Debian Linux Security Advisory 3584-1 - Gustavo Grieco discovered several flaws in the way librsvg, a SAX-based renderer library for SVG files, parses SVG files with circular definitions. A remote attacker can take advantage of these flaws to cause an application using the librsvg library to crash.
a0d690d834b83f6fda20eb751f9aff8f53c37624ab560a0721aa17cc8ec01ab1
Slackware Security Advisory - New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
f10a0b46e964863477a1a1c1cc72a063ff7811586d3483db228278a5181de15d
Debian Linux Security Advisory 3583-1 - It was discovered that the swift3 (S3 compatibility) middleware plugin for Swift performed insufficient validation of date headers which might result in replay attacks.
e28aff3110b2c38704534c1440743aeac993856c6febd613f40c6dc72fd2c94a
Ubuntu Security Notice 2960-1 - An out of bounds write was discovered in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code. It was discovered that Blink assumes that a frame which passes same-origin checks is local in some cases. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code. Various other issues were also addressed.
8927d0b54e916b7294291432f529410e17c0583a0211c9e14a3cf41075200b01
Ubuntu Security Notice 2936-3 - USN-2936-1 fixed vulnerabilities in Firefox. The update caused an issue where a device update POST request was sent every time about:preferences#sync was shown. This update fixes the problem. Christian Holler, Tyson Smith, Phil Ringalda, Gary Kwong, Jesse Ruderman, Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter, Randell Jesup, Andrew McCreight, and Steve Fink discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. An invalid write was discovered when using the JavaScript .watch() method in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. Various other issues were also addressed.
6c4c922dce9d928039cf20682443926b93b23e9cde2cda2a6dd06d853ba4ac09
Ubuntu Security Notice 2973-1 - Christian Holler, Tyson Smith, and Phil Ringalda discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. Hanno Boeck discovered that calculations with mp_div and mp_exptmod in NSS produce incorrect results in some circumstances, resulting in cryptographic weaknesses. Various other issues were also addressed.
d29c52273e7734f2eb886a43b5407681e67a0595f44c88105e13d3a3a39ba876
Cisco Security Advisory - A vulnerability in Cisco AsyncOS for the Cisco Web Security Appliance (WSA) when the software handles a specific HTTP response code could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an appliance because the appliance runs out of system memory. The vulnerability occurs because the software does not free client and server connection memory and system file descriptors when a certain HTTP response code is received in the HTTP request. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. An exploit could allow the attacker to cause a DoS condition because the appliance runs out of system memory. When this happens, the device can no longer accept new incoming connection requests. Cisco has released software updates that address this vulnerability. A workaround that addresses this vulnerability is also available.
b11575ce8d127f5df49b01eb0c86396ad5782f7a7e0f3bdae2fdeb9a80362008
Cisco Security Advisory - A vulnerability in HTTP request parsing in Cisco AsyncOS for the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition when the proxy process unexpectedly restarts. The vulnerability occurs because the affected software does not properly allocate space for the HTTP header and any expected HTTP payload. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. An exploit could allow the attacker to cause a DoS condition when the proxy process unexpectedly reloads, which can cause traffic to be dropped. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
21c673b47e281e2e70421d9a8907f9602e0c7e17e628d35171c925eb9e710b26
Cisco Security Advisory - A vulnerability in the cached file-range request functionality of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an appliance due to the appliance running out of system memory. The vulnerability is due to a failure to free memory when a file range for cached content is requested through the WSA. An attacker could exploit this vulnerability by opening multiple connections that request file ranges through the affected device. A successful exploit could allow the attacker to cause the WSA to stop passing traffic when enough memory is used and not freed. Cisco has released software updates that address this vulnerability. A workaround that mitigates this vulnerability is also available.
5afe1eeec11fc63f9df8c27a0131f5ca50d9bbb92873adaf6907c82405559c97
Cisco Security Advisory - A vulnerability that occurs when parsing an HTTP POST request with Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) vulnerability due to the proxy process becoming unresponsive. The vulnerability is due to a lack of proper input validation of the packets that make up the HTTP POST request. An attacker could exploit this vulnerability by sending a crafted HTTP POST request to the affected device. An exploit could allow the attacker to cause a DoS condition due to the proxy process becoming unresponsive and the WSA reloading. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
3989f6fd6c41f3bf8e2da257cae824d30c420fefadc7c41c4e080ea8c438bbfa
HP Security Bulletin HPSBHF03579 1 - HPE ConvergedSystem for SAP HANA has addressed security vulnerabilities in OpenSSL. The Cross-protocol Attack on TLS using SSLv2, also known as "DROWN", could be could be remotely exploited resulting in disclosure of privileged information, unauthorized access to data, and unauthorized access to sensitive information. Revision 1 of this advisory.
839547502680a606065e72839f52dfc00f6e75d89e9b9b2ef70a67959bf073f8
HP Security Bulletin HPSBHF03578 1 - HPE ConvergedSystem for SAP HANA Solutions has addressed stack-based buffer overflows in the GNU C library's (glibc) implementation of the getaddrinfo() library function. These vulnerabilities could be exploited remotely to cause a Denial of Service (DoS) or allow execution of arbitrary code on the host with the permissions of a user using the glibc library. Revision 1 of this advisory.
f467478965503248c96c094ed51e89e4ccb098e7d4023a82cd28359603541c37
HP Security Bulletin HPSBGN03602 1 - A potential security vulnerability has been identified in HPE RESTful Interface Tool application on Linux and Windows. The vulnerability could be exploited locally resulting in disclosure of information. Revision 1 of this advisory.
1c6a6377136f788d5ead75de59c4a1251040191325e8f3d2b0f9c32620f0660f
Ubuntu Security Notice 2950-4 - USN-2950-1 fixed vulnerabilities in Samba. The backported fixes introduced in Ubuntu 12.04 LTS caused interoperability issues. This update fixes compatibility with certain NAS devices, and allows connecting to Samba 3.6 servers by relaxing the "client ipc signing" parameter to "auto". Various other issues were also addressed.
f4fd0e1458d4dd5d78caeb773aa4e0931c482552cdafe454a555c5a3054c7479
Ubuntu Security Notice 2983-1 - Gustavo Grieco discovered that Expat incorrectly handled malformed XML data. If a user or application linked against Expat were tricked into opening a crafted XML file, an attacker could cause a denial of service, or possibly execute arbitrary code.
4eeeb7ba793af60fa54b7a31bac089e6d2f970324f6e28dde272f727e5b36a32
Debian Linux Security Advisory 3582-1 - Gustavo Grieco discovered that Expat, an XML parsing C library, does not properly handle certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. A remote attacker can take advantage of this flaw to cause an application using the Expat library to crash, or potentially, to execute arbitrary code with the privileges of the user running the application.
2d59b734305bab95e5db0032d8269c83f14993b9f5fd822d355bce54bd326412
FreeBSD Security Advisory - Incorrect argument handling in the socket code allows malicious local user to overwrite large portion of the kernel memory. Malicious local user may crash kernel or execute arbitrary code in the kernel, potentially gaining superuser privileges.
645db3fe4369fd21421c9b74273cd54e8fa721a229dc9fde4d52770ffac13ad6
FreeBSD Security Advisory - Incorrect signedness comparison in the ioctl(2) handler allows a malicious local user to overwrite a portion of the kernel memory. A local user may crash the kernel, read a portion of kernel memory and execute arbitrary code in kernel context. The result of executing an arbitrary kernel code is privilege escalation.
c7c48a6a99a2c6c01b08b27fe32854f8e9e9d8b0f9221e5d0765b78ae72824fc
HP Security Bulletin HPSBGN03587 1 - 3rd party code template: A security vulnerability in Open vSwitch could potentially impact HPE Helion OpenStack resulting in a remote denial of Service (DoS) or arbitrary command execution. HPE Helion OpenStack has also addressed several OpenSSL vulnerabilities including: The Cross-protocol Attack on TLS using SSLv2 also known as "DROWN", which could be exploited remotely resulting in disclosure of information. Multiple OpenSSL vulnerabilities which could be remotely exploited resulting in Denial of Service (DoS) or other impacts. Revision 1 of this advisory.
d4fceaa0ba4a7864b939e73b9efc7e9a3c3d9f771140a67054d955accf574196
HP Security Bulletin HPSBHF03594 1 - Security vulnerabilities in OpenSSL have been addressed by HPE ConvergedSystem 500 & 900 and HPE AppSystems for SAP HANA. The vulnerabilities could be remotely exploited resulting in Denial of Service (DoS), unauthorized disclosure of information, and unauthorized modification. Revision 1 of this advisory.
d33fe09cf5ca02681f9ac76ff30e6bbf0d623c549fe9a315a6a3243d9bd2c5e5
Red Hat Security Advisory 2016-1088-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References.
4794c3698f75c399fd8e56a93178cf1d6428ab89a65144f4783b6186670d6dd7
Red Hat Security Advisory 2016-1087-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References.
b7bd3ec66ec724db03317de31401f5cfbf0df255890d170f9025765106bac939
Red Hat Security Advisory 2016-1089-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References.
9406c3d8ed760c85a4d0cbf50bb6b97066f995e281ab809f70e60509429650aa
Ubuntu Security Notice 2982-1 - Hanno Boeck discovered that Libksba incorrectly handled decoding certain BER data. An attacker could use this issue to cause Libksba to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Hanno Boeck discovered that Libksba incorrectly handled decoding certain BER data. An attacker could use this issue to cause Libksba to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Various other issues were also addressed.
8c5fb3044d7b186222e7fc370ecfadfaa98aab4ee9f136e2ac763fab90769e38
Debian Linux Security Advisory 3581-1 - Julien Bernard discovered that libndp, a library for the IPv6 Neighbor Discovery Protocol, does not properly perform input and origin checks during the reception of a NDP message. An attacker in a non-local network could use this flaw to advertise a node as a router, and cause a denial of service attack, or act as a man-in-the-middle.
affa5c2647200287ee20023cbd0d5822a09944b8e4e426c1e6c7ff0c0709d1b0