Red Hat Security Advisory 2015-2199-07 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the Name Server Caching Daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data.
f94e9bae1ee9312a7c4a7f82ecb9725f410c0b7a137de93a1b8c44897482e087
Red Hat Security Advisory 2015-2159-06 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory.
4c8f1214c87209b025a888e27c36d8b6ff081c288e2cfca9b6e90d6d41fae18d
Red Hat Security Advisory 2015-2140-07 - The libssh2 packages provide a library that implements the SSH2 protocol. A flaw was found in the way the kex_agree_methods() function of libssh2 performed a key exchange when negotiating a new SSH session. A man-in-the-middle attacker could use a crafted SSH_MSG_KEXINIT packet to crash a connecting libssh2 client. Previously, libssh2 did not correctly adjust the size of the receive window while reading from an SSH channel. This caused downloads over the secure copy protocol to consume an excessive amount of memory. A series of upstream patches has been applied on the libssh2 source code to improve handling of the receive window size. Now, SCP downloads work as expected.
b68e45af8025497478fc0ae997caa7323085b856d2be7c4e4f55033346d7dc6e
HPE Security Bulletin HPSBUX03522 SSRT102942 1 - A potential security vulnerability has been identified in the HP-UX BIND service running named. This vulnerability could be exploited remotely to create a Denial of Service (DoS). Revision 1 of this advisory.
633b86234c3422d4596642a9db25d7bc7a4fba620db6fd90ceb1ab81467cc759
Kibana versions prior to 4.1.3 and 4.2.1 suffer from a cross site request forgery vulnerability.
6045ea2c042b81972ed4a68e93347e2b9910ce5897698ea762510910c470cac1
VMware Security Advisory 2015-0008 - VMware product updates address information disclosure issue.
1c1a650290da77afa5cfb03bf88b3028205f532ac7c23a35fb455c034ad606fa
Red Hat Security Advisory 2015-2078-01 - PostgreSQL is an advanced object-relational database management system. A memory leak error was discovered in the crypt() function of the pgCrypto extension. An authenticated attacker could possibly use this flaw to disclose a limited amount of the server memory. A stack overflow flaw was discovered in the way the PostgreSQL core server processed certain JSON or JSONB input. An authenticated attacker could possibly use this flaw to crash the server backend by sending specially crafted JSON or JSONB input.
aac049a21ae427bf24643576d8701e697cfabc9ea4d02e806cb365d534decbce
HP Security Bulletin HPSBGN03521 2 - A potential security vulnerability has been identified in HP Operations Orchestration Central. The vulnerability could be exploited to allow Cross-Site Request Forgery (CSRF). Revision 2 of this advisory.
e92f97e1cfb23f448556b38e851e40c4fae3071be411c7a5e4dfb582b77d66c5
Debian Linux Security Advisory 3399-1 - Several vulnerabilities have been discovered in the libpng PNG library.
fc770fc5d8fb31cbec5d8f894af8183e571f9cdcc0236dffad328691216700da
Red Hat Security Advisory 2015-2068-01 - Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. A use-after-poison flaw and a heap-based buffer overflow flaw were found in the way NSS parsed certain ASN.1 structures. An attacker could use these flaws to cause NSS to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSS library.
fe60a25cea587409eb3e69819ff10f018734fe33d7f5c69935f661f1071aa61d
Ubuntu Security Notice 2814-1 - It was discovered that the NVIDIA graphics drivers incorrectly sanitized user mode inputs. A local attacker could use this issue to possibly gain root privileges.
9cea44ac231bd8392a6ff769542f3eae7053e40d8eb4017356111b4dc0c88e83
Red Hat Security Advisory 2015-2077-01 - PostgreSQL is an advanced object-relational database management system. A memory leak error was discovered in the crypt() function of the pgCrypto extension. An authenticated attacker could possibly use this flaw to disclose a limited amount of the server memory. A stack overflow flaw was discovered in the way the PostgreSQL core server processed certain JSON or JSONB input. An authenticated attacker could possibly use this flaw to crash the server backend by sending specially crafted JSON or JSONB input.
b8119ca3b76675c365e5ec6e10e97a27a6c8163ea9d7805cb835c9fc98116c8b
Red Hat Security Advisory 2015-2083-01 - PostgreSQL is an advanced object-relational database management system. A memory leak error was discovered in the crypt() function of the pgCrypto extension. An authenticated attacker could possibly use this flaw to disclose a limited amount of the server memory. A stack overflow flaw was discovered in the way the PostgreSQL core server processed certain JSON or JSONB input. An authenticated attacker could possibly use this flaw to crash the server backend by sending specially crafted JSON or JSONB input.
c9f88ba809baf90f4a629479a98d8482fd5274e5a0d331f3a4316e0f0531d8a8
Red Hat Security Advisory 2015-2081-01 - PostgreSQL is an advanced object-relational database management system. A memory leak error was discovered in the crypt() function of the pgCrypto extension. An authenticated attacker could possibly use this flaw to disclose a limited amount of the server memory. All PostgreSQL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. If the postgresql service is running, it will be automatically restarted after installing this update.
a9a97fccebbbe72476920331ce502e8ceb3f18514137ac2cdace7209eb1dcd74
Red Hat Security Advisory 2015-2086-01 - The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.
688052df79cb50ce4f3ff4ec55819b330ffd2d39fb32fb8e3b13e6ff8eac86d2
HP Security Bulletin HPSBGN03521 1 - A potential security vulnerability has been identified in HP Operations Orchestration Central. The vulnerability could be exploited to allow Cross-Site Request Forgery (CSRF). Revision 1 of this advisory.
2598d6a322739b3a2a0f9c9ce43bb8a1333a17d53479b18bd2784b21225a9fdb
EMC VPLEX GeoSynchrony code levels 5.4 SP1 and 5.4 SP1 P1 contain a vulnerability that allows a user password to be logged in plaintext when the user attempts to login via the NAVISPEHERE Graphical User Interface (GUI) that could potentially be exploited by malicious users.
aba3a874c54e0abf88cfae3881105008b7fa92e7ed06f163ff1aba0f5ddeb024
Ubuntu Security Notice 2813-1 - It was discovered that LXCFS incorrectly enforced directory escapes. A local attacker could use this issue to possibly escalate privileges. It was discovered that LXCFS incorrectly checked certain permissions. A local attacker could use this issue t possibly escalate privileges.
8c9a75162295a7d8159a89ca6f74a8b4cf3fe11fb2ab96fce781b0b4a13caeab
Open-Xchange Guard version 2.0 suffers from a cross site scripting vulnerability.
888154affc2ef5c3a8d0c97e1dc560312910892473344310de9e89d6ca8fcd4c
Gentoo Linux Security Advisory 201511-2 - Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code. Versions less than 11.2.202.548 are affected.
e6845cf2bd6a0e075d4dc6bfd3258c520129150cb19c3a4b1781f97ae1ad7e3b
On Microsoft Windows you can create NTFS hardlinks without needing write permissions on the target file.
760348b2c259a8688b4643226d703dcb86c3811fe54ead7f25e0acc81110138d
Fuzzing the RAR file format found multiple crashes, some of which are obviously exploitable for remote code execution as NT AUTHORITY\\SYSTEM on any system with Kaspersky Antivirus.
840a6644fa6473e395e71ccc99acd288e2ea564ff3edbc779548159cd42980df
The ACL on %PROGRAMDATA%\Kaspersky Lab allows BUILTIN\Users to create new files. This can be abused to create new plugins and modules during update, and other filesystem races to gain elevated privileges.
5123890ee94b7febd160cd7bdcce88da33225fd6e226283bf65d0ea4999f84e3
Red Hat Security Advisory 2015-2065-01 - The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. A heap buffer overflow flaw was found in the way QEMU's NE2000 NIC emulation implementation handled certain packets received over the network. A privileged user inside a guest could use this flaw to crash the QEMU instance or potentially execute arbitrary code on the host.
de0087d5a5cfeeba9f78eba8af0424b13cc04b6e7c045f4320f4621d4e647a83
Ubuntu Security Notice 2812-1 - Florian Weimer discovered that libxml2 incorrectly handled certain XML data. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause resource consumption, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.04. Michal Zalewski discovered that libxml2 incorrectly handled certain XML data. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.04. Various other issues were also addressed.
0b86195a4b80085fc469924f41acb3926e9c8feb49034bd78a19922cf368ba60