/rs-filter-graph.png >/tmp/rs-filter-graph"); ignore = system("gnome-open /tmp/rs-filter-graph.png");

This code makes insecure use of two temporary files:

/tmp/rs-filter-graph.png and /tmp/rs-filter-graph

This allows the truncation of arbitrary files which are owned by the user running rawstudio - for example:

ln -s ~/.important /tmp/rs-filter-graph
ln -s /etc/shadow /tmp/rs-filter-graph.png

I haven't seen a crash, but I can observe the issue under valgrind. Can be reproduced with something like: python -c "from systemd import journal; journal.send('', SYSLOG_FACILITY='10', PRIORITY='4')"

It was discovered that the uri package in the Ruby standard library uses regular expressions that may result in excessive backtracking. Ruby applications that parse untrusted URIs using this library were susceptible to denial-of-service attacks by passing crafted URIs.

If DTD is not entirely disabled, inline DTD declarations can be used to perform denial of service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.

CVE-2015-4645: The first problem overflows the bytes variable, so that the allocation of fragments_bytes[] has an erroneous size.

int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
...
fragment_table = malloc(bytes);

CVE-2015-4646: If we fix this by making the variable size_t, we run into an unrelated problem in which the stack VLA allocation of fragment_table_index[] can easily exceed RLIMIT_STACK.

Fernando Muñoz discovered that invalid HTML input passed to tidy, an HTML syntax checker and reformatter, could trigger a buffer overflow. This could allow remote attackers to cause a denial of service (crash) or potentially execute arbitrary code.

Geoff McLane also discovered that a similar issue could trigger an integer overflow, leading to a memory allocation of 4GB. This could allow remote attackers to cause a denial of service by saturating the target's memory.

This bug has been created based on an anonymous crash report requested by the package maintainer.

Stack-based buffer overflow in the xl command line utility in Xen 4.1.x through 4.5.x allows local guest administrators to gain privileges via a long configuration argument.