Red Hat Security Advisory 2017-1839-01 - The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix: A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
1ce77e8008f791047c59b64f6f67fd895b63b533efb776d873bda60eee68a8aa
Ubuntu Security Notice 3372-1 - It was discovered that NSS incorrectly handled certain empty SSLv2 messages. A remote attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service. Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update causes NSS to limit use of the same symmetric key. Various other issues were also addressed.
e388acc86dcf59e73c62e313ac038fabb06265810beaf16fd3db321a90afdfb4
Red Hat Security Advisory 2017-1834-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.0.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.6, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References. Security Fix: A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.
8f515b16a851986c500ddf4ed6503d67dd3f7d5c26eead92d7b32eb5b1479c75
Red Hat Security Advisory 2017-1837-01 - The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services Elastic Compute Cloud. With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.7.
dc07b245ad6d917f3af654df1bff7e1343625687d28a626a8a04cd51b5dee892
Red Hat Security Advisory 2017-1838-01 - PostgreSQL is an advanced object-relational database management system. Security Fix: It was found that some selectivity estimation functions did not check user privileges before providing information from pg_statistic, possibly leaking information. A non-administrative database user could use this flaw to steal some information from tables they are otherwise not allowed to access.
b8da1a65f0ca936bedb76c56b840e6863ef2bc0aa2a3073a608795956545a09a
Ubuntu Security Notice 3373-1 - Emmanuel Dreyfus discovered that third-party modules using the ap_get_basic_auth_pw function outside of the authentication phase may lead to authentication requirements being bypassed. This update adds a new ap_get_basic_auth_components function for use by third-party modules. Vasileios Panopoulos discovered that the Apache mod_ssl module may crash when third-party modules call ap_hook_process_connection during an HTTP request to an HTTPS port. Various other issues were also addressed.
4a9a5dea68311374e8d780883cdb344eae2007b3b5ebe311aa079e3e743f2f21
Red Hat Security Advisory 2017-1835-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.0.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.6, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References. Security Fix: A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.
3691e18fee16447c266d5cd96d4cb0974d75008e1132ec48a76ce9bcac67a084
Ubuntu Security Notice 3374-1 - It was discovered that RabbitMQ incorrectly handled MQTT authentication. A remote attacker could use this issue to authenticate successfully with an existing username by omitting the password.
447342daddaff1041b3b306feeb7a80790814f09559f4b1da0e7811886211c50
Red Hat Security Advisory 2017-1840-01 - The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix: A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
ddd84e1c28044f497afd84cb2e121261164c88de9c73f5305489781ccea648d2
Ubuntu Security Notice 3363-2 - USN-3363-1 fixed vulnerabilities in ImageMagick. The update caused a regression for certain users when processing images. The problematic patch has been reverted pending further investigation. It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. Various other issues were also addressed.
af6b57c695da99e12cc3f5ab75ad730a6c23b4ed2482af57284cd813dc18ec32
Ubuntu Security Notice 3366-2 - USN-3366-1 fixed vulnerabilities in OpenJDK 8. Unfortunately, that update introduced a regression that caused some valid JAR files to fail validation. This update fixes the problem. It was discovered that the JPEGImageReader class in OpenJDK would incorrectly read unused image data. An attacker could use this to specially construct a jpeg image file that when opened by a Java application would cause a denial of service. Various other issues were also addressed.
e9581a312ef7c1eb2dedb9df0dc68f52b06260cac0f6b85c8b55f77958b4e34e
Red Hat Security Advisory 2017-1833-01 - Chromium is an open-source web browser, powered by WebKit. This update upgrades Chromium to version 60.0.3112.78. Security Fix: Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim.
ad472c82dc102ba322984772143f99c483ca21f4adddbeb37cb9a6d3f0ecdd3e
Red Hat Security Advisory 2017-1833-01 - Chromium is an open-source web browser, powered by WebKit. This update upgrades Chromium to version 60.0.3112.78. Security Fix: Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim.
1353fd8d2deddb910e8700dee9e46a94525d8a937157e32db4ea34204c38bf58
Spider Player version 2.5.3 suffers from a dll hijacking vulnerability.
1bccbf22f3a5d69e0d55a18407406335bb7aad46f8469f275593e7c17217c910
FTP Commander version 8.02 suffers from a dll hijacking vulnerability.
5851441145037705e758d5db0b2b305eca6812d5cd95a05879e4e53dbd32e638
Ubuntu Security Notice 3371-1 - It was discovered that the Linux kernel did not properly initialize a Wake- on-Lan data structure. A local attacker could use this to expose sensitive information. Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture subsystem in the Linux kernel. A local attacker could use this to expose sensitive information. Various other issues were also addressed.
29aac26db4fa25a26803428ac90ea403b7c6c8b689bbdd5436506a09c62947af
IBM Bluemix suffers from a broken mutual TLS authentication vulnerability.
eefb4b5592abaecb77e988f15cfe9fbb8c333d127e8d96e0694167e723370893
Ubuntu Security Notice 3370-1 - Robert Swiecki discovered that the Apache HTTP Server mod_auth_digest module incorrectly cleared values when processing certain requests. A remote attacker could use this issue to cause the server to crash, resulting in a denial or service, or possibly obtain sensitive information.
fb59dcbe81a38b0e84bd2e67c67c2b400326de92855c04f7a023ea36285e6393
Ubuntu Security Notice 3369-1 - Guido Vranken discovered that FreeRADIUS incorrectly handled memory when decoding packets. A remote attacker could use this issue to cause FreeRADIUS to crash or hang, resulting in a denial of service, or possibly execute arbitrary code.
2d7269bf484f6ead1a2687767dc01354af1b32f08cd2d4f72d0baaf9e1c1f6c3
This Microsoft bulletin summary lists multiple CVEs that have undergone a major revision increment.
216654f42ece44e0dad05adb1548052ac516718f4140fed8bea0feb41abc2e7d
Red Hat Security Advisory 2017-1809-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. A vulnerability was discovered in Tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application.
8bf0dc615683dd9ae21de05c218282d759e0e15d7ddc2f5c8b59f7b6184aed68
Ubuntu Security Notice 3366-1 - It was discovered that the JPEGImageReader class in OpenJDK would incorrectly read unused image data. An attacker could use this to specially construct a jpeg image file that when opened by a Java application would cause a denial of service. It was discovered that the JAR verifier in OpenJDK did not properly handle archives containing files missing digests. An attacker could use this to modify the signed contents of a JAR file. Various other issues were also addressed.
b14c83af19137eb71b4ecf4d60969230fa06f1294af8524a5b5982b5a637a156
HPE Security Bulletin HPESBHF03765 1 - Potential security vulnerabilities in OpenSSL have been addressed in HPE Network Products including Comware v7 that is applicable for ConvergedSystem 700 solutions. The vulnerabilities could be remotely exploited resulting in Denial of Service (DoS) or disclosure of sensitive information. Revision 1 of this advisory.
022069972577db48d8cb81bb5e40218f836f168ecf9948fbce4699190ff05d6d
Ubuntu Security Notice 3368-1 - It was discovered that libiberty incorrectly handled certain string operations. If a user or automated system were tricked into processing a specially crafted binary, a remote attacker could use this issue to cause libiberty to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. It was discovered that libiberty incorrectly handled parsing certain binaries. If a user or automated system were tricked into processing a specially crafted binary, a remote attacker could use this issue to cause libiberty to crash, resulting in a denial of service. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. Various other issues were also addressed.
50d0035ae5405187e36f6b8023b1bda1409d21528024b3a2b48a5d0e95f6b50c
Ubuntu Security Notice 3367-1 - Hanno Bock discovered that gdb incorrectly handled certain malformed AOUT headers in PE executables. If a user or automated system were tricked into processing a specially crafted binary, a remote attacker could use this issue to cause gdb to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. It was discovered that gdb incorrectly handled printing bad bytes in Intel Hex objects. If a user or automated system were tricked into processing a specially crafted binary, a remote attacker could use this issue to cause gdb to crash, resulting in a denial of service. This issue only applied to Ubuntu 14.04 LTS. Various other issues were also addressed.
f3e471479b529fe664751ec43fd5c8ddedf9d518467f07744a2cb8afeec18465