Newest Plugins

Cisco IOS XE NTP Subsystem Unauthorized Access (cisco-sa-20160419-ios)


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

According to its self-reported version, the Cisco IOS XE software
running on the remote device is affected by an unauthorized access
vulnerability in the NTP subsystem due to a failure to check the
authorization of certain NTP packets. An unauthenticated, remote
attacker can exploit this issue, via specially crafted NTP packets, to
control the time of the remote device.

See also :

http://www.nessus.org/u?8965288b

Solution :

Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCux46898.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Cisco IOS NTP Subsystem Unauthorized Access (cisco-sa-20160419-ios)


Synopsis:

The remote device is missing a vendor-supplied security patch.

Description:

According to its self-reported version, the Cisco IOS software running
on the remote device is affected by an unauthorized access
vulnerability in the NTP subsystem due to a failure to check the
authorization of certain NTP packets. An unauthenticated, remote
attacker can exploit this issue, via specially crafted NTP packets, to
control the time of the remote device.

See also :

http://www.nessus.org/u?8965288b

Solution :

Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCux46898.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Oracle Application Testing Suite Detection


Synopsis:

Oracle Application Testing Suite is installed on the remote host.

Description:

Oracle Application Testing suite, an integrated testing solution, is
installed on the remote host.

See also :

http://www.oracle.com/technetwork/oem/app-test/etest-101273.html

Solution :

n/a

Risk factor :

None

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Oracle Application Testing Suite Java Object Deserialization RCE (April 2016 CPU)


Synopsis:

The remote host has a web application installed that is affected by a
remote code execution vulnerability.

Description:

The version of Oracle Application Testing Suite installed on the
remote host is affected by a remote code execution vulnerability due
to unsafe deserialization of unauthenticated Java objects passed to the
Apache Commons Collections (ACC) library. An unauthenticated, remote
attacker can exploit this, by sending a crafted SOAP request, to
execute arbitrary code on the target host.

See also :

http://www.nessus.org/u?855180af
http://www.nessus.org/u?e0204f30

Solution :

Apply the appropriate patch according to the April 2016 Oracle
Critical Patch Update advisory.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 12.04 LTS / 14.04 / 15.10 : poppler vulnerabilities (USN-2958-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related patches.

Description:

It was discovered that the poppler pdfseparate tool incorrectly
handled certain filenames. A local attacker could use this issue to
cause the tool to crash, resulting in a denial of service, or possibly
execute arbitrary code. This issue only applied to Ubuntu 12.04 LTS.
(CVE-2013-4473, CVE-2013-4474)

It was discovered that poppler incorrectly parsed certain malformed
PDF documents. If a user or automated system were tricked into opening
a crafted PDF file, an attacker could cause a denial of service or
possibly execute arbitrary code with privileges of the user invoking
the program. (CVE-2015-8868).

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 16.04 : libtasn1-6 vulnerability (USN-2957-2)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

USN-2957-1 fixed a vulnerability in Libtasn1. This update provides the
corresponding update for Ubuntu 16.04 LTS.

Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly
handled certain malformed DER certificates. A remote attacker could
possibly use this issue to cause applications using Libtasn1 to hang,
resulting in a denial of service.

Solution :

Update the affected libtasn1-6 package.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 12.04 LTS / 14.04 / 15.10 : libtasn1-3, libtasn1-6 vulnerability (USN-2957-1)


Synopsis:

The remote Ubuntu host is missing one or more security-related patches.

Description:

Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly
handled certain malformed DER certificates. A remote attacker could
possibly use this issue to cause applications using Libtasn1 to hang,
resulting in a denial of service.

Solution :

Update the affected libtasn1-3 and / or libtasn1-6 packages.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 12.04 LTS : oxygen-gtk3 update (USN-2936-2)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

USN-2936-1 fixed vulnerabilities in Firefox. The update caused Firefox
to crash on startup with the Oxygen GTK theme due to a pre-existing
bug in the Oxygen-GTK3 theme engine. This update fixes the problem.

We apologize for the inconvenience.

Christian Holler, Tyson Smith, Phil Ringalda, Gary Kwong, Jesse
Ruderman, Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter,
Randell Jesup, Andrew McCreight, and Steve Fink discovered multiple
memory safety issues in Firefox. If a user were tricked into opening
a specially crafted website, an attacker could potentially exploit
these to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2016-2804, CVE-2016-2806, CVE-2016-2807)

An invalid write was discovered when using the JavaScript
.watch() method in some circumstances. If a user were
tricked into opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code
with the privileges of the user invoking Firefox.
(CVE-2016-2808)

Looben Yang discovered a use-after-free and buffer overflow
in service workers. If a user were tricked into opening a
specially crafted website, an attacker could potentially
exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-2811, CVE-2016-2812)

Sascha Just discovered a buffer overflow in libstagefright
in some circumstances. If a user were tricked into opening
a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-2814)

Muneaki Nishimura discovered that CSP is not applied
correctly to web content sent with the
multipart/x-mixed-replace MIME type. An attacker could
potentially exploit this to conduct cross-site scripting
(XSS) attacks when they would otherwise be prevented.
(CVE-2016-2816)

Muneaki Nishimura discovered that the chrome.tabs.update API
for web extensions allows for navigation to javascript:
URLs. A malicious extension could potentially exploit this
to conduct cross-site scripting (XSS) attacks.
(CVE-2016-2817)

Mark Goodwin discovered that about:healthreport accepts
certain events from any content present in the remote-report
iframe. If another vulnerability allowed the injection of
web content in the remote-report iframe, an attacker could
potentially exploit this to change the user's sharing
preferences. (CVE-2016-2820).

Solution :

Update the affected gtk3-engines-oxygen package.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Scientific Linux Security Update : mercurial on SL7.x x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

Security Fix(es) :

- It was discovered that Mercurial failed to properly
check Git sub-repository URLs. A Mercurial repository
that includes a Git sub-repository with a specially
crafted URL could cause Mercurial to execute arbitrary
code. (CVE-2016-3068)

- It was discovered that the Mercurial convert extension
failed to sanitize special characters in Git repository
names. A Git repository with a specially crafted name
could cause Mercurial to execute arbitrary code when the
Git repository was converted to a Mercurial repository.
(CVE-2016-3069)

See also :

http://www.nessus.org/u?92b452c6

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2016:0708)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

An update for java-1.6.0-ibm is now available for Red Hat Enterprise
Linux 5 Supplementary and Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having a security
impact of Critical. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

IBM Java SE version 6 includes the IBM Java Runtime Environment and
the IBM Java Software Development Kit.

This update upgrades IBM Java SE 6 to version 6 SR16-FP25.

Security Fix(es) :

* This update fixes multiple vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further
information about these flaws can be found on the IBM Java Security
alerts page, listed in the References section. (CVE-2016-0264,
CVE-2016-0363, CVE-2016-0376, CVE-2016-0686, CVE-2016-0687,
CVE-2016-3422, CVE-2016-3426, CVE-2016-3427, CVE-2016-3443,
CVE-2016-3449)

See also :

https://www.redhat.com/security/data/cve/CVE-2016-0264.html
https://www.redhat.com/security/data/cve/CVE-2016-0363.html
https://www.redhat.com/security/data/cve/CVE-2016-0376.html
https://www.redhat.com/security/data/cve/CVE-2016-0686.html
https://www.redhat.com/security/data/cve/CVE-2016-0687.html
https://www.redhat.com/security/data/cve/CVE-2016-3422.html
https://www.redhat.com/security/data/cve/CVE-2016-3426.html
https://www.redhat.com/security/data/cve/CVE-2016-3427.html
https://www.redhat.com/security/data/cve/CVE-2016-3443.html
https://www.redhat.com/security/data/cve/CVE-2016-3449.html
https://www.ibm.com/developerworks/java/jdk/alerts/
http://rhn.redhat.com/errata/RHSA-2016-0708.html

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

RHEL 6 : chromium-browser (RHSA-2016:0707)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

An update for chromium-browser is now available for Red Hat Enterprise
Linux 6 Supplementary.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Chromium is an open source web browser, powered by WebKit (Blink).

This update upgrades Chromium to version 50.0.2661.94.

Security Fix(es) :

* Multiple flaws were found in the processing of malformed web
content. A web page containing malicious content could cause Chromium
to crash, execute arbitrary code, or disclose sensitive information
when visited by the victim. (CVE-2016-1660, CVE-2016-1661,
CVE-2016-1662, CVE-2016-1663, CVE-2016-1666, CVE-2016-1664,
CVE-2016-1665)

See also :

https://www.redhat.com/security/data/cve/CVE-2016-1660.html
https://www.redhat.com/security/data/cve/CVE-2016-1661.html
https://www.redhat.com/security/data/cve/CVE-2016-1662.html
https://www.redhat.com/security/data/cve/CVE-2016-1663.html
https://www.redhat.com/security/data/cve/CVE-2016-1664.html
https://www.redhat.com/security/data/cve/CVE-2016-1665.html
https://www.redhat.com/security/data/cve/CVE-2016-1666.html
http://www.nessus.org/u?754e2284
http://rhn.redhat.com/errata/RHSA-2016-0707.html

Solution :

Update the affected chromium-browser and / or
chromium-browser-debuginfo packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

RHEL 7 : mercurial (RHSA-2016:0706)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

An update for mercurial is now available for Red Hat Enterprise Linux
7.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Mercurial is a fast, lightweight source control management system
designed for efficient handling of very large distributed projects.

Security Fix(es) :

* It was discovered that Mercurial failed to properly check Git
sub-repository URLs. A Mercurial repository that includes a Git
sub-repository with a specially crafted URL could cause Mercurial to
execute arbitrary code. (CVE-2016-3068)

* It was discovered that the Mercurial convert extension failed to
sanitize special characters in Git repository names. A Git repository
with a specially crafted name could cause Mercurial to execute
arbitrary code when the Git repository was converted to a Mercurial
repository. (CVE-2016-3069)

Red Hat would like to thank Blake Burkhart for reporting these issues.

See also :

https://www.redhat.com/security/data/cve/CVE-2016-3068.html
https://www.redhat.com/security/data/cve/CVE-2016-3069.html
http://rhn.redhat.com/errata/RHSA-2016-0706.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Oracle Linux 7 : mercurial (ELSA-2016-0706)


Synopsis:

The remote Oracle Linux host is missing one or more security updates.

Description:

From Red Hat Security Advisory 2016:0706 :

An update for mercurial is now available for Red Hat Enterprise Linux
7.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Mercurial is a fast, lightweight source control management system
designed for efficient handling of very large distributed projects.

Security Fix(es) :

* It was discovered that Mercurial failed to properly check Git
sub-repository URLs. A Mercurial repository that includes a Git
sub-repository with a specially crafted URL could cause Mercurial to
execute arbitrary code. (CVE-2016-3068)

* It was discovered that the Mercurial convert extension failed to
sanitize special characters in Git repository names. A Git repository
with a specially crafted name could cause Mercurial to execute
arbitrary code when the Git repository was converted to a Mercurial
repository. (CVE-2016-3069)

Red Hat would like to thank Blake Burkhart for reporting these issues.

See also :

https://oss.oracle.com/pipermail/el-errata/2016-May/005992.html

Solution :

Update the affected mercurial packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

GLSA-201605-01 : Git: Multiple vulnerabilities


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201605-01
(Git: Multiple vulnerabilities)

Git is vulnerable to the remote execution of arbitrary code by cloning
repositories with large filenames or a large number of nested trees.
Additionally, some protocols within Git, such as git-remote-ext, can
execute arbitrary code found within URLs. These URLs that submodules use
may come from arbitrary sources (e.g., .gitmodules files in a remote
repository), and can affect those who enable recursive fetch. Restrict
the allowed protocols to well known and safe ones.

Impact :

Remote attackers could execute arbitrary code on both client and server.

Workaround :

There is no known workaround at this time.

See also :

http://seclists.org/oss-sec/2016/q1/645
https://security.gentoo.org/glsa/201605-01

Solution :

All Git users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-vcs/git-2.7.3-r1'

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

FreeBSD : libksba -- local denial of service vulnerabilities (a1134048-10c6-11e6-94fa-002590263bf5)


Synopsis:

The remote FreeBSD host is missing a security-related update.

Description:

Martin Prpic, Red Hat Product Security Team, reports :

Denial of Service due to stack overflow in src/ber-decoder.c.

Integer overflow in the BER decoder src/ber-decoder.c.

Integer overflow in the DN decoder src/dn.c.

See also :

http://www.nessus.org/u?c553173e
http://www.nessus.org/u?1abb5a4d
http://www.nessus.org/u?2ff8ecf3
https://security.gentoo.org/glsa/201604-04
http://www.openwall.com/lists/oss-security/2016/04/29/5
http://www.nessus.org/u?bf76a3bd

Solution :

Update the affected package.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

FreeBSD : MySQL -- multiple vulnerabilities (8c2b2f11-0ebe-11e6-b55e-b499baebfeaf)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

Oracle reports :

Critical Patch Update contains 31 new security fixes for Oracle MySQL
5.5.48, 5.6.29, 5.7.11 and earlier

See also :

http://www.nessus.org/u?a0defed6
https://mariadb.com/kb/en/mariadb/mariadb-5549-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10025-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10112-release-notes/
http://www.nessus.org/u?5a02fd39
https://www.tenable.com/security/research/tra-2016-11

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

FreeBSD : wireshark -- multiple vulnerabilities (7e36c369-10c0-11e6-94fa-002590263bf5)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

Wireshark development team reports :

The following vulnerabilities have been fixed :

- wnpa-sec-2016-19

The NCP dissector could crash. (Bug 11591)

- wnpa-sec-2016-20

TShark could crash due to a packet reassembly bug. (Bug 11799)

- wnpa-sec-2016-21

The IEEE 802.11 dissector could crash. (Bug 11824, Bug 12187)

- wnpa-sec-2016-22

The PKTC dissector could crash. (Bug 12206)

- wnpa-sec-2016-23

The PKTC dissector could crash. (Bug 12242)

- wnpa-sec-2016-24

The IAX2 dissector could go into an infinite loop. (Bug 12260)

- wnpa-sec-2016-25

Wireshark and TShark could exhaust the stack. (Bug 12268)

- wnpa-sec-2016-26

The GSM CBCH dissector could crash. (Bug 12278)

- wnpa-sec-2016-27

MS-WSP dissector crash. (Bug 12341)

See also :

https://www.wireshark.org/docs/relnotes/wireshark-2.0.3.html
http://www.nessus.org/u?99da0d37

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

FreeBSD : mercurial -- arbitrary code execution vulnerability (78abc022-0fee-11e6-9a1c-0014a5a57822)


Synopsis:

The remote FreeBSD host is missing a security-related update.

Description:

Mercurial reports :

CVE-2016-3105: Arbitrary code execution when converting Git repos

See also :

http://www.nessus.org/u?802f60bb
http://www.nessus.org/u?95484438

Solution :

Update the affected package.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

FreeBSD : php -- multiple vulnerabilities (5764c634-10d2-11e6-94fa-002590263bf5)


Synopsis:

The remote FreeBSD host is missing one or more security-related
updates.

Description:

The PHP Group reports :

- BCMath :

- Fixed bug #72093 (bcpowmod accepts negative scale and corrupts _one_
definition).

- Exif :

- Fixed bug #72094 (Out of bounds heap read access in exif header
processing).

- GD :

- Fixed bug #71912 (libgd: signedness vulnerability). (CVE-2016-3074)

- Intl :

- Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with
negative offset).

- XML :

- Fixed bug #72099 (xml_parse_into_struct segmentation fault).

See also :

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209145
http://www.php.net/ChangeLog-7.php#7.0.6
http://www.php.net/ChangeLog-5.php#5.6.21
http://www.php.net/ChangeLog-5.php#5.5.35
http://www.nessus.org/u?2846ac0d

Solution :

Update the affected packages.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Fedora 23 : php-5.6.21-1.fc23 (2016-f1d98cf017)


Synopsis:

The remote Fedora host is missing a security update.

Description:

28 Apr 2016, PHP 5.6.21

Core:
- Fixed bug #69537 (__debugInfo with empty string for key gives error). (krakjoe)
- Fixed bug #71841 (EG(error_zval) is not handled well). (Laruence)

BCmath:
- Fixed bug #72093 (bcpowmod accepts negative scale and corrupts _one_ definition). (Stas)

Curl:
- Fixed bug #71831 (CURLOPT_NOPROXY applied as long instead of string). (Michael Sierks)

Date:
- Fixed bug #71889 (DateInterval::format Segmentation fault). (Thomas Punt)

EXIF:
- Fixed bug #72094 (Out of bounds heap read access in exif header processing). (Stas)

GD:
- Fixed bug #71952 (Corruption inside imageaffinematrixget). (Stas)
- Fixed bug #71912 (libgd: signedness vulnerability). (Stas)

Intl:
- Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative offset). (Stas)

OCI8:
- Fixed bug #71422 (Fix ORA-01438: value larger than specified precision allowed for this column). (Chris Jones)

ODBC:
- Fixed bug #63171 (Script hangs after max_execution_time). (Remi)

Opcache:
- Fixed bug #71843 (null ptr deref ZEND_RETURN_SPEC_CONST_HANDLER). (Laruence)

PDO:
- Fixed bug #52098 (Own PDOStatement implementation ignore __call()). (Daniel Kalaspuffar, Julien)
- Fixed bug #71447 (Quotes inside comments not properly handled). (Matteo)

Postgres:
- Fixed bug #71820 (pg_fetch_object binds parameters before call constructor). (Anatol)

SPL:
- Fixed bug #67582 (Cloned SplObjectStorage with overwritten getHash fails offsetExists()). (Nikita)

Standard:
- Fixed bug #71840 (Unserialize accepts wrongly data). (Ryat, Laruence)
- Fixed bug #67512 (php_crypt() crashes if crypt_r() does not exist or _REENTRANT is not defined). (Nikita)

XML:
- Fixed bug #72099 (xml_parse_into_struct segmentation fault). (Stas)

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

http://www.nessus.org/u?d1f994a8

Solution :

Update the affected php package.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Fedora 23 : openvas-cli-1.4.4-1.fc23 / openvas-gsa-6.0.10-3.fc23 / openvas-libraries-8.0.7-2.fc23 / etc (2016-afdedc8da9)


Synopsis:

The remote Fedora host is missing one or more security updates.

Description:

Bump to latest upstream bugfix releases. Contains Security fix for
CVE-2016-1926

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1300683
http://www.nessus.org/u?b77a53f1
http://www.nessus.org/u?d600bae4
http://www.nessus.org/u?bc8e7472
http://www.nessus.org/u?7c61ca5c
http://www.nessus.org/u?222ba6e2

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Debian DSA-3565-1 : botan1.10 - security update


Synopsis:

The remote Debian host is missing a security-related update.

Description:

Several security vulnerabilities were found in botan1.10, a C++
library which provides support for many common cryptographic
operations, including encryption, authentication, X.509v3 certificates
and CRLs.

- CVE-2015-5726
The BER decoder would crash due to reading from offset 0
of an empty vector if it encountered a BIT STRING which
did not contain any data at all. This can be used to
easily crash applications reading untrusted ASN.1 data,
but does not seem exploitable for code execution.

- CVE-2015-5727
The BER decoder would allocate a fairly arbitrary amount
of memory in a length field, even if there was no chance
the read request would succeed. This might cause the
process to run out of memory or invoke the OOM killer.

- CVE-2015-7827
Use constant time PKCS #1 unpadding to avoid possible
side channel attack against RSA decryption.

- CVE-2016-2194
Infinite loop in modular square root algorithm. The
ressol function implementing the Tonelli-Shanks
algorithm for finding square roots could be sent into a
nearly infinite loop due to a misplaced conditional
check. This could occur if a composite modulus is
provided, as this algorithm is only defined for primes.
This function is exposed to attacker controlled input
via the OS2ECP function during ECC point decompression.

- CVE-2016-2195
Fix heap overflow on invalid ECC point.

- CVE-2016-2849
Use constant time modular inverse algorithm to avoid
possible side channel attack against ECDSA.

See also :

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817932
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822698
https://security-tracker.debian.org/tracker/CVE-2015-5726
https://security-tracker.debian.org/tracker/CVE-2015-5727
https://security-tracker.debian.org/tracker/CVE-2015-7827
https://security-tracker.debian.org/tracker/CVE-2016-2194
https://security-tracker.debian.org/tracker/CVE-2016-2195
https://security-tracker.debian.org/tracker/CVE-2016-2849
https://packages.debian.org/source/jessie/botan1.10
http://www.debian.org/security/2016/dsa-3565

Solution :

Upgrade the botan1.10 packages.

For the stable distribution (jessie), these problems have been fixed
in version 1.10.8-2+deb8u1.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Debian DSA-3564-1 : chromium-browser - security update


Synopsis:

The remote Debian host is missing a security-related update.

Description:

Several vulnerabilities have been discovered in the chromium web
browser.

- CVE-2016-1660
Atte Kettunen discovered an out-of-bounds write issue.

- CVE-2016-1661
Wadih Matar discovered a memory corruption issue.

- CVE-2016-1662
Rob Wu discovered a use-after-free issue related to
extensions.

- CVE-2016-1663
A use-after-free issue was discovered in Blink's
bindings to V8.

- CVE-2016-1664
Wadih Matar discovered a way to spoof URLs.

- CVE-2016-1665
gksgudtjr456 discovered an information leak in the V8
JavaScript library.

- CVE-2016-1666
The Chrome development team found and fixed various
issues during internal auditing.

See also :

https://security-tracker.debian.org/tracker/CVE-2016-1660
https://security-tracker.debian.org/tracker/CVE-2016-1661
https://security-tracker.debian.org/tracker/CVE-2016-1662
https://security-tracker.debian.org/tracker/CVE-2016-1663
https://security-tracker.debian.org/tracker/CVE-2016-1664
https://security-tracker.debian.org/tracker/CVE-2016-1665
https://security-tracker.debian.org/tracker/CVE-2016-1666
https://packages.debian.org/source/jessie/chromium-browser
http://www.debian.org/security/2016/dsa-3564

Solution :

Upgrade the chromium-browser packages.

For the stable distribution (jessie), these problems have been fixed
in version 50.0.2661.94-1~deb8u1.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Debian DSA-3563-1 : poppler - security update


Synopsis:

The remote Debian host is missing a security-related update.

Description:

It was discovered that a heap overflow in the Poppler PDF library may
result in denial of service and potentially the execution of arbitrary
code if a malformed PDF file is opened.

See also :

https://packages.debian.org/source/jessie/poppler
http://www.debian.org/security/2016/dsa-3563

Solution :

Upgrade the poppler packages.

For the stable distribution (jessie), this problem has been fixed in
version 0.26.5-2+deb8u1.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Debian DSA-3562-1 : tardiff - security update


Synopsis:

The remote Debian host is missing a security-related update.

Description:

Several vulnerabilities were discovered in tardiff, a tarball
comparison tool. The Common Vulnerabilities and Exposures project
identifies the following problems :

- CVE-2015-0857
Rainer Mueller and Florian Weimer discovered that
tardiff is prone to shell command injections via shell
meta-characters in filenames in tar files or via shell
meta-characters in the tar filename itself.

- CVE-2015-0858
Florian Weimer discovered that tardiff uses predictable
temporary directories for unpacking tarballs. A
malicious user can use this flaw to overwrite files with
permissions of the user running the tardiff command line
tool.

See also :

https://security-tracker.debian.org/tracker/CVE-2015-0857
https://security-tracker.debian.org/tracker/CVE-2015-0858
https://packages.debian.org/source/jessie/tardiff
http://www.debian.org/security/2016/dsa-3562

Solution :

Upgrade the tardiff packages.

For the stable distribution (jessie), these problems have been fixed
in version 0.1-2+deb8u2.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

CentOS 7 : mercurial (CESA-2016:0706)


Synopsis:

The remote CentOS host is missing one or more security updates.

Description:

An update for mercurial is now available for Red Hat Enterprise Linux
7.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Mercurial is a fast, lightweight source control management system
designed for efficient handling of very large distributed projects.

Security Fix(es) :

* It was discovered that Mercurial failed to properly check Git
sub-repository URLs. A Mercurial repository that includes a Git
sub-repository with a specially crafted URL could cause Mercurial to
execute arbitrary code. (CVE-2016-3068)

* It was discovered that the Mercurial convert extension failed to
sanitize special characters in Git repository names. A Git repository
with a specially crafted name could cause Mercurial to execute
arbitrary code when the Git repository was converted to a Mercurial
repository. (CVE-2016-3069)

Red Hat would like to thank Blake Burkhart for reporting these issues.

See also :

http://lists.centos.org/pipermail/centos-announce/2016-May/021855.html

Solution :

Update the affected mercurial packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : mercurial (SSA:2016-123-01)


Synopsis:

The remote Slackware host is missing a security update.

Description:

New mercurial packages are available for Slackware 13.0, 13.1, 13.37,
14.0, 14.1, and -current to fix a security issue.

See also :

http://www.nessus.org/u?653ad667

Solution :

Update the affected mercurial package.

Risk factor :

High

This script is Copyright (C) 2016 Tenable Network Security, Inc.

McAfee Email Gateway 7.6.x < 7.6.404 Blocked Email Alert XSS (SB10153)


Synopsis:

The application installed on the remote host is affected by a
cross-site scripting vulnerability.

Description:

The version of McAfee Email Gateway (MEG) installed on the remote host
is 7.6.x prior to 7.6.404. It is, therefore, affected by a cross-site
scripting (XSS) vulnerability that is triggered when File Filtering is
enabled with the action set to 'ESERVICES:REPLACE'. This is due to a
failure to validate input passed via alerts for blocked email
attachments; the attachments are displayed 'as is' without the XML or
HTML content being properly escaped. An unauthenticated, remote
attacker can exploit this, via a crafted email attachment, to execute
arbitrary script code in a user's browser session.

See also :

https://kc.mcafee.com/corporate/index?page=content&id=SB10153

Solution :

Upgrade to McAfee Email Gateway version 7.6.404 as referenced in the
vendor advisory.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Oracle MySQL 5.7.x < 5.7.12 Multiple Vulnerabilities (April 2016 CPU) (DROWN)


Synopsis:

The remote host is missing one or more security updates.

Description:

The version of Oracle MySQL installed on the remote host is 5.7.x
prior to 5.7.12. It is, therefore, affected by the following
vulnerabilities :

- A cipher algorithm downgrade vulnerability exists in the
bundled version of OpenSSL due to a flaw that is
triggered when handling cipher negotiation. A remote
attacker can exploit this to negotiate SSLv2 ciphers and
complete SSLv2 handshakes even if all SSLv2 ciphers have
been disabled on the server. Note that this
vulnerability only exists if the SSL_OP_NO_SSLv2 option
has not been disabled. (CVE-2015-3197)

- An unspecified flaw exists in the Pluggable
Authentication subcomponent that allows an
unauthenticated, remote attacker to execute arbitrary
code. (CVE-2016-0639)

- An unspecified flaw exists in the Federated subcomponent
that allows an authenticated, remote attacker to impact
integrity and availability. (CVE-2016-0642)

- An unspecified flaw exists in the DML subcomponent that
allows an authenticated, remote attacker to disclose
sensitive information. (CVE-2016-0643)

- An unspecified flaw exists in the FTS subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0647)

- An unspecified flaw exists in the PS subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0647)

- An unspecified flaw exists in the InnoDB subcomponent
that allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0655)

- An unspecified flaw exists in the JSON subcomponent that
allows an authenticated, remote attacker to disclose
sensitive information. (CVE-2016-0657)

- An unspecified flaw exists in the Optimizer subcomponent
that allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0659)

- An unspecified flaw exists in the Partition subcomponent
that allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0662)

- An unspecified flaw exists in the Security: Privileges
subcomponent that allows an authenticated, remote
attacker to cause a denial of service condition.
(CVE-2016-0666)

- An unspecified flaw exists in the Locking subcomponent
that allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0667)

- A key disclosure vulnerability exists in the bundled
version of OpenSSL due to improper handling of
cache-bank conflicts on the Intel Sandy-bridge
microarchitecture. An attacker can exploit this to gain
access to RSA key information. (CVE-2016-0702)

- A double-free error exists in the bundled version of
OpenSSL due to improper validation of user-supplied
input when parsing malformed DSA private keys. A remote
attacker can exploit this to corrupt memory, resulting
in a denial of service condition or the execution of
arbitrary code. (CVE-2016-0705)

- A NULL pointer dereference flaw exists in the bundled
version of OpenSSL in the BN_hex2bn() and BN_dec2bn()
functions. A remote attacker can exploit this to trigger
a heap corruption, resulting in the execution of
arbitrary code. (CVE-2016-0797)

- A denial of service vulnerability exists in the bundled
version of OpenSSL due to improper handling of invalid
usernames. A remote attacker can exploit this, via a
specially crafted username, to leak 300 bytes of memory
per connection, exhausting available memory resources.
(CVE-2016-0798)

- Multiple memory corruption issues exist in the bundled
version of OpenSSL that allow a remote attacker to cause
a denial of service condition or the execution of
arbitrary code. (CVE-2016-0799)

- A flaw exists in the bundled version of OpenSSL that
allows a cross-protocol Bleichenbacher padding oracle
attack known as DROWN (Decrypting RSA with Obsolete and
Weakened eNcryption). This vulnerability exists due to a
flaw in the Secure Sockets Layer Version 2 (SSLv2)
implementation, and it allows captured TLS traffic to be
decrypted. A man-in-the-middle attacker can exploit this
to decrypt the TLS connection by utilizing previously
captured traffic and weak cryptography along with a
series of specially crafted connections to an SSLv2
server that uses the same private key. (CVE-2016-0800)

- A man-in-the-middle spoofing vulnerability exists due to
the server hostname not being verified to match a domain
name in the Subject's Common Name (CN) or SubjectAltName
field of the X.509 certificate. A man-in-the-middle
attacker can exploit this, by spoofing the TLS/SSL
server via a certificate that appears valid, to disclose
sensitive information or manipulate transmitted data.
(CVE-2016-2047)

See also :

http://www.nessus.org/u?2142a932
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-12.html
https://support.oracle.com/rs?type=doc&id=2120034.1
http://www.nessus.org/u?855180af
https://www.drownattack.com/drown-attack-paper.pdf
https://drownattack.com/
https://www.openssl.org/news/secadv/20160301.txt

Solution :

Upgrade to MySQL version 5.7.12 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Oracle MySQL 5.7.x < 5.7.11 Multiple Vulnerabilities (April 2016 CPU)


Synopsis:

The remote host is missing one or more security updates.

Description:

The version of Oracle MySQL installed on the remote host is 5.7.x
prior to 5.7.11. It is, therefore, affected by the following
vulnerabilities :

- A NULL pointer dereference flaw exists in the bundled
version of OpenSSL in file rsa_ameth.c due to improper
handling of ASN.1 signatures that are missing the PSS
parameter. A remote attacker can exploit this to cause
the signature verification routine to crash, resulting
in a denial of service condition. (CVE-2015-3194)

- An unspecified flaw exists in the DML subcomponent that
allows an authenticated, remote attacker to impact
integrity and availability. (CVE-2016-0640)

- An unspecified flaw exists in the MyISAM subcomponent
that allows an authenticated, remote attacker to
disclose sensitive information or cause a denial of
service condition. (CVE-2016-0641)

- An unspecified flaw exists in the DDL subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0644)

- Multiple unspecified flaws exist in the DML subcomponent
that allow an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0646,
CVE-2016-0652)

- An unspecified flaw exists in the PS subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0649)

- An unspecified flaw exists in the Replication
subcomponent that allows an authenticated, remote
attacker to cause a denial of service condition.
(CVE-2016-0650)

- An unspecified flaw exists in the FTS subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0653)

- Multiple unspecified flaws exist in the InnoDB
subcomponent that allow an authenticated, remote
attacker to cause a denial of service condition.
(CVE-2016-0654, CVE-2016-0656, CVE-2016-0668)

- An unspecified flaw exists in the Optimizer subcomponent
that allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0658)

- An unspecified flaw exists in the Options subcomponent
that allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0661)

- An unspecified flaw exists in the Performance Schema
subcomponent that allows an authenticated, remote
attacker to cause a denial of service condition.
(CVE-2016-0663)

- An unspecified flaw exists in the Security: Encryption
subcomponent that allows an authenticated, remote
attacker to cause a denial of service condition.
(CVE-2016-0665)

- A denial of service vulnerability exists in the bundled
OpenSSL library due to improper handling of variables
declared as TEXT or BLOB. An authenticated, remote
attacker can exploit this to corrupt data or cause a
denial of service condition. (OSVDB 134892)

- A denial of service vulnerability exists that is
triggered when handling a 'CREATE TEMPORARY TABLE ..
SELECT' statement involving BIT columns. An
authenticated, remote attacker can exploit this to
create an improper table or cause the server to exit,
resulting in a denial of service condition.
(OSVDB 134893)

- A denial of service vulnerability exists due to improper
handling of queries that contain 'WHERE 0'. An
authenticated, remote attacker can exploit this to cause
an uninitialized read, resulting in a denial of service
condition. (OSVDB 134896)

See also :

http://www.nessus.org/u?2142a932
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-11.html
https://support.oracle.com/rs?type=doc&id=2120034.1
http://www.nessus.org/u?855180af

Solution :

Upgrade to MySQL version 5.7.11 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C)
CVSS Temporal Score : 5.6
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Oracle MySQL 5.6.x < 5.6.30 Multiple Vulnerabilities (April 2016 CPU) (DROWN)


Synopsis:

The remote host is missing one or more security updates.

Description:

The version of Oracle MySQL installed on the remote host is 5.6.x
prior to 5.6.30. It is, therefore, affected by the following
vulnerabilities :

- A cipher algorithm downgrade vulnerability exists in the
bundled version of OpenSSL due to a flaw that is
triggered when handling cipher negotiation. A remote
attacker can exploit this to negotiate SSLv2 ciphers and
complete SSLv2 handshakes even if all SSLv2 ciphers have
been disabled on the server. Note that this
vulnerability only exists if the SSL_OP_NO_SSLv2 option
has not been disabled. (CVE-2015-3197)

- An unspecified flaw exists in the Pluggable
Authentication subcomponent that allows an
unauthenticated, remote attacker to execute arbitrary
code. (CVE-2016-0639)

- An unspecified flaw exists in the Federated subcomponent
that allows an authenticated, remote attacker to impact
integrity and availability. (CVE-2016-0642)

- An unspecified flaw exists in the DML subcomponent that
allows an authenticated, remote attacker to disclose
sensitive information. (CVE-2016-0643)

- An unspecified flaw exists in the FTS subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0647)

- An unspecified flaw exists in the PS subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0647)

- An unspecified flaw exists in the InnoDB subcomponent
that allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0655)

- An unspecified flaw exists in the Security: Privileges
subcomponent that allows an authenticated, remote
attacker to cause a denial of service condition.
(CVE-2016-0666)

- A key disclosure vulnerability exists in the bundled
version of OpenSSL due to improper handling of
cache-bank conflicts on the Intel Sandy-bridge
microarchitecture. An attacker can exploit this to gain
access to RSA key information. (CVE-2016-0702)

- A double-free error exists in the bundled version of
OpenSSL due to improper validation of user-supplied
input when parsing malformed DSA private keys. A remote
attacker can exploit this to corrupt memory, resulting
in a denial of service condition or the execution of
arbitrary code. (CVE-2016-0705)

- A NULL pointer dereference flaw exists in the bundled
version of OpenSSL in the BN_hex2bn() and BN_dec2bn()
functions. A remote attacker can exploit this to trigger
a heap corruption, resulting in the execution of
arbitrary code. (CVE-2016-0797)

- A denial of service vulnerability exists in the bundled
version of OpenSSL due to improper handling of invalid
usernames. A remote attacker can exploit this, via a
specially crafted username, to leak 300 bytes of memory
per connection, exhausting available memory resources.
(CVE-2016-0798)

- Multiple memory corruption issues exist in the bundled
version of OpenSSL that allow a remote attacker to cause
a denial of service condition or the execution of
arbitrary code. (CVE-2016-0799)

- A flaw exists in the bundled version of OpenSSL that
allows a cross-protocol Bleichenbacher padding oracle
attack known as DROWN (Decrypting RSA with Obsolete and
Weakened eNcryption). This vulnerability exists due to a
flaw in the Secure Sockets Layer Version 2 (SSLv2)
implementation, and it allows captured TLS traffic to be
decrypted. A man-in-the-middle attacker can exploit this
to decrypt the TLS connection by utilizing previously
captured traffic and weak cryptography along with a
series of specially crafted connections to an SSLv2
server that uses the same private key. (CVE-2016-0800)

- A man-in-the-middle spoofing vulnerability exists due to
the server hostname not being verified to match a domain
name in the Subject's Common Name (CN) or SubjectAltName
field of the X.509 certificate. A man-in-the-middle
attacker can exploit this, by spoofing the TLS/SSL
server via a certificate that appears valid, to disclose
sensitive information or manipulate transmitted data.
(CVE-2016-2047)

See also :

http://www.nessus.org/u?2142a932
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-30.html
https://support.oracle.com/rs?type=doc&id=2120034.1
http://www.nessus.org/u?855180af
https://www.drownattack.com/drown-attack-paper.pdf
https://drownattack.com/
https://www.openssl.org/news/secadv/20160301.txt

Solution :

Upgrade to MySQL version 5.6.30 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Oracle MySQL 5.6.x < 5.6.29 Multiple Vulnerabilities (April 2016 CPU)


Synopsis:

The remote host is missing one or more security updates.

Description:

The version of Oracle MySQL installed on the remote host is 5.6.x
prior to 5.6.29. It is, therefore, affected by the following
vulnerabilities :

- A NULL pointer dereference flaw exists in the bundled
version of OpenSSL in file rsa_ameth.c due to improper
handling of ASN.1 signatures that are missing the PSS
parameter. A remote attacker can exploit this to cause
the signature verification routine to crash, resulting
in a denial of service condition. (CVE-2015-3194)

- An unspecified flaw exists in the DML subcomponent that
allows an authenticated, remote attacker to impact
integrity and availability. (CVE-2016-0640)

- An unspecified flaw exists in the MyISAM subcomponent
that allows an authenticated, remote attacker to
disclose sensitive information or cause a denial of
service condition. (CVE-2016-0641)

- An unspecified flaw exists in the DDL subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0644)

- An unspecified flaw exists in the DML subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0646)

- An unspecified flaw exists in the PS subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0649)

- An unspecified flaw exists in the Replication
subcomponent that allows an authenticated, remote
attacker to cause a denial of service condition.
(CVE-2016-0650)

- An unspecified flaw exists in the Options subcomponent
that allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0661)

- An unspecified flaw exists in the Security: Encryption
subcomponent that allows an authenticated, remote
attacker to cause a denial of service condition.
(CVE-2016-0665)

- An unspecified flaw exists in the InnoDB subcomponent
that allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0668)

- A denial of service vulnerability exists in the bundled
OpenSSL library due to improper handling of variables
declared as TEXT or BLOB. An authenticated, remote
attacker can exploit this to corrupt data or cause a
denial of service condition. (OSVDB 134892)

- A denial of service vulnerability exists that is
triggered when handling a 'CREATE TEMPORARY TABLE ..
SELECT' statement involving BIT columns. An
authenticated, remote attacker can exploit this to
create an improper table or cause the server to exit,
resulting in a denial of service condition.
(OSVDB 134893)

- A denial of service vulnerability exists due to an
unspecified flaw in LOCK TABLES that is triggered when
opening a temporary MERGE table consisting of a view in
the list of tables. An authenticated, remote attacker
can exploit this to cause the server to exit, resulting
in a denial of service condition. (OSVDB 134894)

- A denial of service vulnerability exists due to a flaw
that is triggered when repeatedly executing 'ALTER TABLE
v1 CHECK PARTITION' as a prepared statement. An
authenticated, remote attacker can exploit this to cause
the server to exit, resulting in a denial of service
condition. (OSVDB 134895)

See also :

http://www.nessus.org/u?2142a932
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-29.html
https://support.oracle.com/rs?type=doc&id=2120034.1
http://www.nessus.org/u?855180af

Solution :

Upgrade to MySQL version 5.6.29 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C)
CVSS Temporal Score : 5.6
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Oracle MySQL 5.5.x < 5.5.49 Multiple Vulnerabilities (April 2016 CPU)


Synopsis:

The remote host is missing one or more security updates.

Description:

The version of Oracle MySQL installed on the remote host is 5.5.x
prior to 5.5.49. It is, therefore, affected by the following
vulnerabilities :

- An unspecified flaw exists in the Federated subcomponent
that allows an authenticated, remote attacker to impact
integrity and availability. (CVE-2016-0642)

- An unspecified flaw exists in the DML subcomponent that
allows an authenticated, remote attacker to disclose
sensitive information. (CVE-2016-0643)

- An unspecified flaw exists in the FTS subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0647)

- An unspecified flaw exists in the PS subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0647)

- An unspecified flaw exists in the Security: Privileges
subcomponent that allows an authenticated, remote
attacker to cause a denial of service condition.
(CVE-2016-0666)

- A man-in-the-middle spoofing vulnerability exists due to
the server hostname not being verified to match a domain
name in the Subject's Common Name (CN) or SubjectAltName
field of the X.509 certificate. A man-in-the-middle
attacker can exploit this, by spoofing the TLS/SSL
server via a certificate that appears valid, to disclose
sensitive information or manipulate transmitted data.
(CVE-2016-2047)

See also :

http://www.nessus.org/u?2142a932
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-49.html
https://support.oracle.com/rs?type=doc&id=2120034.1
http://www.nessus.org/u?855180af

Solution :

Upgrade to MySQL version 5.5.49 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.9
(CVSS2#E:POC/RL:U/RC:ND)
Public Exploit Available : false

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Oracle MySQL 5.5.x < 5.5.48 Multiple Vulnerabilities (April 2016 CPU)


Synopsis:

The remote host is missing one or more security updates.

Description:

The version of Oracle MySQL installed on the remote host is 5.5.x
prior to 5.5.48. It is, therefore, affected by the following
vulnerabilities :

- An unspecified flaw exists in the DML subcomponent that
allows an authenticated, remote attacker to impact
integrity and availability. (CVE-2016-0640)

- An unspecified flaw exists in the MyISAM subcomponent
that allows an authenticated, remote attacker to
disclose sensitive information or cause a denial of
service condition. (CVE-2016-0641)

- An unspecified flaw exists in the DDL subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0644)

- An unspecified flaw exists in the DML subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0646)

- An unspecified flaw exists in the PS subcomponent that
allows an authenticated, remote attacker to cause a
denial of service condition. (CVE-2016-0649)

- An unspecified flaw exists in the Replication
subcomponent that allows an authenticated, remote
attacker to cause a denial of service condition.
(CVE-2016-0650)

- A denial of service vulnerability exists in the bundled
OpenSSL library due to improper handling of variables
declared as TEXT or BLOB. An authenticated, remote
attacker can exploit this to corrupt data or cause a
denial of service condition. (OSVDB 134892)

- A denial of service vulnerability exists that is
triggered when handling a 'CREATE TEMPORARY TABLE ..
SELECT' statement involving BIT columns. An
authenticated, remote attacker can exploit this to
create an improper table or cause the server to exit,
resulting in a denial of service condition.
(OSVDB 134893)

- A denial of service vulnerability exists due to an
unspecified flaw in LOCK TABLES that is triggered when
opening a temporary MERGE table consisting of a view in
the list of tables. An authenticated, remote attacker
can exploit this to cause the server to exit, resulting
in a denial of service condition. (OSVDB 134894)

See also :

http://www.nessus.org/u?2142a932
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-48.html
https://support.oracle.com/rs?type=doc&id=2120034.1
http://www.nessus.org/u?855180af

Solution :

Upgrade to MySQL version 5.5.48 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C)
CVSS Temporal Score : 5.6
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Oracle Java SE Hotspot JSR 292 Method Handles RCE


Synopsis:

The remote Windows host contains a programming platform that is
affected by an arbitrary code execution vulnerability.

Description:

The version of Oracle Java SE or Java for Business installed on the
remote host is affected by an arbitrary code execution vulnerability
in the Hotspot subcomponent due to an unsafe implementation of the
Reflection API, which improperly processes JSR 292 method handles due
to a lack of enforcement of class loader constraints. A remote
attacker can exploit this, by convincing a user to visit a malicious
web page, to execute arbitrary code outside the Java sandbox.

See also :

https://blogs.oracle.com/security/entry/security_alert_cve_2016_0636
http://www.nessus.org/u?f50143a4

Solution :

Upgrade to Oracle JDK / JRE 8 Update 77, 7 Update 99 or later.
If necessary, remove any affected versions.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 16.04 : ubuntu-core-launcher vulnerability (USN-2956-1)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

Zygmunt Krynicki discovered that ubuntu-core-launcher did not properly
sanitize its input and contained a logic error when determining the
mount point of bind mounts when using snaps on Ubuntu classic systems
(e.g., traditional desktop and server). If a user were tricked into
installing a malicious snap with a crafted snap name, an attacker
could perform a delayed attack to steal data or execute code within
the security context of another snap. This issue did not affect Ubuntu
Core systems.

Solution :

Update the affected ubuntu-core-launcher package.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 14.04 / 15.10 / 16.04 : oxide-qt vulnerabilities (USN-2955-1)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

A use-after-free was discovered when responding synchronously to
permission requests. An attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code with the privileges of the user invoking the program.
(CVE-2016-1578)

An out-of-bounds read was discovered in V8. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via renderer crash.
(CVE-2016-1646)

A use-after-free was discovered in the navigation implementation in
Chromium in some circumstances. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2016-1647)

A buffer overflow was discovered in ANGLE. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2016-1649)

An out-of-bounds write was discovered in V8. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via renderer crash, or
execute arbitrary code with the privileges of the sandboxed renderer
process. (CVE-2016-1653)

An invalid read was discovered in the media subsystem in Chromium. If
a user were tricked into opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service
via application crash. (CVE-2016-1654)

It was discovered that frame removal during callback execution could
trigger a use-after-free in Blink. If a user were tricked into
opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via renderer crash, or
execute arbitrary code with the privileges of the sandboxed renderer
process. (CVE-2016-1655)

Multiple security issues were discovered in Chromium. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2016-1659)

Multiple security issues were discovered in V8. If a user were tricked
into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via renderer crash or execute arbitrary code with the
privileges of the sandboxed renderer process. (CVE-2016-3679)

Solution :

Update the affected liboxideqtcore0 package.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:U/RL:ND/RC:UR)
Public Exploit Available : false

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 15.10 : php5 regression (USN-2952-2)


Synopsis:

The remote Ubuntu host is missing one or more security-related patches.

Description:

USN-2952-1 fixed vulnerabilities in PHP. One of the backported patches
caused a regression in the PHP Soap client. This update fixes the
problem.

We apologize for the inconvenience.

It was discovered that the PHP Zip extension incorrectly handled
directories when processing certain zip files. A remote attacker could
possibly use this issue to create arbitrary directories.
(CVE-2014-9767)

It was discovered that the PHP Soap client incorrectly
validated data types. A remote attacker could use this issue
to cause PHP to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2015-8835,
CVE-2016-3185)

It was discovered that the PHP MySQL native driver
incorrectly handled TLS connections to MySQL databases. A
man-in-the-middle attacker could possibly use this issue to
downgrade and snoop on TLS connections. This vulnerability
is known as BACKRONYM. (CVE-2015-8838)

It was discovered that PHP incorrectly handled the
imagerotate function. A remote attacker could use this issue
to cause PHP to crash, resulting in a denial of service, or
possibly obtain sensitive information. This issue only
applied to Ubuntu 14.04 LTS and Ubuntu 15.10.
(CVE-2016-1903)

Hans Jerry Illikainen discovered that the PHP phar extension
incorrectly handled certain tar archives. A remote attacker
could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code.
(CVE-2016-2554)

It was discovered that the PHP WDDX extension incorrectly
handled certain malformed XML data. A remote attacker could
possibly use this issue to cause PHP to crash, resulting in
a denial of service, or possibly execute arbitrary code.
(CVE-2016-3141)

It was discovered that the PHP phar extension incorrectly
handled certain zip files. A remote attacker could use this
issue to cause PHP to crash, resulting in a denial of
service, or possibly obtain sensitive information.
(CVE-2016-3142)

It was discovered that the PHP
libxml_disable_entity_loader() setting was shared between
threads. When running under PHP-FPM, this could result in
XML external entity injection and entity expansion issues.
This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04
LTS. (No CVE number)

It was discovered that the PHP openssl_random_pseudo_bytes()
function did not return cryptographically strong
pseudo-random bytes. (No CVE number)

It was discovered that the PHP Fileinfo component
incorrectly handled certain magic files. An attacker could
use this issue to cause PHP to crash, resulting in a denial
of service, or possibly execute arbitrary code. (CVE number
pending)

It was discovered that the PHP php_snmp_error() function
incorrectly handled string formatting. A remote attacker
could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code. This
issue only applied to Ubuntu 14.04 LTS and Ubuntu 15.10.
(CVE number pending)

It was discovered that the PHP rawurlencode() function
incorrectly handled large strings. A remote attacker could
use this issue to cause PHP to crash, resulting in a denial
of service. (CVE number pending)

It was discovered that the PHP phar extension incorrectly
handled certain filenames in archives. A remote attacker
could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE
number pending)

It was discovered that the PHP mb_strcut() function
incorrectly handled string formatting. A remote attacker
could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE
number pending)

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : false

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 14.04 / 15.10 / 16.04 : libsoup2.4 update (USN-2950-2) (Badlock)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

USN-2950-1 fixed vulnerabilities in Samba. The updated Samba packages
introduced a compatibility issue with NTLM authentication in libsoup.
This update fixes the problem.

We apologize for the inconvenience.

Jouni Knuutinen discovered that Samba contained multiple flaws in the
DCE/RPC implementation. A remote attacker could use this issue to
perform a denial of service, downgrade secure connections by
performing a man in the middle attack, or possibly execute arbitrary
code. (CVE-2015-5370)

Stefan Metzmacher discovered that Samba contained multiple
flaws in the NTLMSSP authentication implementation. A remote
attacker could use this issue to downgrade connections to
plain text by performing a man in the middle attack.
(CVE-2016-2110)

Alberto Solino discovered that a Samba domain controller
would establish a secure connection to a server with a
spoofed computer name. A remote attacker could use this
issue to obtain sensitive information. (CVE-2016-2111)

Stefan Metzmacher discovered that the Samba LDAP
implementation did not enforce integrity protection. A
remote attacker could use this issue to hijack LDAP
connections by performing a man in the middle attack.
(CVE-2016-2112)

Stefan Metzmacher discovered that Samba did not validate TLS
certificates. A remote attacker could use this issue to
spoof a Samba server. (CVE-2016-2113)

Stefan Metzmacher discovered that Samba did not enforce SMB
signing even if configured to. A remote attacker could use
this issue to perform a man in the middle attack.
(CVE-2016-2114)

Stefan Metzmacher discovered that Samba did not enable
integrity protection for IPC traffic. A remote attacker
could use this issue to perform a man in the middle attack.
(CVE-2016-2115)

Stefan Metzmacher discovered that Samba incorrectly handled
the MS-SAMR and MS-LSAD protocols. A remote attacker could
use this flaw with a man in the middle attack to impersonate
users and obtain sensitive information from the Security
Account Manager database. This flaw is known as Badlock.
(CVE-2016-2118)

Samba has been updated to 4.3.8 in Ubuntu 14.04 LTS and
Ubuntu 15.10. Ubuntu 12.04 LTS has been updated to 3.6.25
with backported security fixes.

In addition to security fixes, the updated packages contain
bug fixes, new features, and possibly incompatible changes.
Configuration changes may be required in certain
environments.

Solution :

Update the affected libsoup2.4-1 package.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Ubuntu 12.04 LTS / 14.04 / 15.10 / 16.04 : firefox vulnerabilities (USN-2936-1)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

Christian Holler, Tyson Smith, Phil Ringalda, Gary Kwong, Jesse
Ruderman, Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter,
Randell Jesup, Andrew McCreight, and Steve Fink discovered multiple
memory safety issues in Firefox. If a user were tricked into opening
a specially crafted website, an attacker could potentially exploit
these to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2016-2804, CVE-2016-2806, CVE-2016-2807)

An invalid write was discovered when using the JavaScript .watch()
method in some circumstances. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2016-2808)

Looben Yang discovered a use-after-free and buffer overflow in service
workers. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit these to cause a denial
of service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-2811,
CVE-2016-2812)

Sascha Just discovered a buffer overflow in libstagefright in some
circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code
with the privileges of the user invoking Firefox. (CVE-2016-2814)

Muneaki Nishimura discovered that CSP is not applied correctly to web
content sent with the multipart/x-mixed-replace MIME type. An attacker
could potentially exploit this to conduct cross-site scripting (XSS)
attacks when they would otherwise be prevented. (CVE-2016-2816)

Muneaki Nishimura discovered that the chrome.tabs.update API for web
extensions allows for navigation to javascript: URLs. A malicious
extension could potentially exploit this to conduct cross-site
scripting (XSS) attacks. (CVE-2016-2817)

Mark Goodwin discovered that about:healthreport accepts certain events
from any content present in the remote-report iframe. If another
vulnerability allowed the injection of web content in the
remote-report iframe, an attacker could potentially exploit this to
change the user's sharing preferences. (CVE-2016-2820)

Solution :

Update the affected firefox package.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : false

This script is Copyright (C) 2016 Tenable Network Security, Inc.