RHSA-2017:2425-1: Moderate: rh-postgresql95-postgresql security update

RHN Satellite and Proxy: An update for rh-postgresql95-postgresql is now available for Red Hat Satellite 5.7.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

This update applies only to Satellite 5.7 instances using either embedded or
managed PostgreSQL databases.

There are manual steps required in order to finish the migration from
postgresql92-postgresql to rh-postgresql95-postgresql. If these steps are not
undertaken, the affected Satellite will continue to use PostgreSQL 9.2.

postgresql92-postgresql will be upgraded automatically to
rh-postgresql95-postgresql as part of an upgrade to Satellite 5.8.

CVE-2016-5423, CVE-2016-5424, CVE-2017-7484, CVE-2017-7485, CVE-2017-7486

RHSA-2017:2424-1: Critical: java-1.7.0-openjdk security update

Red Hat Enterprise Linux: An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 6
and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10081, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10115, CVE-2017-10116, CVE-2017-10135, CVE-2017-10243

RHSA-2017:2423-1: Important: log4j security update

Red Hat Enterprise Linux: An update for log4j is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

CVE-2017-5645

USN-3212-4: LibTIFF vulnerabilities

Ubuntu Security Notice USN-3212-4

7th August, 2017

tiff vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

LibTIFF could be made to crash or run programs as your login if it
opened a specially crafted file.

Software description

  • tiff
    – Tag Image File Format (TIFF) library

Details

USN-3212-1 fixed several issues in LibTIFF. This update
provides a subset of the corresponding updates for Ubuntu 12.04 ESM.

Mei Wang discovered multiple integer overflows in LibTIFF which
allow remote attackers to cause a denial of service (crash) or
execute arbitrary code via a crafted TIFF image, which triggers
an out-of-bounds write. (CVE-2016-3945)

It was discovered that LibTIFF is vulnerable to a heap buffer
overflow, resulting in DoS or code execution via a crafted
BitsPerSample value. (CVE-2017-5225)

Original advisory details:

It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a specially
crafted image, a remote attacker could crash the application, leading to a
denial of service, or possibly execute arbitrary code with user privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  libtiff4        3.9.5-2ubuntu1.11
  libtiff-tools   3.9.5-2ubuntu1.11

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-3945, CVE-2017-5225

USN-3339-2: OpenVPN vulnerability

Ubuntu Security Notice USN-3339-2

7th August, 2017

openvpn vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in OpenVPN.

Software description

  • openvpn
    – virtual private network software

Details

USN-3339-1 fixed several issues in OpenVPN. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Guido Vranken discovered that OpenVPN incorrectly handled an HTTP proxy
with NTLM authentication. A remote attacker could use this issue to cause
OpenVPN clients to crash, resulting in a denial of service, or possibly
expose sensitive memory contents. (CVE-2017-7520)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  openvpn   2.2.1-8ubuntu1.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-7520

USN-3379-1: Shotwell vulnerability

Ubuntu Security Notice USN-3379-1

7th August, 2017

shotwell vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Shotwell could be made to expose sensitive information over the
network.

Software description

  • shotwell
    – digital photo organizer

Details

It was discovered that Shotwell is vulnerable to an information disclosure
in the web publishing plugins, which could result in passwords and OAuth
tokens being transmitted in plaintext.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.04:
  shotwell          0.22.0+git20160108.r1.f2fb1f7-0ubuntu3.1
  shotwell-common   0.22.0+git20160108.r1.f2fb1f7-0ubuntu3.1

Ubuntu 16.04 LTS:
  shotwell          0.22.0+git20160108.r1.f2fb1f7-0ubuntu1.1
  shotwell-common   0.22.0+git20160108.r1.f2fb1f7-0ubuntu1.1

Ubuntu 14.04 LTS:
  shotwell          0.18.0-0ubuntu4.5
  shotwell-common   0.18.0-0ubuntu4.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000024

USN-3380-1: FreeRDP vulnerabilities

Ubuntu Security Notice USN-3380-1

7th August, 2017

freerdp vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in FreeRDP.

Software description

  • freerdp
    – RDP client for Windows Terminal Services

Details

It was discovered that FreeRDP incorrectly handled certain width and height
values. A malicious server could use this issue to cause FreeRDP to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only applied to Ubuntu 14.04 LTS. (CVE-2014-0250)

It was discovered that FreeRDP incorrectly handled certain values in a
Scope List. A malicious server could use this issue to cause FreeRDP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2014-0791)

Tyler Bohan discovered that FreeRDP incorrectly handled certain length
values. A malicious server could use this issue to cause FreeRDP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2017-2834, CVE-2017-2835)

Tyler Bohan discovered that FreeRDP incorrectly handled certain packets. A
malicious server could possibly use this issue to cause FreeRDP to crash,
resulting in a denial of service. (CVE-2017-2836, CVE-2017-2837,
CVE-2017-2838, CVE-2017-2839)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.04:
  libfreerdp-client1.1   1.1.0~git20140921.1.440916e+dfsg1-10ubuntu1.1

Ubuntu 16.04 LTS:
  libfreerdp-client1.1   1.1.0~git20140921.1.440916e+dfsg1-5ubuntu1.2

Ubuntu 14.04 LTS:
  libfreerdp1            1.0.2-2ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-0250, CVE-2014-0791, CVE-2017-2834, CVE-2017-2835, CVE-2017-2836,
CVE-2017-2837, CVE-2017-2838, CVE-2017-2839
