RHSA-2018:0061-1: Important: thunderbird security update

Red Hat Enterprise Linux: An update for thunderbird is now available for Red Hat Enterprise Linux 6 and
Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2017-7829, CVE-2017-7846, CVE-2017-7847, CVE-2017-7848

USN-3517-1: poppler vulnerabilities

Ubuntu Security Notice USN-3517-1

8th January, 2018

poppler vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in poppler.

Software description

  • poppler
    – PDF rendering library

Details

It was discovered that poppler incorrectly handled certain files.
If a user or automated system were tricked into opening a crafted PDF
file, an attacker could execute arbitrary code. (CVE-2017-1000456)

It was discovered that poppler incorrectly handled certain files.
If a user or automated system were tricked into opening a crafted PDF
file, an attacker could cause a denial of service. This issue only
affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2017-14976)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  libpoppler68                    0.57.0-2ubuntu4.2
  poppler-utils                   0.57.0-2ubuntu4.2

Ubuntu 17.04:
  libpoppler64                    0.48.0-2ubuntu2.5
  poppler-utils                   0.48.0-2ubuntu2.5

Ubuntu 16.04 LTS:
  libpoppler58                    0.41.0-0ubuntu1.6
  poppler-utils                   0.41.0-0ubuntu1.6

Ubuntu 14.04 LTS:
  poppler-utils                   0.24.5-2ubuntu4.9
  libpoppler44                    0.24.5-2ubuntu4.9

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000456, CVE-2017-14976

USN-3518-1: AWStats vulnerability

Ubuntu Security Notice USN-3518-1

8th January, 2018

awstats vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

AWStats could be made to run programs if it received specially crafted
network traffic.

Software description

  • awstats
    – powerful and featureful web server log analyzer

Details

It was discovered that AWStats incorrectly filtered certain parameters. A
remote attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  awstats                         7.6+dfsg-1ubuntu0.17.10.1

Ubuntu 17.04:
  awstats                         7.6+dfsg-1ubuntu0.17.04.1

Ubuntu 16.04 LTS:
  awstats                         7.4+dfsg-1ubuntu0.2

Ubuntu 14.04 LTS:
  awstats                         7.2+dfsg-1ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000501

USN-3519-1: Tomcat vulnerabilities

Ubuntu Security Notice USN-3519-1

8th January, 2018

tomcat7, tomcat8 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Tomcat.

Software description

  • tomcat7
    – Servlet and JSP engine

  • tomcat8
    – Servlet and JSP engine

Details

It was discovered that Tomcat incorrectly handled certain pipelined
requests when sendfile was used. A remote attacker could use this issue to
obtain wrong responses possibly containing sensitive information.
(CVE-2017-5647)

It was discovered that Tomcat did not always use the appropriate facade
object when calling application listeners. A malicious application could
possibly use this to bypass Security Manager restrictions. (CVE-2017-5648)

It was discovered that Tomcat incorrectly handled error pages. A remote
attacker could possibly use this issue to replace or remove the custom
error page. (CVE-2017-5664)

It was discovered that Tomcat incorrectly handled the CORS filter. A remote
attacker could possibly use this issue to perform cache poisoning.
(CVE-2017-7674)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.04:
  tomcat8                         8.0.38-2ubuntu2.2
  libtomcat8-java                 8.0.38-2ubuntu2.2

Ubuntu 16.04 LTS:
  tomcat8                         8.0.32-1ubuntu1.5
  libtomcat8-java                 8.0.32-1ubuntu1.5

Ubuntu 14.04 LTS:
  tomcat7                         7.0.52-1ubuntu0.13
  libtomcat7-java                 7.0.52-1ubuntu0.13

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-5647, CVE-2017-5648, CVE-2017-5664, CVE-2017-7674

USN-3520-1: PySAML2 vulnerability

Ubuntu Security Notice USN-3520-1

8th January, 2018

python-pysaml2 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS

Summary

PySAML2 could allow authentication without a password.

Software description

  • python-pysaml2
    – Pure python implementation of SAML2

Details

It was discovered that PySAML2 incorrectly accepted any password when run
with python optimizations enabled. An attacker could use this issue to
authenticate as any user without a valid password.
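"Accepts any password when run with python optimizations enabled" is the signature of a credential check written as an `assert` statement: CPython's `-O` flag (and the equivalent `PYTHONOPTIMIZE=1` environment variable) sets `__debug__` to False and compiles every `assert` away, so the comparison simply disappears in production. The following is an added example of that pattern and its fix, not PySAML2's own code; the function names `verify_assert` / `verify_explicit`, the stored password "correct horse" and the wrong-password probe are constructed for illustration. It runs both checks in child interpreters with and without `-O` and reports which one lets a wrong password through.

```python
"""Show why an assert-based password check vanishes under python -O.

Added illustration of the vulnerable pattern and its hardened form;
this is not PySAML2's code. Function names and passwords are made up.
"""
import os
import subprocess
import sys

# Kept as source text so the same two functions can be defined here and
# inside child interpreters started with and without -O.
CHECKS_SOURCE = '''
import hmac

def verify_assert(stored, supplied):
    """VULNERABLE pattern: the comparison is an assert, so under -O the
    function body degenerates to `return True`."""
    assert stored == supplied, "invalid credentials"
    return True

def verify_explicit(stored, supplied):
    """Hardened form: an explicit branch survives -O, and compare_digest
    avoids leaking the mismatch position through timing."""
    if not hmac.compare_digest(stored.encode(), supplied.encode()):
        raise PermissionError("invalid credentials")
    return True
'''
exec(CHECKS_SOURCE, globals())  # defines verify_assert / verify_explicit here too


def outcome(fn_name, optimize):
    """Run one check in a fresh interpreter with a wrong password and return
    'accepted' or 'rejected'. optimize=True passes -O, which is the
    'python optimizations enabled' condition the advisory describes."""
    program = CHECKS_SOURCE + f'''
try:
    {fn_name}("correct horse", "wrong password")
    print("accepted")
except (AssertionError, PermissionError):
    print("rejected")
'''
    cmd = [sys.executable] + (["-O"] if optimize else []) + ["-c", program]
    # Drop PYTHONOPTIMIZE so the non-optimized run really is non-optimized.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONOPTIMIZE"}
    done = subprocess.run(cmd, capture_output=True, text=True, check=True, env=env)
    return done.stdout.strip()


def compare_modes():
    """Outcome of both checks with and without -O, keyed by (function, optimized)."""
    return {
        (name, opt): outcome(name, opt)
        for name in ("verify_assert", "verify_explicit")
        for opt in (False, True)
    }


if __name__ == "__main__":
    for (name, opt), result in compare_modes().items():
        print(f"{name:16} {'-O' if opt else '  '}  wrong password -> {result}")
```

The assert-based check rejects the wrong password only in the unoptimized run; with `-O` it returns True for anything. When auditing a deployment, check `sys.flags.optimize` in the running service and the `PYTHONOPTIMIZE` variable in its environment, not just the command line, and treat any `assert` on a security decision as a bug regardless of how the service is launched today.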

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  python-pysaml2                  3.0.0-3ubuntu2.2
  python3-pysaml2                 3.0.0-3ubuntu2.2

Ubuntu 17.04:
  python-pysaml2                  3.0.0-3ubuntu1.17.04.3
  python3-pysaml2                 3.0.0-3ubuntu1.17.04.3

Ubuntu 16.04 LTS:
  python-pysaml2                  3.0.0-3ubuntu1.16.04.3
  python3-pysaml2                 3.0.0-3ubuntu1.16.04.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000433